typeclaw 0.34.0 → 0.34.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "typeclaw",
-  "version": "0.34.0",
+  "version": "0.34.1",
   "homepage": "https://github.com/typeclaw/typeclaw#readme",
   "bugs": {
     "url": "https://github.com/typeclaw/typeclaw/issues"

package/src/bundled-plugins/github-cli-auth/git-askpass.ts

@@ -0,0 +1,65 @@
+import { randomBytes } from 'node:crypto'
+import { chmod, mkdir, rename, writeFile } from 'node:fs/promises'
+import { dirname, join } from 'node:path'
+
+// A GIT_ASKPASS helper git invokes for username/password prompts. The token
+// rides in TYPECLAW_GIT_TOKEN (env, via the bash env overlay), NEVER in argv or
+// git config — so it cannot leak through process listings, logs, or .git/config.
+// The script contents are constant and secret-free; only the env value is secret.
+//
+// Host-scoped: git's prompt is `Username for 'https://github.com': ` etc. We
+// answer ONLY when the prompt names github.com; for any other host (e.g. one an
+// `insteadOf`/`pushurl` rewrite redirected to) we exit non-zero WITHOUT printing
+// the token, so a redirect can never exfiltrate it. The analyzer already blocks
+// the known redirect vectors; this is defense-in-depth at the credential edge.
+// The host match is on \`//github.com/\` and \`//github.com'\` (git wraps the URL
+// in quotes: \`Password for 'https://github.com': \`) so it cannot be fooled by
+// \`evil-github.com\` or \`github.com.evil/\`.
+const ASKPASS_SCRIPT = `#!/bin/sh
+case "$1" in
+  *//github.com/*|*//github.com\\'*) : ;;
+  *) exit 1 ;;
+esac
+case "$1" in
+  *Username*) printf '%s\\n' 'x-access-token' ;;
+  *) printf '%s\\n' "$TYPECLAW_GIT_TOKEN" ;;
+esac
+`
+
+// /usr is --ro-bind mounted into the per-tool bwrap sandbox (src/sandbox/build.ts),
+// so a helper here is readable by sandboxed bash; the per-session /tmp bind is not
+// a stable path. TYPECLAW_GIT_ASKPASS_PATH overrides it for tests/CI, which
+// cannot write under /usr.
+const DEFAULT_ASKPASS_PATH = '/usr/local/bin/typeclaw-git-askpass'
+
+function defaultPath(): string {
+  const override = process.env.TYPECLAW_GIT_ASKPASS_PATH
+  return override !== undefined && override !== '' ? override : DEFAULT_ASKPASS_PATH
+}
+
+let ensurePromise: Promise<string> | null = null
+
+export function resetGitAskPassHelperForTests(): void {
+  ensurePromise = null
+}
+
+// Writes the helper once per process (idempotent, race-safe via the shared
+// promise) and returns its absolute path. The temp name is unpredictable and
+// opened with `wx` (exclusive create, fails on an existing file/symlink) so a
+// planted symlink cannot redirect the write; then atomically renamed so a
+// concurrent reader never sees a partial file.
+export function ensureGitAskPassHelper(path: string = defaultPath()): Promise<string> {
+  if (ensurePromise !== null) return ensurePromise
+  ensurePromise = (async () => {
+    await mkdir(dirname(path), { recursive: true })
+    const tmp = join(dirname(path), `.typeclaw-git-askpass.${randomBytes(8).toString('hex')}.tmp`)
+    await writeFile(tmp, ASKPASS_SCRIPT, { mode: 0o755, flag: 'wx' })
+    await chmod(tmp, 0o755)
+    await rename(tmp, path)
+    return path
+  })().catch((err) => {
+    ensurePromise = null
+    throw err
+  })
+  return ensurePromise
+}

package/src/bundled-plugins/github-cli-auth/git-command.ts

@@ -0,0 +1,492 @@
+// Plain-`git` analog of analyzeGhCommand. `gh` names its repo in argv (`-R`);
+// `git` only implies it via a remote, so this RESOLVES the target repo:
+// explicit github.com URL -> remote name via `git remote get-url` -> the
+// branch.<cur>.pushRemote/remote.pushDefault/origin fallback chain. The slug
+// feeds the same per-repo mint the `gh` path uses; the token is injected via
+// GIT_ASKPASS env, never into the command string.
