@claudemini/shit-cli 1.1.1 → 1.2.0

package/bin/shit.js

@@ -4,20 +4,22 @@ const args = process.argv.slice(2);
 const command = args[0];
 
 const commands = {
-  enable:  'Enable shit-cli in repository',
-  disable: 'Remove shit-cli hooks',
-  status:  'Show current session status',
-  init:    'Initialize hooks in .claude/settings.json',
-  log:     'Log a hook event (called by hooks)',
-  list:    'List all sessions',
-  view:    'View session details',
-  query:   'Query session memory (cross-session)',
-  rewind:  'Rollback to previous checkpoint',
-  resume:  'Resume session from checkpoint',
-  doctor:  'Fix or clean stuck sessions',
-  shadow:  'List shadow branches',
-  clean:   'Clean old sessions',
-  help:    'Show help',
+  enable:     'Enable shit-cli in repository',
+  disable:    'Remove shit-cli hooks',
+  status:     'Show current session status',
+  init:       'Initialize hooks in .claude/settings.json',
+  log:        'Log a hook event (called by hooks)',
+  commit:     'Create checkpoint on git commit (hook)',
+  list:       'List all sessions',
+  checkpoints:'List all checkpoints',
+  view:       'View session details',
+  query:      'Query session memory (cross-session)',
+  rewind:     'Rollback to previous checkpoint',
+  resume:     'Resume session from checkpoint',
+  doctor:     'Fix or clean stuck sessions',
+  shadow:     'List shadow branches',
+  clean:      'Clean old sessions',
+  help:       'Show help',
 };
 
