feat(gateguard): add env knobs for routine bash gate + extra destructive patterns

[gaurav0107]

Summary

• Adds GATEGUARD_BASH_ROUTINE_DISABLED env var: truthy values (1, true, on, yes, enabled) skip the once-per-session routine bash gate in scripts/hooks/gateguard-fact-force.js. Destructive gate is unaffected.
• Adds GATEGUARD_BASH_EXTRA_DESTRUCTIVE env var: regex source string for operator-supplied additional destructive patterns. Matches against the same quote-stripped, subshell-flattened command that the built-in DESTRUCTIVE_SQL_DD regex sees, so a phrase inside $(...) or backticks is also caught.
• Defaults preserve current behavior (both env vars unset → identical to current code path).
• Malformed GATEGUARD_BASH_EXTRA_DESTRUCTIVE regex is logged once to stderr with a [gateguard-fact-force] prefix and treated as not configured — hooks must never crash tool execution because of operator config errors.
• Implements Option 2 from Feature request: surface gateguard fact_force_bash_routine / destructive_bash_extra config knobs in the JS port #2078 (the env-var sketch). Option 1 (.gateguard.yml reading) is deliberately out of scope for this PR.

Verification

• node tests/run-all.js — 2619/2619 passed, 0 failed (12 new tests added in tests/hooks/gateguard-fact-force.test.js)
• npx eslint scripts/**/*.js tests/**/*.js — clean
• New test coverage:
  • GATEGUARD_BASH_ROUTINE_DISABLED=1 skips routine bash gate
  • Truthy aliases (true, on, yes, enabled, mixed case) all enable opt-out
  • Unset preserves baseline (denies first routine bash)
  • Falsy values (0, false, off, empty, unknown string) keep current behavior
  • Routine opt-out does NOT disable destructive bash gate (rm -rf still gated)
  • GATEGUARD_BASH_EXTRA_DESTRUCTIVE custom phrase fires destructive gate
  • Alternation second member also fires
  • Invalid regex degrades to baseline (no crash)
  • Unset extra-regex preserves baseline (no false positives)
  • Custom phrase inside $(...) is also caught

Fixes #2078

---

Summary by cubic

Adds env options to the Bash gateguard to disable the once-per-session routine gate and to add custom destructive regex patterns. Defaults are unchanged; destructive protections remain on. Fixes #2078.

• New Features

  • GATEGUARD_BASH_ROUTINE_DISABLED: truthy values (1, true, on, yes, enabled) skip the routine Bash gate; destructive gate still runs.
  • GATEGUARD_BASH_EXTRA_DESTRUCTIVE: regex source for extra destructive phrases; matched against quote-stripped, subshell-flattened commands. Malformed regex is logged and ignored (no crash).

• Bug Fixes

  • Reset warning when GATEGUARD_BASH_EXTRA_DESTRUCTIVE changes so each distinct invalid regex logs once, avoiding silent failures in long-running processes.

^{Written for commit 9e5a59b. Summary will update on new commits.}

Summary by CodeRabbit

• New Features

  • Operators can define custom destructive command patterns via an environment variable to extend destructive-command detection.
  • Added a configuration toggle to disable routine Bash gating while keeping destructive-command blocking active.

• Bug Fixes

  • Malformed custom patterns no longer crash the gate; invalid patterns are treated as unset and an error is logged only once per distinct value.

[coderabbitai]

Need the big picture first? Review this PR in Change Stack to see what changed before going file by file.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f3aaafee-f792-447c-911a-45e2fc85be5a

📥 Commits

Reviewing files that changed from the base of the PR and between a3f795e and 9e5a59b.

📒 Files selected for processing (2)

• scripts/hooks/gateguard-fact-force.js
• tests/hooks/gateguard-fact-force.test.js

🚧 Files skipped from review as they are similar to previous changes (2)

• tests/hooks/gateguard-fact-force.test.js
• scripts/hooks/gateguard-fact-force.js

---

📝 Walkthrough

Walkthrough

The hook adds two env controls: GATEGUARD_BASH_ROUTINE_DISABLED skips the once-per-session routine-Bash gate, and GATEGUARD_BASH_EXTRA_DESTRUCTIVE supplies operator regex for extra destructive detections. Extra regex is lazily compiled and memoized, invalid patterns log once to stderr and are treated as unconfigured, and destructive gating remains independent.

Changes

Bash gate environment configuration controls

Layer / File(s)	Summary
Environment configuration helpers scripts/hooks/gateguard-fact-force.js	Adds getExtraDestructiveRegex() and isRoutineBashGateDisabled() helper functions to parse and memoize env-var-based configuration, with safe handling of invalid regex patterns (one-time stderr logging, graceful fallback to unconfigured state).
Extra destructive pattern detection scripts/hooks/gateguard-fact-force.js	Extends isDestructiveBash() to test the operator-supplied extra destructive regex against the flattened normalized command and each stripped command segment, returning early on match.
Routine gate skip integration scripts/hooks/gateguard-fact-force.js	Adds conditional early-return in the Bash tool path to skip the once-per-session routine-bash gate when GATEGUARD_BASH_ROUTINE_DISABLED is enabled, leaving the destructive gate intact above.
Test coverage for env-based controls tests/hooks/gateguard-fact-force.test.js	Validates GATEGUARD_BASH_ROUTINE_DISABLED with truthy aliases and baseline preservation, confirms destructive gate is unaffected by routine disable, verifies GATEGUARD_BASH_EXTRA_DESTRUCTIVE pattern matching (including alternation and command substitution), and tests graceful degradation on invalid regex without crashing; also asserts one-time-per-distinct-invalid-pattern stderr warnings.