+
+export type GitCommandDecision =
+  | { kind: 'pass-through' }
+  | { kind: 'block'; reason: string }
+  // rewrittenCommand replaces the executed command: `cd <dir> && git …` becomes
+  // `git -C <dir> …` so the token-bearing command stays a single bare `git`
+  // (no sibling process inherits the askpass env).
+  | { kind: 'inject'; repoSlug: string; rewrittenCommand?: string }
+
+// Returns null when the remote/config is absent or git fails — the analyzer
+// then passes through so git fails honestly rather than us guessing a repo.
+// forPush selects the PUSH url (`git remote get-url --push`), which differs from
+// the fetch url when a remote sets `pushurl`; minting against the fetch url for a
+// push would scope the token to the wrong repo/owner.
+export type GitRemoteResolver = (cwd: string, remote: string, forPush: boolean) => Promise<string | null>
+export type GitConfigResolver = (cwd: string, key: string) => Promise<string | null>
+export type GitBranchResolver = (cwd: string) => Promise<string | null>
+
+export type GitResolvers = {
+  resolveRemoteUrl: GitRemoteResolver
+  resolveConfig: GitConfigResolver
+  resolveCurrentBranch: GitBranchResolver
+}
+
+async function runGit(cwd: string, args: string[]): Promise<string | null> {
+  const bun = (globalThis as { Bun?: { spawn: typeof Bun.spawn } }).Bun
+  if (!bun) return null
+  try {
+    const proc = bun.spawn({
+      cmd: ['git', '-C', cwd, ...args],
+      stdout: 'pipe',
+      stderr: 'ignore',
+      env: { ...process.env, GIT_TERMINAL_PROMPT: '0', GIT_OPTIONAL_LOCKS: '0' },
+    })
+    const exitCode = await proc.exited
+    if (exitCode !== 0) return null
+    const out = (await new Response(proc.stdout).text()).trim()
+    return out === '' ? null : out
+  } catch {
+    return null
+  }
+}
+
+export const defaultGitResolvers: GitResolvers = {
+  resolveRemoteUrl: (cwd, remote, forPush) =>
+    runGit(cwd, forPush ? ['remote', 'get-url', '--push', remote] : ['remote', 'get-url', remote]),
+  resolveConfig: (cwd, key) => runGit(cwd, ['config', '--get', key]),
+  resolveCurrentBranch: (cwd) => runGit(cwd, ['symbolic-ref', '--short', 'HEAD']),
+}
+
+const REMOTE_SUBCOMMANDS = new Set(['push', 'fetch', 'pull', 'clone', 'ls-remote'])
+
+const MULTI_OWNER_REASON =
+  'This git command targets repos under more than one owner; a single minted ' +
+  'GitHub App token cannot authenticate all of them. Split it into separate ' +
+  'commands, one owner each.'
+
+const COMPOSITION_REASON =
+  'A repo-targeting `git` command receives a minted GitHub App token via ' +
+  'GIT_ASKPASS in its process environment, so it must run as a single bare ' +
+  '`git` command — no `;`, `&&`, `||`, `&`, newlines, pipes, redirections, ' +
+  'command/parameter substitution, or subshells (any sibling process would ' +
+  'inherit the token). The one accepted prefix is `cd <simple-path> && git …`, ' +
+  'which is rewritten to `git -C <path> …`.'
+
+const DANGEROUS_CONFIG_REASON =
+  'A repo-targeting `git` command that would receive a minted GitHub App token ' +
+  'cannot carry a leading environment assignment or `-c`/`--config-env`/' +
+  '`--git-dir`/`--work-tree`/`--namespace`/`--exec-path`: those can redirect ' +
+  "git's authentication or destination away from the resolved repo (e.g. " +
+  '`-c url.https://evil/.insteadOf=…` or `-c core.askPass=…`), which would leak ' +
+  'the token. Remove them and re-run, or run without the minted token.'
+
+const FETCH_ALL_REASON =
+  '`git fetch --all` / `git pull --all` contacts every configured remote, which ' +
+  'cannot be enumerated safely here — a minted token scoped to one remote could ' +
+  'be sent to another. Fetch a specific remote instead.'
