ai-lens 0.8.43 → 0.8.45

package/.commithash

@@ -1 +1 @@
-eea31dd
+0dbf7ca

package/cli/hooks.js

@@ -115,9 +115,16 @@ export function captureCommand(useTilde = false, rawPath = false, customPath = n
       ? '~/.ai-lens/client/capture.js'
       : CAPTURE_PATH.replace(/\\/g, '/');
   const pathPart = (customPath != null || rawPath) ? capturePath : shellEscape(capturePath);
-  return nodePath === '/usr/bin/env node'
-    ? `/usr/bin/env node ${pathPart}`
-    : `${shellEscape(nodePath.replace(/\\/g, '/'))} ${pathPart}`;
+  if (nodePath === '/usr/bin/env node') return `/usr/bin/env node ${pathPart}`;
+  // Claude Code on Windows executes hooks via cmd.exe. A quoted executable path
+  // at the start of the line (e.g. "C:/Program Files/node.exe" args) is not
+  // recognised as a command by cmd.exe. Use bare `node` for Claude Code hooks
+  // (rawPath=true) when the path contains spaces; Cursor hooks use PowerShell
+  // where quoting works fine.
+  if (process.platform === 'win32' && rawPath && nodePath.includes(' ')) {
+    return `node ${pathPart}`;
+  }
+  return `${shellEscape(nodePath.replace(/\\/g, '/'))} ${pathPart}`;
 }
 
 // Cursor on Windows executes hooks via PowerShell, which treats a quoted path like
@@ -193,22 +200,23 @@ const CLAUDE_CODE_HOOKS = {
   SubagentStop: () => ({ matcher: '', hooks: [{ type: 'command', command: captureCommand(true, true) }] }),
 };
 
-// Use tilde path (~/.ai-lens/...) so settings are portable (no absolute paths).
+// Use absolute path — Cursor does not expand ~ in hook commands (it passes the
+// literal string to Node, which resolves it relative to CWD).
 const CURSOR_HOOKS = {
-  sessionStart: () => ({ command: cursorCaptureCommand(true) }),
-  beforeSubmitPrompt: () => ({ command: cursorCaptureCommand(true) }),
-  postToolUse: () => ({ command: cursorCaptureCommand(true) }),
-  postToolUseFailure: () => ({ command: cursorCaptureCommand(true) }),
-  afterFileEdit: () => ({ command: cursorCaptureCommand(true) }),
-  afterShellExecution: () => ({ command: cursorCaptureCommand(true) }),
-  afterMCPExecution: () => ({ command: cursorCaptureCommand(true) }),
-  subagentStart: () => ({ command: cursorCaptureCommand(true) }),
-  subagentStop: () => ({ command: cursorCaptureCommand(true) }),
-  preCompact: () => ({ command: cursorCaptureCommand(true) }),
-  afterAgentResponse: () => ({ command: cursorCaptureCommand(true) }),
-  afterAgentThought: () => ({ command: cursorCaptureCommand(true) }),
-  stop: () => ({ command: cursorCaptureCommand(true) }),
-  sessionEnd: () => ({ command: cursorCaptureCommand(true) }),
+  sessionStart: () => ({ command: cursorCaptureCommand(false) }),
+  beforeSubmitPrompt: () => ({ command: cursorCaptureCommand(false) }),
+  postToolUse: () => ({ command: cursorCaptureCommand(false) }),
+  postToolUseFailure: () => ({ command: cursorCaptureCommand(false) }),
+  afterFileEdit: () => ({ command: cursorCaptureCommand(false) }),
+  afterShellExecution: () => ({ command: cursorCaptureCommand(false) }),
+  afterMCPExecution: () => ({ command: cursorCaptureCommand(false) }),
+  subagentStart: () => ({ command: cursorCaptureCommand(false) }),
+  subagentStop: () => ({ command: cursorCaptureCommand(false) }),
+  preCompact: () => ({ command: cursorCaptureCommand(false) }),
+  afterAgentResponse: () => ({ command: cursorCaptureCommand(false) }),
+  afterAgentThought: () => ({ command: cursorCaptureCommand(false) }),
+  stop: () => ({ command: cursorCaptureCommand(false) }),
+  sessionEnd: () => ({ command: cursorCaptureCommand(false) }),
 };
 
