@aictrl/hush 0.1.6 → 0.1.8

package/src/commands/init.ts

@@ -0,0 +1,186 @@
+/**
+ * hush init — Generate hook configuration for Claude Code or Gemini CLI
+ *
+ * Usage:
+ *   hush init --hooks           Write to .claude/settings.json
+ *   hush init --hooks --local   Write to .claude/settings.local.json
+ *   hush init --hooks --gemini  Write to .gemini/settings.json
+ *   hush init --hooks --gemini --local  Write to .gemini/settings.local.json
+ */
+
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'fs';
+import { join } from 'path';
+
+const HUSH_HOOK = {
+  type: 'command' as const,
+  command: 'hush redact-hook',
+  timeout: 10,
+};
+
+const CLAUDE_HOOK_CONFIG = {
+  hooks: {
+    PreToolUse: [
+      {
+        matcher: 'mcp__.*',
+        hooks: [HUSH_HOOK],
+      },
+    ],
+    PostToolUse: [
+      {
+        matcher: 'Bash|Read|Grep|WebFetch',
+        hooks: [HUSH_HOOK],
+      },
+      {
+        matcher: 'mcp__.*',
+        hooks: [HUSH_HOOK],
+      },
+    ],
+  },
+};
+
+const GEMINI_HOOK_CONFIG = {
+  hooks: {
+    BeforeTool: [
+      {
+        matcher: 'mcp__.*',
+        hooks: [HUSH_HOOK],
+      },
+    ],
+    AfterTool: [
+      {
+        matcher: 'run_shell_command|read_file|read_many_files|search_file_content|web_fetch',
+        hooks: [HUSH_HOOK],
+      },
+      {
+        matcher: 'mcp__.*',
+        hooks: [HUSH_HOOK],
+      },
+    ],
+  },
+};
+
+interface HookEntry {
+  matcher: string;
+  hooks: Array<{ type: string; command: string; timeout?: number }>;
+}
+
+interface SettingsJson {
+  hooks?: {
+    PreToolUse?: HookEntry[];
+    PostToolUse?: HookEntry[];
+    BeforeTool?: HookEntry[];
+    AfterTool?: HookEntry[];
+    [key: string]: unknown;
+  };
+  [key: string]: unknown;
+}
+
+interface HookConfig {
+  hooks: Record<string, HookEntry[]>;
+}
+
+function hasHushHookInEntries(entries: HookEntry[] | undefined): boolean {
+  if (!Array.isArray(entries)) return false;
+  return entries.some((entry) =>
+    entry.hooks?.some((h) => h.command?.includes('hush redact-hook')),
+  );
+}
+
+function hasHushHookClaude(settings: SettingsJson): boolean {
+  return (
+    hasHushHookInEntries(settings.hooks?.PreToolUse) &&
+    hasHushHookInEntries(settings.hooks?.PostToolUse)
+  );
+}
+
+function hasHushHookGemini(settings: SettingsJson): boolean {
+  return (
+    hasHushHookInEntries(settings.hooks?.BeforeTool) &&
+    hasHushHookInEntries(settings.hooks?.AfterTool)
+  );
+}
+
+function mergeHookEntries(
+  existing: HookEntry[] | undefined,
+  newEntries: HookEntry[],
+): HookEntry[] {
+  const merged = Array.isArray(existing) ? [...existing] : [];
