@aictrl/hush 0.1.7 → 0.1.8

package/src/commands/redact-hook.ts

@@ -1,17 +1,33 @@
 /**
- * hush redact-hook — Claude Code PostToolUse hook handler
+ * hush redact-hook — Hook handler for Claude Code and Gemini CLI
  *
- * Reads the hook payload from stdin, redacts PII from the tool response,
- * and blocks the output (replacing it with redacted text) if PII was found.
+ * Reads the hook payload from stdin, redacts PII, and returns the
+ * appropriate response format depending on the hook event type:
+ *
+ *   Claude Code:
+ *     PreToolUse  — redacts outbound MCP tool arguments (updatedInput)
+ *     PostToolUse — redacts inbound MCP tool results  (updatedMCPToolOutput)
+ *                   or blocks built-in tool output     (decision: "block")
+ *
+ *   Gemini CLI:
+ *     BeforeTool  — redacts outbound MCP tool arguments (hookSpecificOutput.tool_input)
+ *     AfterTool   — redacts inbound tool results        (decision: "deny")
  *
  * Exit codes:
- *   0 — success (may or may not block)
+ *   0 — success (may or may not redact)
  *   2 — malformed input (blocks the tool call per hooks spec)
  */
 
 import { Redactor } from '../middleware/redactor.js';
 
+interface MCPContentBlock {
+  type: string;
+  text?: string;
+  [key: string]: unknown;
+}
+
 interface HookPayload {
+  hook_event_name?: 'PreToolUse' | 'PostToolUse' | 'BeforeTool' | 'AfterTool';
   tool_name?: string;
   tool_input?: Record<string, unknown>;
   tool_response?: {
@@ -21,18 +37,13 @@ interface HookPayload {
     // Read tool (nested under file)
     file?: { content?: string; [key: string]: unknown };
     // Grep / WebFetch / generic
-    content?: string;
+    content?: string | MCPContentBlock[];
     output?: string;
     [key: string]: unknown;
   };
 }
 
-interface HookResponse {
-  decision: 'block';
-  reason: string;
-}
-
-/** Collect all text from a tool_response object. */
+/** Collect all text from a built-in tool_response object. */
 function extractText(toolResponse: HookPayload['tool_response']): string | null {
   if (!toolResponse || typeof toolResponse !== 'object') return null;
 
@@ -58,16 +69,162 @@ function extractText(toolResponse: HookPayload['tool_response']): string | null
   return parts.length > 0 ? parts.join('\n') : null;
 }
 
-/** Redact PII from the tool response text. */
-function redactToolResponse(
-  toolResponse: NonNullable<HookPayload['tool_response']>,
+// ── Shared helpers ──────────────────────────────────────────────────────
+
+/**
+ * Redact PII from tool_input and format the response.
+ * Shared by PreToolUse (Claude) and BeforeTool (Gemini).
+ */
+function redactToolInput(
+  payload: HookPayload,
   redactor: Redactor,
-): { text: string; hasRedacted: boolean } {
-  const text = extractText(toolResponse);
-  if (!text) return { text: '', hasRedacted: false };
+  formatResponse: (redactedInput: Record<string, unknown>) => object,
+): void {
+  if (!payload.tool_input || typeof payload.tool_input !== 'object') {
+    process.exit(0);
+  }
+
+  const { content, hasRedacted } = redactor.redact(payload.tool_input);
+
+  if (!hasRedacted) {
+    process.exit(0);
+  }
+
+  const response = formatResponse(content as Record<string, unknown>);
+  process.stdout.write(JSON.stringify(response) + '\n');
+  process.exit(0);
+}
+
+/**
+ * Redact PII from a built-in tool response and format the response.
+ * Shared by PostToolUse (Claude, decision:"block") and AfterTool (Gemini, decision:"deny").
+ */
+function redactBuiltinResponse(
+  payload: HookPayload,
+  redactor: Redactor,
+  decision: 'block' | 'deny',
+): void {
+  if (!payload.tool_response) {
+    process.exit(0);
+  }
+
+  const text = extractText(payload.tool_response);
+  if (!text) {
+    process.exit(0);
+  }
 
