feat(enforce-lsp-over-grep): telemetry log + regex hardening + quoted-pattern FP fix

- _log_block() disk-only JSONL telemetry with 256KB rotation + secret redaction
- POS_CODE_FILE_RE trailing boundary includes |>;& for pipe/redirect forms
- _strip_quoted() preprocessor prevents FP on code ext inside quoted pattern
- --selftest CLI flag with 8 regex cases
- strip user-specific mcp__ollama-filter__ollama_filter_call branch
  (MCP-agnostic repo; user-scope branch lives in ~/.claude/hooks/)
- tests: +_log_block (3), escape-quote ANSI-C/locale (2), rotation (2)

Co-authored-by: Claude <noreply@anthropic.com>

Author: Blanquitoh

hooks/enforce-lsp-over-grep.py

@@ -18,6 +18,36 @@
 HOME = Path(os.environ.get("HOME", str(Path.home())))
 AVAIL_FILE = HOME / ".claude" / "locks" / "lsp-availability.json"
 PLUGINS_FILE = HOME / ".claude" / "plugins" / "installed_plugins.json"
+METRICS_LOG = HOME / ".claude" / ".metrics" / "lsp-grep-blocks.log"
+
+
+def _log_block(payload: dict, tool_name: str, pattern_excerpt: str, reason: str) -> None:
+    """append single jsonl entry to metrics log; silent-pass on any failure.
+    disk-only — never emits to stdout/stderr/additionalContext (zero-token invariant)."""
+    try:
+        from datetime import datetime, timezone
+        # rotate when oversized: rename to .log.1 (overwriting any prior backup), start fresh
+        try:
+            if METRICS_LOG.exists() and METRICS_LOG.stat().st_size > 256 * 1024:
+                os.replace(str(METRICS_LOG), str(METRICS_LOG) + ".1")
+        except Exception:
+            pass
+        excerpt = (pattern_excerpt or "")[:80]
+        # redact secret-looking content (long hex/base64 or key= tokens)
+        if re.search(r"(?i)(api[_-]?key|secret|token|password|bearer)\s*[:=]", excerpt) or re.search(r"[A-Za-z0-9+/=]{40,}", excerpt):
+            excerpt = "[REDACTED]"
+        entry = {
+            "ts": datetime.now(timezone.utc).isoformat(),
+            "session_id": payload.get("session_id", ""),
+            "tool_name": tool_name,
+            "pattern_excerpt": excerpt,
+            "reason": reason,
+        }
+        METRICS_LOG.parent.mkdir(parents=True, exist_ok=True)
+        with open(METRICS_LOG, "a") as f:
+            f.write(json.dumps(entry) + "\n")
+    except Exception:
+        pass
 
 # plugin + binary fallback when avail file lacks an entry (prewarm hasn't run for this cwd yet)
 PLUGIN_BINARY_MAP = {
@@ -132,7 +162,15 @@ def lang_info_fallback(lang: str) -> Optional[dict]:
 RG_TYPE_RE = re.compile(r"""--type[=\s](\w+)""")
 RG_GLOB_RE = re.compile(r"""-g[=\s]['"]*\*(\.\w+)['"]*""")
 # positional code-file argument to grep/rg: "grep pattern path/to/file.scala"
-POS_CODE_FILE_RE = re.compile(r"""(?:^|\s)['"]?[^\s'"|&;<>]*(\.(?:scala|sbt|sc|py|ts|tsx|js|jsx|cs|vue|java))['"]?(?:\s|$)""")
+# trailing boundary includes pipe/redirect/semicolon/ampersand to catch
+# `grep "x" /a/b.ts | head` and `grep "x" /a/b.ts > out` and `grep "x" /a/b.ts;echo`
+POS_CODE_FILE_RE = re.compile(r"""(?:^|\s)['"]?[^\s'"|&;<>]*(\.(?:scala|sbt|sc|py|ts|tsx|js|jsx|cs|vue|java))['"]?(?:\s|$|[|>;&])""")
+_QUOTED_RE = re.compile(r"""(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\$'(?:\\.|[^'\\])*'|\$"(?:\\.|[^"\\])*")""")
+
+
+def _strip_quoted(cmd: str) -> str:
+    """remove shell-quoted substrings before POS_CODE_FILE_RE match — avoids FP on `grep "foo.ts" /a/b.md` where `.ts` is inside the search pattern, not a target filename"""
+    return _QUOTED_RE.sub(" ", cmd)
 
