@bookedsolid/reagent 0.7.1 → 0.10.0

package/hooks/rate-limit-guard.sh

@@ -2,7 +2,7 @@
 # PreToolUse hook: rate-limit-guard.sh
 # Fires BEFORE every Bash and Write tool call.
 # Blocks if more than 20 calls to the same tool occur within 60 seconds.
-# Uses a log file per tool in /tmp/reagent-rate-limit-{tool}.log.
+# Uses a log file per tool in $HOME/.reagent/rate-limits/{tool}.log.
 #
 # Exit codes:
 #   0 = within rate limit — allow
@@ -36,7 +36,31 @@ fi
 
 # Sanitize tool name for use in filename
 SAFE_TOOL=$(printf '%s' "$TOOL_NAME" | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z0-9-')
-LOG_FILE="/tmp/reagent-rate-limit-${SAFE_TOOL}.log"
+
+# ── Counter directory: prefer user-owned $HOME/.reagent/rate-limits/ ──────────
+# Storing counters in /tmp is world-writable and allows symlink attacks.
+# Use a user-owned directory with mode 700 instead.
+RATE_LIMIT_DIR="${HOME}/.reagent/rate-limits"
+
+if [[ -n "${HOME:-}" ]] && mkdir -p "$RATE_LIMIT_DIR" 2>/dev/null && chmod 700 "$RATE_LIMIT_DIR" 2>/dev/null; then
+  LOG_FILE="${RATE_LIMIT_DIR}/${SAFE_TOOL}.log"
+else
+  # $HOME not writable — fall back to a session-scoped tmpdir (not /tmp root)
+  if [[ -z "${REAGENT_RATE_LIMIT_TMPDIR:-}" ]]; then
+    REAGENT_RATE_LIMIT_TMPDIR=$(mktemp -d 2>/dev/null || true)
+    export REAGENT_RATE_LIMIT_TMPDIR
+    if [[ -n "$REAGENT_RATE_LIMIT_TMPDIR" ]]; then
+      printf 'RATE-LIMIT-GUARD WARN: $HOME not writable — using session tmpdir for rate-limit counters: %s\n' \
+        "$REAGENT_RATE_LIMIT_TMPDIR" >&2
+    fi
+  fi
+  if [[ -n "${REAGENT_RATE_LIMIT_TMPDIR:-}" ]]; then
+    LOG_FILE="${REAGENT_RATE_LIMIT_TMPDIR}/${SAFE_TOOL}.log"
+  else
+    # Last resort: skip rate limiting rather than failing noisily
+    exit 0
+  fi
+fi
 
 LIMIT=20
 WINDOW=60  # seconds

package/hooks/reagent-notify.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# hooks/reagent-notify.sh — post a one-off Discord notification about a repo event
+#
+# Useful for CI steps, post-merge automation, or manual release announcements.
+# Sources the shared discord library so webhook resolution is consistent with
+# the other hooks.
+#
+# Usage: hooks/reagent-notify.sh <event_type> <message>
+#   event_type: push | merge | release | alert
+#
+# Event-to-channel routing:
+#   push    → dev
+#   merge   → dev
+#   release → release
+#   alert   → alert
+#   (anything else) → dev
+
+set -uo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# shellcheck source=/dev/null
+source "${SCRIPT_DIR}/_lib/discord.sh"
+
+EVENT_TYPE="${1:-}"
+MESSAGE="${2:-}"
+
+if [ -z "$EVENT_TYPE" ] || [ -z "$MESSAGE" ]; then
+  printf 'Usage: %s <event_type> <message>\n' "$(basename "$0")" >&2
+  printf '  event_type: push | merge | release | alert\n' >&2
+  exit 1
+fi
+
+# Route event to the appropriate channel and pick a sensible default color
+channel_type="dev"
+color="blue"
+
+case "$EVENT_TYPE" in
+  push)
+    channel_type="dev"
+    color="green"
+    ;;
+  merge)
+    channel_type="dev"
+    color="green"
+    ;;
+  release)
+    channel_type="release"
+    color="blue"
+    ;;
+  alert)
+    channel_type="alert"
+    color="red"
+    ;;
+  *)
+    channel_type="dev"
+    color="blue"
+    ;;
+esac
+
+discord_notify "$channel_type" "$MESSAGE" "$color"
+
+# Wait for the background curl before the script exits so the caller gets
+# a clean exit code even in scripted pipelines.
+wait

