tweek 0.4.1__py3-none-any.whl → 0.4.2__py3-none-any.whl

tweek/hooks/break_glass.py

@@ -12,14 +12,34 @@ The AI agent cannot execute `tweek override` — it requires a
 separate CLI invocation by a human operator.
 """
 
+import fcntl
 import json
 import sys
+from contextlib import contextmanager
 from datetime import datetime, timezone, timedelta
 from pathlib import Path
 from typing import Dict, List, Optional
 
 
 BREAK_GLASS_PATH = Path.home() / ".tweek" / "break_glass.json"
+BREAK_GLASS_LOCK = Path.home() / ".tweek" / ".break_glass.lock"
+
+
+@contextmanager
+def _file_lock():
+    """Acquire exclusive file lock for break-glass state read-modify-write.
+
+    Prevents race conditions when concurrent hook calls try to consume
+    the same single-use override simultaneously.
+    """
+    BREAK_GLASS_LOCK.parent.mkdir(parents=True, exist_ok=True)
+    lock_fd = open(BREAK_GLASS_LOCK, "w")
+    try:
+        fcntl.flock(lock_fd, fcntl.LOCK_EX)
+        yield
+    finally:
+        fcntl.flock(lock_fd, fcntl.LOCK_UN)
+        lock_fd.close()
 
 
 def _load_state() -> Dict:
@@ -62,26 +82,27 @@ def create_override(
     Returns:
         The created override dict.
     """
-    state = _load_state()
-    now = datetime.now(timezone.utc)
+    with _file_lock():
+        state = _load_state()
+        now = datetime.now(timezone.utc)
 
-    override = {
-        "pattern": pattern_name,
-        "mode": mode,
-        "reason": reason,
-        "created_at": now.isoformat(),
-        "expires_at": None,
-        "used": False,
-        "used_at": None,
-    }
+        override = {
+            "pattern": pattern_name,
+            "mode": mode,
+            "reason": reason,
+            "created_at": now.isoformat(),
+            "expires_at": None,
+            "used": False,
+            "used_at": None,
+        }
 
-    if mode == "duration" and duration_minutes:
-        expires = now + timedelta(minutes=duration_minutes)
-        override["expires_at"] = expires.isoformat()
+        if mode == "duration" and duration_minutes:
+            expires = now + timedelta(minutes=duration_minutes)
+            override["expires_at"] = expires.isoformat()
 
-    state["overrides"].append(override)
-    _save_state(state)
-    return override
+        state["overrides"].append(override)
+        _save_state(state)
+        return override
 
 
 def check_override(pattern_name: str) -> Optional[Dict]:
@@ -93,38 +114,39 @@ def check_override(pattern_name: str) -> Optional[Dict]:
 
     Returns the override dict if valid, None otherwise.
     """
-    state = _load_state()
-    now = datetime.now(timezone.utc)
-    found = None
+    with _file_lock():
+        state = _load_state()
+        now = datetime.now(timezone.utc)
+        found = None
 
-    for override in state["overrides"]:
-        if override["pattern"] != pattern_name:
-            continue
+        for override in state["overrides"]:
+            if override["pattern"] != pattern_name:
+                continue
 
-        # Skip already-consumed single-use overrides
-        if override["mode"] == "once" and override.get("used"):
-            continue
+            # Skip already-consumed single-use overrides
+            if override["mode"] == "once" and override.get("used"):
+                continue
 
-        # Check expiry for duration-based overrides
-        if override.get("expires_at"):
-            try:
-                expires = datetime.fromisoformat(override["expires_at"])
-                if now > expires:
+            # Check expiry for duration-based overrides
+            if override.get("expires_at"):
+                try:
+                    expires = datetime.fromisoformat(override["expires_at"])
+                    if now > expires:
+                        continue
+                except (ValueError, TypeError):
                     continue
-            except (ValueError, TypeError):
-                continue
 
-        found = override
-        break
+            found = override
+            break
 
-    if found:
-        # Consume single-use overrides
-        if found["mode"] == "once":
-            found["used"] = True
-            found["used_at"] = now.isoformat()
-            _save_state(state)
+        if found:
+            # Consume single-use overrides
+            if found["mode"] == "once":
+                found["used"] = True
+                found["used_at"] = now.isoformat()
+                _save_state(state)
 
