@trac3er/oh-my-god 2.0.0 → 2.0.2

package/hooks/fetch-rate-limits.py

@@ -0,0 +1,212 @@
+#!/usr/bin/env python3
+"""
+Fetch Claude rate limits from Anthropic OAuth API and cache for HUD.
+
+Reads OAuth credentials from:
+- macOS: Keychain "Claude Code-credentials" (format: {claudeAiOauth: {...}})
+- Linux/fallback: ~/.claude/.credentials.json
+
+Caches to: ~/.claude/omg-runtime/.usage-cache.json
+"""
+
+import json
+import os
+import ssl
+import subprocess
+import sys
+import urllib.error
+import urllib.request
+from datetime import datetime, timezone
+from pathlib import Path
+
+
+def get_claude_config_dir():
+    """Get Claude config directory."""
+    return Path(os.environ.get("CLAUDE_CONFIG_DIR", Path.home() / ".claude"))
+
+
+def get_cache_path():
+    """Get cache file path."""
+    return get_claude_config_dir() / "omg-runtime" / ".usage-cache.json"
+
+
+def read_credentials_from_keychain():
+    """Read OAuth credentials from macOS Keychain."""
+    try:
+        result = subprocess.run(
+            ["security", "find-generic-password", "-s", "Claude Code-credentials", "-w"],
+            capture_output=True,
+            text=True,
+            timeout=5
+        )
+        if result.returncode == 0 and result.stdout.strip():
+            data = json.loads(result.stdout.strip())
+            # Claude Code stores credentials under 'claudeAiOauth' key
+            if "claudeAiOauth" in data:
+                return data["claudeAiOauth"]
+            return data
+    except Exception:
+        pass
+    return None
+
+
+def read_credentials_from_file():
+    """Read OAuth credentials from file."""
+    creds_path = get_claude_config_dir() / ".credentials.json"
+    try:
+        if creds_path.exists():
+            data = json.loads(creds_path.read_text())
+            # Handle nested format if present
+            if "claudeAiOauth" in data:
+                return data["claudeAiOauth"]
+            return data
+    except Exception:
+        pass
+    return None
+
+
+def read_credentials():
+    """Read OAuth credentials from keychain or file."""
+    # Try keychain first (macOS)
+    creds = read_credentials_from_keychain()
+    if creds and creds.get("accessToken"):
+        return creds
+    
+    # Fall back to file
+    creds = read_credentials_from_file()
+    if creds and creds.get("accessToken"):
+        return creds
+    
+    return None
+
+
+def fetch_usage(credentials):
+    """Fetch usage from Anthropic API."""
+    access_token = credentials.get("accessToken")
+    if not access_token:
+        return None
+    
+    # Create HTTPS request
+    ctx = ssl.create_default_context()
+    req = urllib.request.Request(
+        "https://api.anthropic.com/api/oauth/usage",
+        headers={
+            "Authorization": f"Bearer {access_token}",
+            "anthropic-beta": "oauth-2025-04-20",  # Required for OAuth API access
+            "Accept": "application/json"
+        }
+    )
+    
+    try:
+        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
+            data = json.loads(resp.read().decode())
+            
+            # Parse response into RateLimits format
+            rate_limits = {}
+            
+            # Five hour (session) limit - API returns percentage 0-100 directly
+            five_hour = data.get("five_hour", {})
+            if five_hour and "utilization" in five_hour:
+                rate_limits["fiveHourPercent"] = float(five_hour["utilization"])
+                if five_hour.get("resets_at"):
+                    rate_limits["fiveHourResetsAt"] = five_hour["resets_at"]
+            
+            # Seven day (weekly) limit - API returns percentage 0-100 directly
+            seven_day = data.get("seven_day", {})
+            if seven_day and "utilization" in seven_day:
+                rate_limits["weeklyPercent"] = float(seven_day["utilization"])
+                if seven_day.get("resets_at"):
+                    rate_limits["weeklyResetsAt"] = seven_day["resets_at"]
+            
+            # Per-model quotas
+            sonnet = data.get("seven_day_sonnet", {})
+            if sonnet and "utilization" in sonnet:
+                rate_limits["sonnetWeeklyPercent"] = float(sonnet["utilization"])
+                if sonnet.get("resets_at"):
+                    rate_limits["sonnetWeeklyResetsAt"] = sonnet["resets_at"]
+            
+            opus = data.get("seven_day_opus", {})
+            if opus and "utilization" in opus:
+                rate_limits["opusWeeklyPercent"] = float(opus["utilization"])
+                if opus.get("resets_at"):
+                    rate_limits["opusWeeklyResetsAt"] = opus["resets_at"]
+            
+            return rate_limits
+            
+    except urllib.error.HTTPError as e:
+        if e.code == 401:
+            # Token expired or invalid
+            pass
+        return None
+    except Exception:
+        return None
+
+
+def write_cache(rate_limits):
+    """Write rate limits to cache file."""
+    cache_path = get_cache_path()
+    cache_dir = cache_path.parent
+    
+    try:
+        cache_dir.mkdir(parents=True, exist_ok=True)
+        
+        cache_data = {
+            "timestamp": datetime.now(timezone.utc).isoformat(),
+            "data": rate_limits,
+            "source": "anthropic"
+        }
+        
+        # Write to temp file then rename for atomicity
+        temp_path = cache_path.with_suffix(".tmp")
+        temp_path.write_text(json.dumps(cache_data, indent=2))
+        temp_path.rename(cache_path)
+        
+        return True
+    except Exception:
+        return False
+
+
+def read_existing_cache():
+    """Read existing cache if present."""
+    cache_path = get_cache_path()
+    try:
+        if cache_path.exists():
+            return json.loads(cache_path.read_text())
+    except Exception:
+        pass
+    return None
+
+
+def main():
+    """Main entry point."""
+    # Check if cache is fresh (less than 30 seconds old)
+    existing = read_existing_cache()
+    if existing:
+        try:
+            cached_time = datetime.fromisoformat(existing.get("timestamp", ""))
+            age = (datetime.now(timezone.utc) - cached_time).total_seconds()
+            if age < 30:
+                # Cache is fresh, nothing to do
+                sys.exit(0)
+        except Exception:
+            pass
+    
+    # Read credentials
+    credentials = read_credentials()
+    if not credentials:
+        sys.exit(0)  # Silent exit if no credentials
+    
+    # Fetch usage
+    rate_limits = fetch_usage(credentials)
+    if not rate_limits:
+        sys.exit(0)  # Silent exit on API error
+    
+    # Write cache
+    if write_cache(rate_limits):
+        print(f"[OMG] Rate limits updated: daily={rate_limits.get('fiveHourPercent', 'N/A')}%, weekly={rate_limits.get('weeklyPercent', 'N/A')}%")
+    
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