+
+// OUTSIDE single quotes these spawn a sibling process (which would inherit the
+// askpass token) or expand shell state. `$`/backtick stay active inside double
+// quotes too, so they are screened separately. Mirrors gh-command.ts.
+const SHELL_ACTIVE_METACHARS = new Set(['|', ';', '&', '\n', '\r', '(', ')', '{', '}', '<', '>', '`', '$'])
+
+export async function analyzeGitCommand(
+  command: string,
+  options: { cwd: string; resolvers: GitResolvers },
+): Promise<GitCommandDecision> {
+  const stripped = stripSafeCdPrefix(command)
+  if (stripped.unsafe) return { kind: 'pass-through' }
+  const segment = extractSingleGitInvocation(stripped.rest)
+  if (segment === null) return { kind: 'pass-through' }
+
+  const args = segment.args
+  const subcommand = findSubcommand(args)
+  if (subcommand === undefined || !REMOTE_SUBCOMMANDS.has(subcommand)) return { kind: 'pass-through' }
+
+  // We are about to put a live token in this process's env. Reject any command
+  // that could redirect git's auth/destination away from the resolved repo:
+  // user `-c` (url.*.insteadOf, core.askPass, credential.*, http.*), a leading
+  // env assignment (`GIT_ASKPASS=… git …`), or a different git-dir/work-tree.
+  if (segment.hasLeadingEnvAssignment || hasDangerousGitConfig(args)) {
+    return { kind: 'block', reason: DANGEROUS_CONFIG_REASON }
+  }
+  // `fetch/pull --all` contacts every configured remote; we cannot enumerate
+  // them here, so we could mint for one and leak the token to another. Block.
+  if ((subcommand === 'fetch' || subcommand === 'pull') && args.includes('--all')) {
+    return { kind: 'block', reason: FETCH_ALL_REASON }
+  }
+
+  const dashCDir = extractDashCDir(args)
+  const effectiveCwd = resolveCwd(resolveCwd(options.cwd, stripped.cdDir), dashCDir)
+
+  // A resolver that throws is treated as "couldn't resolve" → pass-through, so a
+  // git/subprocess failure never crashes the hook or guesses a repo.
+  let slugs: string[]
+  try {
+    slugs = await resolveRepoSlugs(subcommand, args, effectiveCwd, options.resolvers)
+  } catch {
+    return { kind: 'pass-through' }
+  }
+  if (slugs.length === 0) return { kind: 'pass-through' }
+
+  const owners = new Set(slugs.map((s) => s.split('/')[0]))
+  if (owners.size > 1) return { kind: 'block', reason: MULTI_OWNER_REASON }
+
+  const repoSlug = slugs[0] as string
+
+  // Injecting the askpass token into env means any sibling process inherits it,
+  // so a token-bearing command must be a single bare `git`. A `cd … && git …`
+  // is allowed only by rewriting away the `&&` into `git -C …` — but not when the
+  // git part already has its own `-C` (the rewrite would stack two and change cwd).
+  if (stripped.cdDir !== null) {
+    if (containsShellActiveMetachar(stripped.rest) || dashCDir !== null) {
+      return { kind: 'block', reason: COMPOSITION_REASON }
+    }
+    return { kind: 'inject', repoSlug, rewrittenCommand: rewriteCdToDashC(effectiveCwd, stripped.rest) }
+  }
+  if (containsShellActiveMetachar(command)) return { kind: 'block', reason: COMPOSITION_REASON }
+  return { kind: 'inject', repoSlug }
+}
+
+// Global flags that can redirect git's auth or destination. `-c`/`--config-env`
+// inject arbitrary config (url.insteadOf, core.askPass, credential.*, http.*);
+// `--git-dir`/`--work-tree`/`--namespace`/`--exec-path` point git at a different
+// repo or helper than the one we resolved. Any of these on a token-bearing
+// command means we cannot vouch for where the token goes — block.
+function hasDangerousGitConfig(args: readonly string[]): boolean {
+  for (const arg of args) {
+    // git accepts both `--config-env <name>=<envvar>` and the inline
+    // `--config-env=<name>=<envvar>`; both must be caught. (`-c` has no inline
+    // `-c=…` form — git always takes the next token.)
