cc-safety-net 1.0.2 → 1.0.4

package/README.md

@@ -7,7 +7,7 @@
 [![Claude Code](https://img.shields.io/badge/Claude%20Code-D27656)](#claude-code-installation)
 [![Copilot CLI](https://img.shields.io/badge/Copilot%20CLI-4EA5C9)](#github-copilot-cli-installation)
 [![Gemini CLI](https://img.shields.io/badge/Gemini%20CLI-678AE3)](#gemini-cli-installation)
-[![Kimi CLI](https://img.shields.io/badge/Kimi%20CLI-5587FF)](#kimi-cli-installation)
+[![Kimi Code](https://img.shields.io/badge/Kimi%20Code-5587FF)](#kimi-code-installation)
 [![OpenCode](https://img.shields.io/badge/OpenCode-black)](#opencode-installation)
 [![Pi](https://img.shields.io/badge/Pi%20Coding-22262E)](#pi-installation)
 [![License: MIT](https://img.shields.io/badge/License-MIT-red.svg)](https://opensource.org/licenses/MIT)
@@ -31,7 +31,7 @@ A Coding Agent CLI plugin that acts as a safety net, catching destructive git an
   - [Claude Code Installation](#claude-code-installation)
   - [Gemini CLI Installation](#gemini-cli-installation)
   - [GitHub Copilot CLI Installation](#github-copilot-cli-installation)
-  - [Kimi CLI Installation](#kimi-cli-installation)
+  - [Kimi Code Installation](#kimi-code-installation)
   - [OpenCode Installation](#opencode-installation)
   - [Pi Installation](#pi-installation)
 - [Status Line Integration](#status-line-integration)
@@ -218,12 +218,12 @@ gemini extensions install https://github.com/kenryu42/gemini-safety-net
 
 ---
 
-### Kimi CLI Installation
+### Kimi Code Installation
 
-Install CC Safety Net into your Kimi CLI config:
+Install CC Safety Net into your Kimi Code config:
 
 ```bash
-npx -y cc-safety-net hook install --kimi-cli
+npx -y cc-safety-net hook install --kimi-code
 ```
 
 ---

package/dist/bin/cc-safety-net.js

@@ -3,13 +3,54 @@ var __commonJS = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports,
 
 // node_modules/shell-quote/quote.js
 var require_quote = __commonJS((exports, module) => {
+  var OPS = [
+    "||",
+    "&&",
+    ";;",
+    "|&",
+    "<(",
+    "<<<",
+    ">>",
+    ">&",
+    "<&",
+    "&",
+    ";",
+    "(",
+    ")",
+    "|",
+    "<",
+    ">"
+  ];
+  var LINE_TERMINATORS = /[\n\r\u2028\u2029]/;
+  var GLOB_SHELL_SPECIAL = /[\s#!"$&'():;<=>@\\^`|]/g;
   module.exports = function quote(xs) {
     return xs.map(function(s) {
       if (s === "") {
         return "''";
       }
       if (s && typeof s === "object") {
-        return s.op.replace(/(.)/g, "\\$1");
+        if (s.op === "glob") {
+          if (typeof s.pattern !== "string") {
+            throw new TypeError("glob token requires a string `pattern`");
+          }
+          if (LINE_TERMINATORS.test(s.pattern)) {
+            throw new TypeError("glob `pattern` must not contain line terminators");
+          }
+          return s.pattern.replace(GLOB_SHELL_SPECIAL, "\\$&");
+        }
+        if (typeof s.op === "string") {
+          if (OPS.indexOf(s.op) < 0) {
+            throw new TypeError("invalid `op` value: " + JSON.stringify(s.op));
+          }
+          return s.op.replace(/[\s\S]/g, "\\$&");
+        }
+        if (typeof s.comment === "string") {
+          if (LINE_TERMINATORS.test(s.comment)) {
+            throw new TypeError("`comment` must not contain line terminators");
+          }
+          return "#" + s.comment;
+        }
+        throw new TypeError("unrecognized object token shape");
       }
       if (/["\s\\]/.test(s) && !/'/.test(s)) {
         return "'" + s.replace(/(['])/g, "\\$1") + "'";
@@ -6387,8 +6428,8 @@ var CLAUDE_CODE_HOOK_EVENT = "PreToolUse";
 var CLAUDE_CODE_TOOL_NAME = "Bash";
 var GEMINI_CLI_HOOK_EVENT = "BeforeTool";
 var GEMINI_CLI_TOOL_NAME = "run_shell_command";
-var KIMI_CLI_HOOK_EVENT = "PreToolUse";
-var KIMI_CLI_TOOL_NAME = "Shell";
+var KIMI_CODE_HOOK_EVENT = "PreToolUse";
+var KIMI_CODE_TOOL_NAME = "Shell";
 
