@aictrl/hush 0.1.6 → 0.1.8

package/src/plugins/sensitive-patterns.ts

@@ -0,0 +1,71 @@
+/**
+ * Shared helpers for detecting sensitive file paths and commands.
+ * Used by the OpenCode hush plugin to block reads of secret files.
+ */
+
+/** Glob-style patterns for files that should never be read by AI tools. */
+const SENSITIVE_GLOBS = [
+  /^\.env($|\..*)/, // .env, .env.local, .env.production, etc.
+  /credentials/i,
+  /secret/i,
+  /\.pem$/,
+  /\.key$/,
+  /\.p12$/,
+  /\.pfx$/,
+  /\.jks$/,
+  /\.keystore$/,
+  /\.asc$/,
+  /^id_rsa/,
+  /^\.netrc$/,
+  /^\.pgpass$/,
+];
+
+/**
+ * Check whether a file path points to a sensitive file.
+ * Matches against the basename only so absolute/relative paths both work.
+ */
+export function isSensitivePath(filePath: string): boolean {
+  const basename = (filePath.split('/').pop() ?? '').trim();
+  return SENSITIVE_GLOBS.some((re) => re.test(basename));
+}
+
+/** Commands that read file contents (includes batcat — Ubuntu symlink for bat). */
+const READ_COMMANDS = /\b(cat|head|tail|less|more|bat|batcat)\b/;
+
+/** Strip shell metacharacters that could wrap a filename to bypass detection. */
+function stripShellMeta(token: string): string {
+  return token.replace(/[`"'$(){}]/g, '');
+}
+
+/**
+ * Check whether a bash command reads a sensitive file.
+ * Looks for common read commands followed by a sensitive filename.
+ */
+export function commandReadsSensitiveFile(cmd: string): boolean {
+  if (!READ_COMMANDS.test(cmd)) return false;
+
+  // Check input redirections: `cat <.env` or `cat < .env`
+  // The file after `<` is read by the preceding command.
+  const redirectPattern = /<\s*([^\s|;&<>]+)/g;
+  let rMatch;
+  while ((rMatch = redirectPattern.exec(cmd)) !== null) {
+    if (isSensitivePath(stripShellMeta(rMatch[1]!))) return true;
+  }
+
+  // Split on pipes, semicolons, &&, and redirections to get individual commands
+  const parts = cmd.split(/[|;&<>]+/);
+  for (const part of parts) {
+    const tokens = part.trim().split(/\s+/);
+    const cmdIndex = tokens.findIndex((t) => READ_COMMANDS.test(t));
+    if (cmdIndex === -1) continue;
+
+    // Check all tokens after the command for sensitive paths (skip flags).
+    for (let i = cmdIndex + 1; i < tokens.length; i++) {
+      const token = tokens[i]!;
+      if (token.startsWith('-')) continue; // skip flags like -n, -5
+      const cleaned = stripShellMeta(token);
+      if (isSensitivePath(cleaned)) return true;
+    }
+  }
+  return false;
+}

package/src/vault/token-vault.ts

@@ -88,7 +88,9 @@ export class TokenVault {
     let buffer = '';
     const maxTokenLen = Math.max(...[...this.vault.keys()].map(t => t.length), 0);
 
-    // Accumulate content fields across SSE events to reassemble split tokens
+    // Accumulate content fields across SSE events to reassemble split tokens.
+    // Cap buffer size to prevent unbounded memory growth on very long streams.
+    const MAX_BUFFER_SIZE = 1024 * 1024; // 1 MB per field
     const contentBuffers: Record<string, string> = {};
     const CONTENT_FIELDS = ['content', 'reasoning_content', 'partial_json'];
 
@@ -186,11 +188,23 @@ export class TokenVault {
           const bufKey = actualField;
           contentBuffers[bufKey] = (contentBuffers[bufKey] || '') + target[actualField];
 
