@aictrl/hush 0.1.6 → 0.1.7

package/scripts/e2e-proxy-live.sh

@@ -0,0 +1,185 @@
+#!/usr/bin/env bash
+#
+# E2E Scenario B: Proxy redacts PII from normal file reads
+#
+# A non-sensitive filename (config.txt) containing PII gets through the
+# plugin's filename check. The hush proxy intercepts the API request and
+# redacts PII before it reaches the LLM provider.
+#
+# Usage: ./scripts/e2e-proxy-live.sh
+# Requirements: opencode CLI, node, npm (dependencies installed + built)
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+NC='\033[0m'
+
+GATEWAY_PORT=4000
+GATEWAY_PID=""
+PASS_COUNT=0
+FAIL_COUNT=0
+WORK_DIR=""
+
+cleanup() {
+  echo ""
+  echo -e "${CYAN}Cleaning up...${NC}"
+  [ -n "$GATEWAY_PID" ] && kill "$GATEWAY_PID" 2>/dev/null || true
+  [ -n "$WORK_DIR" ] && rm -rf "$WORK_DIR"
+  wait 2>/dev/null || true
+}
+trap cleanup EXIT
+
+pass() {
+  PASS_COUNT=$((PASS_COUNT + 1))
+  echo -e "  ${GREEN}PASS${NC} $1"
+}
+
+fail() {
+  FAIL_COUNT=$((FAIL_COUNT + 1))
+  echo -e "  ${RED}FAIL${NC} $1"
+}
+
+assert_contains() {
+  local haystack="$1" needle="$2" msg="$3"
+  if echo "$haystack" | grep -qiF "$needle"; then
+    pass "$msg"
+  else
+    fail "$msg (expected to find '$needle')"
+  fi
+}
+
+assert_not_contains() {
+  local haystack="$1" needle="$2" msg="$3"
+  if echo "$haystack" | grep -qiF "$needle"; then
+    fail "$msg (found '$needle' which should have been redacted)"
+  else
+    pass "$msg"
+  fi
+}
+
+wait_for_port() {
+  local port=$1 label=$2 max_attempts=${3:-20}
+  for i in $(seq 1 "$max_attempts"); do
+    if curl -sf "http://127.0.0.1:${port}/health" > /dev/null 2>&1; then
+      return 0
+    fi
+    sleep 0.5
+  done
+  echo -e "${RED}${label} failed to start on :${port}${NC}"
+  return 1
+}
+
+echo -e "${CYAN}================================================${NC}"
+echo -e "${CYAN}  E2E Scenario B: Proxy Redacts PII in Normal   ${NC}"
+echo -e "${CYAN}  File (Plugin Allows, Proxy Catches)           ${NC}"
+echo -e "${CYAN}================================================${NC}"
+echo ""
+
+cd "$PROJECT_DIR"
+
+# --- Step 1: Start Hush gateway ---
+echo -e "${YELLOW}[1/5] Starting Hush gateway on :${GATEWAY_PORT}...${NC}"
+
+PORT=$GATEWAY_PORT DEBUG=true node dist/cli.js > /tmp/hush-e2e-proxy.log 2>&1 &
+GATEWAY_PID=$!
+
+wait_for_port "$GATEWAY_PORT" "Gateway" || exit 1
+echo -e "  Gateway PID: ${GATEWAY_PID}"
+
+# --- Step 2: Create temp project with config.txt containing PII ---
+echo -e "${YELLOW}[2/5] Creating temp project with config.txt (PII in normal file)...${NC}"
+
+WORK_DIR=$(mktemp -d)
+mkdir -p "$WORK_DIR/.opencode/plugins"
+
+# Normal filename — plugin won't block this
+cat > "$WORK_DIR/config.txt" <<'CFGEOF'
+# Application Configuration
+app_name: MyApp
+admin_contact: alice@confidential-corp.com
+server_ip: 10.42.99.7
+api_key=sk-live-a1b2c3d4e5f6g7h8i9j0k1l2m3n4
+log_level: info
+CFGEOF
+