 // src/bin/hook/claude-code.ts
 async function runClaudeCodeHook() {
@@ -6437,8 +6478,8 @@ async function runGeminiCLIHook() {
   });
 }
 
-// src/bin/hook/kimi-cli.ts
-async function runKimiCliHook() {
+// src/bin/hook/kimi-code.ts
+async function runKimiCodeHook() {
   await runConfiguredHookAdapter({
     createDenyOutput: (message) => ({
       hookSpecificOutput: {
@@ -6447,7 +6488,7 @@ async function runKimiCliHook() {
         permissionDecisionReason: message
       }
     }),
-    isSupported: (input) => input.hook_event_name === KIMI_CLI_HOOK_EVENT && input.tool_name === KIMI_CLI_TOOL_NAME,
+    isSupported: (input) => input.hook_event_name === KIMI_CODE_HOOK_EVENT && input.tool_name === KIMI_CODE_TOOL_NAME,
     getCommand: (input) => input.tool_input?.command,
     getCwd: (input) => input.cwd,
     getSessionId: (input) => input.session_id
@@ -6495,12 +6536,12 @@ var integrationMetadata = [
     }
   },
   {
-    id: "kimi-cli",
-    displayName: "Kimi CLI",
+    id: "kimi-code",
+    displayName: "Kimi Code",
     doctorVisible: true,
     runtimeHook: {
-      flags: ["-kc", "--kimi-cli"],
-      description: "Run as Kimi CLI PreToolUse hook",
+      flags: ["-kc", "--kimi-code"],
+      description: "Run as Kimi Code PreToolUse hook",
       legacyTopLevel: false,
       order: 4
     }
@@ -6533,7 +6574,7 @@ var hookRunners = {
   "claude-code": runClaudeCodeHook,
   "copilot-cli": runCopilotCliHook,
   "gemini-cli": runGeminiCLIHook,
-  "kimi-cli": runKimiCliHook
+  "kimi-code": runKimiCodeHook
 };
 var hookIntegrations = runtimeHookIntegrationMetadata.map((integration) => ({
   ...integration,
@@ -6557,8 +6598,8 @@ var hookCommand = {
   description: "Run as an agent CLI hook (reads JSON from stdin)",
   usage: "hook <coding cli>",
   subcommands: [
-    { usage: "install --kimi-cli", description: "Install Kimi CLI hook config" },
-    { usage: "uninstall --kimi-cli", description: "Uninstall Kimi CLI hook config" }
+    { usage: "install --kimi-code", description: "Install Kimi Code hook config" },
+    { usage: "uninstall --kimi-code", description: "Uninstall Kimi Code hook config" }
   ],
   options: [
     ...platformOptions,
@@ -6567,7 +6608,7 @@ var hookCommand = {
       description: "Show this help"
     }
   ],
-  examples: [...platformExamples, "cc-safety-net hook install --kimi-cli"]
+  examples: [...platformExamples, "cc-safety-net hook install --kimi-code"]
 };
 
