@syntesseraai/opencode-feature-factory 0.1.18 → 0.1.20

package/package.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://json.schemastore.org/package.json",
   "name": "@syntesseraai/opencode-feature-factory",
-  "version": "0.1.18",
+  "version": "0.1.20",
   "description": "OpenCode plugin for Feature Factory agents - provides planning, implementation, review, testing, and validation agents",
   "type": "module",
   "license": "MIT",
@@ -28,6 +28,7 @@
     "@opencode-ai/plugin": "^1.1.23"
   },
   "devDependencies": {
+    "@types/bun": "^1.2.6",
     "@types/node": "^22.0.0",
     "typescript": "^5.0.0"
   }

package/src/index.ts

@@ -1,10 +1,38 @@
-import type { Plugin, Hooks } from '@opencode-ai/plugin';
+import type { Plugin, Hooks, PluginInput } from '@opencode-ai/plugin';
 import * as path from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { mkdir, access, writeFile, readFile } from 'node:fs/promises';
 import { constants as fsConstants } from 'node:fs';
 import { createQualityGateHooks } from './stop-quality-gate';
 
+const SERVICE_NAME = 'feature-factory';
+
+type Client = PluginInput['client'];
+
+/**
+ * Log a message using the OpenCode client's structured logging.
+ * Silently fails if logging is unavailable.
+ */
+async function log(
+  client: Client,
+  level: 'debug' | 'info' | 'warn' | 'error',
+  message: string,
+  extra?: Record<string, unknown>
+): Promise<void> {
+  try {
+    await client.app.log({
+      body: {
+        service: SERVICE_NAME,
+        level,
+        message,
+        extra,
+      },
+    });
+  } catch {
+    // Logging failure should not affect plugin operation
+  }
+}
+
 /**
  * List of agent templates to sync to projects.
  * Each entry maps a destination filename to its template path relative to this module.
@@ -147,7 +175,7 @@ function mergeHooks(...hookSets: Partial<Hooks>[]): Hooks {
  * - If management/ci.sh does not exist, quality gate does not run
  */
 export const FeatureFactoryPlugin: Plugin = async (input) => {
-  const { worktree, directory } = input;
+  const { worktree, directory, client } = input;
   const rootDir = resolveRootDir({ worktree, directory });
 
   // Skip if no valid directory (e.g., global config with no project)
@@ -158,16 +186,21 @@ export const FeatureFactoryPlugin: Plugin = async (input) => {
   // Run initial sync on plugin load (silent - errors are swallowed)
   try {
     await ensureAgentsInstalled(rootDir);
-  } catch {
-    // Silent autosync shouldn't crash OpenCode startup
+  } catch (error) {
+    await log(client, 'warn', 'agent-sync.init-error', {
+      rootDir,
+      error: String(error),
+    });
   }
 
   // Create quality gate hooks
   let qualityGateHooks: Partial<Hooks> = {};
   try {
     qualityGateHooks = await createQualityGateHooks(input);
-  } catch {
-    // Silent failure - quality gate shouldn't crash OpenCode startup
+  } catch (error) {
+    await log(client, 'error', 'quality-gate.init-error', {
+      error: String(error),
+    });
   }
 
   // Agent sync hooks
@@ -177,8 +210,11 @@ export const FeatureFactoryPlugin: Plugin = async (input) => {
       if (event.type === 'installation.updated') {
         try {
           await ensureAgentsInstalled(rootDir);
-        } catch {
-          // Silent failure
+        } catch (error) {
+          await log(client, 'warn', 'agent-sync.update-error', {
+            rootDir,
+            error: String(error),
+          });
         }
       }
     },

package/src/stop-quality-gate.test.ts

@@ -6,33 +6,7 @@
  * - isSessionReadOnly: determines if session has write permissions
  */
 