 // Same as CURSOR_HOOKS but command uses ~/.ai-lens/... (for --project-hooks)

package/cli/status.js

@@ -323,11 +323,12 @@ function checkSystem() {
   const arch = osArch() || 'unknown';
   const nodeVersion = process.version || 'unknown';
   const platform = process.platform === 'darwin' ? 'macOS' : process.platform;
+  const cwd = process.cwd();
   const summary = `${platform} ${osVersion} ${arch}, Node ${nodeVersion}`;
   return {
     ok: true,
     summary,
-    detail: `Platform: ${platform}\nOS version: ${osVersion}\nArchitecture: ${arch}\nNode: ${nodeVersion}`,
+    detail: `Platform: ${platform}\nOS version: ${osVersion}\nArchitecture: ${arch}\nNode: ${nodeVersion}\nCWD: ${cwd}`,
   };
 }
 

package/client/capture.js

@@ -191,6 +191,55 @@ function getCachedSessionPath(sessionId) {
   try { return readFileSync(dst, 'utf-8').trim() || null; } catch { return null; }
 }
 
+// =============================================================================
+// Project Path Refinement from Tool Events
+// =============================================================================
+
+/**
+ * Extract an absolute file path from tool input.
+ * Covers Read/Edit/Write (file_path), Glob/Grep (path).
+ */
+function extractFilePath(toolInput) {
+  if (!toolInput || typeof toolInput !== 'object') return null;
+  const p = toolInput.file_path || toolInput.path;
+  return (typeof p === 'string' && p.startsWith('/')) ? p : null;
+}
+
+/**
+ * Walk up from a path to find the nearest .git directory.
+ * Returns the git root (parent of .git) or null.
+ */
+function findGitRoot(filePath) {
+  let dir = dirname(filePath);
+  while (dir && dir !== '/' && dir.length > 1) {
+    try {
+      if (existsSync(join(dir, '.git'))) return dir;
+    } catch {}
+    const parent = dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
+
+/**
+ * Refine project_path using file paths from tool events.
+ * Picks the deepest (most specific) git root — correct for nested repos
+ * like etl-pipelines/bk-reports-automation/.
+ * Only refines "downward" (more specific), never upward.
+ */
+function refineProjectPath(event, projectPath, sessionId) {
+  const toolInput = event.tool_input || event.input;
+  const filePath = extractFilePath(toolInput);
+  if (!filePath) return projectPath;
+  const gitRoot = findGitRoot(filePath);
+  if (gitRoot && (!projectPath || gitRoot.length > projectPath.length)) {
+    if (sessionId) cacheSessionPath(sessionId, gitRoot);
+    return gitRoot;
+  }
+  return projectPath;
+}
+
 // =============================================================================
 // Deduplication: drop consecutive identical event types per session
 // =============================================================================
@@ -354,6 +403,11 @@ function normalizeClaudeCode(event) {
       data = { hook: hookType };
   }
 
+  // Refine project_path from file paths in tool events (ANL-518)
+  if (hookType === 'PostToolUse' || hookType === 'PostToolUseFailure') {
+    projectPath = refineProjectPath(event, projectPath, sessionId);
+  }
+
   if (event.permission_mode) {
     data.permission_mode = event.permission_mode;
   }
@@ -523,6 +577,15 @@ function normalizeCursor(event) {
       data = { hook_event_name: hookName };
   }
 
+  // Refine project_path from file paths in tool events (ANL-518)
+  if (hookName === 'postToolUse' || hookName === 'postToolUseFailure' || hookName === 'afterFileEdit') {
+    // Cursor passes file_path at top level for afterFileEdit
+    const cursorEvent = hookName === 'afterFileEdit' && event.file_path
+      ? { ...event, tool_input: { file_path: event.file_path } }
+      : event;
+    projectPath = refineProjectPath(cursorEvent, projectPath, sessionId);
+  }
+
   if (event.permission_mode) {
     data.permission_mode = event.permission_mode;
   }

package/client/redact.js

@@ -1,5 +1,6 @@
 /**
  * Secret redaction utility (client-side copy).
+ * ⚠️  KEEP IN SYNC with server/utils/redact.js — see test/server/redact.test.js sync test.
  * Replaces tokens, passwords, API keys and other secrets with [REDACTED:TYPE] tags.
  * Standalone — no imports, safe to run on developer machines.
  */
@@ -15,15 +16,63 @@ const PATTERNS = [
   // GitHub tokens (ghp_, gho_, ghu_, ghs_, ghr_)
   { type: 'GITHUB_TOKEN', re: /gh[pousr]_[A-Za-z0-9_]{36,}/g },
 