 // src/bin/commands/rule.ts
@@ -7216,7 +7257,7 @@ function formatSystemInfoTable(system) {
     { label: "Codex", value: system.codexCliVersion },
     { label: "Copilot CLI", value: system.copilotCliVersion },
     { label: "Gemini CLI", value: system.geminiCliVersion },
-    { label: "Kimi CLI", value: system.kimiCliVersion },
+    { label: "Kimi Code", value: system.kimiCodeVersion },
     { label: "OpenCode", value: system.openCodeVersion },
     { label: "Pi", value: system.piCliVersion },
     { label: "Node.js", value: system.nodeVersion },
@@ -7260,7 +7301,7 @@ var CLAUDE_PLUGIN_LIST_CONFIG_PATH = "claude plugin list";
 var CLAUDE_SAFETY_NET_PLUGIN_ID = "safety-net@cc-marketplace";
 var GEMINI_EXTENSIONS_LIST_CONFIG_PATH = "gemini extensions list";
 var GEMINI_SAFETY_NET_SOURCE = "https://github.com/kenryu42/gemini-safety-net";
-var KIMI_HOOK_COMMAND_PATTERN = /cc-safety-net\s+hook\s+(?:[^\s]+\s+)*--kimi-cli(\s|["']|$)/;
+var KIMI_HOOK_COMMAND_PATTERN = /cc-safety-net\s+hook\s+(?:[^\s]+\s+)*--kimi-code(\s|["']|$)/;
 var CODEX_PLUGIN_HOOKS_WARNING = "Codex plugin hooks are behind a feature flag. Add `plugin_hooks = true` under [features] in $CODEX_HOME/config.toml.";
 var CODEX_SAFETY_NET_PLUGIN_ID = "safety-net@cc-marketplace";
 var SELF_TEST_CASES = [
@@ -7492,25 +7533,25 @@ function detectGeminiCLI(extensionsListOutput) {
 function _getKimiConfigPath(homeDir) {
   return join10(process.env.KIMI_SHARE_DIR || join10(homeDir, ".kimi"), "config.toml");
 }
-function detectKimiCLI(homeDir) {
+function detectKimiCode(homeDir) {
   const configPath = _getKimiConfigPath(homeDir);
   if (!existsSync13(configPath)) {
-    return { platform: "kimi-cli", status: "n/a", configPath };
+    return { platform: "kimi-code", status: "n/a", configPath };
   }
   try {
     if (!KIMI_HOOK_COMMAND_PATTERN.test(readFileSync10(configPath, "utf-8"))) {
-      return { platform: "kimi-cli", status: "n/a", configPath };
+      return { platform: "kimi-code", status: "n/a", configPath };
     }
   } catch (e) {
     return {
-      platform: "kimi-cli",
+      platform: "kimi-code",
       status: "n/a",
       configPath,
       errors: [`Failed to read ${configPath}: ${e instanceof Error ? e.message : String(e)}`]
     };
   }
   return {
-    platform: "kimi-cli",
+    platform: "kimi-code",
     status: "configured",
     method: "hook config",
     configPath,
@@ -7869,8 +7910,8 @@ function detectAllHooks(cwd, options2) {
         return detectGeminiCLI(options2?.geminiExtensionsListOutput);
       case "copilot-cli":
         return detectCopilotCLI();
-      case "kimi-cli":
-        return detectKimiCLI(homeDir);
+      case "kimi-code":
+        return detectKimiCode(homeDir);
       case "pi":
         return detectPi(options2?.piSafetyNetProbe);
       case "codex":
@@ -7886,7 +7927,7 @@ import { existsSync as existsSync14 } from "node:fs";
 import { mkdtemp, readFile, rm, writeFile } from "node:fs/promises";
 import { tmpdir as tmpdir4 } from "node:os";
 import { delimiter, extname, join as join11 } from "node:path";
-var CURRENT_VERSION = "1.0.2";
+var CURRENT_VERSION = "1.0.4";
 var VERSION_FETCH_TIMEOUT_MS = 2000;
 var PI_PROBE_TIMEOUT_MS = 5000;
 var PI_SENTINEL_COMMAND = "cc-safety-net";
@@ -8249,7 +8290,7 @@ async function getSystemInfo(fetcher = defaultVersionFetcher, options2 = {}) {
     geminiCliVersion: parseVersion(geminiRaw),
     geminiExtensionsListOutput,
     copilotCliVersion: parseVersion(copilotRaw),
-    kimiCliVersion: parseVersion(kimiRaw),
+    kimiCodeVersion: parseVersion(kimiRaw),
     piCliVersion: parseVersion(piRaw),
     nodeVersion: parseVersion(nodeRaw),
     npmVersion: parseVersion(npmRaw),
@@ -9395,7 +9436,7 @@ function formatTraceJson(result) {
   return JSON.stringify(result, null, 2);
 }
 // src/bin/help.ts
-var version = "1.0.2";
+var version = "1.0.4";
 var INDENT = "  ";
 var PROGRAM_NAME = "cc-safety-net";
 function formatOptionFlags(option) {
@@ -9502,7 +9543,7 @@ function showCommandHelp(commandName) {
 // src/bin/hook/install.ts
 import { homedir as homedir6 } from "node:os";
 
