feat(bootstrap): add converters for WebSearch, Read/Edit/Write, and Skill (#8)

Author: nnemirovsky

.claude-plugin/marketplace.json

@@ -1,6 +1,6 @@
 {
   "name": "passthru",
-  "version": "0.2.3",
+  "version": "0.3.0",
   "description": "Regex-based permission rules for Claude Code via hooks",
   "owner": {
     "name": "nnemirovsky"

.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "passthru",
-  "version": "0.2.3",
+  "version": "0.3.0",
   "description": "Regex-based permission rules for Claude Code via hooks",
   "license": "MIT"
 }

CLAUDE.md

@@ -33,7 +33,9 @@ hooks/
                        marker. Prints to stderr only when the user has no passthru files yet
                        AND has importable entries in ~/.claude/settings.json.
 scripts/
-  bootstrap.sh         one-time importer from native permissions.allow into passthru.imported.json
+  bootstrap.sh         one-time importer from native permissions.allow into passthru.imported.json.
+                       Supported shapes: Bash(prefix:*) | Bash(exact) | mcp__* | WebFetch(domain:X)
+                       | WebSearch | Read/Edit/Write(path[/**]) | Skill(name). Others -> [WARN] skip.
   write-rule.sh        atomic write wrapper: backup + append + verify + rollback
   verify.sh            rule verifier CLI (also invoked by write-rule.sh and /passthru:verify)
   log.sh               audit-log viewer CLI + sentinel toggle

README.md

@@ -103,6 +103,20 @@ bash .../scripts/bootstrap.sh --write
 
 `--write` mode also runs `scripts/verify.sh --quiet` after writing. If the verifier finds errors, the script restores the pre-write backup and exits non-zero.
 
+**What bootstrap converts.** Six native rule shapes are recognized:
+
+| Native rule | Converted to |
+| --- | --- |
+| `Bash(<prefix>:*)` | `{"tool": "Bash", "match": {"command": "^<prefix>(\\s|$)"}}` |
+| `Bash(<exact command>)` | `{"tool": "Bash", "match": {"command": "^<exact>$"}}` |
+| `mcp__server__tool` | `{"tool": "^mcp__server__tool$"}` |
+| `WebFetch(domain:x.com)` | `{"tool": "WebFetch", "match": {"url": "^https?://([^/.]+\\.)*x\\.com([/:?#]\|$)"}}` |
+| `WebSearch` | `{"tool": "^WebSearch$"}` |
+| `Read(<path>)`, `Edit(<path>)`, `Write(<path>)` | `{"tool": "^Read$", "match": {"file_path": "^<path>$"}}` (exact) or `"^<path>(/\|$)"` when the native rule ends in `/**` or `/*` |
+| `Skill(<name>)` | `{"tool": "^Skill$", "match": {"skill": "^<name>$"}}` |
+
+Regex metacharacters in the original path/prefix/name are escaped so the converted pattern matches literally. Anything that does not match one of the shapes above is skipped with a `[WARN]` line on stderr (for example, custom MCP tool patterns that do not start with `mcp__`, or a `WebFetch(...)` with a non-`domain:` argument).
+
 Bootstrap writes to dedicated imported files so hand-curated rules in `passthru.json` stay separate:
 
 * `~/.claude/passthru.imported.json` (user scope)

scripts/bootstrap.sh

@@ -16,6 +16,12 @@
 #   mcp__server__tool         -> {tool:"^mcp__server__tool$"}
 #   WebFetch(domain:x.com)    -> {tool:"WebFetch",
 #                                 match:{url:"^https?://([^/.]+\\.)*x\\.com([/:?#]|$)"}}
+#   WebSearch                 -> {tool:"^WebSearch$"}
+#   Read(<path>/**)           -> {tool:"^Read$", match:{file_path:"^<escaped>(/|$)"}}
+#   Read(<path>)              -> {tool:"^Read$", match:{file_path:"^<escaped>$"}}
+#   Edit(<path>[/**])         -> same shape as Read
+#   Write(<path>[/**])        -> same shape as Read
+#   Skill(<name>)             -> {tool:"^Skill$", match:{skill:"^<escaped>$"}}
 #
 # Unknown shapes (rules with spaces past the prefix, unrecognized forms) are
 # skipped with a warning printed to stderr.
@@ -234,6 +240,60 @@ convert_rule() {
       --arg tool "^${escaped}\$" \
       '{tool:$tool, reason:"imported from settings"}')"
 
