tweek 0.3.0__py3-none-any.whl → 0.4.0__py3-none-any.whl

tweek/hooks/pre_tool_use.py

@@ -54,6 +54,7 @@ from tweek.skills.guard import (
 )
 from tweek.skills.fingerprints import get_fingerprints
 from tweek.sandbox.project import get_project_sandbox
+from tweek.plugins.base import ReDoSProtection, RegexTimeoutError
 
 
 # =============================================================================
@@ -264,6 +265,7 @@ def _resolve_enforcement(
     enforcement_policy: Optional[EnforcementPolicy],
     has_non_pattern_trigger: bool = False,
     memory_adjustment: Optional[Dict] = None,
+    taint_level: str = "clean",
 ) -> str:
     """Determine the enforcement decision based on severity + confidence.
 
@@ -296,6 +298,7 @@ def _resolve_enforcement(
         decision = "ask"
 
     # Break-glass: downgrade "deny" to "ask" if active override exists
+    break_glass_used = False
     if decision == "deny":
         try:
             from tweek.hooks.break_glass import check_override
@@ -318,6 +321,7 @@ def _resolve_enforcement(
                     },
                 )
                 decision = "ask"  # Downgrade deny → ask (user still sees prompt)
+                break_glass_used = True
         except ImportError:
             pass  # Break-glass module not available
 
@@ -337,6 +341,21 @@ def _resolve_enforcement(
         except Exception:
             pass  # Memory is best-effort
 
+    # Provenance-based adjustment: modify decision based on session taint
+    # Skip when break-glass is active — explicit user overrides take priority
+    if not break_glass_used:
+        try:
+            from tweek.memory.provenance import adjust_enforcement_for_taint
+            if pattern_match:
+                decision = adjust_enforcement_for_taint(
+                    base_decision=decision,
+                    severity=severity,
+                    confidence=confidence,
+                    taint_level=taint_level,
+                )
+        except Exception:
+            pass  # Provenance is best-effort
+
     return decision
 
 
@@ -362,15 +381,25 @@ class TierManager:
             return yaml.safe_load(f) or {}
 
     def get_base_tier(self, tool_name: str, skill_name: Optional[str] = None) -> str:
-        """Get the base tier for a tool or skill."""
-        # Skills override tools if specified
-        if skill_name and skill_name in self.skills:
-            return self.skills[skill_name]
+        """Get the base tier for a tool or skill.
 
-        if tool_name in self.tools:
-            return self.tools[tool_name]
+        Skills can only ESCALATE a tool's tier, never relax it.
+        This prevents a safe skill from disabling screening on dangerous tools.
+        For example, the 'explore' skill (safe) cannot downgrade Bash (dangerous).
+        But the 'deploy' skill (dangerous) can escalate Read (default) to dangerous.
+        """
+        tier_priority = {"safe": 0, "default": 1, "risky": 2, "dangerous": 3}
 
-        return self.default_tier
+        # Start with the tool's inherent tier
+        tool_tier = self.tools.get(tool_name, self.default_tier)
+
+        if skill_name and skill_name in self.skills:
+            skill_tier = self.skills[skill_name]
+            # Skill can only escalate, never relax
+            if tier_priority.get(skill_tier, 1) > tier_priority.get(tool_tier, 1):
+                return skill_tier
+
+        return tool_tier
 
     def check_escalations(self, content: str) -> Optional[Dict]:
         """Check if content triggers any escalation patterns.
@@ -551,6 +580,21 @@ class PatternMatcher:
                 extra = self._load_patterns(user_patterns)
                 self._merge_patterns(extra)
 
+        # Pre-compile all regex patterns for performance and ReDoS protection.
+        # These are our own trusted patterns (not user-supplied), so skip
+        # ReDoS validation during compilation (validate=False).
+        self._compiled_patterns: List[Tuple[re.Pattern, dict]] = []
+        for pattern in self.patterns:
+            regex = pattern.get("regex", "")
+            if not regex:
+                continue
+            try:
+                compiled = re.compile(regex, re.IGNORECASE | re.DOTALL)
+                self._compiled_patterns.append((compiled, pattern))
+            except re.error:
+                # Skip invalid patterns at compile time
+                continue
+
     def _merge_patterns(self, extra_patterns: List[dict]):
         """Merge additional patterns into existing set (additive).
 