-// Re-implement the functions here for testing since they're not exported
-// This allows us to test the logic without modifying the source file exports
-
-const SECRET_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [
-  // AWS Access Key IDs
-  { pattern: /AKIA[0-9A-Z]{16}/g, replacement: '[REDACTED_AWS_KEY]' },
-  // Bearer tokens
-  { pattern: /Bearer\s+[\w\-.]+/gi, replacement: 'Bearer [REDACTED]' },
-  // API keys (api_key, api-key, apikey, apikeys, etc.)
-  { pattern: /api[_-]?keys?[=:\s]+['"]?[\w-]+['"]?/gi, replacement: 'api_key=[REDACTED]' },
-  // Tokens (token, tokens)
-  { pattern: /tokens?[=:\s]+['"]?[\w-]+['"]?/gi, replacement: 'token=[REDACTED]' },
-  // Passwords
-  { pattern: /passwords?[=:\s]+['"]?[^\s'"]+['"]?/gi, replacement: 'password=[REDACTED]' },
-  // Generic secrets
-  { pattern: /secrets?[=:\s]+['"]?[^\s'"]+['"]?/gi, replacement: 'secret=[REDACTED]' },
-  // Base64-encoded long strings that look like secrets (40+ chars of base64 alphabet)
-  { pattern: /[A-Za-z0-9+/]{40,}={0,2}/g, replacement: '[REDACTED_BASE64]' },
-];
-
-function sanitizeOutput(output: string): string {
-  let sanitized = output;
-  for (const { pattern, replacement } of SECRET_PATTERNS) {
-    sanitized = sanitized.replace(pattern, replacement);
-  }
-  return sanitized;
-}
+import { SECRET_PATTERNS, sanitizeOutput } from './stop-quality-gate';
 
 interface PermissionRule {
   permission: string;
@@ -68,6 +42,78 @@ describe('sanitizeOutput', () => {
     });
   });
 
+  describe('GitHub tokens', () => {
+    it('should redact GitHub Personal Access Tokens (classic)', () => {
+      const input = 'Using ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Using [REDACTED_GH_TOKEN]');
+    });
+
+    it('should redact GitHub Personal Access Tokens (fine-grained)', () => {
+      const input = 'Using github_pat_11ABCDEFG_abcdefghijklmnopqrstuvwxyz';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Using [REDACTED_GH_TOKEN]');
+    });
+
+    it('should redact GitHub OAuth tokens', () => {
+      const input = 'oauth=gho_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('oauth=[REDACTED_GH_TOKEN]');
+    });
+
+    it('should redact GitHub App user-to-server tokens', () => {
+      const input = 'Using ghu_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Using [REDACTED_GH_TOKEN]');
+    });
+
+    it('should redact GitHub App server-to-server tokens', () => {
+      const input = 'Using ghs_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Using [REDACTED_GH_TOKEN]');
+    });
+
+    it('should not redact partial GitHub token patterns', () => {
+      const input = 'ghp_abc'; // Too short
+      const result = sanitizeOutput(input);
+      expect(result).toBe('ghp_abc');
+    });
+  });
+
+  describe('GitLab tokens', () => {
+    it('should redact GitLab Personal Access Tokens', () => {
+      const input = 'Using glpat-abcdefghij1234567890';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Using [REDACTED_GITLAB_TOKEN]');
+    });
+
+    it('should redact GitLab tokens with hyphens', () => {
+      const input = 'Using glpat-abc-def-ghi-jkl-mnop-qrs';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Using [REDACTED_GITLAB_TOKEN]');
+    });
+
+    it('should not redact partial GitLab token patterns', () => {
+      const input = 'glpat-short'; // Too short
+      const result = sanitizeOutput(input);
+      expect(result).toBe('glpat-short');
+    });
+  });
+
+  describe('npm tokens', () => {
+    it('should redact npm tokens', () => {
+      const input = 'Using npm_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Using [REDACTED_NPM_TOKEN]');
+    });
+
+    it('should not redact partial npm token patterns', () => {
+      const input = 'npm_abc'; // Too short
+      const result = sanitizeOutput(input);
+      expect(result).toBe('npm_abc');
+    });
+  });
+
   describe('Bearer tokens', () => {
     it('should redact Bearer tokens', () => {
       const input = 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9';
@@ -109,14 +155,44 @@ describe('sanitizeOutput', () => {
   });
 
   describe('tokens', () => {
-    it('should redact token assignments', () => {
+    it('should redact token assignments with 8+ char values', () => {
       const input = 'token=ghp_xxxxxxxxxxxxxxxxxxxx';
       const result = sanitizeOutput(input);
       expect(result).toBe('token=[REDACTED]');
     });
 
