feat(overlay): full command display, smart regex proposal, tmux notification passthrough

- overlay-dialog: wrap long commands at terminal width instead of truncating with "..."
- propose-rule: when compound command has uncovered segments (via new
  PASSTHRU_OVERLAY_UNALLOWED_SEGMENTS env var), target the first uncovered
  segment's first word instead of the full command's first word
- pre-tool-use: compute uncovered segments via new compute_unallowed_segments
  helper in common.sh (filters out readonly auto-allowed + allow/ask matched)
- notification: write OSC 777 to /dev/tty instead of stdout (stdout is the
  hook's JSON response); wrap in DCS tmux; ... ST passthrough when inside tmux
  so Ghostty can receive the notification through the tmux popup

Author: nnemirovsky

hooks/common.sh

@@ -2186,3 +2186,69 @@ match_all_segments() {
 
   return 0
 }
+
+# ---------------------------------------------------------------------------
+# compute_unallowed_segments
+# ---------------------------------------------------------------------------
+#
+# Usage: compute_unallowed_segments <ordered_entries_json> <tool_name> \
+#                                   <cwd> <allowed_dirs_json> <segments...>
+#
+# For compound Bash commands that fall through to the overlay, identifies
+# which segments are NOT covered by readonly auto-allow or by any allow/ask
+# rule. The overlay uses this information to propose a rule targeting only
+# the uncovered portion instead of the full command's first word.
+#
+# A segment is "unallowed" if:
+#   - It is NOT read-only auto-allowed (either not in readonly list or
+#     has absolute path outside cwd/allowed_dirs).
+#   - AND it does not match any allow or ask rule in ordered_entries.
+#
+# Output (stdout): NUL-separated list of unallowed segment strings.
+# Return: 0 always.
+compute_unallowed_segments() {
+  local ordered="$1"
+  local tool_name="$2"
+  local cwd="$3"
+  local allowed_dirs_json="$4"
+  shift 4
+
+  local _cus_segments=("$@")
+  local seg_count="${#_cus_segments[@]}"
+  [ "$seg_count" -eq 0 ] && return 0
+
+  local ordered_count
+  ordered_count="$(jq -r 'if type == "array" then length else 0 end' <<<"$ordered" 2>/dev/null)"
+  [ -z "$ordered_count" ] && ordered_count=0
+
+  local seg seg_idx seg_input entry rule mrc matched
+  for ((seg_idx = 0; seg_idx < seg_count; seg_idx++)); do
+    seg="${_cus_segments[$seg_idx]}"
+
+    # Skip read-only segments with valid paths.
+    if is_readonly_command "$seg" \
+       && readonly_paths_allowed "$seg" "$cwd" "$allowed_dirs_json"; then
+      continue
+    fi
+
+    # Check if it matches any allow/ask rule.
+    seg_input="$(jq -cn --arg c "$seg" '{command: $c}')"
+    matched=0
+    local i
+    for ((i = 0; i < ordered_count; i++)); do
+      entry="$(jq -c --argjson i "$i" '.[$i]' <<<"$ordered" 2>/dev/null)"
+      rule="$(jq -c '.rule // {}' <<<"$entry" 2>/dev/null)"
+      mrc=0
+      match_rule "$tool_name" "$seg_input" "$rule" || mrc=$?
+      if [ "$mrc" -eq 0 ]; then
+        matched=1
+        break
+      fi
+    done
+
+    if [ "$matched" -eq 0 ]; then
+      printf '%s\0' "$seg"
+    fi
+  done
+  return 0
+}

hooks/handlers/pre-tool-use.sh

@@ -751,6 +751,23 @@ export PASSTHRU_OVERLAY_TOOL_NAME="$TOOL_NAME"
 export PASSTHRU_OVERLAY_TOOL_INPUT_JSON="$TOOL_INPUT"
 export PASSTHRU_OVERLAY_CWD="$CC_CWD"
 
+# For compound Bash commands falling through to overlay, compute which
+# segments are uncovered (not readonly auto-allowed, not matched by any
+# allow/ask rule). The overlay uses this to propose a regex targeting only
+# the uncovered portion, not the full command's first word. Separator is
+# newline since env vars cannot carry NULs portably across multiplexer
+# popups. Segments never contain newlines because split_bash_command splits
+# at operators and redirections.
+PASSTHRU_OVERLAY_UNALLOWED_SEGMENTS=""
+if [ "$TOOL_NAME" = "Bash" ] && [ "$BASH_SEGMENT_COUNT" -gt 1 ]; then
+  _unallowed_raw="$(compute_unallowed_segments "$ORDERED" "$TOOL_NAME" "$CC_CWD" "$ALLOWED_DIRS_JSON" "${BASH_SEGMENTS[@]}" 2>/dev/null || true)"
+  # Convert NUL separators to newlines for env var transport.
+  if [ -n "$_unallowed_raw" ]; then
+    PASSTHRU_OVERLAY_UNALLOWED_SEGMENTS="$(printf '%s' "$_unallowed_raw" | tr '\0' '\n')"
+  fi
+fi
+export PASSTHRU_OVERLAY_UNALLOWED_SEGMENTS
+
 # --- Overlay queue lock -------------------------------------------------------
 # CC can fire multiple PreToolUse hooks concurrently (parallel tool calls).
 # Only one overlay popup can be visible at a time in a given multiplexer.
@@ -787,7 +804,19 @@ done
 