+    if (arg === '-c' || arg === '--config-env' || arg.startsWith('--config-env=')) return true
+    if (arg === '--git-dir' || arg.startsWith('--git-dir=')) return true
+    if (arg === '--work-tree' || arg.startsWith('--work-tree=')) return true
+    if (arg === '--namespace' || arg.startsWith('--namespace=')) return true
+    if (arg === '--exec-path' || arg.startsWith('--exec-path=')) return true
+  }
+  return false
+}
+
+async function resolveRepoSlugs(
+  subcommand: string,
+  args: readonly string[],
+  cwd: string,
+  resolvers: GitResolvers,
+): Promise<string[]> {
+  const explicitUrl = extractExplicitUrl(subcommand, args)
+  if (explicitUrl !== null) {
+    const slug = parseGithubRepoFromGitUrl(explicitUrl)
+    return slug === null ? [] : [slug]
+  }
+
+  // clone needs an explicit URL; it has no configured-remote fallback.
+  if (subcommand === 'clone') return []
+
+  // Only `push` consults the push url; fetch/pull/ls-remote use the fetch url.
+  const forPush = subcommand === 'push'
+
+  // EVERY named remote must be resolved, not just the first: `git fetch
+  // --multiple origin upstream` touches both, and feeding only one to the
+  // multi-owner guard would let a second-owner remote slip past and still mint.
+  const remoteNames = extractRemoteNames(args)
+  // The branch.pushRemote/pushDefault/origin chain is a PUSH default; applying it
+  // to a bare `fetch`/`pull`/`ls-remote` could mint for the wrong (push) remote,
+  // so only push falls back. Other subcommands with no explicit remote pass through.
+  const remotes =
+    remoteNames.length > 0 ? remoteNames : subcommand === 'push' ? [await resolveDefaultPushRemote(cwd, resolvers)] : []
+  if (remotes.length === 0) return []
+
+  const slugs: string[] = []
+  for (const remote of remotes) {
+    if (remote === null) continue
+    const url = looksLikeUrl(remote) ? remote : await resolvers.resolveRemoteUrl(cwd, remote, forPush)
+    if (url === null) continue
+    const slug = parseGithubRepoFromGitUrl(url)
+    if (slug !== null) slugs.push(slug)
+  }
+  return slugs
+}
+
+// Mirrors git's own push-remote resolution order for a bare `git push`.
+async function resolveDefaultPushRemote(cwd: string, resolvers: GitResolvers): Promise<string | null> {
+  const branch = await resolvers.resolveCurrentBranch(cwd)
+  if (branch !== null && branch !== '') {
+    const perBranch = await resolvers.resolveConfig(cwd, `branch.${branch}.pushRemote`)
+    if (perBranch !== null && perBranch !== '') return perBranch
+  }
+  const pushDefault = await resolvers.resolveConfig(cwd, 'remote.pushDefault')
+  if (pushDefault !== null && pushDefault !== '') return pushDefault
+  return 'origin'
+}
+
+const HTTPS_GITHUB_RE = /^https:\/\/github\.com\/([^/\s:@]+)\/([^/\s?#]+?)(?:\.git)?\/?(?:[?#].*)?$/i
+const SCP_GITHUB_RE = /^git@github\.com:([^/\s:?#]+)\/([^/\s?#]+?)(?:\.git)?$/i
+const SSH_GITHUB_RE = /^ssh:\/\/git@github\.com(?::\d+)?\/([^/\s]+)\/([^/\s?#]+?)(?:\.git)?\/?(?:[?#].*)?$/i
+
+// Parses a github.com remote URL into an `owner/name` slug. Returns null for
+// non-github.com hosts, credential-bearing https URLs (https://tok@github.com/…
+// — we never reuse an embedded credential), local paths, or malformed input.
+export function parseGithubRepoFromGitUrl(raw: string): string | null {
+  const url = raw.trim()
+  for (const re of [HTTPS_GITHUB_RE, SCP_GITHUB_RE, SSH_GITHUB_RE]) {
+    const m = url.match(re)
+    if (m === null) continue
+    const owner = m[1]
+    const name = m[2]
+    if (owner === undefined || name === undefined || owner === '' || name === '') return null
+    return `${owner}/${name}`
+  }
+  return null
+}
+
+function looksLikeUrl(token: string): boolean {
+  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(token)) return true
+  if (/^[^@\s]+@[^:\s]+:/.test(token)) return true
+  return false
+}
+
+// Flags that consume the FOLLOWING token, so a positional after them (the
+// subcommand or a remote/URL) is not mistaken for the flag's value. Includes the
+// dangerous-config flags in their separate-arg form (`--config-env <v>`) so the
+// real subcommand is still located and hasDangerousGitConfig can fire.