+
+  for (const entry of newEntries) {
+    const alreadyHas = merged.some(
+      (e) =>
+        e.matcher === entry.matcher &&
+        e.hooks?.some((h) => h.command?.includes('hush redact-hook')),
+    );
+    if (!alreadyHas) {
+      merged.push(entry);
+    }
+  }
+
+  return merged;
+}
+
+function mergeHooks(existing: SettingsJson, hookConfig: HookConfig): SettingsJson {
+  const merged = { ...existing };
+
+  if (!merged.hooks) {
+    merged.hooks = {};
+  }
+
+  for (const [eventName, entries] of Object.entries(hookConfig.hooks)) {
+    const existingEntries = merged.hooks[eventName] as HookEntry[] | undefined;
+    merged.hooks[eventName] = mergeHookEntries(existingEntries, entries);
+  }
+
+  return merged;
+}
+
+export function run(args: string[]): void {
+  const hasHooksFlag = args.includes('--hooks');
+  const isLocal = args.includes('--local');
+  const isGemini = args.includes('--gemini');
+
+  if (!hasHooksFlag) {
+    process.stderr.write('Usage: hush init --hooks [--local] [--gemini]\n');
+    process.stderr.write('\n');
+    process.stderr.write('Options:\n');
+    process.stderr.write('  --hooks   Generate hook config (PreToolUse + PostToolUse or BeforeTool + AfterTool)\n');
+    process.stderr.write('  --local   Write to settings.local.json instead of settings.json\n');
+    process.stderr.write('  --gemini  Write Gemini CLI hooks instead of Claude Code hooks\n');
+    process.exit(1);
+  }
+
+  const dirName = isGemini ? '.gemini' : '.claude';
+  const configDir = join(process.cwd(), dirName);
+  const filename = isLocal ? 'settings.local.json' : 'settings.json';
+  const filePath = join(configDir, filename);
+
+  // Ensure config dir exists
+  if (!existsSync(configDir)) {
+    mkdirSync(configDir, { recursive: true });
+  }
+
+  // Read existing settings or start fresh
+  let settings: SettingsJson = {};
+  if (existsSync(filePath)) {
+    try {
+      const raw = readFileSync(filePath, 'utf-8');
+      settings = JSON.parse(raw) as SettingsJson;
+    } catch {
+      process.stderr.write(`Warning: could not parse ${filePath}, starting fresh\n`);
+    }
+  }
+
+  // Idempotency check
+  const hookConfig = isGemini ? GEMINI_HOOK_CONFIG : CLAUDE_HOOK_CONFIG;
+  const hasHook = isGemini ? hasHushHookGemini : hasHushHookClaude;
+
+  if (hasHook(settings)) {
+    process.stdout.write(`hush hooks already configured in ${filePath}\n`);
+    return;
+  }
+
+  const merged = mergeHooks(settings, hookConfig);
+  writeFileSync(filePath, JSON.stringify(merged, null, 2) + '\n');
+  process.stdout.write(`Wrote hush hooks config to ${filePath}\n`);
+}

