drip-cli 0.1.1

Delta Read Interception Proxy — sends only file diffs to your LLM agent
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280

//! Claude Code PreToolUse hook for the Grep tool.
//!
//! Re-runs the agent's grep using `ripgrep` (`rg`) and applies
//! `.dripignore` as additional exclude rules, then substitutes the
//! filtered output via `permissionDecision: deny` (same trick as the
//! Read and Glob hooks).
//!
//! Why ripgrep? Claude Code's own Grep tool is a ripgrep wrapper, so
//! relying on the same engine keeps results semantically aligned. If
//! `rg` isn't on PATH we just allow the native call through.

use crate::core::ignore::Matcher;
use anyhow::{Context, Result};
use serde::Deserialize;
use serde_json::json;
use std::path::Path;
use std::process::Command;

#[derive(Debug, Deserialize)]
struct PreToolUse {
    #[serde(default)]
    tool_name: Option<String>,
    #[serde(default)]
    tool_input: Option<serde_json::Value>,
}

pub fn handle(stdin_payload: &str) -> Result<String> {
    if std::env::var_os("DRIP_DISABLE").is_some() {
        return Ok(allow());
    }
    let p: PreToolUse =
        serde_json::from_str(stdin_payload).context("PreToolUse Grep payload malformed")?;

    if p.tool_name.as_deref() != Some("Grep") {
        return Ok(allow());
    }
    let Some(input) = p.tool_input else {
        return Ok(allow());
    };
    let Some(pattern) = input.get("pattern").and_then(|v| v.as_str()) else {
        return Ok(allow());
    };
    if which_rg().is_none() {
        // Without rg we'd be reimplementing regex search ourselves —
        // not worth the divergence from native behavior. Pass through.
        return Ok(allow());
    }

    let path = input.get("path").and_then(|v| v.as_str()).unwrap_or(".");
    let case_insensitive = input.get("-i").and_then(|v| v.as_bool()).unwrap_or(false);
    let multiline = input
        .get("multiline")
        .and_then(|v| v.as_bool())
        .unwrap_or(false);
    let output_mode = input
        .get("output_mode")
        .and_then(|v| v.as_str())
        .unwrap_or("files_with_matches");
    let extra_glob = input.get("glob").and_then(|v| v.as_str());
    let typ = input.get("type").and_then(|v| v.as_str());
    let head_limit = input.get("head_limit").and_then(|v| v.as_i64());
    let context_lines = input.get("-C").and_then(|v| v.as_i64());
    let after_lines = input.get("-A").and_then(|v| v.as_i64());
    let before_lines = input.get("-B").and_then(|v| v.as_i64());
    let line_numbers = input.get("-n").and_then(|v| v.as_bool()).unwrap_or(false);

    let mut cmd = Command::new("rg");
    cmd.arg("--no-config");
    cmd.arg("--no-messages");
    if case_insensitive {
        cmd.arg("-i");
    }
    if multiline {
        cmd.arg("-U").arg("--multiline-dotall");
    }
    match output_mode {
        "content" => {
            if line_numbers {
                cmd.arg("-n");
            }
            if let Some(c) = context_lines {
                cmd.arg("-C").arg(c.to_string());
            }
            if let Some(a) = after_lines {
                cmd.arg("-A").arg(a.to_string());
            }
            if let Some(b) = before_lines {
                cmd.arg("-B").arg(b.to_string());
            }
        }
        "count" => {
            cmd.arg("-c");
        }
        _ => {
            // "files_with_matches" — ripgrep's -l
            cmd.arg("-l");
        }
    }
    if let Some(t) = typ {
        cmd.arg("--type").arg(t);
    }
    if let Some(g) = extra_glob {
        cmd.arg("--glob").arg(g);
    }

    // Add .dripignore patterns as --glob '!pattern' exclusions so rg
    // does the filtering at the source — both faster and consistent
    // with how rg already handles .gitignore.
    let _matcher = Matcher::load();
    for pat in dripignore_patterns_for_rg() {
        cmd.arg("--glob").arg(format!("!{pat}"));
    }

    cmd.arg("-e").arg(pattern);
    cmd.arg("--").arg(path);

    // Stream rg's stdout with a hard byte cap so a pathological pattern
    // against a huge tree can't OOM the hook subprocess. Anything past
    // the cap is dropped — the agent gets a truncated-but-coherent result
    // rather than no result at all (or a crashed hook).
    const MAX_STDOUT_BYTES: usize = 4 * 1024 * 1024; // 4 MiB
    cmd.stdout(std::process::Stdio::piped());
    cmd.stderr(std::process::Stdio::null());
    let mut child = match cmd.spawn() {
        Ok(c) => c,
        Err(e) => {
            eprintln!("drip: grep hook failed to spawn rg: {e}");
            return Ok(allow());
        }
    };
    let mut buf = Vec::with_capacity(64 * 1024);
    if let Some(mut out) = child.stdout.take() {
        use std::io::Read;
        let mut chunk = [0u8; 64 * 1024];
        loop {
            match out.read(&mut chunk) {
                Ok(0) => break,
                Ok(n) => {
                    let take = n.min(MAX_STDOUT_BYTES.saturating_sub(buf.len()));
                    buf.extend_from_slice(&chunk[..take]);
                    if buf.len() >= MAX_STDOUT_BYTES {
                        // Stop pulling more from rg — let it finish writing
                        // to a closed pipe, which will SIGPIPE/EPIPE-out it.
                        break;
                    }
                }
                Err(_) => break,
            }
        }
    }
    let _ = child.wait();
    let mut stdout = String::from_utf8_lossy(&buf).into_owned();

