@trac3er/oh-my-god 1.0.2

package/hooks/post-tool-failure.py

@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+"""PostToolUseFailure Hook — Logs tool failures for enhanced tracking."""
+import sys
+import os
+
+sys.path.insert(0, os.path.dirname(__file__))
+
+from _common import setup_crash_handler, json_input, get_feature_flag, log_hook_error
+
+setup_crash_handler('post-tool-failure')
+
+data = json_input()
+tool_name = data.get('tool_name', 'unknown')
+error = data.get('error', data.get('message', 'unknown error'))
+
+# Log to hook-errors.jsonl using the shared utility
+log_hook_error('post-tool-failure', error, context={'tool': tool_name})
+
+sys.exit(0)

package/hooks/post-write.py

@@ -0,0 +1,199 @@
+#!/usr/bin/env python3
+"""
+PostToolUse Hook (Write/Edit/MultiEdit): Auto-Format + Secret Scan (Enterprise)
+1. Auto-format written files if opted-in via .omg/state/quality-gate.json (non-blocking)
+2. Scan written content for hardcoded secrets (blocking: exit 2)
+"""
+import json, sys, os, re, subprocess
+import contextlib
+from datetime import datetime, timezone
+from _common import _resolve_project_dir
+from state_migration import resolve_state_file
+
+try:
+    data = json.load(sys.stdin)
+except (json.JSONDecodeError, EOFError):
+    sys.exit(0)
+
+file_path = data.get("tool_input", {}).get("file_path", "")
+if not file_path:
+    sys.exit(0)
+
+# Resolve relative paths against project dir
+project_dir = _resolve_project_dir()
+if not os.path.isabs(file_path):
+    file_path = os.path.join(project_dir, file_path)
+
+if not os.path.exists(file_path):
+    sys.exit(0)
+
+ext = os.path.splitext(file_path)[1].lower()
+
+# ── 1. AUTO-FORMAT (opt-in via quality-gate.json, non-blocking) ──
+# §4.4: Auto-format only runs if the project has opted in via quality-gate.json.
+# This avoids unintended tool execution (supply-chain risk) on projects without
+# explicit formatter configuration.
+format_enabled = False
+qg_path = resolve_state_file(project_dir, "state/quality-gate.json", "quality-gate.json")
+with contextlib.suppress(Exception):  # intentional: cleanup — format stays disabled on config error
+    if os.path.exists(qg_path):
+        with open(qg_path, "r") as f:
+            qg = json.load(f)
+        # "format" key must exist and not be null/empty
+        if qg.get("format"):
+            format_enabled = True
+
+FORMAT_MAP = {
+    ".ts":  ["npx", "--no-install", "prettier", "--write"],
+    ".tsx": ["npx", "--no-install", "prettier", "--write"],
+    ".js":  ["npx", "--no-install", "prettier", "--write"],
+    ".jsx": ["npx", "--no-install", "prettier", "--write"],
+    ".css": ["npx", "--no-install", "prettier", "--write"],
+    ".json": ["npx", "--no-install", "prettier", "--write"],
+    ".py": ["ruff", "format"], ".go": ["gofmt", "-w"], ".rs": ["rustfmt"],
+}
+if format_enabled and ext in FORMAT_MAP:
+    fmt_cmd = FORMAT_MAP[ext]
+    # Validate formatter binary exists before running (supply-chain defense)
+    import shutil
+    if shutil.which(fmt_cmd[0]):
+        try:
+            subprocess.run(fmt_cmd + [file_path], capture_output=True, timeout=15, cwd=project_dir)
+        except (FileNotFoundError, subprocess.TimeoutExpired, OSError):
+            pass
+