   const { content, hasRedacted } = redactor.redact(text);
-  return { text: content as string, hasRedacted };
+  if (!hasRedacted) {
+    process.exit(0);
+  }
+
+  const response = {
+    decision,
+    reason: content as string,
+  };
+
+  process.stdout.write(JSON.stringify(response) + '\n');
+  process.exit(0);
+}
+
+// ── Claude Code handlers ────────────────────────────────────────────────
+
+/** Handle PreToolUse — redact outbound MCP tool arguments. */
+function handlePreToolUse(payload: HookPayload, redactor: Redactor): void {
+  redactToolInput(payload, redactor, (redactedInput) => ({
+    hookSpecificOutput: {
+      hookEventName: 'PreToolUse',
+      permissionDecision: 'allow',
+      updatedInput: redactedInput,
+    },
+  }));
+}
+
+/** Handle PostToolUse for MCP tools — redact inbound content blocks. */
+function handlePostToolUseMCP(payload: HookPayload, redactor: Redactor): void {
+  const toolResponse = payload.tool_response;
+  if (!toolResponse || typeof toolResponse !== 'object') {
+    process.exit(0);
+  }
+
+  const contentArray = toolResponse.content;
+  if (!Array.isArray(contentArray)) {
+    process.exit(0);
+  }
+
+  const { content: redactedArray, hasRedacted } = redactor.redact(contentArray);
+
+  if (!hasRedacted) {
+    process.exit(0);
+  }
+
+  const response = {
+    updatedMCPToolOutput: {
+      content: redactedArray,
+    },
+  };
+
+  process.stdout.write(JSON.stringify(response) + '\n');
+  process.exit(0);
+}
+
+/** Handle PostToolUse for built-in tools — decision: "block". */
+function handlePostToolUseBuiltin(payload: HookPayload, redactor: Redactor): void {
+  redactBuiltinResponse(payload, redactor, 'block');
+}
+
+// ── Gemini CLI handlers ─────────────────────────────────────────────────
+
+/** Handle BeforeTool — redact outbound MCP tool arguments (Gemini format). */
+function handleBeforeTool(payload: HookPayload, redactor: Redactor): void {
+  redactToolInput(payload, redactor, (redactedInput) => ({
+    hookSpecificOutput: {
+      tool_input: redactedInput,
+    },
+  }));
+}
+
+/** Handle AfterTool for MCP tools — redact content array, flatten to deny/reason. */
+function handleAfterToolMCP(payload: HookPayload, redactor: Redactor): void {
+  const toolResponse = payload.tool_response;
+  if (!toolResponse || typeof toolResponse !== 'object') {
+    process.exit(0);
+  }
+
+  const contentArray = toolResponse.content;
+  if (!Array.isArray(contentArray)) {
+    process.exit(0);
+  }
+
+  const { content: redactedArray, hasRedacted } = redactor.redact(contentArray);
+
+  if (!hasRedacted) {
+    process.exit(0);
+  }
+
+  // Flatten content blocks to a single text for Gemini's deny/reason format
+  const textParts = (redactedArray as MCPContentBlock[])
+    .filter((b) => typeof b.text === 'string')
+    .map((b) => b.text as string);
+
+  const response = {
+    decision: 'deny' as const,
+    reason: textParts.join('\n'),
+  };
+
+  process.stdout.write(JSON.stringify(response) + '\n');
+  process.exit(0);
+}
+
+/** Handle AfterTool for built-in tools — decision: "deny". */
+function handleAfterToolBuiltin(payload: HookPayload, redactor: Redactor): void {
+  redactBuiltinResponse(payload, redactor, 'deny');
+}
+
+// ── Utilities ───────────────────────────────────────────────────────────
+
+function isMCPTool(toolName?: string): boolean {
+  return typeof toolName === 'string' && toolName.startsWith('mcp__');
 }
 
 function readStdin(): Promise<string> {
@@ -79,6 +236,8 @@ function readStdin(): Promise<string> {
   });
 }
 
+// ── Entry point ─────────────────────────────────────────────────────────
+
 export async function run(): Promise<void> {
   let raw: string;
   try {
@@ -89,7 +248,6 @@ export async function run(): Promise<void> {
   }
 
   if (!raw.trim()) {
-    // Empty stdin — nothing to redact
     process.exit(0);
   }
 
@@ -101,24 +259,39 @@ export async function run(): Promise<void> {
     process.exit(2);
   }
 
-  if (!payload.tool_response) {
-    // No tool_response to redact
-    process.exit(0);
+  const redactor = new Redactor();
+  const eventName = payload.hook_event_name;
+
+  // Claude Code events
+  if (eventName === 'PreToolUse') {
+    handlePreToolUse(payload, redactor);
+    return;
   }
 
