rhachet-roles-ehmpathy 1.13.3 → 1.13.7

package/dist/logic/roles/mechanic/.skills/claude.hooks/check.pretooluse.permissions.sh

@@ -107,29 +107,28 @@ mapfile -t ALLOWED_PATTERNS < <(
   jq -r '.permissions.allow // [] | .[] | select(startswith("Bash(")) | sub("^Bash\\("; "") | sub("\\)$"; "")' "$SETTINGS_FILE" 2>/dev/null
 )
 
-# Check if command matches any allowed pattern
+# Check if a single command matches any allowed pattern
 match_pattern() {
   local cmd="$1"
   local pattern="$2"
 
   # Handle Claude Code's :* suffix matcher
-  # :* means "optionally match colon and anything after"
-  # e.g., "npm run test:*" matches "npm run test", "npm run test:", "npm run test:unit"
+  # :* means "match anything after" (any suffix, including spaces)
+  # e.g., "mkdir:*" matches "mkdir", "mkdir /path", "mkdir -p /foo/bar"
+  # e.g., "npm run test:*" matches "npm run test", "npm run test:unit"
 
   # First, escape regex special chars except * and :
   local escaped_pattern
   escaped_pattern=$(printf '%s' "$pattern" | sed 's/[.^$+?{}()[\]|\\]/\\&/g')
 
   # Convert :* to placeholder first (to avoid * -> .* conversion interfering)
-  # Using a unique placeholder that won't appear in commands
-  escaped_pattern="${escaped_pattern//:\*/__COLON_STAR_PLACEHOLDER__}"
+  escaped_pattern="${escaped_pattern//:\*/__ANY_SUFFIX_PLACEHOLDER__}"
 
   # Convert remaining * to .* (glob-style wildcard)
   escaped_pattern="${escaped_pattern//\*/.*}"
 
-  # Now replace placeholder with the actual regex for :*
-  # (:.*)? matches: nothing, ":", ":foo", ":foo:bar"
-  escaped_pattern="${escaped_pattern//__COLON_STAR_PLACEHOLDER__/(:.*)?}"
+  # Now replace placeholder with .* for "any suffix" matching
+  escaped_pattern="${escaped_pattern//__ANY_SUFFIX_PLACEHOLDER__/.*}"
 
   # Build final regex
   local regex="^${escaped_pattern}$"
@@ -140,6 +139,120 @@ match_pattern() {
   return 1
 }
 
+# Check if a single command matches ANY allowed pattern
+command_is_allowed() {
+  local cmd="$1"
+  # Trim leading/trailing whitespace
+  cmd=$(echo "$cmd" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+
+  # Empty commands are allowed (e.g., trailing &&)
+  if [[ -z "$cmd" ]]; then
+    return 0
+  fi
+
+  for pattern in "${ALLOWED_PATTERNS[@]}"; do
+    if match_pattern "$cmd" "$pattern"; then
+      return 0
+    fi
+  done
+  return 1
+}
+
+# Split compound command on &&, ||, ; (respecting quotes)
+# Returns newline-separated list of commands
+split_compound_command() {
+  local input="$1"
+  local result=""
+  local current=""
+  local in_single_quote=false
+  local in_double_quote=false
+  local i=0
+  local len=${#input}
+
+  while [[ $i -lt $len ]]; do
+    local char="${input:$i:1}"
+    local next_char="${input:$((i+1)):1}"
+
+    # Handle quotes
+    if [[ "$char" == "'" && "$in_double_quote" == false ]]; then
+      in_single_quote=$([[ "$in_single_quote" == true ]] && echo false || echo true)
+      current+="$char"
+      ((i++))
+      continue
+    fi
+
+    if [[ "$char" == '"' && "$in_single_quote" == false ]]; then
+      in_double_quote=$([[ "$in_double_quote" == true ]] && echo false || echo true)
+      current+="$char"
+      ((i++))
+      continue
+    fi
+
+    # Only split if not inside quotes
+    if [[ "$in_single_quote" == false && "$in_double_quote" == false ]]; then
+      # Check for && or ||
+      if [[ "$char" == "&" && "$next_char" == "&" ]] || [[ "$char" == "|" && "$next_char" == "|" ]]; then
+        if [[ -n "$result" ]]; then
+          result+=$'\n'
+        fi
+        result+="$current"
+        current=""
+        ((i+=2))
+        continue
+      fi
+
+      # Check for ;
+      if [[ "$char" == ";" ]]; then
+        if [[ -n "$result" ]]; then
+          result+=$'\n'
+        fi
+        result+="$current"
+        current=""
+        ((i++))
+        continue
+      fi
+    fi
+
+    current+="$char"
+    ((i++))
+  done
+
+  # Add final command
+  if [[ -n "$result" ]]; then
+    result+=$'\n'
+  fi
+  result+="$current"
+
+  echo "$result"
+}
+
+# Check if ALL parts of a compound command are allowed
+all_parts_allowed() {
+  local cmd="$1"
+  local parts
+  local failed_part=""
+
+  # Split command into parts
+  parts=$(split_compound_command "$cmd")
+
+  # Check each part
+  while IFS= read -r part; do
+    # Trim whitespace
+    part=$(echo "$part" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+
+    # Skip empty parts
+    [[ -z "$part" ]] && continue
+
+    if ! command_is_allowed "$part"; then
+      # Store the failed part for error reporting
+      echo "$part"
+      return 1
+    fi
+  done <<< "$parts"
+
+  return 0
+}
+
 # Transform raw permission pattern to compact bracket notation for display
 format_pattern() {
   local pattern="$1"
@@ -155,13 +268,11 @@ format_pattern() {
   fi
 }
 
