@trac3er/oh-my-god 1.0.2

package/hooks/test-validator.py

@@ -0,0 +1,138 @@
+#!/usr/bin/env python3
+"""
+Stop Hook: Test Validator (v4) — User-Journey Focused
+Catches not just fake tests, but MEANINGLESS tests.
+
+v4 additions:
+  - Detects "boilerplate-only" test files (only testing existence/types)
+  - Checks if tests align with user stories / working-memory goals
+  - Warns when tests only cover happy path
+
+Callable API:
+  check_test_quality(data, project_dir) -> list[str]
+    Returns list of block reasons (empty = pass).
+"""
+import json, sys, os, re
+
+HOOKS_DIR = os.path.dirname(__file__)
+if HOOKS_DIR not in sys.path:
+    sys.path.insert(0, HOOKS_DIR)
+
+from _common import _resolve_project_dir, should_skip_stop_hooks
+
+
+def check_test_quality(data, project_dir):
+    """Core test-quality validation. Returns list of block-reason strings."""
+    import subprocess
+
+    # Find recently modified test files
+    test_files = []
+    try:
+        result = subprocess.run(
+            ["git", "diff", "--name-only", "--diff-filter=AM"],
+            capture_output=True, text=True, timeout=10, cwd=project_dir
+        )
+        for f in result.stdout.strip().split("\n"):
+            if f and any(p in f.lower() for p in
+                         [".test.", ".spec.", "_test.", "test_", "__tests__", ".tests."]):
+                full = os.path.join(project_dir, f)
+                if os.path.exists(full):
+                    test_files.append(full)
+    except Exception:
+        pass
+
+    if not test_files:
+        return []
+
+    warnings = []
+
+    for tf in test_files:
+        try:
+            with open(tf, "r", encoding="utf-8", errors="ignore") as f:
+                content = f.read()
+        except Exception:
+            continue
+
+        filename = os.path.basename(tf)
+        issues = []
+
+        # === FAKE TEST PATTERNS (from v3, kept) ===
+        fake_patterns = [
+            (r"expect\s*\(\s*true\s*\)\s*\.to(Be|Equal)\s*\(\s*true\s*\)", "assert true === true"),
+            (r"expect\s*\(\s*1\s*\)\s*\.toBe\s*\(\s*1\s*\)", "assert 1 === 1"),
+            (r"assert\s+True\b", "assert True (Python)"),
+            (r"assert\s+1\s*==\s*1", "assert 1 == 1"),
+        ]
+        for pat, label in fake_patterns:
+            if re.search(pat, content):
+                issues.append(f"FAKE: {label}")
+
+        # === BOILERPLATE-ONLY (v4 new) ===
+        # Tests that only check typeof/instanceof/existence
+        type_checks = len(re.findall(
+            r"(typeof\s+\w+|instanceof\s+\w+|toBeDefined|toBeInstanceOf|\.type\b)", content))
+        behavior_checks = len(re.findall(
+            r"(toEqual|toContain|toMatch|toThrow|rejects|resolves|toHaveBeenCalledWith|"
+            r"toHaveProperty|toHaveLength|toBeGreaterThan|toBeLessThan|assert.*==|"
+            r"assertEqual|assertIn|assertRaises|assert_called_with)", content))
+
+        if type_checks > 3 and behavior_checks == 0:
+            issues.append("BOILERPLATE: Only checks types/existence, never tests actual behavior")
+
+        # === HAPPY PATH ONLY (v4 new) ===
+        # Check for error/edge case testing
+        has_error_tests = bool(re.search(
+            r"(toThrow|rejects|assertRaises|error|invalid|empty|null|undefined|"
+            r"edge.case|boundary|overflow|timeout|unauthorized|forbidden|not.found|"
+            r"bad.request|missing|malformed)", content, re.IGNORECASE))
+        test_count = len(re.findall(r"(test|it|describe)\s*\(", content))
+
+        if test_count >= 3 and not has_error_tests:
+            issues.append("HAPPY PATH ONLY: No error/edge case tests. "
+                          "What happens with bad input? Unauthorized? Empty data?")
