@trac3er/oh-my-god 2.0.0 → 2.0.2

package/hooks/policy_engine.ts

@@ -1,156 +0,0 @@
-import { realpathSync } from "node:fs";
-import { basename, normalize } from "node:path";
-
-export type PolicyDecision = {
-  action: "allow" | "ask" | "deny";
-  risk_level: "low" | "med" | "high" | "critical";
-  reason: string;
-  controls: string[];
-};
-
-const DESTRUCTIVE_PATTERNS: Array<[RegExp, string]> = [
-  [/rm\s+-[A-Za-z]*r[A-Za-z]*f[A-Za-z]*\s+\/(\s|$|\*)/, "rm -rf /"],
-  [/rm\s+-[A-Za-z]*r[A-Za-z]*f[A-Za-z]*\s+~\/?(\s|$|\*)/, "rm -rf ~"],
-  [/:\(\)\s*\{\s*:\|:&\s*\}\s*;:/, "fork bomb"],
-  [/sudo\s+(dd|mkfs|fdisk|parted|wipefs)\b/, "destructive disk op"],
-  [/sudo\s+rm\b/, "sudo rm"]
-];
-
-const PIPE_TO_SHELL = [
-  /(curl|wget)\s+.*\|\s*(sudo\s+)?(ba)?sh/,
-  /(curl|wget)\s+.*\|\s*(bun|node)\b/,
-  /base64\s+.*\|\s*(ba)?sh/
-];
-
-const SECRET_PATTERNS = [
-  /\.(env|pem|key|p12|pfx|jks|keystore|netrc|npmrc|pypirc)\b/i,
-  /\/\.aws\/(credentials|config)\b/i,
-  /\/\.kube\/config\b/i,
-  /\/id_(rsa|ed25519|ecdsa)\b/i,
-  /\/\.ssh\//i,
-  /\bsecrets?\//i
-];
-
-const SECRET_FILE_NAMES = new Set([
-  ".env",
-  ".env.local",
-  ".env.development",
-  ".env.production",
-  ".env.staging",
-  ".env.test",
-  ".npmrc",
-  ".netrc",
-  "id_rsa",
-  "id_ed25519",
-  "id_ecdsa",
-  "id_rsa.pub",
-  "id_ed25519.pub",
-  "id_ecdsa.pub"
-]);
-
-const EXAMPLE_ENV_FILES = new Set([".env.example", ".env.sample", ".env.template"]);
-
-const SENSITIVE_PATH_PATTERNS = [
-  /\/\.aws\/(credentials|config)$/i,
-  /\/\.kube\/config$/i,
-  /\/\.ssh\//i,
-  /\/\.gnupg\//i,
-  /\/secrets?\//i,
-  /\.(pem|key|p12|pfx|jks|keystore)$/i,
-  /(^|\/)secret[s]?\./i,
-  /(^|\/)credential[s]?\./i,
-  /(^|\/)password[s]?\./i,
-  /(^|\/)token[s]?\./i,
-  /(^|\/)\.docker\/config\.json$/i,
-  /(^|\/)\.git-credentials$/i
-];
-
-function decision(
-  action: PolicyDecision["action"],
-  risk_level: PolicyDecision["risk_level"],
-  reason: string,
-  controls: string[] = []
-): PolicyDecision {
-  return { action, risk_level, reason, controls };
-}
-
-export function evaluateBashCommand(command: string): PolicyDecision {
-  if (!command.trim()) {
-    return decision("allow", "low", "empty command");
-  }
-  for (const [pattern, label] of DESTRUCTIVE_PATTERNS) {
-    if (pattern.test(command)) {
-      return decision("deny", "critical", `Blocked: ${label}`, ["destructive-op"]);
-    }
-  }
-  for (const pattern of PIPE_TO_SHELL) {
-    if (pattern.test(command)) {