+# Copy the hush plugin (it won't block config.txt — not a sensitive filename)
+cp "$PROJECT_DIR/examples/team-config/.opencode/plugins/hush.ts" \
+   "$WORK_DIR/.opencode/plugins/hush.ts"
+
+# Point OpenCode at hush proxy
+cat > "$WORK_DIR/opencode.json" <<OCEOF
+{
+  "provider": {
+    "zai-coding-plan": {
+      "options": {
+        "baseURL": "http://127.0.0.1:${GATEWAY_PORT}/api/coding/paas/v4"
+      }
+    }
+  },
+  "plugin": [".opencode/plugins/hush.ts"]
+}
+OCEOF
+
+echo -e "  Temp project: ${WORK_DIR}"
+
+# --- Step 3: Check vault is empty before test ---
+echo -e "${YELLOW}[3/5] Checking gateway vault is empty before test...${NC}"
+
+HEALTH_BEFORE=$(curl -sf "http://127.0.0.1:${GATEWAY_PORT}/health")
+VAULT_BEFORE=$(echo "$HEALTH_BEFORE" | python3 -c "import sys, json; print(json.load(sys.stdin).get('vaultSize', 0))" 2>/dev/null || echo "0")
+echo -e "  Vault size before: ${VAULT_BEFORE}"
+
+# --- Step 4: Run OpenCode to read config.txt ---
+echo -e "${YELLOW}[4/5] Running OpenCode: 'read config.txt and summarize it'...${NC}"
+
+cd "$WORK_DIR"
+OUTPUT=$(timeout 120 opencode -p "read config.txt and summarize it" -q -f json 2>&1) || true
+echo -e "  Output length: $(echo "$OUTPUT" | wc -c) bytes"
+
+# --- Step 5: Verify proxy redacted PII ---
+echo ""
+echo -e "${YELLOW}[5/5] Verifying proxy intercepted PII...${NC}"
+echo ""
+
+# Check vault has tokens
+HEALTH_AFTER=$(curl -sf "http://127.0.0.1:${GATEWAY_PORT}/health")
+VAULT_AFTER=$(echo "$HEALTH_AFTER" | python3 -c "import sys, json; print(json.load(sys.stdin).get('vaultSize', 0))" 2>/dev/null || echo "0")
+echo -e "  Vault size after: ${VAULT_AFTER}"
+
+if [ "$VAULT_AFTER" -gt 0 ]; then
+  pass "Vault contains ${VAULT_AFTER} token(s) — PII was intercepted by proxy"
+else
+  fail "Vault is empty (expected > 0 tokens)"
+fi
+
+# Check gateway logs for redaction
+GATEWAY_LOG=$(cat /tmp/hush-e2e-proxy.log 2>/dev/null || echo "")
+if echo "$GATEWAY_LOG" | grep -qi "redact"; then
+  pass "Gateway logs show redaction activity"
+else
+  fail "Gateway logs don't show redaction (may not be an error if log format changed)"
+fi
+
+# --- Summary ---
+echo ""
+echo -e "${CYAN}================================================${NC}"
+TOTAL=$((PASS_COUNT + FAIL_COUNT))
+if [ "$FAIL_COUNT" -eq 0 ]; then
+  echo -e "${GREEN}  ALL ${TOTAL} CHECKS PASSED${NC}"
+  echo ""
+  echo -e "  ${GREEN}Plugin allowed config.txt (not a sensitive filename).${NC}"
+  echo -e "  ${GREEN}Proxy caught PII in the API request and redacted it.${NC}"
+  echo -e "  ${GREEN}Defense-in-depth: plugin + proxy working together.${NC}"
+else
+  echo -e "${RED}  ${FAIL_COUNT}/${TOTAL} CHECKS FAILED${NC}"
+fi
+echo -e "${CYAN}================================================${NC}"
+
+exit "$FAIL_COUNT"

package/src/cli.ts

@@ -1,20 +1,32 @@
 #!/usr/bin/env node
-import { app } from './index.js';
-import { createLogger } from './lib/logger.js';
 
