@claudemini/ses-cli 1.4.3

package/lib/list.js

@@ -0,0 +1,62 @@
+#!/usr/bin/env node
+
+import { readFileSync, existsSync, readdirSync, statSync } from 'fs';
+import { join } from 'path';
+import { getProjectRoot, getLogDir, SESSION_ID_REGEX } from './config.js';
+
+export default async function list(args) {
+  const logDir = getLogDir(getProjectRoot());
+
+  if (!existsSync(logDir)) {
+    console.log('No log directory found. Run "ses init" first.');
+    return;
+  }
+
+  const entries = readdirSync(logDir);
+  const sessions = entries
+    .filter(name => SESSION_ID_REGEX.test(name))
+    .map(id => {
+      const dir = join(logDir, id);
+      const metaFile = join(dir, 'metadata.json');
+      const stateFile = join(dir, 'state.json');
+      try {
+        const meta = JSON.parse(readFileSync(metaFile, 'utf-8'));
+        let state = null;
+        if (existsSync(stateFile)) {
+          state = JSON.parse(readFileSync(stateFile, 'utf-8'));
+        }
+        return { id, meta, state, mtime: statSync(dir).mtime };
+      } catch { return null; }
+    })
+    .filter(Boolean)
+    .sort((a, b) => b.mtime - a.mtime);
+
+  if (sessions.length === 0) {
+    console.log('No sessions found.');
+    return;
+  }
+
+  console.log(`${sessions.length} session(s):\n`);
+
+  sessions.forEach((s, i) => {
+    const m = s.meta;
+    const st = s.state;
+    const dur = m.duration_minutes ?? (st?.start_time && st?.last_time
+      ? Math.round((new Date(st.last_time) - new Date(st.start_time)) / 60000) : 0);
+    const type = m.type || 'unknown';
+    const risk = m.risk || '-';
+    const intent = m.intent || '';
+    const files = (m.files_touched || 0);
+    const errs = (m.errors || 0);
+    const shadow = st?.shadow_branch ? ` [${st.shadow_branch}]` : '';
+    const date = new Date(m.last_updated).toLocaleString();
+
+    console.log(`${i + 1}. ${s.id.slice(0, 8)}  [${type}]  risk:${risk}`);
+    if (intent) {
+      console.log(`   ${intent.slice(0, 100)}`);
+    }
+    console.log(`   ${dur}min | ${m.event_count} events | ${m.tool_calls || 0} tools | ${files} files | ${errs} errors${shadow}`);
+    console.log(`   ${date}`);
+    console.log('');
+  });
+}

package/lib/log.js

@@ -0,0 +1,77 @@
+#!/usr/bin/env node
+
+/**
+ * ses log — event ingestion dispatcher.
+ * Reads stdin, parses event, delegates to session/extract/report modules.
+ */
+
+import { appendFileSync, existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
+import { join } from 'path';
+import { getProjectRoot, getLogDir } from './config.js';
+import { loadState, saveState, processEvent, updateIndex } from './session.js';
+import { extractIntent, extractChanges, classifySession } from './extract.js';
+import { generateReports } from './report.js';
+import { dispatchWebhook } from './webhook.js';
+
+export default async function log(args) {
+  const hookType = args[0] || 'unknown';
+
+  // Read payload from stdin
+  let payload = '';
+  for await (const chunk of process.stdin) {
+    payload += chunk;
+  }
+  if (!payload.trim()) process.exit(0);
+
+  let event;
+  try {
+    event = JSON.parse(payload);
+  } catch {
+    process.exit(1);
+  }
+
+  const projectRoot = getProjectRoot();
+  const logDir = getLogDir(projectRoot);
+  const sessionId = event.session_id || 'unknown';
+  const sessionDir = join(logDir, sessionId);
+  mkdirSync(sessionDir, { recursive: true });
+
+  // 1. Append raw event
+  appendFileSync(join(sessionDir, 'events.jsonl'), payload.trim() + '\n');
+
+  // 2. Load and update state
+  const state = loadState(sessionDir);
+  if (!state) process.exit(1);
+  processEvent(state, event, hookType, projectRoot);
+  saveState(sessionDir, state);
+
+  // 3. Extract semantics and generate reports
+  const intent = extractIntent(state.prompts);
+  const changes = extractChanges(state);
+  const classification = classifySession(intent, changes);
+  generateReports(sessionDir, sessionId, state, intent, changes, classification);
+
+  // 4. On session end: checkpoint + update index + webhook (idempotent — run once per session)
+  const isSessionEnd = ['session-end', 'SessionEnd', 'stop', 'session_end', 'end', 'onSessionEnd'].includes(hookType);
+  const endedSentinel = join(sessionDir, '.ended');
+  if (isSessionEnd && !existsSync(endedSentinel)) {
+    writeFileSync(endedSentinel, new Date().toISOString());
+    try {
+      const { commitCheckpoint } = await import('./checkpoint.js');
+      await commitCheckpoint(projectRoot, sessionDir, sessionId);
+    } catch { /* checkpoint is best-effort */ }
+
+    try {
+      updateIndex(logDir, sessionId, intent, classification, changes, state);
+    } catch { /* index is best-effort */ }
+
+    // Dispatch webhook for session end — must await before exit
+    try {
+      const summaryPath = join(sessionDir, 'summary.json');
+      const summary = JSON.parse(readFileSync(summaryPath, 'utf-8'));
+      await dispatchWebhook(projectRoot, 'session.ended', summary);
+    } catch { /* webhook is best-effort */ }
+  }
+
+  process.exit(0);
+}