-    it('should redact tokens plural', () => {
-      const input = 'tokens: secret123';
+    it('should redact tokens plural with 8+ char values', () => {
+      const input = 'tokens: secret12345';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('token=[REDACTED]');
+    });
+
+    it('should NOT redact token with short values (less than 8 chars)', () => {
+      const input = 'token=abc123';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('token=abc123');
+    });
+
+    it('should NOT redact phrases like "token count: 5" (value too short)', () => {
+      const input = 'token count: 5';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('token count: 5');
+    });
+
+    it('should NOT redact "token: abc" (value too short)', () => {
+      const input = 'token: abc';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('token: abc');
+    });
+
+    it('should redact actual token values that are 8+ chars', () => {
+      const input = 'token=abcd1234efgh';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('token=[REDACTED]');
+    });
+
+    it('should redact quoted tokens with 8+ char values', () => {
+      const input = 'token="my-secret-token-value"';
       const result = sanitizeOutput(input);
       expect(result).toBe('token=[REDACTED]');
     });
@@ -175,6 +251,33 @@ describe('sanitizeOutput', () => {
       const result = sanitizeOutput(base64);
       expect(result).toBe('[REDACTED_BASE64]');
     });
+
+    it('should redact base64 strings up to 500 chars (ReDoS prevention)', () => {
+      // Generate a 500-char base64 string
+      const base64 = 'A'.repeat(500);
+      const result = sanitizeOutput(base64);
+      expect(result).toBe('[REDACTED_BASE64]');
+    });
+
+    it('should handle base64 strings over 500 chars by matching only first 500 (ReDoS prevention)', () => {
+      // Generate a 501-char base64 string - only first 500 chars match
+      const base64 = 'A'.repeat(501);
+      const result = sanitizeOutput(base64);
+      // Pattern matches the first 500 chars, leaving 1 char behind
+      expect(result).toBe('[REDACTED_BASE64]A');
+    });
+
+    it('should handle base64 at exactly 40 chars (minimum threshold)', () => {
+      const base64 = 'A'.repeat(40);
+      const result = sanitizeOutput(base64);
+      expect(result).toBe('[REDACTED_BASE64]');
+    });
+
+    it('should NOT redact base64 strings under 40 chars', () => {
+      const base64 = 'A'.repeat(39);
+      const result = sanitizeOutput(base64);
+      expect(result).toBe(base64);
+    });
   });
 
   describe('multiple secrets', () => {
@@ -194,6 +297,232 @@ describe('sanitizeOutput', () => {
     });
   });
 
