feat(rules): block inline redis-cli mutations

lapc506 · lapc506 · commit 01f9cf9f00ec · 2026-05-21T16:53:16.000-06:00
Adds Redis to the inline-db-mutation family. Even in a cache, manual
one-liners create cross-env drift: the value you set is visible to
your machine only until eviction, and other engineers cannot reproduce.

Write verbs blocked: SET / DEL / FLUSHDB / FLUSHALL / HSET / HDEL /
SADD / SREM / LPUSH / RPUSH / ZADD / ZREM / EXPIRE / RENAME / MSET /
SETEX / SETNX / INCR / DECR / COPY / MOVE / UNLINK / RESTORE / EVAL
(EVAL is included because Lua scripts can mutate).

Read verbs (GET, MGET, HGET, KEYS, SCAN, INFO, PING, EXISTS, TYPE,
TTL, LLEN, SCARD, ZRANGE, SMEMBERS, ...) remain allowed inline.

Bypass via `# hook-bypass: db-mutation-rule` or the per-repo sentinel
`.no-make-no-mistakes-db-mutation`.

Tests: 10 (5 block + 4 allow + 1 bypass).
diff --git a/hooks/rules/rules.json b/hooks/rules/rules.json
@@ -3199,5 +3199,120 @@
         "expected_exit": 0
       }
     ]
+  },
+  {
+    "id": "inline-db-mutation-redis",
+    "description": "Block inline redis-cli mutations (use a versioned script in scripts/ or bin/ instead)",
+    "applies_to": [
+      "Bash"
+    ],
+    "match": [
+      {
+        "field": "command",
+        "pattern": "\\bredis-cli\\b[^|]*[[:space:]]+(SET|DEL|FLUSHDB|FLUSHALL|HSET|HDEL|SADD|SREM|LPUSH|RPUSH|ZADD|ZREM|EXPIRE|RENAME|MSET|SETEX|SETNX|INCR|DECR|COPY|MOVE|UNLINK|RESTORE|EVAL)\\b",
+        "flags": "i"
+      },
+      {
+        "field": "command",
+        "not_pattern": "^[[:space:]]*(\\./scripts/|bash[[:space:]]+scripts/|\\./bin/|bash[[:space:]]+bin/|sh[[:space:]]+scripts/|sh[[:space:]]+bin/)"
+      }
+    ],
+    "action": "block",
+    "bypass_marker": "db-mutation-rule",
+    "disable_if_repo_file": ".no-make-no-mistakes-db-mutation",
+    "memory_ref": "feedback_scripts_not_db.md",
+    "message": "BLOCKED: inline redis-cli mutation detected.\n\nEven in a cache, manual one-liners create cross-env drift: the value\nyou set is visible to your machine only until eviction, and other\nengineers cannot reproduce. Use a script under scripts/ or bin/.\n\nRead verbs (GET, MGET, HGET, KEYS, SCAN, INFO, PING, EXISTS, TYPE,\nTTL, LLEN, SCARD, ZRANGE, SMEMBERS, ...) remain allowed inline.\n\nBypass marker: `db-mutation-rule`. Per-repo opt-out:\n`touch .no-make-no-mistakes-db-mutation` at the root.\n",
+    "tests": [
+      {
+        "name": "blocks-redis-cli-set",
+        "input": {
+          "tool_input": {
+            "command": "redis-cli SET feature:enabled 1"
+          }
+        },
+        "expected_exit": 2
+      },
+      {
+        "name": "blocks-redis-cli-del",
+        "input": {
+          "tool_input": {
+            "command": "redis-cli DEL session:42"
+          }
+        },
+        "expected_exit": 2
+      },
+      {
+        "name": "blocks-redis-cli-flushall",
+        "input": {
+          "tool_input": {
+            "command": "redis-cli -h cache.example.com FLUSHALL"
+          }
+        },
+        "expected_exit": 2
+      },
+      {
+        "name": "blocks-redis-cli-flushdb",
+        "input": {
+          "tool_input": {
+            "command": "redis-cli -n 3 FLUSHDB"
+          }
+        },
+        "expected_exit": 2
+      },
+      {
+        "name": "blocks-redis-cli-hset",
+        "input": {
+          "tool_input": {
+            "command": "redis-cli HSET user:1 name alice"
+          }
+        },
+        "expected_exit": 2
+      },
+      {
+        "name": "allows-redis-cli-get",
+        "input": {
+          "tool_input": {
+            "command": "redis-cli GET feature:enabled"
+          }
+        },
+        "expected_exit": 0
+      },
+      {
+        "name": "allows-redis-cli-keys",
+        "input": {
+          "tool_input": {
+            "command": "redis-cli KEYS \"session:*\""
+          }
+        },
+        "expected_exit": 0
+      },
+      {
+        "name": "allows-redis-cli-info",
+        "input": {
+          "tool_input": {
+            "command": "redis-cli INFO memory"
+          }
+        },
+        "expected_exit": 0
+      },
+      {
+        "name": "allows-redis-via-versioned-script",
+        "input": {
+          "tool_input": {
+            "command": "./scripts/flush-cache.sh"
+          }
+        },
+        "expected_exit": 0
+      },
+      {
+        "name": "allows-bypass-marker",
+        "input": {
+          "tool_input": {
+            "command": "redis-cli FLUSHALL # hook-bypass: db-mutation-rule"
+          }
+        },
+        "expected_exit": 0
+      }
+    ]
   }
 ]
diff --git a/hooks/rules/rules.yaml b/hooks/rules/rules.yaml
@@ -2595,3 +2595,88 @@
           command: 'mongo --eval "db.users.drop()" # hook-bypass: db-mutation-rule'
       expected_exit: 0
 
