@stackmemoryai/stackmemory 0.5.57 → 0.5.59

package/dist/src/hooks/linear-task-picker.js

@@ -0,0 +1,186 @@
+import { fileURLToPath as __fileURLToPath } from 'url';
+import { dirname as __pathDirname } from 'path';
+const __filename = __fileURLToPath(import.meta.url);
+const __dirname = __pathDirname(__filename);
+import { LinearClient } from "../integrations/linear/client.js";
+import { LinearAuthManager } from "../integrations/linear/auth.js";
+const TEST_KEYWORDS = [
+  "test",
+  "spec",
+  "unit test",
+  "integration test",
+  "e2e",
+  "end-to-end",
+  "jest",
+  "vitest",
+  "mocha"
+];
+const VALIDATION_KEYWORDS = [
+  "validate",
+  "verify",
+  "verification",
+  "acceptance criteria",
+  "ac:",
+  "acceptance:",
+  "given when then",
+  "criteria:"
+];
+const QA_KEYWORDS = ["qa", "quality", "regression", "coverage", "assertion"];
+const TEST_LABELS = [
+  "needs-tests",
+  "test-required",
+  "qa-review",
+  "has-ac",
+  "acceptance-criteria",
+  "tdd",
+  "testing"
+];
+function containsKeywords(text, keywords) {
+  const lowerText = text.toLowerCase();
+  return keywords.some((kw) => lowerText.includes(kw.toLowerCase()));
+}
+function scoreTask(issue, preferTestTasks) {
+  let score = 0;
+  const description = issue.description || "";
+  const title = issue.title || "";
+  const fullText = `${title} ${description}`;
+  if (containsKeywords(fullText, TEST_KEYWORDS)) {
+    score += preferTestTasks ? 10 : 5;
+  }
+  if (containsKeywords(fullText, VALIDATION_KEYWORDS)) {
+    score += preferTestTasks ? 8 : 4;
+  }
+  if (containsKeywords(fullText, QA_KEYWORDS)) {
+    score += preferTestTasks ? 5 : 2;
+  }
+  const labelNames = issue.labels?.nodes?.map((l) => l.name.toLowerCase()) || [];
+  const hasTestLabel = TEST_LABELS.some(
+    (tl) => labelNames.some((ln) => ln.includes(tl))
+  );
+  if (hasTestLabel) {
+    score += preferTestTasks ? 5 : 3;
+  }
+  if (issue.priority === 1) {
+    score += 5;
+  } else if (issue.priority === 2) {
+    score += 3;
+  } else if (issue.priority === 3) {
+    score += 1;
+  }
+  if (description.includes("## Acceptance") || description.includes("### AC") || description.includes("- [ ]")) {
+    score += 2;
+  }
+  if (issue.estimate) {
+    score += 1;
+  }
+  return score;
+}
+function getLinearClient() {
+  const apiKey = process.env["LINEAR_API_KEY"];
+  if (apiKey && apiKey.startsWith("lin_api_")) {
+    return new LinearClient({ apiKey });
+  }
+  try {
+    const authManager = new LinearAuthManager();
+    const tokens = authManager.loadTokens();
+    if (tokens?.accessToken) {
+      return new LinearClient({ accessToken: tokens.accessToken });
+    }
+  } catch {
+  }
+  return null;
+}
+async function pickNextLinearTask(options = {}) {
+  const client = getLinearClient();
+  if (!client) {
+    return null;
+  }
+  const { teamId, preferTestTasks = true, limit = 20 } = options;
+  try {
+    const [backlogIssues, unstartedIssues] = await Promise.all([
+      client.getIssues({ teamId, stateType: "backlog", limit }),
+      client.getIssues({ teamId, stateType: "unstarted", limit })
+    ]);
+    const allIssues = [...backlogIssues, ...unstartedIssues];
+    const unassignedIssues = allIssues.filter((issue) => !issue.assignee);
+    if (unassignedIssues.length === 0) {
+      if (allIssues.length === 0) {
+        return null;
+      }
+    }
+    const issuesToScore = unassignedIssues.length > 0 ? unassignedIssues : allIssues;
+    const scoredIssues = issuesToScore.map((issue) => ({
+      issue,
+      score: scoreTask(issue, preferTestTasks)
+    }));
+    scoredIssues.sort((a, b) => b.score - a.score);
+    const best = scoredIssues[0];
+    if (!best) {
+      return null;
+    }
+    const description = best.issue.description || "";
+    const hasTestRequirements = containsKeywords(description, TEST_KEYWORDS) || containsKeywords(description, VALIDATION_KEYWORDS);
+    return {
+      id: best.issue.id,
+      identifier: best.issue.identifier,
+      title: best.issue.title,
+      priority: best.issue.priority,
+      hasTestRequirements,
+      estimatedPoints: best.issue.estimate,
+      url: best.issue.url,
+      score: best.score
+    };
+  } catch (error) {
+    const isAuthError = error instanceof Error && (error.message.includes("401") || error.message.includes("403"));
+    if (!isAuthError) {
+      console.error("[linear-task-picker] Error fetching tasks:", error);
+    }
+    return null;
+  }
+}
+async function getTopTaskSuggestions(options = {}, count = 3) {
+  const client = getLinearClient();
+  if (!client) {
+    return [];
+  }
+  const { teamId, preferTestTasks = true, limit = 30 } = options;
+  try {
+    const [backlogIssues, unstartedIssues] = await Promise.all([
+      client.getIssues({ teamId, stateType: "backlog", limit }),
+      client.getIssues({ teamId, stateType: "unstarted", limit })
+    ]);
+    const allIssues = [...backlogIssues, ...unstartedIssues];
+    const unassignedIssues = allIssues.filter((issue) => !issue.assignee);
+    const issuesToScore = unassignedIssues.length > 0 ? unassignedIssues : allIssues;
+    const scoredIssues = issuesToScore.map((issue) => ({
+      issue,
+      score: scoreTask(issue, preferTestTasks)
+    }));
+    scoredIssues.sort((a, b) => b.score - a.score);
+    return scoredIssues.slice(0, count).map(({ issue, score }) => {
+      const description = issue.description || "";
+      const hasTestRequirements = containsKeywords(description, TEST_KEYWORDS) || containsKeywords(description, VALIDATION_KEYWORDS);
+      return {
+        id: issue.id,
+        identifier: issue.identifier,
+        title: issue.title,
+        priority: issue.priority,
+        hasTestRequirements,
+        estimatedPoints: issue.estimate,
+        url: issue.url,
+        score
+      };
+    });
+  } catch (error) {
+    const isAuthError = error instanceof Error && (error.message.includes("401") || error.message.includes("403"));
+    if (!isAuthError) {
+      console.error("[linear-task-picker] Error fetching tasks:", error);
+    }
+    return [];