+
+        # === NO ASSERTIONS (v3 kept) ===
+        test_bodies = re.findall(
+            r"(?:test|it)\s*\([^)]+,\s*(?:async\s*)?\(\)\s*=>\s*\{([^}]*)\}",
+            content, re.DOTALL)
+        for body in test_bodies:
+            if body.strip() and not re.search(
+                r"(expect|assert|should|verify|check|toBe|toEqual|toThrow|toHave)",
+                body, re.IGNORECASE):
+                issues.append("EMPTY: Test body has no assertions")
+                break
+
+        # === MOCK EVERYTHING (v3 kept, improved) ===
+        mock_count = len(re.findall(r"(jest\.mock|mock\(|patch\(|MagicMock|stub\(|sinon\.stub)", content))
+        if mock_count > 5 and behavior_checks <= 1:
+            issues.append("OVER-MOCKED: Heavy mocking but barely tests real behavior")
+
+        if issues:
+            warnings.append(f"{filename}: " + "; ".join(issues))
+
+    if warnings:
+        msg = "TEST QUALITY ISSUES:\n" + "\n".join(f"  {w}" for w in warnings)
+        msg += ("\n\nTests should verify what USERS need, not just that code exists.\n"
+                "Ask: 'What does the user expect to happen? What could go wrong?'\n"
+                "Write tests for those scenarios.")
+        return [msg]
+
+    return []
+
+
+# Standalone execution (backward compat: invoked directly by hook runner)
+if __name__ == "__main__":
+    try:
+        data = json.load(sys.stdin)
+    except (json.JSONDecodeError, EOFError):
+        sys.exit(0)
+
+    if should_skip_stop_hooks(data):
+        sys.exit(0)
+
+
+    project_dir = _resolve_project_dir()
+    blocks = check_test_quality(data, project_dir)
+    if blocks:
+        json.dump({"decision": "block", "reason": blocks[0]}, sys.stdout)
+    sys.exit(0)

package/hooks/todo-state-tracker.py

@@ -0,0 +1,114 @@
+#!/usr/bin/env python3
+"""
+PostToolUse Hook: Todo State Tracker (v1)
+
+Parses todo lists from agent responses and tracks completion status.
+Persists state to .omg/state/todo_progress.json for cross-turn tracking.
+
+Feature flag: OMG_TODO_TRACKING_ENABLED (default: False)
+"""
+import json
+import sys
+import os
+import re
+from datetime import datetime, timezone
+
+HOOKS_DIR = os.path.dirname(__file__)
+if HOOKS_DIR not in sys.path:
+    sys.path.insert(0, HOOKS_DIR)
+
+from _common import (
+    setup_crash_handler,
+    json_input,
+    get_project_dir,
+    get_feature_flag,
+    atomic_json_write,
+)
+
+setup_crash_handler("todo-state-tracker", fail_closed=False)
+
+# Feature flag check
+if not get_feature_flag("TODO_TRACKING", default=False):
+    sys.exit(0)
+
+data = json_input()
+
+# Extract response text from various possible fields
+response_text = ""
+if isinstance(data, dict):
+    # PostToolUse hook may have response in different fields
+    response_text = (
+        data.get("response", "")
+        or data.get("tool_response", "")
+        or data.get("message", "")
+        or ""
+    )
+    if isinstance(response_text, dict):
+        response_text = response_text.get("content", "")
+
+if not isinstance(response_text, str):
+    response_text = str(response_text) if response_text else ""
+
+# Parse todo items: regex pattern for markdown todo format
+# Matches: - [ ] task text or - [x] task text
+TODO_PATTERN = r'- \[([ x])\] (.+)'
+matches = re.findall(TODO_PATTERN, response_text, re.IGNORECASE)
+
+if not matches:
+    # No todos found, exit cleanly
+    sys.exit(0)
+
+# Separate incomplete and complete items