package/src/commands/redact-hook.ts

@@ -0,0 +1,297 @@
+/**
+ * hush redact-hook — Hook handler for Claude Code and Gemini CLI
+ *
+ * Reads the hook payload from stdin, redacts PII, and returns the
+ * appropriate response format depending on the hook event type:
+ *
+ *   Claude Code:
+ *     PreToolUse  — redacts outbound MCP tool arguments (updatedInput)
+ *     PostToolUse — redacts inbound MCP tool results  (updatedMCPToolOutput)
+ *                   or blocks built-in tool output     (decision: "block")
+ *
+ *   Gemini CLI:
+ *     BeforeTool  — redacts outbound MCP tool arguments (hookSpecificOutput.tool_input)
+ *     AfterTool   — redacts inbound tool results        (decision: "deny")
+ *
+ * Exit codes:
+ *   0 — success (may or may not redact)
+ *   2 — malformed input (blocks the tool call per hooks spec)
+ */
+
+import { Redactor } from '../middleware/redactor.js';
+
+interface MCPContentBlock {
+  type: string;
+  text?: string;
+  [key: string]: unknown;
+}
+
+interface HookPayload {
+  hook_event_name?: 'PreToolUse' | 'PostToolUse' | 'BeforeTool' | 'AfterTool';
+  tool_name?: string;
+  tool_input?: Record<string, unknown>;
+  tool_response?: {
+    // Bash tool
+    stdout?: string;
+    stderr?: string;
+    // Read tool (nested under file)
+    file?: { content?: string; [key: string]: unknown };
+    // Grep / WebFetch / generic
+    content?: string | MCPContentBlock[];
+    output?: string;
+    [key: string]: unknown;
+  };
+}
+
+/** Collect all text from a built-in tool_response object. */
+function extractText(toolResponse: HookPayload['tool_response']): string | null {
+  if (!toolResponse || typeof toolResponse !== 'object') return null;
+
+  const parts: string[] = [];
+
+  if (typeof toolResponse.stdout === 'string' && toolResponse.stdout) {
+    parts.push(toolResponse.stdout);
+  }
+  if (typeof toolResponse.stderr === 'string' && toolResponse.stderr) {
+    parts.push(toolResponse.stderr);
+  }
+  // Read tool nests content under file.content
+  if (toolResponse.file && typeof toolResponse.file.content === 'string' && toolResponse.file.content) {
+    parts.push(toolResponse.file.content);
+  }
+  if (typeof toolResponse.content === 'string' && toolResponse.content) {
+    parts.push(toolResponse.content);
+  }
+  if (typeof toolResponse.output === 'string' && toolResponse.output) {
+    parts.push(toolResponse.output);
+  }
+
+  return parts.length > 0 ? parts.join('\n') : null;
+}
+
+// ── Shared helpers ──────────────────────────────────────────────────────
+
+/**
+ * Redact PII from tool_input and format the response.
+ * Shared by PreToolUse (Claude) and BeforeTool (Gemini).
+ */
+function redactToolInput(
+  payload: HookPayload,
+  redactor: Redactor,
+  formatResponse: (redactedInput: Record<string, unknown>) => object,
+): void {
+  if (!payload.tool_input || typeof payload.tool_input !== 'object') {
+    process.exit(0);
+  }
+
+  const { content, hasRedacted } = redactor.redact(payload.tool_input);
+
+  if (!hasRedacted) {
+    process.exit(0);
+  }
+
+  const response = formatResponse(content as Record<string, unknown>);
+  process.stdout.write(JSON.stringify(response) + '\n');
+  process.exit(0);
+}
+
+/**
+ * Redact PII from a built-in tool response and format the response.
+ * Shared by PostToolUse (Claude, decision:"block") and AfterTool (Gemini, decision:"deny").
+ */
+function redactBuiltinResponse(
+  payload: HookPayload,
+  redactor: Redactor,
+  decision: 'block' | 'deny',
+): void {
+  if (!payload.tool_response) {
+    process.exit(0);
+  }
+
+  const text = extractText(payload.tool_response);
+  if (!text) {
+    process.exit(0);
+  }
+
+  const { content, hasRedacted } = redactor.redact(text);
+  if (!hasRedacted) {
+    process.exit(0);
+  }
+
+  const response = {
+    decision,
+    reason: content as string,
+  };
+
+  process.stdout.write(JSON.stringify(response) + '\n');
+  process.exit(0);
+}
+
+// ── Claude Code handlers ────────────────────────────────────────────────
+
+/** Handle PreToolUse — redact outbound MCP tool arguments. */
+function handlePreToolUse(payload: HookPayload, redactor: Redactor): void {
+  redactToolInput(payload, redactor, (redactedInput) => ({
+    hookSpecificOutput: {
+      hookEventName: 'PreToolUse',
+      permissionDecision: 'allow',
+      updatedInput: redactedInput,
+    },
+  }));
+}
+
