rippy-cli 0.2.0

A shell command safety hook for AI coding tools (Claude Code, Cursor, Gemini CLI) — Rust rewrite of Dippy
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550

//! Project config trust model.
//!
//! Stores SHA-256 hashes of trusted project config files in
//! `~/.rippy/trusted.json`. When rippy encounters a project config,
//! it checks this database before loading. Untrusted or modified
//! configs are ignored with a stderr warning.

use std::collections::HashMap;
use std::path::{Path, PathBuf};

use sha2::{Digest, Sha256};

use crate::error::RippyError;

/// A single trust entry recording the hash and timestamp of a trusted config.
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
pub struct TrustEntry {
    /// Content hash in the form `"sha256:<hex>"`.
    pub hash: String,
    /// ISO 8601 timestamp when the file was trusted.
    pub trusted_at: String,
    /// Repository identity — git remote URL or `"local:<repo_root>"`.
    /// When present, trust is repo-level: config changes within the
    /// same repo are auto-trusted without re-running `rippy trust`.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub repo_id: Option<String>,
}

/// Result of checking a project config against the trust database.
#[derive(Debug, PartialEq, Eq)]
pub enum TrustStatus {
    /// The file's hash matches the stored entry.
    Trusted,
    /// No entry exists for this file path.
    Untrusted,
    /// An entry exists but the file content has changed.
    Modified { expected: String, actual: String },
}

/// Trust database backed by a JSON file at `~/.rippy/trusted.json`.
#[derive(Debug)]
pub struct TrustDb {
    entries: HashMap<String, TrustEntry>,
    path: PathBuf,
}

impl TrustDb {
    /// Load the trust database from `~/.rippy/trusted.json`.
    ///
    /// Returns an empty database if the file does not exist or cannot be parsed.
    pub fn load() -> Self {
        trust_db_path().map_or_else(
            || Self {
                entries: HashMap::new(),
                path: PathBuf::new(),
            },
            |path| Self::load_from(&path),
        )
    }

    /// Load the trust database from a specific path (for testing).
    pub fn load_from(path: &Path) -> Self {
        let entries = std::fs::read_to_string(path)
            .ok()
            .and_then(|content| serde_json::from_str(&content).ok())
            .unwrap_or_default();
        Self {
            entries,
            path: path.to_owned(),
        }
    }

    /// Save the trust database back to disk.
    ///
    /// # Errors
    ///
    /// Returns `RippyError::Trust` if the file cannot be written.
    pub fn save(&self) -> Result<(), RippyError> {
        if let Some(parent) = self.path.parent() {
            std::fs::create_dir_all(parent).map_err(|e| {
                RippyError::Trust(format!(
                    "could not create directory {}: {e}",
                    parent.display()
                ))
            })?;
        }
        let json = serde_json::to_string_pretty(&self.entries)
            .map_err(|e| RippyError::Trust(format!("could not serialize trust db: {e}")))?;
        std::fs::write(&self.path, json)
            .map_err(|e| RippyError::Trust(format!("could not write {}: {e}", self.path.display())))
    }

    /// Check whether a project config file is trusted.
    ///
    /// Trust is determined in order:
    /// 1. If the entry has a `repo_id` that matches the current repo → Trusted
    /// 2. If the content hash matches → Trusted
    /// 3. If neither matches → Modified (hash-based) or Untrusted (no entry)
    pub fn check(&self, path: &Path, content: &str) -> TrustStatus {
        let key = canonical_key(path);
        match self.entries.get(&key) {
            None => TrustStatus::Untrusted,
            Some(entry) => {
                // Repo-level trust: same repo → trusted regardless of hash.
                if let Some(stored_repo) = &entry.repo_id
                    && detect_repo_id(path).is_some_and(|current| current == *stored_repo)
                {
                    return TrustStatus::Trusted;
                }
                // Fall back to hash check (legacy entries or repo mismatch).
                let actual_hash = hash_content(content);
                if entry.hash == actual_hash {
                    TrustStatus::Trusted
                } else {
                    TrustStatus::Modified {
                        expected: entry.hash.clone(),
                        actual: actual_hash,
                    }
                }
            }
        }
    }

    /// Mark a project config file as trusted using its current content.
    ///
    /// Also detects and stores the repository identity so that future
    /// config changes within the same repo are automatically trusted.
    pub fn trust(&mut self, path: &Path, content: &str) {
        let key = canonical_key(path);
        let hash = hash_content(content);
        let repo_id = detect_repo_id(path);
        let now = now_iso8601();
        self.entries.insert(
            key,
            TrustEntry {
                hash,
                trusted_at: now,
                repo_id,
            },
        );
    }