@@ -587,25 +631,33 @@ class PatternMatcher:
         """Check content against all patterns.
 
         Returns the first matching pattern, or None.
+        Uses timeout-protected regex execution to prevent ReDoS.
         """
         content = self._normalize(content)
-        for pattern in self.patterns:
+        if len(content) > ReDoSProtection.MAX_INPUT_LENGTH:
+            content = content[:ReDoSProtection.MAX_INPUT_LENGTH]
+        for compiled, pattern in self._compiled_patterns:
             try:
-                if re.search(pattern.get("regex", ""), content, re.IGNORECASE | re.DOTALL):
+                if ReDoSProtection.safe_search(compiled, content, timeout=2.0):
                     return pattern
-            except re.error:
+            except (RegexTimeoutError, re.error):
                 continue
         return None
 
     def check_all(self, content: str) -> List[dict]:
-        """Check content against all patterns, returning all matches."""
+        """Check content against all patterns, returning all matches.
+
+        Uses timeout-protected regex execution to prevent ReDoS.
+        """
         content = self._normalize(content)
+        if len(content) > ReDoSProtection.MAX_INPUT_LENGTH:
+            content = content[:ReDoSProtection.MAX_INPUT_LENGTH]
         matches = []
-        for pattern in self.patterns:
+        for compiled, pattern in self._compiled_patterns:
             try:
-                if re.search(pattern.get("regex", ""), content, re.IGNORECASE | re.DOTALL):
+                if ReDoSProtection.safe_search(compiled, content, timeout=2.0):
                     matches.append(pattern)
-            except re.error:
+            except (RegexTimeoutError, re.error):
                 continue
         return matches
 
@@ -762,7 +814,7 @@ def _extract_paths_from_bash(command: str) -> List[str]:
       python3 /home/user/script.py
 
     Intentionally simple -- does NOT handle pipes, subshells, or variable
-    expansion. Content-based escalations (259 patterns) cover the rest.
+    expansion. Content-based escalations (262 patterns) cover the rest.
     """
     import shlex
 
@@ -877,6 +929,39 @@ def process_hook(input_data: dict, logger: SecurityLogger) -> dict:
         # Fingerprint check is best-effort — never break the hook
         pass
 
+    # =========================================================================
+    # SKILL CONTEXT TRACKING: Detect active skill from Skill tool invocations
+    # When Claude invokes the Skill tool, we extract the skill name and write
+    # a breadcrumb. Subsequent tool calls read it for tier/memory context.
+    # =========================================================================
+    _active_skill = None
+    try:
+        from tweek.skills.context import (
+            extract_skill_from_tool_input,
+            write_skill_breadcrumb,
+            read_skill_context,
+        )
+
+        if tool_name == "Skill" and session_id:
+            # Skill tool invocation — extract and record the active skill
+            skill = extract_skill_from_tool_input(tool_input)
+            if skill:
+                write_skill_breadcrumb(skill, session_id)
+                _active_skill = skill
+                _log(
+                    EventType.SCREENING_COMPLETE,
+                    tool_name,
+                    decision="allow",
+                    decision_reason=f"Skill context recorded: {skill}",
+                    metadata={"skill_context": skill},
+                )
+        elif session_id:
+            # Non-Skill tool — check for active skill breadcrumb
+            _active_skill = read_skill_context(session_id)
+    except Exception:
+        # Skill context is best-effort — never break the hook
+        _active_skill = None
+
     # =========================================================================
     # SELF-PROTECTION: Block AI from modifying security override config
     # This file can only be edited by a human directly.
@@ -1112,9 +1197,10 @@ def process_hook(input_data: dict, logger: SecurityLogger) -> dict:
     tier_mgr = _get_tier_manager()
     pattern_matcher = _get_pattern_matcher()
 