+  }
+}
+export {
+  getTopTaskSuggestions,
+  pickNextLinearTask
+};
+//# sourceMappingURL=linear-task-picker.js.map

package/dist/src/hooks/linear-task-picker.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/hooks/linear-task-picker.ts"],
+  "sourcesContent": ["/**\n * Linear Task Picker\n * Picks the next best task from Linear queue, prioritizing tasks with test/validation requirements\n */\n\nimport { LinearClient, LinearIssue } from '../integrations/linear/client.js';\nimport { LinearAuthManager } from '../integrations/linear/auth.js';\n\nexport interface TaskSuggestion {\n  id: string;\n  identifier: string; // e.g., \"STA-123\"\n  title: string;\n  priority: number;\n  hasTestRequirements: boolean;\n  estimatedPoints?: number;\n  url: string;\n  score: number;\n}\n\nexport interface PickerOptions {\n  teamId?: string;\n  preferTestTasks?: boolean;\n  limit?: number;\n}\n\n// Keywords indicating test/validation requirements\nconst TEST_KEYWORDS = [\n  'test',\n  'spec',\n  'unit test',\n  'integration test',\n  'e2e',\n  'end-to-end',\n  'jest',\n  'vitest',\n  'mocha',\n];\n\nconst VALIDATION_KEYWORDS = [\n  'validate',\n  'verify',\n  'verification',\n  'acceptance criteria',\n  'ac:',\n  'acceptance:',\n  'given when then',\n  'criteria:',\n];\n\nconst QA_KEYWORDS = ['qa', 'quality', 'regression', 'coverage', 'assertion'];\n\n// Labels that indicate test requirements\nconst TEST_LABELS = [\n  'needs-tests',\n  'test-required',\n  'qa-review',\n  'has-ac',\n  'acceptance-criteria',\n  'tdd',\n  'testing',\n];\n\n/**\n * Check if text contains any of the keywords (case-insensitive)\n */\nfunction containsKeywords(text: string, keywords: string[]): boolean {\n  const lowerText = text.toLowerCase();\n  return keywords.some((kw) => lowerText.includes(kw.toLowerCase()));\n}\n\n/**\n * Score a task based on test/validation requirements\n */\nfunction scoreTask(issue: LinearIssue, preferTestTasks: boolean): number {\n  let score = 0;\n  const description = issue.description || '';\n  const title = issue.title || '';\n  const fullText = `${title} ${description}`;\n\n  // +10 if has test/validation keywords in description\n  if (containsKeywords(fullText, TEST_KEYWORDS)) {\n    score += preferTestTasks ? 10 : 5;\n  }\n\n  if (containsKeywords(fullText, VALIDATION_KEYWORDS)) {\n    score += preferTestTasks ? 8 : 4;\n  }\n\n  if (containsKeywords(fullText, QA_KEYWORDS)) {\n    score += preferTestTasks ? 5 : 2;\n  }\n\n  // +5 if has test-related labels\n  const labelNames =\n    issue.labels?.nodes?.map((l: { name: string }) => l.name.toLowerCase()) ||\n    [];\n  const hasTestLabel = TEST_LABELS.some((tl) =>\n    labelNames.some((ln: string) => ln.includes(tl))\n  );\n  if (hasTestLabel) {\n    score += preferTestTasks ? 5 : 3;\n  }\n\n  // +3 for higher priority (urgent=1, high=2)\n  if (issue.priority === 1) {\n    score += 5; // Urgent\n  } else if (issue.priority === 2) {\n    score += 3; // High\n  } else if (issue.priority === 3) {\n    score += 1; // Medium\n  }\n\n  // +2 if has acceptance criteria pattern\n  if (\n    description.includes('## Acceptance') ||\n    description.includes('### AC') ||\n    description.includes('- [ ]')\n  ) {\n    score += 2;\n  }\n\n  // +1 if has estimate (indicates well-scoped)\n  if (issue.estimate) {\n    score += 1;\n  }\n\n  return score;\n}\n\n/**\n * Get Linear client instance\n * Returns null if credentials are missing or invalid\n */\nfunction getLinearClient(): LinearClient | null {\n  // Try API key first - must be valid format (lin_api_*)\n  const apiKey = process.env['LINEAR_API_KEY'];\n  if (apiKey && apiKey.startsWith('lin_api_')) {\n    return new LinearClient({ apiKey });\n  }\n\n  // Fall back to OAuth\n  try {\n    const authManager = new LinearAuthManager();\n    const tokens = authManager.loadTokens();\n    if (tokens?.accessToken) {\n      return new LinearClient({ accessToken: tokens.accessToken });\n    }\n  } catch {\n    // Auth not available\n  }\n\n  return null;\n}\n\n/**\n * Pick the next best task from Linear\n */\nexport async function pickNextLinearTask(\n  options: PickerOptions = {}\n): Promise<TaskSuggestion | null> {\n  const client = getLinearClient();\n  if (!client) {\n    return null;\n  }\n\n  const { teamId, preferTestTasks = true, limit = 20 } = options;\n\n  try {\n    // Fetch backlog and unstarted issues\n    const [backlogIssues, unstartedIssues] = await Promise.all([\n      client.getIssues({ teamId, stateType: 'backlog', limit }),\n      client.getIssues({ teamId, stateType: 'unstarted', limit }),\n    ]);\n\n    const allIssues = [...backlogIssues, ...unstartedIssues];\n\n    // Filter out assigned issues (we want unassigned ones)\n    const unassignedIssues = allIssues.filter((issue) => !issue.assignee);\n\n    if (unassignedIssues.length === 0) {\n      // If no unassigned, consider all\n      if (allIssues.length === 0) {\n        return null;\n      }\n    }\n\n    const issuesToScore =\n      unassignedIssues.length > 0 ? unassignedIssues : allIssues;\n\n    // Score and sort\n    const scoredIssues = issuesToScore.map((issue) => ({\n      issue,\n      score: scoreTask(issue, preferTestTasks),\n    }));\n\n    scoredIssues.sort((a, b) => b.score - a.score);\n\n    const best = scoredIssues[0];\n    if (!best) {\n      return null;\n    }\n\n    const description = best.issue.description || '';\n    const hasTestRequirements =\n      containsKeywords(description, TEST_KEYWORDS) ||\n      containsKeywords(description, VALIDATION_KEYWORDS);\n\n    return {\n      id: best.issue.id,\n      identifier: best.issue.identifier,\n      title: best.issue.title,\n      priority: best.issue.priority,\n      hasTestRequirements,\n      estimatedPoints: best.issue.estimate,\n      url: best.issue.url,\n      score: best.score,\n    };\n  } catch (error) {\n    // Silent fail for auth errors (401/403) - expected when not configured\n    const isAuthError =\n      error instanceof Error &&\n      (error.message.includes('401') || error.message.includes('403'));\n    if (!isAuthError) {\n      