+const GIT_VALUE_FLAGS = new Set([
+  '-C',
+  '-c',
+  '--config-env',
+  '--git-dir',
+  '--work-tree',
+  '--namespace',
+  '--exec-path',
+  '-o',
+  '--origin',
+  '-b',
+  '--branch',
+  '-u',
+])
+
+function extractExplicitUrl(subcommand: string, args: readonly string[]): string | null {
+  // `git push --repo <url>` / `--repo=<url>`
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i] as string
+    if (arg === '--repo' || arg === '--repository') {
+      const v = args[i + 1]
+      if (v !== undefined && looksLikeUrl(v)) return v
+    }
+    if (arg.startsWith('--repo=')) return arg.slice('--repo='.length)
+    if (arg.startsWith('--repository=')) return arg.slice('--repository='.length)
+  }
+  // First positional after the subcommand that looks like a URL.
+  for (const pos of positionalsAfterSubcommand(subcommand, args)) {
+    if (looksLikeUrl(pos)) return pos
+  }
+  return null
+}
+
+// The git subcommand is the first positional that is NOT consumed by a global
+// value-flag (`git -C <dir> push`, `git -c k=v push`). A naive first-non-flag
+// scan would pick the flag's value (e.g. `<dir>`) as the subcommand.
+function findSubcommand(args: readonly string[]): string | undefined {
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i] as string
+    if (arg.startsWith('-')) {
+      if (!arg.includes('=') && GIT_VALUE_FLAGS.has(arg)) i += 1
+      continue
+    }
+    return arg
+  }
+  return undefined
+}
+
+// The remote name(s) a command targets. Normally just the first positional —
+// later positionals are refspecs (`git push origin main` -> remote `origin`,
+// refspec `main`). With `--multiple` (fetch), EVERY positional is a remote, so
+// all are returned to feed the multi-owner guard. URL positionals are excluded
+// here; resolveRepoSlugs handles a bare-URL target directly.
+function extractRemoteNames(args: readonly string[]): string[] {
+  const sub = findSubcommand(args)
+  if (sub === undefined) return []
+  const positionals = positionalsAfterSubcommand(sub, args).filter((p) => !looksLikeUrl(p))
+  if (positionals.length === 0) return []
+  if (args.includes('--multiple')) return positionals
+  return [positionals[0] as string]
+}
+
+function positionalsAfterSubcommand(subcommand: string, args: readonly string[]): string[] {
+  const out: string[] = []
+  let seenSub = false
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i] as string
+    if (arg.startsWith('-')) {
+      if (!arg.includes('=') && GIT_VALUE_FLAGS.has(arg)) i += 1
+      continue
+    }
+    if (!seenSub) {
+      if (arg === subcommand) seenSub = true
+      continue
+    }
+    out.push(arg)
+  }
+  return out
+}
+
+function extractDashCDir(args: readonly string[]): string | null {
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i]
+    if (arg === '-C') {
+      const v = args[i + 1]
+      if (v !== undefined) return stripQuotes(v)
+    }
+  }
+  return null
+}
+
+type GitInvocation = { args: string[]; hasLeadingEnvAssignment: boolean }
+
+// Null unless there is exactly one `git` at command position. Composition is NOT
+// rejected here — it is screened later against the original command so the block
+// reason stays accurate. hasLeadingEnvAssignment flags `FOO=bar git …`: such an
+// assignment lands in git's env (where a `GIT_ASKPASS=…` override would receive
+// the token), so the caller blocks it for token-bearing commands.