-      return decision("deny", "critical", "Blocked: pipe-to-shell", ["remote-code-exec"]);
-    }
-  }
-  if (/\beval\s+["'$`]/.test(command)) {
-    return decision("deny", "high", "Blocked: dynamic eval", ["dynamic-eval"]);
-  }
-  for (const pattern of SECRET_PATTERNS) {
-    if (pattern.test(command) && /\b(cat|less|more|head|tail|grep|awk|bun|node)\b/i.test(command)) {
-      return decision("deny", "critical", "Blocked: reading secret file", ["secret-access"]);
-    }
-  }
-  if (/\b(curl|wget|ssh|scp|rsync)\b/.test(command)) {
-    return decision("ask", "med", `Network or remote operation: ${command.slice(0, 120)}`, ["human-approval"]);
-  }
-  if (/\bgit\s+push\b.*(--force|-f)/.test(command)) {
-    return decision("ask", "med", "Force push", ["human-approval"]);
-  }
-  return decision("allow", "low", "command allowed");
-}
-
-function safeRealPath(path: string): string {
-  try {
-    return realpathSync(path);
-  } catch {
-    return normalize(path);
-  }
-}
-
-export function evaluateFileAccess(tool: string, filePath: string): PolicyDecision {
-  if (!filePath.trim()) {
-    return decision("allow", "low", "no file");
-  }
-
-  const normalizedPath = safeRealPath(filePath);
-  const fileName = basename(normalizedPath).toLowerCase();
-
-  if (EXAMPLE_ENV_FILES.has(fileName) && ["Write", "Edit", "MultiEdit"].includes(tool)) {
-    return decision("deny", "high", `Modifying example env file blocked: ${filePath}`, ["immutable-env-template"]);
-  }
-
-  if (SECRET_FILE_NAMES.has(fileName)) {
-    return decision("deny", "critical", `Secret file blocked: ${filePath}`, ["secret-access"]);
-  }
-
-  if (/^\.env(\..+)?$/i.test(fileName) && !EXAMPLE_ENV_FILES.has(fileName)) {
-    return decision("deny", "critical", `Environment file blocked: ${filePath}`, ["secret-access"]);
-  }
-
-  for (const pattern of SENSITIVE_PATH_PATTERNS) {
-    if (pattern.test(normalizedPath)) {
-      return decision("deny", "critical", `Sensitive path blocked: ${filePath}`, ["secret-access"]);
-    }
-  }
-
-  return decision("allow", "low", "file allowed");
-}
-
-export function toPretoolHookOutput(decisionValue: PolicyDecision): Record<string, unknown> | null {
-  if (decisionValue.action === "allow") {
-    return null;
-  }
-  return {
-    hookSpecificOutput: {
-      hookEventName: "PreToolUse",
-      permissionDecision: decisionValue.action,
-      permissionDecisionReason: decisionValue.reason
-    }
-  };
-}