-  const redactor = new Redactor();
-  const { text, hasRedacted } = redactToolResponse(payload.tool_response, redactor);
+  if (eventName === 'PostToolUse') {
+    if (isMCPTool(payload.tool_name)) {
+      handlePostToolUseMCP(payload, redactor);
+    } else {
+      handlePostToolUseBuiltin(payload, redactor);
+    }
+    return;
+  }
 
-  if (!hasRedacted) {
-    // No PII found — let Claude Code keep the original output
-    process.exit(0);
+  // Gemini CLI events
+  if (eventName === 'BeforeTool') {
+    handleBeforeTool(payload, redactor);
+    return;
   }
 
-  const response: HookResponse = {
-    decision: 'block',
-    reason: text,
-  };
+  if (eventName === 'AfterTool') {
+    if (isMCPTool(payload.tool_name)) {
+      handleAfterToolMCP(payload, redactor);
+    } else {
+      handleAfterToolBuiltin(payload, redactor);
+    }
+    return;
+  }
 
-  process.stdout.write(JSON.stringify(response) + '\n');
-  process.exit(0);
+  // Backward compat: no hook_event_name → treat as PostToolUse built-in
+  handlePostToolUseBuiltin(payload, redactor);
 }

package/src/index.ts

@@ -105,7 +105,7 @@ async function proxyRequest(
       method: req.method,
       headers: fetchHeaders,
       body: hasBody ? JSON.stringify(redactedBody) : undefined,
-      signal: AbortSignal.timeout(30000), // 30s timeout
+      signal: AbortSignal.timeout(120000), // 120s timeout for long LLM responses
     });
 
     // Handle Upstream Errors (4xx, 5xx)
@@ -159,7 +159,12 @@ async function proxyRequest(
 
   } catch (error) {
     log.error({ err: error, path: req.path }, 'Failed to forward request');
-    res.status(502).json({ error: 'Gateway forwarding failed' });
+    if (!res.headersSent) {
+      res.status(502).json({ error: 'Gateway forwarding failed' });
+    } else {
+      // Headers already sent (streaming in progress) — just end the response
+      res.end();
+    }
   }
 }
 

package/src/plugins/opencode-hush.ts

@@ -1,24 +1,30 @@
 /**
  * OpenCode Plugin: Hush PII Guard
  *
- * Blocks reads of sensitive files (`.env`, `*.pem`, `credentials.*`, etc.)
- * before the tool executes — the AI model never sees the content.
+ * 1. Blocks reads of sensitive files (`.env`, `*.pem`, `credentials.*`, etc.)
+ *    before the tool executes — the AI model never sees the content.
+ * 2. Redacts PII (emails, IPs, secrets) from tool arguments before execution.
+ * 3. Redacts PII from tool outputs (built-in and MCP) after execution.
  *
  * Defense-in-depth: works alongside the Hush proxy which redacts PII from
- * API requests. The plugin prevents file reads; the proxy catches anything
- * that slips through in normal files.
+ * API requests. The plugin prevents file reads and scrubs tool I/O;
+ * the proxy catches anything that slips through.
  *
  * Install: copy to `.opencode/plugins/hush.ts` and add to `opencode.json`:
  *   { "plugin": [".opencode/plugins/hush.ts"] }
  */
 
 import { isSensitivePath, commandReadsSensitiveFile } from './sensitive-patterns.js';
+import { Redactor } from '../middleware/redactor.js';
+
+const redactor = new Redactor();
 
 export const HushPlugin = async () => ({
   'tool.execute.before': async (
     input: { tool: string },
     output: { args: Record<string, string> },
   ) => {
+    // Block sensitive file reads first (hard block — throws)
     if (input.tool === 'read' && isSensitivePath(output.args['filePath'] ?? '')) {
       throw new Error('[hush] Blocked: sensitive file');
     }
@@ -26,5 +32,39 @@ export const HushPlugin = async () => ({
     if (input.tool === 'bash' && commandReadsSensitiveFile(output.args['command'] ?? '')) {
       throw new Error('[hush] Blocked: command reads sensitive file');
     }
+
+    // Redact PII from outbound tool arguments (in-place mutation)
+    const { content, hasRedacted } = redactor.redact(output.args);
+    if (hasRedacted) {
+      const redacted = content as Record<string, string>;
+      for (const key of Object.keys(redacted)) {
+        output.args[key] = redacted[key]!;
+      }
+    }
+  },
+
+  'tool.execute.after': async (
+    input: { tool: string },
+    output: { output?: string; content?: Array<{ type: string; text?: string }> },
+  ) => {
+    // Built-in tools: output is a string at output.output
+    if (typeof output.output === 'string') {
+      const { content, hasRedacted } = redactor.redact(output.output);
+      if (hasRedacted) {
+        output.output = content as string;
+      }
+    }
+
+    // MCP tools: output is content blocks at output.content
+    if (Array.isArray(output.content)) {
+      for (const block of output.content) {
+        if (block.type === 'text' && typeof block.text === 'string') {
+          const { content, hasRedacted } = redactor.redact(block.text);
+          if (hasRedacted) {
+            block.text = content as string;
+          }
+        }
+      }
+    }
   },
 });