 function showHelp() {

package/lib/checkpoint.js

@@ -0,0 +1,298 @@
+#!/usr/bin/env node
+
+/**
+ * Checkpoint module - manages checkpoints on git commit
+ * Inspired by Entire's approach:
+ *   - Branch: shit/checkpoints/v1/YYYY-MM-DD-<uuid>
+ *   - Each checkpoint is a commit linked to a code commit
+ *   - Supports multiple agents (Claude Code, Gemini CLI, Cursor, etc.)
+ */
+
+import { readdirSync, readFileSync, statSync, writeFileSync } from 'fs';
+import { execSync } from 'child_process';
+import { join, dirname } from 'path';
+import { redactSecrets } from './redact.js';
+
+function git(cmd, cwd) {
+  return execSync(`git ${cmd}`, { cwd, encoding: 'utf-8', timeout: 10000 }).trim();
+}
+
+function gitRaw(cmd, cwd, input) {
+  return execSync(`git ${cmd}`, {
+    cwd, encoding: 'utf-8', timeout: 10000,
+    input,
+  }).trim();
+}
+
+/**
+ * Detect which agent is running based on environment/hooks
+ */
+export function detectAgent() {
+  // Check for Claude Code
+  if (process.env.CLAUDE_AGENT_ID || process.env.CLAUDE_SESSION_ID) {
+    return { type: 'claude-code', name: 'Claude Code' };
+  }
+
+  // Check for Gemini CLI
+  if (process.env.GEMINI_API_KEY || process.env.GEMINI_CLI) {
+    return { type: 'gemini-cli', name: 'Gemini CLI' };
+  }
+
+  // Check for Cursor
+  if (process.env.CURSOR_SESSION_ID) {
+    return { type: 'cursor', name: 'Cursor' };
+  }
+
+  // Check for OpenCode
+  if (process.env.OPENCODE_SESSION_ID) {
+    return { type: 'opencode', name: 'OpenCode' };
+  }
+
+  // Check for common hook files
+  if (existsSync(join(process.cwd(), '.claude', 'settings.json'))) {
+    return { type: 'claude-code', name: 'Claude Code' };
+  }
+  if (existsSync(join(process.cwd(), '.gemini', 'settings.json'))) {
+    return { type: 'gemini-cli', name: 'Gemini CLI' };
+  }
+  if (existsSync(join(process.cwd(), '.cursor', 'hooks.json'))) {
+    return { type: 'cursor', name: 'Cursor' };
+  }
+
+  return { type: 'unknown', name: 'Unknown' };
+}
+
+/**
+ * Get agent-specific hook configuration
+ */
+export function getAgentHooks(agentType) {
+  const hooks = {
+    'claude-code': {
+      settingsFile: '.claude/settings.json',
+      sessionStart: 'SessionStart',
+      sessionEnd: 'SessionEnd',
+      prompt: 'UserPromptSubmit',
+      toolPre: 'PreToolUse',
+      toolPost: 'PostToolUse',
+    },
+    'gemini-cli': {
+      settingsFile: '.gemini/settings.json',
+      sessionStart: 'start',
+      sessionEnd: 'end',
+      prompt: 'prompt',
+      toolPre: 'tool_call',
+      toolPost: 'tool_result',
+    },
+    'cursor': {
+      settingsFile: '.cursor/hooks.json',
+      sessionStart: 'session_start',
+      sessionEnd: 'session_end',
+      prompt: 'user_message',
+      toolPre: 'tool_before',
+      toolPost: 'tool_after',
+    },
+    'opencode': {
+      settingsFile: '.opencode/plugins/shit.ts',
+      sessionStart: 'onSessionStart',
+      sessionEnd: 'onSessionEnd',
+      prompt: 'onUserMessage',
+      toolPre: 'onToolCall',
+      toolPost: 'onToolResult',
+    },
+  };
+
+  return hooks[agentType] || hooks['claude-code'];
+}
+
+/**
+ * Build a git tree from a directory with secret redaction
+ */
+function buildTree(cwd, dirPath, redact = true) {
+  const entries = readdirSync(dirPath);
+  const treeLines = [];
+
+  for (const name of entries) {
+    const fullPath = join(dirPath, name);
+    const stat = statSync(fullPath);
+
+    if (stat.isDirectory()) {
+      const subTreeSha = buildTree(cwd, fullPath, redact);
+      treeLines.push(`040000 tree ${subTreeSha}\t${name}`);
+    } else {
+      let content = readFileSync(fullPath);
+
+      // Redact secrets for sensitive files
+      if (redact && (name === 'events.jsonl' || name === 'prompts.txt')) {
+        content = redactSecrets(content.toString());
+      }
+
+      const blobSha = gitRaw('hash-object -w --stdin', cwd, content);
+      treeLines.push(`100644 blob ${blobSha}\t${name}`);
+    }
+  }
+
+  if (treeLines.length === 0) return null;
+  return gitRaw('mktree', cwd, treeLines.join('\n'));
+}
+
+/**
+ * Commit session checkpoint to shadow branch
+ * Branch format: shit/checkpoints/v1/YYYY-MM-DD-<session-id>
+ */
+export async function commitCheckpoint(projectRoot, sessionDir, sessionId, commitSha = null) {
+  // Verify we're in a git repo
+  try {
+    git('rev-parse --git-dir', projectRoot);
+  } catch {
+    return { success: false, reason: 'not a git repo' };
+  }
+
+  // Branch naming: shit/checkpoints/v1/YYYY-MM-DD-<short-uuid>
+  const datePart = sessionId.split('-').slice(0, 3).join('-');