package/hooks/post-tool-failure.ts

@@ -1,22 +0,0 @@
-#!/usr/bin/env bun
-import { join } from "node:path";
-import { readJsonFromStdin, resolveProjectDir, writeJsonFile } from "./_common.ts";
-
-async function main() {
-  const payload = await readJsonFromStdin<any>({});
-  const output = join(resolveProjectDir(), ".omg", "state", "last-tool-error.json");
-  writeJsonFile(output, {
-    ts: new Date().toISOString(),
-    tool: payload.tool_name || "",
-    tool_input: payload.tool_input || {},
-    tool_response: payload.tool_response || {}
-  });
-}
-
-if (import.meta.main) {
-  try {
-    await main();
-  } catch {
-    process.exit(0);
-  }
-}

package/hooks/post-write.ts

@@ -1,4 +0,0 @@
-#!/usr/bin/env bun
-import { noopHookMain } from "./_common.ts";
-
-noopHookMain();

package/hooks/pre-tool-inject.ts

@@ -1,4 +0,0 @@
-#!/usr/bin/env bun
-import { noopHookMain } from "./_common.ts";
-
-noopHookMain();

package/hooks/prompt-enhancer.ts

@@ -1,46 +0,0 @@
-#!/usr/bin/env bun
-import { BUDGET_PROMPT_TOTAL } from "./_budget.ts";
-import { readJsonFromStdin } from "./_common.ts";
-
-const ZERO_SIGNALS = /^(hello|hi|ok|thanks|yes|no|goodbye|hey there)$/i;
-const KEYWORDS =
-  /\b(fix|bug|implement|review|refactor|auth|login|jwt|oauth|database|deploy|rewrite|redesign|frontend|backend|ui|ux|css|layout)\b|전체|수정|구현|버그|에러|리팩토링/i;
-
-function buildInjection(prompt: string): string {
-  const base = [
-    "OMG Bun runtime context:",
-    "- Preserve proof-oriented workflow.",
-    "- Prefer focused edits and explicit verification.",
-    `- Active prompt: ${prompt}`
-  ].join("\n");
-  return base.length > BUDGET_PROMPT_TOTAL ? base.slice(0, BUDGET_PROMPT_TOTAL) : base;
-}
-
-async function main() {
-  const payload = await readJsonFromStdin<any>({});
-  const prompt = String(payload.user_message || "").trim();
-  if (!prompt || ZERO_SIGNALS.test(prompt)) {
-    return;
-  }
-  if (!KEYWORDS.test(prompt)) {
-    return;
-  }
-  process.stdout.write(
-    `${JSON.stringify(
-      {
-        contextInjection: buildInjection(prompt),
-        sources: ["omg-bun-runtime"]
-      },
-      null,
-      2
-    )}\n`
-  );
-}
-
-if (import.meta.main) {
-  try {
-    await main();
-  } catch {
-    process.exit(0);
-  }
-}

package/hooks/quality-runner.ts

@@ -1,24 +0,0 @@
-#!/usr/bin/env bun
-import { existsSync, readFileSync } from "node:fs";
-import { join } from "node:path";
-import { resolveProjectDir } from "./_common.ts";
-
-const ALLOWLIST = [/^bun test\b/, /^npm test\b/, /^vitest\b/, /^jest\b/];
-
-if (import.meta.main) {
-  try {
-    const configPath = join(resolveProjectDir(), ".omg", "quality-gate.json");
-    if (!existsSync(configPath)) {
-      process.exit(0);
-    }
-    const payload = JSON.parse(readFileSync(configPath, "utf8"));
-    const command = String(payload.test || payload.lint || "");
-    if (command && !ALLOWLIST.some((pattern) => pattern.test(command))) {
-      process.stdout.write(
-        `${JSON.stringify({ status: "blocked", reason: `BLOCKED quality command: ${command}` }, null, 2)}\n`
-      );
-    }
-  } catch {
-    process.exit(0);
-  }
-}

package/hooks/secret-guard.ts

@@ -1,4 +0,0 @@
-#!/usr/bin/env bun
-import { noopHookMain } from "./_common.ts";
-
-noopHookMain();

package/hooks/session-end-capture.ts

@@ -1,19 +0,0 @@
-#!/usr/bin/env bun
-import { join } from "node:path";
-import { readJsonFromStdin, resolveProjectDir, writeJsonFile } from "./_common.ts";
-
-async function main() {
-  const payload = await readJsonFromStdin<any>({});
-  writeJsonFile(join(resolveProjectDir(), ".omg", "state", "session-end.json"), {
-    ts: new Date().toISOString(),
-    payload
-  });
-}
-
-if (import.meta.main) {
-  try {
-    await main();
-  } catch {
-    process.exit(0);
-  }
-}

package/hooks/session-start.ts

@@ -1,19 +0,0 @@
-#!/usr/bin/env bun
-import { join } from "node:path";
-import { readJsonFromStdin, resolveProjectDir, writeJsonFile } from "./_common.ts";
-
-async function main() {
-  const payload = await readJsonFromStdin<any>({});
-  writeJsonFile(join(resolveProjectDir(), ".omg", "state", "session-start.json"), {
-    ts: new Date().toISOString(),
-    payload
-  });
-}
-
-if (import.meta.main) {
-  try {
-    await main();
-  } catch {
-    process.exit(0);
-  }
-}