-    return found
+        return found
 
 
 def list_overrides() -> List[Dict]:
@@ -156,8 +178,9 @@ def list_active_overrides() -> List[Dict]:
 
 def clear_overrides() -> int:
     """Remove all overrides. Returns count of removed overrides."""
-    state = _load_state()
-    count = len(state.get("overrides", []))
-    state["overrides"] = []
-    _save_state(state)
-    return count
+    with _file_lock():
+        state = _load_state()
+        count = len(state.get("overrides", []))
+        state["overrides"] = []
+        _save_state(state)
+        return count

tweek/hooks/overrides.py

@@ -272,10 +272,28 @@ def get_trust_mode(overrides: Optional[SecurityOverrides] = None) -> str:
 
     Returns: "interactive" or "automated"
     """
+    # Valid trust level values
+    _valid_trust_levels = frozenset({"interactive", "automated"})
+
     # 1. Explicit environment variable (highest priority)
     env_trust = os.environ.get("TWEEK_TRUST_LEVEL", "").lower().strip()
-    if env_trust in ("interactive", "automated"):
+    if env_trust in _valid_trust_levels:
+        # Check if locked by CI/admin (prevents override by untrusted code)
+        locked = os.environ.get("TWEEK_TRUST_LEVEL_LOCKED", "").lower().strip()
+        if locked in _valid_trust_levels:
+            import logging as _logging
+            _logging.getLogger("tweek.overrides").info(
+                "TWEEK_TRUST_LEVEL_LOCKED=%s overrides TWEEK_TRUST_LEVEL=%s",
+                locked, env_trust,
+            )
+            return locked
         return env_trust
+    elif env_trust:
+        import logging as _logging
+        _logging.getLogger("tweek.overrides").warning(
+            "Invalid TWEEK_TRUST_LEVEL=%r, ignoring. Valid: %s",
+            env_trust, _valid_trust_levels,
+        )
 
     # 2. Parent process heuristic (macOS/Linux)
     try:

tweek/hooks/post_tool_use.py

@@ -381,8 +381,12 @@ def process_hook(input_data: Dict[str, Any]) -> Dict[str, Any]:
     session_id = input_data.get("session_id")
     working_dir = input_data.get("cwd")
 
-    # Only screen tools that return content worth analyzing
-    screened_tools = {"Read", "WebFetch", "Bash", "Grep", "WebSearch"}
+    # Screen tools that return content worth analyzing.
+    # Includes content-bearing tools that could carry prompt injection.
+    screened_tools = {
+        "Read", "WebFetch", "Bash", "Grep", "WebSearch",
+        "Skill", "NotebookEdit", "Edit", "Write",
+    }
     if tool_name not in screened_tools:
         return {}
 

tweek/hooks/pre_tool_use.py

@@ -465,14 +465,31 @@ class TierManager:
 
         for target_path_str in target_paths:
             try:
-                target_resolved = Path(target_path_str).expanduser().resolve()
+                target_path = Path(target_path_str).expanduser()
+                target_resolved = target_path.resolve()
             except (OSError, ValueError):
                 continue
 
+            # Symlink detection: if the path or any parent is a symlink,
+            # log it and never relax the tier (fail-closed).
+            _is_symlink = False
+            try:
+                if target_path.is_symlink():
+                    _is_symlink = True
+                else:
+                    for parent in target_path.parents:
+                        if parent.is_symlink():
+                            _is_symlink = True
+                            break
+            except (OSError, ValueError):
+                pass
+
             # Check if path is inside the project
             try:
                 target_resolved.relative_to(cwd_resolved)
-                continue  # Inside project -- no escalation
+                if not _is_symlink:
+                    continue  # Inside project, not a symlink -- no escalation
+                # Symlink inside project pointing elsewhere — still check further
             except ValueError:
                 pass  # Outside project -- check further
 