-          const buf = contentBuffers[bufKey];
+          // Cap buffer size: flush everything if it grows too large
+          if (contentBuffers[bufKey]!.length > MAX_BUFFER_SIZE) {
+            target[actualField] = flushField(bufKey);
+            modified = true;
+            continue;
+          }
+
+          const buf = contentBuffers[bufKey]!;
           const lastBracket = buf.lastIndexOf('[');
+          // Only treat as partial token if the text after '[' looks like a
+          // token prefix (uppercase letter or underscore), not JSON array content.
+          // Also hold back a bare '[' at the end — not enough chars yet to decide.
+          const tail = lastBracket >= 0 ? buf.substring(lastBracket) : '';
           const hasPartialToken = maxTokenLen > 0 && lastBracket >= 0 &&
-            !buf.substring(lastBracket).includes(']') &&
-            buf.length - lastBracket < maxTokenLen;
+            !tail.includes(']') &&
+            buf.length - lastBracket < maxTokenLen &&
+            (tail === '[' || /^\[[A-Z_]/.test(tail));
 
           if (hasPartialToken) {
             const safe = buf.substring(0, lastBracket);

package/tests/init.test.ts

@@ -0,0 +1,255 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { mkdtempSync, readFileSync, writeFileSync, mkdirSync, existsSync, rmSync } from 'fs';
+import { join } from 'path';
+import { execFileSync } from 'child_process';
+import { tmpdir } from 'os';
+
+const CLI = join(__dirname, '..', 'dist', 'cli.js');
+
+function runInit(cwd: string, ...extraArgs: string[]): { stdout: string; stderr: string; exitCode: number } {
+  try {
+    const stdout = execFileSync('node', [CLI, 'init', '--hooks', ...extraArgs], {
+      encoding: 'utf-8',
+      cwd,
+      timeout: 5000,
+    });
+    return { stdout, stderr: '', exitCode: 0 };
+  } catch (err: any) {
+    return {
+      stdout: err.stdout ?? '',
+      stderr: err.stderr ?? '',
+      exitCode: err.status ?? 1,
+    };
+  }
+}
+
+describe('hush init --hooks', () => {
+  let tmpDir: string;
+
+  beforeEach(() => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'hush-init-'));
+  });
+
+  afterEach(() => {
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it('should create .claude/settings.json with both PreToolUse and PostToolUse', () => {
+    const { stdout, exitCode } = runInit(tmpDir);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain('Wrote hush hooks config');
+
+    const settings = JSON.parse(readFileSync(join(tmpDir, '.claude', 'settings.json'), 'utf-8'));
+
+    // PreToolUse
+    expect(settings.hooks.PreToolUse).toHaveLength(1);
+    expect(settings.hooks.PreToolUse[0].matcher).toBe('mcp__.*');
+    expect(settings.hooks.PreToolUse[0].hooks[0].command).toBe('hush redact-hook');
+
+    // PostToolUse
+    expect(settings.hooks.PostToolUse).toHaveLength(2);
+    expect(settings.hooks.PostToolUse[0].matcher).toBe('Bash|Read|Grep|WebFetch');
+    expect(settings.hooks.PostToolUse[0].hooks[0].command).toBe('hush redact-hook');
+    expect(settings.hooks.PostToolUse[1].matcher).toBe('mcp__.*');
+    expect(settings.hooks.PostToolUse[1].hooks[0].command).toBe('hush redact-hook');
+  });
+
+  it('should merge into existing settings preserving other keys', () => {
+    const claudeDir = join(tmpDir, '.claude');
+    mkdirSync(claudeDir, { recursive: true });
+    writeFileSync(
+      join(claudeDir, 'settings.json'),
+      JSON.stringify({ env: { ANTHROPIC_BASE_URL: 'http://127.0.0.1:4000' } }, null, 2),
+    );
+
+    const { exitCode } = runInit(tmpDir);
