fix(hook): respect Claude Code deny/ask permission rules on rewrite

[FlorianBruniaux]

Problem

The PreToolUse hook (rtk-rewrite.sh) was emitting permissionDecision: "allow" on every rewritten command, silently bypassing deny and ask rules defined in .claude/settings.json.

Concrete example: user has Bash(git push --force) in deny rules → hook rewrites to rtk git push --force with auto-allow → command executes without confirmation. P1-critical bug reported by the community and confirmed by @pszymkowiak.

Closes #260

Solution

Permission logic lives in the Rust binary (rtk rewrite), not the shell. The hook interprets exit codes.

Exit code protocol:

Exit	Stdout	Meaning
0	rewritten	No deny/ask rule matched — hook auto-allows
1	(none)	No RTK equivalent — passthrough unchanged
2	(none)	Deny rule matched — CC native deny handles it
3	rewritten	Ask rule matched — rewrite without permissionDecision (CC prompts user)

Changes

• src/permissions.rs (new) — loads Bash(...) deny/ask rules from all 4 Claude Code settings files ($PROJECT_ROOT/.claude/settings.json, .local.json, ~/.claude/settings.json, .local.json). Checks commands including compound (&&, ||, |, ;) and returns Allow / Deny / Ask verdict. Deny takes priority over Ask. 16 unit tests.
• src/rewrite_cmd.rs — after finding a rewrite, calls check_command() on the original command. Exits 0/2/3 accordingly.
• hooks/rtk-rewrite.sh + .claude/hooks/rtk-rewrite.sh — handle exit codes 2 (passthrough silently) and 3 (rewrite without permissionDecision). Hook version bumped 2→3.
• src/hook_check.rs — CURRENT_HOOK_VERSION 2→3 so existing users get the upgrade prompt.
• ARCHITECTURE.md — updated module count.

Test plan

• 16 unit tests in src/permissions.rs (exact match, prefix match, wildcard, deny precedence, compound commands, word boundary)
• Full test suite: 915 passed
• Manual: echo '{"permissions":{"deny":["Bash(git push --force)"]}}' > .claude/settings.json → rtk rewrite "git push --force" exits 2
• Manual: ask rule → exits 3 with rewritten command in stdout
• Manual: rtk rewrite "git status" → exits 0 as before (no regression)
• set -euo pipefail bug fixed in .claude/hooks/rtk-rewrite.sh (use || EXIT_CODE=$? pattern)

🤖 Generated with Claude Code

[Copilot]

Pull request overview

Adds Claude Code permission-awareness to the rtk rewrite flow so hooks can avoid auto-allowing rewritten commands when deny/ask rules match, preserving user intent while still enabling rewrites.

Changes:

• Introduces src/permissions.rs to load Claude Code settings and evaluate deny/ask Bash rules against commands.
• Updates rtk rewrite to return a richer exit-code protocol (0/1/2/3) to drive hook behavior (auto-allow vs prompt vs passthrough).
• Updates hook scripts and hook versioning to handle the new exit codes, and documents the new module in ARCHITECTURE.md.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
src/rewrite_cmd.rs	Adds permission checking and new exit-code protocol for rtk rewrite.
src/permissions.rs	Implements settings discovery + deny/ask rule matching (with unit tests).
src/main.rs	Registers the new permissions module.
src/hook_check.rs	Bumps expected hook version to 3.
hooks/rtk-rewrite.sh	Updates hook logic to respect deny/ask via rtk rewrite exit codes.
.claude/hooks/rtk-rewrite.sh	Same as above, with audit logging retained.
ARCHITECTURE.md	Documents the new module and updates module counts.

Comments suppressed due to low confidence (1)

ARCHITECTURE.md:301

• The module counts in this section are internally inconsistent after the update: it now claims “Total: 65 modules (38 command + 27 infrastructure)”, but the breakdown immediately below still lists different numbers (e.g. “Command Modules: 34”). Please reconcile these counts (and the “Complete Module Map (30 Modules)” heading earlier in this section if it’s still accurate).