package/tests/init.test.ts

@@ -34,15 +34,24 @@ describe('hush init --hooks', () => {
     rmSync(tmpDir, { recursive: true, force: true });
   });
 
-  it('should create .claude/settings.json from scratch', () => {
+  it('should create .claude/settings.json with both PreToolUse and PostToolUse', () => {
     const { stdout, exitCode } = runInit(tmpDir);
     expect(exitCode).toBe(0);
     expect(stdout).toContain('Wrote hush hooks config');
 
     const settings = JSON.parse(readFileSync(join(tmpDir, '.claude', 'settings.json'), 'utf-8'));
-    expect(settings.hooks.PostToolUse).toHaveLength(1);
+
+    // PreToolUse
+    expect(settings.hooks.PreToolUse).toHaveLength(1);
+    expect(settings.hooks.PreToolUse[0].matcher).toBe('mcp__.*');
+    expect(settings.hooks.PreToolUse[0].hooks[0].command).toBe('hush redact-hook');
+
+    // PostToolUse
+    expect(settings.hooks.PostToolUse).toHaveLength(2);
     expect(settings.hooks.PostToolUse[0].matcher).toBe('Bash|Read|Grep|WebFetch');
     expect(settings.hooks.PostToolUse[0].hooks[0].command).toBe('hush redact-hook');
+    expect(settings.hooks.PostToolUse[1].matcher).toBe('mcp__.*');
+    expect(settings.hooks.PostToolUse[1].hooks[0].command).toBe('hush redact-hook');
   });
 
   it('should merge into existing settings preserving other keys', () => {
@@ -59,8 +68,9 @@ describe('hush init --hooks', () => {
     const settings = JSON.parse(readFileSync(join(claudeDir, 'settings.json'), 'utf-8'));
     // Preserved existing env
     expect(settings.env.ANTHROPIC_BASE_URL).toBe('http://127.0.0.1:4000');
-    // Added hooks
-    expect(settings.hooks.PostToolUse).toHaveLength(1);
+    // Added both hook types
+    expect(settings.hooks.PreToolUse).toHaveLength(1);
+    expect(settings.hooks.PostToolUse).toHaveLength(2);
     expect(settings.hooks.PostToolUse[0].hooks[0].command).toBe('hush redact-hook');
   });
 
@@ -71,7 +81,8 @@ describe('hush init --hooks', () => {
     expect(stdout).toContain('already configured');
 
     const settings = JSON.parse(readFileSync(join(tmpDir, '.claude', 'settings.json'), 'utf-8'));
-    expect(settings.hooks.PostToolUse).toHaveLength(1); // Not duplicated
+    expect(settings.hooks.PreToolUse).toHaveLength(1);  // Not duplicated
+    expect(settings.hooks.PostToolUse).toHaveLength(2); // Not duplicated
   });
 
   it('should write to settings.local.json with --local flag', () => {
@@ -83,6 +94,7 @@ describe('hush init --hooks', () => {
     expect(existsSync(localPath)).toBe(true);
 
     const settings = JSON.parse(readFileSync(localPath, 'utf-8'));
+    expect(settings.hooks.PreToolUse[0].hooks[0].command).toBe('hush redact-hook');
     expect(settings.hooks.PostToolUse[0].hooks[0].command).toBe('hush redact-hook');
   });
 
