tweek 0.1.0__py3-none-any.whl → 0.2.0__py3-none-any.whl

tweek/hooks/pre_tool_use.py

@@ -25,6 +25,7 @@ Claude Code Hook Protocol:
 - "permissionDecision": "ask" - prompt user for confirmation
 - "permissionDecision": "deny" - block execution
 """
+from __future__ import annotations
 
 import json
 import os
@@ -42,6 +43,17 @@ sys.path.insert(0, str(Path(__file__).parent.parent.parent))
 from tweek.logging.security_log import (
     SecurityLogger, SecurityEvent, EventType, get_logger
 )
+from tweek.hooks.overrides import (
+    get_overrides, get_trust_mode, is_protected_config_file,
+    bash_targets_protected_config, filter_by_severity, SEVERITY_RANK,
+    EnforcementPolicy,
+)
+from tweek.skills.guard import (
+    get_skill_guard_reason,
+    get_skill_download_prompt,
+)
+from tweek.skills.fingerprints import get_fingerprints
+from tweek.sandbox.project import get_project_sandbox
 
 
 # =============================================================================
@@ -195,6 +207,139 @@ def run_screening_plugins(
         return True, False, None, []
 
 
+# Module-level caches for hot-path performance (avoid YAML re-parsing per invocation)
+_cached_tier_mgr: Optional["TierManager"] = None
+_cached_pattern_matcher: Optional["PatternMatcher"] = None
+
+
+def _get_tier_manager() -> "TierManager":
+    """Get or create cached TierManager singleton."""
+    global _cached_tier_mgr
+    if _cached_tier_mgr is None:
+        _cached_tier_mgr = TierManager()
+    return _cached_tier_mgr
+
+
+def _get_pattern_matcher() -> "PatternMatcher":
+    """Get or create cached PatternMatcher singleton."""
+    global _cached_pattern_matcher
+    if _cached_pattern_matcher is None:
+        _cached_pattern_matcher = PatternMatcher()
+    return _cached_pattern_matcher
+
+
+_cached_heuristic_scorer: Optional[Any] = None
+_heuristic_scorer_checked: bool = False
+
+
+def _get_heuristic_scorer(tier_mgr: "TierManager") -> Optional[Any]:
+    """Get or create cached HeuristicScorerPlugin singleton.
+
+    Returns None if the scorer is disabled in config or unavailable.
+    Uses a checked-flag pattern to avoid re-importing on every call
+    if the module isn't available.
+    """
+    global _cached_heuristic_scorer, _heuristic_scorer_checked
+    if _heuristic_scorer_checked:
+        return _cached_heuristic_scorer
+    _heuristic_scorer_checked = True
+
+    # Check config: heuristic_scorer.enabled
+    hs_config = tier_mgr.config.get("heuristic_scorer", {})
+    if not hs_config.get("enabled", True):
+        return None
+
+    try:
+        from tweek.plugins.screening.heuristic_scorer import HeuristicScorerPlugin
+        _cached_heuristic_scorer = HeuristicScorerPlugin()
+        return _cached_heuristic_scorer
+    except ImportError:
+        return None
+    except Exception:
+        return None
+
+
+def _resolve_enforcement(
+    pattern_match: Optional[Dict],
+    enforcement_policy: Optional[EnforcementPolicy],
+    has_non_pattern_trigger: bool = False,
+    memory_adjustment: Optional[Dict] = None,
+) -> str:
+    """Determine the enforcement decision based on severity + confidence.
+
+    Args:
+        pattern_match: The highest-severity pattern match dict, or None.
+        enforcement_policy: The active EnforcementPolicy (from overrides config).
+        has_non_pattern_trigger: True if LLM/session/sandbox/compliance triggered.
+        memory_adjustment: Optional memory-based adjustment suggestion.
+
+    Returns:
+        Decision string: "deny", "ask", or "log".
+    """
+    # Non-pattern triggers (LLM review, session anomaly, etc.) always "ask"
+    if not pattern_match:
+        if has_non_pattern_trigger:
+            return "ask"
+        return "log"
+
+    severity = pattern_match.get("severity", "medium")
+    confidence = pattern_match.get("confidence", "heuristic")
+
+    # Use the enforcement policy matrix if available
+    if enforcement_policy:
+        decision = enforcement_policy.resolve(severity, confidence)
+    elif severity == "critical" and confidence == "deterministic":
+        decision = "deny"
+    elif severity == "low":
+        decision = "log"
+    else:
+        decision = "ask"
+
+    # Break-glass: downgrade "deny" to "ask" if active override exists
+    if decision == "deny":
+        try:
+            from tweek.hooks.break_glass import check_override
+            override = check_override(pattern_match.get("name", ""))
+            if override:
+                # Log the break-glass usage
+                _log(
+                    EventType.BREAK_GLASS,
+                    "break_glass",
+                    decision="ask",
+                    decision_reason=(
+                        f"Break-glass override active for pattern "
+                        f"'{pattern_match.get('name')}': {override.get('reason', 'no reason')}"
+                    ),
+                    metadata={
+                        "pattern_name": pattern_match.get("name"),
+                        "override_mode": override.get("mode"),
+                        "override_reason": override.get("reason"),
+                        "override_created_at": override.get("created_at"),
+                    },
+                )
+                decision = "ask"  # Downgrade deny → ask (user still sees prompt)
+        except ImportError:
+            pass  # Break-glass module not available
+
+    # Memory-based adjustment: only touches "ask" decisions
+    if memory_adjustment and decision == "ask":
+        try:
+            from tweek.memory.safety import validate_memory_adjustment
+            suggested = memory_adjustment.get("adjusted_decision")
+            if suggested:
+                decision = validate_memory_adjustment(
+                    pattern_name=pattern_match.get("name", "") if pattern_match else "",
+                    original_severity=pattern_match.get("severity", "medium") if pattern_match else "medium",
+                    original_confidence=pattern_match.get("confidence", "heuristic") if pattern_match else "heuristic",
+                    suggested_decision=suggested,
+                    current_decision=decision,
+                )
+        except Exception:
+            pass  # Memory is best-effort
+
+    return decision
+
+
 class TierManager:
     """Manages security tier classification and escalation."""
 