    /// Remove trust for a project config file.
    ///
    /// Returns `true` if an entry was removed.
    pub fn revoke(&mut self, path: &Path) -> bool {
        let key = canonical_key(path);
        self.entries.remove(&key).is_some()
    }

    /// Return all trusted entries.
    #[must_use]
    pub const fn list(&self) -> &HashMap<String, TrustEntry> {
        &self.entries
    }

    /// Check if the database is empty.
    #[must_use]
    pub fn is_empty(&self) -> bool {
        self.entries.is_empty()
    }
}

/// Compute a SHA-256 hash of the given content, prefixed with `"sha256:"`.
#[must_use]
pub fn hash_content(content: &str) -> String {
    let mut hasher = Sha256::new();
    hasher.update(content.as_bytes());
    let result = hasher.finalize();
    format!("sha256:{result:x}")
}

/// Derive a stable key from a file path.
///
/// Uses the canonical (absolute) path if possible, falling back to the
/// original path string.
fn canonical_key(path: &Path) -> String {
    std::fs::canonicalize(path)
        .unwrap_or_else(|_| path.to_owned())
        .to_string_lossy()
        .into_owned()
}

/// Return the path to `~/.rippy/trusted.json`.
fn trust_db_path() -> Option<PathBuf> {
    dirs::home_dir().map(|h| h.join(".rippy/trusted.json"))
}

/// Current time as an ISO 8601 string (UTC-like, using system time).
fn now_iso8601() -> String {
    // Use a simple seconds-since-epoch representation to avoid pulling in chrono.
    let dur = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .unwrap_or_default();
    // Format as a readable timestamp without external crate.
    let secs = dur.as_secs();
    format_epoch_secs(secs)
}

/// Format seconds since epoch as `YYYY-MM-DDTHH:MM:SSZ`.
fn format_epoch_secs(secs: u64) -> String {
    // Days since epoch, then decompose into y/m/d.
    let days = secs / 86400;
    let time_of_day = secs % 86400;
    let hours = time_of_day / 3600;
    let minutes = (time_of_day % 3600) / 60;
    let seconds = time_of_day % 60;

    let (year, month, day) = days_to_ymd(days);
    format!("{year:04}-{month:02}-{day:02}T{hours:02}:{minutes:02}:{seconds:02}Z")
}

/// Convert days since 1970-01-01 to (year, month, day).
const fn days_to_ymd(days: u64) -> (u64, u64, u64) {
    // Civil calendar algorithm from Howard Hinnant.
    let z = days + 719_468;
    let era = z / 146_097;
    let doe = z - era * 146_097;
    let yoe = (doe - doe / 1460 + doe / 36524 - doe / 146_096) / 365;
    let y = yoe + era * 400;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let d = doy - (153 * mp + 2) / 5 + 1;
    let m = if mp < 10 { mp + 3 } else { mp - 9 };
    let y = if m <= 2 { y + 1 } else { y };
    (y, m, d)
}

/// Detect the repository identity for a config file path.
///
/// Prefers the git remote origin URL (`git@github.com:org/repo.git`).
/// Falls back to `"local:<repo_root>"` for repos without a remote.
/// Returns `None` if the file is not in a git repository.
pub fn detect_repo_id(path: &Path) -> Option<String> {
    let dir = path.parent()?;

    // Try git remote origin URL first.
    let remote = std::process::Command::new("git")
        .args(["-C", &dir.to_string_lossy(), "remote", "get-url", "origin"])
        .stdout(std::process::Stdio::piped())
        .stderr(std::process::Stdio::null())
        .output()
        .ok()?;

    if remote.status.success() {
        let url = String::from_utf8_lossy(&remote.stdout).trim().to_owned();
        if !url.is_empty() {
            return Some(url);
        }
    }

    // Fall back to repo root path.
    let toplevel = std::process::Command::new("git")
        .args(["-C", &dir.to_string_lossy(), "rev-parse", "--show-toplevel"])
        .stdout(std::process::Stdio::piped())
        .stderr(std::process::Stdio::null())
        .output()
        .ok()?;

    if toplevel.status.success() {
        let root = String::from_utf8_lossy(&toplevel.stdout).trim().to_owned();
        if !root.is_empty() {
            return Some(format!("local:{root}"));
        }
    }