+  describe('private keys', () => {
+    it('should redact RSA private keys', () => {
+      const input = `-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA0Z3VS5JJcds3xfn/ygWyF8PbnGy
+-----END RSA PRIVATE KEY-----`;
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_PRIVATE_KEY]');
+    });
+
+    it('should redact OpenSSH private keys', () => {
+      const input = `-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAA
+-----END OPENSSH PRIVATE KEY-----`;
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_PRIVATE_KEY]');
+    });
+
+    it('should redact EC private keys', () => {
+      const input = `-----BEGIN EC PRIVATE KEY-----
+MHQCAQEEICg7E4NN6YPWoU6/FXa5ON6Pt6LKBfA8WL
+-----END EC PRIVATE KEY-----`;
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_PRIVATE_KEY]');
+    });
+
+    it('should redact generic private keys', () => {
+      const input = `-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASC
+-----END PRIVATE KEY-----`;
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_PRIVATE_KEY]');
+    });
+
+    it('should redact private keys embedded in output', () => {
+      const input = `Loading configuration...
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA0Z3VS5JJcds3xfn/ygWyF8PbnGy
+-----END RSA PRIVATE KEY-----
+Done loading.`;
+      const result = sanitizeOutput(input);
+      expect(result).toBe(`Loading configuration...
+[REDACTED_PRIVATE_KEY]
+Done loading.`);
+    });
+  });
+
+  describe('GCP credentials', () => {
+    it('should redact GCP API keys', () => {
+      const input = 'Using GCP key: AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Using GCP key: [REDACTED_GCP_KEY]');
+    });
+
+    it('should redact multiple GCP API keys', () => {
+      const input =
+        'Key1: AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe Key2: AIzaSyB-1234567890abcdefghijklmnopqrstu';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Key1: [REDACTED_GCP_KEY] Key2: [REDACTED_GCP_KEY]');
+    });
+
+    it('should not redact partial GCP API key patterns', () => {
+      const input = 'AIza123'; // Too short
+      const result = sanitizeOutput(input);
+      expect(result).toBe('AIza123');
+    });
+
+    it('should redact GCP OAuth tokens', () => {
+      const input = 'Authorization: ya29.a0AfH6SMBx-example-token-value_123';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Authorization: [REDACTED_GCP_TOKEN]');
+    });
+
+    it('should redact GCP OAuth tokens with various characters', () => {
+      const input = 'token=ya29.Gl-abc_XYZ-123';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('token=[REDACTED_GCP_TOKEN]');
+    });
+  });
+
+  describe('Slack tokens', () => {
+    it('should redact Slack bot tokens', () => {
+      const input = 'SLACK_BOT_TOKEN=xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('SLACK_BOT_TOKEN=[REDACTED_SLACK_TOKEN]');
+    });
+
+    it('should redact Slack user tokens', () => {
+      const input =
+        'Using xoxp-123456789012-123456789012-123456789012-abcdef1234567890abcdef1234567890';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Using [REDACTED_SLACK_TOKEN]');
+    });
+
+    it('should redact Slack app tokens', () => {
+      const input =
+        'APP_TOKEN=xapp-1-A0123BCDEFG-1234567890123-abcdefghijklmnopqrstuvwxyz0123456789';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('APP_TOKEN=[REDACTED_SLACK_TOKEN]');
+    });
+
+    it('should redact Slack webhook URLs', () => {
+      const input =
+        'Webhook: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Webhook: https://[REDACTED_SLACK_WEBHOOK]');
+    });
+
+    it('should redact multiple different Slack token types', () => {
+      const input = `
+        Bot: xoxb-123-456-abc
+        User: xoxp-789-012-def
+        App: xapp-345-ghi
+      `;
+      const result = sanitizeOutput(input);
+      expect(result).toContain('[REDACTED_SLACK_TOKEN]');
+      expect(result).not.toContain('xoxb-');
+      expect(result).not.toContain('xoxp-');
+      expect(result).not.toContain('xapp-');
+    });
+  });
+
+  describe('Stripe keys', () => {
+    it('should redact Stripe live secret keys', () => {
+      // 24 chars after sk_live_: 51ABC123DEF456GHI789JKLM