@@ -239,7 +384,7 @@ class TierManager:
         for escalation in self.escalations:
             pattern = escalation.get("pattern", "")
             try:
-                if re.search(pattern, content, re.IGNORECASE):
+                if re.search(pattern, content, re.IGNORECASE | re.DOTALL):
                     target_tier = escalation.get("escalate_to", "default")
                     priority = tier_priority.get(target_tier, 1)
                     if priority > highest_priority:
@@ -250,33 +395,134 @@ class TierManager:
 
         return highest_match
 
+    def check_path_escalation(
+        self,
+        target_paths: List[str],
+        working_dir: Optional[str],
+    ) -> Optional[Dict]:
+        """Check if any target paths are outside the working directory.
+
+        Returns an escalation dict if an out-of-project path is detected,
+        or None. The dict has the same shape as content-based escalations
+        (escalate_to, description keys) plus path_boundary and target_path.
+        """
+        if not working_dir or not target_paths:
+            return None
+
+        try:
+            cwd_resolved = Path(working_dir).expanduser().resolve()
+        except (OSError, ValueError):
+            return None
+
+        path_config = self.config.get("path_boundary", {})
+        if not path_config.get("enabled", True):
+            return None
+
+        sensitive_dirs = path_config.get("sensitive_directories", [
+            {"pattern": ".ssh", "escalate_to": "dangerous", "description": "SSH directory access"},
+            {"pattern": ".aws", "escalate_to": "dangerous", "description": "AWS credentials directory"},
+            {"pattern": ".gnupg", "escalate_to": "dangerous", "description": "GPG keyring directory"},
+            {"pattern": ".kube", "escalate_to": "dangerous", "description": "Kubernetes config directory"},
+            {"pattern": "/etc/shadow", "escalate_to": "dangerous", "description": "System shadow file"},
+            {"pattern": "/etc/sudoers", "escalate_to": "dangerous", "description": "Sudoers file"},
+            {"pattern": "/etc/passwd", "escalate_to": "risky", "description": "System passwd file"},
+        ])
+
+        default_escalate_to = path_config.get("default_escalate_to", "risky")
+
+        tier_priority = {"safe": 0, "default": 1, "risky": 2, "dangerous": 3}
+        highest_escalation = None
+        highest_priority = -1
+
+        for target_path_str in target_paths:
+            try:
+                target_resolved = Path(target_path_str).expanduser().resolve()
+            except (OSError, ValueError):
+                continue
+
+            # Check if path is inside the project
+            try:
+                target_resolved.relative_to(cwd_resolved)
+                continue  # Inside project -- no escalation
+            except ValueError:
+                pass  # Outside project -- check further
+
+            # Path is outside project. Check sensitive directories.
+            target_str_lower = str(target_resolved).lower()
+
+            matched_sensitive = False
+            for sensitive in sensitive_dirs:
+                pattern = sensitive.get("pattern", "")
+                if pattern and pattern in target_str_lower:
+                    esc_to = sensitive.get("escalate_to", "dangerous")
+                    priority = tier_priority.get(esc_to, 2)
+                    if priority > highest_priority:
+                        highest_priority = priority
+                        highest_escalation = {
+                            "escalate_to": esc_to,
+                            "description": f"Out-of-project access: {sensitive.get('description', pattern)}",
+                            "path_boundary": True,
+                            "target_path": target_path_str,
+                        }
+                    matched_sensitive = True
+                    break
+
+            if not matched_sensitive:
+                priority = tier_priority.get(default_escalate_to, 2)
+                if priority > highest_priority:
+                    highest_priority = priority
+                    highest_escalation = {
+                        "escalate_to": default_escalate_to,
+                        "description": f"Out-of-project file access: {target_path_str}",
+                        "path_boundary": True,
+                        "target_path": target_path_str,
+                    }
+
+        return highest_escalation
+
     def get_effective_tier(
         self,
         tool_name: str,
         content: str,
-        skill_name: Optional[str] = None
+        skill_name: Optional[str] = None,
+        target_paths: Optional[List[str]] = None,
+        working_dir: Optional[str] = None,
     ) -> tuple[str, Optional[Dict]]:
-        """Get the effective tier after checking escalations.
+        """Get the effective tier after checking content and path escalations.
 
         Returns (tier, escalation_match) where escalation_match is None
-        if no escalation occurred.
+        if no escalation occurred. Takes the highest of base tier,
+        content-based escalation, and path-boundary escalation.
         """
+        tier_priority = {"safe": 0, "default": 1, "risky": 2, "dangerous": 3}
+
         base_tier = self.get_base_tier(tool_name, skill_name)
-        escalation = self.check_escalations(content)
+        content_escalation = self.check_escalations(content)
+        path_escalation = self.check_path_escalation(
+            target_paths or [], working_dir
+        )
 
-        if escalation is None:
-            return base_tier, None
+        best_tier = base_tier
+        best_priority = tier_priority.get(base_tier, 1)
+        best_escalation = None
 
-        tier_priority = {"safe": 0, "default": 1, "risky": 2, "dangerous": 3}
-        base_priority = tier_priority.get(base_tier, 1)
-        escalated_tier = escalation.get("escalate_to", "default")
-        escalated_priority = tier_priority.get(escalated_tier, 1)
+        if content_escalation:
+            esc_tier = content_escalation.get("escalate_to", "default")
+            esc_priority = tier_priority.get(esc_tier, 1)
+            if esc_priority > best_priority:
+                best_tier = esc_tier
+                best_priority = esc_priority
+                best_escalation = content_escalation
 
-        # Only escalate, never de-escalate
-        if escalated_priority > base_priority:
-            return escalated_tier, escalation
+        if path_escalation:
+            esc_tier = path_escalation.get("escalate_to", "default")
+            esc_priority = tier_priority.get(esc_tier, 1)
+            if esc_priority > best_priority:
+                best_tier = esc_tier
+                best_priority = esc_priority
+                best_escalation = path_escalation
 