+# ── 2. SECRET SCAN (blocking) ──
+# Skip binary files and very large files
+try:
+    file_size = os.path.getsize(file_path)
+    if file_size > 1_000_000:  # 1MB limit
+        sys.exit(0)
+    with open(file_path, "r", encoding="utf-8", errors="ignore") as f:
+        content = f.read()
+except Exception as e:
+    print(f"[OMG] post-write.py: {type(e).__name__}: {e}", file=sys.stderr)
+    sys.exit(0)
+
+# Skip known non-secret file types
+SKIP_EXTENSIONS = {".lock", ".sum", ".svg", ".png", ".jpg", ".gif", ".ico", ".woff", ".woff2", ".ttf"}
+if ext in SKIP_EXTENSIONS:
+    sys.exit(0)
+
+SECRET_PATTERNS = [
+    # AWS
+    (r"AKIA[0-9A-Z]{16}", "AWS Access Key ID"),
+    (r"(?:aws_secret_access_key|AWS_SECRET)\s*[:=]\s*['\"]?[A-Za-z0-9/+=]{40}['\"]?", "AWS Secret Key"),
+    # Private keys
+    (r"-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----", "Private Key"),
+    # Generic API keys/tokens (in assignment context)
+    (r"""(?:api[_-]?key|api[_-]?secret|auth[_-]?token|access[_-]?token|secret[_-]?key)\s*[:=]\s*['"][A-Za-z0-9+/=_\-.]{20,}['"]""", "Hardcoded API Key/Token"),
+    # GitHub
+    (r"gh[ps]_[A-Za-z0-9_]{36,}", "GitHub Token"),
+    (r"github_pat_[A-Za-z0-9_]{22,}", "GitHub Fine-grained PAT"),
+    # Slack
+    (r"xoxb-[0-9]{10,}-[A-Za-z0-9]{20,}", "Slack Bot Token"),
+    (r"xoxp-[0-9]{10,}-[0-9]{10,}-[A-Za-z0-9]{20,}", "Slack User Token"),
+    # Stripe
+    (r"sk_live_[A-Za-z0-9]{20,}", "Stripe Live Secret Key"),
+    (r"rk_live_[A-Za-z0-9]{20,}", "Stripe Restricted Key"),
+    (r"pk_live_[A-Za-z0-9]{20,}", "Stripe Live Publishable Key (should use env)"),
+    # Supabase / Firebase
+    (r"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]{20,}", "Supabase/Firebase Service Key"),
+    # Google
+    (r"AIza[A-Za-z0-9_-]{35}", "Google API Key"),
+    # Twilio
+    (r"SK[A-Za-z0-9]{32}", "Twilio API Key"),
+    # SendGrid
+    (r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}", "SendGrid API Key"),
+    # Passwords in config
+    (r"""(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{8,}['"]""", "Hardcoded Password"),
+    # Generic secret in env-like format
+    (r"""(?:SECRET|TOKEN|PRIVATE_KEY|ENCRYPTION_KEY)\s*=\s*['"]?[A-Za-z0-9+/=_\-.]{16,}['"]?""", "Hardcoded Secret"),
+    # Database connection strings with credentials
+    (r"(?:postgres|mysql|mongodb|redis)://[^:]+:[^@]+@", "Database URL with credentials"),
+    # JWT tokens (3 base64 segments separated by dots)
+    (r"eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}", "JWT Token"),
+    # Hardcoded URLs with credentials
+    (r"https?://[^:]+:[^@]+@", "URL with embedded credentials"),
+    # Webhook URLs (often secret)
+    (r"""(?:webhook[_-]?url|slack[_-]?webhook|discord[_-]?webhook)\s*[:=]\s*['"]https?://""", "Hardcoded Webhook URL"),
+]
+
+# URI / Security anti-patterns (WARNING, not blocking)
+SECURITY_WARNINGS = [
+    (r"cors\s*\(\s*\{[^}]*origin\s*:\s*['\"]?\*['\"]?", "CORS wildcard origin in code — use whitelist in production"),
+    (r"httpOnly\s*:\s*false", "Cookie httpOnly disabled — session cookies should be httpOnly"),
+    (r"secure\s*:\s*false", "Cookie secure flag disabled — use HTTPS in production"),
+    (r"eval\s*\(", "eval() usage — potential code injection risk"),