 
 def lsp_suggestion(lang: str, avail: dict) -> Optional[str]:
@@ -234,7 +272,7 @@ def detect_langs(cmd: str) -> set:
                 langs.add(EXT_LANG[ext])
     # positional code-file argument (e.g. `grep foo path/to/file.scala`)
     if tool_head in {"grep", "egrep", "fgrep", "rg", "ack", "ag"}:
-        for m in POS_CODE_FILE_RE.finditer(cmd):
+        for m in POS_CODE_FILE_RE.finditer(_strip_quoted(cmd)):
             ext = m.group(1).lower()
             if ext in EXT_LANG:
                 langs.add(EXT_LANG[ext])
@@ -329,30 +367,13 @@ def main() -> None:
                 "  - targeting non-source files → add --include='*.<ext>' (e.g. *.sql, *.md, *.properties) or -g '*.<ext>' for rg\n"
                 "  - scoped to a known non-code subtree → recurse inside conf/, docs/, .claude/, i18n/, etc. explicitly\n"
             )
+            _log_block(payload, tool_name, cmd, "unscoped_recursive_grep_bash")
             sys.exit(2)
         langs = detect_langs(cmd)
         source = "Bash: " + cmd[:200] + ("..." if len(cmd) > 200 else "")
     elif tool_name == "Grep":
         langs = detect_langs_native_grep(inp)
         source = f"Grep(pattern={inp.get('pattern','')[:40]}, type={inp.get('type')}, glob={inp.get('glob')}, path={inp.get('path')})"
-    elif tool_name == "mcp__ollama-filter__ollama_filter_call":
-        # filter_bash bypass: catches grep/rg/find wrapped in the ollama compression layer
-        sub_tool = (inp.get("tool") or "").strip()
-        sub_args = inp.get("args") or {}
-        if sub_tool != "filter_bash":
-            sys.exit(0)
-        cmd = sub_args.get("command", "") if isinstance(sub_args, dict) else ""
-        if not cmd or not is_search_tool(cmd):
-            sys.exit(0)
-        if is_unscoped_recursive_grep(cmd):
-            sys.stderr.write(
-                "BLOCKED by enforce-lsp-over-grep: unscoped recursive grep/rg (via ollama_filter_call)\n"
-                f"command: {cmd[:300]}{'...' if len(cmd) > 300 else ''}\n"
-                "declare intent: <lang>-direct wrapper for source code, or --include='*.<ext>' for non-source.\n"
-            )
-            sys.exit(2)
-        langs = detect_langs(cmd)
-        source = "ollama_filter_call(filter_bash): " + cmd[:200] + ("..." if len(cmd) > 200 else "")
     else:
         sys.exit(0)
     if not langs:
@@ -381,8 +402,35 @@ def main() -> None:
         f"{source}\n\n"
     )
     sys.stderr.write(header + "\n\n".join(msgs) + "\n")
+    if block:
+        _log_block(payload, tool_name, source, f"lsp_available_langs:{','.join(sorted(langs))}")
     sys.exit(2 if block else 0)
 
 
+def _selftest() -> int:
+    """inline regex self-test for POS_CODE_FILE_RE pipe/redirect boundary fix.
+    run: `python3 enforce-lsp-over-grep.py --selftest`"""
+    cases = [
+        ('grep "x" /a/b.ts',                    True),   # plain positional code file
+        ('grep "x" /a/b.ts | head -20',         True),   # pipe boundary
+        ('grep "x" /a/b.ts > out',              True),   # redirect boundary
+        ('grep "x" /a/b.md',                    False),  # non-source extension
+        ('grep "foo.ts" /a/b.md',               False),  # code ext INSIDE quoted pattern, target is .md
+        ('grep "pattern.ts;literal" file.md',   False),  # ext + separator inside quoted pattern
+        ('grep "x" /a/b.ts;echo done',          True),   # real .ts file then ;echo separator
+        ("grep 'foo.py' /a/b.md",               False),  # single-quoted pattern variant
+    ]
+    failed = 0
+    for cmd, expected_block in cases:
+        matched = bool(POS_CODE_FILE_RE.search(_strip_quoted(cmd)))
+        ok = matched == expected_block
+        print(f"{'OK' if ok else 'FAIL'}: {cmd!r} matched={matched} expected={expected_block}")
+        if not ok:
+            failed += 1
+    return 0 if failed == 0 else 1
+
+
 if __name__ == "__main__":
+    if len(sys.argv) > 1 and sys.argv[1] == "--selftest":
+        sys.exit(_selftest())
     main()

hooks/tests/test_enforce_lsp_over_grep.py

@@ -291,52 +291,6 @@ def test_bash_positional_non_code_passes(fake_home):
     assert rc == 0
 