    None
}

/// Guard that wraps a config file modification to preserve trust.
///
/// Snapshots the file's trust status *before* the write. After the write,
/// call [`TrustGuard::commit`] to update the trust hash — but only if
/// the pre-write content was verified as trusted. This prevents a TOCTOU
/// attack where a malicious actor modifies the file between the last
/// trust check and rippy's write.
///
/// For newly created files (no prior content), use [`TrustGuard::for_new_file`].
pub struct TrustGuard {
    path: PathBuf,
    was_trusted: bool,
}

impl TrustGuard {
    /// Snapshot the trust state of an existing config file before modifying it.
    ///
    /// Reads the file, checks trust status. If the file doesn't exist yet
    /// (will be created by the write), `was_trusted` is false.
    pub fn before_write(path: &Path) -> Self {
        let was_trusted = std::fs::read_to_string(path).ok().is_some_and(|content| {
            let db = TrustDb::load();
            db.check(path, &content) == TrustStatus::Trusted
        });
        Self {
            path: path.to_owned(),
            was_trusted,
        }
    }

    /// Create a guard for a file that is being newly created by the user.
    ///
    /// `commit()` will unconditionally trust the new file since the user
    /// explicitly created it (e.g., `rippy init`).
    pub fn for_new_file(path: &Path) -> Self {
        Self {
            path: path.to_owned(),
            was_trusted: true,
        }
    }

    /// Update the trust hash after the write, if the pre-write state was trusted.
    ///
    /// If the file was not trusted before the write (tampered or never approved),
    /// this is a no-op and a warning is logged.
    ///
    /// Errors are logged to stderr but do not fail the caller.
    pub fn commit(self) {
        if !self.was_trusted {
            return;
        }

        let content = match std::fs::read_to_string(&self.path) {
            Ok(c) => c,
            Err(e) => {
                eprintln!("[rippy] could not re-trust {}: {e}", self.path.display());
                return;
            }
        };
        let mut db = TrustDb::load();
        db.trust(&self.path, &content);
        if let Err(e) = db.save() {
            eprintln!("[rippy] could not save trust db: {e}");
        }
    }
}

// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------

#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
    use super::*;

    #[test]
    fn hash_content_deterministic() {
        let h1 = hash_content("allow *\n");
        let h2 = hash_content("allow *\n");
        assert_eq!(h1, h2);
        assert!(h1.starts_with("sha256:"));
    }

    #[test]
    fn hash_content_different_for_different_input() {
        let h1 = hash_content("allow *");
        let h2 = hash_content("deny *");
        assert_ne!(h1, h2);
    }

    #[test]
    fn empty_db_returns_untrusted() {
        let tmp = tempfile::NamedTempFile::new().unwrap();
        let db = TrustDb::load_from(tmp.path());
        assert_eq!(
            db.check(Path::new("/fake/.rippy"), "content"),
            TrustStatus::Untrusted
        );
    }

    #[test]
    fn trust_then_check_returns_trusted() {
        let tmp = tempfile::NamedTempFile::new().unwrap();
        let mut db = TrustDb::load_from(tmp.path());
        let path = tmp.path();
        db.trust(path, "allow git status\n");
        assert_eq!(db.check(path, "allow git status\n"), TrustStatus::Trusted);
    }

    #[test]
    fn modified_content_returns_modified() {
        let tmp = tempfile::NamedTempFile::new().unwrap();
        let mut db = TrustDb::load_from(tmp.path());
        let path = tmp.path();
        db.trust(path, "allow git status\n");
        let status = db.check(path, "allow *\n");
        assert!(matches!(status, TrustStatus::Modified { .. }));
    }

    #[test]
    fn revoke_existing_returns_true() {
        let tmp = tempfile::NamedTempFile::new().unwrap();
        let mut db = TrustDb::load_from(tmp.path());
        let path = tmp.path();
        db.trust(path, "content");
        assert!(db.revoke(path));
        assert_eq!(db.check(path, "content"), TrustStatus::Untrusted);
    }

    #[test]
    fn revoke_nonexistent_returns_false() {
        let tmp = tempfile::NamedTempFile::new().unwrap();
        let mut db = TrustDb::load_from(tmp.path());
        assert!(!db.revoke(Path::new("/nonexistent/.rippy")));
    }

    #[test]
    fn save_and_load_roundtrip() {
        let dir = tempfile::tempdir().unwrap();
        let db_path = dir.path().join("trusted.json");

        let mut db = TrustDb::load_from(&db_path);
        let config_path = dir.path().join(".rippy");
        std::fs::write(&config_path, "deny rm -rf").unwrap();
        db.trust(&config_path, "deny rm -rf");
        db.save().unwrap();

        let db2 = TrustDb::load_from(&db_path);
        assert_eq!(db2.check(&config_path, "deny rm -rf"), TrustStatus::Trusted);
    }