package/hooks/shadow_manager.ts

@@ -1,81 +0,0 @@
-import { copyFileSync, existsSync, readdirSync, readFileSync, rmSync, statSync } from "node:fs";
-import { dirname, join, relative } from "node:path";
-import { ensureDir, writeJsonFile } from "./_common.ts";
-
-function shadowRoot(projectDir: string): string {
-  return join(projectDir, ".omg", "shadow");
-}
-
-function evidenceRoot(projectDir: string): string {
-  return join(projectDir, ".omg", "evidence");
-}
-
-export function createEvidencePack(
-  projectDir: string,
-  runId: string,
-  options: {
-    tests?: unknown[];
-    security_scans?: unknown[];
-    diff_summary?: Record<string, unknown>;
-    reproducibility?: Record<string, unknown>;
-    unresolved_risks?: string[];
-  } = {}
-): string {
-  ensureDir(evidenceRoot(projectDir));
-  const output = join(evidenceRoot(projectDir), `${runId}.json`);
-  writeJsonFile(output, {
-    schema: "EvidencePack",
-    run_id: runId,
-    created_at: new Date().toISOString(),
-    tests: options.tests || [],
-    security_scans: options.security_scans || [],
-    diff_summary: options.diff_summary || {},
-    reproducibility: options.reproducibility || {},
-    unresolved_risks: options.unresolved_risks || []
-  });
-  return output;
-}
-
-export function hasRecentEvidence(projectDir: string, hours = 24): boolean {
-  const base = evidenceRoot(projectDir);
-  if (!existsSync(base)) {
-    return false;
-  }
-  const maxAge = hours * 60 * 60 * 1000;
-  return readdirSync(base).some((name) => {
-    if (!name.endsWith(".json")) {
-      return false;
-    }
-    const age = Date.now() - statSync(join(base, name)).mtimeMs;
-    return age <= maxAge;
-  });
-}
-
-export function recordShadowWrite(projectDir: string, runId: string, filePath: string, source = "tool") {
-  const runDir = join(shadowRoot(projectDir), runId);
-  const overlayPath = join(runDir, "overlay", relative(projectDir, filePath).replace(/\.\./g, "_up_"));
-  ensureDir(join(runDir, "overlay"));
-  if (existsSync(filePath)) {
-    ensureDir(dirname(overlayPath));
-    copyFileSync(filePath, overlayPath);
-  }
-  const manifestPath = join(runDir, "manifest.json");
-  const manifest = existsSync(manifestPath)
-    ? JSON.parse(readFileSync(manifestPath, "utf8"))
-    : { run_id: runId, created_at: new Date().toISOString(), status: "open", files: [] };
-  manifest.files = Array.isArray(manifest.files) ? manifest.files.filter((entry: any) => entry.file !== filePath) : [];
-  manifest.files.push({
-    file: filePath,
-    shadow_file: relative(runDir, overlayPath),
-    recorded_at: new Date().toISOString(),
-    source
-  });
-  writeJsonFile(manifestPath, manifest);
-  return manifest;
-}
-
-export function dropShadow(projectDir: string, runId: string) {
-  const runDir = join(shadowRoot(projectDir), runId);
-  rmSync(runDir, { recursive: true, force: true });
-  return { run_id: runId, dropped: true };
-}

package/hooks/stop-gate.ts

@@ -1,22 +0,0 @@
-#!/usr/bin/env bun
-import { readJsonFromStdin } from "./_common.ts";
-import { runStopDispatcher } from "./stop_dispatcher.ts";
-
-async function main() {
-  const payload = await readJsonFromStdin<any>({});
-  if (payload.stop_hook_active) {
-    return;
-  }
-  const blocks = runStopDispatcher(payload);
-  if (blocks.length > 0) {
-    process.stdout.write(`${JSON.stringify({ status: "blocked", blocks }, null, 2)}\n`);
-  }
-}
-
-if (import.meta.main) {
-  try {
-    await main();
-  } catch {
-    process.exit(0);
-  }
-}