+    expect(exitCode).toBe(0);
+
+    const settings = JSON.parse(readFileSync(join(claudeDir, 'settings.json'), 'utf-8'));
+    // Preserved existing env
+    expect(settings.env.ANTHROPIC_BASE_URL).toBe('http://127.0.0.1:4000');
+    // Added both hook types
+    expect(settings.hooks.PreToolUse).toHaveLength(1);
+    expect(settings.hooks.PostToolUse).toHaveLength(2);
+    expect(settings.hooks.PostToolUse[0].hooks[0].command).toBe('hush redact-hook');
+  });
+
+  it('should be idempotent on re-run', () => {
+    runInit(tmpDir);
+    const { stdout, exitCode } = runInit(tmpDir);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain('already configured');
+
+    const settings = JSON.parse(readFileSync(join(tmpDir, '.claude', 'settings.json'), 'utf-8'));
+    expect(settings.hooks.PreToolUse).toHaveLength(1);  // Not duplicated
+    expect(settings.hooks.PostToolUse).toHaveLength(2); // Not duplicated
+  });
+
+  it('should write to settings.local.json with --local flag', () => {
+    const { stdout, exitCode } = runInit(tmpDir, '--local');
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain('settings.local.json');
+
+    const localPath = join(tmpDir, '.claude', 'settings.local.json');
+    expect(existsSync(localPath)).toBe(true);
+
+    const settings = JSON.parse(readFileSync(localPath, 'utf-8'));
+    expect(settings.hooks.PreToolUse[0].hooks[0].command).toBe('hush redact-hook');
+    expect(settings.hooks.PostToolUse[0].hooks[0].command).toBe('hush redact-hook');
+  });
+
+  it('should show usage without --hooks flag', () => {
+    try {
+      execFileSync('node', [CLI, 'init'], {
+        encoding: 'utf-8',
+        cwd: tmpDir,
+        timeout: 5000,
+      });
+    } catch (err: any) {
+      expect(err.status).toBe(1);
+      expect(err.stderr).toContain('Usage');
+    }
+  });
+
+  it('should upgrade old PostToolUse-only config by adding PreToolUse', () => {
+    const claudeDir = join(tmpDir, '.claude');
+    mkdirSync(claudeDir, { recursive: true });
+
+    // Simulate old config with only PostToolUse
+    const oldConfig = {
+      hooks: {
+        PostToolUse: [
+          {
+            matcher: 'Bash|Read|Grep|WebFetch',
+            hooks: [{ type: 'command', command: 'hush redact-hook', timeout: 10 }],
+          },
+        ],
+      },
+    };
+    writeFileSync(join(claudeDir, 'settings.json'), JSON.stringify(oldConfig, null, 2));
+
+    const { stdout, exitCode } = runInit(tmpDir);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain('Wrote hush hooks config');
+
+    const settings = JSON.parse(readFileSync(join(claudeDir, 'settings.json'), 'utf-8'));
+
+    // PreToolUse added
+    expect(settings.hooks.PreToolUse).toHaveLength(1);
+    expect(settings.hooks.PreToolUse[0].matcher).toBe('mcp__.*');
+
+    // PostToolUse: original entry preserved + new mcp entry added
+    expect(settings.hooks.PostToolUse).toHaveLength(2);
+    expect(settings.hooks.PostToolUse[0].matcher).toBe('Bash|Read|Grep|WebFetch');
+    expect(settings.hooks.PostToolUse[1].matcher).toBe('mcp__.*');
+  });
+
+  it('should not duplicate PostToolUse entries when upgrading', () => {
+    const claudeDir = join(tmpDir, '.claude');
+    mkdirSync(claudeDir, { recursive: true });
+
+    // Old config already has the built-in PostToolUse entry
+    const oldConfig = {
+      hooks: {
+        PostToolUse: [
+          {
+            matcher: 'Bash|Read|Grep|WebFetch',
+            hooks: [{ type: 'command', command: 'hush redact-hook', timeout: 10 }],
+          },
+        ],
+      },
+    };