+  elif [[ "$raw" == "WebSearch" ]]; then
+    # Bare WebSearch native rule allows any query. No match block.
+    json="$(jq -cn \
+      '{tool:"^WebSearch$", reason:"imported from settings"}')"
+
+  elif [[ "$raw" == Read\(*\) ]] || [[ "$raw" == Edit\(*\) ]] || [[ "$raw" == Write\(*\) ]]; then
+    # File-path-based native rules. Detect the tool name, then inspect the
+    # inner path for a trailing glob suffix (`/**` or `/*`). A glob suffix
+    # means "anything under this directory"; without it the path is an
+    # exact-file match.
+    local tool_name="${raw%%(*}"
+    local inner="${raw#${tool_name}(}"
+    inner="${inner%)}"
+    if [ -z "$inner" ]; then
+      printf '[WARN] skipping %s rule with empty path: %s\n' "$tool_name" "$raw" >&2
+      return 0
+    fi
+    local path_re
+    if [[ "$inner" == */\*\* ]]; then
+      local prefix="${inner%/\*\*}"
+      local escaped
+      escaped="$(regex_escape "$prefix")"
+      path_re="^${escaped}(/|\$)"
+    elif [[ "$inner" == */\* ]]; then
+      local prefix="${inner%/\*}"
+      local escaped
+      escaped="$(regex_escape "$prefix")"
+      path_re="^${escaped}(/|\$)"
+    else
+      local escaped
+      escaped="$(regex_escape "$inner")"
+      path_re="^${escaped}\$"
+    fi
+    json="$(jq -cn \
+      --arg tool "^${tool_name}\$" \
+      --arg fp "$path_re" \
+      '{tool:$tool, match:{file_path:$fp}, reason:"imported from settings"}')"
+
+  elif [[ "$raw" == Skill\(*\) ]]; then
+    # Skill(<name>) -> exact-match the skill identifier.
+    local name="${raw#Skill(}"
+    name="${name%)}"
+    name="${name#"${name%%[![:space:]]*}"}"
+    name="${name%"${name##*[![:space:]]}"}"
+    if [ -z "$name" ]; then
+      printf '[WARN] skipping Skill rule with empty name: %s\n' "$raw" >&2
+      return 0
+    fi
+    local escaped
+    escaped="$(regex_escape "$name")"
+    json="$(jq -cn \
+      --arg skill "^${escaped}\$" \
+      '{tool:"^Skill$", match:{skill:$skill}, reason:"imported from settings"}')"
+
   else
     printf '[WARN] skipping unknown rule format: %s\n' "$raw" >&2
     return 0

tests/bootstrap.bats

@@ -114,7 +114,7 @@ run_boot() {
   cp "$FIXTURES/settings-with-allow.json" "$PROJ_ROOT/.claude/settings.local.json"
   run bash -c "bash '$BOOTSTRAP' 2>&1 >/dev/null"
   [[ "$output" == *"[WARN]"* ]]
-  [[ "$output" == *"Read(/tmp/foo)"* ]] || [[ "$output" == *"ExactStrangeFormat"* ]]
+  [[ "$output" == *"ExactStrangeFormat"* ]]
 }
 
 @test "bootstrap: --write persists converted rules to project .imported.json" {
@@ -123,8 +123,8 @@ run_boot() {
   [ "$status" -eq 0 ]
   [ -f "$(proj_imported)" ]
   run jq -r '.allow | length' "$(proj_imported)"
-  # fixture has 13 entries, 2 skipped (Read, ExactStrangeFormat) -> 11 kept
-  [ "$output" = "11" ]
+  # fixture has 18 entries, 1 skipped (ExactStrangeFormat) -> 17 kept
+  [ "$output" = "17" ]
 }
 
