@aictrl/hush 0.1.6 → 0.1.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/workflows/opencode-review.yml +52 -7
- package/.gitlab-ci.yml +59 -0
- package/README.md +150 -3
- package/dist/cli.js +30 -17
- package/dist/cli.js.map +1 -1
- package/dist/commands/init.d.ts +11 -0
- package/dist/commands/init.d.ts.map +1 -0
- package/dist/commands/init.js +135 -0
- package/dist/commands/init.js.map +1 -0
- package/dist/commands/redact-hook.d.ts +21 -0
- package/dist/commands/redact-hook.d.ts.map +1 -0
- package/dist/commands/redact-hook.js +225 -0
- package/dist/commands/redact-hook.js.map +1 -0
- package/dist/index.js +8 -2
- package/dist/index.js.map +1 -1
- package/dist/middleware/redactor.d.ts +5 -0
- package/dist/middleware/redactor.d.ts.map +1 -1
- package/dist/middleware/redactor.js +69 -0
- package/dist/middleware/redactor.js.map +1 -1
- package/dist/plugins/opencode-hush.d.ts +32 -0
- package/dist/plugins/opencode-hush.d.ts.map +1 -0
- package/dist/plugins/opencode-hush.js +58 -0
- package/dist/plugins/opencode-hush.js.map +1 -0
- package/dist/plugins/sensitive-patterns.d.ts +15 -0
- package/dist/plugins/sensitive-patterns.d.ts.map +1 -0
- package/dist/plugins/sensitive-patterns.js +69 -0
- package/dist/plugins/sensitive-patterns.js.map +1 -0
- package/dist/vault/token-vault.d.ts.map +1 -1
- package/dist/vault/token-vault.js +16 -3
- package/dist/vault/token-vault.js.map +1 -1
- package/examples/team-config/.claude/settings.json +41 -0
- package/examples/team-config/.codex/config.toml +4 -0
- package/examples/team-config/.gemini/settings.json +38 -0
- package/examples/team-config/.opencode/plugins/hush.ts +79 -0
- package/examples/team-config/opencode.json +10 -0
- package/package.json +11 -1
- package/scripts/e2e-plugin-block.sh +142 -0
- package/scripts/e2e-proxy-live.sh +185 -0
- package/src/cli.ts +28 -16
- package/src/commands/init.ts +186 -0
- package/src/commands/redact-hook.ts +297 -0
- package/src/index.ts +7 -2
- package/src/middleware/redactor.ts +75 -0
- package/src/plugins/opencode-hush.ts +70 -0
- package/src/plugins/sensitive-patterns.ts +71 -0
- package/src/vault/token-vault.ts +18 -4
- package/tests/init.test.ts +255 -0
- package/tests/opencode-plugin.test.ts +219 -0
- package/tests/redact-hook.test.ts +498 -0
- package/tests/redaction.test.ts +96 -0
|
@@ -0,0 +1,225 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* hush redact-hook — Hook handler for Claude Code and Gemini CLI
|
|
3
|
+
*
|
|
4
|
+
* Reads the hook payload from stdin, redacts PII, and returns the
|
|
5
|
+
* appropriate response format depending on the hook event type:
|
|
6
|
+
*
|
|
7
|
+
* Claude Code:
|
|
8
|
+
* PreToolUse — redacts outbound MCP tool arguments (updatedInput)
|
|
9
|
+
* PostToolUse — redacts inbound MCP tool results (updatedMCPToolOutput)
|
|
10
|
+
* or blocks built-in tool output (decision: "block")
|
|
11
|
+
*
|
|
12
|
+
* Gemini CLI:
|
|
13
|
+
* BeforeTool — redacts outbound MCP tool arguments (hookSpecificOutput.tool_input)
|
|
14
|
+
* AfterTool — redacts inbound tool results (decision: "deny")
|
|
15
|
+
*
|
|
16
|
+
* Exit codes:
|
|
17
|
+
* 0 — success (may or may not redact)
|
|
18
|
+
* 2 — malformed input (blocks the tool call per hooks spec)
|
|
19
|
+
*/
|
|
20
|
+
import { Redactor } from '../middleware/redactor.js';
|
|
21
|
+
/** Collect all text from a built-in tool_response object. */
|
|
22
|
+
function extractText(toolResponse) {
|
|
23
|
+
if (!toolResponse || typeof toolResponse !== 'object')
|
|
24
|
+
return null;
|
|
25
|
+
const parts = [];
|
|
26
|
+
if (typeof toolResponse.stdout === 'string' && toolResponse.stdout) {
|
|
27
|
+
parts.push(toolResponse.stdout);
|
|
28
|
+
}
|
|
29
|
+
if (typeof toolResponse.stderr === 'string' && toolResponse.stderr) {
|
|
30
|
+
parts.push(toolResponse.stderr);
|
|
31
|
+
}
|
|
32
|
+
// Read tool nests content under file.content
|
|
33
|
+
if (toolResponse.file && typeof toolResponse.file.content === 'string' && toolResponse.file.content) {
|
|
34
|
+
parts.push(toolResponse.file.content);
|
|
35
|
+
}
|
|
36
|
+
if (typeof toolResponse.content === 'string' && toolResponse.content) {
|
|
37
|
+
parts.push(toolResponse.content);
|
|
38
|
+
}
|
|
39
|
+
if (typeof toolResponse.output === 'string' && toolResponse.output) {
|
|
40
|
+
parts.push(toolResponse.output);
|
|
41
|
+
}
|
|
42
|
+
return parts.length > 0 ? parts.join('\n') : null;
|
|
43
|
+
}
|
|
44
|
+
// ── Shared helpers ──────────────────────────────────────────────────────
|
|
45
|
+
/**
|
|
46
|
+
* Redact PII from tool_input and format the response.
|
|
47
|
+
* Shared by PreToolUse (Claude) and BeforeTool (Gemini).
|
|
48
|
+
*/
|
|
49
|
+
function redactToolInput(payload, redactor, formatResponse) {
|
|
50
|
+
if (!payload.tool_input || typeof payload.tool_input !== 'object') {
|
|
51
|
+
process.exit(0);
|
|
52
|
+
}
|
|
53
|
+
const { content, hasRedacted } = redactor.redact(payload.tool_input);
|
|
54
|
+
if (!hasRedacted) {
|
|
55
|
+
process.exit(0);
|
|
56
|
+
}
|
|
57
|
+
const response = formatResponse(content);
|
|
58
|
+
process.stdout.write(JSON.stringify(response) + '\n');
|
|
59
|
+
process.exit(0);
|
|
60
|
+
}
|
|
61
|
+
/**
|
|
62
|
+
* Redact PII from a built-in tool response and format the response.
|
|
63
|
+
* Shared by PostToolUse (Claude, decision:"block") and AfterTool (Gemini, decision:"deny").