+      const input = 'STRIPE_SECRET_KEY=sk_live_51ABC123DEF456GHI789JKLM';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('STRIPE_SECRET_KEY=[REDACTED_STRIPE_KEY]');
+    });
+
+    it('should redact Stripe test secret keys', () => {
+      // 24 chars after sk_test_: 51ABC123DEF456GHI789JKLM
+      const input = 'Using sk_test_51ABC123DEF456GHI789JKLM for testing';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Using [REDACTED_STRIPE_KEY] for testing');
+    });
+
+    it('should redact Stripe live restricted keys', () => {
+      // 24 chars after rk_live_: 51ABC123DEF456GHI789JKLM
+      const input = 'RESTRICTED_KEY=rk_live_51ABC123DEF456GHI789JKLM';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('RESTRICTED_KEY=[REDACTED_STRIPE_KEY]');
+    });
+
+    it('should redact Stripe test restricted keys', () => {
+      // 24 chars after rk_test_: 51ABC123DEF456GHI789JKLM
+      const input = 'Using rk_test_51ABC123DEF456GHI789JKLM for testing';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Using [REDACTED_STRIPE_KEY] for testing');
+    });
+
+    it('should not redact Stripe keys that are too short', () => {
+      const input = 'sk_live_short'; // Less than 24 characters after prefix
+      const result = sanitizeOutput(input);
+      expect(result).toBe('sk_live_short');
+    });
+
+    it('should redact multiple Stripe keys', () => {
+      // 24 chars after each prefix
+      const input = 'Live: sk_live_51ABC123DEF456GHI789JKLM Test: sk_test_51XYZ789ABC123DEF456GHIJ';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Live: [REDACTED_STRIPE_KEY] Test: [REDACTED_STRIPE_KEY]');
+    });
+
+    it('should redact long Stripe keys', () => {
+      const input = 'sk_live_51ABC123DEF456GHI789JKLmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOP';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_STRIPE_KEY]');
+    });
+  });
+
+  describe('database connection strings', () => {
+    it('should redact PostgreSQL connection strings', () => {
+      const input = 'DATABASE_URL=postgres://admin:secretpass123@db.example.com:5432/mydb';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('DATABASE_URL=[REDACTED_CONNECTION_STRING]');
+    });
+
+    it('should redact MongoDB connection strings with +srv', () => {
+      const input = 'Connecting to mongodb+srv://user:p@ssw0rd@cluster.mongodb.net/database';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Connecting to [REDACTED_CONNECTION_STRING]');
+    });
+
+    it('should redact Redis connection strings', () => {
+      const input = 'REDIS_URL=redis://default:myredispassword@redis.example.com:6379';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('REDIS_URL=[REDACTED_CONNECTION_STRING]');
+    });
+
+    it('should redact MySQL connection strings', () => {
+      const input = 'mysql://root:rootpassword@localhost:3306/testdb';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
+    });
+
+    it('should redact rediss (TLS) connection strings', () => {
+      const input = 'rediss://user:password@secure-redis.example.com:6380';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
+    });
+
+    it('should redact connection strings with URL-encoded passwords', () => {
+      const input = 'mongodb://user:p%40ss%23word@host/db';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
+    });
+
+    it('should redact PostgreSQL with URL-encoded @ in password', () => {
+      const input = 'postgres://admin:secret%40pass@db.example.com:5432/mydb';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
+    });
+
+    it('should redact connection strings with multiple URL-encoded characters', () => {
+      const input = 'mysql://root:p%40ss%3Dw%26rd%21@localhost:3306/testdb';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
+    });
+
+    it('should redact MongoDB+srv with URL-encoded password', () => {
+      const input = 'mongodb+srv://user:my%40complex%23pass@cluster.mongodb.net/database';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
+    });
+  });
+
   describe('non-secret content', () => {
     it('should preserve normal log output', () => {
       const input = 'Build completed successfully in 2.5s';