+  const uuidPart = sessionId.split('-').slice(3).join('-').slice(0, 8);
+  const branchName = `shit/checkpoints/v1/${datePart}-${uuidPart}`;
+  const refPath = `refs/heads/${branchName}`;
+
+  // Get linked commit SHA
+  const linkedCommit = commitSha || git('rev-parse HEAD', projectRoot);
+  const linkedCommitShort = linkedCommit.slice(0, 12);
+
+  // Build tree from session directory with redaction
+  const sessionTree = buildTree(projectRoot, sessionDir, true);
+  if (!sessionTree) {
+    return { success: false, reason: 'empty session' };
+  }
+
+  // Wrap session files: .shit-logs/<session-id>/files
+  const wrapperLine = `040000 tree ${sessionTree}\t${sessionId}`;
+  const logsTree = gitRaw('mktree', projectRoot, wrapperLine);
+  const rootLine = `040000 tree ${logsTree}\t.shit-logs`;
+  const rootTree = gitRaw('mktree', projectRoot, rootLine);
+
+  // Check if branch already exists (for parent chaining)
+  let parentArg = '';
+  try {
+    const existing = git(`rev-parse ${refPath}`, projectRoot);
+    parentArg = `-p ${existing}`;
+  } catch {
+    // orphan - no parent
+  }
+
+  // Create commit message with linked commit
+  const timestamp = new Date().toISOString().replace('T', ' ').split('.')[0];
+  const message = `checkpoint ${sessionId.slice(0, 8)} @ ${linkedCommitShort} | ${timestamp}`;
+
+  const commitHash = git(
+    `commit-tree ${rootTree} ${parentArg} -m "${message}"`,
+    projectRoot
+  );
+
+  // Update branch ref
+  git(`update-ref ${refPath} ${commitHash}`, projectRoot);
+
+  // Save checkpoint info to state
+  const stateFile = join(sessionDir, 'state.json');
+  try {
+    let state = JSON.parse(readFileSync(stateFile, 'utf-8'));
+    state.checkpoints = state.checkpoints || [];
+    state.checkpoints.push({
+      branch: branchName,
+      commit: commitHash,
+      linked_commit: linkedCommit,
+      timestamp: new Date().toISOString(),
+    });
+    writeFileSync(stateFile, JSON.stringify(state, null, 2));
+  } catch {
+    // best effort
+  }
+
+  return {
+    success: true,
+    branch: branchName,
+    commit: commitHash,
+    linked_commit: linkedCommit,
+  };
+}
+
+/**
+ * List all checkpoints in the repo
+ */
+export function listCheckpoints(projectRoot) {
+  try {
+    const output = git('branch --list "shit/checkpoints/v1/*"', projectRoot);
+    const branches = output.split('\n').map(b => b.trim().replace(/^\*?\s*/, '')).filter(Boolean);
+
+    const checkpoints = [];
+
+    for (const branch of branches) {
+      try {
+        // Extract session info from branch name
+        const match = branch.match(/^shit\/checkpoints\/v1\/(\d{4}-\d{2}-\d{2})-([a-f0-9]+)$/);
+        if (match) {
+          const [, date, uuidShort] = match;
+
+          // Get commit info
+          const log = git(`log ${branch} --oneline -1`, projectRoot);
+          const commitMatch = log.match(/^([a-f0-9]+)\s+checkpoint/);
+          const commit = commitMatch ? commitMatch[1] : log.split(' ')[0];
+
+          // Get linked commit from message
+          const fullLog = git(`log ${branch} --format=%B -1`, projectRoot);
+          const linkedMatch = fullLog.match(/@ ([a-f0-9]+)/);
+          const linkedCommit = linkedMatch ? linkedMatch[1] : null;
+
+          checkpoints.push({
+            branch,
+            commit: commit.slice(0, 12),
+            linked_commit: linkedCommit,
+            date,
+            uuid: uuidShort,
+          });
+        }
+      } catch {
+        // Skip invalid branches
+      }
+    }
+
+    return checkpoints.sort((a, b) => b.date.localeCompare(a.date));
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Get checkpoint details
+ */
+export function getCheckpoint(projectRoot, branchOrCommit) {
+  try {
+    // Try as branch first
+    let branch = branchOrCommit;
+    try {
+      git('rev-parse --verify ' + branch, projectRoot);
+    } catch {
+      // Try as short commit
+      try {
+        branch = git('rev-parse --verify ' + branchOrCommit + '^{commit}', projectRoot);
+      } catch {
+        return null;
+      }
+    }
+
+    const log = git(`log ${branch} --format=%B -1`, projectRoot);
+    const files = git(`ls-tree -r --name-only ${branch}`, projectRoot);
+
+    // Extract linked commit
+    const linkedMatch = log.match(/@ ([a-f0-9]+)/);
+    const linkedCommit = linkedMatch ? linkedMatch[1] : null;
+
+    return {
+      branch,
+      commit: branch.slice(0, 12),
+      linked_commit: linkedCommit,
+      message: log,
+      files: files.split('\n').filter(Boolean),
+    };
+  } catch {
+    return null;
+  }
+}

