@tekyzinc/gsd-t 2.23.0 → 2.24.6

package/scripts/gsd-t-heartbeat.js

@@ -1,201 +1,180 @@
-#!/usr/bin/env node
-
-/**
- * GSD-T Heartbeat — Claude Code Hook Event Writer
- *
- * Writes structured events to .gsd-t/heartbeat-{session_id}.jsonl
- * Installed as an async hook for multiple Claude Code events.
- *
- * Events captured:
- *   SessionStart, PostToolUse, SubagentStart, SubagentStop,
- *   TaskCompleted, TeammateIdle, Notification, Stop, SessionEnd
- */
-
-const fs = require("fs");
-const path = require("path");
-
-const MAX_STDIN = 1024 * 1024; // 1MB — prevent OOM from unbounded input
-const SAFE_SID = /^[a-zA-Z0-9_-]+$/; // Allowlist for session_id — blocks path traversal
-const MAX_AGE_MS = 7 * 24 * 60 * 60 * 1000; // 7 days — auto-cleanup threshold
-
-let input = "";
-let aborted = false;
-process.stdin.setEncoding("utf8");
-process.stdin.on("data", (d) => {
-  input += d;
-  if (input.length > MAX_STDIN) {
-    aborted = true;
-    process.stdin.destroy();
-  }
-});
-process.stdin.on("end", () => {
-  if (aborted) return; // Silently discard oversized input
-  try {
-    const hook = JSON.parse(input);
-    const dir = hook.cwd || process.cwd();
-
-    // Validate cwd is absolute path
-    if (!path.isAbsolute(dir)) return;
-
-    const gsdtDir = path.join(dir, ".gsd-t");
-    if (!fs.existsSync(gsdtDir)) return;
-
-    const sid = hook.session_id || "unknown";
-
-    // Validate session_id — block path traversal (e.g., "../../etc/evil")
-    if (!SAFE_SID.test(sid)) return;
-
-    const file = path.join(gsdtDir, `heartbeat-${sid}.jsonl`);
-
-    // Verify resolved path is still within .gsd-t/ directory
-    const resolvedFile = path.resolve(file);
-    const resolvedDir = path.resolve(gsdtDir);
-    if (!resolvedFile.startsWith(resolvedDir + path.sep)) return;
-
-    const event = buildEvent(hook);
-    if (event) {
-      cleanupOldHeartbeats(gsdtDir);
-      // Symlink check — prevent redirection of event data to arbitrary files
-      try { if (fs.lstatSync(file).isSymbolicLink()) return; } catch { /* file doesn't exist yet — safe */ }
-      fs.appendFileSync(file, JSON.stringify(event) + "\n");
-    }
-  } catch (e) {
-    // Silent failure — never interfere with Claude Code
-  }
-});
-
-function cleanupOldHeartbeats(gsdtDir) {
-  try {
-    const files = fs.readdirSync(gsdtDir);
-    const now = Date.now();
-    for (const f of files) {
-      if (!f.startsWith("heartbeat-") || !f.endsWith(".jsonl")) continue;
-      const fp = path.join(gsdtDir, f);
-      const stat = fs.lstatSync(fp);
-      if (stat.isSymbolicLink()) continue; // Don't follow symlinks
-      if (now - stat.mtimeMs > MAX_AGE_MS) {
-        fs.unlinkSync(fp);
-      }
-    }
-  } catch {
-    // Silent failure — never interfere with Claude Code
-  }
-}
-
-function buildEvent(hook) {
-  const base = {
-    ts: new Date().toISOString(),
-    sid: hook.session_id,
-  };
-
-  switch (hook.hook_event_name) {
-    case "SessionStart":
-      return {
-        ...base,
-        evt: "session_start",
-        data: { source: hook.source, model: hook.model },
-      };
-
-    case "PostToolUse":
-      return {
-        ...base,
-        evt: "tool",
-        tool: hook.tool_name,
-        data: summarize(hook.tool_name, hook.tool_input),
-      };
-
-    case "SubagentStart":
-      return {
-        ...base,
-        evt: "agent_spawn",
-        data: { agent_id: hook.agent_id, agent_type: hook.agent_type },
-      };
-
-    case "SubagentStop":
-      return {
-        ...base,
-        evt: "agent_stop",
-        data: { agent_id: hook.agent_id, agent_type: hook.agent_type },
-      };
-
-    case "TaskCompleted":
-      return {
-        ...base,
-        evt: "task_done",
-        data: { task: hook.task_subject, agent: hook.teammate_name },
-      };
-
-    case "TeammateIdle":
-      return {
-        ...base,
-        evt: "agent_idle",
-        data: { agent: hook.teammate_name, team: hook.team_name },
-      };
-
-    case "Notification":