+    (r"innerHTML\s*=", "innerHTML assignment — potential XSS risk"),
+    (r"dangerouslySetInnerHTML", "dangerouslySetInnerHTML — verify input is sanitized"),
+]
+
+findings = []
+patterns_matched = []
+for i, line in enumerate(content.split("\n"), 1):
+    stripped = line.strip()
+    # Skip lines that are entirely comments (bare "*" removed — too broad)
+    if stripped.startswith(("#", "//", "/*", "* ", "<!--", "%", ";")):
+        continue
+    # Skip test files: check parent DIRECTORY for test dirs, not just filename
+    lowpath = file_path.lower()
+    is_test_file = any(d in lowpath for d in ["/__tests__/", "/test/", "/tests/", "/fixtures/", "/mocks/", "/__mocks__/"])
+    if not is_test_file:
+        basename = os.path.basename(file_path).lower()
+        is_test_file = any(p in basename for p in [".test.", ".spec.", "_test.", "test_"])
+    if is_test_file:
+        continue
+    for pattern, label in SECRET_PATTERNS:
+        if re.search(pattern, line, re.IGNORECASE):
+            findings.append(f"  Line {i}: {label}")
+            if label not in patterns_matched:
+                patterns_matched.append(label)
+            break  # One finding per line is enough
+
+if findings:
+    try:
+        proj_dir = _resolve_project_dir()
+        state_dir = os.path.join(proj_dir, ".omg", "state")
+        os.makedirs(state_dir, exist_ok=True)
+        signal_path = os.path.join(state_dir, "secret-detected.json")
+        signal_payload = {
+            "timestamp": datetime.now(timezone.utc).isoformat(),
+            "file": file_path,
+            "patterns_matched": patterns_matched,
+            "action": "blocked",
+        }
+        with open(signal_path, "w", encoding="utf-8") as f:
+            json.dump(signal_payload, f)
+    except Exception as e:
+        print(f"[OMG] post-write.py: {type(e).__name__}: {e}", file=sys.stderr)
+    print(
+        f"⚠ SECRET DETECTED in {file_path}. Signal written to .omg/state/secret-detected.json",
+        file=sys.stderr,
+    )
+    msg = f"SECRET DETECTED in {file_path}:\n" + "\n".join(findings[:10])
+    if len(findings) > 10:
+        msg += f"\n  ... and {len(findings) - 10} more"
+    msg += "\n\nRemove hardcoded secrets. Use environment variables or a secret manager."
+    print(msg, file=sys.stderr)
+    # NOTE: exit(0), not exit(2). Non-zero exits crash sibling hooks
+    # ("Sibling tool call errored"). The warning in stderr is still visible.
+    sys.exit(0)
+
+# ── 3. SECURITY WARNING SCAN (non-blocking, advisory) ──
+sec_warnings = []
+for i, line in enumerate(content.split("\n"), 1):
+    stripped = line.strip()
+    if stripped.startswith(("#", "//", "/*", "*", "<!--")):
+        continue
+    for pattern, label in SECURITY_WARNINGS:
+        if re.search(pattern, line, re.IGNORECASE):
+            sec_warnings.append(f"  Line {i}: ⚠ {label}")
+            break
+
+if sec_warnings:
+    msg = f"SECURITY WARNINGS in {file_path}:\n" + "\n".join(sec_warnings[:5])
+    msg += "\n\nConsider running /OMG:security-review for a full audit."
+    print(msg, file=sys.stderr)
+
+sys.exit(0)

package/hooks/pre-compact.py

@@ -0,0 +1,204 @@
+#!/usr/bin/env python3
+"""PreCompact Hook — OMG Standalone state preservation.