package/hooks/firewall.py

@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+"""PreToolUse Hook (Bash): Command Firewall (Enterprise)
+
+Delegates policy logic to policy_engine.py so all command decisions are driven by
+one centralized decision model.
+"""
+import json
+import os
+import sys
+
+HOOKS_DIR = os.path.dirname(__file__)
+if HOOKS_DIR not in sys.path:
+    sys.path.insert(0, HOOKS_DIR)
+
+from _common import setup_crash_handler, json_input, deny_decision, is_bypass_mode
+
+# Fail-closed: deny on crash (security hook)
+setup_crash_handler("firewall", fail_closed=True)
+
+try:
+    from policy_engine import evaluate_bash_command, to_pretool_hook_output
+except Exception as _import_err:
+    print(f"OMG firewall: policy_engine import failed: {_import_err}", file=sys.stderr)
+    deny_decision(f"OMG firewall crash: policy_engine import failed: {_import_err}. Denying for safety.")
+    sys.exit(0)
+
+data = json_input()
+
+tool = data.get("tool_name", "")
+if tool != "Bash":
+    sys.exit(0)
+
+cmd = data.get("tool_input", {}).get("command", "")
+if not cmd:
+    sys.exit(0)
+
+decision = evaluate_bash_command(cmd)
+
+# In bypass-permission mode, only enforce hard denials (critical safety).
+# Skip "ask" decisions so the user is not prompted for confirmation.
+if is_bypass_mode(data) and decision.action != "deny":
+    sys.exit(0)
+
+out = to_pretool_hook_output(decision)
+if out:
+    json.dump(out, sys.stdout)
+
+sys.exit(0)

