OpenCode + Claude Code bash policy written in Rust!!! #68
Open
davidabram wants to merge 6 commits into
Implements a CLI-agnostic bash-policy evaluator that matches the current OpenCode TypeScript runtime behavior: command tokenization, shell segment splitting for operators, wrapper/env stripping, executable basename normalization, nested nix/sh|bash -c recursion, preset/custom active-policy construction, longest-prefix/custom-over-preset precedence, and canonical block-message formatting.
Co-authored-by: SCE <sce@crocoder.dev>
Expose the Rust bash-policy evaluator through a hidden `sce policy bash`
subcommand for hook callers. The command reads JSON from STDIN, resolves
bash-policy config from the project root (git root with current-directory
fallback), evaluates the command against active policies, and emits
hook-safe output.
Input modes:
- --input claude-pre-tool-use (default): parses Claude PreToolUse event JSON
- --input normalized: parses {"command":...} for OpenCode delegation
Output modes:
- --output claude-hook (default): emits Claude Code deny JSON or empty string
- --output json: emits structured allow/deny result with normalized_argv
Also adds resolve_bash_policy_runtime_config to the config resolver so
policy evaluation can resolve config without requiring the full
observability config path.
Adds parity tests covering Claude PreToolUse parsing, normalized request
parsing, deny/allow JSON rendering, malformed custom policy handling,
parseCommandSegments edge cases, shell operator policy evaluation, and
sh -c payload unwrapping.
Co-authored-by: SCE <sce@crocoder.dev>
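The first two commit messages above describe one evaluation pipeline: tokenize the command, split it into segments on shell operators, strip `env`/assignment wrappers, reduce the executable to its basename, recurse into `sh -c`/`bash -c` payloads, and then pick the longest matching policy prefix, with a custom rule beating a preset of the same length. The block below is an added, std-only Rust illustration of that pipeline written for this page; it is not the PR's code or the `sce` crate's API. The rule set in `demo_rules`, the wrapper list, the deny-message format, and the omission of nix unwrapping are assumptions made for the example.

```rust
// Added illustration of the bash-policy pipeline; NOT the PR's code.
// Rule names, wrapper list and the deny-message format are assumptions.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Decision { Allow, Deny }
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Origin { Preset, Custom }

/// One policy line: a space-separated argv prefix plus its decision and origin.
pub struct Rule { pub prefix: &'static str, pub decision: Decision, pub origin: Origin }

const SHELL_OPS: [&str; 5] = ["&&", "||", "|", ";", "&"];
const WRAPPERS: [&str; 3] = ["env", "command", "exec"]; // assumed wrapper set

/// POSIX-ish tokenizer: quotes and backslashes group characters; unquoted
/// `;`, `|`, `&`, `&&`, `||` become their own tokens so segments can be split.
pub fn tokenize(cmd: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut cur = String::new();
    let mut in_tok = false; // distinguishes an empty token ("") from no token
    let mut quote: Option<char> = None;
    let mut chars = cmd.chars().peekable();
    while let Some(c) = chars.next() {
        match (quote, c) {
            (Some(q), _) if c == q => quote = None,
            (Some('"'), '\\') => { if let Some(n) = chars.next() { cur.push(n); } }
            (Some(_), _) => cur.push(c),
            (None, '\'') | (None, '"') => { quote = Some(c); in_tok = true; }
            (None, '\\') => { if let Some(n) = chars.next() { cur.push(n); in_tok = true; } }
            (None, ';') | (None, '|') | (None, '&') => {
                if in_tok { out.push(std::mem::take(&mut cur)); in_tok = false; }
                let mut op = c.to_string();
                if c != ';' && chars.peek() == Some(&c) { chars.next(); op.push(c); }
                out.push(op);
            }
            (None, _) if c.is_whitespace() => {
                if in_tok { out.push(std::mem::take(&mut cur)); in_tok = false; }
            }
            (None, _) => { cur.push(c); in_tok = true; }
        }
    }
    if in_tok { out.push(cur); }
    out
}

/// Split the token stream on shell operators into independent segments.
pub fn segments(tokens: &[String]) -> Vec<&[String]> {
    tokens.split(|t| SHELL_OPS.contains(&t.as_str())).filter(|s| !s.is_empty()).collect()
}

fn is_assignment(tok: &str) -> bool {
    match tok.split_once('=') {
        Some((name, _)) => {
            let mut it = name.chars();
            matches!(it.next(), Some(c) if c.is_ascii_alphabetic() || c == '_')
                && it.all(|c| c.is_ascii_alphanumeric() || c == '_')
        }
        None => false,
    }
}

fn basename(tok: &str) -> &str { tok.rsplit('/').next().unwrap_or(tok) }

/// Drop leading `VAR=value` assignments and wrapper executables, then reduce
/// the executable to its basename so `/usr/bin/rm` and `rm` hit the same rule.
pub fn normalize(argv: &[String]) -> Vec<String> {
    let start = argv.iter()
        .position(|t| !(is_assignment(t) || WRAPPERS.contains(&basename(t))))
        .unwrap_or(argv.len());
    let mut out: Vec<String> = argv[start..].to_vec();
    if let Some(first) = out.first_mut() { let b = basename(first).to_string(); *first = b; }
    out
}

fn prefix_len(rule: &Rule, argv: &[String]) -> Option<usize> {
    let parts: Vec<&str> = rule.prefix.split_whitespace().collect();
    let hit = parts.len() <= argv.len() && parts.iter().zip(argv).all(|(p, a)| *p == a.as_str());
    if hit { Some(parts.len()) } else { None }
}

/// Longest matching prefix wins; on equal length a Custom rule beats a Preset.
pub fn decide(rules: &[Rule], argv: &[String]) -> Option<(Decision, &'static str)> {
    rules.iter()
        .filter_map(|r| prefix_len(r, argv).map(|n| (n, r)))
        .max_by_key(|(n, r)| (*n, r.origin == Origin::Custom))
        .map(|(_, r)| (r.decision, r.prefix))
}

/// Evaluate every segment; the first Deny wins. `sh -c`/`bash -c` payloads are
/// re-tokenized and evaluated recursively so a nested command is not skipped.
pub fn evaluate(rules: &[Rule], cmd: &str) -> Result<(), String> {
    let tokens = tokenize(cmd);
    for seg in segments(&tokens) {
        let argv = normalize(seg);
        if argv.is_empty() { continue; }
        let is_shell = matches!(argv[0].as_str(), "sh" | "bash" | "zsh" | "dash");
        if is_shell && argv.len() >= 3 && argv[1] == "-c" { evaluate(rules, &argv[2])?; continue; }
        if let Some((Decision::Deny, prefix)) = decide(rules, &argv) {
            // Canonical block message (format assumed for this example).
            return Err(format!("SCE bash policy denied `{}` (matched rule `{}`)", argv.join(" "), prefix));
        }
    }
    Ok(())
}

/// Constructed sample policy: presets plus custom overrides (not the real presets).
pub fn demo_rules() -> Vec<Rule> {
    use Decision::*; use Origin::*;
    vec![
        Rule { prefix: "git", decision: Allow, origin: Preset },
        Rule { prefix: "git push", decision: Deny, origin: Preset },         // longer prefix beats "git"
        Rule { prefix: "git push origin", decision: Allow, origin: Custom }, // longer still
        Rule { prefix: "rm -rf", decision: Deny, origin: Preset },
        Rule { prefix: "curl", decision: Deny, origin: Preset },
        Rule { prefix: "curl", decision: Allow, origin: Custom },            // equal length: custom wins
    ]
}

fn main() {
    let rules = demo_rules();
    for cmd in ["git status && rm -rf /tmp/x", "sh -c 'rm -rf build'", "git push origin main"] {
        println!("{cmd:?} -> {:?}", evaluate(&rules, cmd));
    }
}
```

The recursion in `evaluate` is the part worth checking against a real policy set: a deny on `rm -rf` is only meaningful if the same verdict is reached for `sh -c 'rm -rf build'` and for `FOO=1 env /usr/bin/rm -rf build`, which is exactly what wrapper stripping, basename normalization and payload unwrapping buy. Note that this sketch does not unwrap `nix` invocations or `env -i`/`env -u` flags; a production evaluator has to enumerate those forms explicitly or they become bypasses.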
Replace the TypeScript bash-policy runtime with a thin wrapper that calls `sce policy bash --input normalized --output json` via `spawnSync`. The plugin fails open when `sce` is unavailable or returns errors, and throws stable SCE denial messages on deny decisions. Remove `bash-policy/runtime.ts` and all generated copies. Rewrite tests to mock `node:child_process` and cover allow, deny, fail-open, and invalid JSON paths.
Co-authored-by: SCE <sce@crocoder.dev>
Add a generated Claude `.claude/settings.json` PreToolUse command hook for the Bash tool that runs `sce policy bash`, delegating bash-policy enforcement to the Rust evaluator. The Pkl rendering source in claude-content.pkl is updated accordingly. Claude and OpenCode now both delegate to the same Rust `sce policy bash` path, with Claude using a settings.json command hook and OpenCode using a thin TypeScript plugin wrapper.
Co-authored-by: SCE <sce@crocoder.dev>
Remove stale default-path accessors and doctor presence checks for the deleted OpenCode bash-policy runtime asset. Update current project guidance and durable context to reflect Rust-owned `sce policy bash` evaluation and OpenCode plugin wrapper test ownership.
Co-authored-by: SCE <sce@crocoder.dev>
The Claude settings $schema URL pointed at www.schemastore.org, which serves a redirect rather than the schema document directly. Update the Pkl renderer (source of truth) and its rendered config output to use json.schemastore.org so tooling resolves the schema in one hop.
Co-authored-by: SCE <sce@crocoder.dev>
No description provided.