|
|
64
|
+
*/
|
|
65
|
+
function redactBuiltinResponse(payload, redactor, decision) {
|
|
66
|
+
if (!payload.tool_response) {
|
|
67
|
+
process.exit(0);
|
|
68
|
+
}
|
|
69
|
+
const text = extractText(payload.tool_response);
|
|
70
|
+
if (!text) {
|
|
71
|
+
process.exit(0);
|
|
72
|
+
}
|
|
73
|
+
const { content, hasRedacted } = redactor.redact(text);
|
|
74
|
+
if (!hasRedacted) {
|
|
75
|
+
process.exit(0);
|
|
76
|
+
}
|
|
77
|
+
const response = {
|
|
78
|
+
decision,
|
|
79
|
+
reason: content,
|
|
80
|
+
};
|
|
81
|
+
process.stdout.write(JSON.stringify(response) + '\n');
|
|
82
|
+
process.exit(0);
|
|
83
|
+
}
|
|
84
|
+
// ── Claude Code handlers ────────────────────────────────────────────────
|
|
85
|
+
/** Handle PreToolUse — redact outbound MCP tool arguments. */
|
|
86
|
+
function handlePreToolUse(payload, redactor) {
|
|
87
|
+
redactToolInput(payload, redactor, (redactedInput) => ({
|
|
88
|
+
hookSpecificOutput: {
|
|
89
|
+
hookEventName: 'PreToolUse',
|
|
90
|
+
permissionDecision: 'allow',
|
|
91
|
+
updatedInput: redactedInput,
|
|
92
|
+
},
|
|
93
|
+
}));
|
|
94
|
+
}
|
|
95
|
+
/** Handle PostToolUse for MCP tools — redact inbound content blocks. */
|
|
96
|
+
function handlePostToolUseMCP(payload, redactor) {
|
|
97
|
+
const toolResponse = payload.tool_response;
|
|
98
|
+
if (!toolResponse || typeof toolResponse !== 'object') {
|
|
99
|
+
process.exit(0);
|
|
100
|
+
}
|
|
101
|
+
const contentArray = toolResponse.content;
|
|
102
|
+
if (!Array.isArray(contentArray)) {
|
|
103
|
+
process.exit(0);
|
|
104
|
+
}
|
|
105
|
+
const { content: redactedArray, hasRedacted } = redactor.redact(contentArray);
|
|
106
|
+
if (!hasRedacted) {
|
|
107
|
+
process.exit(0);
|
|
108
|
+
}
|
|
109
|
+
const response = {
|
|
110
|
+
updatedMCPToolOutput: {
|
|
111
|
+
content: redactedArray,
|
|
112
|
+
},
|
|
113
|
+
};
|
|
114
|
+
process.stdout.write(JSON.stringify(response) + '\n');
|
|
115
|
+
process.exit(0);
|
|
116
|
+
}
|
|
117
|
+
/** Handle PostToolUse for built-in tools — decision: "block". */
|
|
118
|
+
function handlePostToolUseBuiltin(payload, redactor) {
|
|
119
|
+
redactBuiltinResponse(payload, redactor, 'block');
|
|
120
|
+
}
|
|
121
|
+
// ── Gemini CLI handlers ─────────────────────────────────────────────────
|
|
122
|
+
/** Handle BeforeTool — redact outbound MCP tool arguments (Gemini format). */
|
|
123
|
+
function handleBeforeTool(payload, redactor) {
|
|
124
|
+
redactToolInput(payload, redactor, (redactedInput) => ({
|
|
125
|
+
hookSpecificOutput: {
|
|
126
|
+
tool_input: redactedInput,
|
|
127
|
+
},
|
|
128
|
+
}));
|
|
129
|
+
}
|
|
130
|
+
/** Handle AfterTool for MCP tools — redact content array, flatten to deny/reason. */
|
|
131
|
+
function handleAfterToolMCP(payload, redactor) {
|
|
132
|
+
const toolResponse = payload.tool_response;
|
|
133
|
+
if (!toolResponse || typeof toolResponse !== 'object') {
|
|
134
|
+
process.exit(0);
|
|
135
|
+
}
|
|
136
|
+
const contentArray = toolResponse.content;
|
|
137
|
+
if (!Array.isArray(contentArray)) {
|
|
138
|
+
process.exit(0);
|
|
139
|
+
}
|
|
140
|
+
const { content: redactedArray, hasRedacted } = redactor.redact(contentArray);
|
|
141
|
+
if (!hasRedacted) {
|
|
142
|
+
process.exit(0);
|
|
143
|
+
}
|
|
144
|
+
// Flatten content blocks to a single text for Gemini's deny/reason format
|
|
145
|
+
const textParts = redactedArray
|
|
146
|
+
.filter((b) => typeof b.text === 'string')
|
|
147
|
+
.map((b) => b.text);
|
|
148
|
+
const response = {
|
|
149
|
+
decision: 'deny',
|
|
150
|
+
reason: textParts.join('\n'),
|
|
151
|
+
};
|
|
152
|
+
process.stdout.write(JSON.stringify(response) + '\n');
|
|
153
|
+
process.exit(0);
|
|
154
|
+
}
|
|
155
|
+
/** Handle AfterTool for built-in tools — decision: "deny". */
|
|
156
|
+
function handleAfterToolBuiltin(payload, redactor) {
|
|
157
|
+
redactBuiltinResponse(payload, redactor, 'deny');
|
|
158
|
+
}
|
|
159
|
+
// ── Utilities ───────────────────────────────────────────────────────────
|
|
160
|
+
function isMCPTool(toolName) {
|
|
161
|
+
return typeof toolName === 'string' && toolName.startsWith('mcp__');
|
|
162
|
+
}
|
|
163
|
+
function readStdin() {
|
|
164
|
+
return new Promise((resolve, reject) => {
|
|
165
|
+
const chunks = [];
|
|
166
|
+
process.stdin.on('data', (chunk) => chunks.push(chunk));
|
|
167
|
+
process.stdin.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8')));
|
|
168
|
+
process.stdin.on('error', reject);
|
|
169
|
+
});
|
|
170
|
+
}
|
|
171
|
+
// ── Entry point ─────────────────────────────────────────────────────────
|
|
172
|
+
export async function run() {
|
|
173
|
+
let raw;
|
|
174
|
+
try {
|
|
175
|
+
raw = await readStdin();
|
|
176
|
+
}
|
|
177
|
+
catch {
|
|
178
|
+
process.stderr.write('hush redact-hook: failed to read stdin\n');
|
|
179
|
+
process.exit(2);
|
|
180
|
+
}
|
|
181
|
+
if (!raw.trim()) {
|
|
182
|
+
process.exit(0);
|
|
183
|
+
}
|
|
184
|
+
let payload;
|
|
185
|
+
try {
|
|
186
|
+
payload = JSON.parse(raw);
|
|
187
|
+
}
|
|
188
|
+
catch {
|
|
189
|
+
process.stderr.write('hush redact-hook: invalid JSON on stdin\n');
|
|
190
|
+
process.exit(2);
|
|
191
|
+
}
|
|
192
|
+
const redactor = new Redactor();
|
|
193
|
+
const eventName = payload.hook_event_name;
|
|
194
|
+
// Claude Code events
|
|
195
|
+
if (eventName === 'PreToolUse') {
|
|
196
|
+
handlePreToolUse(payload, redactor);
|
|
197
|
+
return;
|
|
198
|
+
}
|
|
199
|
+
if (eventName === 'PostToolUse') {
|
|
200
|
+
if (isMCPTool(payload.tool_name)) {
|
|
201
|
+
handlePostToolUseMCP(payload, redactor);
|
|
202
|
+
}
|
|
203
|
+
else {
|
|
204
|
+
handlePostToolUseBuiltin(payload, redactor);
|
|
205
|
+
}
|
|
206
|
+
return;
|
|
207
|
+
}
|
|
208
|
+
// Gemini CLI events
|
|
209
|
+
if (eventName === 'BeforeTool') {
|
|
210
|
+
handleBeforeTool(payload, redactor);
|
|
211
|
+
return;
|
|
212
|
+
}
|
|
213
|
+
if (eventName === 'AfterTool') {
|
|
214
|
+
if (isMCPTool(payload.tool_name)) {
|
|
215
|
+
handleAfterToolMCP(payload, redactor);
|
|
216
|
+
}
|
|
217
|
+
else {
|
|
218
|
+
handleAfterToolBuiltin(payload, redactor);
|
|
219
|
+
}
|
|
220
|
+
return;
|
|
221
|
+
}
|
|
222
|
+
// Backward compat: no hook_event_name → treat as PostToolUse built-in
|
|
223
|
+
handlePostToolUseBuiltin(payload, redactor);
|
|
224
|
+
}
|
|
225
|
+
//# sourceMappingURL=redact-hook.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"redact-hook.js","sourceRoot":"","sources":["../../src/commands/redact-hook.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAyBrD,6DAA6D;AAC7D,SAAS,WAAW,CAAC,YAA0C;IAC7D,IAAI,CAAC,YAAY,IAAI,OAAO,YAAY,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAEnE,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,OAAO,YAAY,CAAC,MAAM,KAAK,QAAQ,IAAI,YAAY,CAAC,MAAM,EAAE,CAAC;QACnE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IACD,IAAI,OAAO,YAAY,CAAC,MAAM,KAAK,QAAQ,IAAI,YAAY,CAAC,MAAM,EAAE,CAAC;QACnE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IACD,6CAA6C;IAC7C,IAAI,YAAY,CAAC,IAAI,IAAI,OAAO,YAAY,CAAC,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QACpG,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC;IACD,IAAI,OAAO,YAAY,CAAC,OAAO,KAAK,QAAQ,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;QACrE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IACD,IAAI,OAAO,YAAY,CAAC,MAAM,KAAK,QAAQ,IAAI,YAAY,CAAC,MAAM,EAAE,CAAC;QACnE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACpD,CAAC;AAED,2EAA2E;AAE3E;;;GAGG;AACH,SAAS,eAAe,CACtB,OAAoB,EACpB,QAAkB,EAClB,cAAkE;IAElE,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QAClE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAErE,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAkC,CAAC,CAAC;IACpE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC;IACtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,SAAS,qBAAqB,CAC5B,OAAoB,EACpB,QAAkB,EAClB,QAA0B;IAE1B,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;QAC3B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAChD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACvD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG;QACf,QAAQ;QACR,MAAM,EAAE,OAAiB;KAC1B,CAAC;IAEF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC;IACtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,2EAA2E;AAE3E,8DAA8D;AAC9D,SAAS,gBAAgB,CAAC,OAAoB,EAAE,QAAkB;IAChE,eAAe,CAAC,OAAO,EAAE,QAAQ,EAAE,