package/hooks/stop_dispatcher.ts

@@ -1,147 +0,0 @@
-#!/usr/bin/env bun
-import { readFileSync, existsSync } from "node:fs";
-import { join } from "node:path";
-import { getFeatureFlag, readJsonFromStdin, resolveProjectDir } from "./_common.ts";
-
-type StopData = Record<string, any>;
-
-function recentCommands(data: StopData): string[] {
-  return Array.isArray(data?._stop_ctx?.recent_commands) ? data._stop_ctx.recent_commands.map(String) : [];
-}
-
-export function checkVerification(data: StopData): string[] {
-  if (!getFeatureFlag("STOP_GATE", true)) {
-    return [];
-  }
-  if (!data?._stop_ctx?.has_source_writes) {
-    return [];
-  }
-  const hasVerification = recentCommands(data).some((command) => /\b(bun test|npm test|vitest|jest|cargo test|go test)\b/.test(command));
-  return hasVerification ? [] : ["NO verification commands were executed after source writes."];
-}
-
-export function checkDiffBudget(_data: StopData, projectDir: string): string[] {
-  if (!getFeatureFlag("STOP_GATE", true)) {
-    return [];
-  }
-  const names = Bun.spawnSync({ cmd: ["git", "diff", "--name-only"], cwd: projectDir, stdout: "pipe", stderr: "ignore" });
-  const files = names.stdout.toString().split(/\r?\n/).filter(Boolean);
-  const stats = Bun.spawnSync({ cmd: ["git", "diff", "--numstat"], cwd: projectDir, stdout: "pipe", stderr: "ignore" });
-  const lineCount = stats.stdout
-    .toString()
-    .split(/\r?\n/)
-    .filter(Boolean)
-    .reduce((total: number, line: string) => {
-      const [added, removed] = line.split("\t");
-      return total + Number(added || 0) + Number(removed || 0);
-    }, 0);
-  return files.length > 3 || lineCount > 150 ? [`Diff exceeds budget (${files.length} files, ${lineCount} lines).`] : [];
-}
-
-export function checkRecentFailures(data: StopData): string[] {
-  if (!getFeatureFlag("STOP_GATE", true)) {
-    return [];
-  }
-  const entries = Array.isArray(data?._stop_ctx?.recent_entries) ? data._stop_ctx.recent_entries.slice(-3) : [];
-  if (entries.length === 3 && entries.every((entry: any) => Number(entry.exit_code ?? 0) !== 0)) {
-    return ["Last 3 commands ALL FAILED."];
-  }
-  return [];
-}
-
-export function checkTestExecution(data: StopData): string[] {
-  if (!getFeatureFlag("STOP_GATE", true)) {
-    return [];
-  }
-  const changed = Array.isArray(data?._changed_files) ? data._changed_files.map(String) : [];
-  const changedTests = changed.some((path) => /(^|\/)(tests?|__tests__)\//.test(path));
-  return data?._stop_ctx?.has_material_writes && changedTests && !data?._has_test
-    ? ["Tests changed but the test suite was never executed."]
-    : [];
-}
-
-export function checkTestValidatorCoverage(data: StopData): string[] {
-  if (!getFeatureFlag("STOP_GATE", true)) {
-    return [];
-  }
-  const changed = Array.isArray(data?._changed_files) ? data._changed_files.map(String) : [];
-  const touchedSource = changed.some((path) => /(^|\/)src\//.test(path) || /\.(ts|tsx|js|jsx)$/.test(path));
-  const touchedTests = changed.some((path) => /(^|\/)(tests?|__tests__)\//.test(path) || /\.test\.(ts|tsx|js|jsx)$/.test(path));
-  return data?._stop_ctx?.has_source_writes && touchedSource && !touchedTests
-    ? ["TEST-VALIDATOR: source changed without matching test updates."]
-    : [];
-}
-
-export function checkFalseFix(data: StopData): string[] {
-  if (!getFeatureFlag("STOP_GATE", true)) {
-    return [];
-  }
-  const changed = Array.isArray(data?._changed_files) ? data._changed_files.map(String) : [];