-      return {
-        ...base,
-        evt: "notification",
-        data: { message: hook.message, title: hook.title },
-      };
-
-    case "Stop":
-      return { ...base, evt: "session_stop" };
-
-    case "SessionEnd":
-      return {
-        ...base,
-        evt: "session_end",
-        data: { reason: hook.reason },
-      };
-
-    default:
-      return null;
-  }
-}
-
-function summarize(tool, input) {
-  if (!tool || !input) return {};
-  switch (tool) {
-    case "Read":
-      return { file: shortPath(input.file_path) };
-    case "Edit":
-      return { file: shortPath(input.file_path) };
-    case "Write":
-      return { file: shortPath(input.file_path) };
-    case "Bash":
-      return {
-        cmd: (input.command || "").slice(0, 150),
-        desc: input.description,
-      };
-    case "Grep":
-      return { pattern: input.pattern, path: shortPath(input.path) };
-    case "Glob":
-      return { pattern: input.pattern };
-    case "Task":
-      return { desc: input.description, type: input.subagent_type };
-    case "WebSearch":
-      return { query: input.query };
-    case "WebFetch":
-      return { url: input.url };
-    case "NotebookEdit":
-      return { file: shortPath(input.notebook_path) };
-    default:
-      return {};
-  }
-}
-
-function shortPath(p) {
-  if (!p) return null;
-  // Convert absolute paths to relative for readability
-  const cwd = process.cwd();
-  if (p.startsWith(cwd)) {
-    return p.slice(cwd.length + 1).replace(/\\/g, "/");
-  }
-  // For home-dir paths, abbreviate
-  const home = require("os").homedir();
-  if (p.startsWith(home)) {
-    return "~" + p.slice(home.length).replace(/\\/g, "/");
-  }
-  return p.replace(/\\/g, "/");
-}
+#!/usr/bin/env node
+
+/**
+ * GSD-T Heartbeat — Claude Code Hook Event Writer
+ *
+ * Writes structured events to .gsd-t/heartbeat-{session_id}.jsonl
+ * Installed as an async hook for multiple Claude Code events.
+ *
+ * Events captured:
+ *   SessionStart, PostToolUse, SubagentStart, SubagentStop,
+ *   TaskCompleted, TeammateIdle, Notification, Stop, SessionEnd
+ */
+
+const fs = require("fs");
+const path = require("path");
+
+const MAX_STDIN = 1024 * 1024; // 1MB — prevent OOM from unbounded input
+const SAFE_SID = /^[a-zA-Z0-9_-]+$/; // Allowlist for session_id — blocks path traversal
+const MAX_AGE_MS = 7 * 24 * 60 * 60 * 1000; // 7 days — auto-cleanup threshold
+
+// ─── Exports (for testing) ───────────────────────────────────────────────────
+module.exports = { scrubSecrets, scrubUrl, buildEvent, summarize, shortPath };
+
+// ─── Main (stdin processing) ─────────────────────────────────────────────────
+if (require.main === module) {
+
+let input = "";
+let aborted = false;
+process.stdin.setEncoding("utf8");
+process.stdin.on("data", (d) => {
+  input += d;
+  if (input.length > MAX_STDIN) {
+    aborted = true;
+    process.stdin.destroy();
+  }
+});
+process.stdin.on("end", () => {
+  if (aborted) return; // Silently discard oversized input
+  try {
+    const hook = JSON.parse(input);
+    const dir = hook.cwd || process.cwd();
+
+    // Validate cwd is absolute path
+    if (!path.isAbsolute(dir)) return;
+
+    const gsdtDir = path.join(dir, ".gsd-t");
+    if (!fs.existsSync(gsdtDir)) return;
+
+    const sid = hook.session_id || "unknown";
+
+    // Validate session_id — block path traversal (e.g., "../../etc/evil")
+    if (!SAFE_SID.test(sid)) return;
+
+    const file = path.join(gsdtDir, `heartbeat-${sid}.jsonl`);
+
+    // Verify resolved path is still within .gsd-t/ directory
+    const resolvedFile = path.resolve(file);
+    const resolvedDir = path.resolve(gsdtDir);
+    if (!resolvedFile.startsWith(resolvedDir + path.sep)) return;
+
+    const event = buildEvent(hook);
+    if (event) {
+      if (hook.hook_event_name === "SessionStart") cleanupOldHeartbeats(gsdtDir);
+      // Symlink check — prevent redirection of event data to arbitrary files
+      try { if (fs.lstatSync(file).isSymbolicLink()) return; } catch { /* file doesn't exist yet — safe */ }
