@massu/core 0.1.0 → 0.1.2

package/src/hooks/pre-delete-check.ts

@@ -0,0 +1,153 @@
+#!/usr/bin/env node
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+// ============================================================
+// PreToolUse Hook: Pre-Deletion Feature Impact Check
+// Detects file deletion patterns (rm, git rm, Write with empty content)
+// and runs sentinel impact analysis. Blocks if critical features orphaned.
+// Must complete in <500ms.
+// ============================================================
+
+import Database from 'better-sqlite3';
+import { resolve } from 'path';
+import { existsSync } from 'fs';
+import { getFeatureImpact } from '../sentinel-db.ts';
+import { getProjectRoot, getResolvedPaths } from '../config.ts';
+
+interface HookInput {
+  session_id: string;
+  tool_name: string;
+  tool_input: {
+    command?: string;
+    file_path?: string;
+    content?: string;
+  };
+}
+
+const PROJECT_ROOT = getProjectRoot();
+
+function getDataDb(): Database.Database | null {
+  const dbPath = getResolvedPaths().dataDbPath;
+  if (!existsSync(dbPath)) return null;
+  try {
+    const db = new Database(dbPath, { readonly: true });
+    db.pragma('journal_mode = WAL');
+    return db;
+  } catch {
+    return null;
+  }
+}
+
+function extractDeletedFiles(input: HookInput): string[] {
+  const files: string[] = [];
+
+  if (input.tool_name === 'Bash' && input.tool_input.command) {
+    const cmd = input.tool_input.command;
+
+    // Detect rm commands
+    const rmMatch = cmd.match(/(?:rm|git\s+rm)\s+(?:-[rf]*\s+)*(.+)/);
+    if (rmMatch) {
+      const paths = rmMatch[1].split(/\s+/).filter(p => !p.startsWith('-'));
+      for (const p of paths) {
+        const relPath = p.startsWith('src/') ? p : p.replace(PROJECT_ROOT + '/', '');
+        if (relPath.startsWith('src/')) {
+          files.push(relPath);
+        }
+      }
+    }
+  }
+
+  // Detect Write tool with empty content (file replacement that empties)
+  if (input.tool_name === 'Write' && input.tool_input.file_path) {
+    const content = input.tool_input.content || '';
+    if (content.trim().length === 0) {
+      const relPath = input.tool_input.file_path.replace(PROJECT_ROOT + '/', '');
+      if (relPath.startsWith('src/')) {
+        files.push(relPath);
+      }
+    }
+  }
+
+  return files;
+}
+
+async function main(): Promise<void> {
+  try {
+    const input = await readStdin();
+    const hookInput = JSON.parse(input) as HookInput;
+
+    const deletedFiles = extractDeletedFiles(hookInput);
+    if (deletedFiles.length === 0) {
+      process.exit(0);
+      return;
+    }
+
+    const db = getDataDb();
+    if (!db) {
+      // No database available - can't check
+      process.exit(0);
+      return;
+    }
+
+    try {
+      // Check if any sentinel tables exist
+      const tableExists = db.prepare(
+        "SELECT name FROM sqlite_master WHERE type='table' AND name='massu_sentinel'"
+      ).get();
+
+      if (!tableExists) {
+        process.exit(0);
+        return;
+      }
+
+      const impact = getFeatureImpact(db, deletedFiles);
+
+      if (impact.blocked) {
+        const msg = [
+          `SENTINEL IMPACT WARNING: Deleting ${deletedFiles.length} file(s) would affect features:`,
+          '',
+        ];
+
+        if (impact.orphaned.length > 0) {
+          msg.push(`ORPHANED (${impact.orphaned.length} features - no primary components left):`);
+          for (const item of impact.orphaned) {
+            msg.push(`  - ${item.feature.feature_key} [${item.feature.priority}]: ${item.feature.title}`);
+          }
+        }
+
+        if (impact.degraded.length > 0) {
+          msg.push(`DEGRADED (${impact.degraded.length} features - some components removed):`);
+          for (const item of impact.degraded) {
+            msg.push(`  - ${item.feature.feature_key}: ${item.feature.title}`);
+          }
+        }
+
+        msg.push('');
+        msg.push('Create a migration plan before deleting these files.');
+
+        // Output warning but don't block (user can proceed)
+        process.stdout.write(JSON.stringify({ message: msg.join('\n') }));
+      }
+    } finally {
+      db.close();
+    }
+  } catch {
+    // Hooks must never crash
+  }
+
+  process.exit(0);
+}
+
+function readStdin(): Promise<string> {
+  return new Promise((resolve) => {
+    let data = '';
+    process.stdin.setEncoding('utf-8');
+    process.stdin.on('data', (chunk) => { data += chunk; });
+    process.stdin.on('end', () => resolve(data));
+    // Timeout to prevent hanging
+    setTimeout(() => resolve(data), 400);
+  });
+}
+
+main();