tweek/hooks/wrapper_post_tool_use.py

@@ -0,0 +1,121 @@
+#!/usr/bin/env python3
+"""
+Tweek Self-Healing Post-Tool-Use Hook Wrapper
+
+Deployed to ~/.tweek/hooks/ at install time. This wrapper script is
+referenced by settings.json instead of the package-internal hook scripts.
+
+Behavior:
+    1. Tries to import and run the real post_tool_use hook from the
+       installed tweek package.
+    2. If tweek has been uninstalled (ImportError), silently removes
+       all tweek hooks from settings.json and allows the tool response.
+    3. If the hook crashes for any other reason, allows the tool response
+       (fail-open to avoid blocking the user).
+
+This file survives `pip uninstall tweek` because it lives outside the
+Python package directory. It uses ONLY stdlib imports at module level.
+"""
+from __future__ import annotations
+
+import json
+import sys
+from pathlib import Path
+
+
+# ---------------------------------------------------------------------------
+# Self-healing: remove tweek hooks from settings.json
+# ---------------------------------------------------------------------------
+
+def _remove_tweek_hooks_from_file(settings_path: Path) -> None:
+    """Remove all tweek hook entries from a single settings.json file."""
+    if not settings_path.exists():
+        return
+    try:
+        with open(settings_path) as f:
+            settings = json.load(f)
+    except (json.JSONDecodeError, IOError, OSError):
+        return
+
+    hooks = settings.get("hooks", {})
+    if not hooks:
+        return
+
+    changed = False
+    for hook_type in list(hooks.keys()):
+        original = hooks[hook_type]
+        filtered = []
+        for hook_config in original:
+            original_inner = hook_config.get("hooks", [])
+            inner = [
+                h for h in original_inner
+                if "tweek" not in h.get("command", "").lower()
+            ]
+            if len(inner) != len(original_inner):
+                changed = True
+            if inner:
+                hook_config["hooks"] = inner
+                filtered.append(hook_config)
+        if len(filtered) != len(original):
+            changed = True
+        if filtered:
+            hooks[hook_type] = filtered
+        else:
+            del hooks[hook_type]
+
+    if not changed:
+        return
+
+    if not hooks:
+        settings.pop("hooks", None)
+
+    try:
+        with open(settings_path, "w") as f:
+            json.dump(settings, f, indent=2)
+    except (IOError, OSError):
+        pass
+
+
+def _self_heal() -> None:
+    """Remove tweek hooks from all known settings.json locations and allow."""
+    # Clean global settings
+    _remove_tweek_hooks_from_file(
+        Path("~/.claude/settings.json").expanduser()
+    )
+    # Clean current project settings
+    _remove_tweek_hooks_from_file(
+        Path.cwd() / ".claude" / "settings.json"
+    )
+    # Clean any recorded project scopes
+    scopes_file = Path("~/.tweek/installed_scopes.json").expanduser()
+    if scopes_file.exists():
+        try:
+            scopes = json.loads(scopes_file.read_text()) or []
+            for scope_str in scopes:
+                _remove_tweek_hooks_from_file(
+                    Path(scope_str) / "settings.json"
+                )
+        except (json.JSONDecodeError, IOError, OSError):
+            pass
+
+    # Output empty JSON to allow the tool response
+    print("{}")
+
+
+# ---------------------------------------------------------------------------
+# Main entry point
+# ---------------------------------------------------------------------------
+
+def main():
+    try:
+        from tweek.hooks.post_tool_use import main as real_main
+        real_main()
+    except ImportError:
+        _self_heal()
+    except Exception:
+        # Fail-open: if the hook crashes, allow the tool response
+        print("{}")
+
+
+if __name__ == "__main__":
+    main()

tweek/hooks/wrapper_pre_tool_use.py

@@ -0,0 +1,121 @@
+#!/usr/bin/env python3
+"""
+Tweek Self-Healing Pre-Tool-Use Hook Wrapper
+
+Deployed to ~/.tweek/hooks/ at install time. This wrapper script is
+referenced by settings.json instead of the package-internal hook scripts.
+
+Behavior:
+    1. Tries to import and run the real pre_tool_use hook from the
+       installed tweek package.
+    2. If tweek has been uninstalled (ImportError), silently removes
+       all tweek hooks from settings.json and allows the tool call.
+    3. If the hook crashes for any other reason, allows the tool call
+       (fail-open to avoid blocking the user).
+
+This file survives `pip uninstall tweek` because it lives outside the
+Python package directory. It uses ONLY stdlib imports at module level.
+"""
+from __future__ import annotations
+
+import json
+import sys
+from pathlib import Path
+
+
+# ---------------------------------------------------------------------------
+# Self-healing: remove tweek hooks from settings.json
+# ---------------------------------------------------------------------------
+
+def _remove_tweek_hooks_from_file(settings_path: Path) -> None:
+    """Remove all tweek hook entries from a single settings.json file."""
+    if not settings_path.exists():
+        return
+    try:
+        with open(settings_path) as f:
+            settings = json.load(f)
+    except (json.JSONDecodeError, IOError, OSError):
+        return
+
+    hooks = settings.get("hooks", {})
+    if not hooks:
+        return
+
+    changed = False
+    for hook_type in list(hooks.keys()):
+        original = hooks[hook_type]
+        filtered = []
+        for hook_config in original:
+            original_inner = hook_config.get("hooks", [])
+            inner = [
+                h for h in original_inner
+                if "tweek" not in h.get("command", "").lower()
+            ]
+            if len(inner) != len(original_inner):
+                changed = True
+            if inner:
+                hook_config["hooks"] = inner
+                filtered.append(hook_config)
+        if len(filtered) != len(original):
+            changed = True
+        if filtered:
+            hooks[hook_type] = filtered
+        else:
+            del hooks[hook_type]
+
+    if not changed:
+        return
+
+    if not hooks:
+        settings.pop("hooks", None)
+
+    try:
+        with open(settings_path, "w") as f:
+            json.dump(settings, f, indent=2)
+    except (IOError, OSError):
+        pass
+
+
+def _self_heal() -> None:
+    """Remove tweek hooks from all known settings.json locations and allow."""
+    # Clean global settings
+    _remove_tweek_hooks_from_file(
+        Path("~/.claude/settings.json").expanduser()
+    )
+    # Clean current project settings
+    _remove_tweek_hooks_from_file(
+        Path.cwd() / ".claude" / "settings.json"
+    )
+    # Clean any recorded project scopes
+    scopes_file = Path("~/.tweek/installed_scopes.json").expanduser()
+    if scopes_file.exists():
+        try:
+            scopes = json.loads(scopes_file.read_text()) or []
+            for scope_str in scopes:
+                _remove_tweek_hooks_from_file(
+                    Path(scope_str) / "settings.json"
+                )
+        except (json.JSONDecodeError, IOError, OSError):
+            pass
+
+    # Output empty JSON to allow the tool call
+    print("{}")
+
+
+# ---------------------------------------------------------------------------
+# Main entry point
+# ---------------------------------------------------------------------------
+
+def main():
+    try:
+        from tweek.hooks.pre_tool_use import main as real_main
+        real_main()
+    except ImportError:
+        _self_heal()
+    except Exception:
+        # Fail-open: if the hook crashes, allow the tool call
+        print("{}")
+
+
+if __name__ == "__main__":
+    main()