 
-# ---------- ollama-filter filter_bash bypass ----------
-
-
-def _ollama(sub_tool: str, **args) -> dict:
-    return {
-        "hook_event_name": "PreToolUse",
-        "tool_name": "mcp__ollama-filter__ollama_filter_call",
-        "tool_input": {"tool": sub_tool, "args": args},
-    }
-
-
-@pytest.mark.parametrize("cmd,lang", [
-    ('grep -rn foo ~/x --include="*.scala"', "scala"),
-    ('rg --type python bar ~/x',              "python"),
-    ('find ~/x -name "*.ts"',                 "typescript"),
-    ('grep -n foo /tmp/Foo.cs',               "csharp"),
-])
-def test_ollama_filter_bash_bypass_blocked(fake_home, cmd, lang):
-    _write_availability(fake_home, {"lsps": {
-        "scala":      {"tool":"metals-direct","binary":"/x","backend":"metals-mcp","workspace":"/w"},
-        "python":     {"tool":"claude-lsp","plugin_installed":True,"binary_on_path":True,"binary_name":"pyright-langserver","workspace":"/w"},
-        "typescript": {"tool":"claude-lsp","plugin_installed":True,"binary_on_path":True,"binary_name":"typescript-language-server","workspace":"/w"},
-        "csharp":     {"tool":"claude-lsp","plugin_installed":True,"binary_on_path":True,"binary_name":"csharp-ls","workspace":"/w"},
-    }})
-    rc, _, err = _run(_ollama("filter_bash", command=cmd), fake_home)
-    assert rc == 2
-    assert lang in err
-    assert "ollama_filter_call" in err
-
-
-@pytest.mark.parametrize("sub_tool,args", [
-    ("search_memory",   {"query": "foo"}),
-    ("search_repo",     {"query": "foo", "repo_path": "/x"}),
-    ("filter_read",     {"path": "/tmp/Foo.scala"}),
-    ("filter_webfetch", {"url": "https://x/y"}),
-    ("filter_bash",     {"command": "docker ps"}),
-    ("filter_bash",     {"command": "git log --oneline"}),
-])
-def test_ollama_filter_non_grep_passes(fake_home, sub_tool, args):
-    _write_availability(fake_home, {"lsps": {
-        "scala": {"tool":"metals-direct","binary":"/x","backend":"metals-mcp","workspace":"/w"},
-    }})
-    rc, _, _ = _run(_ollama(sub_tool, **args), fake_home)
-    assert rc == 0
-
-
 # ---------- non-bash non-grep ----------
 
 
@@ -363,5 +317,112 @@ def test_empty_command_passes(fake_home):
     assert rc == 0
 