+/** Handle PostToolUse for MCP tools — redact inbound content blocks. */
+function handlePostToolUseMCP(payload: HookPayload, redactor: Redactor): void {
+  const toolResponse = payload.tool_response;
+  if (!toolResponse || typeof toolResponse !== 'object') {
+    process.exit(0);
+  }
+
+  const contentArray = toolResponse.content;
+  if (!Array.isArray(contentArray)) {
+    process.exit(0);
+  }
+
+  const { content: redactedArray, hasRedacted } = redactor.redact(contentArray);
+
+  if (!hasRedacted) {
+    process.exit(0);
+  }
+
+  const response = {
+    updatedMCPToolOutput: {
+      content: redactedArray,
+    },
+  };
+
+  process.stdout.write(JSON.stringify(response) + '\n');
+  process.exit(0);
+}
+
+/** Handle PostToolUse for built-in tools — decision: "block". */
+function handlePostToolUseBuiltin(payload: HookPayload, redactor: Redactor): void {
+  redactBuiltinResponse(payload, redactor, 'block');
+}
+
+// ── Gemini CLI handlers ─────────────────────────────────────────────────
+
+/** Handle BeforeTool — redact outbound MCP tool arguments (Gemini format). */
+function handleBeforeTool(payload: HookPayload, redactor: Redactor): void {
+  redactToolInput(payload, redactor, (redactedInput) => ({
+    hookSpecificOutput: {
+      tool_input: redactedInput,
+    },
+  }));
+}
+
+/** Handle AfterTool for MCP tools — redact content array, flatten to deny/reason. */
+function handleAfterToolMCP(payload: HookPayload, redactor: Redactor): void {
+  const toolResponse = payload.tool_response;
+  if (!toolResponse || typeof toolResponse !== 'object') {
+    process.exit(0);
+  }
+
+  const contentArray = toolResponse.content;
+  if (!Array.isArray(contentArray)) {
+    process.exit(0);
+  }
+
+  const { content: redactedArray, hasRedacted } = redactor.redact(contentArray);
+
+  if (!hasRedacted) {
+    process.exit(0);
+  }
+
+  // Flatten content blocks to a single text for Gemini's deny/reason format
+  const textParts = (redactedArray as MCPContentBlock[])
+    .filter((b) => typeof b.text === 'string')
+    .map((b) => b.text as string);
+
+  const response = {
+    decision: 'deny' as const,
+    reason: textParts.join('\n'),
+  };
+
+  process.stdout.write(JSON.stringify(response) + '\n');
+  process.exit(0);
+}
+
+/** Handle AfterTool for built-in tools — decision: "deny". */
+function handleAfterToolBuiltin(payload: HookPayload, redactor: Redactor): void {
+  redactBuiltinResponse(payload, redactor, 'deny');
+}
+
+// ── Utilities ───────────────────────────────────────────────────────────
+
+function isMCPTool(toolName?: string): boolean {
+  return typeof toolName === 'string' && toolName.startsWith('mcp__');
+}
+
+function readStdin(): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const chunks: Buffer[] = [];
+    process.stdin.on('data', (chunk: Buffer) => chunks.push(chunk));
+    process.stdin.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8')));
+    process.stdin.on('error', reject);
+  });
+}
+
+// ── Entry point ─────────────────────────────────────────────────────────
+
+export async function run(): Promise<void> {
+  let raw: string;
+  try {
+    raw = await readStdin();
+  } catch {
+    process.stderr.write('hush redact-hook: failed to read stdin\n');
+    process.exit(2);
+  }
+
+  if (!raw.trim()) {
+    process.exit(0);
+  }
+
+  let payload: HookPayload;
+  try {
+    payload = JSON.parse(raw) as HookPayload;
+  } catch {
+    process.stderr.write('hush redact-hook: invalid JSON on stdin\n');
+    process.exit(2);
+  }
+
+  const redactor = new Redactor();
+  const eventName = payload.hook_event_name;
+
+  // Claude Code events
+  if (eventName === 'PreToolUse') {
+    handlePreToolUse(payload, redactor);
+    return;
+  }
+
+  if (eventName === 'PostToolUse') {
+    if (isMCPTool(payload.tool_name)) {
+      handlePostToolUseMCP(payload, redactor);
+    } else {
+      handlePostToolUseBuiltin(payload, redactor);
+    }
+    return;
+  }
+
+  // Gemini CLI events
+  if (eventName === 'BeforeTool') {
+    handleBeforeTool(payload, redactor);
+    return;
+  }
+
+  if (eventName === 'AfterTool') {
+    if (isMCPTool(payload.tool_name)) {
+      handleAfterToolMCP(payload, redactor);
+    } else {
+      handleAfterToolBuiltin(payload, redactor);
+    }
+    return;
+  }
+
+  // Backward compat: no hook_event_name → treat as PostToolUse built-in
+  handlePostToolUseBuiltin(payload, redactor);
+}