**Total: 65 modules** (38 command modules + 27 infrastructure modules)

### Module Count Breakdown

- **Command Modules**: 34 (directly exposed to users)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[aeppling]

follow-up wildcards issue

The PR's pattern matching only handles * at the end of a pattern. Claude Code's permission system supports *
anywhere.

Works:

• Bash(git push --force) — exact match
• Bash(git push *) — trailing wildcard
• Bash(sudo:*) — legacy colon syntax

Doesn't work:

• Bash(* --force) — leading wildcard. User wants to deny any command ending with --force. The PR sees * --force,
  doesn't find a trailing *, falls through to exact match, matches nothing. Hook auto-allows.
• Bash(git * main) — middle wildcard. User wants to deny git push main, git merge main, etc. Same problem — no
  trailing *, treated as literal string, matches nothing.
• Bash(* --help *) — multiple wildcards. Same.

[pszymkowiak]

Ran a second deeper review focused on edge cases. Found 2 additional gaps beyond @aeppling's wildcard finding.

Bug 1 (Critical): deny rules skipped for non-RTK commands

check_command() only runs inside the Some(rewritten) branch (rewrite_cmd.rs:38). When rewrite_command returns None (no RTK equivalent), exit 1 is returned immediately — deny rules are never consulted.

Commands that return None include everything in IGNORED_PREFIXES: rm, mv, cp, chmod, kill, bash, python3 -c, etc.

Concrete failure: user adds Bash(rm -rf *) to deny list. Claude runs rm -rf /. Hook calls rtk rewrite "rm -rf /" → exit 1 (no rewrite) → hook passes through. Deny rule never checked.

Fix: run check_command before the rewrite match, not inside it.

Bug 2 (Critical): *:* pattern matches nothing

Bash(*:*) — a user expects this to block everything. strip_suffix('*') → *:, trim_end_matches(':') → *, then checks cmd == "*" → false. Pattern silently matches nothing.

Fix: add || prefix == "*" to the empty-prefix guard at permissions.rs:180.

@aeppling's wildcard finding confirmed

Leading (* --force), middle (git * main), and multiple (* --force *) wildcards all silently return false. Only trailing wildcards work.

Summary

Bug	Impact	Status
Deny skipped for non-RTK commands	Security bypass for rm, mv, kill, etc.	New finding
*:* matches nothing	Catch-all deny rule is a no-op	New finding
Leading/middle wildcards	@aeppling's finding, confirmed	Known

Core architecture is solid — these are fixable without redesign. Happy to re-review after fixes.

[FlorianBruniaux]

@pszymkowiak @aeppling All four findings addressed. Two commits on this branch:

53b8366 — rewrite_cmd.rs (Bug 1 + Bug 4)

• check_command() now runs before registry::rewrite_command(), so non-RTK commands (rm, kill, python3 -c) hit deny rules instead of bypassing them.
• Added explicit stdout().flush() before each process::exit().

6ddc805 — permissions.rs (Bug 2 + Bug 3)

• *:* catch-all: after strip_suffix('*') + trim, we now detect an empty-or-* prefix and return true.
• Leading/middle/multi wildcards: new glob_matches() function with segment anchoring (first = prefix, last = suffix, middle = str::find in order). * --force, git * main, git * --force * all work correctly.

8 new tests cover all the fixed cases, including integration variants with check_command_with_rules. 945 passing, 0 failures.

[pszymkowiak]

@FlorianBruniaux This PR has a merge conflict with develop (likely src/main.rs). Could you rebase on develop and enable "Allow edits by maintainers" so we can merge faster?

git fetch upstream develop
git rebase upstream/develop
# resolve conflicts
git push --force-with-lease

This is P1 security — we'd like to get it in the next release. Thanks!