package/lib/checkpoints.js

@@ -0,0 +1,66 @@
+#!/usr/bin/env node
+
+/**
+ * List checkpoints - shows all checkpoints created on git commits
+ * Inspired by Entire's checkpoint system
+ */
+
+import { existsSync } from 'fs';
+import { join } from 'path';
+import { listCheckpoints, getCheckpoint } from './checkpoint.js';
+
+function findProjectRoot() {
+  let dir = process.cwd();
+  while (dir !== '/') {
+    if (existsSync(join(dir, '.git'))) {
+      return dir;
+    }
+    dir = join(dir, '..');
+  }
+  throw new Error('Not in a git repository');
+}
+
+export default async function checkpoints(args) {
+  try {
+    const projectRoot = findProjectRoot();
+    const verbose = args.includes('--verbose') || args.includes('-v');
+    const json = args.includes('--json');
+
+    const list = listCheckpoints(projectRoot);
+
+    if (list.length === 0) {
+      if (json) {
+        console.log(JSON.stringify({ checkpoints: [] }));
+      } else {
+        console.log('No checkpoints found.');
+        console.log('Checkpoints are created when you run "shit commit" after git commit.');
+      }
+      return;
+    }
+
+    if (json) {
+      console.log(JSON.stringify({ checkpoints: list }, null, 2));
+      return;
+    }
+
+    console.log(`📸 Found ${list.length} checkpoint(s):\n`);
+
+    for (const cp of list) {
+      console.log(`Branch: ${cp.branch}`);
+      console.log(`  Commit: ${cp.commit}`);
+      console.log(`  Linked: ${cp.linked_commit || 'none'}`);
+      console.log(`  Date: ${cp.date}`);
+      console.log();
+    }
+
+    if (verbose) {
+      console.log('💡 Usage:');
+      console.log('  shit rewind <branch>     # Rollback to checkpoint');
+      console.log('  shit view <checkpoint>  # View checkpoint details');
+    }
+
+  } catch (error) {
+    console.error('❌ Failed to list checkpoints:', error.message);
+    process.exit(1);
+  }
+}

package/lib/commit.js

@@ -0,0 +1,68 @@
+#!/usr/bin/env node
+
+/**
+ * Git commit hook - creates checkpoint on every git commit
+ * Similar to Entire's approach: checkpoint created on git commit
+ */
+
+import { existsSync, readFileSync, writeFileSync } from 'fs';
+import { join } from 'path';
+import { execSync } from 'child_process';
+import { commitCheckpoint } from './checkpoint.js';
+
+function findProjectRoot() {
+  let dir = process.cwd();
+  while (dir !== '/') {
+    if (existsSync(join(dir, '.git'))) {
+      return dir;
+    }
+    dir = join(dir, '..');
+  }
+  throw new Error('Not in a git repository');
+}
+
+export default async function commitHook(args) {
+  try {
+    const projectRoot = findProjectRoot();
+
+    // Get the commit that was just created
+    const commitSha = args[0] || execSync('git rev-parse HEAD', { cwd: projectRoot, encoding: 'utf-8' }).trim();
+    const commitShort = commitSha.slice(0, 12);
+
+    console.log(`📸 Creating checkpoint for commit ${commitShort}...`);
+
+    // Find active session
+    const shitLogsDir = join(projectRoot, '.shit-logs');
+    if (!existsSync(shitLogsDir)) {
+      console.log('No .shit-logs directory found, skipping checkpoint');
+      return;
+    }
+
+    // Find the most recent session
+    const { readdirSync, statSync } = await import('fs');
+    const sessions = readdirSync(shitLogsDir)
+      .filter(name => name.match(/^\d{4}-\d{2}-\d{2}-[a-f0-9-]+$/))
+      .map(name => ({
+        name,
+        path: join(shitLogsDir, name),
+        mtime: statSync(join(shitLogsDir, name)).mtime
+      }))
+      .sort((a, b) => b.mtime - a.mtime);
+
+    if (sessions.length === 0) {
+      console.log('No active session found, skipping checkpoint');
+      return;
+    }
+
+    const activeSession = sessions[0];
+
+    // Create checkpoint
+    await commitCheckpoint(projectRoot, activeSession.path, activeSession.name, commitSha);
+
+    console.log(`✅ Checkpoint created for session ${activeSession.name}`);
+
+  } catch (error) {
+    console.error('Checkpoint creation failed:', error.message);
+    // Don't exit with error - checkpoint is best-effort
+  }
+}

package/lib/enable.js

@@ -3,6 +3,7 @@
 /**
  * Enable shit-cli in repository
  * Similar to 'entire enable' - sets up hooks and configuration
+ * Supports multiple agents: Claude Code, Gemini CLI, Cursor, OpenCode
  */
 