+incomplete_items = []
+complete_items = []
+
+for status, task_text in matches:
+    task_text = task_text.strip()
+    if status.lower() == 'x':
+        complete_items.append(task_text)
+    else:
+        incomplete_items.append(task_text)
+
+# Load existing state
+project_dir = get_project_dir()
+state_path = os.path.join(project_dir, ".omg", "state", "todo_progress.json")
+
+existing_state = {}
+if os.path.exists(state_path):
+    try:
+        with open(state_path, "r", encoding="utf-8") as f:
+            existing_state = json.load(f)
+    except Exception:
+        existing_state = {}
+
+# Ensure existing_state is a dict
+if not isinstance(existing_state, dict):
+    existing_state = {}
+
+# Cross-turn merge strategy:
+# - Keep existing complete items (don't regress)
+# - Add new complete items
+# - Update incomplete items (replace with current turn's findings)
+# - Preserve session_id if available
+
+merged_complete = list(set(existing_state.get("complete", []) + complete_items))
+merged_incomplete = incomplete_items  # Replace with current turn's findings
+
+# Build new state
+new_state = {
+    "incomplete": merged_incomplete,
+    "complete": merged_complete,
+    "total": len(merged_incomplete) + len(merged_complete),
+    "last_updated": datetime.now(timezone.utc).isoformat(),
+}
+
+# Preserve session_id if available
+if "session_id" in existing_state:
+    new_state["session_id"] = existing_state["session_id"]
+elif "session_id" in data:
+    new_state["session_id"] = data.get("session_id")
+
+# Atomically write state
+atomic_json_write(state_path, new_state)
+
+sys.exit(0)

package/hooks/tool-ledger.py

@@ -0,0 +1,126 @@
+#!/usr/bin/env python3
+"""
+PostToolUse Hook (*): Tool Execution Ledger (Enterprise)
+Logs every tool execution to .omg/state/ledger/tool-ledger.jsonl.
+Evidence trail for stop-gate.py and claim verification.
+Includes log rotation to prevent unbounded growth.
+"""
+import json, sys, os, re, shutil
+from datetime import datetime, timezone
+
+HOOKS_DIR = os.path.dirname(__file__)
+if HOOKS_DIR not in sys.path:
+    sys.path.insert(0, HOOKS_DIR)
+
+from _common import setup_crash_handler, json_input, get_project_dir
+from state_migration import resolve_state_dir
+
+setup_crash_handler("tool-ledger", fail_closed=False)
+
+data = json_input()
+
+project_dir = get_project_dir()
+ledger_dir = resolve_state_dir(project_dir, "state/ledger", "ledger")
+os.makedirs(ledger_dir, exist_ok=True)
+
+ledger_path = os.path.join(ledger_dir, "tool-ledger.jsonl")
+
+# ── Log rotation: size-only heuristic (avoids O(n) line-count scan) ──
+MAX_BYTES = 5 * 1024 * 1024  # 5MB
+try:
+    if os.path.exists(ledger_path):
+        size = os.path.getsize(ledger_path)
+        needs_rotation = size > MAX_BYTES
+
+        if needs_rotation:
+            archive = ledger_path + ".1"
+            # Keep only one archive
+            if os.path.exists(archive):
+                try:
+                    os.remove(archive)
+                except OSError:
+                    pass
+            shutil.move(ledger_path, archive)
+except Exception:
+    pass
+
+tool_name = data.get("tool_name", "")
+tool_input = data.get("tool_input", {})
+tool_response = data.get("tool_response", {})
+
+entry = {
+    "ts": datetime.now(timezone.utc).isoformat(),
+    "pid": os.getpid(),
+    "tool": tool_name,
+}
+
+# Link ledger entries to OMG v1 run/evidence artifacts when available.