package/hooks/security-disclosure-gate.sh

@@ -0,0 +1,146 @@
+#!/usr/bin/env bash
+# security-disclosure-gate.sh — PreToolUse: Bash
+#
+# Intercepts `gh issue create` commands that contain security-sensitive
+# keywords and blocks them. Routing depends on REAGENT_DISCLOSURE_MODE:
+#
+#   advisory (default) — redirect to GitHub Security Advisories (private)
+#                        Use for public OSS repos
+#   issues             — redirect to gh issue create with security + internal labels
+#                        Use for permanently private client repos
+#   disabled           — pass through (not recommended)
+#
+# Set REAGENT_DISCLOSURE_MODE in .reagent/policy.yaml (written to settings.json
+# env by reagent init). Defaults to "advisory" when unset.
+#
+# Triggered by: PreToolUse — Bash tool
+
+set -euo pipefail
+
+# shellcheck source=_lib/common.sh
+source "$(dirname "$0")/_lib/common.sh"
+
+check_halt
+
+# Read disclosure mode — default to advisory
+DISCLOSURE_MODE="${REAGENT_DISCLOSURE_MODE:-advisory}"
+
+# Disabled mode: pass through entirely
+if [[ "$DISCLOSURE_MODE" == "disabled" ]]; then
+  exit 0
+fi
+
+INPUT="$(cat)"
+TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // ""')
+
+if [[ "$TOOL_NAME" != "Bash" ]]; then
+  exit 0
+fi
+
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // ""')
+
+# Only intercept gh issue create
+if ! echo "$COMMAND" | grep -qE 'gh\s+issue\s+create'; then
+  exit 0
+fi
+
+require_jq
+
+# Security-sensitive keywords that should not appear in public issues —
+# these terms suggest a vulnerability, exploit path, or bypass technique
+SECURITY_PATTERNS=(
+  # Vulnerability classes
+  'bypass'
+  'exploit'
+  'injection'
+  'traversal'
+  'exfiltrat'
+  'escalat'
+  'privilege'
+  'rce'
+  'remote.code.exec'
+  'arbitrary.code'
+  'code.execution'
+  'zero.day'
+  '0day'
+  'CVE-'
+  'CVSS'
+  'GHSA-'
+  # Reagent-specific sensitive terms
+  'hook.bypass'
+  'HALT.bypass'
+  'redaction.bypass'
+  'policy.bypass'
+  'middleware.bypass'
+  'skip.*gate'
+  'evad'
+  # Credential/secret exposure
+  'secret.*leak'
+  'credential.*leak'
+  'token.*leak'
+  'key.*expos'
+  'expos.*secret'
+  # Prompt injection
+  'prompt.inject'
+  'jailbreak'
+  'jail.break'
+)
+
+# Scan the full command text (title + body + flags) for sensitive patterns
+FULL_TEXT=$(echo "$COMMAND" | tr '[:upper:]' '[:lower:]')
+
+MATCHED_PATTERN=""
+for PATTERN in "${SECURITY_PATTERNS[@]}"; do
+  if echo "$FULL_TEXT" | grep -qiE "$PATTERN"; then
+    MATCHED_PATTERN="$PATTERN"
+    break
+  fi
+done
+
+if [[ -z "$MATCHED_PATTERN" ]]; then
+  exit 0
+fi
+
+# ─── Route based on disclosure mode ──────────────────────────────────────────
+
+if [[ "$DISCLOSURE_MODE" == "issues" ]]; then
+  # Private repo mode: redirect to labeled internal issue
+  json_output "block" \
+    "SECURITY DISCLOSURE GATE: This issue appears to describe a security finding (matched: '${MATCHED_PATTERN}').
+
+This project is configured for PRIVATE disclosure (REAGENT_DISCLOSURE_MODE=issues).
+
+CORRECT PATH for security findings in this private repo:
+  Use: gh issue create --label 'security,internal' --title '...' --body '...'
+
+The 'security' and 'internal' labels keep this off public project boards and
+mark it for maintainer-only triage. Do NOT use the public issue queue without
+these labels for security findings.
+
+If this is NOT a security finding, rephrase the title/body to avoid triggering
+security patterns, then retry."
+
+else
+  # Advisory mode (default): redirect to GitHub Security Advisories
+  json_output "block" \
+    "SECURITY DISCLOSURE GATE: This issue appears to describe a security vulnerability (matched: '${MATCHED_PATTERN}'). Do NOT create a public GitHub issue for security vulnerabilities.
+
+CORRECT DISCLOSURE PATH:
+1. Use GitHub Security Advisories (private):
+   gh api repos/{owner}/{repo}/security-advisories --method POST --input - <<'JSON'
+   { \"summary\": \"...\", \"description\": \"...\", \"severity\": \"medium|high|critical\",
+     \"vulnerabilities\": [{\"package\": {\"name\": \"@pkg\", \"ecosystem\": \"npm\"}}] }
+   JSON
+2. Or navigate to: Security tab → Advisories → 'Report a vulnerability'
+3. Or email security@bookedsolid.tech (see SECURITY.md)
+
+The finding will be publicly disclosed AFTER a patch is released (coordinated disclosure).
+
+WHY: Public issues expose vulnerabilities before users can patch. This is enforced by the
+security-disclosure-gate hook (REAGENT_DISCLOSURE_MODE=${DISCLOSURE_MODE}).
+
+If this is NOT a security vulnerability, rephrase the issue to avoid triggering
+security patterns, then retry."
+fi
+
+exit 2

package/husky/pre-push.sh

@@ -64,12 +64,96 @@ run_gate "type-check"   "TypeScript type check"
 run_gate "test"         "Test suite"
 run_gate "build"        "Build"
 