package/lib/prompts.js

@@ -0,0 +1,125 @@
+export const SUMMARY_SYSTEM_PROMPT = 'You are a helpful assistant that summarizes AI coding sessions.';
+
+export function buildSummarizePrompt(context = {}) {
+  const parts = [];
+
+  parts.push('Generate a concise summary that explains:');
+  parts.push('1. What the user wanted to accomplish');
+  parts.push('2. What changes were made');
+  parts.push('3. Any issues or errors encountered');
+  parts.push('4. Overall outcome');
+  parts.push('\n---\n');
+
+  if (context.prompts_text) {
+    parts.push(`## User Prompts\n${context.prompts_text}\n`);
+  } else if (context.prompts && context.prompts.length > 0) {
+    parts.push('## User Prompts\n');
+    context.prompts.slice(0, 5).forEach((p) => {
+      const text = typeof p === 'string' ? p : p.text || '';
+      parts.push(`- ${text.slice(0, 200)}`);
+    });
+    parts.push('');
+  }
+
+  if (context.changes && context.changes.length > 0) {
+    parts.push('## Files Changed\n');
+    context.changes.slice(0, 10).forEach((f) => {
+      const ops = f.operations?.join(', ') || 'modified';
+      parts.push(`- ${f.path}: ${ops}`);
+    });
+    parts.push('');
+  }
+
+  if (context.tools && Object.keys(context.tools).length > 0) {
+    parts.push('## Tools Used\n');
+    Object.entries(context.tools).forEach(([tool, count]) => {
+      parts.push(`- ${tool}: ${count} times`);
+    });
+    parts.push('');
+  }
+
+  if (context.errors && context.errors.length > 0) {
+    parts.push('## Errors\n');
+    context.errors.slice(0, 5).forEach((e) => {
+      parts.push(`- ${e.tool}: ${(e.message || '').slice(0, 100)}`);
+    });
+    parts.push('');
+  }
+
+  return parts.join('\n');
+}
+
+export const REVIEW_AGENT_SYSTEM_PROMPT = [
+  'You are a professional code review expert. Your task is to find defects introduced by code changes that still exist in the final code.',
+  '',
+  '## Core Principles',
+  '',
+  'You review the **final state** of the code, not the change process.',
+  '- A diff shows what changed, but you must answer: what problems remain after the change?',
+  '- If a diff fixes a bug, that is not a finding. It is an improvement.',
+  '- If a diff introduces a new bug or misses an edge case, that is a finding.',
+  '- Do not treat change descriptions as findings (for example, "X changed to Y" is not a problem unless Y is defective).',
+  '',
+  '## Workflow',
+  '',
+  '1. read_session_summary - understand session intent and scope of changes',
+  '2. read_git_diff - inspect code changes and mark suspicious points',
+  '3. read_source_file - read full context for each suspicious point and verify',
+  '4. submit_findings - submit only verified findings',
+  '',
+  'Key rule: step 3 is the validation step. If context disproves a suspicion, discard that finding.',
+  'Do not lower standards to increase count. Prefer 2 high-quality findings over 8 weak findings.',
+  '',
+  '## Finding Categories',
+  '',
+  '| Category | Review Focus |',
+  '|---|---|',
+  '| correctness | logic errors, missed edge cases, type errors, race conditions |',
+  '| security | injection, path traversal, secret leaks, auth bypass |',
+  '| reliability | unhandled errors, resource leaks, missing timeouts, weak recovery |',
+  '| performance | O(n^2) loops, memory leaks, unnecessary sync I/O |',
+  '| testing | logic changed without tests, coverage gaps |',
+  '| maintainability | report only serious design issues, not style nitpicks |',
+  '',
+  '## Severity Standards',
+  '',
+  '- critical: production crash or data loss',
+  '- high: incorrect functionality or security vulnerability',
+  '- medium: issue may trigger under specific conditions',
+  '- low: code smell or long-term maintenance risk',
+  '- info: session summary only (exactly 1 required)',
+  '',
+  'If an issue is truly severe, mark it as high or critical. Do not downplay severity.',
+  '',
+  '## Rules',
+  '',
+  '- Every finding must include evidence: exact file, line number, and code snippet.',
+  '- You must verify with read_source_file before reporting. Do not guess from diff alone.',
+  '- Do not review content outside project scope (IDE config, external artifacts, etc.).',
+  '- Submit exactly 1 info-level finding to summarize session results and change quality.',
+  '- The summary finding should include: what changed, quality assessment, and missing tests/docs.',
+  '- Priority order: correctness > security > reliability > performance > testing > maintainability',
+].join('\n');
+
+export function buildReviewUserMessage(sessionIds, options = {}) {
+  const timeoutLine = Number.isFinite(options.timeoutMs)
+    ? `- Execution budget: timeout ${options.timeoutMs}ms, autoApprove=${Boolean(options.autoApprove)}`
+    : null;
+  const lines = [
+    `Review sessions: ${sessionIds.join(', ')}`,
+    '',
+    'Execution steps:',
+    '1. Call read_session_summary first to understand change scope',
+    '2. Call read_git_diff and list all suspicious points',
+    '3. For each suspicious point, call read_source_file to verify with full context',
+    '4. Submit only validated findings and call submit_findings once',
+    '',
+    'Important reminders:',
+    '- Distinguish "change description" from "defect": report only real defects in final code state.',
+    '- If code fixes an issue, do not report the fix itself as a finding.',
+    '- If uncertain, verify in source. If not validated, discard the finding.',
+    `- Minimum report severity: ${options.minSeverity}, CI fail threshold: ${options.failOn}`,
+    timeoutLine,
+  ];
+  return lines.filter(Boolean).join('\n');
+}