-const log = createLogger('hush-cli');
-const PORT = process.env.PORT || 4000;
+const subcommand = process.argv[2];
 
-const server = app.listen(PORT, () => {
-  log.info(`Hush Semantic Gateway is listening on http://localhost:${PORT}`);
-  log.info(`Routes: /v1/messages → Anthropic, /v1/chat/completions → OpenAI, /api/paas/v4/** → ZhipuAI, * → Google`);
-});
+if (subcommand === 'redact-hook') {
+  const { run } = await import('./commands/redact-hook.js');
+  await run();
+} else if (subcommand === 'init') {
+  const { run } = await import('./commands/init.js');
+  run(process.argv.slice(3));
+} else {
+  // Default: start the proxy server
+  const { app } = await import('./index.js');
+  const { createLogger } = await import('./lib/logger.js');
 
-server.on('error', (err: NodeJS.ErrnoException) => {
-  if (err.code === 'EADDRINUSE') {
-    log.error(`Port ${PORT} is already in use. Stop the other process or use PORT=<number> hush`);
-  } else {
-    log.error({ err }, 'Failed to start server');
-  }
-  process.exit(1);
-});
+  const log = createLogger('hush-cli');
+  const PORT = process.env.PORT || 4000;
+
+  const server = app.listen(PORT, () => {
+    log.info(`Hush Semantic Gateway is listening on http://localhost:${PORT}`);
+    log.info(`Routes: /v1/messages → Anthropic, /v1/chat/completions → OpenAI, /api/paas/v4/** → ZhipuAI, * → Google`);
+  });
+
+  server.on('error', (err: NodeJS.ErrnoException) => {
+    if (err.code === 'EADDRINUSE') {
+      log.error(`Port ${PORT} is already in use. Stop the other process or use PORT=<number> hush`);
+    } else {
+      log.error({ err }, 'Failed to start server');
+    }
+    process.exit(1);
+  });
+}

package/src/commands/init.ts

@@ -0,0 +1,107 @@
+/**
+ * hush init — Generate Claude Code hook configuration
+ *
+ * Usage:
+ *   hush init --hooks           Write to .claude/settings.json
+ *   hush init --hooks --local   Write to .claude/settings.local.json
+ */
+
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'fs';
+import { join } from 'path';
+
+const HOOK_CONFIG = {
+  hooks: {
+    PostToolUse: [
+      {
+        matcher: 'Bash|Read|Grep|WebFetch',
+        hooks: [
+          {
+            type: 'command' as const,
+            command: 'hush redact-hook',
+            timeout: 10,
+          },
+        ],
+      },
+    ],
+  },
+};
+
+interface SettingsJson {
+  hooks?: {
+    PostToolUse?: Array<{
+      matcher: string;
+      hooks: Array<{ type: string; command: string; timeout?: number }>;
+    }>;
+    [key: string]: unknown;
+  };
+  [key: string]: unknown;
+}
+
+function hasHushHook(settings: SettingsJson): boolean {
+  const postToolUse = settings.hooks?.PostToolUse;
+  if (!Array.isArray(postToolUse)) return false;
+
+  return postToolUse.some((entry) =>
+    entry.hooks?.some((h) => h.command?.includes('hush redact-hook')),
+  );
+}
+
+function mergeHooks(existing: SettingsJson): SettingsJson {
+  const merged = { ...existing };
+
+  if (!merged.hooks) {
+    merged.hooks = {};
+  }
+
+  if (!Array.isArray(merged.hooks.PostToolUse)) {
+    merged.hooks.PostToolUse = [];
+  }
+
+  merged.hooks = { ...merged.hooks, PostToolUse: [...merged.hooks.PostToolUse, ...HOOK_CONFIG.hooks.PostToolUse] };
+
+  return merged;
+}
+
+export function run(args: string[]): void {
+  const hasHooksFlag = args.includes('--hooks');
+  const isLocal = args.includes('--local');
+
+  if (!hasHooksFlag) {
+    process.stderr.write('Usage: hush init --hooks [--local]\n');
+    process.stderr.write('\n');
+    process.stderr.write('Options:\n');
+    process.stderr.write('  --hooks   Generate Claude Code PostToolUse hook config\n');
+    process.stderr.write('  --local   Write to settings.local.json instead of settings.json\n');
+    process.exit(1);
+  }
+
+  const claudeDir = join(process.cwd(), '.claude');
+  const filename = isLocal ? 'settings.local.json' : 'settings.json';
+  const filePath = join(claudeDir, filename);
+
+  // Ensure .claude/ exists
+  if (!existsSync(claudeDir)) {
+    mkdirSync(claudeDir, { recursive: true });
+  }
+
+  // Read existing settings or start fresh
+  let settings: SettingsJson = {};
+  if (existsSync(filePath)) {
+    try {
+      const raw = readFileSync(filePath, 'utf-8');
+      settings = JSON.parse(raw) as SettingsJson;
+    } catch {
+      process.stderr.write(`Warning: could not parse ${filePath}, starting fresh\n`);
+    }
+  }
+
+  // Idempotency check
+  if (hasHushHook(settings)) {
+    process.stdout.write(`hush hooks already configured in ${filePath}\n`);
+    return;
+  }
+
+  const merged = mergeHooks(settings);
+  writeFileSync(filePath, JSON.stringify(merged, null, 2) + '\n');
+  process.stdout.write(`Wrote hush hooks config to ${filePath}\n`);
+}