+
+1) Snapshot key files from .omg/state (fallback .omc via migration)
+2) Auto-generate handoff files in .omg/state
+"""
+import json
+import importlib
+import os
+import shutil
+import subprocess
+import sys
+from datetime import datetime
+
+try:
+    from hooks.state_migration import resolve_state_file, resolve_state_dir
+    from hooks._common import _resolve_project_dir
+except ImportError:
+    _state_migration = importlib.import_module("state_migration")
+    _common = importlib.import_module("_common")
+    resolve_state_file = _state_migration.resolve_state_file
+    resolve_state_dir = _state_migration.resolve_state_dir
+    _resolve_project_dir = _common._resolve_project_dir
+
+
+MAX_SNAPSHOT_BYTES = int(os.environ.get("OMG_PRECOMPACT_MAX_SNAPSHOT_BYTES", "262144"))
+GIT_DIFF_TIMEOUT_SEC = int(os.environ.get("OMG_PRECOMPACT_GIT_DIFF_TIMEOUT_SEC", "1"))
+
+
+try:
+    data = json.load(sys.stdin)
+except (json.JSONDecodeError, EOFError):
+    sys.exit(0)
+
+project_dir = _resolve_project_dir()
+ts = datetime.now().strftime("%Y%m%d_%H%M%S")
+state_dir = resolve_state_dir(project_dir, "state", "")
+snapshot_dir = os.path.join(state_dir, "snapshots", ts)
+
+
+def read_file(path, max_lines=None):
+    try:
+        if not os.path.exists(path):
+            return None
+        with open(path, "r", encoding="utf-8", errors="ignore") as f:
+            content = f.read().strip()
+        if not content:
+            return None
+        if max_lines:
+            return "\n".join(content.split("\n")[:max_lines])
+        return content
+    except Exception:
+        return None
+
+
+def read_cache(paths):
+    cache = {}
+    for path in paths:
+        cache[path] = read_file(path)
+    return cache
+
+
+def first_lines(text, max_lines):
+    if not text:
+        return None
+    if not max_lines:
+        return text
+    return "\n".join(text.splitlines()[:max_lines])
+
+
+def snapshot_file(src_path, dst_path, max_bytes):
+    os.makedirs(os.path.dirname(dst_path), exist_ok=True)
+    try:
+        size = os.path.getsize(src_path)
+    except OSError:
+        return False
+
+    if max_bytes <= 0 or size <= max_bytes:
+        shutil.copy2(src_path, dst_path)
+        return True
+
+    with open(src_path, "rb") as src_f:
+        data = src_f.read(max_bytes)
+    note = (
+        f"\n\n[TRUNCATED by pre-compact: original_bytes={size}, kept_bytes={len(data)}]"
+    ).encode("utf-8")
+    with open(dst_path, "wb") as dst_f:
+        dst_f.write(data)
+        dst_f.write(note)
+    return True
+
+
+snapshot_files = [
+    resolve_state_file(project_dir, "state/profile.yaml", "profile.yaml"),
+    resolve_state_file(project_dir, "state/working-memory.md", "working-memory.md"),
+    resolve_state_file(project_dir, "state/_plan.md", "_plan.md"),
+    resolve_state_file(project_dir, "state/_checklist.md", "_checklist.md"),
+    resolve_state_file(project_dir, "state/quality-gate.json", "quality-gate.json"),
+    resolve_state_file(project_dir, "state/ledger/tool-ledger.jsonl", "ledger/tool-ledger.jsonl"),
+    resolve_state_file(project_dir, "state/ledger/failure-tracker.json", "ledger/failure-tracker.json"),
+    resolve_state_file(project_dir, "state/ralph-loop.json", "ralph-loop.json"),
+]
+cached = read_cache(snapshot_files)
+saved = []
+for src in snapshot_files:
+    if cached.get(src) is not None:
+        dst = os.path.join(snapshot_dir, os.path.basename(src))
+        if snapshot_file(src, dst, MAX_SNAPSHOT_BYTES):
+            saved.append(os.path.basename(src))
+
+profile = first_lines(cached.get(resolve_state_file(project_dir, "state/profile.yaml", "profile.yaml")), 20)
+wm = first_lines(cached.get(resolve_state_file(project_dir, "state/working-memory.md", "working-memory.md")), 15)