package/lib/query.js

@@ -0,0 +1,110 @@
+#!/usr/bin/env node
+
+/**
+ * ses query — cross-session memory queries.
+ * Reads index.json to answer questions about past sessions.
+ */
+
+import { readFileSync, existsSync } from 'fs';
+import { join } from 'path';
+import { getProjectRoot, getLogDir } from './config.js';
+
+function loadIndex(logDir) {
+  const indexFile = join(logDir, 'index.json');
+  if (!existsSync(indexFile)) return null;
+  try {
+    return JSON.parse(readFileSync(indexFile, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+export default async function query(args) {
+  const logDir = getLogDir(getProjectRoot());
+  const index = loadIndex(logDir);
+
+  if (!index || index.sessions.length === 0) {
+    console.log('No session index found. Sessions are indexed on session-end.');
+    console.log('Run "ses list" to see raw sessions.');
+    return;
+  }
+
+  const jsonOutput = args.includes('--json');
+  const fileArg = args.find(a => a.startsWith('--file='));
+  const recentArg = args.find(a => a.startsWith('--recent='));
+  const typeArg = args.find(a => a.startsWith('--type='));
+  const riskArg = args.find(a => a.startsWith('--risk='));
+
+  let results = [...index.sessions];
+
+  // Filter by file
+  if (fileArg) {
+    const filePath = fileArg.split('=')[1];
+    const sessionIds = index.file_history?.[filePath] || [];
+    if (sessionIds.length === 0) {
+      // Try partial match
+      const matchingFiles = Object.keys(index.file_history || {})
+        .filter(f => f.includes(filePath));
+      const matchedIds = new Set();
+      for (const f of matchingFiles) {
+        for (const id of index.file_history[f]) matchedIds.add(id);
+      }
+      results = results.filter(s => matchedIds.has(s.id));
+      if (matchingFiles.length > 0 && !jsonOutput) {
+        console.log(`Matched files: ${matchingFiles.join(', ')}\n`);
+      }
+    } else {
+      const idSet = new Set(sessionIds);
+      results = results.filter(s => idSet.has(s.id));
+    }
+  }
+
+  // Filter by type
+  if (typeArg) {
+    const type = typeArg.split('=')[1];
+    results = results.filter(s => s.type === type);
+  }
+
+  // Filter by risk
+  if (riskArg) {
+    const risk = riskArg.split('=')[1];
+    results = results.filter(s => s.risk === risk);
+  }
+
+  // Limit by recent
+  if (recentArg) {
+    const n = parseInt(recentArg.split('=')[1]) || 5;
+    results = results.slice(-n);
+  }
+
+  // Output
+  if (jsonOutput) {
+    console.log(JSON.stringify(results, null, 2));
+    return;
+  }
+
+  if (results.length === 0) {
+    console.log('No matching sessions found.');
+    return;
+  }
+
+  console.log(`${results.length} session(s):\n`);
+  for (const s of results.reverse()) {
+    const filesCount = s.files?.length || 0;
+    console.log(`  ${s.id.slice(0, 8)}  ${s.date}  [${s.type}]  risk:${s.risk}  ${s.duration}min  ${filesCount} files`);
+    if (s.intent) {
+      console.log(`    ${s.intent.slice(0, 100)}`);
+    }
+  }
+
+  // Show file history summary if --file was used
+  if (fileArg) {
+    const filePath = fileArg.split('=')[1];
+    const history = index.file_history?.[filePath];
+    if (history) {
+      console.log(`\nFile "${filePath}" modified in ${history.length} session(s)`);
+    }
+  }
+
+  console.log('\nOptions: --file=<path> --type=<type> --risk=<level> --recent=<n> --json');
+}