 
+# ---------- _log_block telemetry ----------
+
+
+@pytest.fixture
+def hook_module():
+    import importlib.util
+    spec = importlib.util.spec_from_file_location("enforce_lsp_over_grep", HOOK_PATH)
+    mod = importlib.util.module_from_spec(spec)
+    assert spec.loader is not None
+    spec.loader.exec_module(mod)
+    return mod
+
+
+def test_log_block_writes_jsonl_entry(hook_module, tmp_path, monkeypatch):
+    log_path = tmp_path / "log.jsonl"
+    monkeypatch.setattr(hook_module, "METRICS_LOG", log_path)
+    hook_module._log_block({"session_id": "abc"}, "Bash", "grep x /a/b.ts", "positional")
+    lines = log_path.read_text().splitlines()
+    assert len(lines) == 1
+    entry = json.loads(lines[0])
+    assert "ts" in entry
+    assert entry["session_id"] == "abc"
+    assert entry["tool_name"] == "Bash"
+    assert "grep x" in entry["pattern_excerpt"]
+    assert entry["reason"] == "positional"
+
+
+def test_log_block_redacts_secrets(hook_module, tmp_path, monkeypatch):
+    log_path = tmp_path / "log.jsonl"
+    monkeypatch.setattr(hook_module, "METRICS_LOG", log_path)
+    hook_module._log_block({"session_id": "s"}, "Bash", "api_key=AKIA1234", "x")
+    entry = json.loads(log_path.read_text().splitlines()[0])
+    assert entry["pattern_excerpt"] == "[REDACTED]"
+    # 45-char alphanumeric string
+    log_path.write_text("")
+    hook_module._log_block({"session_id": "s"}, "Bash", "A" * 45, "x")
+    entry = json.loads(log_path.read_text().splitlines()[0])
+    assert entry["pattern_excerpt"] == "[REDACTED]"
+
+
+def test_log_block_silent_pass_on_io_error(hook_module, monkeypatch):
+    monkeypatch.setattr(hook_module, "METRICS_LOG", Path("/nonexistent-root-dir/log.jsonl"))
+    # MUST NOT raise
+    result = hook_module._log_block({"session_id": "s"}, "Bash", "grep x /a/b.ts", "x")
+    assert result is None
+
+
+def test_log_block_rotates_when_oversized(hook_module, tmp_path, monkeypatch):
+    log_path = tmp_path / "lsp-grep-blocks.log"
+    backup_path = tmp_path / "lsp-grep-blocks.log.1"
+    # pre-fill with 260 KB of dummy content
+    dummy = "x" * (260 * 1024)
+    log_path.write_text(dummy)
+    monkeypatch.setattr(hook_module, "METRICS_LOG", log_path)
+    hook_module._log_block({"session_id": "s"}, "Bash", "grep x /a/b.ts", "rot")
+    # .log now small + only has new entry
+    new_contents = log_path.read_text()
+    assert len(new_contents) < 1024, f"expected small fresh log, got {len(new_contents)} bytes"
+    assert '"reason": "rot"' in new_contents
+    # .log.1 exists, holds the previous oversized content
+    assert backup_path.exists()
+    assert backup_path.read_text() == dummy
+
+
+def test_log_block_overwrites_old_rotation(hook_module, tmp_path, monkeypatch):
+    log_path = tmp_path / "lsp-grep-blocks.log"
+    backup_path = tmp_path / "lsp-grep-blocks.log.1"
+    fresh = "y" * (260 * 1024)
+    stale = "STALE-OLD-BACKUP"
+    log_path.write_text(fresh)
+    backup_path.write_text(stale)
+    monkeypatch.setattr(hook_module, "METRICS_LOG", log_path)
+    hook_module._log_block({"session_id": "s"}, "Bash", "grep x /a/b.ts", "rot")
+    # .log.1 now holds fresh (what .log had pre-rotation); stale backup overwritten
+    assert backup_path.read_text() == fresh
+    assert "STALE" not in backup_path.read_text()
+
+
+# ---------- backslash/single-quote escape in positional regex ----------
+
+
+def test_strip_quoted_handles_backslash_escape_inside_double_quote(hook_module):
+    cmd = r'''grep "it\"s a .ts" /a/b.md'''
+    langs = hook_module.detect_langs(cmd)
+    assert langs == set(), f"expected no lang detection, got {langs}"
+
+
+def test_strip_quoted_handles_single_quote_literal(hook_module):
+    cmd = '''grep 'a"b.ts' /a/b.md'''
+    langs = hook_module.detect_langs(cmd)
+    assert langs == set(), f"expected no lang detection, got {langs}"
+
+
+def test_strip_quoted_handles_ansi_c_dollar_single(hook_module):
+    # bash ANSI-C quoting: $'...' — `.ts` inside pattern, target is .md
+    cmd = r"""grep $'foo.ts\n' /a/b.md"""
+    langs = hook_module.detect_langs(cmd)
+    assert langs == set(), f"expected no lang detection, got {langs}"
+
+
+def test_strip_quoted_handles_locale_dollar_double(hook_module):
+    # locale-translation quoting: $"..." — `.ts` inside pattern, target is .md
+    cmd = '''grep $"x.ts" /a/b.md'''
+    langs = hook_module.detect_langs(cmd)
+    assert langs == set(), f"expected no lang detection, got {langs}"
+
+
 if __name__ == "__main__":
     sys.exit(pytest.main([__file__, "-v"]))