 # Send a desktop notification so the user knows a permission prompt is waiting.
 # OSC 777 is supported by Ghostty, iTerm2, and other modern terminals.
-printf '\033]777;notify;passthru;permission prompt: %s\a' "$TOOL_NAME" 2>/dev/null || true
+# Write to /dev/tty, not stdout - stdout is captured by CC as the hook's JSON
+# response. When running inside tmux, the OSC sequence must be wrapped in
+# tmux's "passthrough" escape (DCS tmux; ... ST) to reach the outer terminal.
+_notify_msg="passthru: permission prompt: ${TOOL_NAME}"
+if [ -e /dev/tty ]; then
+  if [ -n "${TMUX:-}" ]; then
+    # tmux wraps: ESC P tmux; ESC <escaped-inner> ESC \
+    # Inner ESC characters must be doubled (ESC ESC) for tmux passthrough.
+    printf '\033Ptmux;\033\033]777;notify;passthru;%s\a\033\\' "$_notify_msg" > /dev/tty 2>/dev/null || true
+  else
+    printf '\033]777;notify;passthru;%s\a' "$_notify_msg" > /dev/tty 2>/dev/null || true
+  fi
+fi
 
 # Invoke the overlay and capture its exit code. We have an ERR trap in place
 # (converts unexpected errors to fail-open passthrough), so we cannot rely on

scripts/overlay-dialog.sh

@@ -184,13 +184,66 @@ selected=0
 # Build a human-readable preview from tool_input. Each tool type gets a
 # tailored display. MCP tools show pretty JSON. Edits show a diff preview.
 _extract() { jq -r --arg f "$1" '.[$f] // empty' <<<"$TOOL_INPUT_JSON" 2>/dev/null; }
-_truncate() {
-  local s="$1" max="${2:-120}"
-  if [ "${#s}" -gt "$max" ]; then
-    printf '%s...' "${s:0:$((max - 3))}"
-  else
-    printf '%s' "$s"
+
+# _wrap_line: split a string into multiple lines at whitespace boundaries,
+# each line fitting within the given width. Falls back to hard-splitting
+# for any single run of non-whitespace longer than the width. Emits lines
+# via printf '%s\n' so callers can read them with `while IFS= read`.
+_wrap_line() {
+  local s="$1" width="${2:-100}"
+  # Hard guard against tiny widths or empty input.
+  [ "$width" -lt 20 ] && width=20
+  if [ -z "$s" ] || [ "${#s}" -le "$width" ]; then
+    printf '%s\n' "$s"
+    return 0
   fi
+  awk -v w="$width" '
+    {
+      line = ""
+      n = split($0, words, /[ \t]+/)
+      for (i = 1; i <= n; i++) {
+        word = words[i]
+        if (word == "") continue
+        if (length(line) == 0) {
+          # First word on a line. If it itself exceeds width, hard-split it.
+          while (length(word) > w) {
+            print substr(word, 1, w)
+            word = substr(word, w + 1)
+          }
+          line = word
+        } else if (length(line) + 1 + length(word) <= w) {
+          line = line " " word
+        } else {
+          print line
+          while (length(word) > w) {
+            print substr(word, 1, w)
+            word = substr(word, w + 1)
+          }
+          line = word
+        }
+      }
+      if (length(line) > 0) print line
+    }
+  ' <<<"$s"
+}
+
+# _append_wrapped: push wrapped lines of $1 into preview_lines, updating
+# extra_height accordingly. Width defaults to terminal columns - 10 (for
+# "Input: " prefix and popup padding) or 100 if tput fails.
+_append_wrapped() {
+  local s="$1"
+  local cols
+  cols="$(tput cols 2>/dev/null || echo 0)"
+  [ "$cols" -lt 40 ] && cols=110
+  local width=$((cols - 10))
+  local first=1
+  while IFS= read -r _wl; do
+    preview_lines+=("$_wl")
+    if [ "$first" -eq 0 ]; then
+      extra_height=$((extra_height + 1))
+    fi
+    first=0
+  done < <(_wrap_line "$s" "$width")
 }
 