-// src/bin/hook/install/kimi-cli.ts
+// src/bin/hook/install/kimi-code.ts
 import { existsSync as existsSync16, mkdirSync as mkdirSync4, readFileSync as readFileSync11, writeFileSync as writeFileSync3 } from "node:fs";
 import { dirname as dirname9, join as join12 } from "node:path";
 
@@ -9590,8 +9631,8 @@ function removeArrayRangeItem(content, item) {
   return `${content.slice(0, removeStart)}${content.slice(removeEnd)}`;
 }
 
-// src/bin/hook/install/kimi-cli.ts
-var KIMI_HOOK_COMMAND = "npx -y cc-safety-net hook --kimi-cli";
+// src/bin/hook/install/kimi-code.ts
+var KIMI_HOOK_COMMAND = "npx -y cc-safety-net hook --kimi-code";
 var KIMI_HOOK_BLOCK = `[[hooks]]
 event = "PreToolUse"
 matcher = "Shell"
@@ -9626,8 +9667,8 @@ function skipTomlComment(content, index) {
 function findTomlArrayClose(content, openIndex) {
   return findMatchingBracket(content, openIndex, {
     skipComment: skipTomlComment,
-    stringError: "Unterminated string in Kimi CLI config",
-    bracketError: "Unmatched hooks array in Kimi CLI config"
+    stringError: "Unterminated string in Kimi Code config",
+    bracketError: "Unmatched hooks array in Kimi Code config"
   });
 }
 function findTopLevelInlineHooksArray(content) {
@@ -9686,7 +9727,7 @@ function removeKimiInlineHook(content, hooksRange) {
     end: itemStart + KIMI_INLINE_HOOK.length
   });
 }
-function installKimiCli(homeDir) {
+function installKimiCode(homeDir) {
   const configPath = getKimiConfigPath(homeDir);
   mkdirSync4(dirname9(configPath), { recursive: true });
   if (!existsSync16(configPath)) {
@@ -9700,7 +9741,7 @@ function installKimiCli(homeDir) {
   writeFileSync3(configPath, appendKimiHook(content));
   return { path: configPath, alreadyInstalled: false };
 }
-function uninstallKimiCli(homeDir) {
+function uninstallKimiCode(homeDir) {
   const configPath = getKimiConfigPath(homeDir);
   if (!existsSync16(configPath))
     return { path: configPath, alreadyInstalled: false };
@@ -9719,21 +9760,21 @@ function getHomeDir() {
   return process.env.HOME ?? homedir6();
 }
 function parseInstallTarget(args, action) {
-  const unknownOption = args.find((arg) => arg.startsWith("-") && !["--kimi-cli"].includes(arg));
+  const unknownOption = args.find((arg) => arg.startsWith("-") && !["--kimi-code"].includes(arg));
   if (unknownOption)
     throw new Error(`Unknown install option: ${unknownOption}`);
   const unexpectedArg = args.find((arg) => !arg.startsWith("-"));
   if (unexpectedArg)
     throw new Error(`Unexpected argument for hook ${action}: ${unexpectedArg}`);
-  if (!args.includes("--kimi-cli"))
-    throw new Error("Choose exactly one install target: --kimi-cli");
+  if (!args.includes("--kimi-code"))
+    throw new Error("Choose exactly one install target: --kimi-code");
 }
 function runHookInstallCommand(action, args) {
   try {
     parseInstallTarget(args, action);
     const homeDir = getHomeDir();
-    const result = action === "install" ? installKimiCli(homeDir) : uninstallKimiCli(homeDir);
-    const name = "Kimi CLI";
+    const result = action === "install" ? installKimiCode(homeDir) : uninstallKimiCode(homeDir);
+    const name = "Kimi Code";
     const pastTense = action === "install" ? "Installed" : "Uninstalled";
     console.log(action === "install" && result.alreadyInstalled ? `${name} hook already installed in ${result.path}` : action === "uninstall" && !result.alreadyInstalled ? `${name} hook not installed in ${result.path}` : `${pastTense} ${name} hook ${action === "install" ? "in" : "from"} ${result.path}`);
     return 0;
@@ -10751,7 +10792,7 @@ var commandParsers = {
     const integration = findHookIntegrationByFlag(args);
     if (integration)
       return { mode: "hook", integration };
-    console.error("hook requires a subcommand or integration flag. Try: cc-safety-net hook install --kimi-cli");
+    console.error("hook requires a subcommand or integration flag. Try: cc-safety-net hook install --kimi-code");
     showCommandHelp("hook");
     process.exit(1);
   },