-for pattern in "${ALLOWED_PATTERNS[@]}"; do
-  if match_pattern "$COMMAND" "$pattern"; then
-    exit 0  # Command matches an allowed pattern
-  fi
-done
+# Check if all parts of the command (including compound commands) are allowed
+FAILED_PART=$(all_parts_allowed "$COMMAND") && exit 0
 
 # Command not matched - handle based on mode
+# FAILED_PART contains the first disallowed part of the command
 
 # SOFTNUDGE mode: provide guidance but don't block (early return)
 # Output plain text - no hookSpecificOutput so normal permission flow continues

package/dist/logic/roles/mechanic/.skills/claude.tools/mvsafe.sh

@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+######################################################################
+# .what = safe mv wrapper that constrains moves to within the repo
+#
+# .why  = mv can move/overwrite files anywhere on the filesystem.
+#         this wrapper ensures both source and destination resolve
+#         to paths within the current working directory (repo root).
+#
+# .how  = uses realpath to resolve absolute paths, then validates
+#         both are prefixed by $PWD before executing mv.
+#
+# usage:
+#   bash mvsafe.sh <source> <destination>
+#
+# guarantee:
+#   ✔ fails if source is outside repo
+#   ✔ fails if destination is outside repo
+#   ✔ fails if source doesn't exist
+#   ✔ passes all arguments to mv if validation passes
+######################################################################
+
+set -euo pipefail
+
+if [[ $# -lt 2 ]]; then
+  echo "error: mvsafe requires at least 2 arguments" >&2
+  echo "usage: mvsafe.sh <source> <destination>" >&2
+  exit 1
+fi
+
+REPO_ROOT="$PWD"
+
+# get the last argument (destination)
+DEST="${*: -1}"
+
+# get all arguments except the last (sources, could be multiple)
+SOURCES=("${@:1:$#-1}")
+
+# resolve destination path
+# if dest doesn't exist yet, resolve its parent directory
+if [[ -e "$DEST" ]]; then
+  DEST_RESOLVED="$(realpath "$DEST")"
+else
+  DEST_PARENT="$(dirname "$DEST")"
+  if [[ ! -d "$DEST_PARENT" ]]; then
+    echo "error: destination parent directory does not exist: $DEST_PARENT" >&2
+    exit 1
+  fi
+  DEST_RESOLVED="$(realpath "$DEST_PARENT")/$(basename "$DEST")"
+fi
+
+# validate destination is within repo
+if [[ "$DEST_RESOLVED" != "$REPO_ROOT"* ]]; then
+  echo "error: destination is outside repo: $DEST_RESOLVED" >&2
+  echo "       repo root: $REPO_ROOT" >&2
+  exit 1
+fi
+
+# validate each source is within repo
+for SRC in "${SOURCES[@]}"; do
+  if [[ ! -e "$SRC" ]]; then
+    echo "error: source does not exist: $SRC" >&2
+    exit 1
+  fi
+
+  SRC_RESOLVED="$(realpath "$SRC")"
+
+  if [[ "$SRC_RESOLVED" != "$REPO_ROOT"* ]]; then
+    echo "error: source is outside repo: $SRC_RESOLVED" >&2
+    echo "       repo root: $REPO_ROOT" >&2
+    exit 1
+  fi
+done
+
+# all validations passed, execute mv
+exec mv "$@"

package/dist/logic/roles/mechanic/.skills/init.claude.permissions.sh

@@ -38,7 +38,10 @@ PERMISSIONS_CONFIG=$(cat <<'EOF'
       "Bash(sed:*)",
       "Bash(tee:*)",
       "Bash(find:*)",
-      "Bash(echo:*)"
+      "Bash(echo:*)",
+      "Bash(mv:*)",
+      "Bash(npx biome:*)",
+      "Bash(npx jest:*)",
     ],
     "ask": [
       "Bash(bash:*)",
@@ -55,7 +58,6 @@ PERMISSIONS_CONFIG=$(cat <<'EOF'
       "WebFetch(domain:raw.githubusercontent.com)",
       "WebFetch(domain:biomejs.dev)",
 