console.error('[linear-task-picker] Error fetching tasks:', error);\n    }\n    return null;\n  }\n}\n\n/**\n * Get multiple task suggestions (for showing options)\n */\nexport async function getTopTaskSuggestions(\n  options: PickerOptions = {},\n  count: number = 3\n): Promise<TaskSuggestion[]> {\n  const client = getLinearClient();\n  if (!client) {\n    return [];\n  }\n\n  const { teamId, preferTestTasks = true, limit = 30 } = options;\n\n  try {\n    const [backlogIssues, unstartedIssues] = await Promise.all([\n      client.getIssues({ teamId, stateType: 'backlog', limit }),\n      client.getIssues({ teamId, stateType: 'unstarted', limit }),\n    ]);\n\n    const allIssues = [...backlogIssues, ...unstartedIssues];\n    const unassignedIssues = allIssues.filter((issue) => !issue.assignee);\n    const issuesToScore =\n      unassignedIssues.length > 0 ? unassignedIssues : allIssues;\n\n    const scoredIssues = issuesToScore.map((issue) => ({\n      issue,\n      score: scoreTask(issue, preferTestTasks),\n    }));\n\n    scoredIssues.sort((a, b) => b.score - a.score);\n\n    return scoredIssues.slice(0, count).map(({ issue, score }) => {\n      const description = issue.description || '';\n      const hasTestRequirements =\n        containsKeywords(description, TEST_KEYWORDS) ||\n        containsKeywords(description, VALIDATION_KEYWORDS);\n\n      return {\n        id: issue.id,\n        identifier: issue.identifier,\n        title: issue.title,\n        priority: issue.priority,\n        hasTestRequirements,\n        estimatedPoints: issue.estimate,\n        url: issue.url,\n        score,\n      };\n    });\n  } catch (error) {\n    // Silent fail for auth errors (401/403) - expected when not configured\n    const isAuthError =\n      error instanceof Error &&\n      (error.message.includes('401') || error.message.includes('403'));\n    if (!isAuthError) {\n      console.error('[linear-task-picker] Error fetching tasks:', error);\n    }\n    return [];\n  }\n}\n"],
+  "mappings": ";;;;AAKA,SAAS,oBAAiC;AAC1C,SAAS,yBAAyB;AAoBlC,MAAM,gBAAgB;AAAA,EACpB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,MAAM,sBAAsB;AAAA,EAC1B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,MAAM,cAAc,CAAC,MAAM,WAAW,cAAc,YAAY,WAAW;AAG3E,MAAM,cAAc;AAAA,EAClB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAKA,SAAS,iBAAiB,MAAc,UAA6B;AACnE,QAAM,YAAY,KAAK,YAAY;AACnC,SAAO,SAAS,KAAK,CAAC,OAAO,UAAU,SAAS,GAAG,YAAY,CAAC,CAAC;AACnE;AAKA,SAAS,UAAU,OAAoB,iBAAkC;AACvE,MAAI,QAAQ;AACZ,QAAM,cAAc,MAAM,eAAe;AACzC,QAAM,QAAQ,MAAM,SAAS;AAC7B,QAAM,WAAW,GAAG,KAAK,IAAI,WAAW;AAGxC,MAAI,iBAAiB,UAAU,aAAa,GAAG;AAC7C,aAAS,kBAAkB,KAAK;AAAA,EAClC;AAEA,MAAI,iBAAiB,UAAU,mBAAmB,GAAG;AACnD,aAAS,kBAAkB,IAAI;AAAA,EACjC;AAEA,MAAI,iBAAiB,UAAU,WAAW,GAAG;AAC3C,aAAS,kBAAkB,IAAI;AAAA,EACjC;AAGA,QAAM,aACJ,MAAM,QAAQ,OAAO,IAAI,CAAC,MAAwB,EAAE,KAAK,YAAY,CAAC,KACtE,CAAC;AACH,QAAM,eAAe,YAAY;AAAA,IAAK,CAAC,OACrC,WAAW,KAAK,CAAC,OAAe,GAAG,SAAS,EAAE,CAAC;AAAA,EACjD;AACA,MAAI,cAAc;AAChB,aAAS,kBAAkB,IAAI;AAAA,EACjC;AAGA,MAAI,MAAM,aAAa,GAAG;AACxB,aAAS;AAAA,EACX,WAAW,MAAM,aAAa,GAAG;AAC/B,aAAS;AAAA,EACX,WAAW,MAAM,aAAa,GAAG;AAC/B,aAAS;AAAA,EACX;AAGA,MACE,YAAY,SAAS,eAAe,KACpC,YAAY,SAAS,QAAQ,KAC7B,YAAY,SAAS,OAAO,GAC5B;AACA,aAAS;AAAA,EACX;AAGA,MAAI,MAAM,UAAU;AAClB,aAAS;AAAA,EACX;AAEA,SAAO;AACT;AAMA,SAAS,kBAAuC;AAE9C,QAAM,SAAS,QAAQ,IAAI,gBAAgB;AAC3C,MAAI,UAAU,OAAO,WAAW,UAAU,GAAG;AAC3C,WAAO,IAAI,aAAa,EAAE,OAAO,CAAC;AAAA,EACpC;AAGA,MAAI;AACF,UAAM,cAAc,IAAI,kBAAkB;AAC1C,UAAM,SAAS,YAAY,WAAW;AACtC,QAAI,QAAQ,aAAa;AACvB,aAAO,IAAI,aAAa,EAAE,aAAa,OAAO,YAAY,CAAC;AAAA,IAC7D;AAAA,EACF,QAAQ;AAAA,EAER;AAEA,SAAO;AACT;AAKA,eAAsB,mBACpB,UAAyB,CAAC,GACM;AAChC,QAAM,SAAS,gBAAgB;AAC/B,MAAI,CAAC,QAAQ;AACX,WAAO;AAAA,EACT;AAEA,QAAM,EAAE,QAAQ,kBAAkB,MAAM,QAAQ,GAAG,IAAI;AAEvD,MAAI;AAEF,UAAM,CAAC,eAAe,eAAe,IAAI,MAAM,QAAQ,IAAI;AAAA,MACzD,OAAO,UAAU,EAAE,QAAQ,WAAW,WAAW,MAAM,CAAC;AAAA,MACxD,OAAO,UAAU,EAAE,QAAQ,WAAW,aAAa,MAAM,CAAC;AAAA,IAC5D,CAAC;AAED,UAAM,YAAY,CAAC,GAAG,eAAe,GAAG,eAAe;AAGvD,UAAM,mBAAmB,UAAU,OAAO,CAAC,UAAU,CAAC,MAAM,QAAQ;AAEpE,QAAI,iBAAiB,WAAW,GAAG;AAEjC,UAAI,UAAU,WAAW,GAAG;AAC1B,eAAO;AAAA,MACT;AAAA,IACF;AAEA,UAAM,gBACJ,iBAAiB,SAAS,IAAI,mBAAmB;AAGnD,UAAM,eAAe,cAAc,IAAI,CAAC,WAAW;AAAA,MACjD;AAAA,MACA,OAAO,UAAU,OAAO,eAAe;AAAA,IACzC,EAAE;AAEF,iBAAa,KAAK,CAAC,GAAG,MAAM,EAAE,QAAQ,EAAE,KAAK;AAE7C,UAAM,OAAO,aAAa,CAAC;AAC3B,QAAI,CAAC,MAAM;AACT,aAAO;AAAA,IACT;AAEA,UAAM,cAAc,KAAK,MAAM,eAAe;AAC9C,UAAM,sBACJ,iBAAiB,aAAa,aAAa,KAC3C,iBAAiB,aAAa,mBAAmB;AAEnD,WAAO;AAAA,MACL,IAAI,KAAK,MAAM;AAAA,MACf,YAAY,KAAK,MAAM;AAAA,MACvB,OAAO,KAAK,MAAM;AAAA,MAClB,UAAU,KAAK,MAAM;AAAA,MACrB;AAAA,MACA,iBAAiB,KAAK,MAAM;AAAA,MAC5B,KAAK,KAAK,MAAM;AAAA,MAChB,OAAO,KAAK;AAAA,IACd;AAAA,EACF,SAAS,OAAO;AAEd,UAAM,cACJ,iBAAiB,UAChB,MAAM,QAAQ,SAAS,KAAK,KAAK,MAAM,QAAQ,SAAS,KAAK;AAChE,QAAI,CAAC,aAAa;AAChB,cAAQ,MAAM,8CAA8C,KAAK;AAAA,IACnE;AACA,WAAO;AAAA,EACT;AACF;AAKA,eAAsB,sBACpB,UAAyB,CAAC,GAC1B,QAAgB,GACW;AAC3B,QAAM,SAAS,gBAAgB;AAC/B,MAAI,CAAC,QAAQ;AACX,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,EAAE,QAAQ,kBAAkB,MAAM,QAAQ,GAAG,IAAI;AAEvD,MAAI;AACF,UAAM,CAAC,eAAe,eAAe,IAAI,MAAM,QAAQ,IAAI;AAAA,MACzD,OAAO,UAAU,EAAE,QAAQ,WAAW,WAAW,MAAM,CAAC;AAAA,MACxD,OAAO,UAAU,EAAE,QAAQ,WAAW,aAAa,MAAM,CAAC;AAAA,IAC5D,CAAC;AAED,UAAM,YAAY,CAAC,GAAG,eAAe,GAAG,eAAe;AACvD,UAAM,mBAAmB,UAAU,OAAO,CAAC,UAAU,CAAC,MAAM,QAAQ;AACpE,UAAM,gBACJ,iBAAiB,SAAS,IAAI,mBAAmB;AAEnD,UAAM,eAAe,cAAc,IAAI,CAAC,WAAW;AAAA,MACjD;AAAA,MACA,OAAO,UAAU,OAAO,eAAe;AAAA,IACzC,EAAE;AAEF,iBAAa,KAAK,CAAC,GAAG,MAAM,EAAE,QAAQ,EAAE,KAAK;AAE7C,WAAO,aAAa,MAAM,GAAG,KAAK,EAAE,IAAI,CAAC,EAAE,OAAO,MAAM,MAAM;AAC5D,YAAM,cAAc,MAAM,eAAe;AACzC,YAAM,sBACJ,iBAAiB,aAAa,aAAa,KAC3C,iBAAiB,aAAa,mBAAmB;AAEnD,aAAO;AAAA,QACL,IAAI,MAAM;AAAA,QACV,YAAY,MAAM;AAAA,QAClB,OAAO,MAAM;AAAA,QACb,UAAU,MAAM;AAAA,QAChB;AAAA,QACA,iBAAiB,MAAM;AAAA,QACvB,KAAK,MAAM;AAAA,QACX;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH,SAAS,OAAO;AAEd,UAAM,cACJ,iBAAiB,UAChB,MAAM,QAAQ,SAAS,KAAK,KAAK,MAAM,QAAQ,SAAS,KAAK;AAChE,QAAI,CAAC,aAAa;AAChB,cAAQ,MAAM,8CAA8C,KAAK;AAAA,IACnE;AACA,WAAO,CAAC;AAAA,EACV;AACF;",
+  "names": []
+}

package/dist/src/hooks/schemas.js

@@ -0,0 +1,197 @@