package/dist/bin/doctor/types.d.ts

@@ -122,8 +122,8 @@ export interface SystemInfo {
     geminiExtensionsListOutput: string | null;
     /** Copilot CLI version (from `copilot --binary-version`, falling back to `copilot --version`) */
     copilotCliVersion: string | null;
-    /** Kimi CLI version (from `kimi --version`) */
-    kimiCliVersion: string | null;
+    /** Kimi Code version (from `kimi --version`) */
+    kimiCodeVersion: string | null;
     /** Pi CLI version (from `pi --version`) */
     piCliVersion: string | null;
     /** Node.js version (from `node --version`) */

package/dist/bin/hook/constants.d.ts

@@ -2,5 +2,5 @@ export declare const CLAUDE_CODE_HOOK_EVENT = "PreToolUse";
 export declare const CLAUDE_CODE_TOOL_NAME = "Bash";
 export declare const GEMINI_CLI_HOOK_EVENT = "BeforeTool";
 export declare const GEMINI_CLI_TOOL_NAME = "run_shell_command";
-export declare const KIMI_CLI_HOOK_EVENT = "PreToolUse";
-export declare const KIMI_CLI_TOOL_NAME = "Shell";
+export declare const KIMI_CODE_HOOK_EVENT = "PreToolUse";
+export declare const KIMI_CODE_TOOL_NAME = "Shell";

package/dist/bin/hook/install/kimi-code.d.ts

@@ -0,0 +1,3 @@
+import type { InstallResult } from '@/bin/hook/install/types';
+export declare function installKimiCode(homeDir: string): InstallResult;
+export declare function uninstallKimiCode(homeDir: string): InstallResult;

package/dist/bin/hook/kimi-code.d.ts

@@ -0,0 +1 @@
+export declare function runKimiCodeHook(): Promise<void>;

package/dist/bin/integration-metadata.d.ts

@@ -33,12 +33,12 @@ declare const integrationMetadata: readonly [{
         readonly order: 3;
     };
 }, {
-    readonly id: "kimi-cli";
-    readonly displayName: "Kimi CLI";
+    readonly id: "kimi-code";
+    readonly displayName: "Kimi Code";
     readonly doctorVisible: true;
     readonly runtimeHook: {
-        readonly flags: readonly ["-kc", "--kimi-cli"];
-        readonly description: "Run as Kimi CLI PreToolUse hook";
+        readonly flags: readonly ["-kc", "--kimi-code"];
+        readonly description: "Run as Kimi Code PreToolUse hook";
         readonly legacyTopLevel: false;
         readonly order: 4;
     };
@@ -56,12 +56,12 @@ type RuntimeHookIntegrationMetadata = Extract<(typeof integrationMetadata)[numbe
     runtimeHook: object;
 }>;
 export type RuntimeHookIntegrationId = RuntimeHookIntegrationMetadata['id'];
-export declare const doctorIntegrationOrder: ("claude-code" | "codex" | "copilot-cli" | "gemini-cli" | "kimi-cli" | "opencode" | "pi")[];
+export declare const doctorIntegrationOrder: ("claude-code" | "codex" | "copilot-cli" | "gemini-cli" | "kimi-code" | "opencode" | "pi")[];
 export declare const runtimeHookIntegrationMetadata: {
-    id: "claude-code" | "copilot-cli" | "gemini-cli" | "kimi-cli";
-    displayName: "Claude Code" | "Copilot CLI" | "Gemini CLI" | "Kimi CLI";
-    flags: readonly ["-cc", "--claude-code"] | readonly ["-cp", "--copilot-cli"] | readonly ["-gc", "--gemini-cli"] | readonly ["-kc", "--kimi-cli"];
-    description: "Run as Claude Code PreToolUse hook" | "Run as Copilot CLI PreToolUse hook" | "Run as Gemini CLI BeforeTool hook" | "Run as Kimi CLI PreToolUse hook";
+    id: "claude-code" | "copilot-cli" | "gemini-cli" | "kimi-code";
+    displayName: "Claude Code" | "Copilot CLI" | "Gemini CLI" | "Kimi Code";
+    flags: readonly ["-cc", "--claude-code"] | readonly ["-cp", "--copilot-cli"] | readonly ["-gc", "--gemini-cli"] | readonly ["-kc", "--kimi-code"];
+    description: "Run as Claude Code PreToolUse hook" | "Run as Copilot CLI PreToolUse hook" | "Run as Gemini CLI BeforeTool hook" | "Run as Kimi Code PreToolUse hook";
     legacyTopLevel: boolean;
 }[];
 export declare function getIntegrationDisplayName(id: IntegrationId): string;