+run_id = os.environ.get("OMG_RUN_ID")
+if not run_id:
+    active_run = os.path.join(project_dir, ".omg", "shadow", "active-run")
+    if os.path.exists(active_run):
+        try:
+            with open(active_run, "r", encoding="utf-8") as f:
+                run_id = f.read().strip()
+        except Exception:
+            run_id = None
+if run_id:
+    entry["run_id"] = run_id
+
+if tool_name == "Bash":
+    entry["command"] = tool_input.get("command", "")[:500]
+    if isinstance(tool_response, dict):
+        entry["exit_code"] = tool_response.get("exitCode", tool_response.get("exit_code"))
+        snippet = str(tool_response.get("stdout", ""))[:200]
+        # Mask potential secrets in stdout before logging
+        # Aligned with post-write.py SECRET_PATTERNS for consistent coverage
+        SECRET_PATTERNS = [
+            (r'(?i)(api[_-]?key|token|secret|password|passwd|credential|auth)[=:]\s*\S+', r'\1=***'),
+            (r'AKIA[0-9A-Z]{16}', '***AWS_KEY***'),
+            (r'(?:aws_secret_access_key|AWS_SECRET)\s*[:=]\s*[\'"]?[A-Za-z0-9/+=]{40}', '***AWS_SECRET***'),
+            (r'-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----', '***PRIVATE_KEY***'),
+            (r'sk-[a-zA-Z0-9]{20,}', '***API_KEY***'),
+            (r'gh[ps]_[A-Za-z0-9_]{36,}', '***GH_TOKEN***'),
+            (r'github_pat_[A-Za-z0-9_]{22,}', '***GH_PAT***'),
+            (r'xox[bp]-[0-9]{10,}-[A-Za-z0-9]{20,}', '***SLACK_TOKEN***'),
+            (r'sk_live_[A-Za-z0-9]{20,}', '***STRIPE_KEY***'),
+            (r'rk_live_[A-Za-z0-9]{20,}', '***STRIPE_KEY***'),
+            (r'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]{20,}', '***SERVICE_KEY***'),
+            (r'AIza[A-Za-z0-9_-]{35}', '***GOOGLE_KEY***'),
+            (r'SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}', '***SENDGRID_KEY***'),
+            (r'eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}', '***JWT***'),
+            (r'(?:postgres|mysql|mongodb|redis)://[^:]+:[^@]+@', '***DB_URL***'),
+            (r'https?://[^:]+:[^@]+@', '***URL_CREDS***'),
+        ]
+        for pattern, replacement in SECRET_PATTERNS:
+            snippet = re.sub(pattern, replacement, snippet)
+        entry["stdout_snippet"] = snippet
+elif tool_name in ("Write", "Edit", "MultiEdit"):
+    entry["file"] = tool_input.get("file_path", "")
+    entry["success"] = tool_response.get("success") if isinstance(tool_response, dict) else None
+elif tool_name == "Read":
+    entry["file"] = tool_input.get("file_path", "")
+
+# Attach the latest evidence file path if one exists for this run.
+if run_id:
+    ev_path = os.path.join(project_dir, ".omg", "evidence", f"{run_id}.json")
+    if os.path.exists(ev_path):
+        entry["evidence_path"] = os.path.relpath(ev_path, project_dir)
+
+try:
+    import fcntl
+    fd = open(ledger_path, "a")
+    fcntl.flock(fd.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
+    fd.write(json.dumps(entry, separators=(",", ":")) + "\n")
+    fcntl.flock(fd.fileno(), fcntl.LOCK_UN)
+    fd.close()
+except (ImportError, BlockingIOError):
+    try:
+        with open(ledger_path, "a") as f:
+            f.write(json.dumps(entry, separators=(",", ":")) + "\n")
+    except Exception:
+        pass
+except Exception:
+    pass  # Non-blocking: don't fail the tool call
+
+sys.exit(0)