@jmylchreest/aide-plugin 0.0.39 → 0.0.42

package/src/core/types.ts

@@ -15,6 +15,27 @@ export interface AideConfig {
     /** Auto-export on session end (default: false) */
     autoExport?: boolean;
   };
+  findings?: {
+    /** Complexity analyser settings */
+    complexity?: {
+      /** Cyclomatic complexity threshold (default: 10) */
+      threshold?: number;
+    };
+    /** Import coupling analyser settings */
+    coupling?: {
+      /** Fan-out threshold — max outgoing imports (default: 15) */
+      fanOut?: number;
+      /** Fan-in threshold — max incoming imports (default: 20) */
+      fanIn?: number;
+    };
+    /** Code clone detection settings */
+    clones?: {
+      /** Sliding window size in tokens (default: 50) */
+      windowSize?: number;
+      /** Minimum clone size in lines (default: 6) */
+      minLines?: number;
+    };
+  };
 }
 
 export const DEFAULT_CONFIG: AideConfig = {};

package/src/lib/aide-downloader.ts

@@ -468,14 +468,6 @@ Then restart Claude Code to use the new version.`;
   };
 }
 
-/**
- * Synchronous version for simple existence check (no download, no version check)
- * Use ensureAideBinary() for full functionality
- */
-export function findAideBinarySync(cwd?: string): string | null {
-  return findAideBinary(cwd);
-}
-
 // --- CLI Mode ---
 // Run as standalone script for postinstall or manual download
 

package/src/lib/hook-utils.ts

@@ -1,80 +1,70 @@
 /**
- * Shared utilities for Claude Code hooks
+ * Shared utilities for Claude Code hooks.
  *
- * This module provides common functions used across multiple hooks
- * to reduce code duplication and ensure consistent behavior.
+ * readStdin() is the only unique implementation here. All other functions
+ * are convenience wrappers around src/core/aide-client.ts that resolve the
+ * binary from AIDE_PLUGIN_ROOT / CLAUDE_PLUGIN_ROOT automatically.
  */
 
-import { execSync, execFileSync } from "child_process";
-import { existsSync, realpathSync } from "fs";
-import { join } from "path";
-import { debug } from "./logger.js";
+import {
+  findAideBinary as clientFindBinary,
+  runAide as clientRunAide,
+  setState,
+  getState,
+  deleteState,
+  clearAgentState as clientClearAgentState,
+  sanitizeForLog,
+  shellEscape,
+} from "../core/aide-client.js";
 
-const SOURCE = "hook-utils";
+export { sanitizeForLog, shellEscape };
+
+/** Maximum stdin payload size: 50 MiB. Prevents unbounded memory allocation. */
+const MAX_STDIN_BYTES = 50 * 1024 * 1024;
 
 /**
- * Read JSON input from stdin (used by all hooks)
+ * Read JSON input from stdin (used by all hooks).
+ * Rejects payloads exceeding MAX_STDIN_BYTES.
  */
 export async function readStdin(): Promise<string> {
   const chunks: Buffer[] = [];
+  let totalBytes = 0;
   for await (const chunk of process.stdin) {
+    totalBytes += chunk.length;
+    if (totalBytes > MAX_STDIN_BYTES) {
+      throw new Error(
+        `stdin payload exceeds ${MAX_STDIN_BYTES} bytes, rejecting`,
+      );
+    }
     chunks.push(chunk);
   }
   return Buffer.concat(chunks).toString("utf-8");
 }
 
 /**
- * Find the aide binary — canonical implementation.
- *
- * Search order:
- *   1. <CLAUDE_PLUGIN_ROOT>/bin/aide  (CLAUDE_PLUGIN_ROOT = project root)
- *   2. PATH fallback                  (system-wide install)
+ * Get the plugin root directory from environment variables.
+ */
+function getPluginRoot(): string | undefined {
+  return process.env.AIDE_PLUGIN_ROOT || process.env.CLAUDE_PLUGIN_ROOT;
+}
+
+/**
+ * Find the aide binary — Claude Code convenience wrapper.
  *
- * All hooks and utilities should use this single function.
+ * Reads AIDE_PLUGIN_ROOT / CLAUDE_PLUGIN_ROOT from the environment
+ * and delegates to the platform-agnostic aide-client implementation.
  */
 export function findAideBinary(cwd?: string): string | null {
-  let pluginRoot =
-    process.env.AIDE_PLUGIN_ROOT || process.env.CLAUDE_PLUGIN_ROOT;
-  // Resolve symlinks (e.g., src-office -> dtkr4-cnjjf)
-  if (pluginRoot) {
-    try {
-      pluginRoot = realpathSync(pluginRoot);
-    } catch (err) {
-      debug(SOURCE, `realpath failed for pluginRoot ${pluginRoot}: ${err}`);
-    }
-  }
-  if (pluginRoot) {
-    const pluginBinary = join(pluginRoot, "bin", "aide");
-    if (existsSync(pluginBinary)) {
-      return pluginBinary;
-    }
-  }
-
-  // PATH fallback
-  try {
-    const result = execSync("which aide", { stdio: "pipe", timeout: 2000 })
-      .toString()
-      .trim();
-    if (result) return result;
-  } catch (err) {
-    debug(SOURCE, `aide not found in PATH: ${err}`);
-  }
-
-  return null;
+  return clientFindBinary({ cwd, pluginRoot: getPluginRoot() });
 }
 
