@link-assistant/hive-mind 1.64.1 → 1.64.3

package/src/solve.results.lib.mjs

@@ -28,6 +28,14 @@ import { safeExit } from './exit-handler.lib.mjs';
 const githubLib = await import('./github.lib.mjs');
 const { sanitizeLogContent, attachLogToGitHub } = githubLib;
 
+// Issue #1745: process-wide sanitization counters used to print a one-line
+// "we masked N secrets" summary at the end of each run.
+const { formatSanitizationSummary } = await import('./token-sanitization.lib.mjs');
+// Issue #1745: post-finish retroactive sanitization of bot-authored PR
+// comments and the PR description. Runs by default; can be skipped via
+// --dangerously-skip-output-sanitization.
+const { runPostFinishSweep } = await import('./post-finish-sanitization-sweep.lib.mjs');
+
 // Import continuation functions (session resumption, PR detection)
 const autoContinue = await import('./solve.auto-continue.lib.mjs');
 const { autoContinueWhenLimitResets } = autoContinue;
@@ -556,6 +564,17 @@ export const cleanupClaudeFile = async (tempDir, branchName, claudeCommitHash =
 export const showSessionSummary = async (sessionId, limitReached, argv, issueUrl, tempDir, shouldAttachLogs = false) => {
   await log('\n=== Session Summary ===');
 
+  // Issue #1745: report how many tokens were masked during this run, with the
+  // "use --dangerously-skip-output-sanitization to skip" hint when > 0.
+  try {
+    const sanitizationSummary = formatSanitizationSummary();
+    if (sanitizationSummary) {
+      await log(sanitizationSummary);
+    }
+  } catch {
+    /* never fail the summary because of this */
+  }
+
   if (sessionId) {
     await log(`✅ Session ID: ${sessionId}`);
     // Always use absolute path for log file display
@@ -622,6 +641,39 @@ export const showSessionSummary = async (sessionId, limitReached, argv, issueUrl
     const logFilePath = path.resolve(getLogFile());
     await log(`📁 Log file available: ${logFilePath}`);
   }
+
+  // Issue #1745: post-finish retroactive sanitization sweep. Re-reads
+  // bot-authored PR comments and the PR description, runs them through
+  // sanitizeOutput, and edits in place if a leak slipped past the live
+  // sanitizer. Honors --dangerously-skip-output-sanitization and the related
+  // active-tokens flag.
+  try {
+    const owner = argv.owner;
+    const repo = argv.repo;
+    const prNumber = argv.prNumber;
+    const skipOutputSanitization = argv['dangerously-skip-output-sanitization'] === true;
+    const skipActiveTokensOutputSanitization = argv['dangerously-skip-active-tokens-output-sanitization'] === true;
+    if (owner && repo && prNumber && !skipOutputSanitization) {
+      const sweepResult = await runPostFinishSweep({
+        $,
+        owner,
+        repo,
+        prNumber,
+        log,
+        sanitizationOptions: {
+          warnOnMismatch: false,
+          skipActiveTokensOutputSanitization,
+        },
+      });
+      if (sweepResult.totalEdited > 0) {
+        await log(`🔒 Post-finish sweep: edited ${sweepResult.totalEdited} bot-authored item(s) to mask leaked tokens.`);
+        const followup = formatSanitizationSummary(sweepResult.sanitizationStatsAfter);
+        if (followup) await log(followup);
+      }
+    }
+  } catch (sweepErr) {
+    await log(`⚠️ Post-finish sanitization sweep failed: ${sweepErr.message || sweepErr}`);
+  }
 };
 
 // Verify results by searching for new PRs and comments

package/src/telegram-bot.mjs

@@ -1109,6 +1109,46 @@ registerStartStopCommands(bot, sharedCommandOpts);
 await registerLogCommand(bot, sharedCommandOpts);
 await registerTerminalWatchCommand(bot, sharedCommandOpts);
 
