fix: allow DSO shim ticket commands in tickets-tracker-guard (merge worktree-20260324-091358)

JoeOakhartNava · JoeOakhartNava · commit 77fafb7a66fd · 2026-03-24T14:35:02.000-07:00
diff --git a/plugins/dso/hooks/lib/pre-bash-functions.sh b/plugins/dso/hooks/lib/pre-bash-functions.sh
@@ -744,7 +744,7 @@ print(json.dumps(entry))
 #
 # .tickets-tracker/ is an event-sourced log; direct Bash modifications bypass
 # event sourcing invariants and may corrupt the event log. All mutations must
-# go through ticket CLI commands (ticket *, tk *).
+# go through ticket CLI commands (ticket *, .claude/scripts/dso ticket *).
 #
 # Logic:
 #   1. Only fires on Bash tool calls
@@ -753,7 +753,7 @@ print(json.dumps(entry))
 #   4. If command contains .tickets-tracker/ AND NOT allowlisted: return 2 (block)
 #   5. All other cases: return 0 (allow, fail-open)
 #
-# Allowlist: ticket CLI scripts (ticket, tk) are the sanctioned write path.
+# Allowlist: ticket CLI scripts (ticket, .claude/scripts/dso ticket) are the sanctioned write path.
 #
 # REVIEW-DEFENSE: This function is intentionally not wired into dispatchers yet.
 # Task dso-280g ("Wire tickets-tracker guards into dispatchers") handles dispatcher
@@ -783,12 +783,24 @@ hook_tickets_tracker_bash_guard() {
         return 0
     fi
 
-    # Allowlist: ticket CLI patterns (ticket *) — sanctioned write path
-    # Check if command's first meaningful token is 'ticket'
-    local FIRST_TOKEN
-    FIRST_TOKEN="${COMMAND##*([[:space:]])}"   # trim leading whitespace
-    FIRST_TOKEN="${FIRST_TOKEN%%[[:space:]]*}" # first token
-    if [[ "$FIRST_TOKEN" == "ticket" ]]; then
+    # Allowlist: ticket CLI patterns — sanctioned write path.
+    # Three invocation forms:
+    #   1. "ticket <subcommand> ..." — bare ticket dispatcher
+    #   2. ".claude/scripts/dso ticket <subcommand> ..." — via DSO shim
+    #   3. "bash .claude/scripts/dso ticket <subcommand> ..." — shim via bash
+    local _TRIMMED
+    _TRIMMED="${COMMAND##*([[:space:]])}"   # trim leading whitespace
+    local _FIRST_TOKEN="${_TRIMMED%%[[:space:]]*}"
+    # Form 1: bare "ticket" command
+    if [[ "$_FIRST_TOKEN" == "ticket" ]]; then
+        return 0
+    fi
+    # Form 2: DSO shim — command starts with the shim path + "ticket"
+    if [[ "$_TRIMMED" == ".claude/scripts/dso ticket "* ]] || [[ "$_TRIMMED" == ".claude/scripts/dso ticket" ]]; then
+        return 0
+    fi
+    # Form 3: shim invoked via bash
+    if [[ "$_TRIMMED" == "bash .claude/scripts/dso ticket "* ]] || [[ "$_TRIMMED" == "bash .claude/scripts/dso ticket" ]]; then
         return 0
     fi
 
diff --git a/tests/hooks/test-tickets-tracker-guard.sh b/tests/hooks/test-tickets-tracker-guard.sh
@@ -108,11 +108,48 @@ EXIT_CODE=$(run_bash_guard "$INPUT")
 assert_eq_verbose "test_bash_tickets_tracker_reference_blocks" "2" "$EXIT_CODE"
 
 # --- test_bash_ticket_cli_allowlisted ---
-# Bash command that is a ticket CLI invocation (tk show) must be allowed (exit 0).
-INPUT='{"tool_name":"Bash","tool_input":{"command":"tk show dso-1234"}}'
+# Bash command that is a bare ticket CLI invocation must be allowed (exit 0).
+INPUT='{"tool_name":"Bash","tool_input":{"command":"ticket show dso-1234"}}'
 EXIT_CODE=$(run_bash_guard "$INPUT")
 assert_eq_verbose "test_bash_ticket_cli_allowlisted" "0" "$EXIT_CODE"
 
+# --- test_bash_dso_shim_ticket_comment_allowlisted ---
+# Bash command via DSO shim (.claude/scripts/dso ticket comment) must be allowed (exit 0).
+INPUT='{"tool_name":"Bash","tool_input":{"command":".claude/scripts/dso ticket comment 4506-e5da \"## Description\""}}'
+EXIT_CODE=$(run_bash_guard "$INPUT")
+assert_eq_verbose "test_bash_dso_shim_ticket_comment_allowlisted" "0" "$EXIT_CODE"
+
+# --- test_bash_dso_shim_ticket_create_allowlisted ---
+# Bash command via DSO shim (.claude/scripts/dso ticket create) must be allowed (exit 0).
+INPUT='{"tool_name":"Bash","tool_input":{"command":".claude/scripts/dso ticket create bug \"some title\""}}'
+EXIT_CODE=$(run_bash_guard "$INPUT")
+assert_eq_verbose "test_bash_dso_shim_ticket_create_allowlisted" "0" "$EXIT_CODE"
+
+# --- test_bash_dso_shim_ticket_transition_allowlisted ---
+# Bash command via DSO shim (.claude/scripts/dso ticket transition) must be allowed (exit 0).
+INPUT='{"tool_name":"Bash","tool_input":{"command":".claude/scripts/dso ticket transition w21-u3op open in_progress"}}'
+EXIT_CODE=$(run_bash_guard "$INPUT")
+assert_eq_verbose "test_bash_dso_shim_ticket_transition_allowlisted" "0" "$EXIT_CODE"
+
+# --- test_bash_dso_shim_ticket_list_allowlisted ---
+# Bash command via DSO shim (.claude/scripts/dso ticket list) must be allowed (exit 0).
+INPUT='{"tool_name":"Bash","tool_input":{"command":".claude/scripts/dso ticket list 2>/dev/null | python3 -c \"...\""}}'
+EXIT_CODE=$(run_bash_guard "$INPUT")
+assert_eq_verbose "test_bash_dso_shim_ticket_list_allowlisted" "0" "$EXIT_CODE"
+
+# --- test_bash_dso_shim_via_bash_allowlisted ---
+# Bash command via "bash .claude/scripts/dso ticket ..." must be allowed (exit 0).
+INPUT='{"tool_name":"Bash","tool_input":{"command":"bash .claude/scripts/dso ticket show w21-1234"}}'
+EXIT_CODE=$(run_bash_guard "$INPUT")
+assert_eq_verbose "test_bash_dso_shim_via_bash_allowlisted" "0" "$EXIT_CODE"
+
+# --- test_bash_embedded_dso_ticket_in_echo_blocks ---
+# A command that embeds "/dso ticket" as a string argument (not a real invocation)
+# while also referencing .tickets-tracker/ must still be blocked (exit 2).
+INPUT='{"tool_name":"Bash","tool_input":{"command":"echo \"/dso ticket\" > /repo/.tickets-tracker/event.json"}}'
+EXIT_CODE=$(run_bash_guard "$INPUT")
+assert_eq_verbose "test_bash_embedded_dso_ticket_in_echo_blocks" "2" "$EXIT_CODE"
+
 # --- test_bash_no_tickets_tracker_ref_allows ---
 # Bash command with no .tickets-tracker/ reference must be allowed (exit 0).
 INPUT='{"tool_name":"Bash","tool_input":{"command":"echo hello world"}}'