package/src/index.ts

@@ -105,7 +105,7 @@ async function proxyRequest(
       method: req.method,
       headers: fetchHeaders,
       body: hasBody ? JSON.stringify(redactedBody) : undefined,
-      signal: AbortSignal.timeout(30000), // 30s timeout
+      signal: AbortSignal.timeout(120000), // 120s timeout for long LLM responses
     });
 
     // Handle Upstream Errors (4xx, 5xx)
@@ -159,7 +159,12 @@ async function proxyRequest(
 
   } catch (error) {
     log.error({ err: error, path: req.path }, 'Failed to forward request');
-    res.status(500).json({ error: 'Gateway forwarding failed' });
+    if (!res.headersSent) {
+      res.status(502).json({ error: 'Gateway forwarding failed' });
+    } else {
+      // Headers already sent (streaming in progress) — just end the response
+      res.end();
+    }
   }
 }
 

package/src/middleware/redactor.ts

@@ -46,6 +46,56 @@ export class Redactor {
     PHONE: /(?:^|[\s:;])(?:\+\d{1,3}[-. ]?)?\(?\d{2,4}\)?[-. ]\d{3,4}[-. ]\d{3,4}(?:\s*(?:ext|x)\s*\d+)?/g,
   };
 
+  /**
+   * Cloud provider key patterns — Tier 1 only (unique prefixes, very low false-positive risk).
+   * Sources: GitHub secret scanning, gitleaks, trufflehog.
+   */
+  private static readonly CLOUD_KEY_PATTERNS: Array<{ re: RegExp; label: string }> = [
+    // AWS
+    { re: /\b((?:AKIA|ASIA|ABIA|ACCA)[A-Z2-7]{16})\b/g, label: 'AWS_KEY' },
+    // GCP / Firebase
+    { re: /\b(AIza[\w-]{35})\b/g, label: 'GCP_KEY' },
+    { re: /\b(GOCSPX-[a-zA-Z0-9_-]{28})\b/g, label: 'GCP_OAUTH' },
+    // GitHub
+    { re: /\b(ghp_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_PAT' },
+    { re: /\b(gho_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_OAUTH' },
+    { re: /\b(ghu_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_U2S' },
+    { re: /\b(ghs_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_S2S' },
+    { re: /\b(ghr_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_REFRESH' },
+    { re: /\b(github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59})\b/g, label: 'GITHUB_FINE_PAT' },
+    // GitLab
+    { re: /\b(glpat-[\w-]{20})\b/g, label: 'GITLAB_PAT' },
+    { re: /\b(glptt-[a-zA-Z0-9_-]{40})\b/g, label: 'GITLAB_TRIGGER' },
+    // Slack
+    { re: /\b(xoxb-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*)\b/g, label: 'SLACK_BOT' },
+    { re: /\b(xox[pe]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9-]+)\b/g, label: 'SLACK_TOKEN' },
+    // Stripe
+    { re: /\b(sk_(?:live|test)_[a-zA-Z0-9]{10,99})\b/g, label: 'STRIPE_SECRET' },
+    { re: /\b(rk_(?:live|test)_[a-zA-Z0-9]{10,99})\b/g, label: 'STRIPE_RESTRICTED' },
+    { re: /\b(whsec_[a-zA-Z0-9]{24,})\b/g, label: 'STRIPE_WEBHOOK' },
+    // SendGrid (SG. + base64url with internal dot separator)
+    { re: /\b(SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43})\b/g, label: 'SENDGRID_KEY' },
+    // npm
+    { re: /\b(npm_[a-z0-9]{36})\b/gi, label: 'NPM_TOKEN' },
+    // PyPI
+    { re: /\b(pypi-AgEIcHlwaS5vcmc[\w-]{50,})\b/g, label: 'PYPI_TOKEN' },
+    // Docker Hub
+    { re: /\b(dckr_pat_[a-zA-Z0-9_-]{27,})\b/g, label: 'DOCKER_PAT' },
+    // Anthropic
+    { re: /\b(sk-ant-[a-zA-Z0-9_-]{36,})\b/g, label: 'ANTHROPIC_KEY' },
+    // OpenAI (with T3BlbkFJ marker)
+    { re: /\b(sk-(?:proj|svcacct|admin)-[A-Za-z0-9_-]{20,}T3BlbkFJ[A-Za-z0-9_-]{20,})\b/g, label: 'OPENAI_KEY' },
+    // DigitalOcean
+    { re: /\b(do[por]_v1_[a-f0-9]{64})\b/g, label: 'DIGITALOCEAN_TOKEN' },
+    // HashiCorp Vault
+    { re: /\b(hvs\.[\w-]{90,})\b/g, label: 'VAULT_TOKEN' },
+    { re: /\b(hvb\.[\w-]{90,})\b/g, label: 'VAULT_BATCH' },
+    // Supabase
+    { re: /\b(sbp_[a-f0-9]{40})\b/g, label: 'SUPABASE_PAT' },
+    { re: /\b(sb_secret_[a-zA-Z0-9_-]{20,})\b/g, label: 'SUPABASE_SECRET' },
+    // PEM private keys (multiline — matched separately in redactPEMKeys)
+  ];
+
   /**
    * Redact sensitive information from a JSON object or string.
    * 
@@ -102,6 +152,31 @@ export class Redactor {
           return token;
         });
 