+    writeFileSync(join(claudeDir, 'settings.json'), JSON.stringify(oldConfig, null, 2));
+
+    // Run init twice
+    runInit(tmpDir);
+    const { stdout, exitCode } = runInit(tmpDir);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain('already configured');
+
+    const settings = JSON.parse(readFileSync(join(claudeDir, 'settings.json'), 'utf-8'));
+    // Should have exactly 1 PreToolUse and 2 PostToolUse (no duplicates)
+    expect(settings.hooks.PreToolUse).toHaveLength(1);
+    expect(settings.hooks.PostToolUse).toHaveLength(2);
+  });
+});
+
+// ── Gemini CLI init ───────────────────────────────────────────────────
+
+function runInitGemini(cwd: string, ...extraArgs: string[]): { stdout: string; stderr: string; exitCode: number } {
+  try {
+    const stdout = execFileSync('node', [CLI, 'init', '--hooks', '--gemini', ...extraArgs], {
+      encoding: 'utf-8',
+      cwd,
+      timeout: 5000,
+    });
+    return { stdout, stderr: '', exitCode: 0 };
+  } catch (err: any) {
+    return {
+      stdout: err.stdout ?? '',
+      stderr: err.stderr ?? '',
+      exitCode: err.status ?? 1,
+    };
+  }
+}
+
+describe('hush init --hooks --gemini', () => {
+  let tmpDir: string;
+
+  beforeEach(() => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'hush-init-gemini-'));
+  });
+
+  afterEach(() => {
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it('should create .gemini/settings.json with BeforeTool and AfterTool', () => {
+    const { stdout, exitCode } = runInitGemini(tmpDir);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain('Wrote hush hooks config');
+
+    const settings = JSON.parse(readFileSync(join(tmpDir, '.gemini', 'settings.json'), 'utf-8'));
+
+    // BeforeTool
+    expect(settings.hooks.BeforeTool).toHaveLength(1);
+    expect(settings.hooks.BeforeTool[0].matcher).toBe('mcp__.*');
+    expect(settings.hooks.BeforeTool[0].hooks[0].command).toBe('hush redact-hook');
+
+    // AfterTool
+    expect(settings.hooks.AfterTool).toHaveLength(2);
+    expect(settings.hooks.AfterTool[0].matcher).toBe('run_shell_command|read_file|read_many_files|search_file_content|web_fetch');
+    expect(settings.hooks.AfterTool[0].hooks[0].command).toBe('hush redact-hook');
+    expect(settings.hooks.AfterTool[1].matcher).toBe('mcp__.*');
+    expect(settings.hooks.AfterTool[1].hooks[0].command).toBe('hush redact-hook');
+  });
+
+  it('should not create .claude/ directory', () => {
+    runInitGemini(tmpDir);
+    expect(existsSync(join(tmpDir, '.claude'))).toBe(false);
+  });
+
+  it('should be idempotent on re-run', () => {
+    runInitGemini(tmpDir);
+    const { stdout, exitCode } = runInitGemini(tmpDir);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain('already configured');
+
+    const settings = JSON.parse(readFileSync(join(tmpDir, '.gemini', 'settings.json'), 'utf-8'));
+    expect(settings.hooks.BeforeTool).toHaveLength(1);
+    expect(settings.hooks.AfterTool).toHaveLength(2);
+  });
+
+  it('should write to settings.local.json with --local flag', () => {
+    const { stdout, exitCode } = runInitGemini(tmpDir, '--local');
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain('settings.local.json');
+
+    const localPath = join(tmpDir, '.gemini', 'settings.local.json');
+    expect(existsSync(localPath)).toBe(true);
+
+    const settings = JSON.parse(readFileSync(localPath, 'utf-8'));
+    expect(settings.hooks.BeforeTool[0].hooks[0].command).toBe('hush redact-hook');
+    expect(settings.hooks.AfterTool[0].hooks[0].command).toBe('hush redact-hook');
+  });
+});