-        return base_tier, None
+        return best_tier, best_escalation
 
     def get_screening_methods(self, tier: str) -> List[str]:
         """Get the screening methods for a tier."""
@@ -288,16 +534,34 @@ class PatternMatcher:
     """Matches commands against hostile patterns."""
 
     def __init__(self, patterns_path: Optional[Path] = None):
-        # Try user patterns first (~/.tweek/patterns/), fall back to bundled
+        # Always load bundled patterns first, then merge user patterns on top
         user_patterns = Path.home() / ".tweek" / "patterns" / "patterns.yaml"
         bundled_patterns = Path(__file__).parent.parent / "config" / "patterns.yaml"
 
         if patterns_path is not None:
-            self.patterns = self._load_patterns(patterns_path)
-        elif user_patterns.exists():
-            self.patterns = self._load_patterns(user_patterns)
+            # Explicit path: load bundled + explicit (for testing)
+            self.patterns = self._load_patterns(bundled_patterns)
+            extra = self._load_patterns(patterns_path)
+            self._merge_patterns(extra)
         else:
+            # Always start with bundled patterns
             self.patterns = self._load_patterns(bundled_patterns)
+            # Merge user patterns on top (additive, not replacement)
+            if user_patterns.exists():
+                extra = self._load_patterns(user_patterns)
+                self._merge_patterns(extra)
+
+    def _merge_patterns(self, extra_patterns: List[dict]):
+        """Merge additional patterns into existing set (additive).
+
+        User patterns supplement bundled patterns — they cannot replace or
+        remove bundled patterns. Duplicate names are skipped.
+        """
+        existing_names = {p.get("name") for p in self.patterns}
+        for pattern in extra_patterns:
+            if pattern.get("name") not in existing_names:
+                self.patterns.append(pattern)
+                existing_names.add(pattern.get("name"))
 
     def _load_patterns(self, path: Path) -> List[dict]:
         """Load patterns from YAML config.
@@ -313,14 +577,21 @@ class PatternMatcher:
 
         return config.get("patterns", [])
 
+    @staticmethod
+    def _normalize(content: str) -> str:
+        """Normalize Unicode to defeat homoglyph evasion (e.g., Cyrillic 'а' → Latin 'a')."""
+        import unicodedata
+        return unicodedata.normalize("NFKC", content)
+
     def check(self, content: str) -> Optional[dict]:
         """Check content against all patterns.
 
         Returns the first matching pattern, or None.
         """
+        content = self._normalize(content)
         for pattern in self.patterns:
             try:
-                if re.search(pattern.get("regex", ""), content, re.IGNORECASE):
+                if re.search(pattern.get("regex", ""), content, re.IGNORECASE | re.DOTALL):
                     return pattern
             except re.error:
                 continue
@@ -328,10 +599,11 @@ class PatternMatcher:
 
     def check_all(self, content: str) -> List[dict]:
         """Check content against all patterns, returning all matches."""
+        content = self._normalize(content)
         matches = []
         for pattern in self.patterns:
             try:
-                if re.search(pattern.get("regex", ""), content, re.IGNORECASE):
+                if re.search(pattern.get("regex", ""), content, re.IGNORECASE | re.DOTALL):
                     matches.append(pattern)
             except re.error:
                 continue
@@ -402,6 +674,150 @@ def format_prompt_message(
     return "\n".join(lines)
 
 
+def _check_project_skill_fingerprints(working_dir: Optional[str], _log) -> None:
+    """
+    Check project skills for new/modified SKILL.md files via fingerprint cache.
+
+    If a new or modified skill is detected (e.g. from git pull/clone), it is
+    routed through the isolation chamber for security scanning. Results:
+    - PASS: skill stays in place, fingerprint recorded
+    - FAIL: skill removed from project dir, jailed, user warned
+    - MANUAL_REVIEW: skill moved to chamber, user warned
+    """
+    if not working_dir:
+        return
+
+    from tweek.skills.config import load_isolation_config
+
+    config = load_isolation_config()
+    if not config.enabled:
+        return
+
+    fingerprints = get_fingerprints()
+    changed = fingerprints.check_project_skills(Path(working_dir))
+
+    if not changed:
+        return
+
+    # Import chamber lazily to avoid circular imports and overhead on clean runs
+    from tweek.skills.isolation import SkillIsolationChamber
+
+    chamber = SkillIsolationChamber(config=config)
+
+    for skill_path, status in changed:
+        skill_name = skill_path.parent.name
+        _log(
+            EventType.TOOL_INVOKED,
+            "SkillFingerprint",
+            tier="skill_guard",
+            decision="scan",
+            decision_reason=f"Git-arrived skill detected: {skill_name} ({status})",
+        )
+
+        report, msg = chamber.accept_and_scan(
+            skill_path.parent,
+            skill_name=f"git-{skill_name}",
+            target="project",
+        )
+
+        if report.verdict == "pass":
+            # Record the fingerprint so we don't re-scan
+            fingerprints.register(
+                skill_path,
+                verdict="pass",
+                report_path=msg,
+            )
+        elif report.verdict == "fail":
+            # Remove from project dir — it's now in jail
+            import shutil
+
+            try:
+                shutil.rmtree(skill_path.parent)
+            except OSError:
+                pass
+            print(
+                f"TWEEK SECURITY: Skill '{skill_name}' FAILED security scan "
+                f"and was removed from project. See: tweek skills jail list",
+                file=sys.stderr,
+            )
+        elif report.verdict == "manual_review":
+            print(
+                f"TWEEK SECURITY: Skill '{skill_name}' requires manual review. "
+                f"Run: tweek skills chamber approve git-{skill_name}",
+                file=sys.stderr,
+            )
+
+
+# =============================================================================
+# PATH EXTRACTION: Extract filesystem target paths from tool inputs
+# =============================================================================
+
+
+def _extract_paths_from_bash(command: str) -> List[str]:
+    """Best-effort extraction of filesystem paths from a bash command.
+
+    Catches obvious cases like:
+      cat /etc/passwd
+      cp ~/.ssh/id_rsa /tmp/key
+      python3 /home/user/script.py
+
+    Intentionally simple -- does NOT handle pipes, subshells, or variable
+    expansion. Content-based escalations (259 patterns) cover the rest.
+    """
+    import shlex
+
+    paths: List[str] = []
+    if not command:
+        return paths
+
+    # Only look at the first simple command (before |, &&, ||, ;)
+    first_cmd = re.split(r'[|;&]', command)[0].strip()
+
+    try:
+        tokens = shlex.split(first_cmd)
+    except ValueError:
+        # Malformed quotes -- fall back to simple split
+        tokens = first_cmd.split()
+
+    for token in tokens:
+        if token.startswith('-'):
+            continue
+        if token.startswith('/') or token.startswith('~'):
+            paths.append(token)
+
+    return paths
+
+
+def extract_target_paths(tool_name: str, tool_input: Dict[str, Any]) -> List[str]:
+    """Extract filesystem paths from a tool invocation for boundary checking.
+
+    Returns a list of path strings. For tools with no filesystem target
+    (WebFetch, WebSearch), returns an empty list.
+    """
+    paths: List[str] = []
+
+    if tool_name in ("Read", "Write", "Edit"):
+        fp = tool_input.get("file_path", "")
+        if fp:
+            paths.append(fp)
+    elif tool_name == "NotebookEdit":
+        np = tool_input.get("notebook_path", "")
+        if np:
+            paths.append(np)
+    elif tool_name == "Glob":
+        gp = tool_input.get("path", "")
+        if gp:
+            paths.append(gp)
+    elif tool_name == "Grep":
+        gp = tool_input.get("path", "")
+        if gp:
+            paths.append(gp)
+    elif tool_name == "Bash":
+        paths.extend(_extract_paths_from_bash(tool_input.get("command", "")))
+
+    return paths
+
+
 def process_hook(input_data: dict, logger: SecurityLogger) -> dict:
     """Main hook logic with tiered security screening.
 