+  // GitLab tokens (glpat-, gldt-, glrt-, glcbt-, glsoat-)
+  {
+    type: 'GITLAB_TOKEN',
+    re: /gl(?:pat|dt|rt|cbt|soat)-[A-Za-z0-9_-]{20,}/g,
+    replacer: (m) => {
+      const prefix = m.slice(0, m.indexOf('-'));
+      const typeMap = { glpat: 'GITLAB_PAT', gldt: 'GITLAB_DEPLOY_TOKEN', glrt: 'GITLAB_RUNNER_TOKEN', glcbt: 'GITLAB_CLUSTER_TOKEN', glsoat: 'GITLAB_OAUTH_TOKEN' };
+      return `[REDACTED:${typeMap[prefix] || 'GITLAB_TOKEN'}]`;
+    },
+  },
+
   // Anthropic API key
   { type: 'ANTHROPIC_KEY', re: /sk-ant-[A-Za-z0-9_-]{20,}/g },
 
   // OpenAI project key
   { type: 'OPENAI_KEY', re: /sk-proj-[A-Za-z0-9_-]{20,}/g },
 
+  // Google API key (AIzaSy...)
+  { type: 'GOOGLE_API_KEY', re: /AIza[A-Za-z0-9_-]{35}/g },
+
+  // Google OAuth access token (ya29....)
+  { type: 'GOOGLE_OAUTH', re: /ya29\.[A-Za-z0-9_-]{50,}/g },
+
+  // GCP service account email (project-id@project-id.iam.gserviceaccount.com)
+  { type: 'GCP_SERVICE_ACCOUNT', re: /[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com/g },
+
+  // x-api-key header value
+  {
+    type: 'API_KEY_HEADER',
+    re: /(["']?x-api-key["']?\s*[:=]\s*["']?)[^\s"',)}\]]+/gi,
+    replacer: (m, prefix) => `${prefix}[REDACTED:API_KEY_HEADER]`,
+  },
+
   // Generic sk- key (must come after sk-ant- and sk-proj-)
   { type: 'API_KEY', re: /sk-[A-Za-z0-9_-]{32,}/g },
 
+  // Stripe secret key (live only — test keys intentionally not redacted)
+  { type: 'STRIPE_SECRET', re: /sk_live_[A-Za-z0-9]{24,}/g },
+
+  // Stripe restricted key
+  { type: 'STRIPE_RESTRICTED', re: /rk_live_[A-Za-z0-9]{24,}/g },
+
+  // npm token
+  { type: 'NPM_TOKEN', re: /npm_[A-Za-z0-9]{36,}/g },
+
+  // PyPI token
+  { type: 'PYPI_TOKEN', re: /pypi-[A-Za-z0-9_-]{16,}/g },
+
+  // SendGrid API key (SG.{22}.{43})
+  { type: 'SENDGRID_KEY', re: /SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/g },
+
+  // Twilio API key (SK + 32 lowercase hex chars)
+  { type: 'TWILIO_KEY', re: /SK[a-f0-9]{32}/g },
+
+  // Telegram bot token (8-10 digit bot ID : 35-char secret)
+  { type: 'TELEGRAM_BOT_TOKEN', re: /\b\d{8,10}:[A-Za-z0-9_-]{35}\b/g },
+
   // Slack tokens (xox{b,p,a,o,s}-)
   { type: 'SLACK_TOKEN', re: /xo[xabposr]{1,2}-[A-Za-z0-9-]{10,}/g },
 
@@ -36,22 +85,46 @@ const PATTERNS = [
   // PEM private keys — full block or truncated (just the header + base64 content)
   { type: 'PRIVATE_KEY', re: /-----BEGIN[A-Z ]*PRIVATE KEY-----[A-Za-z0-9+/=\s\\.]*(?:-----END[A-Z ]*PRIVATE KEY-----)?/g },
 
+  // Meilisearch master/API key (mc_ + 32+ hex chars)
+  { type: 'MEILISEARCH_KEY', re: /\bmc_[0-9a-f]{32,}\b/g },
+
   // Connection string password (://user:password@host) — redacts password only
   { type: 'CONNECTION_STRING', re: /:\/\/([^:@\s]+):([^@\s]{3,})@/g, replacer: (m, user, _pw) => `://${user}:[REDACTED:CONNECTION_STRING]@` },
 