package/tests/opencode-plugin.test.ts

@@ -0,0 +1,219 @@
+import { describe, it, expect } from 'vitest';
+import { isSensitivePath, commandReadsSensitiveFile } from '../src/plugins/sensitive-patterns.js';
+import { HushPlugin } from '../src/plugins/opencode-hush.js';
+
+describe('isSensitivePath', () => {
+  it.each([
+    '.env',
+    '.env.local',
+    '.env.production',
+    '.env.development.local',
+    'credentials.json',
+    'credentials.yaml',
+    'db-credentials',
+    'secret.txt',
+    'secrets.yaml',
+    'server.pem',
+    'tls.key',
+    'id_rsa',
+    'id_rsa.pub',
+    '.netrc',
+    '.pgpass',
+    'keystore.p12',
+    'cert.pfx',
+    'truststore.jks',
+    'app.keystore',
+    'private.asc',
+  ])('blocks %s', (path) => {
+    expect(isSensitivePath(path)).toBe(true);
+  });
+
+  it.each([
+    '.env',
+    '/home/user/project/.env.local',
+    '/etc/ssl/private/server.key',
+    'config/credentials.json',
+  ])('blocks absolute/relative path %s', (path) => {
+    expect(isSensitivePath(path)).toBe(true);
+  });
+
+  it.each([
+    'package.json',
+    'src/index.ts',
+    'README.md',
+    'tsconfig.json',
+    '.gitignore',
+    'environment.ts',
+    'docker-compose.yml',
+  ])('allows %s', (path) => {
+    expect(isSensitivePath(path)).toBe(false);
+  });
+});
+
+describe('commandReadsSensitiveFile', () => {
+  it.each([
+    'cat .env',
+    'cat /app/.env.local',
+    'head -5 secrets.yaml',
+    'tail -n 20 credentials.json',
+    'less .env.production',
+    'more secret.txt',
+    'bat id_rsa',
+    'cat .pgpass',
+    'cat foo.txt && cat .env',
+    'echo hello | cat .env',
+    'cat $HOME/.env',
+    'cat ${HOME}/.env',
+    'cat ~/secrets/.env',
+    'cat ~/.pgpass',
+    'batcat .env',
+    'batcat id_rsa',
+    'cat "$(echo .env)"',
+    'cat `.env`',
+    'cat <.env',
+    "cat '.env'",
+  ])('blocks: %s', (cmd) => {
+    expect(commandReadsSensitiveFile(cmd)).toBe(true);
+  });
+
+  it.each([
+    'cat README.md',
+    'ls -la',
+    'echo "hello"',
+    'grep password src/config.ts',
+    'head -5 package.json',
+    'cat src/index.ts',
+    'npm install',
+    'node dist/cli.js',
+  ])('allows: %s', (cmd) => {
+    expect(commandReadsSensitiveFile(cmd)).toBe(false);
+  });
+});
+
+describe('HushPlugin integration', () => {
+  it('exports a factory that returns a tool.execute.before hook', async () => {
+    const plugin = await HushPlugin();
+    expect(plugin['tool.execute.before']).toBeTypeOf('function');
+  });
+
+  it('throws when read targets a sensitive file', async () => {
+    const plugin = await HushPlugin();
+    await expect(
+      plugin['tool.execute.before'](
+        { tool: 'read' },
+        { args: { filePath: '/project/.env' } },
+      ),
+    ).rejects.toThrow('[hush] Blocked: sensitive file');
+  });
+
+  it('passes when read targets a normal file', async () => {
+    const plugin = await HushPlugin();
+    await expect(
+      plugin['tool.execute.before'](
+        { tool: 'read' },
+        { args: { filePath: 'src/index.ts' } },
+      ),
+    ).resolves.toBeUndefined();
+  });
+
+  it('throws when bash command reads a sensitive file', async () => {
+    const plugin = await HushPlugin();
+    await expect(
+      plugin['tool.execute.before'](
+        { tool: 'bash' },
+        { args: { command: 'cat .env' } },
+      ),
+    ).rejects.toThrow('[hush] Blocked: command reads sensitive file');
+  });
+
+  it('passes when bash command is harmless', async () => {