package/lib/redact.js

@@ -0,0 +1,170 @@
+#!/usr/bin/env node
+
+/**
+ * Secrets redaction module
+ * Best-effort redaction of sensitive information from logs
+ * Reference: Entire's security approach
+ */
+
+// Common secret patterns
+const SECRET_PATTERNS = [
+  // API Keys
+  [/(api[_-]?key|apikey|api[_-]?secret)[":\s=]+["']?([a-zA-Z0-9_\-]{20,})["']?/gi, '$1: [REDACTED]'],
+
+  // AWS
+  [/(aws[_-]?access[_-]?key[_-]?id|aws[_-]?secret[_-]?access[_-]?key)[":\s=]+["']?([A-Z0-9]{20,})["']?/gi, '$1: [REDACTED]'],
+  [/(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY)["\s=]+["']?([A-Za-z0-9\/+]{40})["']?/gi, '$1: [REDACTED]'],
+
+  // GitHub Tokens
+  [/(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}/gi, '[GITHUB_TOKEN_REDACTED]'],
+  [/github[_-]?(token|pat)[":\s=]+["']?[a-zA-Z0-9_]{36,}["']?/gi, 'github_token: [REDACTED]'],
+
+  // NPM Tokens
+  [/(npm|NPM)[_-]?[a-zA-Z0-9]{30,}/gi, '[NPM_TOKEN_REDACTED]'],
+  [/(npm[_-]?token|NPM_AUTH_TOKEN)[":\s=]+["']?[a-zA-Z0-9_\-]{30,}["']?/gi, 'npm_token: [REDACTED]'],
+
+  // OpenAI / Anthropic
+  [/(sk-[a-zA-Z0-9]{20,}|sk-ant-[a-zA-Z0-9_\-]{50,})/gi, '[AI_API_KEY_REDACTED]'],
+  [/(openai[_-]?key|openai[_-]?token|anthropic[_-]?key)[":\s=]+["']?[a-zA-Z0-9_\-]{20,}["']?/gi, '$1: [REDACTED]'],
+
+  // Database URLs with credentials
+  [/(mysql|postgres|postgresql|mongodb|redis):\/\/[^:]+:[^@]+@/gi, '$1://[REDACTED]@'],
+
+  // JWT Tokens
+  [/eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/gi, '[JWT_REDACTED]'],
+
+  // Generic Bearer tokens
+  [/bearer\s+[a-zA-Z0-9_\-\.]{20,}/gi, 'bearer [TOKEN_REDACTED]'],
+
+  // Private keys
+  [/-----BEGIN [A-Z ]+ PRIVATE KEY-----[\s\S]*?-----END [A-Z ]+ PRIVATE KEY-----/gi, '[PRIVATE_KEY_REDACTED]'],
+
+  // Slack tokens
+  [/xox[baprs]-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}/gi, '[SLACK_TOKEN_REDACTED]'],
+
+  // Stripe keys
+  [/(sk|pk)_(live|test)_[a-zA-Z0-9]{24,}/gi, '[STRIPE_KEY_REDACTED]'],
+
+  // Environment variables with secrets
+  [/^(AWS_|AZURE_|GOOGLE_|STRIPE_|SENTRY_|DATADOG_)[A-Z_]+=.+$/gim, '$1[REDACTED]'],
+
+  // Generic "password" fields
+  [/"password"\s*:\s*"[^"]+"/gi, '"password": "[REDACTED]"'],
+  [/'password'\s*:\s*'[^']+'/gi, "'password': '[REDACTED]'"],
+
+  // Generic "secret" fields
+  [/"secret"\s*:\s*"[^"]+"/gi, '"secret": "[REDACTED]"'],
+  [/'secret'\s*:\s*'[^']+'/gi, "'secret': '[REDACTED]'"],
+
+  // Generic "token" fields
+  [/"token"\s*:\s*"[^"]+"/gi, '"token": "[REDACTED]"'],
+  [/'token'\s*:\s*'[^']+'/gi, "'token': '[REDACTED]'"],
+
+  // Authorization headers
+  [/authorization:\s*[bB]earer\s+[a-zA-Z0-9_\-\.]{20,}/gi, 'authorization: Bearer [TOKEN_REDACTED]'],
+  [/authorization:\s*[bB]asic\s+[a-zA-Z0-9_\-\.]{20,}/gi, 'authorization: Basic [CREDENTIALS_REDACTED]'],
+];
+
+/**
+ * Redact secrets from text content