tweek/integrations/openclaw.py

@@ -7,17 +7,24 @@ the OpenClaw ecosystem.
 """
 
 import json
+import os
 import subprocess
+import tempfile
 from dataclasses import dataclass, field
 from pathlib import Path
 from typing import Optional
 
+from tweek.integrations.openclaw_detection import (
+    OPENCLAW_CONFIG,
+    OPENCLAW_DEFAULT_PORT,
+    OPENCLAW_HOME,
+    OPENCLAW_SKILLS_DIR,
+    check_gateway_active,
+    check_npm_installation,
+    check_running_process,
+    read_config_port,
+)
 
-# OpenClaw default paths and ports
-OPENCLAW_DEFAULT_PORT = 18789
-OPENCLAW_HOME = Path.home() / ".openclaw"
-OPENCLAW_CONFIG = OPENCLAW_HOME / "openclaw.json"
-OPENCLAW_SKILLS_DIR = OPENCLAW_HOME / "workspace" / "skills"
 OPENCLAW_PLUGIN_NAME = "@tweek/openclaw-plugin"
 
 # Scanning server port (separate from Tweek proxy port)
@@ -63,43 +70,21 @@ def detect_openclaw_installation() -> dict:
         "skills_dir": None,
     }
 
-    # Check npm global installation
-    try:
-        proc = subprocess.run(
-            ["npm", "list", "-g", "openclaw", "--json"],
-            capture_output=True,
-            text=True,
-            timeout=10,
-        )
-        if proc.returncode == 0:
-            data = json.loads(proc.stdout)
-            deps = data.get("dependencies", {})
-            if "openclaw" in deps:
-                info["installed"] = True
-                info["version"] = deps["openclaw"].get("version")
-    except (subprocess.TimeoutExpired, json.JSONDecodeError, FileNotFoundError):
-        pass
-
-    # Check which/where
-    if not info["installed"]:
-        try:
-            import os
-            cmd = ["which", "openclaw"] if os.name != "nt" else ["where", "openclaw"]
-            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=5)
-            if proc.returncode == 0 and proc.stdout.strip():
-                info["installed"] = True
-        except (subprocess.TimeoutExpired, FileNotFoundError):
-            pass
+    # Check npm global installation (shared detection)
+    npm_info = check_npm_installation()
+    if npm_info:
+        info["installed"] = True
+        info["version"] = npm_info.get("version")
 
     # Check for OpenClaw home directory
     if OPENCLAW_HOME.exists():
         info["installed"] = True
-
-        # Check for skills directory
         if OPENCLAW_SKILLS_DIR.exists():
             info["skills_dir"] = OPENCLAW_SKILLS_DIR
 