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
@@ -20,13 +21,68 @@ function findProjectRoot() {
   throw new Error('Not in a git repository');
 }
 
-function setupClaudeHooks(projectRoot) {
-  const claudeDir = join(projectRoot, '.claude');
-  const settingsFile = join(claudeDir, 'settings.json');
+// Agent-specific hook configurations
+const AGENT_HOOKS = {
+  'claude-code': {
+    dir: '.claude',
+    settingsFile: '.claude/settings.json',
+    hooks: {
+      'SessionStart': 'shit log session-start',
+      'SessionEnd': 'shit log session-end',
+      'UserPromptSubmit': 'shit log user-prompt-submit',
+      'PreToolUse': 'shit log pre-tool-use',
+      'PostToolUse': 'shit log post-tool-use',
+      'Stop': 'shit log stop',
+      'Notification': 'shit log notification',
+    }
+  },
+  'gemini-cli': {
+    dir: '.gemini',
+    settingsFile: '.gemini/settings.json',
+    hooks: {
+      'start': 'shit log start',
+      'end': 'shit log end',
+      'prompt': 'shit log prompt',
+      'tool_call': 'shit log tool_call',
+      'tool_result': 'shit log tool_result',
+    }
+  },
+  'cursor': {
+    dir: '.cursor',
+    settingsFile: '.cursor/hooks.json',
+    hooks: {
+      'session_start': 'shit log session_start',
+      'session_end': 'shit log session_end',
+      'user_message': 'shit log user_message',
+      'tool_before': 'shit log tool_before',
+      'tool_after': 'shit log tool_after',
+    }
+  },
+  'opencode': {
+    dir: '.opencode',
+    settingsFile: '.opencode/plugins/shit.ts',
+    hooks: {
+      'onSessionStart': 'shit log onSessionStart',
+      'onSessionEnd': 'shit log onSessionEnd',
+      'onUserMessage': 'shit log onUserMessage',
+      'onToolCall': 'shit log onToolCall',
+      'onToolResult': 'shit log onToolResult',
+    }
+  }
+};
 
-  // Create .claude directory if it doesn't exist
-  if (!existsSync(claudeDir)) {
-    mkdirSync(claudeDir, { recursive: true });
+function setupAgentHooks(projectRoot, agentType) {
+  const config = AGENT_HOOKS[agentType];
+  if (!config) {
+    throw new Error(`Unknown agent: ${agentType}. Supported: ${Object.keys(AGENT_HOOKS).join(', ')}`);
+  }
+
+  const agentDir = join(projectRoot, config.dir);
+  const settingsFile = join(projectRoot, config.settingsFile);
+
+  // Create agent directory if it doesn't exist
+  if (!existsSync(agentDir)) {
+    mkdirSync(agentDir, { recursive: true });
   }
 
   let settings = {};
@@ -41,15 +97,52 @@ function setupClaudeHooks(projectRoot) {
   // Add shit-cli hooks
   if (!settings.hooks) settings.hooks = {};
 
-  settings.hooks.session_start = 'shit log session_start';
-  settings.hooks.session_end = 'shit log session_end';
-  settings.hooks.tool_use = 'shit log tool_use';
-  settings.hooks.edit_applied = 'shit log edit_applied';
+  for (const [hookName, command] of Object.entries(config.hooks)) {
+    settings.hooks[hookName] = command;
+  }
+
+  // Ensure directory structure for opencode
+  if (agentType === 'opencode') {
+    const pluginsDir = join(projectRoot, '.opencode', 'plugins');
+    if (!existsSync(pluginsDir)) {
+      mkdirSync(pluginsDir, { recursive: true });
+    }
+  }
 
   writeFileSync(settingsFile, JSON.stringify(settings, null, 2));
   return settingsFile;
 }
 