package/dist/index.d.ts

@@ -1,2 +1,15 @@
-import type { Plugin } from '@opencode-ai/plugin';
-export declare const CCSafetyNetPlugin: Plugin;
+import type { PluginInput } from '@opencode-ai/plugin';
+type CCSafetyNetPluginInput = PluginInput & {
+    homeDir?: string;
+};
+export declare const CCSafetyNetPlugin: ({ directory, homeDir }: CCSafetyNetPluginInput) => Promise<{
+    config: (opencodeConfig: Record<string, unknown>) => Promise<void>;
+    'tool.execute.before': (input: {
+        tool: string;
+        sessionID: string;
+        callID: string;
+    }, output: {
+        args: any;
+    }) => Promise<void>;
+}>;
+export {};

package/dist/index.js

@@ -2,13 +2,54 @@ var __commonJS = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports,
 
 // node_modules/shell-quote/quote.js
 var require_quote = __commonJS((exports, module) => {
+  var OPS = [
+    "||",
+    "&&",
+    ";;",
+    "|&",
+    "<(",
+    "<<<",
+    ">>",
+    ">&",
+    "<&",
+    "&",
+    ";",
+    "(",
+    ")",
+    "|",
+    "<",
+    ">"
+  ];
+  var LINE_TERMINATORS = /[\n\r\u2028\u2029]/;
+  var GLOB_SHELL_SPECIAL = /[\s#!"$&'():;<=>@\\^`|]/g;
   module.exports = function quote(xs) {
     return xs.map(function(s) {
       if (s === "") {
         return "''";
       }
       if (s && typeof s === "object") {
-        return s.op.replace(/(.)/g, "\\$1");
+        if (s.op === "glob") {
+          if (typeof s.pattern !== "string") {
+            throw new TypeError("glob token requires a string `pattern`");
+          }
+          if (LINE_TERMINATORS.test(s.pattern)) {
+            throw new TypeError("glob `pattern` must not contain line terminators");
+          }
+          return s.pattern.replace(GLOB_SHELL_SPECIAL, "\\$&");
+        }
+        if (typeof s.op === "string") {
+          if (OPS.indexOf(s.op) < 0) {
+            throw new TypeError("invalid `op` value: " + JSON.stringify(s.op));
+          }
+          return s.op.replace(/[\s\S]/g, "\\$&");
+        }
+        if (typeof s.comment === "string") {
+          if (LINE_TERMINATORS.test(s.comment)) {
+            throw new TypeError("`comment` must not contain line terminators");
+          }
+          return "#" + s.comment;
+        }
+        throw new TypeError("unrecognized object token shape");
       }
       if (/["\s\\]/.test(s) && !/'/.test(s)) {
         return "'" + s.replace(/(['])/g, "\\$1") + "'";
@@ -6146,6 +6187,66 @@ function analyzeCommand(command2, options2 = {}) {
   return analyzeCommandInternal(command2, 0, { ...options2, config });
 }
 