-    # Determine effective tier
+    # Determine effective tier (skill context overrides tool tier if configured)
     effective_tier, escalation = tier_mgr.get_effective_tier(
         tool_name, content,
+        skill_name=_active_skill,
         target_paths=target_paths,
         working_dir=working_dir,
     )
@@ -1192,6 +1278,23 @@ def process_hook(input_data: dict, logger: SecurityLogger) -> dict:
             metadata={"escalation": escalation}
         )
 
+    # =========================================================================
+    # PROVENANCE: Record tool call and get session taint level
+    # Tracks every tool call for taint decay; provides taint_level for
+    # enforcement adjustment later in the pipeline.
+    # =========================================================================
+    # Default to "low" when no session tracking — clean session relaxation
+    # requires active provenance tracking as a safety prerequisite.
+    _session_taint_level = "low"
+    try:
+        from tweek.memory.provenance import get_taint_store
+        if session_id:
+            _taint_store = get_taint_store()
+            _taint_state = _taint_store.record_tool_call(session_id, tool_name)
+            _session_taint_level = _taint_state.get("taint_level", "clean")
+    except Exception:
+        _session_taint_level = "low"  # Provenance unavailable — no relaxation
+
     # =========================================================================
     # LAYER 1: Rate Limiting
     # =========================================================================
@@ -1538,7 +1641,7 @@ def process_hook(input_data: dict, logger: SecurityLogger) -> dict:
     if pattern_match or llm_triggered or session_triggered or sandbox_triggered or compliance_triggered:
         # Determine graduated enforcement decision
         has_non_pattern = llm_triggered or session_triggered or sandbox_triggered or compliance_triggered
-        decision = _resolve_enforcement(pattern_match, enforcement_policy, has_non_pattern, memory_adjustment)
+        decision = _resolve_enforcement(pattern_match, enforcement_policy, has_non_pattern, memory_adjustment, _session_taint_level)
 
         # Build the warning message for ask/deny decisions
         final_msg = format_prompt_message(
@@ -1721,53 +1824,50 @@ def process_hook(input_data: dict, logger: SecurityLogger) -> dict:
     return {}
 
 
-def check_allowed_directory() -> bool:
+def check_hook_enabled(hook_name: str = "pre_tool_use") -> bool:
     """
-    Check if current working directory is in the allowed list.
+    Check if a Tweek hook should run in the current working directory.
 
-    This is a SAFETY CHECK to prevent Tweek from accidentally
-    running in production or other directories.
+    Looks for a .tweek.yaml file in the project root (cwd). This file
+    is created during `tweek protect claude-code` with hooks enabled
+    by default. Users can manually set hooks to false to disable
+    screening in a specific directory.
+
+    .tweek.yaml format:
+        hooks:
+          pre_tool_use: true    # set false to disable pre-screening
+          post_tool_use: true   # set false to disable post-screening
+
+    If no .tweek.yaml exists, hooks are ENABLED (protected by default).
+    This file is protected by Tweek self-protection — only a human
+    can create or edit it.
+
+    Args:
+        hook_name: "pre_tool_use" or "post_tool_use"
 
     Returns:
-        True if Tweek should activate, False to pass through
+        True if the hook should run, False to skip
     """
-    config_path = Path(__file__).parent.parent / "config" / "allowed_dirs.yaml"
+    tweek_config = Path.cwd() / ".tweek.yaml"
 
