feat(hook): Windows hook-decide over named pipe — enforce works on Windows (#162)#163
Merged
Conversation
…n Windows (#162) Windows sigil-hook --enforce was a silent no-op: the daemon started no decide listener on Windows and the hook client was a #[cfg(not(unix))] stub returning None, so every tool call fail-opened regardless of hook_deny_rules — false assurance for Windows users. Daemon: extract the per-connection decide logic into a transport-generic handle_decide_conn (AsyncRead+AsyncWrite), keep the Unix socket serve, and add a Windows serve_pipe over a named pipe, mirroring the control plane's named-pipe server. Windows pipes carry no peer uid -> u32::MAX. Spawned from runtime under #[cfg(windows)] on the same shared (hot-reloadable) evaluator. Pipe name: \\.\pipe\sigil-hook-decide. Hook: implement the #[cfg(not(unix))] request_verdict as a blocking named-pipe client (the hook is a short-lived no-tokio process) on a worker thread bounded by the deadline via recv_timeout; any failure/timeout -> None (unchanged fail-to-on_failure contract). Default pipe path added. Unix path unchanged (verified: decide listener + enforce_e2e green). Windows compile + runtime verified separately on the ARM64 VM. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The modules were lib-level #[cfg(unix)], so the Windows serve_pipe + its runtime spawn failed to resolve (E0433). Make both modules cross-platform and gate the Unix-socket-only imports/serve internally; the pure helpers (to_event) the decide path needs are cross-platform. Caught by building the branch on the Windows ARM64 VM (cannot cross-compile locally: sqlite C dep). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Move to_event + enum_str into a transport-agnostic hook_event module so the Windows decide path can use them without compiling the Unix-socket hook_listener. hook_listener returns to #[cfg(unix)]; this eliminates the dead_code/unused-import warnings that surfaced when it was forced to compile on Windows. No behavior change (unix: hook_event tests + drift test green). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Implements the Windows hook-decide IPC so
sigil-hook --enforceactually blocks on Windows. Previously it was a silent no-op (#162): the daemon started no decide listener on Windows and the hook client was a#[cfg(not(unix))]stub returningNone, so every tool call fail-opened regardless ofhook_deny_rules— false assurance for Windows users.Changes
hook_event(new, cross-platform module):to_event+enum_strextracted fromhook_listenerso the decide path can convert events without compiling the Unix-socket listener.hook_decide_listener): per-connection logic factored into a transport-generichandle_decide_conn<S: AsyncRead + AsyncWrite>. The Unix-socketservekeeps its behavior; a new#[cfg(windows)] serve_pipelistens on a named pipe, mirroring the control plane's named-pipe server. Spawned fromruntimeunder#[cfg(windows)]on the same shared, hot-reloadable evaluator. Windows pipes carry no peer uid →u32::MAX.hook_listenerreturns to#[cfg(unix)].decide.rs): the#[cfg(not(unix))]request_verdictis now a real client — opens the named pipe as a blocking file (the hook is a short-lived, no-tokio process) on a worker thread bounded by the deadline viarecv_timeout; any failure/timeout →None(unchanged fail-to-on_failurecontract). Default pipe:\\.\pipe\sigil-hook-decide.Verification
Cannot cross-compile Windows locally (sqlite C dep), so the Windows side was built and run on a real Windows 11 ARM64 VM:
cargo build+cargo clippy -D warningsforsigil-agent/sigil-hook— both exit 0.block-rm-rfdeny pack inC:\ProgramData\Sigil\rule-packs.yaml:hook-decide IPC listening pipe=\\.\pipe\sigil-hook-decide(absent before).sigil-hook claude-code --enforceonrm -rf …→permissionDecision: deny("Blocked by Sigil rule block-rm-rf").ls→ allow (silent).hook_eventtests +hook_listenerdrift test + decide listenerenforce_e2egreen;fmt/clippy -D warnings/tests clean.Notes / follow-ups
0660). Verdicts are non-sensitive (allow/deny for a submitted action, no mutation, semaphore-bounded), but tightening the pipe ACL to the owning user could be a hardening follow-up.Closes #162
🤖 Generated with Claude Code