     # Check for config file and extract port
+    # Note: uses local OPENCLAW_CONFIG reference (not shared module) so
+    # tests can patch tweek.integrations.openclaw.OPENCLAW_CONFIG
     if OPENCLAW_CONFIG.exists():
         info["config_path"] = OPENCLAW_CONFIG
         try:
@@ -111,28 +96,13 @@ def detect_openclaw_installation() -> dict:
         except (json.JSONDecodeError, IOError):
             pass
 
-    # Check for running process
-    try:
-        proc = subprocess.run(
-            ["pgrep", "-f", "openclaw"],
-            capture_output=True,
-            text=True,
-            timeout=5,
-        )
-        if proc.returncode == 0 and proc.stdout.strip():
-            info["process_running"] = True
-    except (subprocess.TimeoutExpired, FileNotFoundError):
-        pass
+    # Check for running process (shared detection)
+    process_info = check_running_process()
+    if process_info:
+        info["process_running"] = True
 
-    # Check if gateway port is active
-    import socket
-    try:
-        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
-            s.settimeout(1)
-            result = s.connect_ex(("127.0.0.1", info["gateway_port"]))
-            info["gateway_active"] = result == 0
-    except (socket.error, OSError):
-        pass
+    # Check if gateway port is active (shared detection)
+    info["gateway_active"] = check_gateway_active(info["gateway_port"])
 
     return info
 
@@ -268,10 +238,16 @@ def _write_openclaw_config(
 
     preset_config = preset_configs.get(preset, preset_configs["cautious"])
 
+    # Read scanner auth token if it exists
+    token_file = Path.home() / ".tweek" / ".scanner_token"
+    scanner_token = None
+    if token_file.exists():
+        scanner_token = token_file.read_text().strip()
+
     # Merge into existing config
     plugins = config.setdefault("plugins", {})
     entries = plugins.setdefault("entries", {})
-    entries["tweek"] = {
+    tweek_entry = {
         "enabled": True,
         "config": {
             "preset": preset,
@@ -279,6 +255,9 @@ def _write_openclaw_config(
             **preset_config,
         },
     }
+    if scanner_token:
+        tweek_entry["config"]["scannerToken"] = scanner_token
+    entries["tweek"] = tweek_entry
 
     try:
         OPENCLAW_HOME.mkdir(parents=True, exist_ok=True)
@@ -397,10 +376,28 @@ def setup_openclaw_protection(
         "plugin_installed": result.plugin_installed,
     }
 
+    # Sanitize preset for safe YAML interpolation
+    allowed_presets = {"paranoid", "cautious", "balanced", "trusted"}
+    safe_preset = preset if preset in allowed_presets else "cautious"
+
     try:
+        # Write to temp file, then atomically replace
+        tweek_dir.mkdir(parents=True, exist_ok=True)
         if yaml:
-            with open(tweek_config_path, "w") as f:
-                yaml.dump(tweek_config, f, default_flow_style=False)
+            fd, tmp_path = tempfile.mkstemp(
+                dir=str(tweek_dir), suffix=".yaml.tmp"
+            )
+            try:
+                with os.fdopen(fd, "w") as f:
+                    yaml.dump(tweek_config, f, default_flow_style=False)
+                os.replace(tmp_path, str(tweek_config_path))
+            except Exception:
+                # Clean up temp file on failure
+                try:
+                    os.unlink(tmp_path)
+                except OSError:
+                    pass
+                raise
         else:
             # Manual YAML writing as fallback
             existing_lines = []
@@ -418,16 +415,29 @@ def setup_openclaw_protection(
                     existing_lines.append(line)
 
             openclaw_lines = [
+                "# Generated by tweek",
                 "openclaw:",
                 "  enabled: true",
                 f"  gateway_port: {result.gateway_port}",
                 f"  scanner_port: {result.scanner_port}",
-                f"  preset: {preset}",
+                f"  preset: {safe_preset}",
                 f"  plugin_installed: {'true' if result.plugin_installed else 'false'}",
             ]
 
             all_lines = existing_lines + openclaw_lines
-            tweek_config_path.write_text("\n".join(all_lines) + "\n")
+            fd, tmp_path = tempfile.mkstemp(
+                dir=str(tweek_dir), suffix=".yaml.tmp"
+            )
+            try:
+                with os.fdopen(fd, "w") as f:
+                    f.write("\n".join(all_lines) + "\n")
+                os.replace(tmp_path, str(tweek_config_path))
+            except Exception:
+                try:
+                    os.unlink(tmp_path)
+                except OSError:
+                    pass
+                raise
     except Exception as e:
         result.warnings.append(f"Could not update Tweek config: {e}")