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QACrD,kBAAkB,EAAE;YAClB,aAAa,EAAE,YAAY;YAC3B,kBAAkB,EAAE,OAAO;YAC3B,YAAY,EAAE,aAAa;SAC5B;KACF,CAAC,CAAC,CAAC;AACN,CAAC;AAED,wEAAwE;AACxE,SAAS,oBAAoB,CAAC,OAAoB,EAAE,QAAkB;IACpE,MAAM,YAAY,GAAG,OAAO,CAAC,aAAa,CAAC;IAC3C,IAAI,CAAC,YAAY,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;QACtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,YAAY,GAAG,YAAY,CAAC,OAAO,CAAC;IAC1C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAE9E,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG;QACf,oBAAoB,EAAE;YACpB,OAAO,EAAE,aAAa;SACvB;KACF,CAAC;IAEF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC;IACtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,iEAAiE;AACjE,SAAS,wBAAwB,CAAC,OAAoB,EAAE,QAAkB;IACxE,qBAAqB,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;AACpD,CAAC;AAED,2EAA2E;AAE3E,8EAA8E;AAC9E,SAAS,gBAAgB,CAAC,OAAoB,EAAE,QAAkB;IAChE,eAAe,CAAC,OAAO,EAAE,QAAQ,EAAE,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QACrD,kBAAkB,EAAE;YAClB,UAAU,EAAE,aAAa;SAC1B;KACF,CAAC,CAAC,CAAC;AACN,CAAC;AAED,qFAAqF;AACrF,SAAS,kBAAkB,CAAC,OAAoB,EAAE,QAAkB;IAClE,MAAM,YAAY,GAAG,OAAO,CAAC,aAAa,CAAC;IAC3C,IAAI,CAAC,YAAY,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;QACtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,YAAY,GAAG,YAAY,CAAC,OAAO,CAAC;IAC1C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAE9E,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,0EAA0E;IAC1E,MAAM,SAAS,GAAI,aAAmC;SACnD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC;SACzC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAc,CAAC,CAAC;IAEhC,MAAM,QAAQ,GAAG;QACf,QAAQ,EAAE,MAAe;QACzB,MAAM,EAAE,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC;KAC7B,CAAC;IAEF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC;IACtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,8DAA8D;AAC9D,SAAS,sBAAsB,CAAC,OAAoB,EAAE,QAAkB;IACtE,qBAAqB,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;AACnD,CAAC;AAED,2EAA2E;AAE3E,SAAS,SAAS,CAAC,QAAiB;IAClC,OAAO,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAChE,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QAChF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,2EAA2E;AAE3E,MAAM,CAAC,KAAK,UAAU,GAAG;IACvB,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,SAAS,EAAE,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;QACjE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;QAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,OAAoB,CAAC;IACzB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAgB,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAClE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,QAAQ,EAAE,CAAC;IAChC,MAAM,SAAS,GAAG,OAAO,CAAC,eAAe,CAAC;IAE1C,qBAAqB;IACrB,IAAI,SAAS,KAAK,YAAY,EAAE,CAAC;QAC/B,gBAAgB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACpC,OAAO;IACT,CAAC;IAED,IAAI,SAAS,KAAK,aAAa,EAAE,CAAC;QAChC,IAAI,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;YACjC,oBAAoB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,wBAAwB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO;IACT,CAAC;IAED,oBAAoB;IACpB,IAAI,SAAS,KAAK,YAAY,EAAE,CAAC;QAC/B,gBAAgB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACpC,OAAO;IACT,CAAC;IAED,IAAI,SAAS,KAAK,WAAW,EAAE,CAAC;QAC9B,IAAI,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;YACjC,kBAAkB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACxC,CAAC;aAAM,CAAC;YACN,sBAAsB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC5C,CAAC;QACD,OAAO;IACT,CAAC;IAED,sEAAsE;IACtE,wBAAwB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;AAC9C,CAAC"}
|
package/dist/index.js
CHANGED
|
@@ -83,7 +83,7 @@ async function proxyRequest(req, res, targetUrl, headers) {
|
|
|
83
83
|
method: req.method,
|
|
84
84
|
headers: fetchHeaders,
|
|
85
85
|
body: hasBody ? JSON.stringify(redactedBody) : undefined,
|
|
86
|
-
signal: AbortSignal.timeout(
|
|
86
|
+
signal: AbortSignal.timeout(120000), // 120s timeout for long LLM responses
|
|
87
87
|
});
|
|
88
88
|
// Handle Upstream Errors (4xx, 5xx)
|
|
89
89
|
if (!response.ok) {
|
|
@@ -131,7 +131,13 @@ async function proxyRequest(req, res, targetUrl, headers) {
|
|
|
131
131
|
}
|
|
132
132
|
catch (error) {
|
|
133
133
|
log.error({ err: error, path: req.path }, 'Failed to forward request');
|
|
134
|
-
res.
|
|
134
|
+
if (!res.headersSent) {
|
|
135
|
+
res.status(502).json({ error: 'Gateway forwarding failed' });
|
|
136
|
+
}
|
|
137
|
+
else {
|
|
138
|
+
// Headers already sent (streaming in progress) — just end the response
|
|
139
|
+
res.end();
|
|
140
|
+
}
|
|
135
141
|
}
|
|
136
142
|
}
|
|
137
143
|
/**
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,SAAS,CAAC;AAC9B,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C,MAAM,GAAG,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;AACvC,MAAM,QAAQ,GAAG,IAAI,QAAQ,EAAE,CAAC;AAChC,MAAM,KAAK,GAAG,IAAI,UAAU,EAAE,CAAC;AAE/B,0EAA0E;AAC1E,IAAI,UAAU,GAAqB,IAAI,CAAC;AACxC,SAAS,YAAY;IACnB,IAAI,UAAU;QAAE,OAAO,UAAU,CAAC;IAClC,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QAClF,UAAU,GAAG,IAAI,SAAS,EAAE,CAAC;IAC/B,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,8DAA8D;AAC9D,YAAY,EAAE,CAAC;AAEf,MAAM,CAAC,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;AAE7B,0EAA0E;AAC1E,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,WAAW,CAAC;AAE1D,uDAAuD;AACvD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;AAE/C,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC,CAAC,CAAC,CAAC,gBAAgB;AAC/D,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;AAEzC;;GAEG;AACH,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IACzB,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,IAAI,EAAE,CAAC;IAE1C,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAC/E,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;QAE7E,IAAI,CAAC,aAAa,IAAI,CAAC,aAAa,KAAK,UAAU,IAAI,aAAa,KAAK,UAAU,UAAU,EAAE,CAAC,EAAE,CAAC;YACjG,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,EAAE,6BAA6B,CAAC,CAAC;YACxD,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uCAAuC,EAAE,CAAC,CAAC;QAClF,CAAC;IACH,CAAC;IACD,IAAI,EAAE,CAAC;AACT,CAAC,CAAC,CAAC;AAEH;;GAEG;AACH,KAAK,UAAU,YAAY,CACzB,GAAoB,EACpB,GAAqB,EACrB,SAAiB,EACjB,OAA+B;IAE/B,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IACpC,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IAEjC,MAAM,OAAO,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAE9D,gFAAgF;IAChF,IAAI,YAAiB,CAAC;IACtB,IAAI,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,IAAI,WAAW,GAAG,KAAK,CAAC;IAExB,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACzC,YAAY,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QACvB,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;IACnC,CAAC;IAED,MAAM,iBAAiB,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,CAAC;IAEpE,gCAAgC;IAChC,IAAI,SAAS,EAAE,CAAC;QACd,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;IACpD,CAAC;IAED,IAAI,WAAW,EAAE,CAAC;QAChB,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,iBAAiB,EAAE,EAAE,sCAAsC,CAAC,CAAC;QAC3H,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAEzB,uBAAuB;QACvB,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;gBAC9B,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,mCAAmC;gBAC9E,SAAU,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YACvC,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,YAAY,GAA2B,EAAE,GAAG,OAAO,EAAE,CAAC;QAC5D,IAAI,OAAO;YAAE,YAAY,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;QAE/D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;YACtC,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,OAAO,EAAE,YAAY;YACrB,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS;YACxD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,SAAS,CAAC;AAC9B,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C,MAAM,GAAG,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;AACvC,MAAM,QAAQ,GAAG,IAAI,QAAQ,EAAE,CAAC;AAChC,MAAM,KAAK,GAAG,IAAI,UAAU,EAAE,CAAC;AAE/B,0EAA0E;AAC1E,IAAI,UAAU,GAAqB,IAAI,CAAC;AACxC,SAAS,YAAY;IACnB,IAAI,UAAU;QAAE,OAAO,UAAU,CAAC;IAClC,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QAClF,UAAU,GAAG,IAAI,SAAS,EAAE,CAAC;IAC/B,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,8DAA8D;AAC9D,YAAY,EAAE,CAAC;AAEf,MAAM,CAAC,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;AAE7B,0EAA0E;AAC1E,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,WAAW,CAAC;AAE1D,uDAAuD;AACvD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;AAE/C