npm - @trieungoctam/vibekit - Versions diffs - 1.0.0 - Mend

@trieungoctam/vibekit 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (352) hide show

package/hooks/lib/git-info-cache.cjs ADDED Viewed

@@ -0,0 +1,143 @@
+#!/usr/bin/env node
+'use strict';
+/**
+ * Git Info Cache - Cross-platform git information batching
+ *
+ * Problem: 5-6 git process spawns per statusline render are slow on Windows (CreateProcess overhead)
+ * Solution: Cache git query results for 3 seconds — subsequent renders read cache (zero processes)
+ *
+ * Performance: 5 spawns per render → event-driven refresh + 30s TTL fallback
+ * Cross-platform: No bash-only syntax (no 2>/dev/null), windowsHide on all exec calls
+ */
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+// Cache TTL — long fallback for external changes (git checkout outside Claude)
+// Active invalidation happens via PostToolUse hooks after Edit/Write/Bash
+const CACHE_TTL = 30000;
+const CACHE_MISS = Symbol('cache_miss');
+/**
+ * Safe command execution wrapper with optional cwd
+ */
+function execIn(cmd, cwd) {
+  try {
+    return execSync(cmd, {
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'ignore'],
+      windowsHide: true,
+      cwd: cwd || undefined
+    }).trim();
+  } catch {
+    return '';
+  }
+}
+/**
+ * Get cache file path for current working directory
+ */
+function getCachePath(cwd) {
+  const hash = require('crypto')
+    .createHash('md5')
+    .update(cwd)
+    .digest('hex')
+    .slice(0, 8);
+  return path.join(os.tmpdir(), `ck-git-cache-${hash}.json`);
+}
+/**
+ * Read cache if valid (not expired). Returns CACHE_MISS on miss.
+ * No existsSync check (TOCTOU race) — just try read and catch.
+ */
+function readCache(cachePath) {
+  try {
+    const cache = JSON.parse(fs.readFileSync(cachePath, 'utf8'));
+    if (Date.now() - cache.timestamp < CACHE_TTL) {
+      return cache.data; // Can be null (non-git dir) or object (git info)
+    }
+  } catch {
+    // File missing, corrupted, or expired — all treated as cache miss
+  }
+  return CACHE_MISS;
+}
+/**
+ * Write cache atomically (temp file + rename to avoid partial reads on Windows)
+ */
+function writeCache(cachePath, data) {
+  const tmpPath = cachePath + '.tmp';
+  try {
+    fs.writeFileSync(tmpPath, JSON.stringify({ timestamp: Date.now(), data }));
+    fs.renameSync(tmpPath, cachePath);
+  } catch {
+    try { fs.unlinkSync(tmpPath); } catch {}
+  }
+}
+/**
+ * Count non-empty lines in a newline-delimited string
+ */
+function countLines(str) {
+  if (!str) return 0;
+  return str.split('\n').filter(l => l.trim()).length;
+}
+/**
+ * Fetch git info directly in-process
+ * The cache is what eliminates redundant spawns — not subprocess wrapping
+ * @param {string} cwd - Directory to run git commands in
+ * Returns: { branch, unstaged, staged, ahead, behind } or null if not git repo
+ */
+function fetchGitInfo(cwd) {
+  // Check if git repo (fast check) — run in target cwd, not process.cwd()
+  if (!execIn('git rev-parse --git-dir', cwd)) {
+    return null;
+  }
+  const branch = execIn('git branch --show-current', cwd) || execIn('git rev-parse --short HEAD', cwd);
+  const unstaged = countLines(execIn('git diff --name-only', cwd));
+  const staged = countLines(execIn('git diff --cached --name-only', cwd));
+  // Ahead/behind — no 2>/dev/null (invalid on Windows cmd.exe)
+  let ahead = 0, behind = 0;
+  const aheadBehind = execIn('git rev-list --left-right --count @{u}...HEAD', cwd);
+  if (aheadBehind) {
+    const parts = aheadBehind.split(/\s+/);
+    behind = parseInt(parts[0], 10) || 0;
+    ahead = parseInt(parts[1], 10) || 0;
+  }
+  return { branch, unstaged, staged, ahead, behind };
+}
+/**
+ * Get git info with caching
+ * Main export function used by statusline
+ */
+function getGitInfo(cwd = process.cwd()) {
+  const cachePath = getCachePath(cwd);
+  // Try cache first (includes cached null for non-git dirs)
+  const cached = readCache(cachePath);
+  if (cached !== CACHE_MISS) return cached;
+  // Cache miss or expired, fetch fresh data in target cwd
+  const data = fetchGitInfo(cwd);
+  // Cache both positive and null results (avoids re-spawning git in non-git dirs)
+  writeCache(cachePath, data);
+  return data;
+}
+/**
+ * Invalidate cache for a directory (call after file changes to trigger fresh git query)
+ */
+function invalidateCache(cwd = process.cwd()) {
+  try { fs.unlinkSync(getCachePath(cwd)); } catch {}
+}
+module.exports = { getGitInfo, invalidateCache };