+import { fileURLToPath as __fileURLToPath } from 'url';
+import { dirname as __pathDirname } from 'path';
+const __filename = __fileURLToPath(import.meta.url);
+const __dirname = __pathDirname(__filename);
+import { z } from "zod";
+import { logConfigInvalid } from "./security-logger.js";
+const PromptOptionSchema = z.object({
+  key: z.string().max(10),
+  label: z.string().max(200),
+  action: z.string().max(500).optional()
+});
+const PendingPromptSchema = z.object({
+  id: z.string().max(32),
+  timestamp: z.string().datetime({ offset: true }).or(z.string().regex(/^\d{4}-\d{2}-\d{2}T/)),
+  message: z.string().max(1e3),
+  options: z.array(PromptOptionSchema).max(10),
+  type: z.enum(["options", "yesno", "freeform"]),
+  callback: z.string().max(500).optional(),
+  expiresAt: z.string().datetime({ offset: true }).or(z.string().regex(/^\d{4}-\d{2}-\d{2}T/))
+});
+const NotifyOnSchema = z.object({
+  taskComplete: z.boolean(),
+  reviewReady: z.boolean(),
+  error: z.boolean(),
+  custom: z.boolean(),
+  contextSync: z.boolean().optional().default(true)
+});
+const QuietHoursSchema = z.object({
+  enabled: z.boolean(),
+  start: z.string().regex(/^\d{2}:\d{2}$/),
+  end: z.string().regex(/^\d{2}:\d{2}$/)
+});
+const SMSConfigSchema = z.object({
+  enabled: z.boolean(),
+  channel: z.enum(["whatsapp", "sms"]),
+  accountSid: z.string().max(100).optional(),
+  authToken: z.string().max(100).optional(),
+  smsFromNumber: z.string().max(20).optional(),
+  smsToNumber: z.string().max(20).optional(),
+  whatsappFromNumber: z.string().max(30).optional(),
+  whatsappToNumber: z.string().max(30).optional(),
+  fromNumber: z.string().max(20).optional(),
+  toNumber: z.string().max(20).optional(),
+  webhookUrl: z.string().url().max(500).optional(),
+  notifyOn: NotifyOnSchema,
+  quietHours: QuietHoursSchema.optional(),
+  responseTimeout: z.number().int().min(30).max(3600),
+  pendingPrompts: z.array(PendingPromptSchema).max(100)
+});
+const PendingActionSchema = z.object({
+  id: z.string().max(32),
+  promptId: z.string().max(32),
+  response: z.string().max(1e3),
+  action: z.string().max(500),
+  timestamp: z.string().datetime({ offset: true }).or(z.string().regex(/^\d{4}-\d{2}-\d{2}T/)),
+  status: z.enum(["pending", "running", "completed", "failed"]),
+  result: z.string().max(1e4).optional(),
+  error: z.string().max(1e3).optional()
+});
+const ActionQueueSchema = z.object({
+  actions: z.array(PendingActionSchema).max(1e3),
+  lastChecked: z.string().datetime({ offset: true }).or(z.string().regex(/^\d{4}-\d{2}-\d{2}T/))
+});
+const AutoBackgroundConfigSchema = z.object({
+  enabled: z.boolean(),
+  timeoutMs: z.number().int().min(1e3).max(6e5),
+  alwaysBackground: z.array(z.string().max(200)).max(100),
+  neverBackground: z.array(z.string().max(200)).max(100),
+  verbose: z.boolean().optional()
+});
+const SyncOptionsSchema = z.object({
+  autoSyncOnClose: z.boolean(),
+  minFrameDuration: z.number().int().min(0).max(3600),
+  // 0 to 1 hour
+  includeDecisions: z.boolean(),
+  includeFiles: z.boolean(),
+  includeTests: z.boolean(),
+  maxDigestLength: z.number().int().min(100).max(1e3)
+  // WhatsApp limit ~4096 chars
+});
+const ScheduleConfigSchema = z.object({
+  type: z.enum(["daily", "hourly", "interval"]),
+  time: z.string().regex(/^\d{2}:\d{2}$/).optional(),
+  // "HH:MM" for daily
+  intervalMinutes: z.number().int().min(5).max(1440).optional(),
+  // 5 min to 24 hours
+  includeInactive: z.boolean(),
+  // Include when no activity
+  quietHoursRespect: z.boolean()
+  // Respect quiet hours setting
+});
+const ScheduleSchema = z.object({
+  id: z.string().max(32),
+  config: ScheduleConfigSchema,
+  enabled: z.boolean(),
+  lastRun: z.string().datetime({ offset: true }).or(z.string().regex(/^\d{4}-\d{2}-\d{2}T/)).optional(),
+  nextRun: z.string().datetime({ offset: true }).or(z.string().regex(/^\d{4}-\d{2}-\d{2}T/)).optional(),
+  createdAt: z.string().datetime({ offset: true }).or(z.string().regex(/^\d{4}-\d{2}-\d{2}T/))
+});
+const ScheduleStorageSchema = z.object({
+  schedules: z.array(ScheduleSchema).max(10),
+  lastChecked: z.string().datetime({ offset: true }).or(z.string().regex(/^\d{4}-\d{2}-\d{2}T/))
+});
+const WhatsAppCommandSchema = z.object({
+  name: z.string().max(50),
+  description: z.string().max(200),
+  enabled: z.boolean(),
+  action: z.string().max(500).optional(),
+  // Safe action to execute
+  requiresArg: z.boolean().optional(),
+  argPattern: z.string().max(100).optional()
+  // Regex pattern for arg validation
+});
+const WhatsAppCommandsConfigSchema = z.object({
+  enabled: z.boolean(),
+  commands: z.array(WhatsAppCommandSchema).max(50)
+});
+const ModelProviderSchema = z.enum([
+  "anthropic",
+  "qwen",
+  "openai",
+  "ollama",
+  "custom"
+]);
+const ModelConfigSchema = z.object({
+  provider: ModelProviderSchema,
+  model: z.string().max(100),
+  baseUrl: z.string().url().max(500).optional(),
+  apiKeyEnv: z.string().max(100),
+  headers: z.record(z.string().max(500)).optional(),
+  params: z.record(z.unknown()).optional()
+});
+const ModelRouterConfigSchema = z.object({
+  enabled: z.boolean(),
+  defaultProvider: ModelProviderSchema,
+  taskRouting: z.object({
+    plan: ModelProviderSchema.optional(),
+    think: ModelProviderSchema.optional(),
+    code: ModelProviderSchema.optional(),
+    review: ModelProviderSchema.optional()
+  }).optional().default({}),
+  fallback: z.object({
+    enabled: z.boolean(),
+    provider: ModelProviderSchema,
+    onRateLimit: z.boolean(),
+    onError: z.boolean(),
+    onTimeout: z.boolean(),
+    maxRetries: z.number().int().min(0).max(10),
+    retryDelayMs: z.number().int().min(100).max(3e4)
+  }),
+  providers: z.object({
+    anthropic: ModelConfigSchema.optional(),
+    qwen: ModelConfigSchema.optional(),
+    openai: ModelConfigSchema.optional(),
+    ollama: ModelConfigSchema.optional(),
+    custom: ModelConfigSchema.optional()
+  }).optional().default({}),
+  thinkingMode: z.object({
+    enabled: z.boolean(),
+    budget: z.number().int().min(1e3).max(1e5).optional(),