@@ -425,7 +841,7 @@ def process_hook(input_data: dict, logger: SecurityLogger) -> dict:
     working_dir = input_data.get("cwd")
 
     # Generate correlation ID to link all events in this screening pass
-    correlation_id = uuid.uuid4().hex[:12]
+    correlation_id = uuid.uuid4().hex[:16]
 
     def _log(event_type, tool, **kwargs):
         """Log with correlation_id, source, and session_id automatically included."""
@@ -436,19 +852,241 @@ def process_hook(input_data: dict, logger: SecurityLogger) -> dict:
             **kwargs
         )
 
-    # Extract content to analyze (command for Bash, path for Read, etc.)
+    # =========================================================================
+    # PROJECT SANDBOX: Initialize per-project security state isolation
+    # Provides project-scoped logger, overrides, and fingerprints (Layer 2)
+    # =========================================================================
+    _sandbox = None
+    try:
+        _sandbox = get_project_sandbox(working_dir)
+        if _sandbox:
+            # Replace logger with project-scoped one (Python closures are
+            # late-binding, so _log will use the new logger automatically)
+            logger = _sandbox.get_logger()
+    except Exception:
+        # Sandbox init is best-effort — fall back to global state
+        _sandbox = None
+
+    # =========================================================================
+    # SKILL FINGERPRINT CHECK: Detect new/modified git-arrived skills
+    # Lightweight SHA-256 check; full scan only on first encounter or change
+    # =========================================================================
+    try:
+        _check_project_skill_fingerprints(working_dir, _log)
+    except Exception:
+        # Fingerprint check is best-effort — never break the hook
+        pass
+
+    # =========================================================================
+    # SELF-PROTECTION: Block AI from modifying security override config
+    # This file can only be edited by a human directly.
+    # =========================================================================
+    if tool_name in ("Write", "Edit"):
+        target_path = tool_input.get("file_path", "")
+        if is_protected_config_file(target_path):
+            _log(
+                EventType.BLOCKED,
+                tool_name,
+                tier="self_protection",
+                decision="deny",
+                decision_reason=f"BLOCKED: AI cannot modify security override config: {target_path}",
+            )
+            return {
+                "hookSpecificOutput": {
+                    "hookEventName": "PreToolUse",
+                    "permissionDecision": "deny",
+                    "permissionDecisionReason": (
+                        "TWEEK SELF-PROTECTION: This file can only be edited by a human.\n"
+                        f"File: {target_path}\n"
+                        "Security overrides (whitelist, pattern toggles, trust levels) are human-only.\n"
+                        "Edit this file directly in your text editor."
+                    ),
+                }
+            }
+
+    if tool_name == "Bash":
+        command = tool_input.get("command", "")
+        if bash_targets_protected_config(command):
+            _log(
+                EventType.BLOCKED,
+                tool_name,
+                tier="self_protection",
+                decision="deny",
+                decision_reason="BLOCKED: Bash command targets protected config file",
+            )
+            return {
+                "hookSpecificOutput": {
+                    "hookEventName": "PreToolUse",
+                    "permissionDecision": "deny",
+                    "permissionDecisionReason": (
+                        "TWEEK SELF-PROTECTION: Cannot modify security override config via shell.\n"
+                        "Security overrides can only be edited by a human directly."
+                    ),
+                }
+            }
+
+        # Block AI from running tweek trust/untrust/uninstall — human-only commands
+        command_stripped = command.strip()
+        if re.match(r"tweek\s+(trust|untrust|uninstall)\b", command_stripped):
+            if "uninstall" in command_stripped:
+                reason = (
+                    "TWEEK SELF-PROTECTION: Uninstall must be done by a human.\n"
+                    "Run this command directly in your terminal:\n"
+                    f"  {command_stripped}\n"
+                    "AI agents cannot remove security protections."
+                )
+                log_reason = "BLOCKED: AI cannot run tweek uninstall"
+            else:
+                reason = (
+                    "TWEEK SELF-PROTECTION: Trust decisions must be made by a human.\n"
+                    "Run this command directly in your terminal:\n"
+                    f"  {command_stripped}\n"
+                    "Trust settings control which projects are exempt from security screening."
+                )
+                log_reason = "BLOCKED: AI cannot modify trust settings"
+            _log(
+                EventType.BLOCKED,
+                tool_name,
+                tier="self_protection",
+                decision="deny",
+                decision_reason=log_reason,
+            )
+            return {
+                "hookSpecificOutput": {
+                    "hookEventName": "PreToolUse",
+                    "permissionDecision": "deny",
+                    "permissionDecisionReason": reason,
+                }
+            }
+
+    # =========================================================================
+    # SKILL GUARD: Block direct skill installation bypassing isolation chamber
+    # =========================================================================
+    skill_block_reason = get_skill_guard_reason(tool_name, tool_input)
+    if skill_block_reason:
+        _log(
+            EventType.BLOCKED,
+            tool_name,
+            tier="skill_guard",