+function extractSingleGitInvocation(command: string): GitInvocation | null {
+  const tokens = tokenize(command)
+  const gitStarts: number[] = []
+  for (let i = 0; i < tokens.length; i++) {
+    if (tokens[i] !== 'git') continue
+    if (i === 0 || isCommandBoundaryBefore(tokens, i)) gitStarts.push(i)
+  }
+  if (gitStarts.length !== 1) return null
+  const start = gitStarts[0] as number
+  const hasLeadingEnvAssignment = start > 0 && /^[A-Za-z_][A-Za-z0-9_]*=/.test(tokens[start - 1] ?? '')
+  const args = tokens.slice(start + 1).filter((t) => t !== '\n' && t !== ';' && t !== '|' && t !== '&')
+  return { args, hasLeadingEnvAssignment }
+}
+
+function isCommandBoundaryBefore(tokens: readonly string[], index: number): boolean {
+  let cursor = index - 1
+  while (cursor >= 0) {
+    const prev = tokens[cursor]
+    if (prev === undefined) return false
+    if (prev === '&&' || prev === '||' || prev === '|' || prev === ';' || prev === '\n') return true
+    if (/^[A-Za-z_][A-Za-z0-9_]*=/.test(prev)) {
+      cursor -= 1
+      continue
+    }
+    return false
+  }
+  return true
+}
+
+function containsShellActiveMetachar(command: string): boolean {
+  let quote: '"' | "'" | null = null
+  for (let i = 0; i < command.length; i++) {
+    const ch = command[i] as string
+    if (quote === "'") {
+      if (ch === "'") quote = null
+      continue
+    }
+    if (quote === '"') {
+      if (ch === '$' || ch === '`') return true
+      if (ch === '"') quote = null
+      continue
+    }
+    if (ch === "'" || ch === '"') {
+      quote = ch
+      continue
+    }
+    if (SHELL_ACTIVE_METACHARS.has(ch)) return true
+  }
+  return false
+}
+
+// unsafe=true when the command LOOKS like a `cd … && git …` but the cd target is
+// not a plain path we can faithfully turn into `git -C` (shell `~`/`-` expansion,
+// metachars). The caller then passes through rather than rewrite wrong cwd.
+type StrippedCd = { cdDir: string | null; rest: string; unsafe: boolean }
+
+// Accepts ONLY `cd <simple-path> && git …`. <simple-path> must be a single
+// token (optionally quoted) free of metachars and of a literal single quote
+// (rewriteCdToDashC single-quotes it), and not a shell-expanded `~`/`-`. A plain
+// command (no `cd` prefix) returns cdDir=null, unsafe=false.
+function stripSafeCdPrefix(command: string): StrippedCd {
+  const m = command.match(/^\s*cd\s+("[^"]*"|'[^']*'|[^\s'"]+)\s+&&\s+(git\b[\s\S]*)$/)
+  if (m === null) return { cdDir: null, rest: command, unsafe: false }
+  const rawDir = m[1] as string
+  const rest = m[2] as string
+  const dir = stripQuotes(rawDir)
+  const shellExpands = dir === '-' || dir === '~' || dir.startsWith('~/')
+  if (dir.includes('$') || dir.includes('`') || dir.includes("'") || /[;|&<>()]/.test(dir) || shellExpands) {
+    return { cdDir: null, rest: command, unsafe: true }
+  }
+  return { cdDir: dir, rest, unsafe: false }
+}
+
+function rewriteCdToDashC(dir: string, gitCommand: string): string {
+  return gitCommand.replace(/^git\b/, `git -C '${dir}'`)
+}
+
+function resolveCwd(base: string, dir: string | null): string {
+  if (dir === null || dir === '') return base
+  if (dir.startsWith('/')) return dir
+  return `${base.replace(/\/$/, '')}/${dir}`
+}
+
+function stripQuotes(token: string): string {
+  if (token.length < 2) return token
+  const first = token[0]
+  const last = token[token.length - 1]
+  if ((first === '"' && last === '"') || (first === "'" && last === "'")) return token.slice(1, -1)
+  return token
+}
+
+// Quote-aware; emits shell control operators as standalone tokens so
+// command-boundary detection works. Mirrors gh-command.ts's tokenize.