+ * @param {string} content - The content to redact
+ * @returns {string} - Content with secrets redacted
+ */
+export function redactSecrets(content) {
+  if (!content || typeof content !== 'string') {
+    return content;
+  }
+
+  let redacted = content;
+
+  for (const [pattern, replacement] of SECRET_PATTERNS) {
+    // Reset lastIndex for global patterns
+    pattern.lastIndex = 0;
+    redacted = redacted.replace(pattern, replacement);
+  }
+
+  return redacted;
+}
+
+/**
+ * Redact secrets from an object (recursive)
+ * @param {object} obj - The object to redact
+ * @param {string[]} skipKeys - Keys to skip redaction
+ * @returns {object} - Object with secrets redacted
+ */
+export function redactObject(obj, skipKeys = ['path', 'filename', 'name']) {
+  if (!obj || typeof obj !== 'object') {
+    return obj;
+  }
+
+  if (Array.isArray(obj)) {
+    return obj.map(item => redactObject(item, skipKeys));
+  }
+
+  const redacted = {};
+  const secretKeys = ['password', 'secret', 'token', 'key', 'credential', 'auth', 'authorization', 'api_key', 'apikey'];
+
+  for (const [key, value] of Object.entries(obj)) {
+    // Skip non-secret keys
+    const lowerKey = key.toLowerCase();
+    if (skipKeys.some(skip => lowerKey.includes(skip.toLowerCase()))) {
+      redacted[key] = value;
+      continue;
+    }
+
+    // Check if this key might contain a secret
+    const isSecretKey = secretKeys.some(secret => lowerKey.includes(secret));
+
+    if (isSecretKey && typeof value === 'string') {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof value === 'object' && value !== null) {
+      redacted[key] = redactObject(value, skipKeys);
+    } else {
+      redacted[key] = value;
+    }
+  }
+
+  return redacted;
+}
+
+/**
+ * Redact secrets from a JSON string
+ * @param {string} jsonString - The JSON string to redact
+ * @returns {string} - JSON with secrets redacted
+ */
+export function redactJson(jsonString) {
+  try {
+    const obj = JSON.parse(jsonString);
+    const redacted = redactObject(obj);
+    return JSON.stringify(redacted, null, 2);
+  } catch {
+    // Not valid JSON, try as plain text
+    return redactSecrets(jsonString);
+  }
+}
+
+/**
+ * Check if content likely contains secrets (for logging)
+ * @param {string} content - The content to check
+ * @returns {boolean} - True if secrets are likely present
+ */
+export function likelyContainsSecrets(content) {
+  if (!content || typeof content !== 'string') {
+    return false;
+  }
+
+  const secretIndicators = [
+    /api[_-]?key/i,
+    /password/i,
+    /secret/i,
+    /token/i,
+    /credential/i,
+    /authorization/i,
+    /private[_-]?key/i,
+    /xox[baprs]/,
+    /sk-[a-zA-Z0-9]/,
+    /eyJ[a-zA-Z0-9_-]*\./,
+  ];
+
+  return secretIndicators.some(pattern => pattern.test(content));
+}