+// Issue #1745: hidden /tokens command for chat owners (private DMs only,
+// undocumented, masked output). Lets operators audit which local tokens are
+// live in the bot's environment so they can search for accidental leaks.
+const { registerTokensCommand } = await import('./telegram-tokens-command.lib.mjs');
+registerTokensCommand(bot, { ...sharedCommandOpts, allowedChats });
+
+// Issue #1745: register the leak-warning DM hook. The interactive bridge
+// fires reportInteractiveLeak() whenever it has to mask a known-local token
+// in an outbound PR comment. We DM every operator (chat creator) of every
+// allowlisted chat so at least one of them sees it quickly.
+const { registerLeakNotifier } = await import('./telegram-leak-notifier.lib.mjs');
+registerLeakNotifier(async ({ owner, repo, prNumber, tokenHits = [] }) => {
+  if (!allowedChats || allowedChats.length === 0) return;
+  const where = prNumber ? `${owner}/${repo}#${prNumber}` : `${owner}/${repo}`;
+  const sources = tokenHits.length ? tokenHits.map(h => `${h.name} (${h.source})`).join(', ') : 'unknown';
+  const text = `🚨 *Token-leak event*\n\nA known local token was about to be published in *${where}* and was masked by the sanitizer just in time.\n\nTokens detected: ${sources}\n\nRotate the affected secret(s) now and check public surfaces (GitHub comments, gists, Slack) for any prior copies.`;
+  for (const chatId of allowedChats) {
+    try {
+      const member = await bot.telegram.getChatMember(chatId, chatId).catch(() => null);
+      // For groups, getChatMember(chatId, chatId) returns the chat itself; we
+      // really want the creator. Fall back to getChatAdministrators.
+      let ownerUserId = null;
+      if (member && member.status === 'creator' && member.user?.id) {
+        ownerUserId = member.user.id;
+      } else {
+        const admins = await bot.telegram.getChatAdministrators(chatId).catch(() => []);
+        const creator = (admins || []).find(a => a.status === 'creator');
+        if (creator && creator.user?.id) ownerUserId = creator.user.id;
+      }
+      if (ownerUserId) {
+        await bot.telegram.sendMessage(ownerUserId, text, { parse_mode: 'Markdown' }).catch(err => {
+          console.warn(`[telegram-leak-notifier] DM to user ${ownerUserId} (chat ${chatId}) failed: ${err.message}`);
+        });
+      }
+    } catch (err) {
+      console.warn(`[telegram-leak-notifier] could not notify owner of chat ${chatId}: ${err.message}`);
+    }
+  }
+});
+
 // Add message listener for verbose debugging
 if (VERBOSE) {
   bot.on('message', (ctx, next) => {