+      fs.appendFileSync(file, JSON.stringify(event) + "\n");
+    }
+  } catch (e) {
+    // Silent failure — never interfere with Claude Code
+  }
+});
+
+} // end require.main
+
+function cleanupOldHeartbeats(gsdtDir) {
+  try {
+    const files = fs.readdirSync(gsdtDir);
+    const now = Date.now();
+    for (const f of files) {
+      if (!f.startsWith("heartbeat-") || !f.endsWith(".jsonl")) continue;
+      const fp = path.join(gsdtDir, f);
+      const stat = fs.lstatSync(fp);
+      if (stat.isSymbolicLink()) continue; // Don't follow symlinks
+      if (now - stat.mtimeMs > MAX_AGE_MS) {
+        fs.unlinkSync(fp);
+      }
+    }
+  } catch {
+    // Silent failure — never interfere with Claude Code
+  }
+}
+
+const EVENT_HANDLERS = {
+  SessionStart: (h) => ({ evt: "session_start", data: { source: h.source, model: h.model } }),
+  PostToolUse: (h) => ({ evt: "tool", tool: h.tool_name, data: summarize(h.tool_name, h.tool_input) }),
+  SubagentStart: (h) => ({ evt: "agent_spawn", data: { agent_id: h.agent_id, agent_type: h.agent_type } }),
+  SubagentStop: (h) => ({ evt: "agent_stop", data: { agent_id: h.agent_id, agent_type: h.agent_type } }),
+  TaskCompleted: (h) => ({ evt: "task_done", data: { task: h.task_subject, agent: h.teammate_name } }),
+  TeammateIdle: (h) => ({ evt: "agent_idle", data: { agent: h.teammate_name, team: h.team_name } }),
+  Notification: (h) => ({ evt: "notification", data: { message: scrubSecrets(h.message), title: scrubSecrets(h.title) } }),
+  Stop: () => ({ evt: "session_stop" }),
+  SessionEnd: (h) => ({ evt: "session_end", data: { reason: h.reason } }),
+};
+
+function buildEvent(hook) {
+  const handler = EVENT_HANDLERS[hook.hook_event_name];
+  if (!handler) return null;
+  return { ts: new Date().toISOString(), sid: hook.session_id, ...handler(hook) };
+}
+
+// Patterns that indicate sensitive values in CLI commands
+const SECRET_FLAGS = /(--(password|token|secret|api[-_]?key|auth|credential|private[-_]?key)[\s=])\S+/gi;
+const SECRET_SHORT = /(\s-p\s)\S+/gi;
+const SECRET_ENV = /((API_KEY|SECRET|TOKEN|PASSWORD|BEARER|AUTH_TOKEN|PRIVATE_KEY|ACCESS_KEY|SECRET_KEY)=)\S+/gi;
+const BEARER_HEADER = /(bearer\s+)\S+/gi;
+
+function scrubSecrets(cmd) {
+  if (!cmd) return cmd;
+  return cmd
+    .replace(SECRET_FLAGS, "$1***")
+    .replace(SECRET_SHORT, "$1***")
+    .replace(SECRET_ENV, "$1***")
+    .replace(BEARER_HEADER, "$1***");
+}
+
+function scrubUrl(url) {
+  if (!url) return url;
+  try {
+    const u = new URL(url);
+    if (!u.search) return url;
+    for (const key of u.searchParams.keys()) {
+      u.searchParams.set(key, "***");
+    }
+    return u.toString();
+  } catch { return url; }
+}
+
+function summarize(tool, input) {
+  if (!tool || !input) return {};
+  switch (tool) {
+    case "Read":
+    case "Edit":
+    case "Write":
+      return { file: shortPath(input.file_path) };
+    case "Bash":
+      return {
+        cmd: scrubSecrets((input.command || "").slice(0, 150)),
+        desc: input.description,
+      };
+    case "Grep":
+      return { pattern: input.pattern, path: shortPath(input.path) };
+    case "Glob":
+      return { pattern: input.pattern };
+    case "Task":
+      return { desc: input.description, type: input.subagent_type };
+    case "WebSearch":
+      return { query: input.query };
+    case "WebFetch":
+      return { url: scrubUrl(input.url) };
+    case "NotebookEdit":
+      return { file: shortPath(input.notebook_path) };
+    default:
+      return {};
+  }
+}
+
+function shortPath(p) {
+  if (!p) return null;
+  // Convert absolute paths to relative for readability
+  const cwd = process.cwd();
+  if (p.startsWith(cwd)) {
+    return p.slice(cwd.length + 1).replace(/\\/g, "/");
+  }
+  // For home-dir paths, abbreviate
+  const home = require("os").homedir();
+  if (p.startsWith(home)) {
+    return "~" + p.slice(home.length).replace(/\\/g, "/");
+  }
+  return p.replace(/\\/g, "/");
+}