+# Pack dry-run — validates the publish payload matches what CI would produce
+# Always uses npm pack --dry-run regardless of $PKG_MANAGER: pnpm uses a
+# different flag syntax and this gate mirrors the npm pack --dry-run step in CI.
+if script_exists "build"; then
+  echo "pre-push: running Pack dry-run..."
+  if ! npm pack --dry-run > "$OUT" 2>&1; then
+    echo ""
+    echo "GATE FAILED: Pack dry-run"
+    cat "$OUT"
+    echo ""
+    FAILED="${FAILED} pack"
+  fi
+fi
+
+# Shellcheck — lint all hook and husky shell scripts if shellcheck is installed
+if command -v shellcheck > /dev/null 2>&1; then
+  echo "pre-push: running Shellcheck on hook scripts..."
+  SHELL_SCRIPTS=$(find hooks/ husky/ -name "*.sh" 2>/dev/null | tr '\n' ' ')
+  if [ -n "$SHELL_SCRIPTS" ]; then
+    # shellcheck disable=SC2086
+    if ! shellcheck --shell=bash --severity=warning --exclude=SC1091,SC2034 $SHELL_SCRIPTS > "$OUT" 2>&1; then
+      echo ""
+      echo "GATE FAILED: Shellcheck"
+      cat "$OUT"
+      echo ""
+      FAILED="${FAILED} shellcheck"
+    fi
+  fi
+else
+  echo "pre-push: shellcheck not installed — hook lint skipped (install: brew install shellcheck)"
+fi
+
+# ── Optional: coverage threshold gate ─────────────────────────────────────────
+# Enabled via .reagent/policy.yaml:
+#   coverage:
+#     enabled: true
+#     threshold: 80   # line/function/statement coverage percentage (branches: threshold - 10)
+#
+# Only runs if coverage.enabled is true AND the project has a test script.
+POLICY_FILE=".reagent/policy.yaml"
+COVERAGE_ENABLED="false"
+COVERAGE_THRESHOLD=80
+
+if [ -f "$POLICY_FILE" ]; then
+  # Extract coverage.enabled — look for "enabled: true" within the coverage block
+  if awk '/^coverage:/{in_block=1} in_block && /enabled: true/{found=1; exit} in_block && /^[^ ]/{in_block=0}' "$POLICY_FILE" | grep -q "enabled: true" 2>/dev/null || \
+     grep -A5 "^coverage:" "$POLICY_FILE" 2>/dev/null | grep -q "enabled: true"; then
+    COVERAGE_ENABLED="true"
+  fi
+
+  # Extract coverage.threshold (default 80)
+  # The || true prevents set -euo pipefail from exiting when coverage: block is absent
+  THRESHOLD_LINE=$(grep -A5 "^coverage:" "$POLICY_FILE" 2>/dev/null | grep "threshold:" | head -1) || true
+  if [ -n "$THRESHOLD_LINE" ]; then
+    EXTRACTED=$(echo "$THRESHOLD_LINE" | awk '{print $2}' | tr -d '"' | tr -d "'")
+    if [ -n "$EXTRACTED" ] && [ "$EXTRACTED" -eq "$EXTRACTED" ] 2>/dev/null; then
+      COVERAGE_THRESHOLD="$EXTRACTED"
+    fi
+  fi
+fi
+
+if [ "$COVERAGE_ENABLED" = "true" ] && script_exists "test"; then
+  echo "pre-push: running Coverage threshold (≥${COVERAGE_THRESHOLD}%)..."
+  if ! COVERAGE_THRESHOLD="$COVERAGE_THRESHOLD" $PKG_MANAGER run test -- --coverage > "$OUT" 2>&1; then
+    echo ""
+    echo "GATE FAILED: Coverage threshold (${COVERAGE_THRESHOLD}%)"
+    cat "$OUT"
+    echo ""
+    FAILED="${FAILED} coverage"
+  fi
+fi
+
 # ── Report ────────────────────────────────────────────────────────────────────
+HOOKS_LIB="$(git rev-parse --show-toplevel 2>/dev/null)/hooks/_lib/discord.sh"
+
 if [ -n "$FAILED" ]; then
   echo "pre-push: FAILED gates:${FAILED}"
   echo "All quality gates must pass before push. Fix failures and retry."
+  if [ -f "$HOOKS_LIB" ]; then
+    # shellcheck source=/dev/null
+    source "$HOOKS_LIB"
+    discord_notify "alert" "Push BLOCKED -- gate failures: \`${FAILED}\` on \`$(git rev-parse --abbrev-ref HEAD 2>/dev/null)\`" "red"
+  fi
   exit 1
 fi
 