+function setupGitCommitHook(projectRoot) {
+  // Add a git alias for automatic checkpoint on commit
+  const gitConfigFile = join(projectRoot, '.git', 'config');
+
+  try {
+    // Check if alias already exists
+    const config = existsSync(gitConfigFile) ? readFileSync(gitConfigFile, 'utf-8') : '';
+
+    if (!config.includes('shit-commit')) {
+      // Create a post-commit hook instead of using alias
+      const hooksDir = join(projectRoot, '.git', 'hooks');
+      if (!existsSync(hooksDir)) {
+        mkdirSync(hooksDir, { recursive: true });
+      }
+
+      const postCommitHook = join(hooksDir, 'post-commit');
+      const hookContent = `#!/bin/bash
+# shit-cli: Create checkpoint on git commit
+shit commit $GIT_COMMIT 2>/dev/null || true
+`;
+
+      writeFileSync(postCommitHook, hookContent);
+      execSync(`chmod +x "${postCommitHook}"`, { stdio: 'ignore' });
+      console.log('✅ Created post-commit hook for automatic checkpoints');
+    }
+  } catch {
+    // Best effort - git hooks are optional
+  }
+}
+
 function initializeShitLogs(projectRoot) {
   const shitDir = join(projectRoot, '.shit-logs');
   if (!existsSync(shitDir)) {
@@ -73,11 +166,43 @@ export default async function enable(args) {
   try {
     const projectRoot = findProjectRoot();
 
-    console.log('🔧 Enabling shit-cli in repository...');
+    // Parse arguments
+    const agents = [];
+    let addCheckpointHook = false;
+
+    for (const arg of args) {
+      if (arg === '--all') {
+        // Enable for all supported agents
+        agents.push(...Object.keys(AGENT_HOOKS));
+      } else if (arg === '--checkpoint' || arg === '-c') {
+        addCheckpointHook = true;
+      } else if (!arg.startsWith('-')) {
+        // Assume it's an agent name
+        if (AGENT_HOOKS[arg]) {
+          agents.push(arg);
+        } else {
+          console.log(`⚠️  Unknown agent: ${arg}. Supported: ${Object.keys(AGENT_HOOKS).join(', ')}`);
+        }
+      }
+    }
+
+    // Default to Claude Code if no agent specified
+    if (agents.length === 0) {
+      agents.push('claude-code');
+    }
+
+    console.log('🔧 Enabling shit-cli in repository...\n');
 
-    // Setup Claude Code hooks
-    const settingsFile = setupClaudeHooks(projectRoot);
-    console.log(`✅ Updated Claude hooks in ${settingsFile}`);
+    // Setup hooks for each agent
+    for (const agent of agents) {
+      const settingsFile = setupAgentHooks(projectRoot, agent);
+      console.log(`✅ Enabled ${AGENT_HOOKS[agent].dir} hooks: ${settingsFile}`);
+    }
+
+    // Setup git commit hook for checkpoints
+    if (addCheckpointHook) {
+      setupGitCommitHook(projectRoot);
+    }
 
     // Initialize .shit-logs directory
     initializeShitLogs(projectRoot);
@@ -97,10 +222,14 @@ export default async function enable(args) {
     }
 
     console.log('\n🎉 shit-cli enabled successfully!');
-    console.log('\nNext steps:');
-    console.log('  1. Start a Claude Code session');
-    console.log('  2. Use "shit status" to check session tracking');
-    console.log('  3. Use "shit list" to view logged sessions');
+    console.log('\nUsage:');
+    console.log('  shit status          # Show current session');
+    console.log('  shit list            # List all sessions');
+    console.log('  shit checkpoints    # List all checkpoints');
+    console.log('  shit commit          # Manually create checkpoint after git commit');
+    console.log('\nOptions:');
+    console.log('  --all               # Enable for all supported agents');
+    console.log('  --checkpoint, -c    # Enable automatic checkpoint on git commit');
 
   } catch (error) {
     console.error('❌ Failed to enable shit-cli:', error.message);

package/lib/log.js

@@ -50,12 +50,12 @@ export default async function log(args) {
   const classification = classifySession(intent, changes);
   generateReports(sessionDir, sessionId, state, intent, changes, classification);
 