package/src/hooks/quality-event.ts

@@ -0,0 +1,127 @@
+#!/usr/bin/env node
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+// ============================================================
+// PostToolUse Hook: Quality Event Recorder
+// Parses tool responses for quality signals (test failures,
+// type errors, build failures) and records them for analytics.
+// Must complete in <500ms.
+// ============================================================
+
+import { getMemoryDb } from '../memory-db.ts';
+
+interface HookInput {
+  session_id: string;
+  transcript_path: string;
+  cwd: string;
+  hook_event_name: string;
+  tool_name: string;
+  tool_input: Record<string, unknown>;
+  tool_response: string;
+}
+
+interface QualitySignal {
+  event_type: string;
+  details: string;
+}
+
+const TEST_FAILURE_PATTERNS: RegExp[] = [
+  /\bFAIL\b/,
+  /✗/,
+  /\bfailed\b/i,
+  /\bError:/,
+];
+
+const TYPE_ERROR_PATTERNS: RegExp[] = [
+  /error TS\d+/,
+  /\btsc\b.*error/i,
+];
+
+const BUILD_FAILURE_PATTERNS: RegExp[] = [
+  /Build failed/i,
+  /\besbuild\b.*error/i,
+  /\besbuild\b.*failed/i,
+];
+
+function detectQualitySignals(toolResponse: string): QualitySignal[] {
+  const signals: QualitySignal[] = [];
+  const response = toolResponse ?? '';
+
+  for (const pattern of TEST_FAILURE_PATTERNS) {
+    if (pattern.test(response)) {
+      const match = response.match(pattern);
+      signals.push({
+        event_type: 'test_failure',
+        details: match ? match[0].slice(0, 500) : 'Test failure detected',
+      });
+      break; // One signal per category
+    }
+  }
+
+  for (const pattern of TYPE_ERROR_PATTERNS) {
+    if (pattern.test(response)) {
+      const match = response.match(pattern);
+      signals.push({
+        event_type: 'type_error',
+        details: match ? match[0].slice(0, 500) : 'TypeScript error detected',
+      });
+      break;
+    }
+  }
+
+  for (const pattern of BUILD_FAILURE_PATTERNS) {
+    if (pattern.test(response)) {
+      const match = response.match(pattern);
+      signals.push({
+        event_type: 'build_failure',
+        details: match ? match[0].slice(0, 500) : 'Build failure detected',
+      });
+      break;
+    }
+  }
+
+  return signals;
+}
+
+async function main(): Promise<void> {
+  try {
+    const input = await readStdin();
+    const hookInput = JSON.parse(input) as HookInput;
+    const { session_id, tool_name, tool_response } = hookInput;
+
+    const signals = detectQualitySignals(tool_response);
+    if (signals.length === 0) {
+      process.exit(0);
+      return;
+    }
+
+    const db = getMemoryDb();
+    try {
+      const stmt = db.prepare(`
+        INSERT INTO quality_events (session_id, event_type, tool_name, details)
+        VALUES (?, ?, ?, ?)
+      `);
+      for (const signal of signals) {
+        stmt.run(session_id, signal.event_type, tool_name, signal.details);
+      }
+    } finally {
+      db.close();
+    }
+  } catch (_e) {
+    // Best-effort: never block Claude Code
+  }
+  process.exit(0);
+}
+
+function readStdin(): Promise<string> {
+  return new Promise((resolve) => {
+    let data = '';
+    process.stdin.setEncoding('utf-8');
+    process.stdin.on('data', (chunk: string) => { data += chunk; });
+    process.stdin.on('end', () => resolve(data));
+    setTimeout(() => resolve(data), 3000);
+  });
+}
+
+main();