+            decision="deny",
+            decision_reason=skill_block_reason,
+        )
+        return {
+            "hookSpecificOutput": {
+                "hookEventName": "PreToolUse",
+                "permissionDecision": "deny",
+                "permissionDecisionReason": skill_block_reason,
+            }
+        }
+
+    # Skill download detection: prompt user instead of blocking
+    if tool_name == "Bash":
+        download_prompt = get_skill_download_prompt(tool_input.get("command", ""))
+        if download_prompt:
+            _log(
+                EventType.TOOL_INVOKED,
+                tool_name,
+                tier="skill_guard",
+                decision="ask",
+                decision_reason="Potential skill download detected",
+            )
+            return {
+                "hookSpecificOutput": {
+                    "hookEventName": "PreToolUse",
+                    "permissionDecision": "ask",
+                    "permissionDecisionReason": download_prompt,
+                }
+            }
+
+    # Extract target filesystem paths for boundary checking
+    target_paths = extract_target_paths(tool_name, tool_input)
+
+    # Extract content to analyze (command for Bash, path + payload for Write/Edit, etc.)
     if tool_name == "Bash":
         content = tool_input.get("command", "")
-    elif tool_name in ("Read", "Write", "Edit"):
+    elif tool_name == "Read":
         content = tool_input.get("file_path", "")
+    elif tool_name == "Write":
+        # Screen both path and content payload
+        file_path = tool_input.get("file_path", "")
+        file_content = tool_input.get("content", "")
+        content = f"{file_path}\n{file_content}" if file_content else file_path
+    elif tool_name == "Edit":
+        # Screen path, old content (may carry injection context), and new content
+        file_path = tool_input.get("file_path", "")
+        old_string = tool_input.get("old_string", "")
+        new_string = tool_input.get("new_string", "")
+        content = "\n".join(filter(None, [file_path, old_string, new_string]))
+    elif tool_name == "NotebookEdit":
+        # Screen notebook path and cell source content
+        notebook_path = tool_input.get("notebook_path", "")
+        new_source = tool_input.get("new_source", "")
+        content = f"{notebook_path}\n{new_source}" if new_source else notebook_path
     elif tool_name == "WebFetch":
-        content = tool_input.get("url", "")
+        # Screen both URL and prompt (prompt could carry injection)
+        url = tool_input.get("url", "")
+        prompt = tool_input.get("prompt", "")
+        content = f"{url}\n{prompt}" if prompt else url
+    elif tool_name == "WebSearch":
+        content = tool_input.get("query", "")
+    elif tool_name == "Glob":
+        content = tool_input.get("pattern", "")
+        glob_path = tool_input.get("path", "")
+        if glob_path:
+            content = f"{glob_path}\n{content}"
+    elif tool_name == "Grep":
+        content = tool_input.get("pattern", "")
+        grep_path = tool_input.get("path", "")
+        if grep_path:
+            content = f"{grep_path}\n{content}"
     else:
         content = json.dumps(tool_input)
 
     if not content:
         return {}
 
+    # =========================================================================
+    # SELF-TRUST: Skip screening when reading verified Tweek source files.
+    # Content-based (SHA-256), not path-based. Prevents false positives
+    # when AI reads Tweek's own patterns, hooks, and security modules.
+    # =========================================================================
+    if tool_name in ("Read", "Grep"):
+        try:
+            from tweek.security.integrity import is_trusted_tweek_file
+            read_path = tool_input.get("file_path") or tool_input.get("path") or ""
+            if read_path and is_trusted_tweek_file(read_path):
+                _log(
+                    EventType.ALLOWED,
+                    tool_name,
+                    tier="self_trust",
+                    decision="allow",
+                    decision_reason=f"Self-trust: verified Tweek file {Path(read_path).name}",
+                    metadata={"self_trust": True, "file": read_path},
+                )
+                return {}
+        except Exception:
+            pass  # Best-effort — fall through to normal screening
+
+    # =========================================================================
+    # WHITELIST CHECK: Skip screening for whitelisted tool+path combinations
+    # Uses project-scoped overrides (additive-only merge) if sandbox active
+    # =========================================================================
+    overrides = _sandbox.get_overrides() if _sandbox else get_overrides()
+    enforcement_policy = overrides.get_enforcement_policy() if overrides else EnforcementPolicy()
+    if overrides:
+        whitelist_match = overrides.check_whitelist(tool_name, tool_input, content)
+        if whitelist_match:
+            _log(
+                EventType.ALLOWED,
+                tool_name,
+                command=content if tool_name == "Bash" else None,
+                tier="whitelisted",
+                decision="allow",
+                decision_reason=f"Whitelisted: {whitelist_match.get('reason', 'matched whitelist rule')}",
+                metadata={"whitelist_rule": whitelist_match}
+            )
+            return {}
+
     # =========================================================================
     # LAYER 0: Compliance Scanning (INPUT direction)
     # Scan incoming content for sensitive data before processing
@@ -470,14 +1108,69 @@ def process_hook(input_data: dict, logger: SecurityLogger) -> dict:
             }
         }
 
-    # Initialize managers
-    tier_mgr = TierManager()
-    pattern_matcher = PatternMatcher()
+    # Use cached managers (avoids YAML re-parsing on every invocation)
+    tier_mgr = _get_tier_manager()
+    pattern_matcher = _get_pattern_matcher()
 