Sequence Diagram

sequenceDiagram
  participant Caller
  participant run as run(rawInput)
  participant BashCheck as tool === 'Bash'
  participant Destructive as isDestructiveBash()
  participant RoutineDisabled as isRoutineBashGateDisabled()
  participant Session as ROUTINE_BASH_SESSION_KEY

  Caller->>run: invoke hook
  run->>BashCheck: check tool name
  alt tool is Bash
    run->>Destructive: test built-in destructive patterns
    Destructive->>Destructive: apply extra destructive regex (if configured)
    alt destructive match
      run->>Caller: deny (destructive gate)
    else no destructive match
      run->>RoutineDisabled: check GATEGUARD_BASH_ROUTINE_DISABLED
      alt routine disabled
        run->>Caller: allow (routine gate skipped)
      else routine enabled
        run->>Session: check once-per-session key
        alt first Bash of session
          Session->>Session: mark checked
          run->>Caller: deny (routine gate)
        else already checked
          run->>Caller: allow
        end
      end
    end
  else not Bash
    run->>Caller: allow (no gate)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A tiny hook nibbles the env seed,

Destructive scents caught in a regex weed.
Routine shies back when the flag is high,
Bad patterns warn once — no crash, just a sigh.
Hooray, operators: fewer patches to feed.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the two main features added: environment knobs for controlling the routine bash gate and configurable extra destructive patterns.
Linked Issues check	✅ Passed	The PR implements Option 2 from issue #2078: adds GATEGUARD_BASH_ROUTINE_DISABLED to skip routine gating while preserving destructive checks, and GATEGUARD_BASH_EXTRA_DESTRUCTIVE for operator-supplied patterns with proper error handling and regex memoization.
Out of Scope Changes check	✅ Passed	All changes are directly related to issue #2078 requirements: hook implementation in gateguard-fact-force.js and comprehensive test coverage in gateguard-fact-force.test.js with no unrelated modifications.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/hooks/gateguard-fact-force.js`:
- Around line 79-92: The warning flag extraDestructiveWarnLogged is never reset
when extraDestructiveCacheKey (the env raw) changes, so subsequent distinct
invalid regex values are not reported; update the logic where
extraDestructiveCacheKey is assigned to reset extraDestructiveWarnLogged (or
track warnings per-key) whenever raw differs from the cached key so each bad
pattern logs once, and add a same-process regression test exercising
loadDirectHook() that sets multiple different invalid
GATEGUARD_BASH_EXTRA_DESTRUCTIVE values to verify a warning is emitted for each
distinct invalid value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 91fb3ddb-cb3f-4282-8f54-62aa57ddd991

📥 Commits

Reviewing files that changed from the base of the PR and between bc8e12b and a3f795e.

📒 Files selected for processing (2)

• scripts/hooks/gateguard-fact-force.js
• tests/hooks/gateguard-fact-force.test.js

[cubic-dev-ai]

1 issue found across 2 files

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[gaurav0107]

Thanks @coderabbitai and @cubic-dev-ai — both findings were the same valid bug, fixed in 9e5a59b.

extraDestructiveWarnLogged is now reset whenever the cache key changes (right after the new raw is assigned, before the try/RegExp block), so a process that flips through bad-pattern-a → bad-pattern-b reports both. A same-process regression test was added that spies on process.stderr.write via loadDirectHook() and asserts:

• same invalid pattern warns once (sanity baseline)
• switching to a different invalid pattern emits a second warning (the bug being fixed)
• switching to a valid regex emits zero warnings (no regression on the happy path)

node tests/hooks/gateguard-fact-force.test.js → 102/102 passing.

[cubic-dev-ai]

Thanks @coderabbitai and @cubic-dev-ai — both findings were the same valid bug, fixed in 9e5a59b.

extraDestructiveWarnLogged is now reset whenever the cache key changes (right after the new raw is assigned, before the try/RegExp block), so a process that flips through bad-pattern-a → bad-pattern-b reports both. A same-process regression test was added that spies on process.stderr.write via loadDirectHook() and asserts:

• same invalid pattern warns once (sanity baseline)
  ...

@gaurav0107 Looks good — the fix addresses exactly what both reviewers flagged. The key change in getExtraDestructiveRegex():

extraDestructiveCacheKey = raw;
extraDestructiveWarnLogged = false;      // <— the fix

That reset right before the try block means each distinct invalid pattern gets its own warning, rather than the first bad pattern consuming the slot forever. The test covering the three scenarios (same warn once, different warn again, valid no warn) pins that behavior properly.

The rest of the diff is clean too — ECC_ENABLE_VALUES for the routine opt-out, the getExtraDestructiveRegex() integration into isDestructiveBash(), and the graceful degradation on malformed regex all match what was described in the original sketch.

102/102 passing with no eslint issues is exactly the bar this team expects before merging. No further concerns on my side.

_{Tip: get faster answers by chatting with cubic’s review copilot in the review UI}

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@gaurav0107 The fix is clean and well-targeted — resetting extraDestructiveWarnLogged right after the new raw is assigned (before the try/RegExp block) is exactly the right insertion point, since it ensures the flag is always tied to the current cache key's lifecycle rather than the module's lifetime. The three-assertion regression test covers the important bases neatly: baseline deduplication, the actual bug scenario (different-pattern second warning), and no false warnings on a valid regex.

🐇🎉