-  // Environment variables: UPPER_CASE_VAR with secret keyword = value
-  // Catches AI_LENS_AUTH_TOKEN=..., PGPASSWORD=..., AWS_SECRET_ACCESS_KEY=..., etc.
+  // MySQL/mysqldump CLI -p<password> syntax (mysql -u user -pSECRET dbname)
+  { type: 'MYSQL_PASSWORD', re: /(\bmysql\w*\b[^\n]*\s-p)(\S{8,})/g, replacer: (m, prefix, _pw) => `${prefix}[REDACTED:MYSQL_PASSWORD]` },
+
+  // Environment variables with PASSWORD/PASSWD keyword — lower 6-char minimum
+  // Catches BASIC_AUTH_PASSWORD=236716, db_password=secret, etc.
+  {
+    type: 'ENV_VAR',
+    re: /([A-Za-z_]{0,50}(?:PASSWORD|PASSWD)[A-Za-z_]{0,50}\s*=\s*["']?)([^\s"';\\\`|>{}\[\]]{6,})/gi,
+    replacer: (m, prefix, _val) => `${prefix}[REDACTED:ENV_VAR]`,
+  },
+
+  // Environment variables with other secret keywords — standard 8-char minimum
+  // Catches aws_secret_access_key=..., AI_LENS_AUTH_TOKEN=..., RUSTAT_KEY=..., etc.
+  // Case-insensitive to catch lowercase config files. _KEY added for API key vars.
   // Skips template refs like ${VAR} since value excludes { } chars.
   {
     type: 'ENV_VAR',
-    re: /([A-Z_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|APIKEY)[A-Z_]*\s*=\s*["']?)([^\s"';\\\`|>{}\[\]]{8,})/g,
+    re: /([A-Za-z_]{0,50}(?:SECRET|TOKEN|API_KEY|APIKEY|_KEY)[A-Za-z_]{0,50}\s*=\s*["']?)([^\s"';\\\`|>{}\[\]]{8,})/gi,
     replacer: (m, prefix, _val) => `${prefix}[REDACTED:ENV_VAR]`,
   },
 
   // Key-value pairs: password=..., token: ..., etc.
+  // Uses \w* prefix/suffix to match compound names like aws_secret_access_key
+  {
+    type: 'KEY_VALUE',
+    re: /(\b\w{0,30}(?:password|passwd|token|secret|api_key|apikey|api_secret|access_token|auth_token|private_key|client_secret|credential|authorization|session_key|encryption_key|signing_key|refresh_token|id_token)\w{0,30}["']?\s*[:=]\s*["']?)([^\s"',;\[\]{}]{8,})/gi,
+    replacer: (m, prefix, _val) => `${prefix}[REDACTED:KEY_VALUE]`,
+  },
+
+  // Russian key-value pairs: пароль=..., секрет: ..., токен: ..., ключ: ...
+  // Separate pattern because \b does not work with Cyrillic (\w is ASCII-only)
   {
     type: 'KEY_VALUE',
-    re: /(\b["']?(?:password|passwd|token|secret|api_key|apikey|api_secret|access_token|auth_token|private_key|client_secret)["']?\s*[:=]\s*["']?)([^\s"',;\[\]{}]{8,})/gi,
+    re: /((?:^|[\s"',:={}([\-])(?:пароль|парол[а-я]*|секрет[а-я]*|токен[а-я]*|ключ[а-я]*)["']?\s*[:=\-—–]?\s*["']?)([^\s"',;\[\]{}]{6,})/gi,
     replacer: (m, prefix, _val) => `${prefix}[REDACTED:KEY_VALUE]`,
   },
 ];

package/client/sender.js

@@ -60,7 +60,7 @@ export function rotateLog(logPath = LOG_PATH, maxAgeDays = LOG_MAX_AGE_DAYS) {
 }
 
 export const MAX_QUEUE_SIZE  = 10_000;
-export const MAX_CHUNK_BYTES = 4 * 1024 * 1024; // 4 MB per POST (Express limit is 50 MB)
+export const MAX_CHUNK_BYTES = 512 * 1024; // 512 KB per POST — small chunks avoid ECONNRESET on corporate proxies/TLS inspection
 export const LOCK_MAX_AGE_MS = 5 * 60 * 1000;   // 5 minutes
 
 // =============================================================================

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-lens",
-  "version": "0.8.43",
+  "version": "0.8.45",
   "type": "module",
   "description": "Centralized session analytics for AI coding tools",
   "bin": {