+    const plugin = await HushPlugin();
+    await expect(
+      plugin['tool.execute.before'](
+        { tool: 'bash' },
+        { args: { command: 'ls -la' } },
+      ),
+    ).resolves.toBeUndefined();
+  });
+
+  it('passes for unrelated tools', async () => {
+    const plugin = await HushPlugin();
+    await expect(
+      plugin['tool.execute.before'](
+        { tool: 'write' },
+        { args: { filePath: '.env', content: 'x' } },
+      ),
+    ).resolves.toBeUndefined();
+  });
+
+  it('redacts email in tool args (in-place mutation)', async () => {
+    const plugin = await HushPlugin();
+    const output = { args: { text: 'Contact admin@secret.corp for access', channel: '#general' } };
+    await plugin['tool.execute.before']({ tool: 'mcp_send' }, output);
+    expect(output.args.text).toMatch(/\[USER_EMAIL_[a-f0-9]{6}\]/);
+    expect(output.args.text).not.toContain('admin@secret.corp');
+    expect(output.args.channel).toBe('#general');
+  });
+
+  it('passes through clean args without mutation', async () => {
+    const plugin = await HushPlugin();
+    const output = { args: { text: 'hello world', channel: '#general' } };
+    await plugin['tool.execute.before']({ tool: 'mcp_send' }, output);
+    expect(output.args.text).toBe('hello world');
+    expect(output.args.channel).toBe('#general');
+  });
+
+  it('still blocks sensitive files before redacting args', async () => {
+    const plugin = await HushPlugin();
+    await expect(
+      plugin['tool.execute.before'](
+        { tool: 'read' },
+        { args: { filePath: '.env', extra: 'admin@secret.corp' } },
+      ),
+    ).rejects.toThrow('[hush] Blocked: sensitive file');
+  });
+});
+
+describe('HushPlugin tool.execute.after', () => {
+  it('exports a tool.execute.after hook', async () => {
+    const plugin = await HushPlugin();
+    expect(plugin['tool.execute.after']).toBeTypeOf('function');
+  });
+
+  it('redacts email in built-in tool output (output.output string)', async () => {
+    const plugin = await HushPlugin();
+    const output = { output: 'Contact admin@secret.corp for access' } as any;
+    await plugin['tool.execute.after']({ tool: 'bash' }, output);
+    expect(output.output).toMatch(/\[USER_EMAIL_[a-f0-9]{6}\]/);
+    expect(output.output).not.toContain('admin@secret.corp');
+  });
+
+  it('redacts IP in MCP content blocks (output.content array)', async () => {
+    const plugin = await HushPlugin();
+    const output = {
+      content: [
+        { type: 'text', text: 'Server at 192.168.1.100' },
+        { type: 'text', text: 'No PII here' },
+      ],
+    } as any;
+    await plugin['tool.execute.after']({ tool: 'mcp_query' }, output);
+    expect(output.content[0].text).toMatch(/\[NETWORK_IP_[a-f0-9]{6}\]/);
+    expect(output.content[0].text).not.toContain('192.168.1.100');
+    expect(output.content[1].text).toBe('No PII here');
+  });
+
+  it('passes through clean output unchanged', async () => {
+    const plugin = await HushPlugin();
+    const output = { output: 'hello world' } as any;
+    await plugin['tool.execute.after']({ tool: 'bash' }, output);
+    expect(output.output).toBe('hello world');
+  });
+
+  it('handles output with no relevant fields gracefully', async () => {
+    const plugin = await HushPlugin();
+    const output = {} as any;
+    await expect(
+      plugin['tool.execute.after']({ tool: 'bash' }, output),
+    ).resolves.toBeUndefined();
+  });
+});