-  if (!data?._stop_ctx?.has_material_writes || changed.length === 0) {
-    return [];
-  }
-  const onlyTestsAndScripts = changed.every((path) => /(^|\/)(tests?|scripts)\//.test(path) || path.endsWith(".md"));
-  return onlyTestsAndScripts ? ["FALSE FIX DETECTED: no source files changed."] : [];
-}
-
-export function checkWriteFailures(data: StopData): string[] {
-  if (!getFeatureFlag("STOP_GATE", true)) {
-    return [];
-  }
-  const entries = Array.isArray(data?._stop_ctx?.recent_entries) ? data._stop_ctx.recent_entries : [];
-  const failed = entries.find((entry: any) => (entry.tool === "Write" || entry.tool === "Edit") && entry.success === false);
-  return failed ? [`WRITE/EDIT FAILURE DETECTED: ${failed.file}`] : [];
-}
-
-export function checkSimplifier(data: StopData): string[] {
-  const entries = Array.isArray(data?._stop_ctx?.source_write_entries) ? data._stop_ctx.source_write_entries : [];
-  for (const entry of entries) {
-    const path = String(entry.file || "");
-    if (!path || !existsSync(path)) {
-      continue;
-    }
-    const content = readFileSync(path, "utf8");
-    const lines = content.split(/\r?\n/).filter(Boolean);
-    if (lines.length === 0) {
-      continue;
-    }
-    const commentLines = lines.filter((line) => line.trim().startsWith("//") || line.trim().startsWith("#")).length;
-    if (commentLines / lines.length > 0.4) {
-      process.stderr.write(`@simplifier advisory: ${commentLines} comment lines in ${path}\n`);
-    }
-  }
-  return [];
-}
-
-export function runStopDispatcher(data: StopData, projectDir = resolveProjectDir()): string[] {
-  return [
-    ...checkVerification(data),
-    ...checkDiffBudget(data, projectDir),
-    ...checkRecentFailures(data),
-    ...checkTestExecution(data),
-    ...checkTestValidatorCoverage(data),
-    ...checkFalseFix(data),
-    ...checkWriteFailures(data),
-    ...checkSimplifier(data)
-  ];
-}
-
-async function main() {
-  const data = await readJsonFromStdin<StopData>({});
-  if (data.stop_hook_active) {
-    return;
-  }
-  const projectDir = resolveProjectDir();
-  const blocks = runStopDispatcher(data, projectDir);
-  if (blocks.length > 0) {
-    process.stdout.write(`${JSON.stringify({ status: "blocked", blocks }, null, 2)}\n`);
-  }
-}
-
-if (import.meta.main) {
-  try {
-    await main();
-  } catch {
-    process.exit(0);
-  }
-}

package/hooks/test-generator-hook.ts

@@ -1,4 +0,0 @@
-#!/usr/bin/env bun
-import { noopHookMain } from "./_common.ts";
-
-noopHookMain();

package/hooks/tool-ledger.ts

@@ -1,27 +0,0 @@
-#!/usr/bin/env bun
-import { appendFileSync } from "node:fs";
-import { ledgerPath, readJsonFromStdin, resolveProjectDir, ensureParent } from "./_common.ts";
-
-async function main() {
-  const payload = await readJsonFromStdin<any>({});
-  const projectDir = resolveProjectDir();
-  const path = ledgerPath(projectDir, "tool-ledger.jsonl");
-  const record = {
-    ts: new Date().toISOString(),
-    tool: payload.tool_name || "",
-    file: payload.tool_input?.file_path || payload.tool_input?.filePath || "",
-    command: payload.tool_input?.command || "",
-    success: payload.tool_response?.success,
-    exit_code: payload.tool_response?.exitCode ?? payload.tool_response?.exit_code
-  };
-  ensureParent(path);
-  appendFileSync(path, `${JSON.stringify(record)}\n`, "utf8");
-}
-
-if (import.meta.main) {
-  try {
-    await main();
-  } catch {
-    process.exit(0);
-  }
-}