,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC,CAAC,CAAC,CAAC,gBAAgB;AAC/D,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;AAEzC;;GAEG;AACH,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IACzB,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,IAAI,EAAE,CAAC;IAE1C,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAC/E,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;QAE7E,IAAI,CAAC,aAAa,IAAI,CAAC,aAAa,KAAK,UAAU,IAAI,aAAa,KAAK,UAAU,UAAU,EAAE,CAAC,EAAE,CAAC;YACjG,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,EAAE,6BAA6B,CAAC,CAAC;YACxD,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uCAAuC,EAAE,CAAC,CAAC;QAClF,CAAC;IACH,CAAC;IACD,IAAI,EAAE,CAAC;AACT,CAAC,CAAC,CAAC;AAEH;;GAEG;AACH,KAAK,UAAU,YAAY,CACzB,GAAoB,EACpB,GAAqB,EACrB,SAAiB,EACjB,OAA+B;IAE/B,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IACpC,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IAEjC,MAAM,OAAO,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAE9D,gFAAgF;IAChF,IAAI,YAAiB,CAAC;IACtB,IAAI,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,IAAI,WAAW,GAAG,KAAK,CAAC;IAExB,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACzC,YAAY,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QACvB,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;IACnC,CAAC;IAED,MAAM,iBAAiB,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,CAAC;IAEpE,gCAAgC;IAChC,IAAI,SAAS,EAAE,CAAC;QACd,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;IACpD,CAAC;IAED,IAAI,WAAW,EAAE,CAAC;QAChB,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,iBAAiB,EAAE,EAAE,sCAAsC,CAAC,CAAC;QAC3H,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAEzB,uBAAuB;QACvB,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;gBAC9B,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,mCAAmC;gBAC9E,SAAU,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YACvC,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,YAAY,GAA2B,EAAE,GAAG,OAAO,EAAE,CAAC;QAC5D,IAAI,OAAO;YAAE,YAAY,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;QAE/D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;YACtC,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,OAAO,EAAE,YAAY;YACrB,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS;YACxD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,sCAAsC;SAC5E,CAAC,CAAC;QAEH,oCAAoC;QACpC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,GAAG,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE,qCAAqC,CAAC,CAAC;YAC9F,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,OAAO,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACrD,CAAC;QAED,oBAAoB;QACpB,MAAM,WAAW,GAAG,GAAG,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,IAAI,GAAG,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,CAAC;QAC7E,IAAI,WAAW,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;YACjC,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE,uBAAuB,CAAC,CAAC;YACtD,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,mBAAmB,CAAC,CAAC;YACnD,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;YAC3C,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;YAE1C,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACzC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAElC,yEAAyE;YACzE,MAAM,cAAc,GAAG,KAAK,CAAC,yBAAyB,EAAE,CAAC;YAEzD,IAAI,CAAC;gBACH,OAAO,IAAI,EAAE,CAAC;oBACZ,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;oBAC5C,IAAI,IAAI;wBAAE,MAAM;oBAEhB,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;oBACtD,MAAM,eAAe,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;oBAE9C,IAAI,eAAe,EAAE,CAAC;wBACpB,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;wBAC5C,sBAAsB;wBACtB,IAAI,CAAC,QAAQ,EAAE,CAAC;4BACd,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;wBAC7D,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;oBAAS,CAAC;gBACT,MAAM,CAAC,WAAW,EAAE,CAAC;YACvB,CAAC;YACD,GAAG,CAAC,GAAG,EAAE,CAAC;YACV,OAAO;QACT,CAAC;QAED,uBAAuB;QACvB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,cAAc,GAAG,KAAK,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC7C,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAEnD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE,2BAA2B,CAAC,CAAC;QACvE,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;YACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC,CAAC;QAC/D,CAAC;aAAM,CAAC;YACN,uEAAuE;YACvE,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,GAAG,CAAC,IAAI,CAAC,cAAc,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;IAC1C,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI;QAAE,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mDAAmD,EAAE,CAAC,CAAC;IAElH,MAAM,OAAO,GAA2B;QACtC,mBAAmB,EAAE,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAW,IAAI,YAAY;KAChF,CAAC;IACF,IAAI,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC;QAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAW,CAAC;IACvG,IAAI,MAAM;QAAE,OAAO,CAAC,WAAW,CAAC,GAAG,MAAgB,CAAC;IACpD,IAAI,IAAI;QAAE,OAAO,CAAC,eAAe,CAAC,GAAG,IAAc,CAAC;IAEpD,MAAM,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,uCAAuC,EAAE,OAAO,CAAC,CAAC;AACjF,CAAC,CAAC,CAAC;AAEH;;GAEG;AACH,GAAG,CAAC,IAAI,CAAC,sBAAsB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;IAClD,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI;QAAE,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC,CAAC;IAElF,MAAM,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,4CAA4C,EAAE;QACzE,eAAe,EAAE,IAAc;KAChC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH;;;;;GAKG;AACH,GAAG,CAAC,IAAI,CAAC,+BAA+B,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;IAC3D,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI;QAAE,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC,CAAC;IAEnF,MAAM,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,+CAA+C,EAAE;QAC5E,eAAe,EAAE,IAAc;KAChC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,GAAG,CAAC,IAAI,CAAC,sCAAsC,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;IAClE,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI;QAAE,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC,CAAC;IAEnF,MAAM,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,sDAAsD,EAAE;QACnF,eAAe,EAAE,IAAc;KAChC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH;;;GAGG;AACH,GAAG,CAAC,IAAI,CAAC,gCAAgC,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;IAC5D,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC;IAC9D,IAAI,CAAC,MAAM;QAAE,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC,CAAC;IAE9E,MAAM,SAAS,GAAG,2DAA2D,GAAG,CAAC,MAAM,CAAC,cAAc,GAAG,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAEpK,MAAM,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE;QACtC,gBAAgB,EAAE,MAAgB;KACnC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,0CAA0C;AAC1C,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;IAC9B,MAAM,QAAQ,GAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC5C,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,MAAM,EAAE,CAAC;QACjC,QAAQ,CAAC,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC;IAClC,CAAC;IACD,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACrB,CAAC,CAAC,CAAC;AAEH;;;GAGG;AACH,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;IACnC,MAAM,UAAU,GAAG,2CAA2C,CAAC;IAC/D,MAAM,SAAS,GAAG,GAAG,UAAU,GAAG,GAAG,CAAC,GAAG,EAAE,CAAC;IAE5C,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,wBAAwB,CAAC,CAAC;IAEjG,uCAAuC;IACvC,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,IAAI,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC;QAAE,OAAO,CAAC,eAAe,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAW,CAAC;IACpG,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC;QAAE,OAAO,CAAC,WAAW,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,CAAW,CAAC;IACxF,IAAI,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC;QAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAW,CAAC;IAEvG,MAAM,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;AACnD,CAAC,CAAC,CAAC"}
|
|
@@ -23,6 +23,11 @@ export declare class Redactor {
|
|
|
23
23
|
* Common PII Regex patterns.
|
|
24
24
|
*/
|
|
25
25
|
private static readonly PATTERNS;
|
|
26
|
+
/**
|
|
27
|
+
* Cloud provider key patterns — Tier 1 only (unique prefixes, very low false-positive risk).
|
|
28
|
+
* Sources: GitHub secret scanning, gitleaks, trufflehog.
|
|
29
|
+
*/
|
|
30
|
+
private static readonly CLOUD_KEY_PATTERNS;
|
|
26
31
|
/**
|
|
27
32
|
* Redact sensitive information from a JSON object or string.