+        // Redact cloud provider keys BEFORE generic patterns — specific prefixed
+        // keys must be matched first so they don't get partially eaten by SECRET
+        // or CREDIT_CARD patterns.
+        for (const { re, label } of Redactor.CLOUD_KEY_PATTERNS) {
+          re.lastIndex = 0;
+          text = text.replace(re, (match, p1: string) => {
+            hasRedacted = true;
+            const val = p1 || match;
+            const token = `[${label}_${tokenHash(val)}]`;
+            tokens.set(token, val);
+            return token;
+          });
+        }
+
+        // Redact PEM private keys
+        text = text.replace(
+          /-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY-----[\s\S]{64,}?-----END[ A-Z0-9_-]{0,100}PRIVATE KEY-----/g,
+          (match) => {
+            hasRedacted = true;
+            const token = `[PRIVATE_KEY_${tokenHash(match)}]`;
+            tokens.set(token, match);
+            return token;
+          },
+        );
+
         // Redact Secrets in text (e.g. "api_key=...")
         text = text.replace(Redactor.PATTERNS.SECRET, (match, p1) => {
           hasRedacted = true;

package/src/plugins/opencode-hush.ts

@@ -0,0 +1,70 @@
+/**
+ * OpenCode Plugin: Hush PII Guard
+ *
+ * 1. Blocks reads of sensitive files (`.env`, `*.pem`, `credentials.*`, etc.)
+ *    before the tool executes — the AI model never sees the content.
+ * 2. Redacts PII (emails, IPs, secrets) from tool arguments before execution.
+ * 3. Redacts PII from tool outputs (built-in and MCP) after execution.
+ *
+ * Defense-in-depth: works alongside the Hush proxy which redacts PII from
+ * API requests. The plugin prevents file reads and scrubs tool I/O;
+ * the proxy catches anything that slips through.
+ *
+ * Install: copy to `.opencode/plugins/hush.ts` and add to `opencode.json`:
+ *   { "plugin": [".opencode/plugins/hush.ts"] }
+ */
+
+import { isSensitivePath, commandReadsSensitiveFile } from './sensitive-patterns.js';
+import { Redactor } from '../middleware/redactor.js';
+
+const redactor = new Redactor();
+
+export const HushPlugin = async () => ({
+  'tool.execute.before': async (
+    input: { tool: string },
+    output: { args: Record<string, string> },
+  ) => {
+    // Block sensitive file reads first (hard block — throws)
+    if (input.tool === 'read' && isSensitivePath(output.args['filePath'] ?? '')) {
+      throw new Error('[hush] Blocked: sensitive file');
+    }
+
+    if (input.tool === 'bash' && commandReadsSensitiveFile(output.args['command'] ?? '')) {
+      throw new Error('[hush] Blocked: command reads sensitive file');
+    }
+
+    // Redact PII from outbound tool arguments (in-place mutation)
+    const { content, hasRedacted } = redactor.redact(output.args);
+    if (hasRedacted) {
+      const redacted = content as Record<string, string>;
+      for (const key of Object.keys(redacted)) {
+        output.args[key] = redacted[key]!;
+      }
+    }
+  },
+
+  'tool.execute.after': async (
+    input: { tool: string },
+    output: { output?: string; content?: Array<{ type: string; text?: string }> },
+  ) => {
+    // Built-in tools: output is a string at output.output
+    if (typeof output.output === 'string') {
+      const { content, hasRedacted } = redactor.redact(output.output);
+      if (hasRedacted) {
+        output.output = content as string;
+      }
+    }
+
+    // MCP tools: output is content blocks at output.content
+    if (Array.isArray(output.content)) {
+      for (const block of output.content) {
+        if (block.type === 'text' && typeof block.text === 'string') {
+          const { content, hasRedacted } = redactor.redact(block.text);
+          if (hasRedacted) {
+            block.text = content as string;
+          }
+        }
+      }
+    }
+  },
+});