     # Determine effective tier
-    effective_tier, escalation = tier_mgr.get_effective_tier(tool_name, content)
+    effective_tier, escalation = tier_mgr.get_effective_tier(
+        tool_name, content,
+        target_paths=target_paths,
+        working_dir=working_dir,
+    )
     screening_methods = tier_mgr.get_screening_methods(effective_tier)
 
+    # =========================================================================
+    # Non-English Language Detection
+    # Escalate tier when non-English content detected so LLM review can catch
+    # prompt injection in other languages that bypass English-only regex patterns
+    # =========================================================================
+    try:
+        from tweek.security.language import detect_non_english, NonEnglishHandling
+
+        # Load handling mode from config (default: escalate)
+        ne_handling_str = tier_mgr.config.get("non_english_handling", "escalate")
+        try:
+            ne_handling = NonEnglishHandling(ne_handling_str)
+        except ValueError:
+            ne_handling = NonEnglishHandling.ESCALATE
+
+        if ne_handling != NonEnglishHandling.NONE:
+            lang_result = detect_non_english(content)
+
+            if lang_result.has_non_english and lang_result.confidence >= 0.3:
+                _log(
+                    EventType.ESCALATION,
+                    tool_name,
+                    command=content if tool_name == "Bash" else None,
+                    tier=effective_tier,
+                    decision_reason=f"Non-English content detected ({', '.join(lang_result.detected_scripts)}, confidence: {lang_result.confidence:.0%})",
+                    metadata={
+                        "language_detection": {
+                            "scripts": lang_result.detected_scripts,
+                            "confidence": lang_result.confidence,
+                            "ratio": lang_result.non_english_ratio,
+                            "sample": lang_result.sample,
+                            "handling": ne_handling.value,
+                        }
+                    }
+                )
+
+                if ne_handling in (NonEnglishHandling.ESCALATE, NonEnglishHandling.BOTH):
+                    # Escalate to at least risky tier to trigger LLM review
+                    tier_priority = {"safe": 0, "default": 1, "risky": 2, "dangerous": 3}
+                    if tier_priority.get(effective_tier, 1) < tier_priority["risky"]:
+                        effective_tier = "risky"
+                        screening_methods = tier_mgr.get_screening_methods(effective_tier)
+    except ImportError:
+        pass  # Language detection module not available
+    except Exception as e:
+        _log(
+            EventType.ERROR,
+            tool_name,
+            decision_reason=f"Language detection error: {e}",
+        )
+
     # Log tool invocation
     _log(
         EventType.TOOL_INVOKED,
@@ -563,8 +1256,27 @@ def process_hook(input_data: dict, logger: SecurityLogger) -> dict:
     # LAYER 2: Pattern Matching
     # =========================================================================
     pattern_match = None
+    all_pattern_matches = []
     if "regex" in screening_methods:
-        pattern_match = pattern_matcher.check(content)
+        all_pattern_matches = pattern_matcher.check_all(content)
+
+        # Apply pattern toggles from overrides (disabled/scoped_disabled patterns)
+        if overrides and all_pattern_matches:
+            working_path = (
+                tool_input.get("file_path", "")
+                or tool_input.get("url", "")
+                or working_dir
+                or ""
+            )
+            all_pattern_matches = overrides.filter_patterns(
+                all_pattern_matches, working_path
+            )
+
+        # Use highest-severity match as primary (critical > high > medium > low)
+        if all_pattern_matches:
+            severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
+            all_pattern_matches.sort(key=lambda p: severity_order.get(p.get("severity", "medium"), 4))
+            pattern_match = all_pattern_matches[0]
 
         if pattern_match:
             _log(
@@ -578,11 +1290,87 @@ def process_hook(input_data: dict, logger: SecurityLogger) -> dict:
             )
 
     # =========================================================================
-    # LAYER 3: LLM Review (for risky/dangerous tiers)
+    # MEMORY: Read pattern history for confidence adjustment
+    # =========================================================================
+    memory_adjustment = None
+    if pattern_match:
+        try:
+            from tweek.memory.queries import memory_read_for_pattern
+            from tweek.memory.store import hash_project, normalize_path_prefix
+            _mem_path = (
+                tool_input.get("file_path", "")
+                or tool_input.get("url", "")
+                or working_dir
+                or ""
+            )
+            memory_adjustment = memory_read_for_pattern(
+                pattern_name=pattern_match.get("name", ""),
+                pattern_severity=pattern_match.get("severity", "medium"),
+                pattern_confidence=pattern_match.get("confidence", "heuristic"),
+                tool_name=tool_name,
+                path_prefix=_mem_path,
+                project_hash=hash_project(working_dir) if working_dir else None,
+            )
+        except Exception:
+            pass  # Memory is best-effort
+
+    # =========================================================================
+    # LAYER 2.5: Heuristic Scoring (Confidence-Gated LLM Escalation)
+    # Bridges the gap between regex patterns (Layer 2) and LLM review (Layer 3).
+    # Runs ONLY when: no regex match AND LLM not already scheduled.
+    # If score exceeds threshold, adds "llm" to screening_methods.
+    # =========================================================================
+    heuristic_escalated = False
+    if not pattern_match and "llm" not in screening_methods:
+        try:
+            scorer = _get_heuristic_scorer(tier_mgr)
+            if scorer:
+                heuristic_result = scorer.screen(
+                    tool_name=tool_name,
+                    content=content,
+                    context={
+                        "tier": effective_tier,
+                        "tool_input": tool_input,
+                        "working_dir": working_dir,
+                    }
+                )
+                heuristic_score = heuristic_result.details.get("heuristic_score", 0.0)
+                should_escalate = heuristic_result.details.get("should_escalate", False)
+
+                if should_escalate:
+                    heuristic_escalated = True
+                    screening_methods = list(screening_methods) + ["llm"]
+                    _log(
+                        EventType.ESCALATION,
+                        tool_name,
+                        command=content if tool_name == "Bash" else None,
+                        tier=effective_tier,
+                        decision_reason=f"Heuristic scorer escalation (score: {heuristic_score:.3f})",
+                        metadata={
+                            "heuristic_score": heuristic_score,
+                            "family_scores": heuristic_result.details.get("family_scores", {}),
+                            "signals": heuristic_result.details.get("signals", []),
+                            "threshold": heuristic_result.details.get("threshold", 0.4),
+                        }
+                    )
+                elif tier_mgr.config.get("heuristic_scorer", {}).get("log_all_scores", False):
+                    _log(
+                        EventType.TOOL_INVOKED,
+                        tool_name,
+                        metadata={
+                            "heuristic_score": heuristic_score,
+                            "heuristic_below_threshold": True,
+                        }
+                    )
+        except Exception:
+            pass  # Heuristic scorer is best-effort
+
+    # =========================================================================
+    # LAYER 3: LLM Review (for risky/dangerous tiers, or heuristic-escalated)
     # =========================================================================
     llm_msg = None
     llm_triggered = False
-    if "llm" in screening_methods and tool_name == "Bash":
+    if "llm" in screening_methods:
         try:
             from tweek.security.llm_reviewer import get_llm_reviewer
 