package/src/telegram-leak-notifier.lib.mjs

@@ -0,0 +1,79 @@
+#!/usr/bin/env node
+/**
+ * Telegram leak-notifier (Issue #1745)
+ *
+ * The interactive AI bridge calls `reportInteractiveLeak()` whenever it
+ * detects that a comment body it was about to publish contained a
+ * known-local token. The sanitizer masks the token before it goes out, but
+ * we still want the chat owner who started the session to know — quickly,
+ * out-of-band — so they can rotate the token immediately.
+ *
+ * The Telegram bot calls `registerLeakNotifier()` on startup with a callback
+ * that knows how to DM the chat owner. We keep this contract intentionally
+ * small (callback-based, no direct telegraf import) so:
+ *
+ *   1. interactive-mode.lib.mjs doesn't have to depend on telegraf at all
+ *      (avoids a heavy import in the AI subprocess).
+ *   2. Tests can register a no-op (or assertion-collecting) notifier.
+ *   3. solve.mjs running outside the Telegram bot process degrades gracefully
+ *      to a console warning.
+ *
+ * @see docs/case-studies/issue-1745/analysis.md
+ * @module telegram-leak-notifier
+ */
+
+let registeredNotifier = null;
+
+/**
+ * Telegram bot calls this once during startup so the AI bridge has a way
+ * to send out-of-band leak warnings.
+ *
+ * @param {Function} notifier  async ({ owner, repo, prNumber, tokenHits }) => void
+ */
+export const registerLeakNotifier = notifier => {
+  registeredNotifier = typeof notifier === 'function' ? notifier : null;
+};
+
+/** Test hook — clear the registered notifier between tests. */
+export const clearLeakNotifierForTests = () => {
+  registeredNotifier = null;
+};
+
+/**
+ * Issue #1745 — fired by interactive-mode.lib.mjs when it had to mask a
+ * known-local token in an outbound comment.
+ *
+ * Always succeeds. If no notifier is registered (we're running outside the
+ * Telegram bot process) it falls back to a structured console warning.
+ *
+ * @param {Object} params
+ * @param {string} params.owner       repo owner
+ * @param {string} params.repo        repo name
+ * @param {number} [params.prNumber]  pull-request number, when applicable
+ * @param {Array<{name: string, source: string}>} [params.tokenHits]
+ *   list of token identifiers (NEVER the values) that were detected.
+ * @param {Function} [params.log]     async logger from interactive-mode
+ */
+export const reportInteractiveLeak = async ({ owner, repo, prNumber, tokenHits = [], log } = {}) => {
+  const fallbackLog = log || (async msg => console.warn(msg));
+
+  const summary = tokenHits.length ? tokenHits.map(h => `${h.name} (${h.source})`).join(', ') : 'unknown';
+
+  const where = prNumber ? `${owner}/${repo}#${prNumber}` : `${owner}/${repo}`;
+
+  await fallbackLog(`🚨 Token-leak event: ${summary} found in outbound comment for ${where} (sanitizer masked it).`);
+
+  if (registeredNotifier) {
+    try {
+      await registeredNotifier({ owner, repo, prNumber, tokenHits });
+    } catch (err) {
+      await fallbackLog(`⚠️ Telegram leak notifier threw: ${err.message}`);
+    }
+  }
+};
+
+export default {
+  registerLeakNotifier,
+  reportInteractiveLeak,
+  clearLeakNotifierForTests,
+};