-    if not config_path.exists():
-        # No config = disabled everywhere (safe default)
-        return False
+    if not tweek_config.exists():
+        # No config = hooks enabled (protected by default)
+        return True
 
     try:
-        with open(config_path) as f:
+        with open(tweek_config) as f:
             config = yaml.safe_load(f) or {}
     except Exception:
-        return False
-
-    # Check if globally enabled (production mode)
-    if config.get("global_enabled", False):
-        return True
-
-    # Check allowed directories
-    allowed_dirs = config.get("allowed_directories", [])
-    cwd = Path.cwd().resolve()
-
-    for allowed in allowed_dirs:
-        allowed_path = Path(allowed).expanduser().resolve()
-        try:
-            # Check if cwd is the allowed dir or a subdirectory
-            cwd.relative_to(allowed_path)
-            return True
-        except ValueError:
-            continue
+        return True  # Can't read config = fail safe, keep hooks on
 
-    return False
+    hooks = config.get("hooks", {})
+    return hooks.get(hook_name, True)
 
 
 def main():
     """Entry point for the hook."""
-    # SAFETY CHECK: Only activate in allowed directories
-    if not check_allowed_directory():
-        # Not in allowed directory - pass through without screening
+    # Check if pre_tool_use hook is enabled for this directory
+    if not check_hook_enabled("pre_tool_use"):
         print("{}")
         return
 

tweek/integrations/openclaw.py

@@ -441,3 +441,87 @@ def setup_openclaw_protection(
 
     result.success = True
     return result
+
+
+def remove_openclaw_protection() -> dict:
+    """
+    Remove Tweek protection from OpenClaw.
+
+    Reverses setup_openclaw_protection():
+    1. Uninstalls the Tweek plugin from OpenClaw
+    2. Removes the Tweek plugin entry from openclaw.json
+    3. Removes the openclaw section from ~/.tweek/config.yaml
+
+    Returns:
+        dict with 'success', 'message', 'details', and optionally 'error'
+    """
+    details = []
+
+    # 1. Uninstall the npm plugin
+    if _check_plugin_installed():
+        try:
+            proc = subprocess.run(
+                ["openclaw", "plugins", "uninstall", OPENCLAW_PLUGIN_NAME],
+                capture_output=True,
+                text=True,
+                timeout=60,
+            )
+            if proc.returncode == 0:
+                details.append(f"Uninstalled {OPENCLAW_PLUGIN_NAME} plugin")
+            else:
+                details.append(f"Plugin uninstall returned non-zero (may already be removed)")
+        except subprocess.TimeoutExpired:
+            return {"success": False, "error": "Plugin uninstall timed out"}
+        except FileNotFoundError:
+            details.append("openclaw CLI not found, skipping plugin uninstall")
+    else:
+        details.append("Tweek plugin not found in OpenClaw (already removed)")
+
+    # 2. Remove Tweek entry from openclaw.json
+    if OPENCLAW_CONFIG.exists():
+        try:
+            with open(OPENCLAW_CONFIG) as f:
+                config = json.load(f)
+
+            plugins = config.get("plugins", {})
+            entries = plugins.get("entries", {})
+            if "tweek" in entries:
+                del entries["tweek"]
+                with open(OPENCLAW_CONFIG, "w") as f:
+                    json.dump(config, f, indent=2)
+                details.append(f"Removed tweek entry from {OPENCLAW_CONFIG}")
+            else:
+                details.append("No tweek entry found in openclaw.json")
+        except (json.JSONDecodeError, IOError) as e:
+            details.append(f"Could not update openclaw.json: {e}")
+
+    # 3. Remove openclaw section from ~/.tweek/config.yaml
+    tweek_config_path = Path.home() / ".tweek" / "config.yaml"
+    if tweek_config_path.exists():
+        try:
+            import yaml
+        except ImportError:
+            yaml = None
+
+        if yaml:
+            try:
+                with open(tweek_config_path) as f:
+                    tweek_config = yaml.safe_load(f) or {}
+
+                if "openclaw" in tweek_config:
+                    del tweek_config["openclaw"]
+                    with open(tweek_config_path, "w") as f:
+                        yaml.dump(tweek_config, f, default_flow_style=False)
+                    details.append("Removed openclaw section from ~/.tweek/config.yaml")
+                else:
+                    details.append("No openclaw section in ~/.tweek/config.yaml")
+            except Exception as e:
+                details.append(f"Could not update ~/.tweek/config.yaml: {e}")
+        else:
+            details.append("PyYAML not available, skipping config.yaml cleanup")
+
+    return {
+        "success": True,
+        "message": "OpenClaw protection removed",
+        "details": details,
+    }