+- id: inline-db-mutation-redis
+  description: Block inline redis-cli mutations (use a versioned script in scripts/ or bin/ instead)
+  applies_to: [Bash]
+  match:
+    # Positive: `redis-cli ... <MUTATING_VERB> ...`. The Redis command
+    # surface is large — match the common write verbs that show up in
+    # incident-driven one-liners: SET, DEL, FLUSHDB, FLUSHALL, HSET,
+    # HDEL, SADD, SREM, LPUSH, RPUSH, ZADD, ZREM, EXPIRE, RENAME, MSET,
+    # SETEX, SETNX, INCR, DECR, COPY, MOVE, UNLINK, RESTORE, EVAL (EVAL
+    # can mutate via Lua even though it can also read).
+    # Verb must be at command-word boundaries to avoid mis-matching
+    # values that happen to contain those substrings.
+    - field: command
+      pattern: '\bredis-cli\b[^|]*[[:space:]]+(SET|DEL|FLUSHDB|FLUSHALL|HSET|HDEL|SADD|SREM|LPUSH|RPUSH|ZADD|ZREM|EXPIRE|RENAME|MSET|SETEX|SETNX|INCR|DECR|COPY|MOVE|UNLINK|RESTORE|EVAL)\b'
+      flags: i
+    - field: command
+      not_pattern: '^[[:space:]]*(\./scripts/|bash[[:space:]]+scripts/|\./bin/|bash[[:space:]]+bin/|sh[[:space:]]+scripts/|sh[[:space:]]+bin/)'
+  action: block
+  bypass_marker: db-mutation-rule
+  disable_if_repo_file: .no-make-no-mistakes-db-mutation
+  memory_ref: feedback_scripts_not_db.md
+  message: |
+    BLOCKED: inline redis-cli mutation detected.
+
+    Even in a cache, manual one-liners create cross-env drift: the value
+    you set is visible to your machine only until eviction, and other
+    engineers cannot reproduce. Use a script under scripts/ or bin/.
+
+    Read verbs (GET, MGET, HGET, KEYS, SCAN, INFO, PING, EXISTS, TYPE,
+    TTL, LLEN, SCARD, ZRANGE, SMEMBERS, ...) remain allowed inline.
+
+    Bypass marker: `db-mutation-rule`. Per-repo opt-out:
+    `touch .no-make-no-mistakes-db-mutation` at the root.
+  tests:
+    - name: blocks-redis-cli-set
+      input:
+        tool_input:
+          command: 'redis-cli SET feature:enabled 1'
+      expected_exit: 2
+    - name: blocks-redis-cli-del
+      input:
+        tool_input:
+          command: 'redis-cli DEL session:42'
+      expected_exit: 2
+    - name: blocks-redis-cli-flushall
+      input:
+        tool_input:
+          command: 'redis-cli -h cache.example.com FLUSHALL'
+      expected_exit: 2
+    - name: blocks-redis-cli-flushdb
+      input:
+        tool_input:
+          command: 'redis-cli -n 3 FLUSHDB'
+      expected_exit: 2
+    - name: blocks-redis-cli-hset
+      input:
+        tool_input:
+          command: 'redis-cli HSET user:1 name alice'
+      expected_exit: 2
+    - name: allows-redis-cli-get
+      input:
+        tool_input:
+          command: 'redis-cli GET feature:enabled'
+      expected_exit: 0
+    - name: allows-redis-cli-keys
+      input:
+        tool_input:
+          command: 'redis-cli KEYS "session:*"'
+      expected_exit: 0
+    - name: allows-redis-cli-info
+      input:
+        tool_input:
+          command: 'redis-cli INFO memory'
+      expected_exit: 0
+    - name: allows-redis-via-versioned-script
+      input:
+        tool_input:
+          command: './scripts/flush-cache.sh'
+      expected_exit: 0
+    - name: allows-bypass-marker
+      input:
+        tool_input:
+          command: 'redis-cli FLUSHALL # hook-bypass: db-mutation-rule'
+      expected_exit: 0
+