package/hooks/lib/hook-logger.cjs ADDED Viewed

@@ -0,0 +1,92 @@
+/**
+ * hook-logger.cjs - Zero-dependency structured logger for hooks
+ *
+ * Logs to .claude/hooks/.logs/hook-log.jsonl (JSON Lines format)
+ * Auto-creates .logs/ directory and handles rotation (1000 lines max → 500 last)
+ * Uses only Node builtins (fs, path) — no external dependencies
+ *
+ * Export: logHook(hookName, data), createHookTimer(hookName)
+ */
+const fs = require('fs');
+const path = require('path');
+const LOG_DIR = path.join(__dirname, '..', '.logs');
+const LOG_FILE = path.join(LOG_DIR, 'hook-log.jsonl');
+const MAX_LINES = 1000;
+const TRUNCATE_TO = 500;
+/**
+ * Ensure log directory exists
+ */
+function ensureLogDir() {
+  try {
+    if (!fs.existsSync(LOG_DIR)) {
+      fs.mkdirSync(LOG_DIR, { recursive: true });
+    }
+  } catch (_) {
+    // Fail silently — never crash
+  }
+}
+/**
+ * Rotate log file if it exceeds MAX_LINES
+ */
+function rotateIfNeeded() {
+  try {
+    if (!fs.existsSync(LOG_FILE)) return;
+    const lines = fs.readFileSync(LOG_FILE, 'utf-8').split('\n').filter(Boolean);
+    if (lines.length >= MAX_LINES) {
+      const truncated = lines.slice(-TRUNCATE_TO).join('\n') + '\n';
+      fs.writeFileSync(LOG_FILE, truncated, 'utf-8');
+    }
+  } catch (_) {
+    // Fail silently
+  }
+}
+/**
+ * Log a hook event
+ * @param {string} hookName - Hook filename (e.g., 'scout-block')
+ * @param {object} data - Log data { tool?, dur?, status, exit?, error? }
+ */
+function logHook(hookName, data) {
+  try {
+    ensureLogDir();
+    rotateIfNeeded();
+    const entry = {
+      ts: new Date().toISOString(),
+      hook: hookName,
+      tool: data.tool || '',
+      dur: data.dur || 0,
+      status: data.status || 'ok',
+      exit: data.exit !== undefined ? data.exit : 0,
+      error: data.error || ''
+    };
+    fs.appendFileSync(LOG_FILE, JSON.stringify(entry) + '\n', 'utf-8');
+  } catch (_) {
+    // Never crash — fail silently
+  }
+}
+/**
+ * Create a duration timer for a hook
+ * @param {string} hookName - Hook filename
+ * @returns {{ end: (data) => void }} Timer object with end() method
+ */
+function createHookTimer(hookName) {
+  const start = Date.now();
+  return {
+    end(data = {}) {
+      const dur = Date.now() - start;
+      logHook(hookName, { ...data, dur });
+    }
+  };
+}
+module.exports = {
+  logHook,
+  createHookTimer
+};