 @test "bootstrap: dry-run output matches --write file content (schema-wise)" {
@@ -465,3 +465,162 @@ EOF
   run jq -r '.allow[0].match.command' "$(user_imported)"
   [ "$output" = "^ls(\\s|\$)" ]
 }
+
+# ---------------------------------------------------------------------------
+# WebSearch converter
+# ---------------------------------------------------------------------------
+
+@test "bootstrap: WebSearch converts to ^WebSearch$ tool rule with no match block" {
+  printf '{"permissions":{"allow":["WebSearch"]}}\n' > "$USER_ROOT/.claude/settings.json"
+  run_boot --user-only --write
+  [ "$status" -eq 0 ]
+  run jq -r '.allow | length' "$(user_imported)"
+  [ "$output" = "1" ]
+  run jq -r '.allow[0].tool' "$(user_imported)"
+  [ "$output" = "^WebSearch\$" ]
+  # No match block should be present.
+  run jq -r '.allow[0] | has("match")' "$(user_imported)"
+  [ "$output" = "false" ]
+}
+
+# ---------------------------------------------------------------------------
+# Read/Edit/Write file_path converters
+# ---------------------------------------------------------------------------
+
+@test "bootstrap: Read(/tmp/foo/**) converts to Read tool with prefix regex" {
+  printf '{"permissions":{"allow":["Read(/tmp/foo/**)"]}}\n' > "$USER_ROOT/.claude/settings.json"
+  run_boot --user-only --write
+  [ "$status" -eq 0 ]
+  run jq -r '.allow[0].tool' "$(user_imported)"
+  [ "$output" = "^Read\$" ]
+  pat="$(jq -r '.allow[0].match.file_path' "$(user_imported)")"
+  # Must match /tmp/foo and everything under it.
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' '/tmp/foo' "$pat"
+  [ "$status" -eq 0 ]
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' '/tmp/foo/bar' "$pat"
+  [ "$status" -eq 0 ]
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' '/tmp/foo/bar/baz' "$pat"
+  [ "$status" -eq 0 ]
+  # Must NOT match /tmp/foobar (sibling with same prefix).
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' '/tmp/foobar' "$pat"
+  [ "$status" -ne 0 ]
+}
+
+@test "bootstrap: Read(/etc/hosts) converts to exact file_path match" {
+  printf '{"permissions":{"allow":["Read(/etc/hosts)"]}}\n' > "$USER_ROOT/.claude/settings.json"
+  run_boot --user-only --write
+  [ "$status" -eq 0 ]
+  run jq -r '.allow[0].tool' "$(user_imported)"
+  [ "$output" = "^Read\$" ]
+  pat="$(jq -r '.allow[0].match.file_path' "$(user_imported)")"
+  # Must match exactly.
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' '/etc/hosts' "$pat"
+  [ "$status" -eq 0 ]
+  # Must NOT match /etc/hosts.bak or subpaths.
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' '/etc/hosts.bak' "$pat"
+  [ "$status" -ne 0 ]
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' '/etc/hosts/sub' "$pat"
+  [ "$status" -ne 0 ]
+}
+
+@test "bootstrap: Edit(/path) converts with same file_path shape as Read" {
+  printf '{"permissions":{"allow":["Edit(/var/log/app.log)"]}}\n' > "$USER_ROOT/.claude/settings.json"
+  run_boot --user-only --write
+  [ "$status" -eq 0 ]
+  run jq -r '.allow[0].tool' "$(user_imported)"
+  [ "$output" = "^Edit\$" ]
+  pat="$(jq -r '.allow[0].match.file_path' "$(user_imported)")"
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' '/var/log/app.log' "$pat"
+  [ "$status" -eq 0 ]
+}
+
+@test "bootstrap: Write(/path/**) converts to Write prefix regex" {
+  printf '{"permissions":{"allow":["Write(/tmp/out/**)"]}}\n' > "$USER_ROOT/.claude/settings.json"
+  run_boot --user-only --write
+  [ "$status" -eq 0 ]
+  run jq -r '.allow[0].tool' "$(user_imported)"
+  [ "$output" = "^Write\$" ]
+  pat="$(jq -r '.allow[0].match.file_path' "$(user_imported)")"
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' '/tmp/out/file.txt' "$pat"
+  [ "$status" -eq 0 ]
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' '/tmp/output' "$pat"