 # preview_lines: array of lines to display. Populated per tool type.
@@ -200,51 +253,68 @@ extra_height=0  # additional lines beyond standard 1-line preview
 if [ -n "$TOOL_INPUT_JSON" ]; then
   case "$TOOL_NAME" in
     Bash)
-      preview_lines+=("$(_truncate "$(_extract command)" 120)")
+      _append_wrapped "$(_extract command)"
       ;;
     WebFetch)
-      preview_lines+=("$(_extract url)")
+      _append_wrapped "$(_extract url)"
       ;;
     WebSearch)
       _q="$(_extract query)"
-      [ -n "$_q" ] && preview_lines+=("search: $_q") || preview_lines+=("$(_extract url)")
+      if [ -n "$_q" ]; then
+        _append_wrapped "search: $_q"
+      else
+        _append_wrapped "$(_extract url)"
+      fi
       ;;
     Edit|Write)
-      preview_lines+=("$(_extract file_path)")
+      _append_wrapped "$(_extract file_path)"
       ;;
     Read|NotebookRead)
-      preview_lines+=("$(_extract file_path)")
+      _append_wrapped "$(_extract file_path)"
       ;;
     NotebookEdit)
       _fp="$(_extract file_path)"
       _cell="$(_extract cell_id)"
-      preview_lines+=("$_fp")
-      [ -n "$_cell" ] && preview_lines+=("cell: $_cell") && extra_height=1
+      _append_wrapped "$_fp"
+      if [ -n "$_cell" ]; then
+        preview_lines+=("cell: $_cell")
+        extra_height=$((extra_height + 1))
+      fi
       ;;
     Grep)
       _pat="$(_extract pattern)"
       _path="$(_extract path)"
-      preview_lines+=("/$_pat/")
-      [ -n "$_path" ] && preview_lines+=("in: $_path") && extra_height=1
+      _append_wrapped "/$_pat/"
+      if [ -n "$_path" ]; then
+        preview_lines+=("in: $_path")
+        extra_height=$((extra_height + 1))
+      fi
       ;;
     Glob)
       _pat="$(_extract pattern)"
       _path="$(_extract path)"
-      preview_lines+=("$_pat")
-      [ -n "$_path" ] && preview_lines+=("in: $_path") && extra_height=1
+      _append_wrapped "$_pat"
+      if [ -n "$_path" ]; then
+        preview_lines+=("in: $_path")
+        extra_height=$((extra_height + 1))
+      fi
       ;;
     Skill)
       _skill="$(_extract skill)"
       _args="$(_extract args)"
       if [ -n "$_args" ]; then
-        preview_lines+=("$_skill $_args")
+        _append_wrapped "$_skill $_args"
       else
-        preview_lines+=("$_skill")
+        _append_wrapped "$_skill"
       fi
       ;;
     Agent)
       _desc="$(_extract description)"
-      [ -n "$_desc" ] && preview_lines+=("$_desc") || preview_lines+=("$(_truncate "$(_extract prompt)" 120)")
+      if [ -n "$_desc" ]; then
+        _append_wrapped "$_desc"
+      else
+        _append_wrapped "$(_extract prompt)"
+      fi
       ;;
     mcp__*)
       # MCP tools: pretty-print the JSON args with indentation.
@@ -266,13 +336,13 @@ if [ -n "$TOOL_INPUT_JSON" ]; then
       extra_height=$((_line_count - 1))
       ;;
     *)
-      preview_lines+=("$(_truncate "$TOOL_INPUT_JSON" 120)")
+      _append_wrapped "$TOOL_INPUT_JSON"
       ;;
   esac
 fi
 # Fallback if nothing was extracted.
 if [ "${#preview_lines[@]}" -eq 0 ]; then
-  preview_lines+=("$(_truncate "$TOOL_INPUT_JSON" 120)")
+  _append_wrapped "$TOOL_INPUT_JSON"
 fi
 
 # Session context for the header (helps distinguish multiple CC sessions).

scripts/overlay-propose-rule.sh

@@ -85,6 +85,14 @@ if [ "$TOOL_NAME" = "Bash" ]; then
     emit_fallback
     exit 0
   fi
+  # If the hook identified specific uncovered segments (compound command
+  # where some parts are already auto-allowed), target the first uncovered
+  # segment instead of the whole command. This produces a useful rule for
+  # the part that actually needs it.
+  if [ -n "${PASSTHRU_OVERLAY_UNALLOWED_SEGMENTS:-}" ]; then
+    # Take the first non-empty line.
+    cmd="$(printf '%s\n' "$PASSTHRU_OVERLAY_UNALLOWED_SEGMENTS" | awk 'NF{print; exit}')"
+  fi
   # First token = first word of the command. Trim leading whitespace then
   # split on whitespace.
   cmd="${cmd#"${cmd%%[![:space:]]*}"}"