+function tokenize(command: string): string[] {
+  const tokens: string[] = []
+  let current = ''
+  let quote: '"' | "'" | null = null
+  let hasContent = false
+
+  const flush = (): void => {
+    if (hasContent) {
+      tokens.push(current)
+      current = ''
+      hasContent = false
+    }
+  }
+
+  for (let i = 0; i < command.length; i++) {
+    const ch = command[i]
+    if (ch === undefined) continue
+    if (quote !== null) {
+      if (ch === quote) quote = null
+      else current += ch
+      continue
+    }
+    if (ch === '"' || ch === "'") {
+      quote = ch
+      hasContent = true
+      continue
+    }
+    if (ch === ' ' || ch === '\t') {
+      flush()
+      continue
+    }
+    if (ch === '\n') {
+      flush()
+      tokens.push('\n')
+      continue
+    }
+    if (ch === ';' || ch === '|' || ch === '&') {
+      flush()
+      const next = command[i + 1]
+      if ((ch === '|' && next === '|') || (ch === '&' && next === '&')) {
+        tokens.push(ch + ch)
+        i += 1
+      } else {
+        tokens.push(ch)
+      }
+      continue
+    }
+    current += ch
+    hasContent = true
+  }
+  flush()
+  return tokens
+}

package/src/bundled-plugins/github-cli-auth/index.ts

@@ -4,6 +4,8 @@ import { definePlugin } from '@/plugin'
 import { createApproveIdempotencyGuard } from './approve-idempotency'
 import { createGithubEffectiveApprovalResolver, createGithubHeadShaResolver } from './effective-approval'
 import { analyzeGhCommand } from './gh-command'
+import { ensureGitAskPassHelper } from './git-askpass'
+import { analyzeGitCommand, defaultGitResolvers } from './git-command'
 import { checkGraphqlAuthNudge } from './graphql-auth-nudge'
 import { commitReviewIfSucceeded, noteReviewCommand } from './review-recorder'
 import { classifyGhToken } from './token-class'
@@ -19,48 +21,107 @@ export default definePlugin({
       resolveEffectiveApproval: createGithubEffectiveApprovalResolver({ resolveToken }),
       resolveHeadSha: createGithubHeadShaResolver({ resolveToken }),
     })
+
+    type HookResult = void | { block: true; reason: string }
+
+    // 'fall-through' means "not a repo-targeting gh command" so the caller can
+    // try the git path on the same command (e.g. `git ... # gh` substrings).
+    const handleGhCommand = async (params: {
+      event: { callId: string; args: Record<string, unknown> }
+      command: string
+    }): Promise<HookResult | 'fall-through'> => {
+      const { event, command } = params
+      const review = await noteReviewCommand({ callId: event.callId, command })
+      if (review.detected !== null) {
+        const block = await verdictGuard.guard({
+          callId: event.callId,
+          workspace: review.detected.workspace,
+          prNumber: review.detected.prNumber,
+          verdict: review.detected.verdict,
+        })
+        if (block !== null) return block
+      }
+      if (review.dump !== null) return review.dump
+
+      const decision = analyzeGhCommand(command)
+      if (decision.kind === 'pass-through') return 'fall-through'
+
+      const tokenClass = classifyGhToken(process.env.GH_TOKEN)
+      // Classic PATs reach every owner; nothing to inject or enforce.
+      if (tokenClass === 'cross-owner') return
+
+      if (decision.kind === 'block') return { block: true, reason: decision.reason }
+
+      // Fine-grained PATs are single-owner but cannot be re-minted per repo;
+      // the seeded GH_TOKEN is the only token we have. Leave it in place so
+      // `gh` fails honestly if the named repo is under a different owner.
+      if (tokenClass === 'fine-grained-pat') return
+
+      const result = await resolveTokenForRepo(decision.repoSlug)
+      if (result.kind === 'unavailable') return { block: true, reason: result.reason }
+      // Inject via the internal env overlay (delivered to the spawn / bwrap
+      // --setenv by the bash wrapper) so the token never enters the command
+      // string, where it could leak through logs or later hooks.
+      event.args[TYPECLAW_INTERNAL_BASH_ENV] = { GH_TOKEN: result.token }
+      // graphql consumed `-R/--repo` as a mint hint; `gh api` rejects it, so
+      // run the command with the flag stripped (token still rides in env).
+      if (decision.rewrittenCommand !== undefined) event.args.command = decision.rewrittenCommand
+      return
+    }
+
+    const handleGitCommand = async (params: {
+      event: { args: Record<string, unknown> }
+      command: string
+      agentDir: string
+    }): Promise<HookResult> => {
+      const { event, command, agentDir } = params
+      // Only App auth re-mints per repo. Classic/fine-grained PATs and absent
+      // tokens are left untouched, exactly as the gh path treats them.