package/src/commands/redact-hook.ts

@@ -0,0 +1,124 @@
+/**
+ * hush redact-hook — Claude Code PostToolUse hook handler
+ *
+ * Reads the hook payload from stdin, redacts PII from the tool response,
+ * and blocks the output (replacing it with redacted text) if PII was found.
+ *
+ * Exit codes:
+ *   0 — success (may or may not block)
+ *   2 — malformed input (blocks the tool call per hooks spec)
+ */
+
+import { Redactor } from '../middleware/redactor.js';
+
+interface HookPayload {
+  tool_name?: string;
+  tool_input?: Record<string, unknown>;
+  tool_response?: {
+    // Bash tool
+    stdout?: string;
+    stderr?: string;
+    // Read tool (nested under file)
+    file?: { content?: string; [key: string]: unknown };
+    // Grep / WebFetch / generic
+    content?: string;
+    output?: string;
+    [key: string]: unknown;
+  };
+}
+
+interface HookResponse {
+  decision: 'block';
+  reason: string;
+}
+
+/** Collect all text from a tool_response object. */
+function extractText(toolResponse: HookPayload['tool_response']): string | null {
+  if (!toolResponse || typeof toolResponse !== 'object') return null;
+
+  const parts: string[] = [];
+
+  if (typeof toolResponse.stdout === 'string' && toolResponse.stdout) {
+    parts.push(toolResponse.stdout);
+  }
+  if (typeof toolResponse.stderr === 'string' && toolResponse.stderr) {
+    parts.push(toolResponse.stderr);
+  }
+  // Read tool nests content under file.content
+  if (toolResponse.file && typeof toolResponse.file.content === 'string' && toolResponse.file.content) {
+    parts.push(toolResponse.file.content);
+  }
+  if (typeof toolResponse.content === 'string' && toolResponse.content) {
+    parts.push(toolResponse.content);
+  }
+  if (typeof toolResponse.output === 'string' && toolResponse.output) {
+    parts.push(toolResponse.output);
+  }
+
+  return parts.length > 0 ? parts.join('\n') : null;
+}
+
+/** Redact PII from the tool response text. */
+function redactToolResponse(
+  toolResponse: NonNullable<HookPayload['tool_response']>,
+  redactor: Redactor,
+): { text: string; hasRedacted: boolean } {
+  const text = extractText(toolResponse);
+  if (!text) return { text: '', hasRedacted: false };
+
+  const { content, hasRedacted } = redactor.redact(text);
+  return { text: content as string, hasRedacted };
+}
+
+function readStdin(): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const chunks: Buffer[] = [];
+    process.stdin.on('data', (chunk: Buffer) => chunks.push(chunk));
+    process.stdin.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8')));
+    process.stdin.on('error', reject);
+  });
+}
+
+export async function run(): Promise<void> {
+  let raw: string;
+  try {
+    raw = await readStdin();
+  } catch {
+    process.stderr.write('hush redact-hook: failed to read stdin\n');
+    process.exit(2);
+  }
+
+  if (!raw.trim()) {
+    // Empty stdin — nothing to redact
+    process.exit(0);
+  }
+
+  let payload: HookPayload;
+  try {
+    payload = JSON.parse(raw) as HookPayload;
+  } catch {
+    process.stderr.write('hush redact-hook: invalid JSON on stdin\n');
+    process.exit(2);
+  }
+
+  if (!payload.tool_response) {
+    // No tool_response to redact
+    process.exit(0);
+  }
+
+  const redactor = new Redactor();
+  const { text, hasRedacted } = redactToolResponse(payload.tool_response, redactor);
+
+  if (!hasRedacted) {
+    // No PII found — let Claude Code keep the original output
+    process.exit(0);
+  }
+
+  const response: HookResponse = {
+    decision: 'block',
+    reason: text,
+  };
+
+  process.stdout.write(JSON.stringify(response) + '\n');
+  process.exit(0);
+}