tests/common_load.bats

@@ -466,3 +466,39 @@ EOF
   run validate_rules "$merged"
   [ "$status" -eq 0 ]
 }
+
+# ---------------------------------------------------------------------------
+# compute_unallowed_segments
+# ---------------------------------------------------------------------------
+
+@test "compute_unallowed_segments: readonly segment is filtered out" {
+  # Two segments: ls (readonly) and weird_cmd (not readonly, no rule).
+  # Only weird_cmd should be returned.
+  result="$(compute_unallowed_segments '[]' "Bash" "$PROJ_ROOT" "[]" "ls" "weird_cmd --flag" | tr '\0' '\n')"
+  [ "$result" = "weird_cmd --flag" ]
+}
+
+@test "compute_unallowed_segments: allow-rule segment is filtered out" {
+  # Ordered allow/ask list covers 'git' but not 'weird_cmd'.
+  ordered='[{"list":"allow","merged_idx":0,"rule":{"tool":"Bash","match":{"command":"^git\\b"}}}]'
+  result="$(compute_unallowed_segments "$ordered" "Bash" "$PROJ_ROOT" "[]" "git status" "weird_cmd" | tr '\0' '\n')"
+  [ "$result" = "weird_cmd" ]
+}
+
+@test "compute_unallowed_segments: all readonly returns empty" {
+  # All segments readonly -> returns empty.
+  result="$(compute_unallowed_segments '[]' "Bash" "$PROJ_ROOT" "[]" "ls" "cat README.md" | tr '\0' '\n')"
+  [ -z "$result" ]
+}
+
+@test "compute_unallowed_segments: no rules and no readonly returns all" {
+  # Nothing covers the segments -> all are unallowed.
+  result="$(compute_unallowed_segments '[]' "Bash" "$PROJ_ROOT" "[]" "weird_a" "weird_b" | tr '\0' '\n')"
+  [ "$result" = "$(printf 'weird_a\nweird_b')" ]
+}
+
+@test "compute_unallowed_segments: readonly with invalid path is not filtered" {
+  # cat with absolute path outside cwd -> not readonly-allowed -> uncovered.
+  result="$(compute_unallowed_segments '[]' "Bash" "$PROJ_ROOT" "[]" "cat /etc/passwd" | tr '\0' '\n')"
+  [ "$result" = "cat /etc/passwd" ]
+}

tests/overlay.bats

@@ -282,6 +282,37 @@ restricted_path() {
   [ "$output" = '^rm(\s[^<>()\$\x60|{}&;\n\r]*)?$' ]
 }
 
+@test "propose-rule: Bash uses unallowed segments env var when set" {
+  # Compound command where ls is auto-allowed but weird_cmd is not.
+  # The proposer should target weird_cmd, not ls.
+  export PASSTHRU_OVERLAY_UNALLOWED_SEGMENTS="weird_cmd --flag"
+  run bash "$PROPOSER" "Bash" '{"command":"ls && weird_cmd --flag"}'
+  unset PASSTHRU_OVERLAY_UNALLOWED_SEGMENTS
+  [ "$status" -eq 0 ]
+  run jq -r '.match.command' <<<"$output"
+  [ "$output" = '^weird_cmd(\s[^<>()\$\x60|{}&;\n\r]*)?$' ]
+}
+
+@test "propose-rule: Bash uses first non-empty unallowed segment" {
+  # Multiple unallowed segments; should use the first.
+  export PASSTHRU_OVERLAY_UNALLOWED_SEGMENTS=$'npm test\ncargo build'
+  run bash "$PROPOSER" "Bash" '{"command":"ls && npm test && cargo build"}'
+  unset PASSTHRU_OVERLAY_UNALLOWED_SEGMENTS
+  [ "$status" -eq 0 ]
+  run jq -r '.match.command' <<<"$output"
+  [ "$output" = '^npm(\s[^<>()\$\x60|{}&;\n\r]*)?$' ]
+}
+
+@test "propose-rule: Bash ignores empty unallowed segments env var" {
+  # Empty env var should fall back to using the whole command's first word.
+  export PASSTHRU_OVERLAY_UNALLOWED_SEGMENTS=""
+  run bash "$PROPOSER" "Bash" '{"command":"git status"}'
+  unset PASSTHRU_OVERLAY_UNALLOWED_SEGMENTS
+  [ "$status" -eq 0 ]
+  run jq -r '.match.command' <<<"$output"
+  [ "$output" = '^git(\s[^<>()\$\x60|{}&;\n\r]*)?$' ]
+}
+
 @test "propose-rule: Read file_path -> parent-dir prefix match" {
   run bash "$PROPOSER" "Read" '{"file_path":"/Users/me/proj/src/file.ts"}'
   [ "$status" -eq 0 ]