+plan = first_lines(cached.get(resolve_state_file(project_dir, "state/_plan.md", "_plan.md")), 10)
+checklist = first_lines(cached.get(resolve_state_file(project_dir, "state/_checklist.md", "_checklist.md")), 50)
+tracker = cached.get(resolve_state_file(project_dir, "state/ledger/failure-tracker.json", "ledger/failure-tracker.json"))
+ralph_loop = cached.get(resolve_state_file(project_dir, "state/ralph-loop.json", "ralph-loop.json"))
+
+parts = [
+    f"# Handoff -- {datetime.now().strftime('%Y-%m-%d %H:%M')}",
+    "Auto-generated before context compaction.",
+]
+if profile:
+    parts.append("<!-- section: working-state -->")
+    parts.append("## Project\n" + profile)
+if wm:
+    parts.append("## Working State\n" + wm)
+if plan:
+    parts.append("## Plan\n" + plan)
+if checklist:
+    lines = checklist.split("\n")
+    done = sum(1 for l in lines if "[x]" in l.lower())
+    total = sum(1 for l in lines if l.strip().startswith(("[", "- [")))
+    pending = [l.strip() for l in lines if "[ ]" in l][:3]
+    parts.append("<!-- section: progress -->")
+    parts.append(f"## Progress: {done}/{total}")
+    if pending:
+        parts.append("Next:\n" + "\n".join(pending))
+if tracker:
+    try:
+        t = json.loads(tracker)
+        active = {k: v for k, v in t.items() if isinstance(v, dict) and v.get("count", 0) >= 2}
+        if active:
+            warns = [f"- {k}: {v['count']}x" for k, v in list(active.items())[:5]]
+            parts.append("## Failed Approaches\n" + "\n".join(warns))
+    except Exception:
+        pass
+if ralph_loop:
+    try:
+        rl = json.loads(ralph_loop)
+        if rl.get("active"):
+            rl_iter = rl.get("iteration", 0)
+            rl_max = rl.get("max_iterations", 50)
+            rl_goal = rl.get("original_prompt", "")[:80]
+            parts.append(f"## Ralph Loop\nIteration: {rl_iter}/{rl_max} | Goal: {rl_goal}")
+    except Exception:
+        pass
+
+try:
+    diff_names = subprocess.run(
+        ["git", "diff", "--name-only"],
+        capture_output=True,
+        text=True,
+        timeout=GIT_DIFF_TIMEOUT_SEC,
+        cwd=project_dir,
+    )
+    changed = [l for l in diff_names.stdout.strip().split("\n") if l]
+    if changed:
+        parts.append("## Uncommitted\n" + "\n".join(f"- {x}" for x in changed[:5]))
+except Exception:
+    pass
+
+parts.append("## Resume Instructions")
+parts.append("Read .omg/state/profile.yaml + this file.")
+parts.append("\n---\n*Auto-generated before context compaction.*")
+handoff = "\n\n".join(parts)
+handoff_lines = handoff.split("\n")
+if len(handoff_lines) > 120:
+    handoff = "\n".join(handoff_lines[:120]) + "\n\n(truncated)"
+
+os.makedirs(state_dir, exist_ok=True)
+with open(os.path.join(state_dir, "handoff.md"), "w", encoding="utf-8") as f:
+    f.write(handoff)
+
+portable = handoff + "\n\nSelf-contained handoff for other platforms."
+portable_lines = portable.split("\n")
+if len(portable_lines) > 150:
+    portable = "\n".join(portable_lines[:150]) + "\n\n(truncated)"
+with open(os.path.join(state_dir, "handoff-portable.md"), "w", encoding="utf-8") as f:
+    f.write(portable)
+
+# Keep latest 5 snapshots
+snapshots_parent = os.path.join(state_dir, "snapshots")
+try:
+    if os.path.isdir(snapshots_parent):
+        entries = sorted(
+            [d for d in os.listdir(snapshots_parent) if os.path.isdir(os.path.join(snapshots_parent, d))]
+        )
+        for old in entries[:-5]:
+            shutil.rmtree(os.path.join(snapshots_parent, old), ignore_errors=True)
+except Exception:
+    pass
+
+print(f"[OMG pre-compact] Snapshotted {len(saved)} files -> {snapshot_dir}", file=sys.stderr)
+sys.exit(0)

package/hooks/pre-tool-inject.py

@@ -0,0 +1,98 @@
+#!/usr/bin/env python3
+"""PreToolUse Hook — Injects plan reminder before each tool call.