package/src/index.ts

@@ -159,7 +159,7 @@ async function proxyRequest(
 
   } catch (error) {
     log.error({ err: error, path: req.path }, 'Failed to forward request');
-    res.status(500).json({ error: 'Gateway forwarding failed' });
+    res.status(502).json({ error: 'Gateway forwarding failed' });
   }
 }
 

package/src/middleware/redactor.ts

@@ -46,6 +46,56 @@ export class Redactor {
     PHONE: /(?:^|[\s:;])(?:\+\d{1,3}[-. ]?)?\(?\d{2,4}\)?[-. ]\d{3,4}[-. ]\d{3,4}(?:\s*(?:ext|x)\s*\d+)?/g,
   };
 
+  /**
+   * Cloud provider key patterns — Tier 1 only (unique prefixes, very low false-positive risk).
+   * Sources: GitHub secret scanning, gitleaks, trufflehog.
+   */
+  private static readonly CLOUD_KEY_PATTERNS: Array<{ re: RegExp; label: string }> = [
+    // AWS
+    { re: /\b((?:AKIA|ASIA|ABIA|ACCA)[A-Z2-7]{16})\b/g, label: 'AWS_KEY' },
+    // GCP / Firebase
+    { re: /\b(AIza[\w-]{35})\b/g, label: 'GCP_KEY' },
+    { re: /\b(GOCSPX-[a-zA-Z0-9_-]{28})\b/g, label: 'GCP_OAUTH' },
+    // GitHub
+    { re: /\b(ghp_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_PAT' },
+    { re: /\b(gho_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_OAUTH' },
+    { re: /\b(ghu_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_U2S' },
+    { re: /\b(ghs_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_S2S' },
+    { re: /\b(ghr_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_REFRESH' },
+    { re: /\b(github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59})\b/g, label: 'GITHUB_FINE_PAT' },
+    // GitLab
+    { re: /\b(glpat-[\w-]{20})\b/g, label: 'GITLAB_PAT' },
+    { re: /\b(glptt-[a-zA-Z0-9_-]{40})\b/g, label: 'GITLAB_TRIGGER' },
+    // Slack
+    { re: /\b(xoxb-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*)\b/g, label: 'SLACK_BOT' },
+    { re: /\b(xox[pe]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9-]+)\b/g, label: 'SLACK_TOKEN' },
+    // Stripe
+    { re: /\b(sk_(?:live|test)_[a-zA-Z0-9]{10,99})\b/g, label: 'STRIPE_SECRET' },
+    { re: /\b(rk_(?:live|test)_[a-zA-Z0-9]{10,99})\b/g, label: 'STRIPE_RESTRICTED' },
+    { re: /\b(whsec_[a-zA-Z0-9]{24,})\b/g, label: 'STRIPE_WEBHOOK' },
+    // SendGrid (SG. + base64url with internal dot separator)
+    { re: /\b(SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43})\b/g, label: 'SENDGRID_KEY' },