|
|
28
33
|
*
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"redactor.d.ts","sourceRoot":"","sources":["../../src/middleware/redactor.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,8CAA8C;IAC9C,OAAO,EAAE,GAAG,CAAC;IACb,uCAAuC;IACvC,WAAW,EAAE,OAAO,CAAC;IACrB,6CAA6C;IAC7C,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,qBAAa,QAAQ;IACnB;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAa9B;IAEF;;;;;OAKG;IACI,MAAM,CAAC,KAAK,EAAE,GAAG,GAAG,eAAe;
|
|
1
|
+
{"version":3,"file":"redactor.d.ts","sourceRoot":"","sources":["../../src/middleware/redactor.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,8CAA8C;IAC9C,OAAO,EAAE,GAAG,CAAC;IACb,uCAAuC;IACvC,WAAW,EAAE,OAAO,CAAC;IACrB,6CAA6C;IAC7C,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,qBAAa,QAAQ;IACnB;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAa9B;IAEF;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CA4CxC;IAEF;;;;;OAKG;IACI,MAAM,CAAC,KAAK,EAAE,GAAG,GAAG,eAAe;CA6H3C"}
|
|
@@ -30,6 +30,55 @@ export class Redactor {
|
|
|
30
30
|
/** Phone Numbers (robust version) */
|
|
31
31
|
PHONE: /(?:^|[\s:;])(?:\+\d{1,3}[-. ]?)?\(?\d{2,4}\)?[-. ]\d{3,4}[-. ]\d{3,4}(?:\s*(?:ext|x)\s*\d+)?/g,
|
|
32
32
|
};
|
|
33
|
+
/**
|
|
34
|
+
* Cloud provider key patterns — Tier 1 only (unique prefixes, very low false-positive risk).
|
|
35
|
+
* Sources: GitHub secret scanning, gitleaks, trufflehog.
|
|
36
|
+
*/
|
|
37
|
+
static CLOUD_KEY_PATTERNS = [
|
|
38
|
+
// AWS
|
|
39
|
+
{ re: /\b((?:AKIA|ASIA|ABIA|ACCA)[A-Z2-7]{16})\b/g, label: 'AWS_KEY' },
|
|
40
|
+
// GCP / Firebase
|
|
41
|
+
{ re: /\b(AIza[\w-]{35})\b/g, label: 'GCP_KEY' },
|
|
42
|
+
{ re: /\b(GOCSPX-[a-zA-Z0-9_-]{28})\b/g, label: 'GCP_OAUTH' },
|
|
43
|
+
// GitHub
|
|
44
|
+
{ re: /\b(ghp_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_PAT' },
|
|
45
|
+
{ re: /\b(gho_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_OAUTH' },
|
|
46
|
+
{ re: /\b(ghu_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_U2S' },
|
|
47
|
+
{ re: /\b(ghs_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_S2S' },
|
|
48
|
+
{ re: /\b(ghr_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_REFRESH' },
|
|
49
|
+
{ re: /\b(github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59})\b/g, label: 'GITHUB_FINE_PAT' },
|
|
50
|
+
// GitLab
|
|
51
|
+
{ re: /\b(glpat-[\w-]{20})\b/g, label: 'GITLAB_PAT' },
|
|
52
|
+
{ re: /\b(glptt-[a-zA-Z0-9_-]{40})\b/g, label: 'GITLAB_TRIGGER' },
|
|
53
|
+
// Slack
|
|
54
|
+
{ re: /\b(xoxb-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*)\b/g, label: 'SLACK_BOT' },
|
|
55
|
+
{ re: /\b(xox[pe]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9-]+)\b/g, label: 'SLACK_TOKEN' },
|
|
56
|
+
// Stripe
|
|
57
|
+
{ re: /\b(sk_(?:live|test)_[a-zA-Z0-9]{10,99})\b/g, label: 'STRIPE_SECRET' },
|
|
58
|
+
{ re: /\b(rk_(?:live|test)_[a-zA-Z0-9]{10,99})\b/g, label: 'STRIPE_RESTRICTED' },
|
|
59
|
+
{ re: /\b(whsec_[a-zA-Z0-9]{24,})\b/g, label: 'STRIPE_WEBHOOK' },
|
|
60
|
+
// SendGrid (SG. + base64url with internal dot separator)
|
|
61
|
+
{ re: /\b(SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43})\b/g, label: 'SENDGRID_KEY' },
|
|
62
|
+
// npm
|
|
63
|
+
{ re: /\b(npm_[a-z0-9]{36})\b/gi, label: 'NPM_TOKEN' },
|
|
64
|
+
// PyPI
|
|
65
|
+
{ re: /\b(pypi-AgEIcHlwaS5vcmc[\w-]{50,})\b/g, label: 'PYPI_TOKEN' },
|
|
66
|
+
// Docker Hub
|
|
67
|
+
{ re: /\b(dckr_pat_[a-zA-Z0-9_-]{27,})\b/g, label: 'DOCKER_PAT' },
|
|
68
|
+
// Anthropic
|
|
69
|
+
{ re: /\b(sk-ant-[a-zA-Z0-9_-]{36,})\b/g, label: 'ANTHROPIC_KEY' },
|
|
70
|
+
// OpenAI (with T3BlbkFJ marker)
|
|
71
|
+
{ re: /\b(sk-(?:proj|svcacct|admin)-[A-Za-z0-9_-]{20,}T3BlbkFJ[A-Za-z0-9_-]{20,})\b/g, label: 'OPENAI_KEY' },
|
|
72
|
+
// DigitalOcean
|
|
73
|
+
{ re: /\b(do[por]_v1_[a-f0-9]{64})\b/g, label: 'DIGITALOCEAN_TOKEN' },
|
|
74
|
+
// HashiCorp Vault
|
|
75
|
+
{ re: /\b(hvs\.[\w-]{90,})\b/g, label: 'VAULT_TOKEN' },
|
|
76
|
+
{ re: /\b(hvb\.[\w-]{90,})\b/g, label: 'VAULT_BATCH' },
|
|
77
|
+
// Supabase
|
|
78
|
+
{ re: /\b(sbp_[a-f0-9]{40})\b/g, label: 'SUPABASE_PAT' },
|
|
79
|
+
{ re: /\b(sb_secret_[a-zA-Z0-9_-]{20,})\b/g, label: 'SUPABASE_SECRET' },
|
|
80
|
+
// PEM private keys (multiline — matched separately in redactPEMKeys)
|
|
81
|
+
];
|
|
33
82
|
/**
|
|
34
83
|
* Redact sensitive information from a JSON object or string.
|
|
35
84
|
*
|
|
@@ -78,6 +127,26 @@ export class Redactor {
|
|
|
78
127
|
tokens.set(token, match);
|
|
79
128
|
return token;
|
|
80
129
|
});
|
|
130
|
+
// Redact cloud provider keys BEFORE generic patterns — specific prefixed
|
|
131
|
+
// keys must be matched first so they don't get partially eaten by SECRET
|
|
132
|
+
// or CREDIT_CARD patterns.
|
|
133
|
+
for (const { re, label } of Redactor.CLOUD_KEY_PATTERNS) {
|
|
134
|
+
re.lastIndex = 0;
|
|
135
|
+
text = text.replace(re, (match, p1) => {
|
|
136
|
+
hasRedacted = true;
|
|
137
|
+
const val = p1 || match;
|
|
138
|
+
const token = `[${label}_${tokenHash(val)}]`;
|
|
139
|
+
tokens.set(token, val);
|
|
140
|
+
return token;
|
|
141
|
+
});
|
|
142
|
+
}
|
|
143
|
+
// Redact PEM private keys
|
|
144
|
+
text = text.replace(/-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY-----[\s\S]{64,}?-----END[ A-Z0-9_-]{0,100}PRIVATE KEY-----/g, (match) => {
|
|
145
|
+
hasRedacted = true;
|
|
146
|
+
const token = `[PRIVATE_KEY_${tokenHash(match)}]`;
|
|
147
|
+
tokens.set(token, match);
|
|
148
|
+
return token;
|
|
149
|
+
});
|
|
81
150
|
// Redact Secrets in text (e.g. "api_key=...")