package/scripts/gsd-t-update-check.js

@@ -0,0 +1,79 @@
+#!/usr/bin/env node
+/**
+ * GSD-T SessionStart hook — shows version banner, auto-updates if needed.
+ * Always outputs a version line. Auto-installs new versions when available.
+ */
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+
+const CLAUDE_DIR = path.join(os.homedir(), ".claude");
+const VERSION_FILE = path.join(CLAUDE_DIR, ".gsd-t-version");
+const CACHE_FILE = path.join(CLAUDE_DIR, ".gsd-t-update-check");
+const CHANGELOG = "https://github.com/Tekyz-Inc/get-stuff-done-teams/blob/main/CHANGELOG.md";
+
+function isNewer(a, b) {
+  const ap = a.split(".").map(Number);
+  const bp = b.split(".").map(Number);
+  for (let i = 0; i < 3; i++) {
+    if ((ap[i] || 0) > (bp[i] || 0)) return true;
+    if ((ap[i] || 0) < (bp[i] || 0)) return false;
+  }
+  return false;
+}
+
+try {
+  // Read installed version
+  if (!fs.existsSync(VERSION_FILE)) process.exit(0);
+  const installed = fs.readFileSync(VERSION_FILE, "utf8").trim();
+  if (!installed) process.exit(0);
+
+  // Read or create cache
+  let cached = null;
+  try {
+    if (fs.existsSync(CACHE_FILE)) {
+      cached = JSON.parse(fs.readFileSync(CACHE_FILE, "utf8"));
+    }
+  } catch { /* ignore */ }
+
+  // Refresh cache if stale (>1h) or missing
+  const isStale = !cached || (Date.now() - cached.timestamp) > 3600000;
+  if (isStale) {
+    const { execSync } = require("child_process");
+    try {
+      const result = execSync(
+        `"${process.execPath}" -e "const h=require('https');h.get('https://registry.npmjs.org/@tekyzinc/gsd-t/latest',{timeout:5000},(r)=>{let d='';r.on('data',(c)=>d+=c);r.on('end',()=>{try{process.stdout.write(JSON.parse(d).version)}catch{}})}).on('error',()=>{})"`,
+        { timeout: 8000, encoding: "utf8" }
+      ).trim();
+      if (result) {
+        cached = { latest: result, timestamp: Date.now() };
+        fs.writeFileSync(CACHE_FILE, JSON.stringify(cached));
+      }
+    } catch { /* network error — skip */ }
+  }
+
+  // Auto-update if newer version available
+  if (cached && cached.latest && isNewer(cached.latest, installed)) {
+    const latest = cached.latest;
+    const { execSync } = require("child_process");
+    try {
+      // Install new version globally, then run update-all
+      execSync(`npm install -g @tekyzinc/gsd-t@${latest}`, {
+        timeout: 60000, encoding: "utf8", stdio: "pipe"
+      });
+      execSync("gsd-t update-all", {
+        timeout: 60000, encoding: "utf8", stdio: "pipe"
+      });
+      // Re-read version after update
+      const updated = fs.existsSync(VERSION_FILE)
+        ? fs.readFileSync(VERSION_FILE, "utf8").trim()
+        : latest;
+      console.log(`[GSD-T AUTO-UPDATE] v${installed} → v${updated}. Changelog: ${CHANGELOG}`);
+    } catch {
+      // Auto-update failed — fall back to manual notice
+      console.log(`[GSD-T UPDATE] v${installed} — update available (v${installed} → v${latest}). Auto-update failed — run manually: /user:gsd-t-version-update-all. Changelog: ${CHANGELOG}`);
+    }
+  } else {
+    console.log(`[GSD-T] v${installed} — up to date. Changelog: ${CHANGELOG}`);
+  }
+} catch { /* graceful failure — don't block session start */ }