package/hooks/lib/privacy-checker.cjs ADDED Viewed

@@ -0,0 +1,297 @@
+#!/usr/bin/env node
+/**
+ * privacy-checker.cjs - Privacy pattern matching logic for sensitive file detection
+ *
+ * Extracted from privacy-block.cjs for reuse in both Claude hooks and OpenCode plugins.
+ * Pure logic module - no stdin/stdout, no exit codes.
+ *
+ * @module privacy-checker
+ */
+const path = require('path');
+const fs = require('fs');
+// ═══════════════════════════════════════════════════════════════════════════
+// CONSTANTS
+// ═══════════════════════════════════════════════════════════════════════════
+const APPROVED_PREFIX = 'APPROVED:';
+// Safe file patterns - exempt from privacy checks (documentation/template files)
+const SAFE_PATTERNS = [
+  /\.example$/i,   // .env.example, config.example
+  /\.sample$/i,    // .env.sample
+  /\.template$/i,  // .env.template
+];
+// Privacy-sensitive patterns
+const PRIVACY_PATTERNS = [
+  /^\.env$/,              // .env
+  /^\.env\./,             // .env.local, .env.production, etc.
+  /\.env$/,               // path/to/.env
+  /\/\.env\./,            // path/to/.env.local
+  /credentials/i,         // credentials.json, etc.
+  /secrets?\.ya?ml$/i,    // secrets.yaml, secret.yml
+  /\.pem$/,               // Private keys
+  /\.key$/,               // Private keys
+  /id_rsa/,               // SSH keys
+  /id_ed25519/,           // SSH keys
+];
+// ═══════════════════════════════════════════════════════════════════════════
+// HELPER FUNCTIONS
+// ═══════════════════════════════════════════════════════════════════════════
+/**
+ * Check if path is a safe file (example/sample/template)
+ * @param {string} testPath - Path to check
+ * @returns {boolean} true if file matches safe patterns
+ */
+function isSafeFile(testPath) {
+  if (!testPath) return false;
+  const basename = path.basename(testPath);
+  return SAFE_PATTERNS.some(p => p.test(basename));
+}
+/**
+ * Check if path has APPROVED: prefix
+ * @param {string} testPath - Path to check
+ * @returns {boolean} true if path starts with APPROVED:
+ */
+function hasApprovalPrefix(testPath) {
+  return testPath && testPath.startsWith(APPROVED_PREFIX);
+}
+/**
+ * Strip APPROVED: prefix from path
+ * @param {string} testPath - Path to process
+ * @returns {string} Path without APPROVED: prefix
+ */
+function stripApprovalPrefix(testPath) {
+  if (hasApprovalPrefix(testPath)) {
+    return testPath.slice(APPROVED_PREFIX.length);
+  }
+  return testPath;
+}
+/**
+ * Check if stripped path is suspicious (path traversal or absolute)
+ * @param {string} strippedPath - Path after stripping APPROVED: prefix
+ * @returns {boolean} true if path looks suspicious
+ */
+function isSuspiciousPath(strippedPath) {
+  return strippedPath.includes('..') || path.isAbsolute(strippedPath);
+}
+/**
+ * Check if path matches privacy patterns
+ * @param {string} testPath - Path to check
+ * @returns {boolean} true if path matches privacy-sensitive patterns
+ */
+function isPrivacySensitive(testPath) {
+  if (!testPath) return false;
+  // Strip prefix for pattern matching
+  const cleanPath = stripApprovalPrefix(testPath);
+  let normalized = cleanPath.replace(/\\/g, '/');
+  // Decode URI components to catch obfuscated paths (%2e = '.')
+  try {
+    normalized = decodeURIComponent(normalized);
+  } catch (e) {
+    // Invalid encoding, use as-is
+  }
+  // Check safe patterns first - exempt example/sample/template files
+  if (isSafeFile(normalized)) {
+    return false;
+  }
+  const basename = path.basename(normalized);
+  for (const pattern of PRIVACY_PATTERNS) {
+    if (pattern.test(basename) || pattern.test(normalized)) {
+      return true;
+    }
+  }
+  return false;
+}
+/**
+ * Extract paths from tool input
+ * @param {Object} toolInput - Tool input object with file_path, path, pattern, or command
+ * @returns {Array<{value: string, field: string}>} Array of extracted paths with field names
+ */
+function extractPaths(toolInput) {
+  const paths = [];
+  if (!toolInput) return paths;
+  if (toolInput.file_path) paths.push({ value: toolInput.file_path, field: 'file_path' });
+  if (toolInput.path) paths.push({ value: toolInput.path, field: 'path' });
+  if (toolInput.pattern) paths.push({ value: toolInput.pattern, field: 'pattern' });
+  // Check bash commands for file paths
+  if (toolInput.command) {
+    // Look for APPROVED:.env or .env patterns
+    const approvedMatch = toolInput.command.match(/APPROVED:[^\s]+/g) || [];
+    approvedMatch.forEach(p => paths.push({ value: p, field: 'command' }));
+    // Only look for .env if no APPROVED: version found
+    if (approvedMatch.length === 0) {
+      const envMatch = toolInput.command.match(/\.env[^\s]*/g) || [];
+      envMatch.forEach(p => paths.push({ value: p, field: 'command' }));
+      // Also check bash variable assignments (FILE=.env, ENV_FILE=.env.local)