package/src/stop-quality-gate.ts

@@ -6,28 +6,73 @@ const CI_TIMEOUT_MS = 300000; // 5 minutes
 const SESSION_TTL_MS = 3600000; // 1 hour
 const CLEANUP_INTERVAL_MS = 600000; // 10 minutes
 
-const SECRET_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [
+export const SECRET_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [
   // AWS Access Key IDs
   { pattern: /AKIA[0-9A-Z]{16}/g, replacement: '[REDACTED_AWS_KEY]' },
+  // GitHub Personal Access Tokens (classic)
+  { pattern: /ghp_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_GH_TOKEN]' },
+  // GitHub Personal Access Tokens (fine-grained)
+  { pattern: /github_pat_[A-Za-z0-9_]{22,}/g, replacement: '[REDACTED_GH_TOKEN]' },
+  // GitHub OAuth tokens
+  { pattern: /gho_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_GH_TOKEN]' },
+  // GitHub App tokens (user-to-server and server-to-server)
+  { pattern: /ghu_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_GH_TOKEN]' },
+  { pattern: /ghs_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_GH_TOKEN]' },
+  // GitLab Personal Access Tokens
+  { pattern: /glpat-[A-Za-z0-9-]{20,}/g, replacement: '[REDACTED_GITLAB_TOKEN]' },
+  // npm tokens
+  { pattern: /npm_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_NPM_TOKEN]' },
+  // Slack bot tokens
+  { pattern: /xoxb-[0-9A-Za-z-]+/g, replacement: '[REDACTED_SLACK_TOKEN]' },
+  // Slack user tokens
+  { pattern: /xoxp-[0-9A-Za-z-]+/g, replacement: '[REDACTED_SLACK_TOKEN]' },
+  // Slack app tokens
+  { pattern: /xapp-[0-9A-Za-z-]+/g, replacement: '[REDACTED_SLACK_TOKEN]' },
+  // Slack webhook URLs
+  { pattern: /hooks\.slack\.com\/services\/[A-Z0-9/]+/g, replacement: '[REDACTED_SLACK_WEBHOOK]' },
+  // Stripe live secret keys
+  { pattern: /sk_live_[0-9a-zA-Z]{24,}/g, replacement: '[REDACTED_STRIPE_KEY]' },
+  // Stripe test secret keys
+  { pattern: /sk_test_[0-9a-zA-Z]{24,}/g, replacement: '[REDACTED_STRIPE_KEY]' },
+  // Stripe live restricted keys
+  { pattern: /rk_live_[0-9a-zA-Z]{24,}/g, replacement: '[REDACTED_STRIPE_KEY]' },
+  // Stripe test restricted keys
+  { pattern: /rk_test_[0-9a-zA-Z]{24,}/g, replacement: '[REDACTED_STRIPE_KEY]' },
   // Bearer tokens
   { pattern: /Bearer\s+[\w\-.]+/gi, replacement: 'Bearer [REDACTED]' },
   // API keys (api_key, api-key, apikey, apikeys, etc.)
   { pattern: /api[_-]?keys?[=:\s]+['"]?[\w-]+['"]?/gi, replacement: 'api_key=[REDACTED]' },
-  // Tokens (token, tokens)
-  { pattern: /tokens?[=:\s]+['"]?[\w-]+['"]?/gi, replacement: 'token=[REDACTED]' },
+  // Tokens (token, tokens) - require minimum 8 char value to reduce false positives
+  { pattern: /tokens?[=:\s]+['"]?([A-Za-z0-9_-]{8,})['"]?/gi, replacement: 'token=[REDACTED]' },
   // Passwords
   { pattern: /passwords?[=:\s]+['"]?[^\s'"]+['"]?/gi, replacement: 'password=[REDACTED]' },
   // Generic secrets
   { pattern: /secrets?[=:\s]+['"]?[^\s'"]+['"]?/gi, replacement: 'secret=[REDACTED]' },
-  // Base64-encoded long strings that look like secrets (40+ chars of base64 alphabet)
-  { pattern: /[A-Za-z0-9+/]{40,}={0,2}/g, replacement: '[REDACTED_BASE64]' },
+  // Base64-encoded long strings that look like secrets (40-500 chars to prevent ReDoS)
+  { pattern: /[A-Za-z0-9+/]{40,500}={0,2}/g, replacement: '[REDACTED_BASE64]' },
+  // Private keys (RSA, DSA, EC, OpenSSH, etc.)
+  {
+    pattern: /-----BEGIN[\s\w]+PRIVATE KEY-----[\s\S]*?-----END[\s\w]+PRIVATE KEY-----/g,
+    replacement: '[REDACTED_PRIVATE_KEY]',
+  },
+  // Database connection strings with credentials (postgres, postgresql, mysql, mongodb, redis)
+  // Password portion handles URL-encoded characters like %40 (for @) and %23 (for #)
+  {
+    pattern:
+      /(postgres|postgresql|mysql|mongodb(\+srv)?|rediss?):\/\/[^\s/:]+:(?:[^@\s]|%[0-9A-Fa-f]{2})+@[^\s]+/gi,
+    replacement: '[REDACTED_CONNECTION_STRING]',
+  },
+  // GCP API keys
+  { pattern: /AIza[0-9A-Za-z_-]{35}/g, replacement: '[REDACTED_GCP_KEY]' },
+  // GCP OAuth tokens
+  { pattern: /ya29\.[0-9A-Za-z_-]+/g, replacement: '[REDACTED_GCP_TOKEN]' },
 ];
 