package/scripts/npm-update-check.js

@@ -1,27 +1,42 @@
-#!/usr/bin/env node
-
-/**
- * Background update check — spawned detached by the CLI to refresh the version cache.
- * Usage: node npm-update-check.js <cache-file-path>
- */
-
-const https = require("https");
-const fs = require("fs");
-
-const cacheFile = process.argv[2];
-if (!cacheFile) process.exit(1);
-
-https.get("https://registry.npmjs.org/@tekyzinc/gsd-t/latest",
-  { timeout: 5000 }, (res) => {
-  let d = "";
-  res.on("data", (c) => d += c);
-  res.on("end", () => {
-    try {
-      const v = JSON.parse(d).version;
-      if (v && /^\d+\.\d+\.\d+(-[a-zA-Z0-9.]+)?$/.test(v)) {
-        fs.writeFileSync(cacheFile,
-          JSON.stringify({ latest: v, timestamp: Date.now() }));
-      }
-    } catch { /* malformed response — skip */ }
-  });
-}).on("error", () => {});
+#!/usr/bin/env node
+
+/**
+ * Background update check — spawned detached by the CLI to refresh the version cache.
+ * Usage: node npm-update-check.js <cache-file-path>
+ */
+
+const https = require("https");
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+
+const cacheFile = process.argv[2];
+if (!cacheFile) process.exit(1);
+
+// Validate cache path is within ~/.claude/ to prevent arbitrary file writes
+const resolved = path.resolve(cacheFile);
+const claudeDir = path.join(os.homedir(), ".claude");
+if (!resolved.startsWith(claudeDir + path.sep) && resolved !== claudeDir) {
+  process.exit(1);
+}
+
+https.get("https://registry.npmjs.org/@tekyzinc/gsd-t/latest",
+  { timeout: 5000 }, (res) => {
+  const MAX_RESPONSE = 1024 * 1024; // 1MB limit
+  let d = "";
+  res.on("data", (c) => {
+    d += c;
+    if (d.length > MAX_RESPONSE) { res.destroy(); return; }
+  });
+  res.on("end", () => {
+    try {
+      const v = JSON.parse(d).version;
+      if (v && /^\d+\.\d+\.\d+(-[a-zA-Z0-9.]+)?$/.test(v)) {
+        // Symlink check — prevent redirection to arbitrary files
+        try { if (fs.lstatSync(cacheFile).isSymbolicLink()) return; } catch { /* doesn't exist yet — safe */ }
+        fs.writeFileSync(cacheFile,
+          JSON.stringify({ latest: v, timestamp: Date.now() }));
+      }
+    } catch { /* malformed response — skip */ }
+  });
+}).on("error", () => {});

package/templates/CLAUDE-global.md

@@ -159,11 +159,17 @@ Even in development, the user may have:
 
 ## Update Notices
 
-On session start, a version check hook outputs one of two messages. Show the result to the user at the **beginning** of your first response:
+On session start, a version check hook auto-updates GSD-T and outputs a status message. Show the result to the user at the **beginning** of your first response:
 
-- If `[GSD-T UPDATE]` appears → update is available. Show:
+- If `[GSD-T AUTO-UPDATE]` appears → GSD-T was just auto-updated. Show:
   ```
-  ⬆️  GSD-T update available: {installed} → {latest}
+  ✅ GSD-T auto-updated: v{old} → v{new}
+     Changelog: https://github.com/Tekyz-Inc/get-stuff-done-teams/blob/main/CHANGELOG.md
+  ```
+
+- If `[GSD-T UPDATE]` appears → update available but auto-update failed. Show:
+  ```
+  ⬆️  GSD-T update available: v{installed} → v{latest} (auto-update failed)
      Run: /user:gsd-t-version-update-all
      Changelog: https://github.com/Tekyz-Inc/get-stuff-done-teams/blob/main/CHANGELOG.md
   ```
@@ -172,6 +178,7 @@ On session start, a version check hook outputs one of two messages. Show the res
 - If `[GSD-T]` appears → up to date. Show:
   ```
   GSD-T v{version} — up to date
+  Changelog: https://github.com/Tekyz-Inc/get-stuff-done-teams/blob/main/CHANGELOG.md
   ```
 
 ## Conversation vs. Work