@@ -98,4 +110,146 @@ describe('hush init --hooks', () => {
       expect(err.stderr).toContain('Usage');
     }
   });
+
+  it('should upgrade old PostToolUse-only config by adding PreToolUse', () => {
+    const claudeDir = join(tmpDir, '.claude');
+    mkdirSync(claudeDir, { recursive: true });
+
+    // Simulate old config with only PostToolUse
+    const oldConfig = {
+      hooks: {
+        PostToolUse: [
+          {
+            matcher: 'Bash|Read|Grep|WebFetch',
+            hooks: [{ type: 'command', command: 'hush redact-hook', timeout: 10 }],
+          },
+        ],
+      },
+    };
+    writeFileSync(join(claudeDir, 'settings.json'), JSON.stringify(oldConfig, null, 2));
+
+    const { stdout, exitCode } = runInit(tmpDir);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain('Wrote hush hooks config');
+
+    const settings = JSON.parse(readFileSync(join(claudeDir, 'settings.json'), 'utf-8'));
+
+    // PreToolUse added
+    expect(settings.hooks.PreToolUse).toHaveLength(1);
+    expect(settings.hooks.PreToolUse[0].matcher).toBe('mcp__.*');
+
+    // PostToolUse: original entry preserved + new mcp entry added
+    expect(settings.hooks.PostToolUse).toHaveLength(2);
+    expect(settings.hooks.PostToolUse[0].matcher).toBe('Bash|Read|Grep|WebFetch');
+    expect(settings.hooks.PostToolUse[1].matcher).toBe('mcp__.*');
+  });
+
+  it('should not duplicate PostToolUse entries when upgrading', () => {
+    const claudeDir = join(tmpDir, '.claude');
+    mkdirSync(claudeDir, { recursive: true });
+
+    // Old config already has the built-in PostToolUse entry
+    const oldConfig = {
+      hooks: {
+        PostToolUse: [
+          {
+            matcher: 'Bash|Read|Grep|WebFetch',
+            hooks: [{ type: 'command', command: 'hush redact-hook', timeout: 10 }],
+          },
+        ],
+      },
+    };
+    writeFileSync(join(claudeDir, 'settings.json'), JSON.stringify(oldConfig, null, 2));
+
+    // Run init twice
+    runInit(tmpDir);
+    const { stdout, exitCode } = runInit(tmpDir);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain('already configured');
+
+    const settings = JSON.parse(readFileSync(join(claudeDir, 'settings.json'), 'utf-8'));
+    // Should have exactly 1 PreToolUse and 2 PostToolUse (no duplicates)
+    expect(settings.hooks.PreToolUse).toHaveLength(1);
+    expect(settings.hooks.PostToolUse).toHaveLength(2);
+  });
+});
+
+// ── Gemini CLI init ───────────────────────────────────────────────────
+
+function runInitGemini(cwd: string, ...extraArgs: string[]): { stdout: string; stderr: string; exitCode: number } {
+  try {
+    const stdout = execFileSync('node', [CLI, 'init', '--hooks', '--gemini', ...extraArgs], {
+      encoding: 'utf-8',
+      cwd,
+      timeout: 5000,
+    });
+    return { stdout, stderr: '', exitCode: 0 };
+  } catch (err: any) {
+    return {
+      stdout: err.stdout ?? '',
+      stderr: err.stderr ?? '',
+      exitCode: err.status ?? 1,
+    };
+  }
+}
+
+describe('hush init --hooks --gemini', () => {
+  let tmpDir: string;
+
+  beforeEach(() => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'hush-init-gemini-'));
+  });
+
+  afterEach(() => {
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it('should create .gemini/settings.json with BeforeTool and AfterTool', () => {
+    const { stdout, exitCode } = runInitGemini(tmpDir);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain('Wrote hush hooks config');
+
+    const settings = JSON.parse(readFileSync(join(tmpDir, '.gemini', 'settings.json'), 'utf-8'));
+
+    // BeforeTool
+    expect(settings.hooks.BeforeTool).toHaveLength(1);
+    expect(settings.hooks.BeforeTool[0].matcher).toBe('mcp__.*');
+    expect(settings.hooks.BeforeTool[0].hooks[0].command).toBe('hush redact-hook');
+
+    // AfterTool
+    expect(settings.hooks.AfterTool).toHaveLength(2);
+    expect(settings.hooks.AfterTool[0].matcher).toBe('run_shell_command|read_file|read_many_files|search_file_content|web_fetch');
+    expect(settings.hooks.AfterTool[0].hooks[0].command).toBe('hush redact-hook');
+    expect(settings.hooks.AfterTool[1].matcher).toBe('mcp__.*');
+    expect(settings.hooks.AfterTool[1].hooks[0].command).toBe('hush redact-hook');
+  });
+
+  it('should not create .claude/ directory', () => {
+    runInitGemini(tmpDir);
+    expect(existsSync(join(tmpDir, '.claude'))).toBe(false);
+  });
+
+  it('should be idempotent on re-run', () => {
+    runInitGemini(tmpDir);
+    const { stdout, exitCode } = runInitGemini(tmpDir);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain('already configured');
+
+    const settings = JSON.parse(readFileSync(join(tmpDir, '.gemini', 'settings.json'), 'utf-8'));
+    expect(settings.hooks.BeforeTool).toHaveLength(1);
+    expect(settings.hooks.AfterTool).toHaveLength(2);
+  });
+
+  it('should write to settings.local.json with --local flag', () => {
+    const { stdout, exitCode } = runInitGemini(tmpDir, '--local');
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain('settings.local.json');
+
+    const localPath = join(tmpDir, '.gemini', 'settings.local.json');
+    expect(existsSync(localPath)).toBe(true);
+
+    const settings = JSON.parse(readFileSync(localPath, 'utf-8'));
+    expect(settings.hooks.BeforeTool[0].hooks[0].command).toBe('hush redact-hook');
+    expect(settings.hooks.AfterTool[0].hooks[0].command).toBe('hush redact-hook');
+  });
 });