 echo "pre-push: all quality gates passed"
+if [ -f "$HOOKS_LIB" ]; then
+  # shellcheck source=/dev/null
+  source "$HOOKS_LIB"
+  discord_notify "dev" "Pre-push gates passed on \`$(git rev-parse --abbrev-ref HEAD 2>/dev/null)\`" "green"
+fi
 exit 0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/reagent",
-  "version": "0.7.1",
+  "version": "0.10.0",
   "description": "Zero-trust MCP gateway — policy enforcement, secret redaction, and audit logging for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",
@@ -52,12 +52,19 @@
     "changeset": "changeset",
     "changeset:version": "changeset version",
     "changeset:publish": "changeset publish",
+    "daemon:start": "reagent daemon start",
+    "daemon:stop": "reagent daemon stop",
+    "daemon:status": "reagent daemon status",
+    "daemon:restart": "reagent daemon restart",
+    "daemon:build": "cargo build --release --manifest-path daemon/Cargo.toml",
     "lint": "eslint .",
     "format": "prettier --write .",
     "format:check": "prettier --check .",
     "test": "vitest run",
     "test:watch": "vitest",
-    "type-check": "tsc --noEmit"
+    "type-check": "tsc --noEmit",
+    "docs:dev": "cd docs && npm run dev",
+    "docs:build": "cd docs && npm run build"
   },
   "keywords": [
     "claude",
@@ -78,6 +85,7 @@
     "@types/node": "^25.5.2",
     "@typescript-eslint/eslint-plugin": "^8.0.0",
     "@typescript-eslint/parser": "^8.0.0",
+    "@vitest/coverage-v8": "^3.2.4",
     "eslint": "^10.2.0",
     "husky": "^9.1.7",
     "prettier": "^3.8.1",

package/profiles/bst-internal.json

@@ -18,6 +18,9 @@
     "preflightCmd": "pnpm preflight",
     "attributionRule": "Do NOT include AI attribution in commits, PR bodies, code comments, or any content. When block_ai_attribution is enabled in .reagent/policy.yaml, the commit-msg hook REJECTS commits containing structural AI attribution (Co-Authored-By with AI names, 'Generated with [Tool]' footers, etc.). The attribution-advisory hook also blocks gh pr create/edit and git commit commands with attribution. You must remove all attribution markers before committing — the hooks will NOT silently fix them."
   },
+  "security": {
+    "disclosureMode": "advisory"
+  },
   "claudeHooks": {
     "PreToolUse": [
       {
@@ -27,12 +30,19 @@
           "env-file-protection",
           "dependency-audit-gate",
           "commit-review-gate",
-          "push-review-gate"
+          "push-review-gate",
+          "security-disclosure-gate",
+          "pr-issue-link-gate"
         ]
       },
       {
         "matcher": "Write|Edit",
-        "hooks": ["secret-scanner", "settings-protection", "blocked-paths-enforcer"]
+        "hooks": [
+          "secret-scanner",
+          "settings-protection",
+          "blocked-paths-enforcer",
+          "changeset-security-gate"
+        ]
       },
       {
         "matcher": "Bash",

package/profiles/client-engagement.json

@@ -18,6 +18,9 @@
     "preflightCmd": "pnpm preflight",
     "attributionRule": "Do NOT include AI attribution in commits, PR bodies, code comments, or any content. When block_ai_attribution is enabled in .reagent/policy.yaml, the commit-msg hook REJECTS commits containing structural AI attribution (Co-Authored-By with AI names, 'Generated with [Tool]' footers, etc.). The attribution-advisory hook also blocks gh pr create/edit and git commit commands with attribution. You must remove all attribution markers before committing — the hooks will NOT silently fix them."
   },
+  "security": {
+    "disclosureMode": "issues"
+  },
   "claudeHooks": {
     "PreToolUse": [
       {
@@ -27,12 +30,19 @@
           "env-file-protection",
           "dependency-audit-gate",
           "commit-review-gate",
-          "push-review-gate"
+          "push-review-gate",
+          "security-disclosure-gate",
+          "pr-issue-link-gate"
         ]
       },
       {
         "matcher": "Write|Edit",
-        "hooks": ["secret-scanner", "settings-protection", "blocked-paths-enforcer"]
+        "hooks": [
+          "secret-scanner",
+          "settings-protection",
+          "blocked-paths-enforcer",
+          "changeset-security-gate"
+        ]
       },
       {
         "matcher": "Bash",