    #[test]
    fn format_epoch_known_date() {
        // 2024-01-01T00:00:00Z = 1704067200
        let s = format_epoch_secs(1_704_067_200);
        assert_eq!(s, "2024-01-01T00:00:00Z");
    }

    #[test]
    fn detect_repo_id_in_git_repo_with_remote() {
        let dir = tempfile::tempdir().unwrap();
        std::process::Command::new("git")
            .args(["init"])
            .current_dir(dir.path())
            .output()
            .unwrap();
        std::process::Command::new("git")
            .args(["remote", "add", "origin", "git@github.com:test/repo.git"])
            .current_dir(dir.path())
            .output()
            .unwrap();
        let config = dir.path().join(".rippy.toml");
        std::fs::write(&config, "# test").unwrap();
        let repo_id = detect_repo_id(&config);
        assert_eq!(repo_id.as_deref(), Some("git@github.com:test/repo.git"));
    }

    #[test]
    fn detect_repo_id_local_repo_without_remote() {
        let dir = tempfile::tempdir().unwrap();
        std::process::Command::new("git")
            .args(["init"])
            .current_dir(dir.path())
            .output()
            .unwrap();
        let config = dir.path().join(".rippy");
        std::fs::write(&config, "# test").unwrap();
        let repo_id = detect_repo_id(&config);
        assert!(
            repo_id.as_ref().is_some_and(|id| id.starts_with("local:")),
            "expected local: prefix, got: {repo_id:?}"
        );
    }

    #[test]
    fn detect_repo_id_no_git_returns_none() {
        let dir = tempfile::tempdir().unwrap();
        let config = dir.path().join(".rippy");
        std::fs::write(&config, "# test").unwrap();
        assert_eq!(detect_repo_id(&config), None);
    }

    #[test]
    fn repo_trust_survives_hash_change() {
        let dir = tempfile::tempdir().unwrap();
        // Set up a git repo so detect_repo_id works.
        std::process::Command::new("git")
            .args(["init"])
            .current_dir(dir.path())
            .output()
            .unwrap();
        std::process::Command::new("git")
            .args(["remote", "add", "origin", "git@github.com:test/repo.git"])
            .current_dir(dir.path())
            .output()
            .unwrap();

        let db_path = dir.path().join("trusted.json");
        let config_path = dir.path().join(".rippy.toml");
        std::fs::write(&config_path, "deny rm -rf").unwrap();

        let mut db = TrustDb::load_from(&db_path);
        db.trust(&config_path, "deny rm -rf");

        // Content changed but repo is the same → still trusted.
        assert_eq!(
            db.check(&config_path, "allow * MALICIOUS"),
            TrustStatus::Trusted
        );
    }

    #[test]
    fn legacy_entry_without_repo_id_uses_hash() {
        let tmp = tempfile::NamedTempFile::new().unwrap();
        let mut db = TrustDb::load_from(tmp.path());
        let path = tmp.path();
        // Manually insert entry without repo_id (simulates legacy).
        let key = canonical_key(path);
        db.entries.insert(
            key,
            TrustEntry {
                hash: hash_content("original"),
                trusted_at: "2024-01-01T00:00:00Z".to_string(),
                repo_id: None,
            },
        );
        assert_eq!(db.check(path, "original"), TrustStatus::Trusted);
        assert!(matches!(
            db.check(path, "changed"),
            TrustStatus::Modified { .. }
        ));
    }

    #[test]
    fn re_trust_after_write_updates_hash() {
        let dir = tempfile::tempdir().unwrap();
        let db_path = dir.path().join("trusted.json");
        let config_path = dir.path().join(".rippy");

        // Trust the original content.
        std::fs::write(&config_path, "deny rm").unwrap();
        let mut db = TrustDb::load_from(&db_path);
        db.trust(&config_path, "deny rm");
        db.save().unwrap();

        // Modify the file and re-trust.
        std::fs::write(&config_path, "deny rm\nallow git status").unwrap();
        // re_trust_after_write uses TrustDb::load() which reads HOME.
        // For unit test, manually simulate:
        let content = std::fs::read_to_string(&config_path).unwrap();
        db.trust(&config_path, &content);
        db.save().unwrap();

        let db2 = TrustDb::load_from(&db_path);
        assert_eq!(
            db2.check(&config_path, "deny rm\nallow git status"),
            TrustStatus::Trusted
        );
    }
}