+    temperature: z.number().min(0).max(2).optional(),
+    topP: z.number().min(0).max(1).optional()
+  })
+});
+function parseConfigSafe(schema, data, defaultValue, configName) {
+  const result = schema.safeParse(data);
+  if (result.success) {
+    return result.data;
+  }
+  const errors = result.error.issues.map(
+    (i) => `${i.path.join(".")}: ${i.message}`
+  );
+  logConfigInvalid(configName, errors);
+  console.error(`[hooks] Invalid ${configName} config:`, errors.join(", "));
+  return defaultValue;
+}
+export {
+  ActionQueueSchema,
+  AutoBackgroundConfigSchema,
+  ModelConfigSchema,
+  ModelProviderSchema,
+  ModelRouterConfigSchema,
+  NotifyOnSchema,
+  PendingActionSchema,
+  PendingPromptSchema,
+  PromptOptionSchema,
+  QuietHoursSchema,
+  SMSConfigSchema,
+  ScheduleConfigSchema,
+  ScheduleSchema,
+  ScheduleStorageSchema,
+  SyncOptionsSchema,
+  WhatsAppCommandSchema,
+  WhatsAppCommandsConfigSchema,
+  parseConfigSafe
+};
+//# sourceMappingURL=schemas.js.map

package/dist/src/hooks/schemas.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/hooks/schemas.ts"],
+  "sourcesContent": ["/**\n * Zod schemas for hook configuration validation\n * Prevents malformed or malicious configs from being loaded\n */\n\nimport { z } from 'zod';\nimport { logConfigInvalid } from './security-logger.js';\n\n// SMS/WhatsApp notification schemas\nexport const PromptOptionSchema = z.object({\n  key: z.string().max(10),\n  label: z.string().max(200),\n  action: z.string().max(500).optional(),\n});\n\nexport const PendingPromptSchema = z.object({\n  id: z.string().max(32),\n  timestamp: z\n    .string()\n    .datetime({ offset: true })\n    .or(z.string().regex(/^\\d{4}-\\d{2}-\\d{2}T/)),\n  message: z.string().max(1000),\n  options: z.array(PromptOptionSchema).max(10),\n  type: z.enum(['options', 'yesno', 'freeform']),\n  callback: z.string().max(500).optional(),\n  expiresAt: z\n    .string()\n    .datetime({ offset: true })\n    .or(z.string().regex(/^\\d{4}-\\d{2}-\\d{2}T/)),\n});\n\nexport const NotifyOnSchema = z.object({\n  taskComplete: z.boolean(),\n  reviewReady: z.boolean(),\n  error: z.boolean(),\n  custom: z.boolean(),\n  contextSync: z.boolean().optional().default(true),\n});\n\nexport const QuietHoursSchema = z.object({\n  enabled: z.boolean(),\n  start: z.string().regex(/^\\d{2}:\\d{2}$/),\n  end: z.string().regex(/^\\d{2}:\\d{2}$/),\n});\n\nexport const SMSConfigSchema = z.object({\n  enabled: z.boolean(),\n  channel: z.enum(['whatsapp', 'sms']),\n  accountSid: z.string().max(100).optional(),\n  authToken: z.string().max(100).optional(),\n  smsFromNumber: z.string().max(20).optional(),\n  smsToNumber: z.string().max(20).optional(),\n  whatsappFromNumber: z.string().max(30).optional(),\n  whatsappToNumber: z.string().max(30).optional(),\n  fromNumber: z.string().max(20).optional(),\n  toNumber: z.string().max(20).optional(),\n  webhookUrl: z.string().url().max(500).optional(),\n  notifyOn: NotifyOnSchema,\n  quietHours: QuietHoursSchema.optional(),\n  responseTimeout: z.number().int().min(30).max(3600),\n  pendingPrompts: z.array(PendingPromptSchema).max(100),\n});\n\n// Action queue schemas\nexport const PendingActionSchema = z.object({\n  id: z.string().max(32),\n  promptId: z.string().max(32),\n  response: z.string().max(1000),\n  action: z.string().max(500),\n  timestamp: z\n    .string()\n    .datetime({ offset: true })\n    .or(z.string().regex(/^\\d{4}-\\d{2}-\\d{2}T/)),\n  status: z.enum(['pending', 'running', 'completed', 'failed']),\n  result: z.string().max(10000).optional(),\n  error: z.string().max(1000).optional(),\n});\n\nexport const ActionQueueSchema = z.object({\n  actions: z.array(PendingActionSchema).max(1000),\n  lastChecked: z\n    .string()\n    .datetime({ offset: true })\n    .or(z.string().regex(/^\\d{4}-\\d{2}-\\d{2}T/)),\n});\n\n// Auto-background config schema\nexport const AutoBackgroundConfigSchema = z.object({\n  enabled: z.boolean(),\n  timeoutMs: z.number().int().min(1000).max(600000),\n  alwaysBackground: z.array(z.string().max(200)).max(100),\n  neverBackground: z.array(z.string().max(200)).max(100),\n  verbose: z.boolean().optional(),\n});\n\n// WhatsApp Sync Options schema\nexport const SyncOptionsSchema = z.object({\n  autoSyncOnClose: z.boolean(),\n  minFrameDuration: z.number().int().min(0).max(3600), // 0 to 1 hour\n  includeDecisions: z.boolean(),\n  includeFiles: z.boolean(),\n  includeTests: z.boolean(),\n  maxDigestLength: z.number().int().min(100).max(1000), // WhatsApp limit ~4096 chars\n});\n\n// WhatsApp Schedule Config schema\nexport const ScheduleConfigSchema = z.object({\n  type: z.enum(['daily', 'hourly', 'interval']),\n  time: z\n    .string()\n    .regex(/^\\d{2}:\\d{2}$/)\n    .optional(), // \"HH:MM\" for daily\n  intervalMinutes: z.number().int().min(5).max(1440).optional(), // 5 min to 24 hours\n  includeInactive: z.boolean(), // Include when no activity\n  quietHoursRespect: z.boolean(), // Respect quiet hours setting\n});\n\n// WhatsApp Schedule storage schema\nexport const ScheduleSchema = z.object({\n  id: z.string().max(32),\n  config: ScheduleConfigSchema,\n  enabled: z.boolean(),\n  lastRun: z\n    .string()\n    .datetime({ offset: true })\n    .or(z.string().regex(/^\\d{4}-\\d{2}-\\d{2}T/))\n    .optional(),\n  nextRun: z\n    .string()\n    .datetime({ offset: true })\n    .or(z.string().regex(/^\\d{4}-\\d{2}-\\d{2}T/))\n    .optional(),\n  createdAt: z\n    .string()\n    .datetime({ offset: true })\n    .or(z.string().regex(/^\\d{4}-\\d{2}-\\d{2}T/)),\n});\n\nexport const ScheduleStorageSchema = z.object({\n  schedules: z.array(ScheduleSchema).max(10),\n  lastChecked: z\n    .string()\n    .datetime({ offset: true })\n    .or(z.string().regex(/^\\d{4}-\\d{2}-\\d{2}T/)),\n});\n\n// WhatsApp Command schema\nexport const WhatsAppCommandSchema = z.object({\n  name: z.string().max(50),\n  description: z.string().max(200),\n  enabled: z.boolean(),\n  action: z.string().max(500).optional(), // Safe action to execute\n  requiresArg: z.boolean().optional(),\n  argPattern: z.string().max(100).optional(), // Regex pattern for arg validation\n});\n\nexport const WhatsAppCommandsConfigSchema = z.object({\n  enabled: z.boolean(),\n  commands: z.array(WhatsAppCommandSchema).max(50),\n});\n\n// Model Router schemas\nexport const ModelProviderSchema = z.enum([\n  'anthropic',\n  'qwen',\n  'openai',\n  'ollama',\n  'custom',\n]);\n\nexport const ModelConfigSchema = z.object({\n  provider: ModelProviderSchema,\n  model: z.string().max(100),\n  baseUrl: z.string().url().max(500).optional(),\n  apiKeyEnv: z.string().max(100),\n  headers: z.record(z.string().max(500)).optional(),\n  params: z.record(z.unknown()).optional(),\n});\n\nexport const ModelRouterConfigSchema = z.object({\n  enabled: z.boolean(),\n  defaultProvider: ModelProviderSchema,\n  taskRouting: z\n    .object({\n      plan: ModelProviderSchema.optional(),\n      think: ModelProviderSchema.optional(),\n      code: ModelProviderSchema.optional(),\n      review: ModelProviderSchema.optional(),\n    })\n    .optional()\n    .default({}),\n  fallback: z.object({\n    enabled: z.boolean(),\n    provider: ModelProviderSchema,\n    onRateLimit: z.boolean(),\n    onError: z.boolean(),\n    onTimeout: z.boolean(),\n    maxRetries: z.number().int().min(0).max(10),\n    retryDelayMs: z.number().int().min(100).max(30000),\n  }),\n  providers: z\n    .object({\n      anthropic: ModelConfigSchema.optional(),\n      qwen: ModelConfigSchema.optional(),\n      openai: ModelConfigSchema.optional(),\n      ollama: ModelConfigSchema.optional(),\n      custom: ModelConfigSchema.optional(),\n    })\n    .optional()\n    .default({}),\n  thinkingMode: z.object({\n    enabled: z.boolean(),\n    budget: z.number().int().min(1000).max(100000).optional(),\n    temperature: z.number().min(0).max(2).optional(),\n    topP: z.number().min(0).max(1).optional(),\n  }),\n});\n\n// Type exports\nexport type ModelRouterConfigValidated = z.infer<\n  typeof ModelRouterConfigSchema\n>;\nexport type SMSConfigValidated = z.infer<typeof SMSConfigSchema>;\nexport type ActionQueueValidated = z.infer<typeof ActionQueueSchema>;\nexport type AutoBackgroundConfigValidated = z.infer<\n  typeof AutoBackgroundConfigSchema\n>;\nexport type SyncOptionsValidated = z.infer<typeof SyncOptionsSchema>;\nexport type ScheduleConfigValidated = z.infer<typeof ScheduleConfigSchema>;\nexport type ScheduleValidated = z.infer<typeof ScheduleSchema>;\nexport type ScheduleStorageValidated = z.infer<typeof ScheduleStorageSchema>;\nexport type WhatsAppCommandValidated = z.infer<typeof WhatsAppCommandSchema>;\nexport type WhatsAppCommandsConfigValidated = z.infer<\n  typeof WhatsAppCommandsConfigSchema\n>;\n\n/**\n * Safely parse and validate config, returning default on failure\n */\nexport function parseConfigSafe<T>(\n  schema: z.ZodSchema<T>,\n  data: unknown,\n  defaultValue: T,\n  configName: string\n): T {\n  const result = schema.safeParse(data);\n  if (result.success) {\n    return result.data;\n  }\n  const errors = result.error.issues.map(\n    (i) => `${i.path.join('.')}: ${i.message}`\n  );\n  logConfigInvalid(configName, errors);\n  console.error(`[hooks] Invalid ${configName} config:`, errors.join(', '));\n  return defaultValue;\n}\n"],
+  "mappings": ";;;;AAKA,SAAS,SAAS;AAClB,SAAS,wBAAwB;AAG1B,MAAM,qBAAqB,EAAE,OAAO;AAAA,EACzC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE;AAAA,EACtB,OAAO,EAAE,OAAO,EAAE,IAAI,GAAG;AAAA,EACzB,QAAQ,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS;AACvC,CAAC;AAEM,MAAM,sBAAsB,EAAE,OAAO;AAAA,EAC1C,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;AAAA,EACrB,WAAW,EACR,OAAO,EACP,SAAS,EAAE,QAAQ,KAAK,CAAC,EACzB,GAAG,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAAA,EAC7C,SAAS,EAAE,OAAO,EAAE,IAAI,GAAI;AAAA,EAC5B,SAAS,EAAE,MAAM,kBAAkB,EAAE,IAAI,EAAE;AAAA,EAC3C,MAAM,EAAE,KAAK,CAAC,WAAW,SAAS,UAAU,CAAC;AAAA,EAC7C,UAAU,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EACvC,WAAW,EACR,OAAO,EACP,SAAS,EAAE,QAAQ,KAAK,CAAC,EACzB,GAAG,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC/C,CAAC;AAEM,MAAM,iBAAiB,EAAE,OAAO;AAAA,EACrC,cAAc,EAAE,QAAQ;AAAA,EACxB,aAAa,EAAE,QAAQ;AAAA,EACvB,OAAO,EAAE,QAAQ;AAAA,EACjB,QAAQ,EAAE,QAAQ;AAAA,EAClB,aAAa,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,IAAI;AAClD,CAAC;AAEM,MAAM,mBAAmB,EAAE,OAAO;AAAA,EACvC,SAAS,EAAE,QAAQ;AAAA,EACnB,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe;AAAA,EACvC,KAAK,EAAE,OAAO,EAAE,MAAM,eAAe;AACvC,CAAC;AAEM,MAAM,kBAAkB,EAAE,OAAO;AAAA,EACtC,SAAS,EAAE,QAAQ;AAAA,EACnB,SAAS,EAAE,KAAK,CAAC,YAAY,KAAK,CAAC;AAAA,EACnC,YAAY,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EACzC,WAAW,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EACxC,eAAe,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,SAAS;AAAA,EAC3C,aAAa,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,SAAS;AAAA,EACzC,oBAAoB,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,SAAS;AAAA,EAChD,kBAAkB,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,SAAS;AAAA,EAC9C,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,SAAS;AAAA,EACxC,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,SAAS;AAAA,EACtC,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EAC/C,UAAU;AAAA,EACV,YAAY,iBAAiB,SAAS;AAAA,EACtC,iBAAiB,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,IAAI,IAAI;AAAA,EAClD,gBAAgB,EAAE,MAAM,mBAAmB,EAAE,IAAI,GAAG;AACtD,CAAC;AAGM,MAAM,sBAAsB,EAAE,OAAO;AAAA,EAC1C,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;AAAA,EACrB,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE;AAAA,EAC3B,UAAU,EAAE,OAAO,EAAE,IAAI,GAAI;AAAA,EAC7B,QAAQ,EAAE,OAAO,EAAE,IAAI,GAAG;AAAA,EAC1B,WAAW,EACR,OAAO,EACP,SAAS,EAAE,QAAQ,KAAK,CAAC,EACzB,GAAG,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAAA,EAC7C,QAAQ,EAAE,KAAK,CAAC,WAAW,WAAW,aAAa,QAAQ,CAAC;AAAA,EAC5D,QAAQ,EAAE,OAAO,EAAE,IAAI,GAAK,EAAE,SAAS;AAAA,EACvC,OAAO,EAAE,OAAO,EAAE,IAAI,GAAI,EAAE,SAAS;AACvC,CAAC;AAEM,MAAM,oBAAoB,EAAE,OAAO;AAAA,EACxC,SAAS,EAAE,MAAM,mBAAmB,EAAE,IAAI,GAAI;AAAA,EAC9C,aAAa,EACV,OAAO,EACP,SAAS,EAAE,QAAQ,KAAK,CAAC,EACzB,GAAG,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC/C,CAAC;AAGM,MAAM,6BAA6B,EAAE,OAAO;AAAA,EACjD,SAAS,EAAE,QAAQ;AAAA,EACnB,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,GAAI,EAAE,IAAI,GAAM;AAAA,EAChD,kBAAkB,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,GAAG,CAAC,EAAE,IAAI,GAAG;AAAA,EACtD,iBAAiB,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,GAAG,CAAC,EAAE,IAAI,GAAG;AAAA,EACrD,SAAS,EAAE,QAAQ,EAAE,SAAS;AAChC,CAAC;AAGM,MAAM,oBAAoB,EAAE,OAAO;AAAA,EACxC,iBAAiB,EAAE,QAAQ;AAAA,EAC3B,kBAAkB,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,IAAI;AAAA;AAAA,EAClD,kBAAkB,EAAE,QAAQ;AAAA,EAC5B,cAAc,EAAE,QAAQ;AAAA,EACxB,cAAc,EAAE,QAAQ;AAAA,EACxB,iBAAiB,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,GAAG,EAAE,IAAI,GAAI;AAAA;AACrD,CAAC;AAGM,MAAM,uBAAuB,EAAE,OAAO;AAAA,EAC3C,MAAM,EAAE,KAAK,CAAC,SAAS,UAAU,UAAU,CAAC;AAAA,EAC5C,MAAM,EACH,OAAO,EACP,MAAM,eAAe,EACrB,SAAS;AAAA;AAAA,EACZ,iBAAiB,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,IAAI,EAAE,SAAS;AAAA;AAAA,EAC5D,iBAAiB,EAAE,QAAQ;AAAA;AAAA,EAC3B,mBAAmB,EAAE,QAAQ;AAAA;AAC/B,CAAC;AAGM,MAAM,iBAAiB,EAAE,OAAO;AAAA,EACrC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;AAAA,EACrB,QAAQ;AAAA,EACR,SAAS,EAAE,QAAQ;AAAA,EACnB,SAAS,EACN,OAAO,EACP,SAAS,EAAE,QAAQ,KAAK,CAAC,EACzB,GAAG,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC,EAC1C,SAAS;AAAA,EACZ,SAAS,EACN,OAAO,EACP,SAAS,EAAE,QAAQ,KAAK,CAAC,EACzB,GAAG,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC,EAC1C,SAAS;AAAA,EACZ,WAAW,EACR,OAAO,EACP,SAAS,EAAE,QAAQ,KAAK,CAAC,EACzB,GAAG,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC/C,CAAC;AAEM,MAAM,wBAAwB,EAAE,OAAO;AAAA,EAC5C,WAAW,EAAE,MAAM,cAAc,EAAE,IAAI,EAAE;AAAA,EACzC,aAAa,EACV,OAAO,EACP,SAAS,EAAE,QAAQ,KAAK,CAAC,EACzB,GAAG,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC/C,CAAC;AAGM,MAAM,wBAAwB,EAAE,OAAO;AAAA,EAC5C,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE;AAAA,EACvB,aAAa,EAAE,OAAO,EAAE,IAAI,GAAG;AAAA,EAC/B,SAAS,EAAE,QAAQ;AAAA,EACnB,QAAQ,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA;AAAA,EACrC,aAAa,EAAE,QAAQ,EAAE,SAAS;AAAA,EAClC,YAAY,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA;AAC3C,CAAC;AAEM,MAAM,+BAA+B,EAAE,OAAO;AAAA,EACnD,SAAS,EAAE,QAAQ;AAAA,EACnB,UAAU,EAAE,MAAM,qBAAqB,EAAE,IAAI,EAAE;AACjD,CAAC;AAGM,MAAM,sBAAsB,EAAE,KAAK;AAAA,EACxC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,MAAM,oBAAoB,EAAE,OAAO;AAAA,EACxC,UAAU;AAAA,EACV,OAAO,EAAE,OAAO,EAAE,IAAI,GAAG;AAAA,EACzB,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EAC5C,WAAW,EAAE,OAAO,EAAE,IAAI,GAAG;AAAA,EAC7B,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,GAAG,CAAC,EAAE,SAAS;AAAA,EAChD,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,SAAS;AACzC,CAAC;AAEM,MAAM,0BAA0B,EAAE,OAAO;AAAA,EAC9C,SAAS,EAAE,QAAQ;AAAA,EACnB,iBAAiB;AAAA,EACjB,aAAa,EACV,OAAO;AAAA,IACN,MAAM,oBAAoB,SAAS;AAAA,IACnC,OAAO,oBAAoB,SAAS;AAAA,IACpC,MAAM,oBAAoB,SAAS;AAAA,IACnC,QAAQ,oBAAoB,SAAS;AAAA,EACvC,CAAC,EACA,SAAS,EACT,QAAQ,CAAC,CAAC;AAAA,EACb,UAAU,EAAE,OAAO;AAAA,IACjB,SAAS,EAAE,QAAQ;AAAA,IACnB,UAAU;AAAA,IACV,aAAa,EAAE,QAAQ;AAAA,IACvB,SAAS,EAAE,QAAQ;AAAA,IACnB,WAAW,EAAE,QAAQ;AAAA,IACrB,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,EAAE;AAAA,IAC1C,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,GAAG,EAAE,IAAI,GAAK;AAAA,EACnD,CAAC;AAAA,EACD,WAAW,EACR,OAAO;AAAA,IACN,WAAW,kBAAkB,SAAS;AAAA,IACtC,MAAM,kBAAkB,SAAS;AAAA,IACjC,QAAQ,kBAAkB,SAAS;AAAA,IACnC,QAAQ,kBAAkB,SAAS;AAAA,IACnC,QAAQ,kBAAkB,SAAS;AAAA,EACrC,CAAC,EACA,SAAS,EACT,QAAQ,CAAC,CAAC;AAAA,EACb,cAAc,EAAE,OAAO;AAAA,IACrB,SAAS,EAAE,QAAQ;AAAA,IACnB,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,GAAI,EAAE,IAAI,GAAM,EAAE,SAAS;AAAA,IACxD,aAAa,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA,IAC/C,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EAC1C,CAAC;AACH,CAAC;AAuBM,SAAS,gBACd,QACA,MACA,cACA,YACG;AACH,QAAM,SAAS,OAAO,UAAU,IAAI;AACpC,MAAI,OAAO,SAAS;AAClB,WAAO,OAAO;AAAA,EAChB;AACA,QAAM,SAAS,OAAO,MAAM,OAAO;AAAA,IACjC,CAAC,MAAM,GAAG,EAAE,KAAK,KAAK,GAAG,CAAC,KAAK,EAAE,OAAO;AAAA,EAC1C;AACA,mBAAiB,YAAY,MAAM;AACnC,UAAQ,MAAM,mBAAmB,UAAU,YAAY,OAAO,KAAK,IAAI,CAAC;AACxE,SAAO;AACT;",
+  "names": []
+}

package/dist/src/hooks/secure-fs.js

@@ -0,0 +1,49 @@
+import { fileURLToPath as __fileURLToPath } from 'url';
+import { dirname as __pathDirname } from 'path';
+const __filename = __fileURLToPath(import.meta.url);
+const __dirname = __pathDirname(__filename);
+import {
+  writeFileSync,
+  mkdirSync,
+  chmodSync,
+  existsSync,
+  renameSync,
+  unlinkSync
+} from "fs";
+import { dirname, join } from "path";
+import { randomBytes } from "crypto";
+function writeFileSecure(filePath, data) {
+  const dir = dirname(filePath);
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 448 });
+  }
+  const tempPath = join(dir, `.tmp-${randomBytes(8).toString("hex")}`);
+  try {
+    writeFileSync(tempPath, data);
+    chmodSync(tempPath, 384);
+    renameSync(tempPath, filePath);
+  } catch (error) {
+    try {
+      if (existsSync(tempPath)) {
+        unlinkSync(tempPath);
+      }
+    } catch {
+    }
+    throw error;
+  }
+}
+function ensureSecureDir(dirPath) {
+  if (!existsSync(dirPath)) {
+    mkdirSync(dirPath, { recursive: true, mode: 448 });
+  } else {
+    try {
+      chmodSync(dirPath, 448);
+    } catch {
+    }
+  }
+}
+export {
+  ensureSecureDir,
+  writeFileSecure
+};
+//# sourceMappingURL=secure-fs.js.map

package/dist/src/hooks/secure-fs.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/hooks/secure-fs.ts"],
