use super::Verdict;
use crate::policy::{Policy, PolicyAction};
use serde::Deserialize;
use serde::Serialize;
#[derive(Deserialize)]
struct HookInput {
#[serde(default)]
tool_name: String,
#[serde(default)]
tool_input: HookToolInput,
}
#[derive(Deserialize, Default)]
struct HookToolInput {
#[serde(default)]
command: String,
}
#[derive(Serialize)]
struct HookOutput {
#[serde(rename = "hookSpecificOutput")]
hook_specific_output: HookSpecificOutput,
}
#[derive(Serialize)]
struct HookSpecificOutput {
#[serde(rename = "hookEventName")]
hook_event_name: &'static str,
#[serde(rename = "permissionDecision")]
permission_decision: &'static str,
#[serde(
rename = "permissionDecisionReason",
skip_serializing_if = "Option::is_none"
)]
reason: Option<String>,
#[serde(rename = "updatedInput", skip_serializing_if = "Option::is_none")]
updated_input: Option<UpdatedInput>,
}
#[derive(Serialize)]
struct UpdatedInput {
command: String,
}
#[derive(Debug)]
pub enum HookDecision {
PassThrough,
Allow { command: String },
Ask {
command: String,
reason: String,
rule_name: String,
},
Deny { reason: String, rule_name: String },
}
pub fn rewrite_decision(tool_name: &str, command: &str, policy: Option<&Policy>) -> HookDecision {
if tool_name != "Bash" {
return HookDecision::PassThrough;
}
let wrapped = format!(
"vallum run --policy-approved -- bash -c {}",
super::shell_escape(command)
);
match super::decide(command, policy) {
Verdict::PassThrough => HookDecision::PassThrough,
Verdict::Allow => HookDecision::Allow { command: wrapped },
Verdict::Ask { reason, rule_name } => HookDecision::Ask {
command: wrapped,
reason,
rule_name,
},
Verdict::Deny { reason, rule_name } => HookDecision::Deny { reason, rule_name },
}
}
pub fn run() -> i32 {
let Some(buf) = super::read_stdin() else {
return 0;
};
let input: HookInput = match serde_json::from_str(&buf) {
Ok(v) => v,
Err(_) => return 0, };
let (config, policy) = super::load_config_and_policy();
let decision = rewrite_decision(&input.tool_name, &input.tool_input.command, policy.as_ref());
let out = match decision {
HookDecision::PassThrough => return 0,
HookDecision::Allow { command } => HookSpecificOutput {
hook_event_name: "PreToolUse",
permission_decision: "allow",
reason: None,
updated_input: Some(UpdatedInput { command }),
},
HookDecision::Ask {
command,
reason,
rule_name,
} => {
super::audit_verdict(
PolicyAction::Ask,
reason.clone(),
rule_name,
&input.tool_input.command,
"claude",
&config,
);
HookSpecificOutput {
hook_event_name: "PreToolUse",
permission_decision: "ask",
reason: Some(reason),
updated_input: Some(UpdatedInput { command }),
}
}
HookDecision::Deny { reason, rule_name } => {
super::audit_verdict(
PolicyAction::Deny,
reason.clone(),
rule_name,
&input.tool_input.command,
"claude",
&config,
);
HookSpecificOutput {
hook_event_name: "PreToolUse",
permission_decision: "deny",
reason: Some(reason),
updated_input: None,
}
}
};
if let Ok(s) = serde_json::to_string(&HookOutput {
hook_specific_output: out,
}) {
println!("{}", s);
}
0
}
#[cfg(test)]
mod tests {
use super::*;
use crate::config::PolicyConfig;
use crate::policy::Policy;
fn guardrail() -> Policy {
Policy::compile(&PolicyConfig::default()).unwrap()
}
#[test]
fn allow_rewrites_plain_command() {
let d = rewrite_decision("Bash", "git status", Some(&guardrail()));
match d {
HookDecision::Allow { command } => {
assert_eq!(
command,
"vallum run --policy-approved -- bash -c 'git status'"
)
}
other => panic!("expected Allow, got {other:?}"),
}
}
#[test]
fn dangerous_command_asks_with_reason() {
let d = rewrite_decision("Bash", "rm -rf /", Some(&guardrail()));
match d {
HookDecision::Ask {
command, reason, ..
} => {
assert_eq!(
command,
"vallum run --policy-approved -- bash -c 'rm -rf /'"
);
assert!(reason.contains("root or home"));
}
other => panic!("expected Ask, got {other:?}"),
}
}
fn guardrail_with_deny() -> Policy {
use crate::config::{PolicyConfig, PolicyRuleConfig};
Policy::compile(&PolicyConfig {
rules: vec![PolicyRuleConfig {
pattern: "SECRETDROP".into(),
action: "deny".into(),
reason: "denied in test".into(),
}],
disabled: vec![],
})
.unwrap()
}
#[test]
fn denied_command_returns_deny_no_rewrite() {
let d = rewrite_decision("Bash", "echo SECRETDROP", Some(&guardrail_with_deny()));
match d {
HookDecision::Deny { reason, .. } => assert!(reason.contains("denied in test")),
other => panic!("expected Deny, got {other:?}"),
}
}
#[test]
fn guardrail_off_always_allows() {
let d = rewrite_decision("Bash", "rm -rf /", None);
match d {
HookDecision::Allow { command } => {
assert_eq!(
command,
"vallum run --policy-approved -- bash -c 'rm -rf /'"
)
}
other => panic!("expected Allow, got {other:?}"),
}
}
#[test]
fn non_bash_and_tui_pass_through() {
assert!(matches!(
rewrite_decision("Edit", "git status", None),
HookDecision::PassThrough
));
assert!(matches!(
rewrite_decision("Bash", "vim foo", Some(&guardrail())),
HookDecision::PassThrough
));
assert!(matches!(
rewrite_decision("Bash", "vallum run x", None),
HookDecision::PassThrough
));
assert!(matches!(
rewrite_decision("Bash", "", None),
HookDecision::PassThrough
));
}
}