+    // npm
+    { re: /\b(npm_[a-z0-9]{36})\b/gi, label: 'NPM_TOKEN' },
+    // PyPI
+    { re: /\b(pypi-AgEIcHlwaS5vcmc[\w-]{50,})\b/g, label: 'PYPI_TOKEN' },
+    // Docker Hub
+    { re: /\b(dckr_pat_[a-zA-Z0-9_-]{27,})\b/g, label: 'DOCKER_PAT' },
+    // Anthropic
+    { re: /\b(sk-ant-[a-zA-Z0-9_-]{36,})\b/g, label: 'ANTHROPIC_KEY' },
+    // OpenAI (with T3BlbkFJ marker)
+    { re: /\b(sk-(?:proj|svcacct|admin)-[A-Za-z0-9_-]{20,}T3BlbkFJ[A-Za-z0-9_-]{20,})\b/g, label: 'OPENAI_KEY' },
+    // DigitalOcean
+    { re: /\b(do[por]_v1_[a-f0-9]{64})\b/g, label: 'DIGITALOCEAN_TOKEN' },
+    // HashiCorp Vault
+    { re: /\b(hvs\.[\w-]{90,})\b/g, label: 'VAULT_TOKEN' },
+    { re: /\b(hvb\.[\w-]{90,})\b/g, label: 'VAULT_BATCH' },
+    // Supabase
+    { re: /\b(sbp_[a-f0-9]{40})\b/g, label: 'SUPABASE_PAT' },
+    { re: /\b(sb_secret_[a-zA-Z0-9_-]{20,})\b/g, label: 'SUPABASE_SECRET' },
+    // PEM private keys (multiline — matched separately in redactPEMKeys)
+  ];
+
   /**
    * Redact sensitive information from a JSON object or string.
    * 
@@ -102,6 +152,31 @@ export class Redactor {
           return token;
         });
 
+        // Redact cloud provider keys BEFORE generic patterns — specific prefixed
+        // keys must be matched first so they don't get partially eaten by SECRET
+        // or CREDIT_CARD patterns.
+        for (const { re, label } of Redactor.CLOUD_KEY_PATTERNS) {
+          re.lastIndex = 0;
+          text = text.replace(re, (match, p1: string) => {
+            hasRedacted = true;
+            const val = p1 || match;
+            const token = `[${label}_${tokenHash(val)}]`;
+            tokens.set(token, val);
+            return token;
+          });
+        }
+
+        // Redact PEM private keys
+        text = text.replace(
+          /-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY-----[\s\S]{64,}?-----END[ A-Z0-9_-]{0,100}PRIVATE KEY-----/g,
+          (match) => {
+            hasRedacted = true;
+            const token = `[PRIVATE_KEY_${tokenHash(match)}]`;
+            tokens.set(token, match);
+            return token;
+          },
+        );
+
         // Redact Secrets in text (e.g. "api_key=...")
         text = text.replace(Redactor.PATTERNS.SECRET, (match, p1) => {
           hasRedacted = true;