package/src/hooks/security-gate.ts

@@ -0,0 +1,121 @@
+#!/usr/bin/env node
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+// ============================================================
+// PreToolUse Hook: Security Gate
+// Validates tool calls against security policies.
+// Checks Bash commands for dangerous patterns and Write/Edit
+// tool calls for protected file paths.
+// Must complete in <500ms.
+// ============================================================
+
+// Force module mode for TypeScript (no external deps needed)
+export {};
+
+interface HookInput {
+  session_id: string;
+  tool_name: string;
+  tool_input: {
+    command?: string;
+    file_path?: string;
+    content?: string;
+  };
+}
+
+const DANGEROUS_BASH_PATTERNS: Array<{ pattern: RegExp; label: string }> = [
+  { pattern: /rm\s+-[a-z]*r[a-z]*f[a-z]*\s+\/(?:\s|$)/, label: 'rm -rf /' },
+  { pattern: /rm\s+-[a-z]*f[a-z]*r[a-z]*\s+\/(?:\s|$)/, label: 'rm -rf /' },
+  { pattern: /curl\s+.*\|\s*(?:bash|sh|zsh)/, label: 'curl | bash (remote code execution)' },
+  { pattern: /wget\s+.*\|\s*(?:bash|sh|zsh)/, label: 'wget | bash (remote code execution)' },
+  { pattern: /chmod\s+777/, label: 'chmod 777 (world-writable permissions)' },
+  { pattern: /chmod\s+-R\s+777/, label: 'chmod -R 777 (world-writable permissions)' },
+  { pattern: />\s*\/etc\/passwd/, label: 'write to /etc/passwd' },
+  { pattern: />\s*\/etc\/shadow/, label: 'write to /etc/shadow' },
+  { pattern: />\s*\/etc\/sudoers/, label: 'write to /etc/sudoers' },
+  { pattern: /dd\s+if=.*of=\/dev\/(?:sda|sdb|hda|hdb|nvme)/, label: 'dd to raw device' },
+  { pattern: /mkfs\s+\/dev\//, label: 'format disk device' },
+  { pattern: /:\(\)\s*\{\s*:\|:\s*&\s*\}/, label: 'fork bomb' },
+  { pattern: /eval\s+.*\$\(.*curl/, label: 'eval with remote curl' },
+  { pattern: /base64\s+-d\s+.*\|\s*(?:bash|sh|zsh)/, label: 'base64 decoded shell exec' },
+];
+
+const PROTECTED_FILE_PATTERNS: Array<{ pattern: RegExp; label: string }> = [
+  { pattern: /\.env$/, label: '.env file' },
+  { pattern: /\.env\./, label: '.env.* file' },
+  { pattern: /credentials(?:\.json)?$/, label: 'credentials file' },
+  { pattern: /\.pem$/, label: '.pem certificate/key file' },
+  { pattern: /\.key$/, label: '.key file' },
+  { pattern: /\.p12$/, label: '.p12 keystore file' },
+  { pattern: /\.pfx$/, label: '.pfx keystore file' },
+  { pattern: /id_rsa$/, label: 'RSA private key' },
+  { pattern: /id_ed25519$/, label: 'Ed25519 private key' },
+  { pattern: /id_ecdsa$/, label: 'ECDSA private key' },
+  { pattern: /\.ssh\/config$/, label: 'SSH config file' },
+  { pattern: /secrets\.yaml$/, label: 'secrets.yaml file' },
+  { pattern: /secrets\.yml$/, label: 'secrets.yml file' },
+  { pattern: /\.netrc$/, label: '.netrc credentials file' },
+  { pattern: /aws\/credentials$/, label: 'AWS credentials file' },
+  { pattern: /kubeconfig$/, label: 'Kubernetes config file' },
+];
+
+function checkBashCommand(command: string): string | null {
+  for (const { pattern, label } of DANGEROUS_BASH_PATTERNS) {
+    if (pattern.test(command)) {
+      return label;
+    }
+  }
+  return null;
+}
+
+function checkFilePath(filePath: string): string | null {
+  for (const { pattern, label } of PROTECTED_FILE_PATTERNS) {
+    if (pattern.test(filePath)) {
+      return label;
+    }
+  }
+  return null;
+}
+
+async function main(): Promise<void> {
+  try {
+    const input = await readStdin();
+    const hookInput = JSON.parse(input) as HookInput;
+    const { tool_name, tool_input } = hookInput;
+
+    if (tool_name === 'Bash' && tool_input.command) {
+      const violation = checkBashCommand(tool_input.command);
+      if (violation) {
+        process.stdout.write(JSON.stringify({
+          message: `SECURITY GATE: Dangerous command pattern detected: ${violation}\nCommand: ${tool_input.command.slice(0, 200)}\nReview carefully before proceeding.`,
+        }));
+      }
+    }
+
+    if ((tool_name === 'Write' || tool_name === 'Edit') && tool_input.file_path) {
+      const violation = checkFilePath(tool_input.file_path);
+      if (violation) {
+        process.stdout.write(JSON.stringify({
+          message: `SECURITY GATE: Attempt to write to protected file: ${violation}\nPath: ${tool_input.file_path}\nEnsure this is intentional and no secrets will be exposed.`,
+        }));
+      }
+    }
+  } catch {
+    // Hooks must never crash
+  }
+
+  process.exit(0);
+}
+
+function readStdin(): Promise<string> {
+  return new Promise((resolve) => {
+    let data = '';
+    process.stdin.setEncoding('utf-8');
+    process.stdin.on('data', (chunk) => { data += chunk; });
+    process.stdin.on('end', () => resolve(data));
+    // Timeout to prevent hanging
+    setTimeout(() => resolve(data), 400);
+  });
+}
+
+main();