 /**
- * Escape a string for safe shell usage
+ * Run an aide command with the auto-discovered binary.
  */
-export function shellEscape(str: string): string {
-  return str
-    .replace(/\\/g, "\\\\")
-    .replace(/"/g, '\\"')
-    .replace(/\$/g, "\\$")
-    .replace(/`/g, "\\`")
-    .replace(/!/g, "\\!")
-    .replace(/\n/g, " ")
-    .slice(0, 1000);
+export function runAide(cwd: string, args: string[]): string | null {
+  const binary = findAideBinary(cwd);
+  if (!binary) return null;
+  return clientRunAide(binary, cwd, args);
 }
 
 /**
@@ -88,16 +78,7 @@ export function setMemoryState(
 ): boolean {
   const binary = findAideBinary(cwd);
   if (!binary) return false;
-
-  try {
-    const args = ["state", "set", key, value];
-    if (agentId) args.push(`--agent=${agentId}`);
-    execFileSync(binary, args, { cwd, stdio: "pipe", timeout: 5000 });
-    return true;
-  } catch (err) {
-    debug(SOURCE, `setMemoryState failed for key=${key}: ${err}`);
-    return false;
-  }
+  return setState(binary, cwd, key, value, agentId);
 }
 
 /**
@@ -110,22 +91,7 @@ export function getMemoryState(
 ): string | null {
   const binary = findAideBinary(cwd);
   if (!binary) return null;
-
-  try {
-    const args = ["state", "get", key];
-    if (agentId) args.push(`--agent=${agentId}`);
-    const output = execFileSync(binary, args, {
-      cwd,
-      encoding: "utf-8",
-      timeout: 5000,
-    });
-    // Parse output format: "key = value" or "[agent] key = value"
-    const match = output.match(/=\s*(.+)$/m);
-    return match ? match[1].trim() : null;
-  } catch (err) {
-    debug(SOURCE, `getMemoryState failed for key=${key}: ${err}`);
-    return null;
-  }
+  return getState(binary, cwd, key, agentId);
 }
 
 /**
@@ -138,16 +104,7 @@ export function deleteMemoryState(
 ): boolean {
   const binary = findAideBinary(cwd);
   if (!binary) return false;
-
-  try {
-    // For agent-specific keys, we need to construct the full key
-    const fullKey = agentId ? `agent:${agentId}:${key}` : key;
-    execFileSync(binary, ["state", "delete", fullKey], { cwd, stdio: "pipe" });
-    return true;
-  } catch (err) {
-    debug(SOURCE, `deleteMemoryState failed for key=${key}: ${err}`);
-    return false;
-  }
+  return deleteState(binary, cwd, key, agentId);
 }
 
 /**
@@ -156,30 +113,5 @@ export function deleteMemoryState(
 export function clearAgentState(cwd: string, agentId: string): boolean {
   const binary = findAideBinary(cwd);
   if (!binary) return false;
-
-  try {
-    execFileSync(binary, ["state", "clear", `--agent=${agentId}`], {
-      cwd,
-      stdio: "pipe",
-    });
-    return true;
-  } catch (err) {
-    debug(SOURCE, `clearAgentState failed for agent=${agentId}: ${err}`);
-    return false;
-  }
-}
-
-/**
- * Run an aide command with proper escaping
- */
-export function runAide(cwd: string, args: string[]): string | null {
-  const binary = findAideBinary(cwd);
-  if (!binary) return null;
-
-  try {
-    return execFileSync(binary, args, { cwd, encoding: "utf-8" });
-  } catch (err) {
-    debug(SOURCE, `runAide failed: ${args.join(" ")}: ${err}`);
-    return null;
-  }
+  return clientClearAgentState(binary, cwd, agentId);
 }

package/src/lib/hud.ts

@@ -97,7 +97,7 @@ const ICONS = {
 };
 