tweek/licensing.py

@@ -74,7 +74,7 @@ class LicenseInfo:
 # Only compliance and team management features require a license.
 TIER_FEATURES = {
     Tier.FREE: [
-        "pattern_matching",       # All 215 patterns included free
+        "pattern_matching",       # All 262 patterns included free
         "basic_logging",
         "vault_storage",
         "cli_commands",

tweek/mcp/__init__.py

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 """
-Tweek MCP Security Gateway & Proxy
+Tweek MCP Security Proxy
 
 MCP (Model Context Protocol) integration for desktop LLM applications:
 - Claude Desktop
@@ -8,17 +8,15 @@ MCP (Model Context Protocol) integration for desktop LLM applications:
 - Gemini CLI
 - VS Code (Continue.dev)
 
-Two modes of operation:
-- **Proxy** (recommended): Transparently wraps upstream MCP servers with
-  security screening and human-in-the-loop approval. Tools keep their
-  original names. Use: tweek mcp proxy
-- **Gateway**: Exposes tweek_vault and tweek_status as new MCP tools for
-  capabilities not available as built-in desktop client tools.
-  Use: tweek mcp serve
+Transparently wraps upstream MCP servers with security screening and
+human-in-the-loop approval. Also provides built-in tweek_vault and
+tweek_status tools alongside proxied upstream tools.
+
+Use: tweek mcp proxy
 
 Built-in desktop client tools (Bash, Read, Write, etc.) cannot be
 intercepted via MCP — use CLI hooks for Claude Code, or the HTTP
 proxy for Cursor/direct API calls.
 """
 
-__all__ = ["create_server", "create_proxy"]
+__all__ = ["create_proxy"]

tweek/mcp/clients/chatgpt.py

@@ -31,8 +31,8 @@ class ChatGPTClient:
         """Get the arguments for the tweek MCP server."""
         tweek_path = shutil.which("tweek")
         if tweek_path:
-            return ["mcp", "serve"]
-        return ["-m", "tweek.mcp", "serve"]
+            return ["mcp", "proxy"]
+        return ["-m", "tweek.mcp", "proxy"]
 
     def install(self) -> Dict[str, Any]:
         """

tweek/mcp/clients/claude_desktop.py

@@ -52,8 +52,8 @@ class ClaudeDesktopClient:
         """Get the arguments for the tweek MCP server."""
         tweek_path = shutil.which("tweek")
         if tweek_path:
-            return ["mcp", "serve"]
-        return ["-m", "tweek.mcp", "serve"]
+            return ["mcp", "proxy"]
+        return ["-m", "tweek.mcp", "proxy"]
 
     def _build_server_config(self) -> Dict[str, Any]:
         """Build the MCP server configuration entry."""

tweek/mcp/clients/gemini.py

@@ -35,8 +35,8 @@ class GeminiClient:
         """Get the arguments for the tweek MCP server."""
         tweek_path = shutil.which("tweek")
         if tweek_path:
-            return ["mcp", "serve"]
-        return ["-m", "tweek.mcp", "serve"]
+            return ["mcp", "proxy"]
+        return ["-m", "tweek.mcp", "proxy"]
 
     def _build_server_config(self) -> Dict[str, Any]:
         """Build the MCP server configuration entry."""