+      if (classifyGhToken(process.env.GH_TOKEN) !== 'app') return
+
+      const decision = await analyzeGitCommand(command, { cwd: agentDir, resolvers: defaultGitResolvers })
+      if (decision.kind === 'pass-through') return
+      if (decision.kind === 'block') return { block: true, reason: decision.reason }
+
+      const result = await resolveTokenForRepo(decision.repoSlug)
+      if (result.kind === 'unavailable') return { block: true, reason: result.reason }
+
+      const askpass = await ensureGitAskPassHelper()
+      const existing = event.args[TYPECLAW_INTERNAL_BASH_ENV]
+      const overlay = existing !== null && typeof existing === 'object' ? (existing as Record<string, string>) : {}
+      // Token rides in TYPECLAW_GIT_TOKEN (read by the askpass helper), never in
+      // argv/config. insteadOf rewrites SSH/scp remotes to https so the helper's
+      // credential applies; GIT_TERMINAL_PROMPT=0 fails fast instead of hanging.
+      event.args[TYPECLAW_INTERNAL_BASH_ENV] = {
+        ...overlay,
+        GIT_ASKPASS: askpass,
+        TYPECLAW_GIT_TOKEN: result.token,
+        GIT_TERMINAL_PROMPT: '0',
+        GIT_CONFIG_COUNT: '2',
+        GIT_CONFIG_KEY_0: 'url.https://github.com/.insteadOf',
+        GIT_CONFIG_VALUE_0: 'git@github.com:',
+        GIT_CONFIG_KEY_1: 'url.https://github.com/.insteadOf',
+        GIT_CONFIG_VALUE_1: 'ssh://git@github.com/',
+      }
+      if (decision.rewrittenCommand !== undefined) event.args.command = decision.rewrittenCommand
+      return
+    }
+
     return {
       hooks: {
         'tool.before': async (event) => {
           if (event.tool !== 'bash') return
           const command = event.args.command
-          if (typeof command !== 'string' || !command.includes('gh')) return
-
-          const review = await noteReviewCommand({ callId: event.callId, command })
-          if (review.detected !== null) {
-            const block = await verdictGuard.guard({
-              callId: event.callId,
-              workspace: review.detected.workspace,
-              prNumber: review.detected.prNumber,
-              verdict: review.detected.verdict,
-            })
-            if (block !== null) return block
+          if (typeof command !== 'string') return
+
+          if (command.includes('gh')) {
+            const ghResult = await handleGhCommand({ event, command })
+            if (ghResult !== 'fall-through') return ghResult
+          }
+
+          if (command.includes('git')) {
+            return await handleGitCommand({ event, command, agentDir: ctx.agentDir })
           }
-          if (review.dump !== null) return review.dump
-
-          const decision = analyzeGhCommand(command)
-          if (decision.kind === 'pass-through') return
-
-          const tokenClass = classifyGhToken(process.env.GH_TOKEN)
-          // Classic PATs reach every owner; nothing to inject or enforce.
-          if (tokenClass === 'cross-owner') return
-
-          if (decision.kind === 'block') return { block: true, reason: decision.reason }
-
-          // Fine-grained PATs are single-owner but cannot be re-minted per repo;
-          // the seeded GH_TOKEN is the only token we have. Leave it in place so
-          // `gh` fails honestly if the named repo is under a different owner.
-          if (tokenClass === 'fine-grained-pat') return
-
-          const result = await resolveTokenForRepo(decision.repoSlug)
-          if (result.kind === 'unavailable') return { block: true, reason: result.reason }
-          // Inject via the internal env overlay (delivered to the spawn / bwrap
-          // --setenv by the bash wrapper) so the token never enters the command
-          // string, where it could leak through logs or later hooks.
-          event.args[TYPECLAW_INTERNAL_BASH_ENV] = { GH_TOKEN: result.token }
-          // graphql consumed `-R/--repo` as a mint hint; `gh api` rejects it, so
-          // run the command with the flag stripped (token still rides in env).
-          if (decision.rewrittenCommand !== undefined) event.args.command = decision.rewrittenCommand
           return
         },
         'tool.after': async (event) => {