@@ -703,32 +1491,56 @@ def process_hook(input_data: dict, logger: SecurityLogger) -> dict:
                 decision_reason=f"Sandbox preview error: {e}",
             )
 
+    # =========================================================================
+    # TRUST LEVEL: Filter pattern matches by severity threshold
+    # Interactive (human at CLI) → only prompt on high/critical
+    # Automated (launchd/cron) → prompt on everything
+    # =========================================================================
+    trust_mode = get_trust_mode(overrides)
+    if overrides and pattern_match:
+        min_severity = overrides.get_min_severity(trust_mode)
+        kept, suppressed = filter_by_severity(
+            all_pattern_matches if all_pattern_matches else [pattern_match],
+            min_severity,
+        )
+        if suppressed:
+            _log(
+                EventType.ALLOWED,
+                tool_name,
+                command=content if tool_name == "Bash" else None,
+                tier=effective_tier,
+                decision="allow",
+                decision_reason=(
+                    f"Trust level '{trust_mode}': {len(suppressed)} pattern(s) "
+                    f"below {min_severity} severity threshold"
+                ),
+                metadata={
+                    "trust_mode": trust_mode,
+                    "min_severity": min_severity,
+                    "suppressed_patterns": [
+                        p.get("name") for p in suppressed
+                    ],
+                },
+            )
+        if kept:
+            all_pattern_matches = kept
+            kept.sort(key=lambda p: SEVERITY_RANK.get(p.get("severity", "medium"), 4))
+            pattern_match = kept[0]
+        else:
+            all_pattern_matches = []
+            pattern_match = None
+
     # =========================================================================
     # Decision: Prompt if any layer triggered
     # =========================================================================
     compliance_triggered = bool(compliance_findings)
 
     if pattern_match or llm_triggered or session_triggered or sandbox_triggered or compliance_triggered:
-        _log(
-            EventType.USER_PROMPTED,
-            tool_name,
-            command=content if tool_name == "Bash" else None,
-            tier=effective_tier,
-            pattern_name=pattern_match.get("name") if pattern_match else "multi_layer",
-            pattern_severity=pattern_match.get("severity") if pattern_match else "high",
-            decision="ask",
-            decision_reason="Security check triggered",
-            metadata={
-                "pattern_triggered": pattern_match is not None,
-                "llm_triggered": llm_triggered,
-                "session_triggered": session_triggered,
-                "sandbox_triggered": sandbox_triggered,
-                "compliance_triggered": compliance_triggered,
-                "compliance_findings": len(compliance_findings) if compliance_findings else 0,
-            }
-        )
+        # Determine graduated enforcement decision
+        has_non_pattern = llm_triggered or session_triggered or sandbox_triggered or compliance_triggered
+        decision = _resolve_enforcement(pattern_match, enforcement_policy, has_non_pattern, memory_adjustment)
 
-        # Combine all messages
+        # Build the warning message for ask/deny decisions
         final_msg = format_prompt_message(
             pattern_match, escalation, content, effective_tier,
             rate_limit_msg=rate_limit_msg,
@@ -736,21 +1548,153 @@ def process_hook(input_data: dict, logger: SecurityLogger) -> dict:
             session_msg=session_msg
         )
 
-        # Add sandbox message if applicable
         if sandbox_msg:
             final_msg += f"\n\n{sandbox_msg}"
 
-        # Add compliance message if applicable
         if compliance_msg:
             final_msg += f"\n\n COMPLIANCE NOTICE\n{compliance_msg}"
 