-  // 4. On session end: shadow branch + update index
+  // 4. On session end: checkpoint + update index
   if (hookType === 'session-end' || hookType === 'stop') {
     try {
-      const { commitShadow } = await import('./git-shadow.js');
-      await commitShadow(projectRoot, sessionDir, sessionId);
-    } catch { /* shadow is best-effort */ }
+      const { commitCheckpoint } = await import('./checkpoint.js');
+      await commitCheckpoint(projectRoot, sessionDir, sessionId);
+    } catch { /* checkpoint is best-effort */ }
 
     try {
       updateIndex(logDir, sessionId, intent, classification, changes, state);

package/lib/redact.js

@@ -0,0 +1,170 @@
+#!/usr/bin/env node
+
+/**
+ * Secrets redaction module
+ * Best-effort redaction of sensitive information from logs
+ * Reference: Entire's security approach
+ */
+
+// Common secret patterns
+const SECRET_PATTERNS = [
+  // API Keys
+  [/(api[_-]?key|apikey|api[_-]?secret)[":\s=]+["']?([a-zA-Z0-9_\-]{20,})["']?/gi, '$1: [REDACTED]'],
+
+  // AWS
+  [/(aws[_-]?access[_-]?key[_-]?id|aws[_-]?secret[_-]?access[_-]?key)[":\s=]+["']?([A-Z0-9]{20,})["']?/gi, '$1: [REDACTED]'],
+  [/(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY)["\s=]+["']?([A-Za-z0-9\/+]{40})["']?/gi, '$1: [REDACTED]'],
+
+  // GitHub Tokens
+  [/(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}/gi, '[GITHUB_TOKEN_REDACTED]'],
+  [/github[_-]?(token|pat)[":\s=]+["']?[a-zA-Z0-9_]{36,}["']?/gi, 'github_token: [REDACTED]'],
+
+  // NPM Tokens
+  [/(npm|NPM)[_-]?[a-zA-Z0-9]{30,}/gi, '[NPM_TOKEN_REDACTED]'],
+  [/(npm[_-]?token|NPM_AUTH_TOKEN)[":\s=]+["']?[a-zA-Z0-9_\-]{30,}["']?/gi, 'npm_token: [REDACTED]'],
+
+  // OpenAI / Anthropic
+  [/(sk-[a-zA-Z0-9]{20,}|sk-ant-[a-zA-Z0-9_\-]{50,})/gi, '[AI_API_KEY_REDACTED]'],
+  [/(openai[_-]?key|openai[_-]?token|anthropic[_-]?key)[":\s=]+["']?[a-zA-Z0-9_\-]{20,}["']?/gi, '$1: [REDACTED]'],
+
+  // Database URLs with credentials
+  [/(mysql|postgres|postgresql|mongodb|redis):\/\/[^:]+:[^@]+@/gi, '$1://[REDACTED]@'],
+
+  // JWT Tokens
+  [/eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/gi, '[JWT_REDACTED]'],
+
+  // Generic Bearer tokens
+  [/bearer\s+[a-zA-Z0-9_\-\.]{20,}/gi, 'bearer [TOKEN_REDACTED]'],
+
+  // Private keys
+  [/-----BEGIN [A-Z ]+ PRIVATE KEY-----[\s\S]*?-----END [A-Z ]+ PRIVATE KEY-----/gi, '[PRIVATE_KEY_REDACTED]'],
+
+  // Slack tokens
+  [/xox[baprs]-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}/gi, '[SLACK_TOKEN_REDACTED]'],
+
+  // Stripe keys
+  [/(sk|pk)_(live|test)_[a-zA-Z0-9]{24,}/gi, '[STRIPE_KEY_REDACTED]'],
+
+  // Environment variables with secrets
+  [/^(AWS_|AZURE_|GOOGLE_|STRIPE_|SENTRY_|DATADOG_)[A-Z_]+=.+$/gim, '$1[REDACTED]'],
+
+  // Generic "password" fields
+  [/"password"\s*:\s*"[^"]+"/gi, '"password": "[REDACTED]"'],
+  [/'password'\s*:\s*'[^']+'/gi, "'password': '[REDACTED]'"],
+
+  // Generic "secret" fields
+  [/"secret"\s*:\s*"[^"]+"/gi, '"secret": "[REDACTED]"'],
+  [/'secret'\s*:\s*'[^']+'/gi, "'secret': '[REDACTED]'"],
+
+  // Generic "token" fields
+  [/"token"\s*:\s*"[^"]+"/gi, '"token": "[REDACTED]"'],
+  [/'token'\s*:\s*'[^']+'/gi, "'token': '[REDACTED]'"],
+
+  // Authorization headers
+  [/authorization:\s*[bB]earer\s+[a-zA-Z0-9_\-\.]{20,}/gi, 'authorization: Bearer [TOKEN_REDACTED]'],