+      const varAssignments = toolInput.command.match(/\w+=[^\s]*\.env[^\s]*/g) || [];
+      varAssignments.forEach(a => {
+        const value = a.split('=')[1];
+        if (value) paths.push({ value, field: 'command' });
+      });
+      // Check command substitution containing sensitive patterns - extract .env from inside
+      const cmdSubst = toolInput.command.match(/\$\([^)]*?(\.env[^\s)]*)[^)]*\)/g) || [];
+      for (const subst of cmdSubst) {
+        const inner = subst.match(/\.env[^\s)]*/);
+        if (inner) paths.push({ value: inner[0], field: 'command' });
+      }
+    }
+  }
+  return paths.filter(p => p.value);
+}
+/**
+ * Load .ck.json config to check if privacy block is disabled
+ * @param {string} [configDir] - Directory containing .ck.json (defaults to .claude in cwd)
+ * @returns {boolean} true if privacy block should be skipped
+ */
+function isPrivacyBlockDisabled(configDir) {
+  try {
+    const configPath = configDir
+      ? path.join(configDir, '.ck.json')
+      : path.join(process.cwd(), '.claude', '.ck.json');
+    const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+    return config.privacyBlock === false;
+  } catch {
+    return false; // Default to enabled on error (file not found or invalid JSON)
+  }
+}
+/**
+ * Build prompt data for AskUserQuestion tool
+ * @param {string} filePath - Blocked file path
+ * @returns {Object} Prompt data object
+ */
+function buildPromptData(filePath) {
+  const basename = path.basename(filePath);
+  return {
+    type: 'PRIVACY_PROMPT',
+    file: filePath,
+    basename: basename,
+    question: {
+      header: 'File Access',
+      text: `I need to read "${basename}" which may contain sensitive data (API keys, passwords, tokens). Do you approve?`,
+      options: [
+        { label: 'Yes, approve access', description: `Allow reading ${basename} this time` },
+        { label: 'No, skip this file', description: 'Continue without accessing this file' }
+      ]
+    }
+  };
+}
+// ═══════════════════════════════════════════════════════════════════════════
+// MAIN ENTRY POINT
+// ═══════════════════════════════════════════════════════════════════════════
+/**
+ * Check if a tool call accesses privacy-sensitive files
+ *
+ * @param {Object} params
+ * @param {string} params.toolName - Name of tool (Read, Write, Bash, etc.)
+ * @param {Object} params.toolInput - Tool input with file_path, path, command, etc.
+ * @param {Object} [params.options]
+ * @param {boolean} [params.options.disabled] - Skip checks if true
+ * @param {string} [params.options.configDir] - Directory for .ck.json config
+ * @param {boolean} [params.options.allowBash] - Allow Bash tool without blocking (default: true)
+ * @returns {{
+ *   blocked: boolean,
+ *   filePath?: string,
+ *   reason?: string,
+ *   approved?: boolean,
+ *   isBash?: boolean,
+ *   suspicious?: boolean,
+ *   promptData?: Object
+ * }}
+ */
+function checkPrivacy({ toolName, toolInput, options = {} }) {
+  const { disabled, configDir, allowBash = true } = options;
+  // Check if disabled via options or config
+  if (disabled || isPrivacyBlockDisabled(configDir)) {
+    return { blocked: false };
+  }
+  const isBashTool = toolName === 'Bash';
+  const paths = extractPaths(toolInput);
+  // Check each path
+  for (const { value: testPath } of paths) {
+    if (!isPrivacySensitive(testPath)) continue;
+    // Check for approval prefix
+    if (hasApprovalPrefix(testPath)) {
+      const strippedPath = stripApprovalPrefix(testPath);
+      return {
+        blocked: false,
+        approved: true,
+        filePath: strippedPath,
+        suspicious: isSuspiciousPath(strippedPath)
+      };
+    }
+    // For Bash: warn but don't block (allows "Yes → bash cat" flow)
+    if (isBashTool && allowBash) {
+      return {
+        blocked: false,
+        isBash: true,
+        filePath: testPath,
+        reason: `Bash command accesses sensitive file: ${testPath}`
+      };
+    }
+    // Block - sensitive file without approval
+    return {
+      blocked: true,
+      filePath: testPath,
+      reason: `Sensitive file access requires user approval`,
+      promptData: buildPromptData(testPath)
+    };
+  }
+  // No sensitive paths found
+  return { blocked: false };
+}
+// ═══════════════════════════════════════════════════════════════════════════
+// EXPORTS
+// ═══════════════════════════════════════════════════════════════════════════
+module.exports = {
+  // Main entry point
+  checkPrivacy,
+  // Helper functions (for testing and direct use)
+  isSafeFile,
+  isPrivacySensitive,
+  hasApprovalPrefix,
+  stripApprovalPrefix,
+  isSuspiciousPath,
+  extractPaths,
+  isPrivacyBlockDisabled,
+  buildPromptData,
+  // Constants
+  APPROVED_PREFIX,
+  SAFE_PATTERNS,
+  PRIVACY_PATTERNS
+};