|
|
82
151
|
text = text.replace(Redactor.PATTERNS.SECRET, (match, p1) => {
|
|
83
152
|
hasRedacted = true;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"redactor.js","sourceRoot":"","sources":["../../src/middleware/redactor.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEpC,0EAA0E;AAC1E,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACtE,CAAC;AAcD;;GAEG;AACH,MAAM,OAAO,QAAQ;IACnB;;OAEG;IACK,MAAM,CAAU,QAAQ,GAAG;QACjC,kFAAkF;QAClF,KAAK,EAAE,kEAAkE;QACzE,yBAAyB;QACzB,IAAI,EAAE,8BAA8B;QACpC,yBAAyB;QACzB,IAAI,EAAE,spBAAspB;QAC5pB,wDAAwD;QACxD,MAAM,EAAE,+GAA+G;QACvH,0BAA0B;QAC1B,WAAW,EAAE,0BAA0B;QACvC,qCAAqC;QACrC,KAAK,EAAE,+FAA+F;KACvG,CAAC;IAEF;;;;;OAKG;IACI,MAAM,CAAC,KAAU;QACtB,MAAM,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;QACzC,IAAI,WAAW,GAAG,KAAK,CAAC;QAExB,0DAA0D;QAC1D,MAAM,MAAM,GAAG,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI;YACxD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YACnC,CAAC,CAAC,KAAK,CAAC;QAEV,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;QAEjG,MAAM,OAAO,GAAG,CAAC,IAAS,EAAE,OAAgB,EAAO,EAAE;YACnD,wCAAwC;YACxC,IAAI,OAAO,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACxC,MAAM,aAAa,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;gBACjE,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACxD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,qBAAqB,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC;oBACtD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;oBACxB,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YAED,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,IAAI,IAAI,GAAG,IAAI,CAAC;gBAEhB,gBAAgB;gBAChB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,EAAE;oBACrD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,eAAe,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACjD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,2BAA2B;gBAC3B,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,EAAE;oBACpD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,eAAe,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACjD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,2BAA2B;gBAC3B,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,EAAE;oBACpD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,kBAAkB,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACpD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,8CAA8C;gBAC9C,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;oBAC1D,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,qBAAqB,SAAS,CAAC,EAAE,CAAC,GAAG,CAAC;oBACpD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBACtB,OAAO,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;gBAClC,CAAC,CAAC,CAAC;gBAEH,sBAAsB;gBACtB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,KAAK,EAAE,EAAE;oBAC3D,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,iBAAiB,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACnD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,uBAAuB;gBACvB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,EAAE;oBACrD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,iBAAiB,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACnD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,OAAO,IAAI,CAAC;YACd,CAAC;YAED,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxB,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;YACzC,CAAC;YAED,IAAI,IAAI,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC9C,MAAM,GAAG,GAAQ,EAAE,CAAC;gBACpB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;oBAChD,GAAG,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACjC,CAAC;gBACD,OAAO,GAAG,CAAC;YACb,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;QAEF,MAAM,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;QAExC,OAAO;YACL,OAAO,EAAE,eAAe;YACxB,WAAW;YACX,MAAM;SACP,CAAC;IACJ,CAAC"}
|
|
1
|
+
{"version":3,"file":"redactor.js","sourceRoot":"","sources":["../../src/middleware/redactor.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEpC,0EAA0E;AAC1E,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACtE,CAAC;AAcD;;GAEG;AACH,MAAM,OAAO,QAAQ;IACnB;;OAEG;IACK,MAAM,CAAU,QAAQ,GAAG;QACjC,kFAAkF;QAClF,KAAK,EAAE,kEAAkE;QACzE,yBAAyB;QACzB,IAAI,EAAE,8BAA8B;QACpC,yBAAyB;QACzB,IAAI,EAAE,spBAAspB;QAC5pB,wDAAwD;QACxD,MAAM,EAAE,+GAA+G;QACvH,0BAA0B;QAC1B,WAAW,EAAE,0BAA0B;QACvC,qCAAqC;QACrC,KAAK,EAAE,+FAA+F;KACvG,CAAC;IAEF;;;OAGG;IACK,MAAM,CAAU,kBAAkB,GAAyC;QACjF,MAAM;QACN,EAAE,EAAE,EAAE,4CAA4C,EAAE,KAAK,EAAE,SAAS,EAAE;QACtE,iBAAiB;QACjB,EAAE,EAAE,EAAE,sBAAsB,EAAE,KAAK,EAAE,SAAS,EAAE;QAChD,EAAE,EAAE,EAAE,iCAAiC,EAAE,KAAK,EAAE,WAAW,EAAE;QAC7D,SAAS;QACT,EAAE,EAAE,EAAE,4BAA4B,EAAE,KAAK,EAAE,YAAY,EAAE;QACzD,EAAE,EAAE,EAAE,4BAA4B,EAAE,KAAK,EAAE,cAAc,EAAE;QAC3D,EAAE,EAAE,EAAE,4BAA4B,EAAE,KAAK,EAAE,YAAY,EAAE;QACzD,EAAE,EAAE,EAAE,4BAA4B,EAAE,KAAK,EAAE,YAAY,EAAE;QACzD,EAAE,EAAE,EAAE,4BAA4B,EAAE,KAAK,EAAE,gBAAgB,EAAE;QAC7D,EAAE,EAAE,EAAE,mDAAmD,EAAE,KAAK,EAAE,iBAAiB,EAAE;QACrF,SAAS;QACT,EAAE,EAAE,EAAE,wBAAwB,EAAE,KAAK,EAAE,YAAY,EAAE;QACrD,EAAE,EAAE,EAAE,gCAAgC,EAAE,KAAK,EAAE,gBAAgB,EAAE;QACjE,QAAQ;QACR,EAAE,EAAE,EAAE,oDAAoD,EAAE,KAAK,EAAE,WAAW,EAAE;QAChF,EAAE,EAAE,EAAE,wDAAwD,EAAE,KAAK,EAAE,aAAa,EAAE;QACtF,SAAS;QACT,EAAE,EAAE,EAAE,4CAA4C,EAAE,KAAK,EAAE,eAAe,EAAE;QAC5E,EAAE,EAAE,EAAE,4CAA4C,EAAE,KAAK,EAAE,mBAAmB,EAAE;QAChF,EAAE,EAAE,EAAE,+BAA+B,EAAE,KAAK,EAAE,gBAAgB,EAAE;QAChE,yDAAyD;QACzD,EAAE,EAAE,EAAE,iDAAiD,EAAE,KAAK,EAAE,cAAc,EAAE;QAChF,MAAM;QACN,EAAE,EAAE,EAAE,0BAA0B,EAAE,KAAK,EAAE,WAAW,EAAE;QACtD,OAAO;QACP,EAAE,EAAE,EAAE,uCAAuC,EAAE,KAAK,EAAE,YAAY,EAAE;QACpE,aAAa;QACb,EAAE,EAAE,EAAE,oCAAoC,EAAE,KAAK,EAAE,YAAY,EAAE;QACjE,YAAY;QACZ,EAAE,EAAE,EAAE,kCAAkC,EAAE,KAAK,EAAE,eAAe,EAAE;QAClE,gCAAgC;QAChC,EAAE,EAAE,EAAE,+EAA+E,EAAE,KAAK,EAAE,YAAY,EAAE;QAC5G,eAAe;QACf,EAAE,EAAE,EAAE,gCAAgC,EAAE,KAAK,EAAE,oBAAoB,EAAE;QACrE,kBAAkB;QAClB,EAAE,EAAE,EAAE,wBAAwB,EAAE,KAAK,EAAE,aAAa,EAAE;QACtD,EAAE,EAAE,EAAE,wBAAwB,EAAE,KAAK,EAAE,aAAa,EAAE;QACtD,WAAW;QACX,EAAE,EAAE,EAAE,yBAAyB,EAAE,KAAK,EAAE,cAAc,EAAE;QACxD,EAAE,EAAE,EAAE,qCAAqC,EAAE,KAAK,EAAE,iBAAiB,EAAE;QACvE,qEAAqE;KACtE,CAAC;IAEF;;;;;OAKG;IACI,MAAM,CAAC,KAAU;QACtB,MAAM,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;QACzC,IAAI,WAAW,GAAG,KAAK,CAAC;QAExB,0DAA0D;QAC1D,MAAM,MAAM,GAAG,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI;YACxD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YACnC,CAAC,CAAC,KAAK,CAAC;QAEV,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;QAEjG,MAAM,OAAO,GAAG,CAAC,IAAS,EAAE,OAAgB,EAAO,EAAE;YACnD,wCAAwC;YACxC,IAAI,OAAO,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACxC,MAAM,aAAa,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;gBACjE,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACxD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,qBAAqB,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC;oBACtD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;oBACxB,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YAED,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,IAAI,IAAI,GAAG,IAAI,CAAC;gBAEhB,gBAAgB;gBAChB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,EAAE;oBACrD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,eAAe,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACjD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,2BAA2B;gBAC3B,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,EAAE;oBACpD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,eAAe,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACjD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,2BAA2B;gBAC3B,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,EAAE;oBACpD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,kBAAkB,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACpD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,yEAAyE;gBACzE,yEAAyE;gBACzE,2BAA2B;gBAC3B,KAAK,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,QAAQ,CAAC,kBAAkB,EAAE,CAAC;oBACxD,EAAE,CAAC,SAAS,GAAG,CAAC,CAAC;oBACjB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,EAAU,EAAE,EAAE;wBAC5C,WAAW,GAAG,IAAI,CAAC;wBACnB,MAAM,GAAG,GAAG,EAAE,IAAI,KAAK,CAAC;wBACxB,MAAM,KAAK,GAAG,IAAI,KAAK,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC;wBAC7C,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;wBACvB,OAAO,KAAK,CAAC;oBACf,CAAC,CAAC,CAAC;gBACL,CAAC;gBAED,0BAA0B;gBAC1B,IAAI,GAAG,IAAI,CAAC,OAAO,CACjB,qGAAqG,EACrG,CAAC,KAAK,EAAE,EAAE;oBACR,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,gBAAgB,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBAClD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CACF,CAAC;gBAEF,8CAA8C;gBAC9C,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;oBAC1D,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,qBAAqB,SAAS,CAAC,EAAE,CAAC,GAAG,CAAC;oBACpD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBACtB,OAAO,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;gBAClC,CAAC,CAAC,CAAC;gBAEH,sBAAsB;gBACtB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,KAAK,EAAE,EAAE;oBAC3D,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,iBAAiB,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACnD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,uBAAuB;gBACvB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,EAAE;oBACrD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,iBAAiB,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACnD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,OAAO,IAAI,CAAC;YACd,CAAC;YAED,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxB,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;YACzC,CAAC;YAED,IAAI,IAAI,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC9C,MAAM,GAAG,GAAQ,EAAE,CAAC;gBACpB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;oBAChD,GAAG,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACjC,CAAC;gBACD,OAAO,GAAG,CAAC;YACb,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;QAEF,MAAM,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;QAExC,OAAO;YACL,OAAO,EAAE,eAAe;YACxB,WAAW;YACX,MAAM;SACP,CAAC;IACJ,CAAC"}
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* OpenCode Plugin: Hush PII Guard
|
|
3
|
+
*
|
|
4
|
+
* 1. Blocks reads of sensitive files (`.env`, `*.pem`, `credentials.*`, etc.)