-
       "Bash(ls:*)",
       "Bash(tree:*)",
       "Bash(cat:*)",
@@ -68,15 +70,13 @@ PERMISSIONS_CONFIG=$(cat <<'EOF'
       "Bash(file:*)",
       "Bash(mkdir:*)",
       "Bash(pwd)",
+      "Bash(bash src/logic/roles/mechanic/.skills/claude.tools/mvsafe.sh:*)",
       "Bash(npm view:*)",
       "Bash(npm list:*)",
       "Bash(npm remove:*)",
 
       "Bash(npx rhachet roles boot --repo ehmpathy --role mechanic)",
       "Bash(npx tsx ./bin/run:*)",
-      "Bash(npx tsc:*)",
-      "Bash(npx biome:*)",
-      "Bash(npx jest:*)",
 
       "Bash(npm run build:*)",
       "Bash(npm run build:compile)",
@@ -92,6 +92,9 @@ PERMISSIONS_CONFIG=$(cat <<'EOF'
       "Bash(npm run test:acceptance:*)",
 
       "Bash(THOROUGH=true npm run test:*)",
+      "Bash(THOROUGH=true npm run test:types:*)",
+      "Bash(THOROUGH=true npm run test:format:*)",
+      "Bash(THOROUGH=true npm run test:lint:*)",
       "Bash(THOROUGH=true npm run test:unit:*)",
       "Bash(THOROUGH=true npm run test:integration:*)",
       "Bash(THOROUGH=true npm run test:acceptance:*)",

package/package.json

@@ -2,7 +2,7 @@
   "name": "rhachet-roles-ehmpathy",
   "author": "ehmpathy",
   "description": "empathetic software construction roles and skills, via rhachet",
-  "version": "1.13.3",
+  "version": "1.13.7",
   "repository": "ehmpathy/rhachet-roles-ehmpathy",
   "homepage": "https://github.com/ehmpathy/rhachet-roles-ehmpathy",
   "keywords": [
@@ -34,8 +34,8 @@
     "test:format": "npm run test:format:biome",
     "test:lint:deps": "npx depcheck -c ./.depcheckrc.yml",
     "test:integration:hold": "jest -c ./jest.integration.config.ts --forceExit --verbose --passWithNoTests $([ -z $THOROUGH ] && echo '--changedSince=main')",
-    "test:lint:biome": "biome check src --diagnostic-level=error",
-    "test:lint:biome:all": "biome check src",
+    "test:lint:biome": "biome check --diagnostic-level=error",
+    "test:lint:biome:all": "biome check",
     "test:lint": "npm run test:lint:biome && npm run test:lint:deps",
     "test:unit": "jest -c ./jest.unit.config.ts --forceExit --verbose --passWithNoTests $([ -z $THOROUGH ] && echo '--changedSince=main')",
     "test:integration": "echo 'todo: release'",
@@ -48,13 +48,13 @@
     "postversion": "git push origin HEAD --tags --no-verify",
     "prepare:husky": "npx husky install && chmod ug+x .husky/*",
     "prepare": "[ -e .git ] && npm run prepare:husky || exit 0",
-    "test:format:biome": "biome format src"
+    "test:format:biome": "biome format"
   },
   "dependencies": {
     "@ehmpathy/as-command": "1.0.3",
     "@ehmpathy/uni-time": "1.8.1",
     "as-procedure": "1.1.7",
-    "domain-objects": "0.31.3",
+    "domain-objects": "0.31.7",
     "fast-glob": "3.3.3",
     "helpful-errors": "1.5.3",
     "inquirer": "12.7.0",
@@ -80,9 +80,9 @@
     "@types/node": "22.15.21",
     "cz-conventional-changelog": "3.3.0",
     "declapract": "0.13.0",
-    "declapract-typescript-ehmpathy": "0.43.11",
-    "declastruct": "1.4.5",
-    "declastruct-github": "1.0.5",
+    "declapract-typescript-ehmpathy": "0.43.16",
+    "declastruct": "1.5.1",
+    "declastruct-github": "1.0.7",
     "depcheck": "1.4.3",
     "esbuild-register": "3.6.0",
     "husky": "8.0.3",