-        return {
-            "hookSpecificOutput": {
-                "hookEventName": "PreToolUse",
-                "permissionDecision": "ask",
-                "permissionDecisionReason": final_msg,
+        if decision == "deny":
+            # Hard block: critical + deterministic patterns (or configured deny)
+            _log(
+                EventType.BLOCKED,
+                tool_name,
+                command=content if tool_name == "Bash" else None,
+                tier=effective_tier,
+                pattern_name=pattern_match.get("name") if pattern_match else "multi_layer",
+                pattern_severity=pattern_match.get("severity") if pattern_match else "high",
+                decision="deny",
+                decision_reason="Hard block: critical deterministic pattern",
+                metadata={
+                    "pattern_triggered": pattern_match is not None,
+                    "pattern_confidence": pattern_match.get("confidence") if pattern_match else None,
+                    "llm_triggered": llm_triggered,
+                    "session_triggered": session_triggered,
+                    "sandbox_triggered": sandbox_triggered,
+                    "compliance_triggered": compliance_triggered,
+                    "enforcement_decision": "deny",
+                }
+            )
+            # Memory: record denied decision
+            try:
+                from tweek.memory.queries import memory_write_after_decision, memory_update_workflow
+                from tweek.memory.store import hash_project, normalize_path_prefix
+                if pattern_match:
+                    memory_write_after_decision(
+                        pattern_name=pattern_match.get("name", ""),
+                        pattern_id=pattern_match.get("id"),
+                        original_severity=pattern_match.get("severity", "medium"),
+                        original_confidence=pattern_match.get("confidence", "heuristic"),
+                        decision="deny", user_response="denied",
+                        tool_name=tool_name, content=content,
+                        path_prefix=tool_input.get("file_path", "") or tool_input.get("url", "") or working_dir or "",
+                        project_hash=hash_project(working_dir) if working_dir else None,
+                    )
+                memory_update_workflow(
+                    project_hash=hash_project(working_dir) if working_dir else "global",
+                    tool_name=tool_name, was_denied=True,
+                )
+            except Exception:
+                pass
+            return {
+                "hookSpecificOutput": {
+                    "hookEventName": "PreToolUse",
+                    "permissionDecision": "deny",
+                    "permissionDecisionReason": final_msg,
+                }
+            }
+
+        elif decision == "log":
+            # Silent allow with logging: low-severity or low-confidence patterns
+            _log(
+                EventType.ALLOWED,
+                tool_name,
+                command=content if tool_name == "Bash" else None,
+                tier=effective_tier,
+                pattern_name=pattern_match.get("name") if pattern_match else "multi_layer",
+                pattern_severity=pattern_match.get("severity") if pattern_match else "low",
+                decision="log",
+                decision_reason="Low-severity pattern logged only",
+                metadata={
+                    "pattern_triggered": pattern_match is not None,
+                    "pattern_confidence": pattern_match.get("confidence") if pattern_match else None,
+                    "enforcement_decision": "log",
+                    "memory_adjusted": memory_adjustment is not None,
+                }
+            )
+            # Memory: record logged decision
+            try:
+                from tweek.memory.queries import memory_write_after_decision, memory_update_workflow
+                from tweek.memory.store import hash_project
+                if pattern_match:
+                    memory_write_after_decision(
+                        pattern_name=pattern_match.get("name", ""),
+                        pattern_id=pattern_match.get("id"),
+                        original_severity=pattern_match.get("severity", "medium"),
+                        original_confidence=pattern_match.get("confidence", "heuristic"),
+                        decision="log", user_response=None,
+                        tool_name=tool_name, content=content,
+                        path_prefix=tool_input.get("file_path", "") or tool_input.get("url", "") or working_dir or "",
+                        project_hash=hash_project(working_dir) if working_dir else None,
+                    )
+                memory_update_workflow(
+                    project_hash=hash_project(working_dir) if working_dir else "global",
+                    tool_name=tool_name, was_denied=False,
+                )
+            except Exception:
+                pass
+            return {}
+
+        else:
+            # Ask: prompt user for confirmation (default behavior)
+            _log(
+                EventType.USER_PROMPTED,
+                tool_name,
+                command=content if tool_name == "Bash" else None,
+                tier=effective_tier,
+                pattern_name=pattern_match.get("name") if pattern_match else "multi_layer",
+                pattern_severity=pattern_match.get("severity") if pattern_match else "high",
+                decision="ask",
+                decision_reason="Security check triggered",
+                metadata={
+                    "pattern_triggered": pattern_match is not None,
+                    "pattern_confidence": pattern_match.get("confidence") if pattern_match else None,
+                    "llm_triggered": llm_triggered,
+                    "session_triggered": session_triggered,
+                    "sandbox_triggered": sandbox_triggered,
+                    "compliance_triggered": compliance_triggered,
+                    "compliance_findings": len(compliance_findings) if compliance_findings else 0,
+                    "enforcement_decision": "ask",
+                }
+            )
+            # Memory: record ask decision (user_response set to None until feedback)
+            try:
+                from tweek.memory.queries import memory_write_after_decision, memory_update_workflow
+                from tweek.memory.store import hash_project
+                if pattern_match:
+                    memory_write_after_decision(
+                        pattern_name=pattern_match.get("name", ""),
+                        pattern_id=pattern_match.get("id"),
+                        original_severity=pattern_match.get("severity", "medium"),
+                        original_confidence=pattern_match.get("confidence", "heuristic"),
+                        decision="ask", user_response=None,
+                        tool_name=tool_name, content=content,
+                        path_prefix=tool_input.get("file_path", "") or tool_input.get("url", "") or working_dir or "",
+                        project_hash=hash_project(working_dir) if working_dir else None,
+                    )
+                memory_update_workflow(
+                    project_hash=hash_project(working_dir) if working_dir else "global",
+                    tool_name=tool_name, was_denied=False,
+                )
+            except Exception:
+                pass
+            return {
+                "hookSpecificOutput": {
+                    "hookEventName": "PreToolUse",
+                    "permissionDecision": "ask",
+                    "permissionDecisionReason": final_msg,
+                }
             }
-        }
 
     # No issues found - allow
     _log(
@@ -762,6 +1706,18 @@ def process_hook(input_data: dict, logger: SecurityLogger) -> dict:
         decision_reason="Passed all screening layers",
     )
 
+    # Memory: record clean pass and update workflow baseline
+    try:
+        from tweek.memory.queries import memory_update_workflow
+        from tweek.memory.store import hash_project
+        memory_update_workflow(
+            project_hash=hash_project(working_dir) if working_dir else "global",
+            tool_name=tool_name,
+            was_denied=False,
+        )
+    except Exception:
+        pass
+
     return {}
 
 
@@ -831,14 +1787,20 @@ def main():
         print(json.dumps(result))
 
     except json.JSONDecodeError as e:
-        # Invalid JSON - fail open (allow) but log
+        # Invalid JSON - fail closed (deny) for safety
         logger.log_quick(
             EventType.ERROR,
             "unknown",
-            decision="allow",
+            decision="deny",
             decision_reason=f"JSON decode error: {e}"
         )
-        print("{}")
+        print(json.dumps({
+            "hookSpecificOutput": {
+                "hookEventName": "PreToolUse",
+                "permissionDecision": "deny",
+                "permissionDecisionReason": f" TWEEK ERROR: Invalid hook input.\nBlocking for safety.",
+            }
+        }))
 
     except Exception as e:
         # Any error - fail closed (block for safety)