|
|
5
|
+
* before the tool executes — the AI model never sees the content.
|
|
6
|
+
* 2. Redacts PII (emails, IPs, secrets) from tool arguments before execution.
|
|
7
|
+
* 3. Redacts PII from tool outputs (built-in and MCP) after execution.
|
|
8
|
+
*
|
|
9
|
+
* Defense-in-depth: works alongside the Hush proxy which redacts PII from
|
|
10
|
+
* API requests. The plugin prevents file reads and scrubs tool I/O;
|
|
11
|
+
* the proxy catches anything that slips through.
|
|
12
|
+
*
|
|
13
|
+
* Install: copy to `.opencode/plugins/hush.ts` and add to `opencode.json`:
|
|
14
|
+
* { "plugin": [".opencode/plugins/hush.ts"] }
|
|
15
|
+
*/
|
|
16
|
+
export declare const HushPlugin: () => Promise<{
|
|
17
|
+
'tool.execute.before': (input: {
|
|
18
|
+
tool: string;
|
|
19
|
+
}, output: {
|
|
20
|
+
args: Record<string, string>;
|
|
21
|
+
}) => Promise<void>;
|
|
22
|
+
'tool.execute.after': (input: {
|
|
23
|
+
tool: string;
|
|
24
|
+
}, output: {
|
|
25
|
+
output?: string;
|
|
26
|
+
content?: Array<{
|
|
27
|
+
type: string;
|
|
28
|
+
text?: string;
|
|
29
|
+
}>;
|
|
30
|
+
}) => Promise<void>;
|
|
31
|
+
}>;
|
|
32
|
+
//# sourceMappingURL=opencode-hush.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"opencode-hush.d.ts","sourceRoot":"","sources":["../../src/plugins/opencode-hush.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAOH,eAAO,MAAM,UAAU;mCAEZ;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,UACf;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE;kCAsBjC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,UACf;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,IAAI,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE;EAsB/E,CAAC"}
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* OpenCode Plugin: Hush PII Guard
|
|
3
|
+
*
|
|
4
|
+
* 1. Blocks reads of sensitive files (`.env`, `*.pem`, `credentials.*`, etc.)
|
|
5
|
+
* before the tool executes — the AI model never sees the content.
|
|
6
|
+
* 2. Redacts PII (emails, IPs, secrets) from tool arguments before execution.
|
|
7
|
+
* 3. Redacts PII from tool outputs (built-in and MCP) after execution.
|
|
8
|
+
*
|
|
9
|
+
* Defense-in-depth: works alongside the Hush proxy which redacts PII from
|
|
10
|
+
* API requests. The plugin prevents file reads and scrubs tool I/O;
|
|
11
|
+
* the proxy catches anything that slips through.
|
|
12
|
+
*
|
|
13
|
+
* Install: copy to `.opencode/plugins/hush.ts` and add to `opencode.json`:
|
|
14
|
+
* { "plugin": [".opencode/plugins/hush.ts"] }
|
|
15
|
+
*/
|
|
16
|
+
import { isSensitivePath, commandReadsSensitiveFile } from './sensitive-patterns.js';
|
|
17
|
+
import { Redactor } from '../middleware/redactor.js';
|
|
18
|
+
const redactor = new Redactor();
|
|
19
|
+
export const HushPlugin = async () => ({
|
|
20
|
+
'tool.execute.before': async (input, output) => {
|
|
21
|
+
// Block sensitive file reads first (hard block — throws)
|
|
22
|
+
if (input.tool === 'read' && isSensitivePath(output.args['filePath'] ?? '')) {
|
|
23
|
+
throw new Error('[hush] Blocked: sensitive file');
|
|
24
|
+
}
|
|
25
|
+
if (input.tool === 'bash' && commandReadsSensitiveFile(output.args['command'] ?? '')) {
|
|
26
|
+
throw new Error('[hush] Blocked: command reads sensitive file');
|
|
27
|
+
}
|
|
28
|
+
// Redact PII from outbound tool arguments (in-place mutation)
|
|
29
|
+
const { content, hasRedacted } = redactor.redact(output.args);
|
|
30
|
+
if (hasRedacted) {
|
|
31
|
+
const redacted = content;
|
|
32
|
+
for (const key of Object.keys(redacted)) {
|
|
33
|
+
output.args[key] = redacted[key];
|
|
34
|
+
}
|
|
35
|
+
}
|
|
36
|
+
},
|
|
37
|
+
'tool.execute.after': async (input, output) => {
|
|
38
|
+
// Built-in tools: output is a string at output.output
|
|
39
|
+
if (typeof output.output === 'string') {
|
|
40
|
+
const { content, hasRedacted } = redactor.redact(output.output);
|
|
41
|
+
if (hasRedacted) {
|
|
42
|
+
output.output = content;
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
// MCP tools: output is content blocks at output.content
|
|
46
|
+
if (Array.isArray(output.content)) {
|
|
47
|
+
for (const block of output.content) {
|
|
48
|
+
if (block.type === 'text' && typeof block.text === 'string') {
|
|
49
|
+
const { content, hasRedacted } = redactor.redact(block.text);
|
|
50
|
+
if (hasRedacted) {
|
|
51
|
+
block.text = content;
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
}
|
|
55
|
+
}
|
|
56
|
+
},
|
|
57
|
+
});
|
|
58
|
+
//# sourceMappingURL=opencode-hush.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"opencode-hush.js","sourceRoot":"","sources":["../../src/plugins/opencode-hush.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,eAAe,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AACrF,OAAO,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAErD,MAAM,QAAQ,GAAG,IAAI,QAAQ,EAAE,CAAC;AAEhC,MAAM,CAAC,MAAM,UAAU,GAAG,KAAK,IAAI,EAAE,CAAC,CAAC;IACrC,qBAAqB,EAAE,KAAK,EAC1B,KAAuB,EACvB,MAAwC,EACxC,EAAE;QACF,yDAAyD;QACzD,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM,IAAI,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;YAC5E,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QAED,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM,IAAI,yBAAyB,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;YACrF,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAClE,CAAC;QAED,8DAA8D;QAC9D,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC9D,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,QAAQ,GAAG,OAAiC,CAAC;YACnD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACxC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAE,CAAC;YACpC,CAAC;QACH,CAAC;IACH,CAAC;IAED,oBAAoB,EAAE,KAAK,EACzB,KAAuB,EACvB,MAA6E,EAC7E,EAAE;QACF,sDAAsD;QACtD,IAAI,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAChE,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,CAAC,MAAM,GAAG,OAAiB,CAAC;YACpC,CAAC;QACH,CAAC;QAED,wDAAwD;QACxD,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YAClC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnC,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAC5D,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAC7D,IAAI,WAAW,EAAE,CAAC;wBAChB,KAAK,CAAC,IAAI,GAAG,OAAiB,CAAC;oBACjC,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;CACF,CAAC,CAAC"}
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shared helpers for detecting sensitive file paths and commands.