+  "sourcesContent": ["/**\n * Secure file system utilities for hooks\n * Ensures config files have restricted permissions (0600)\n */\n\nimport {\n  writeFileSync,\n  mkdirSync,\n  chmodSync,\n  existsSync,\n  renameSync,\n  unlinkSync,\n} from 'fs';\nimport { dirname, join } from 'path';\nimport { randomBytes } from 'crypto';\n\n/**\n * Write file with secure permissions (0600 - user read/write only)\n * Uses atomic write pattern: write to temp file, then rename\n * This prevents corruption if process crashes mid-write\n */\nexport function writeFileSecure(filePath: string, data: string): void {\n  const dir = dirname(filePath);\n\n  // Create directory with secure permissions if needed\n  if (!existsSync(dir)) {\n    mkdirSync(dir, { recursive: true, mode: 0o700 });\n  }\n\n  // Generate temp file path in same directory (required for atomic rename)\n  const tempPath = join(dir, `.tmp-${randomBytes(8).toString('hex')}`);\n\n  try {\n    // Write to temp file first\n    writeFileSync(tempPath, data);\n\n    // Set secure permissions on temp file\n    chmodSync(tempPath, 0o600);\n\n    // Atomic rename (same filesystem, so this is atomic on POSIX)\n    renameSync(tempPath, filePath);\n  } catch (error) {\n    // Clean up temp file on failure\n    try {\n      if (existsSync(tempPath)) {\n        unlinkSync(tempPath);\n      }\n    } catch {\n      // Ignore cleanup errors\n    }\n    throw error;\n  }\n}\n\n/**\n * Ensure directory exists with secure permissions (0700)\n */\nexport function ensureSecureDir(dirPath: string): void {\n  if (!existsSync(dirPath)) {\n    mkdirSync(dirPath, { recursive: true, mode: 0o700 });\n  } else {\n    // Set permissions on existing directory\n    try {\n      chmodSync(dirPath, 0o700);\n    } catch {\n      // Ignore if we can't change permissions (not owner)\n    }\n  }\n}\n"],
+  "mappings": ";;;;AAKA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,SAAS,YAAY;AAC9B,SAAS,mBAAmB;AAOrB,SAAS,gBAAgB,UAAkB,MAAoB;AACpE,QAAM,MAAM,QAAQ,QAAQ;AAG5B,MAAI,CAAC,WAAW,GAAG,GAAG;AACpB,cAAU,KAAK,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AAAA,EACjD;AAGA,QAAM,WAAW,KAAK,KAAK,QAAQ,YAAY,CAAC,EAAE,SAAS,KAAK,CAAC,EAAE;AAEnE,MAAI;AAEF,kBAAc,UAAU,IAAI;AAG5B,cAAU,UAAU,GAAK;AAGzB,eAAW,UAAU,QAAQ;AAAA,EAC/B,SAAS,OAAO;AAEd,QAAI;AACF,UAAI,WAAW,QAAQ,GAAG;AACxB,mBAAW,QAAQ;AAAA,MACrB;AAAA,IACF,QAAQ;AAAA,IAER;AACA,UAAM;AAAA,EACR;AACF;AAKO,SAAS,gBAAgB,SAAuB;AACrD,MAAI,CAAC,WAAW,OAAO,GAAG;AACxB,cAAU,SAAS,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AAAA,EACrD,OAAO;AAEL,QAAI;AACF,gBAAU,SAAS,GAAK;AAAA,IAC1B,QAAQ;AAAA,IAER;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/src/hooks/security-logger.js

@@ -0,0 +1,155 @@
+import { fileURLToPath as __fileURLToPath } from 'url';
+import { dirname as __pathDirname } from 'path';
+const __filename = __fileURLToPath(import.meta.url);
+const __dirname = __pathDirname(__filename);
+import { appendFileSync, existsSync, readFileSync, writeFileSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+import { ensureSecureDir } from "./secure-fs.js";
+const LOG_DIR = join(homedir(), ".stackmemory", "logs");
+const SECURITY_LOG = join(LOG_DIR, "security.log");
+const MAX_LOG_ENTRIES = 1e4;
+let logCount = 0;
+function logSecurityEvent(type, source, message, details, ip) {
+  try {
+    ensureSecureDir(LOG_DIR);
+    const event = {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      type,
+      source,
+      message,
+      ...details && { details },
+      ...ip && { ip: maskIp(ip) }
+    };
+    const logLine = JSON.stringify(event) + "\n";
+    appendFileSync(SECURITY_LOG, logLine, { mode: 384 });
+    logCount++;
+    if (logCount > MAX_LOG_ENTRIES) {
+      rotateLog();
+    }
+  } catch {
+  }
+}
+function maskIp(ip) {
+  if (!ip) return "unknown";
+  if (ip === "::1" || ip === "::ffff:127.0.0.1") return "127.0.0.x";
+  const parts = ip.replace("::ffff:", "").split(".");
+  if (parts.length === 4) {
+    return `${parts[0]}.${parts[1]}.x.x`;
+  }
+  if (ip.includes(":")) {
+    const segments = ip.split(":");
+    if (segments.length >= 4) {
+      return segments.slice(0, 4).join(":") + ":x:x:x:x";
+    }
+  }
+  return "masked";
+}
+function rotateLog() {
+  try {
+    if (existsSync(SECURITY_LOG)) {
+      const content = readFileSync(SECURITY_LOG, "utf8");
+      const lines = content.trim().split("\n");
+      const keepLines = lines.slice(-MAX_LOG_ENTRIES / 2);
+      writeFileSync(SECURITY_LOG, keepLines.join("\n") + "\n", { mode: 384 });
+      logCount = keepLines.length;
+    }
+  } catch {
+  }
+}
+function logAuthSuccess(source, details) {
+  logSecurityEvent(
+    "auth_success",
+    source,
+    "Authentication successful",
+    details
+  );
+}
+function logAuthFailure(source, reason, ip, details) {
+  logSecurityEvent(
+    "auth_failure",
+    source,
+    `Authentication failed: ${reason}`,
+    details,
+    ip
+  );
+}
+function logRateLimit(source, ip) {
+  logSecurityEvent("rate_limit", source, "Rate limit exceeded", void 0, ip);
+}
+function logActionAllowed(source, action) {
+  logSecurityEvent(
+    "action_allowed",
+    source,
+    `Action executed: ${action.substring(0, 100)}`
+  );
+}
+function logActionBlocked(source, action, reason) {
+  logSecurityEvent("action_blocked", source, `Action blocked: ${reason}`, {
+    action: action.substring(0, 100)
+  });
+}
+function logConfigInvalid(source, errors) {
+  logSecurityEvent("config_invalid", source, "Invalid config rejected", {
+    errors: errors.slice(0, 5)
+  });
+}
+function logWebhookRequest(source, method, path, ip) {
+  logSecurityEvent(
+    "webhook_request",
+    source,
+    `${method} ${path}`,
+    void 0,
+    ip
+  );
+}
+function logSignatureInvalid(source, ip) {
+  logSecurityEvent(
+    "signature_invalid",
+    source,
+    "Invalid request signature",
+    void 0,
+    ip
+  );
+}
+function logBodyTooLarge(source, size, ip) {
+  logSecurityEvent(
+    "body_too_large",
+    source,
+    `Request body too large: ${size} bytes`,
+    void 0,
+    ip
+  );
+}
+function logContentTypeInvalid(source, contentType, ip) {
+  logSecurityEvent(
+    "content_type_invalid",
+    source,
+    `Invalid content type: ${contentType}`,
+    void 0,
+    ip
+  );
+}
+function logCleanup(source, expiredPrompts, oldActions) {
+  if (expiredPrompts > 0 || oldActions > 0) {
+    logSecurityEvent("cleanup", source, "Cleanup completed", {
+      expiredPrompts,
+      oldActions
+    });
+  }
+}
+export {
+  logActionAllowed,
+  logActionBlocked,
+  logAuthFailure,
+  logAuthSuccess,
+  logBodyTooLarge,
+  logCleanup,
+  logConfigInvalid,
+  logContentTypeInvalid,
+  logRateLimit,
+  logSecurityEvent,
+  logSignatureInvalid,
+  logWebhookRequest
+};
+//# sourceMappingURL=security-logger.js.map