package/hooks/hashline-formatter-bridge.py

@@ -0,0 +1,224 @@
+#!/usr/bin/env python3
+"""Hashline Formatter Bridge — reconciles sidecar hash cache after formatters run.
+
+When a post-write formatter (e.g. prettier, ruff format) modifies a file,
+the cached line hashes become stale.  This bridge detects the change and
+refreshes the sidecar cache so subsequent reads/edits use correct anchors.
+
+Feature flag: OMG_HASHLINE_ENABLED (default: False)
+"""
+import json
+import os
+import sys
+
+HOOKS_DIR = os.path.dirname(__file__)
+if HOOKS_DIR not in sys.path:
+    sys.path.insert(0, HOOKS_DIR)
+
+from _common import (
+    setup_crash_handler,
+    json_input,
+    get_feature_flag,
+)
+
+setup_crash_handler("hashline-formatter-bridge")
+
+
+# --- Feature Flag ---
+
+
+def _is_enabled() -> bool:
+    """Check if hashline features are enabled.
+
+    Resolution order: OMG_HASHLINE_ENABLED env var -> settings.json -> False
+    """
+    env_val = os.environ.get("OMG_HASHLINE_ENABLED", "").lower()
+    if env_val in ("1", "true", "yes"):
+        return True
+    if env_val in ("0", "false", "no"):
+        return False
+    return get_feature_flag("HASHLINE", default=False)
+
+
+# --- Lazy Imports from hashline-injector ---
+
+_injector = None
+
+
+def _get_injector():
+    """Lazy-load hashline-injector module."""
+    global _injector
+    if _injector is None:
+        import importlib
+        _injector = importlib.import_module("hashline-injector")
+    return _injector
+
+
+# --- Core Functions ---
+
+
+def detect_formatter_change(file_path: str, original_content: str, formatted_content: str) -> bool:
+    """Return True if the formatter changed the content.
+
+    Compares stripped versions of each line to ignore trivial
+    trailing-whitespace-only differences while still detecting
+    real structural changes.
+
+    Args:
+        file_path: Path to the file (for context, not read).
+        original_content: Content before formatting.
+        formatted_content: Content after formatting.
+
+    Returns:
+        True if formatted_content differs from original_content.
+    """
+    if original_content == formatted_content:
+        return False
+
+    # Compare stripped lines to ignore trivial whitespace diffs
+    orig_lines = [l.rstrip() for l in original_content.split("\n")]
+    fmt_lines = [l.rstrip() for l in formatted_content.split("\n")]
+    return orig_lines != fmt_lines
+
+
+def refresh_cache_after_format(file_path: str, formatted_content: str) -> bool:
+    """Recompute and save line hashes for newly formatted content.
+
+    Args:
+        file_path: Path to the formatted file.
+        formatted_content: The file content after formatting.
+
+    Returns:
+        True on success (or when feature is disabled), False on error.
+    """
+    if not _is_enabled():
+        return True
+
+    try:
+        injector = _get_injector()
+        _line_hash_id = injector._line_hash_id
+        _cache_hashes = injector._cache_hashes
+    except Exception:
+        return False
+
+    try:
+        lines = formatted_content.split("\n")
+        line_hashes = {}
+        for i, line in enumerate(lines, start=1):
+            line_hashes[str(i)] = _line_hash_id(line)
+
+        _cache_hashes(file_path, line_hashes)
+        return True
+    except Exception:
+        return False
+
+
+def reconcile_post_format(file_path: str) -> dict:
+    """Reconcile hash cache with the current file on disk.
+
+    Reads the file, checks whether the cached mtime is stale
+    (indicating a formatter ran after the last cache write),
+    and refreshes the cache if needed.
+
+    Args:
+        file_path: Path to the file to reconcile.
+
+    Returns:
+        dict with reconciliation result:
+        - ``{"skipped": True}`` when feature is disabled
+        - ``{"refreshed": True/False, "lines_updated": int, "file": str}``
+    """
+    if not _is_enabled():
+        return {"skipped": True}
+
+    try:
+        injector = _get_injector()
+        _get_cached_hashes = injector._get_cached_hashes
+        _line_hash_id = injector._line_hash_id
+        _cache_hashes = injector._cache_hashes
+    except Exception:
+        return {"refreshed": False, "lines_updated": 0, "file": file_path}
+
+    try:
+        abs_path = os.path.abspath(file_path)
+        if not os.path.exists(abs_path):
+            return {"refreshed": False, "lines_updated": 0, "file": file_path}
+
+        # Read current content from disk
+        with open(abs_path, "r", encoding="utf-8", errors="replace") as f:
+            content = f.read()
+
+        # Check if cache exists — if _get_cached_hashes returns None,
+        # cache is either missing or mtime doesn't match (formatter ran).
+        cached = _get_cached_hashes(file_path)
+        if cached is not None:
+            # Cache is still valid (mtime matches) — no refresh needed
+            return {"refreshed": False, "lines_updated": 0, "file": file_path}
+
+        # Cache is stale or missing — refresh
+        lines = content.split("\n")
+        line_hashes = {}
+        for i, line in enumerate(lines, start=1):
+            line_hashes[str(i)] = _line_hash_id(line)
+
+        _cache_hashes(file_path, line_hashes)
+        return {"refreshed": True, "lines_updated": len(lines), "file": file_path}
+    except Exception:
+        return {"refreshed": False, "lines_updated": 0, "file": file_path}
+
+
+# --- Write-tool names that trigger reconciliation ---
+
+_WRITE_TOOLS = frozenset({
+    "Write", "Edit", "MultiEdit",
+    "mcp__filesystem__write_file",
+    "mcp__filesystem__edit_file",
+})
+
+
+# --- Hook Entry Point ---
+
+
+def main():
+    """PostToolUse hook stdin/stdout entry point.
+
+    Reads JSON from stdin::
+
+        {"tool_name": "Write", "tool_input": {"file_path": "..."}}
+
+    If tool_name is a write tool and OMG_HASHLINE_ENABLED is set,
+    runs ``reconcile_post_format`` to refresh the hash cache after
+    any post-write formatter may have modified the file.
+
+    Always exits 0 — never raises.
+    """
+    if not _is_enabled():
+        sys.exit(0)
+
+    data = json_input()
+    if not isinstance(data, dict):
+        sys.exit(0)
+
+    tool_name = data.get("tool_name", "")
+    if tool_name not in _WRITE_TOOLS:
+        sys.exit(0)
+
+    tool_input = data.get("tool_input", {})
+    if not isinstance(tool_input, dict):
+        sys.exit(0)
+
+    file_path = tool_input.get("file_path", tool_input.get("filePath", ""))
+    if not file_path:
+        sys.exit(0)
+
+    try:
+        result = reconcile_post_format(file_path)
+        json.dump(result, sys.stdout)
+    except Exception:
+        pass  # Graceful degradation — never crash
+
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()