package/src/telegram-tokens-command.lib.mjs

@@ -0,0 +1,151 @@
+#!/usr/bin/env node
+/**
+ * Telegram /tokens command — hidden, owner-only, private-chat only.
+ *
+ * Lists every known LOCAL token the bot can see (env vars + GitHub CLI
+ * tokens), already masked via `maskToken` (3-char prefix/suffix per
+ * issue #1745). Useful for spot-checking which secrets are live in the
+ * bot's environment so the operator can search for them in public places
+ * before they become a leak.
+ *
+ * Privacy / safety guarantees:
+ *
+ *  - Hidden command. Not advertised in /help. Not part of the BotFather
+ *    command list.
+ *  - Private-chat only. Never echoes tokens (even masked) into a group chat.
+ *  - Authenticated. The user must own (`status === 'creator'`) at least one
+ *    chat that is on the allowlist — i.e. they're an actual operator of
+ *    this bot, not a random DMer.
+ *  - Output is always masked. We never print raw values.
+ *
+ * @see https://github.com/link-assistant/hive-mind/issues/1745
+ * @module telegram-tokens-command
+ */
+
+import { getAllKnownLocalTokens } from './token-sanitization.lib.mjs';
+import { maskToken } from './lib.mjs';
+
+/**
+ * Resolve allowed chat IDs into an array of numeric IDs the user could own.
+ * Accepts:
+ *   - Array<number|string>
+ *   - Function returning Array<number|string>
+ *   - undefined / null  (treated as "any" — useful in private bot deployments)
+ *
+ * @param {Array|Function|null|undefined} allowedChats
+ * @returns {Array<string>}  numeric chat IDs as strings
+ */
+const resolveAllowedChatIds = allowedChats => {
+  if (!allowedChats) return [];
+  const raw = typeof allowedChats === 'function' ? allowedChats() : allowedChats;
+  if (!Array.isArray(raw)) return [];
+  return raw.map(v => String(v)).filter(Boolean);
+};
+
+/**
+ * Returns true if `userId` is the creator of any chat in `allowedChatIds`.
+ * Returns true unconditionally when `allowedChatIds` is empty (private
+ * deployment — no allowlist means any DM is fine).
+ */
+const isOperatorOfAnyAllowedChat = async ({ telegram, userId, allowedChatIds }) => {
+  if (!allowedChatIds || allowedChatIds.length === 0) {
+    return true;
+  }
+  for (const chatId of allowedChatIds) {
+    try {
+      const member = await telegram.getChatMember(chatId, userId);
+      if (member && member.status === 'creator') {
+        return true;
+      }
+    } catch {
+      // Bot may have been removed from the chat; skip and try the next one.
+    }
+  }
+  return false;
+};
+
+/**
+ * Format the token list for display. Each line: `name (source): masked`.
+ * The masked form is `first-3 *** last-3` per maskToken's new default.
+ */
+export const formatTokenList = tokens => {
+  if (!tokens || tokens.length === 0) {
+    return 'No known local tokens found in this bot process.';
+  }
+  const lines = tokens.map(t => {
+    const masked = maskToken(t.value);
+    return `• ${t.name} (${t.source}): \`${masked}\``;
+  });
+  return ['🔐 *Active local tokens (masked):*', '', ...lines, '', '_Use this list to search public places (GitHub, Slack, etc.) for accidentally leaked tokens before they become a problem. Tokens are masked with first 3 + last 3 characters per issue #1745._'].join('\n');
+};
+
+/**
+ * Registers the hidden /tokens command on the bot.
+ *
+ * @param {Object} bot - Telegraf bot
+ * @param {Object} options
+ * @param {boolean} [options.VERBOSE]
+ * @param {Function} [options.isOldMessage]
+ * @param {Array|Function} [options.allowedChats] — used for owner-of-allowed-chat check
+ * @param {Function} [options.fetchTokens] — test override for getAllKnownLocalTokens
+ */
+export const registerTokensCommand = (bot, options = {}) => {
+  const { VERBOSE = false, isOldMessage, allowedChats } = options;
+  const fetchTokens = options.fetchTokens || getAllKnownLocalTokens;
+
+  bot.command('tokens', async ctx => {
+    if (isOldMessage && isOldMessage(ctx)) {
+      VERBOSE && console.log('[VERBOSE] /tokens ignored: old message');
+      return;
+    }
+
+    const chat = ctx.chat;
+    if (!chat || !ctx.from) return;
+
+    // Step 1: private-chat only. Silently no-op in groups so the command stays
+    // truly hidden — a curious group member never gets a hint that it exists.
+    if (chat.type !== 'private') {
+      VERBOSE && console.log(`[VERBOSE] /tokens ignored: chat type ${chat.type} (private only)`);
+      return;
+    }
+
+    // Step 2: authenticate by ownership of an allowlisted chat.
+    const allowedChatIds = resolveAllowedChatIds(allowedChats);
+    let isOperator = false;
+    try {
+      isOperator = await isOperatorOfAnyAllowedChat({
+        telegram: ctx.telegram,
+        userId: ctx.from.id,
+        allowedChatIds,
+      });
+    } catch (err) {
+      VERBOSE && console.error('[VERBOSE] /tokens auth check failed:', err);
+      isOperator = false;
+    }
+
+    if (!isOperator) {
+      VERBOSE && console.log(`[VERBOSE] /tokens denied: user ${ctx.from.id} is not creator of any allowed chat`);
+      // Reply with a generic "unknown command"-shaped message so the command
+      // stays undiscoverable to non-operators.
+      return;
+    }
+
+    // Step 3: gather and emit.
+    let tokens;
+    try {
+      tokens = await fetchTokens();
+    } catch (err) {
+      VERBOSE && console.error('[VERBOSE] /tokens: fetchTokens failed:', err);
+      await ctx.reply('❌ Failed to gather local tokens.');
+      return;
+    }
+
+    const message = formatTokenList(tokens);
+    await ctx.reply(message, { parse_mode: 'Markdown' });
+  });
+};
+
+export default {
+  registerTokensCommand,
+  formatTokenList,
+};