+
+Inspired by planning-with-files: forces re-read of plan on every tool call.
+OMG version: lighter — checklist-aware, tool-filtered, max 200 chars.
+Only injects for mutation tools (Write/Edit/Bash), not read-only tools.
+"""
+import json
+import os
+import re
+import sys
+
+HOOKS_DIR = os.path.dirname(__file__)
+if HOOKS_DIR not in sys.path:
+    sys.path.insert(0, HOOKS_DIR)
+
+from _common import setup_crash_handler, json_input, get_feature_flag, _resolve_project_dir
+from state_migration import resolve_state_file
+
+setup_crash_handler("pre-tool-inject")
+
+MAX_INJECTION = 200  # Total injection budget (chars)
+
+# Read-only tools that don't need plan reminders
+READ_ONLY_TOOLS = {
+    'Read', 'Glob', 'Grep', 'LS', 'NotebookRead', 'WebFetch', 'WebSearch',
+    'TodoRead', 'mcp__filesystem__read_file', 'mcp__filesystem__list_directory',
+}
+
+
+def should_inject(tool_name):
+    """Return True if this tool call should get a plan reminder."""
+    if not tool_name:
+        return True  # unknown tool → inject (safe default)
+    return tool_name not in READ_ONLY_TOOLS
+
+
+def get_checklist_progress(checklist_path):
+    """Return (done, total, first_pending) from checklist file."""
+    if not os.path.exists(checklist_path):
+        return None, None, None
+    try:
+        with open(checklist_path, "r", encoding="utf-8", errors="ignore") as f:
+            lines = f.readlines()
+        total = sum(1 for l in lines if re.search(r'^\s*-\s*\[[ x!]\]', l))
+        done = sum(1 for l in lines if re.search(r'^\s*-\s*\[x\]', l, re.IGNORECASE))
+        # Find first pending item text
+        first_pending = None
+        for l in lines:
+            if re.search(r'^\s*-\s*\[ \]', l):
+                first_pending = re.sub(r'^\s*-\s*\[ \]\s*', '', l).strip()[:50]
+                break
+        return done, total, first_pending
+    except OSError:
+        return None, None, None
+
+
+data = json_input()
+
+if not get_feature_flag("planning_enforcement"):
+    sys.exit(0)
+
+# Tool filtering: skip injection for read-only tools
+tool_name = data.get("tool_name") if isinstance(data, dict) else None
+if not should_inject(tool_name):
+    sys.exit(0)
+
+project_dir = _resolve_project_dir()
+
+# Try to find _plan.md
+plan_path = resolve_state_file(project_dir, "state/_plan.md", "_plan.md")
+
+if not os.path.exists(plan_path):
+    sys.exit(0)
+
+try:
+    # Check for checklist progress
+    checklist_path = resolve_state_file(project_dir, "state/_checklist.md", "_checklist.md")
+    done, total, first_pending = get_checklist_progress(checklist_path)
+
+    if total is not None and total > 0:
+        # Checklist-aware format
+        reminder = f"{done}/{total} done"
+        if first_pending:
+            reminder += f" | Next: {first_pending}"
+        injection = f"@plan-reminder: {reminder}"[:MAX_INJECTION]
+    else:
+        # Fallback: first 15 lines of plan
+        with open(plan_path, "r", encoding="utf-8", errors="ignore") as f:
+            lines = f.readlines()[:15]
+        head = "".join(lines)[:MAX_INJECTION]
+        injection = f"@plan-reminder: {head}"[:MAX_INJECTION]
+
+    json.dump({"contextInjection": injection}, sys.stdout)
+except Exception:
+    pass  # Graceful degradation
+
+sys.exit(0)