+  [ "$status" -ne 0 ]
+}
+
+@test "bootstrap: Read path with regex metachars (dots, asterisks) is escaped" {
+  # A literal path with regex metacharacters (dot, asterisk) must be escaped
+  # so the resulting pattern matches only the literal path and does not
+  # admit anything a greedy reader would allow.
+  printf '{"permissions":{"allow":["Read(/a.b/c*/**)"]}}\n' > "$USER_ROOT/.claude/settings.json"
+  run_boot --user-only --write
+  [ "$status" -eq 0 ]
+  pat="$(jq -r '.allow[0].match.file_path' "$(user_imported)")"
+  # Must match the literal path.
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' '/a.b/c*' "$pat"
+  [ "$status" -eq 0 ]
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' '/a.b/c*/file' "$pat"
+  [ "$status" -eq 0 ]
+  # Must NOT match paths that only pass because dots and asterisks were
+  # treated as regex operators.
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' '/aXb/cZZ' "$pat"
+  [ "$status" -ne 0 ]
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' '/a/b/c/file' "$pat"
+  [ "$status" -ne 0 ]
+}
+
+# ---------------------------------------------------------------------------
+# Skill converter
+# ---------------------------------------------------------------------------
+
+@test "bootstrap: Skill(revdiff) converts to ^Skill$ with {skill: ^revdiff$}" {
+  printf '{"permissions":{"allow":["Skill(revdiff)"]}}\n' > "$USER_ROOT/.claude/settings.json"
+  run_boot --user-only --write
+  [ "$status" -eq 0 ]
+  run jq -r '.allow[0].tool' "$(user_imported)"
+  [ "$output" = "^Skill\$" ]
+  run jq -r '.allow[0].match.skill' "$(user_imported)"
+  [ "$output" = "^revdiff\$" ]
+}
+
+@test "bootstrap: Skill name with metachars is escaped" {
+  printf '{"permissions":{"allow":["Skill(my.skill*)"]}}\n' > "$USER_ROOT/.claude/settings.json"
+  run_boot --user-only --write
+  [ "$status" -eq 0 ]
+  pat="$(jq -r '.allow[0].match.skill' "$(user_imported)")"
+  # Must match literal name only.
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' 'my.skill*' "$pat"
+  [ "$status" -eq 0 ]
+  # Must NOT match a name that only passes because . or * were unescaped.
+  run perl -e 'exit(1) unless $ARGV[0] =~ /$ARGV[1]/' 'myXskill' "$pat"
+  [ "$status" -ne 0 ]
+}
+
+# ---------------------------------------------------------------------------
+# Regressions: Bash, MCP, WebFetch still convert with the new converters added.
+# ---------------------------------------------------------------------------
+
+@test "bootstrap: Bash/MCP/WebFetch conversions still work alongside new converters" {
+  cat > "$USER_ROOT/.claude/settings.json" <<'EOF'
+{"permissions":{"allow":[
+  "Bash(git status:*)",
+  "Bash(echo hello)",
+  "mcp__context7__query-docs",
+  "WebFetch(domain:docs.anthropic.com)",
+  "WebSearch",
+  "Read(/tmp/foo/**)",
+  "Skill(revdiff)"
+]}}
+EOF
+  run_boot --user-only --write
+  [ "$status" -eq 0 ]
+  run jq -r '.allow | length' "$(user_imported)"
+  [ "$output" = "7" ]
+  # Spot-check each shape.
+  run jq -r '[.allow[].tool] | sort | join(",")' "$(user_imported)"
+  [[ "$output" == *'Bash'* ]]
+  [[ "$output" == *'WebFetch'* ]]
+  [[ "$output" == *'^WebSearch$'* ]]
+  [[ "$output" == *'^Read$'* ]]
+  [[ "$output" == *'^Skill$'* ]]
+  [[ "$output" == *'^mcp__context7__query\-docs$'* ]]
+}

tests/fixtures/settings-with-allow.json

@@ -12,7 +12,12 @@
       "WebFetch(domain:docs.anthropic.com)",
       "WebFetch(domain:x.com)",
       "Bash(npm run test:unit)",
-      "Read(/tmp/foo)",
+      "WebSearch",
+      "Read(/private/tmp/ios-webkit-debug-proxy/**)",
+      "Read(/etc/hosts)",
+      "Edit(/var/log/app.log)",
+      "Write(/tmp/out/**)",
+      "Skill(revdiff)",
       "ExactStrangeFormat"
     ]
   }