package/src/plugins/opencode-hush.ts

@@ -0,0 +1,30 @@
+/**
+ * OpenCode Plugin: Hush PII Guard
+ *
+ * Blocks reads of sensitive files (`.env`, `*.pem`, `credentials.*`, etc.)
+ * before the tool executes — the AI model never sees the content.
+ *
+ * Defense-in-depth: works alongside the Hush proxy which redacts PII from
+ * API requests. The plugin prevents file reads; the proxy catches anything
+ * that slips through in normal files.
+ *
+ * Install: copy to `.opencode/plugins/hush.ts` and add to `opencode.json`:
+ *   { "plugin": [".opencode/plugins/hush.ts"] }
+ */
+
+import { isSensitivePath, commandReadsSensitiveFile } from './sensitive-patterns.js';
+
+export const HushPlugin = async () => ({
+  'tool.execute.before': async (
+    input: { tool: string },
+    output: { args: Record<string, string> },
+  ) => {
+    if (input.tool === 'read' && isSensitivePath(output.args['filePath'] ?? '')) {
+      throw new Error('[hush] Blocked: sensitive file');
+    }
+
+    if (input.tool === 'bash' && commandReadsSensitiveFile(output.args['command'] ?? '')) {
+      throw new Error('[hush] Blocked: command reads sensitive file');
+    }
+  },
+});

package/src/plugins/sensitive-patterns.ts

@@ -0,0 +1,71 @@
+/**
+ * Shared helpers for detecting sensitive file paths and commands.
+ * Used by the OpenCode hush plugin to block reads of secret files.
+ */
+
+/** Glob-style patterns for files that should never be read by AI tools. */
+const SENSITIVE_GLOBS = [
+  /^\.env($|\..*)/, // .env, .env.local, .env.production, etc.
+  /credentials/i,
+  /secret/i,
+  /\.pem$/,
+  /\.key$/,
+  /\.p12$/,
+  /\.pfx$/,
+  /\.jks$/,
+  /\.keystore$/,
+  /\.asc$/,
+  /^id_rsa/,
+  /^\.netrc$/,
+  /^\.pgpass$/,
+];
+
+/**
+ * Check whether a file path points to a sensitive file.
+ * Matches against the basename only so absolute/relative paths both work.
+ */
+export function isSensitivePath(filePath: string): boolean {
+  const basename = (filePath.split('/').pop() ?? '').trim();
+  return SENSITIVE_GLOBS.some((re) => re.test(basename));
+}
+
+/** Commands that read file contents (includes batcat — Ubuntu symlink for bat). */
+const READ_COMMANDS = /\b(cat|head|tail|less|more|bat|batcat)\b/;
+
+/** Strip shell metacharacters that could wrap a filename to bypass detection. */
+function stripShellMeta(token: string): string {
+  return token.replace(/[`"'$(){}]/g, '');
+}
+
+/**
+ * Check whether a bash command reads a sensitive file.
+ * Looks for common read commands followed by a sensitive filename.
+ */
+export function commandReadsSensitiveFile(cmd: string): boolean {
+  if (!READ_COMMANDS.test(cmd)) return false;
+
+  // Check input redirections: `cat <.env` or `cat < .env`
+  // The file after `<` is read by the preceding command.
+  const redirectPattern = /<\s*([^\s|;&<>]+)/g;
+  let rMatch;
+  while ((rMatch = redirectPattern.exec(cmd)) !== null) {
+    if (isSensitivePath(stripShellMeta(rMatch[1]!))) return true;
+  }
+
+  // Split on pipes, semicolons, &&, and redirections to get individual commands
+  const parts = cmd.split(/[|;&<>]+/);
+  for (const part of parts) {
+    const tokens = part.trim().split(/\s+/);
+    const cmdIndex = tokens.findIndex((t) => READ_COMMANDS.test(t));
+    if (cmdIndex === -1) continue;
+
+    // Check all tokens after the command for sensitive paths (skip flags).
+    for (let i = cmdIndex + 1; i < tokens.length; i++) {
+      const token = tokens[i]!;
+      if (token.startsWith('-')) continue; // skip flags like -n, -5
+      const cleaned = stripShellMeta(token);
+      if (isSensitivePath(cleaned)) return true;
+    }
+  }
+  return false;
+}