    // Belt-and-braces: even with --glob '!...', a pattern like
    // `package-lock.json` (basename, no slashes) only matches when rg
    // sees that file at the top of the search root. So we also drop any
    // result line whose path matches our matcher.
    let matcher = Matcher::load();
    let mut matcher_dropped: usize = 0;
    if matches!(output_mode, "files_with_matches" | "content" | "count") {
        let pre_lines: Vec<&str> = stdout.lines().collect();
        let pre_count = pre_lines.len();
        let kept: Vec<&str> = pre_lines
            .into_iter()
            .filter(|line| {
                // For "content" mode rg prints "<path>:<lineno>:<text>"; we
                // peel off the path portion before checking. If parsing is
                // ambiguous (e.g. paths containing colons), we keep the line
                // — better to over-include than to silently drop a real hit.
                let candidate = match output_mode {
                    "files_with_matches" => Path::new(line),
                    "count" => match line.rfind(':') {
                        Some(i) => Path::new(&line[..i]),
                        None => Path::new(line),
                    },
                    _ => match line.find(':') {
                        Some(i) => Path::new(&line[..i]),
                        None => return true,
                    },
                };
                !matcher.is_ignored(candidate)
            })
            .collect();
        matcher_dropped = pre_count.saturating_sub(kept.len());
        let collected: Vec<&str> = match head_limit {
            Some(n) if n > 0 => kept.into_iter().take(n as usize).collect(),
            _ => kept,
        };
        stdout = collected.join("\n");
        if !stdout.is_empty() {
            stdout.push('\n');
        }
    }

    // Early-out: if the result is empty AND DRIP's matcher didn't drop
    // anything (i.e., the post-rg filter was a no-op), substituting
    // would just charge the agent ~80 bytes of `[DRIP: ...]` header
    // for an "(no matches)" payload that native rg would have rendered
    // as a clean empty exit. The rg upstream `--glob !` excludes
    // *might* have filtered something silently, but that's the less
    // common case for a genuinely-zero-result search; passing through
    // here costs at most a noisy native result on a path that didn't
    // match many files in the first place. Override via
    // `DRIP_GREP_ALWAYS_FILTER=1`.
    let always_filter = std::env::var("DRIP_GREP_ALWAYS_FILTER").as_deref() == Ok("1");
    if !always_filter && stdout.is_empty() && matcher_dropped == 0 {
        return Ok(allow());
    }

    let header =
        format!("[DRIP: grep filtered via .dripignore | mode={output_mode} | pattern={pattern}]\n");
    let body = if stdout.is_empty() {
        format!("{header}(no matches)\n")
    } else {
        format!("{header}{stdout}")
    };
    Ok(deny(body))
}

/// The default ignore list as `rg --glob` patterns. We don't ship the
/// `Matcher`'s raw strings because they include negations and basename
/// matchers, neither of which translate cleanly to a single rg flag.
/// Keeping a curated subset here is pragmatic — it'll catch the loud
/// stuff (node_modules, lock files) which is the whole point.
fn dripignore_patterns_for_rg() -> Vec<&'static str> {
    vec![
        "node_modules",
        ".git",
        "vendor",
        "target",
        "dist",
        "build",
        ".next",
        ".turbo",
        ".svelte-kit",
        "out",
        "package-lock.json",
        "yarn.lock",
        "pnpm-lock.yaml",
        "Cargo.lock",
        "Gemfile.lock",
        "poetry.lock",
        "uv.lock",
        "composer.lock",
        "*.min.js",
        "*.min.css",
    ]
}

fn which_rg() -> Option<std::path::PathBuf> {
    let path = std::env::var_os("PATH")?;
    for dir in std::env::split_paths(&path) {
        let candidate = dir.join("rg");
        if candidate.is_file() {
            return Some(candidate);
        }
    }
    None
}

fn allow() -> String {
    json!({
        "hookSpecificOutput": {
            "hookEventName": "PreToolUse",
            "permissionDecision": "allow"
        }
    })
    .to_string()
}

fn deny(reason: String) -> String {
    json!({
        "hookSpecificOutput": {
            "hookEventName": "PreToolUse",
            "permissionDecision": "deny",
            "permissionDecisionReason": reason
        }
    })
    .to_string()
}