 /**
- * Get all agent states from aide-memory
+ * Get all agent states from aide state store
  */
 export function getAgentStates(cwd: string): AgentState[] {
   const output = runAide(cwd, ["state", "list"]);
@@ -165,7 +165,7 @@ export function loadHudConfig(cwd: string): HudConfig {
 }
 
 /**
- * Get current session state from aide-memory
+ * Get current session state from aide state store
  */
 export function getSessionState(cwd: string): SessionState {
   const state: SessionState = {

package/src/lib/skills-registry.ts

@@ -31,7 +31,7 @@ import {
   copyFileSync,
   unlinkSync,
 } from "fs";
-import { join, basename } from "path";
+import { join, basename, resolve } from "path";
 import { homedir } from "os";
 
 export interface SkillMetadata {
@@ -121,6 +121,30 @@ export function saveRegistry(cwd: string, registry: SkillsRegistry): void {
   writeFileSync(join(cwd, REGISTRY_FILE), JSON.stringify(registry, null, 2));
 }
 
+/**
+ * Sanitize a skill name to prevent path traversal.
+ * Strips path separators and rejects names that would escape the target directory.
+ */
+function sanitizeSkillName(name: string): string {
+  // Take only the basename to strip any directory components
+  const safe = basename(name).replace(/[^a-zA-Z0-9._-]/g, "_");
+  if (!safe || safe === "." || safe === "..") {
+    throw new Error(`Invalid skill name: ${name}`);
+  }
+  return safe;
+}
+
+/**
+ * Validate that a resolved path stays within the expected directory.
+ */
+function assertWithinDir(filePath: string, dir: string): void {
+  const resolved = resolve(filePath);
+  const resolvedDir = resolve(dir);
+  if (!resolved.startsWith(resolvedDir + "/") && resolved !== resolvedDir) {
+    throw new Error(`Path traversal detected: ${filePath} escapes ${dir}`);
+  }
+}
+
 /**
  * Install a skill from skills.sh or a URL
  *
@@ -201,8 +225,10 @@ export async function installSkill(
     version = meta.version || version;
   }
 
-  // Write skill file
+  // Sanitize name and write skill file
+  name = sanitizeSkillName(name);
   const skillPath = join(targetDir, `${name}.md`);
+  assertWithinDir(skillPath, targetDir);
   writeFileSync(skillPath, content);
 
   // Update registry
@@ -242,8 +268,10 @@ export function uninstallSkill(cwd: string, name: string): boolean {
     return false;
   }
 
-  // Remove file
-  const skillPath = join(cwd, SKILLS_DIR, `${name}.md`);
+  // Sanitize name and remove file
+  const safeName = sanitizeSkillName(name);
+  const skillPath = join(cwd, SKILLS_DIR, `${safeName}.md`);
+  assertWithinDir(skillPath, join(cwd, SKILLS_DIR));
   if (existsSync(skillPath)) {
     try {
       unlinkSync(skillPath);

package/src/lib/worktree.ts

@@ -23,7 +23,7 @@
  * 3. Error handling and edge cases are better tested
  */
 
-import { execSync, execFileSync } from "child_process";
+import { execFileSync } from "child_process";
 import {
   existsSync,
   mkdirSync,
@@ -34,6 +34,9 @@ import {
   statSync,
 } from "fs";
 import { join } from "path";
+import { debug } from "./logger.js";
+
+const SOURCE = "worktree";
 
 export type WorktreeStatus = "active" | "agent-complete" | "merged";
 
@@ -129,7 +132,7 @@ export function createWorktree(
   agentId: string,
 ): Worktree | null {
   if (!isGitRepo(cwd)) {
-    console.error("Not a git repository");
+    debug(SOURCE, "Not a git repository");
     return null;
   }
 
@@ -184,7 +187,7 @@ export function createWorktree(
 
     return worktree;
   } catch (error) {
-    console.error(`Failed to create worktree: ${error}`);
+    debug(SOURCE, `Failed to create worktree: ${error}`);
     return null;
   }
 }
@@ -197,7 +200,7 @@ export function removeWorktree(cwd: string, name: string): boolean {
   const worktree = state.active.find((w) => w.name === name);
 
   if (!worktree) {
-    console.error(`Worktree not found: ${name}`);
+    debug(SOURCE, `Worktree not found: ${name}`);
     return false;
   }
 