+  [/authorization:\s*[bB]asic\s+[a-zA-Z0-9_\-\.]{20,}/gi, 'authorization: Basic [CREDENTIALS_REDACTED]'],
+];
+
+/**
+ * Redact secrets from text content
+ * @param {string} content - The content to redact
+ * @returns {string} - Content with secrets redacted
+ */
+export function redactSecrets(content) {
+  if (!content || typeof content !== 'string') {
+    return content;
+  }
+
+  let redacted = content;
+
+  for (const [pattern, replacement] of SECRET_PATTERNS) {
+    // Reset lastIndex for global patterns
+    pattern.lastIndex = 0;
+    redacted = redacted.replace(pattern, replacement);
+  }
+
+  return redacted;
+}
+
+/**
+ * Redact secrets from an object (recursive)
+ * @param {object} obj - The object to redact
+ * @param {string[]} skipKeys - Keys to skip redaction
+ * @returns {object} - Object with secrets redacted
+ */
+export function redactObject(obj, skipKeys = ['path', 'filename', 'name']) {
+  if (!obj || typeof obj !== 'object') {
+    return obj;
+  }
+
+  if (Array.isArray(obj)) {
+    return obj.map(item => redactObject(item, skipKeys));
+  }
+
+  const redacted = {};
+  const secretKeys = ['password', 'secret', 'token', 'key', 'credential', 'auth', 'authorization', 'api_key', 'apikey'];
+
+  for (const [key, value] of Object.entries(obj)) {
+    // Skip non-secret keys
+    const lowerKey = key.toLowerCase();
+    if (skipKeys.some(skip => lowerKey.includes(skip.toLowerCase()))) {
+      redacted[key] = value;
+      continue;
+    }
+
+    // Check if this key might contain a secret
+    const isSecretKey = secretKeys.some(secret => lowerKey.includes(secret));
+
+    if (isSecretKey && typeof value === 'string') {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof value === 'object' && value !== null) {
+      redacted[key] = redactObject(value, skipKeys);
+    } else {
+      redacted[key] = value;
+    }
+  }
+
+  return redacted;
+}
+
+/**
+ * Redact secrets from a JSON string
+ * @param {string} jsonString - The JSON string to redact
+ * @returns {string} - JSON with secrets redacted
+ */
+export function redactJson(jsonString) {
+  try {
+    const obj = JSON.parse(jsonString);
+    const redacted = redactObject(obj);
+    return JSON.stringify(redacted, null, 2);
+  } catch {
+    // Not valid JSON, try as plain text
+    return redactSecrets(jsonString);
+  }
+}
+
+/**
+ * Check if content likely contains secrets (for logging)
+ * @param {string} content - The content to check
+ * @returns {boolean} - True if secrets are likely present
+ */
+export function likelyContainsSecrets(content) {
+  if (!content || typeof content !== 'string') {
+    return false;
+  }
+
+  const secretIndicators = [
+    /api[_-]?key/i,
+    /password/i,
+    /secret/i,
+    /token/i,
+    /credential/i,
+    /authorization/i,
+    /private[_-]?key/i,
+    /xox[baprs]/,
+    /sk-[a-zA-Z0-9]/,
+    /eyJ[a-zA-Z0-9_-]*\./,
+  ];
+
+  return secretIndicators.some(pattern => pattern.test(content));
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@claudemini/shit-cli",
-  "version": "1.1.1",
+  "version": "1.2.0",
   "description": "Session-based Hook Intelligence Tracker - CLI tool for logging Claude Code hooks",
   "type": "module",
   "bin": {