 /**
  * Sanitizes CI output by redacting common secret patterns before sending to the LLM.
  * This helps prevent accidental exposure of sensitive information in prompts.
  */
-function sanitizeOutput(output: string): string {
+export function sanitizeOutput(output: string): string {
   let sanitized = output;
   for (const { pattern, replacement } of SECRET_PATTERNS) {
     sanitized = sanitized.replace(pattern, replacement);
@@ -202,44 +247,61 @@ export async function createQualityGateHooks(input: PluginInput): Promise<Partia
       let ciPassed = false;
       let timedOut = false;
 
-      const ciExecution = async (): Promise<{ passed: boolean; output: string }> => {
-        try {
-          const result = await $`cd ${directory} && bash management/ci.sh`.quiet();
-          const stdout = result.stdout;
-          const output = typeof stdout === 'string' ? stdout : stdout?.toString() || '';
-          return { passed: true, output };
-        } catch (err) {
-          const stdout = (err as { stdout?: unknown }).stdout;
-          const output = typeof stdout === 'string' ? stdout : stdout?.toString() || String(err);
-          return { passed: false, output };
-        }
-      };
-
-      const timeoutPromise = new Promise<{ passed: boolean; output: string; timedOut: true }>(
-        (resolve) => {
-          setTimeout(() => {
-            resolve({
-              passed: false,
-              output: `CI execution timed out after ${CI_TIMEOUT_MS / 1000} seconds`,
-              timedOut: true,
-            });
-          }, CI_TIMEOUT_MS);
-        }
-      );
+      const ciPath = `${directory}/management/ci.sh`;
+      // eslint-disable-next-line no-undef
+      const proc = Bun.spawn(['bash', ciPath], {
+        cwd: directory,
+        stdout: 'pipe',
+        stderr: 'pipe',
+      });
+
+      let timeoutId: ReturnType<typeof setTimeout> | null = null;
+      let forceKillTimeoutId: ReturnType<typeof setTimeout> | null = null;
+      const timeoutPromise = new Promise<void>((resolve) => {
+        timeoutId = setTimeout(() => {
+          timedOut = true;
+          // Graceful termination: SIGTERM first, then SIGKILL after grace period
+          proc.kill('SIGTERM');
+          forceKillTimeoutId = setTimeout(() => {
+            // Force kill if still running after grace period
+            try {
+              proc.kill('SIGKILL');
+            } catch {
+              // Process already terminated
+            }
+          }, 5000);
+          resolve();
+        }, CI_TIMEOUT_MS);
+      });
 
-      const result = await Promise.race([ciExecution(), timeoutPromise]);
+      // Race the process completion against the timeout
+      await Promise.race([proc.exited, timeoutPromise]);
 
-      if ('timedOut' in result && result.timedOut) {
-        timedOut = true;
+      // Clear timeouts if process completed before timeout
+      if (timeoutId) {
+        clearTimeout(timeoutId);
+      }
+      if (forceKillTimeoutId) {
+        clearTimeout(forceKillTimeoutId);
+      }
+
+      const exitCode = proc.exitCode;
+      const stdout = await new Response(proc.stdout).text();
+      const stderr = await new Response(proc.stderr).text();
+
+      if (timedOut) {
         await log(client, 'warn', 'quality-gate.timeout', {
           sessionId,
           timeoutMs: CI_TIMEOUT_MS,
         });
+        ciOutput =
+          `CI execution timed out after ${CI_TIMEOUT_MS / 1000} seconds\n\n${stdout}\n${stderr}`.trim();
+        ciPassed = false;
+      } else {
+        ciOutput = stdout + (stderr ? `\n${stderr}` : '');
+        ciPassed = exitCode === 0;
       }
 
-      ciOutput = result.output;
-      ciPassed = result.passed;
-
       state.lastRunAt = Date.now();
       state.dirty = false;
       state.qualityGatePassed = ciPassed;