@@ -220,7 +223,7 @@ export function removeWorktree(cwd: string, name: string): boolean {
 
     return true;
   } catch (error) {
-    console.error(`Failed to remove worktree: ${error}`);
+    debug(SOURCE, `Failed to remove worktree: ${error}`);
     return false;
   }
 }
@@ -233,7 +236,7 @@ export function mergeWorktree(cwd: string, name: string): boolean {
   const worktree = state.active.find((w) => w.name === name);
 
   if (!worktree) {
-    console.error(`Worktree not found: ${name}`);
+    debug(SOURCE, `Worktree not found: ${name}`);
     return false;
   }
 
@@ -250,7 +253,7 @@ export function mergeWorktree(cwd: string, name: string): boolean {
 
     return true;
   } catch (error) {
-    console.error(`Failed to merge worktree: ${error}`);
+    debug(SOURCE, `Failed to merge worktree: ${error}`);
     return false;
   }
 }
@@ -315,7 +318,7 @@ export function registerWorktree(
   agentId: string,
 ): Worktree | null {
   if (!existsSync(worktreePath)) {
-    console.error(`Worktree path does not exist: ${worktreePath}`);
+    debug(SOURCE, `Worktree path does not exist: ${worktreePath}`);
     return null;
   }
 
@@ -452,32 +455,3 @@ export function getWorktreesReadyForMerge(cwd: string): Worktree[] {
   const state = loadWorktreeState(cwd);
   return state.active.filter((w) => w.status === "agent-complete");
 }
-
-/**
- * Execute command in a worktree
- * WARNING: This function executes arbitrary shell commands. Only call with trusted input.
- * Used internally for running git commands and build tools in isolated worktrees.
- */
-export function execInWorktree(
-  cwd: string,
-  name: string,
-  command: string,
-): string | null {
-  const state = loadWorktreeState(cwd);
-  const worktree = state.active.find((w) => w.name === name);
-
-  if (!worktree) {
-    console.error(`Worktree not found: ${name}`);
-    return null;
-  }
-
-  try {
-    return execSync(command, {
-      cwd: worktree.path,
-      encoding: "utf-8",
-    });
-  } catch (error) {
-    console.error(`Command failed in worktree: ${error}`);
-    return null;
-  }
-}

package/src/opencode/hooks.ts

@@ -372,6 +372,18 @@ async function handleSessionCreated(
   if (state.initializedSessions.has(sessionId)) return;
   state.initializedSessions.add(sessionId);
 
+  // Defensive cap: if sessions leak without cleanup, evict oldest entries.
+  // Normal operation has only 1-2 concurrent sessions.
+  if (state.initializedSessions.size > 100) {
+    const entries = Array.from(state.initializedSessions);
+    const keepFrom = Math.floor(entries.length / 2);
+    state.initializedSessions.clear();
+    for (let i = keepFrom; i < entries.length; i++) {
+      state.initializedSessions.add(entries[i]);
+    }
+    debug(SOURCE, `Evicted ${keepFrom} stale entries from initializedSessions`);
+  }
+
   state.sessionState = initializeSession(sessionId, state.cwd);
 
   // Track this session for per-session context injection
@@ -380,6 +392,16 @@ async function handleSessionCreated(
     createdAt: new Date().toISOString(),
   });
 
+  // Defensive cap for sessionInfoMap (mirrors initializedSessions cap)
+  if (state.sessionInfoMap.size > 100) {
+    const entries = Array.from(state.sessionInfoMap.keys());
+    const keepFrom = Math.floor(entries.length / 2);
+    for (let i = 0; i < keepFrom; i++) {
+      state.sessionInfoMap.delete(entries[i]);
+    }
+    debug(SOURCE, `Evicted ${keepFrom} stale entries from sessionInfoMap`);
+  }
+
   // Register session as an "agent" in aide state for visibility
   if (state.binary) {
     try {
@@ -427,7 +449,11 @@ async function handleSessionIdle(
   // Check persistence: if ralph/autopilot mode is active, re-prompt the session
   if (state.binary) {
     try {
-      const persistResult = checkPersistence(state.binary, state.cwd);
+      const persistResult = checkPersistence(
+        state.binary,
+        state.cwd,
+        sessionId,
+      );
       if (persistResult) {
         const activeMode = getActiveMode(state.binary, state.cwd);
         debug(