package/tests/opencode-plugin.test.ts

@@ -145,4 +145,75 @@ describe('HushPlugin integration', () => {
       ),
     ).resolves.toBeUndefined();
   });
+
+  it('redacts email in tool args (in-place mutation)', async () => {
+    const plugin = await HushPlugin();
+    const output = { args: { text: 'Contact admin@secret.corp for access', channel: '#general' } };
+    await plugin['tool.execute.before']({ tool: 'mcp_send' }, output);
+    expect(output.args.text).toMatch(/\[USER_EMAIL_[a-f0-9]{6}\]/);
+    expect(output.args.text).not.toContain('admin@secret.corp');
+    expect(output.args.channel).toBe('#general');
+  });
+
+  it('passes through clean args without mutation', async () => {
+    const plugin = await HushPlugin();
+    const output = { args: { text: 'hello world', channel: '#general' } };
+    await plugin['tool.execute.before']({ tool: 'mcp_send' }, output);
+    expect(output.args.text).toBe('hello world');
+    expect(output.args.channel).toBe('#general');
+  });
+
+  it('still blocks sensitive files before redacting args', async () => {
+    const plugin = await HushPlugin();
+    await expect(
+      plugin['tool.execute.before'](
+        { tool: 'read' },
+        { args: { filePath: '.env', extra: 'admin@secret.corp' } },
+      ),
+    ).rejects.toThrow('[hush] Blocked: sensitive file');
+  });
+});
+
+describe('HushPlugin tool.execute.after', () => {
+  it('exports a tool.execute.after hook', async () => {
+    const plugin = await HushPlugin();
+    expect(plugin['tool.execute.after']).toBeTypeOf('function');
+  });
+
+  it('redacts email in built-in tool output (output.output string)', async () => {
+    const plugin = await HushPlugin();
+    const output = { output: 'Contact admin@secret.corp for access' } as any;
+    await plugin['tool.execute.after']({ tool: 'bash' }, output);
+    expect(output.output).toMatch(/\[USER_EMAIL_[a-f0-9]{6}\]/);
+    expect(output.output).not.toContain('admin@secret.corp');
+  });
+
+  it('redacts IP in MCP content blocks (output.content array)', async () => {
+    const plugin = await HushPlugin();
+    const output = {
+      content: [
+        { type: 'text', text: 'Server at 192.168.1.100' },
+        { type: 'text', text: 'No PII here' },
+      ],
+    } as any;
+    await plugin['tool.execute.after']({ tool: 'mcp_query' }, output);
+    expect(output.content[0].text).toMatch(/\[NETWORK_IP_[a-f0-9]{6}\]/);
+    expect(output.content[0].text).not.toContain('192.168.1.100');
+    expect(output.content[1].text).toBe('No PII here');
+  });
+
+  it('passes through clean output unchanged', async () => {
+    const plugin = await HushPlugin();
+    const output = { output: 'hello world' } as any;
+    await plugin['tool.execute.after']({ tool: 'bash' }, output);
+    expect(output.output).toBe('hello world');
+  });
+
+  it('handles output with no relevant fields gracefully', async () => {
+    const plugin = await HushPlugin();
+    const output = {} as any;
+    await expect(
+      plugin['tool.execute.after']({ tool: 'bash' }, output),
+    ).resolves.toBeUndefined();
+  });
 });