|
|
3
|
+
* Used by the OpenCode hush plugin to block reads of secret files.
|
|
4
|
+
*/
|
|
5
|
+
/**
|
|
6
|
+
* Check whether a file path points to a sensitive file.
|
|
7
|
+
* Matches against the basename only so absolute/relative paths both work.
|
|
8
|
+
*/
|
|
9
|
+
export declare function isSensitivePath(filePath: string): boolean;
|
|
10
|
+
/**
|
|
11
|
+
* Check whether a bash command reads a sensitive file.
|
|
12
|
+
* Looks for common read commands followed by a sensitive filename.
|
|
13
|
+
*/
|
|
14
|
+
export declare function commandReadsSensitiveFile(cmd: string): boolean;
|
|
15
|
+
//# sourceMappingURL=sensitive-patterns.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sensitive-patterns.d.ts","sourceRoot":"","sources":["../../src/plugins/sensitive-patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAmBH;;;GAGG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAGzD;AAUD;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CA2B9D"}
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shared helpers for detecting sensitive file paths and commands.
|
|
3
|
+
* Used by the OpenCode hush plugin to block reads of secret files.
|
|
4
|
+
*/
|
|
5
|
+
/** Glob-style patterns for files that should never be read by AI tools. */
|
|
6
|
+
const SENSITIVE_GLOBS = [
|
|
7
|
+
/^\.env($|\..*)/, // .env, .env.local, .env.production, etc.
|
|
8
|
+
/credentials/i,
|
|
9
|
+
/secret/i,
|
|
10
|
+
/\.pem$/,
|
|
11
|
+
/\.key$/,
|
|
12
|
+
/\.p12$/,
|
|
13
|
+
/\.pfx$/,
|
|
14
|
+
/\.jks$/,
|
|
15
|
+
/\.keystore$/,
|
|
16
|
+
/\.asc$/,
|
|
17
|
+
/^id_rsa/,
|
|
18
|
+
/^\.netrc$/,
|
|
19
|
+
/^\.pgpass$/,
|
|
20
|
+
];
|
|
21
|
+
/**
|
|
22
|
+
* Check whether a file path points to a sensitive file.
|
|
23
|
+
* Matches against the basename only so absolute/relative paths both work.
|
|
24
|
+
*/
|
|
25
|
+
export function isSensitivePath(filePath) {
|
|
26
|
+
const basename = (filePath.split('/').pop() ?? '').trim();
|
|
27
|
+
return SENSITIVE_GLOBS.some((re) => re.test(basename));
|
|
28
|
+
}
|
|
29
|
+
/** Commands that read file contents (includes batcat — Ubuntu symlink for bat). */
|
|
30
|
+
const READ_COMMANDS = /\b(cat|head|tail|less|more|bat|batcat)\b/;
|
|
31
|
+
/** Strip shell metacharacters that could wrap a filename to bypass detection. */
|
|
32
|
+
function stripShellMeta(token) {
|
|
33
|
+
return token.replace(/[`"'$(){}]/g, '');
|
|
34
|
+
}
|
|
35
|
+
/**
|
|
36
|
+
* Check whether a bash command reads a sensitive file.
|
|
37
|
+
* Looks for common read commands followed by a sensitive filename.
|
|
38
|
+
*/
|
|
39
|
+
export function commandReadsSensitiveFile(cmd) {
|
|
40
|
+
if (!READ_COMMANDS.test(cmd))
|
|
41
|
+
return false;
|
|
42
|
+
// Check input redirections: `cat <.env` or `cat < .env`
|
|
43
|
+
// The file after `<` is read by the preceding command.
|
|
44
|
+
const redirectPattern = /<\s*([^\s|;&<>]+)/g;
|
|
45
|
+
let rMatch;
|
|
46
|
+
while ((rMatch = redirectPattern.exec(cmd)) !== null) {
|
|
47
|
+
if (isSensitivePath(stripShellMeta(rMatch[1])))
|
|
48
|
+
return true;
|
|
49
|
+
}
|
|
50
|
+
// Split on pipes, semicolons, &&, and redirections to get individual commands
|
|
51
|
+
const parts = cmd.split(/[|;&<>]+/);
|
|
52
|
+
for (const part of parts) {
|
|
53
|
+
const tokens = part.trim().split(/\s+/);
|
|
54
|
+
const cmdIndex = tokens.findIndex((t) => READ_COMMANDS.test(t));
|
|
55
|
+
if (cmdIndex === -1)
|
|
56
|
+
continue;
|
|
57
|
+
// Check all tokens after the command for sensitive paths (skip flags).
|
|
58
|
+
for (let i = cmdIndex + 1; i < tokens.length; i++) {
|
|
59
|
+
const token = tokens[i];
|
|
60
|
+
if (token.startsWith('-'))
|
|
61
|
+
continue; // skip flags like -n, -5
|
|
62
|
+
const cleaned = stripShellMeta(token);
|
|
63
|
+
if (isSensitivePath(cleaned))
|
|
64
|
+
return true;
|
|
65
|
+
}
|
|
66
|
+
}
|
|
67
|
+
return false;
|
|
68
|
+
}
|
|
69
|
+
//# sourceMappingURL=sensitive-patterns.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sensitive-patterns.js","sourceRoot":"","sources":["../../src/plugins/sensitive-patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,2EAA2E;AAC3E,MAAM,eAAe,GAAG;IACtB,gBAAgB,EAAE,0CAA0C;IAC5D,cAAc;IACd,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,aAAa;IACb,QAAQ;IACR,SAAS;IACT,WAAW;IACX,YAAY;CACb,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB;IAC9C,MAAM,QAAQ,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,mFAAmF;AACnF,MAAM,aAAa,GAAG,0CAA0C,CAAC;AAEjE,iFAAiF;AACjF,SAAS,cAAc,CAAC,KAAa;IACnC,OAAO,KAAK,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;AAC1C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,yBAAyB,CAAC,GAAW;IACnD,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAE3C,wDAAwD;IACxD,uDAAuD;IACvD,MAAM,eAAe,GAAG,oBAAoB,CAAC;IAC7C,IAAI,MAAM,CAAC;IACX,OAAO,CAAC,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACrD,IAAI,eAAe,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAE,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IAC/D,CAAC;IAED,8EAA8E;IAC9E,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACxC,MAAM,QAAQ,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAChE,IAAI,QAAQ,KAAK,CAAC,CAAC;YAAE,SAAS;QAE9B,uEAAuE;QACvE,KAAK,IAAI,CAAC,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAClD,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAE,CAAC;YACzB,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS,CAAC,yBAAyB;YAC9D,MAAM,OAAO,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;YACtC,IAAI,eAAe,CAAC,OAAO,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC5C,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token-vault.d.ts","sourceRoot":"","sources":["../../src/vault/token-vault.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,KAAK,CAAgE;IAC7E,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;IAE7B;;OAEG;gBACS,KAAK,GAAE,MAAuB;IAI1C;;;;OAIG;IACI,UAAU,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI;IAQpD;;;;;OAKG;IACI,SAAS,CAAC,KAAK,EAAE,GAAG,GAAG,GAAG;IA0CjC;;;OAGG;IACI,yBAAyB,
|
|
1
|
+
{"version":3,"file":"token-vault.d.ts","sourceRoot":"","sources":["../../src/vault/token-vault.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,KAAK,CAAgE;IAC7E,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;IAE7B;;OAEG;gBACS,KAAK,GAAE,MAAuB;IAI1C;;;;OAIG;IACI,UAAU,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI;IAQpD;;;;;OAKG;IACI,SAAS,CAAC,KAAK,EAAE,GAAG,GAAG,GAAG;IA0CjC;;;OAGG;IACI,yBAAyB,KAwBtB,OAAO,MAAM,KAAG,MAAM;IAoHhC;;OAEG;IACH,OAAO,CAAC,KAAK;IASb;;;;;OAKG;IACI,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAK7C;;OAEG;IACI,KAAK,IAAI,IAAI;IAIpB;;OAEG;IACH,IAAW,IAAI,IAAI,MAAM,CAExB;CACF"}
|