+// src/core/audit.ts
+import { appendFileSync, existsSync as existsSync10, mkdirSync as mkdirSync3 } from "node:fs";
+import { homedir as homedir3 } from "node:os";
+import { join as join8 } from "node:path";
+function sanitizeSessionIdForFilename(sessionId) {
+  const raw = sessionId.trim();
+  if (!raw) {
+    return null;
+  }
+  let safe = raw.replace(/[^A-Za-z0-9_.-]+/g, "_");
+  safe = safe.replace(/^[._-]+|[._-]+$/g, "").slice(0, 128);
+  if (!safe || safe === "." || safe === "..") {
+    return null;
+  }
+  return safe;
+}
+function writeAuditLog(sessionId, command2, segment, reason, cwd, options2 = {}) {
+  const safeSessionId = sanitizeSessionIdForFilename(sessionId);
+  if (!safeSessionId) {
+    return;
+  }
+  const home = options2.homeDir ?? process.env.HOME ?? homedir3();
+  const logsDir = join8(home, ".cc-safety-net", "logs");
+  try {
+    if (!existsSync10(logsDir)) {
+      mkdirSync3(logsDir, { recursive: true });
+    }
+    const logFile = join8(logsDir, `${safeSessionId}.jsonl`);
+    const entry = {
+      ts: new Date().toISOString(),
+      decision: options2.decision ?? "deny",
+      command: redactSecrets(command2).slice(0, 300),
+      segment: redactSecrets(segment).slice(0, 300),
+      reason,
+      cwd
+    };
+    appendFileSync(logFile, `${JSON.stringify(entry)}
+`, "utf-8");
+  } catch {}
+}
+function redactSecrets(text) {
+  let result = text;
+  result = result.replace(/-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g, "<redacted>");
+  result = result.replace(/\b((?:DATABASE|POSTGRES|POSTGRESQL|MYSQL|MARIADB|REDIS|MONGO(?:DB)?|DB)_URL)=([^\s]+)/gi, "$1=<redacted>");
+  result = result.replace(/\b([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|PASS|KEY|CREDENTIALS)[A-Z0-9_]*)=([^\s]+)/gi, "$1=<redacted>");
+  result = result.replace(/(['"]?\s*(?:authorization|cookie|x-api-key|api-key)\s*:\s*)([^'"\r\n]+)(['"]?)/gi, "$1<redacted>$3");
+  result = result.replace(/(['"]?\s*authorization\s*:\s*)([^'"]+)(['"]?)/gi, "$1<redacted>$3");
+  result = result.replace(/(authorization\s*:\s*)([^\s"']+)(\s+[^\s"']+)?/gi, "$1<redacted>");
+  result = result.replace(/\b([a-z][a-z0-9+.-]*:\/\/)([^\s/:@]+):([^\s@/]+)@/gi, "$1<redacted>:<redacted>@");
+  result = result.replace(/\b([a-z][a-z0-9+.-]*:\/\/)([^\s/@:]+)@/gi, "$1<redacted>@");
+  result = result.replace(/\bgh[pousr]_[A-Za-z0-9]{20,}\b/g, "<redacted>");
+  result = result.replace(/\bxoxb-[A-Za-z0-9-]{20,}\b/g, "<redacted>");
+  result = result.replace(/\bnpm_[A-Za-z0-9_]{20,}\b/g, "<redacted>");
+  result = result.replace(/\b[rs]k_(?:live|test)_[A-Za-z0-9_]{20,}\b/g, "<redacted>");
+  result = result.replace(/\bpypi-[A-Za-z0-9_-]{20,}\b/g, "<redacted>");
+  result = result.replace(/\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{6,}\b/g, "<redacted>");
+  result = result.replace(/\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g, "<redacted>");
+  return result;
+}
+
 // src/core/format.ts
 function formatBlockedMessage(input) {
   const { reason, command: command2, segment } = input;
@@ -6235,7 +6336,7 @@ function loadBuiltinCommands(disabledCommands) {
 }
 // src/index.ts
 var REASON_SAFETY_NET_FAILED_CLOSED = "CC Safety Net failed closed because command analysis failed unexpectedly.";
-var CCSafetyNetPlugin = async ({ directory }) => {
+var CCSafetyNetPlugin = async ({ directory, homeDir }) => {
   const modes = getCCSafetyNetEnvModes();
   return {
     config: async (opencodeConfig) => {
@@ -6267,6 +6368,11 @@ var CCSafetyNetPlugin = async ({ directory }) => {
           }));
         }
         if (result) {
+          if (input.sessionID) {
+            writeAuditLog(input.sessionID, command2, result.segment, result.reason, directory, {
+              homeDir
+            });
+          }
           const message = formatBlockedMessage({
             reason: result.reason,
             command: command2,

package/dist/pi/index.js

@@ -2,13 +2,54 @@ var __commonJS = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports,
 
 // node_modules/shell-quote/quote.js
 var require_quote = __commonJS((exports, module) => {
+  var OPS = [
+    "||",
+    "&&",
+    ";;",
+    "|&",
+    "<(",
+    "<<<",
+    ">>",
+    ">&",
+    "<&",
+    "&",
+    ";",
+    "(",
+    ")",
+    "|",
+    "<",
+    ">"
+  ];
+  var LINE_TERMINATORS = /[\n\r\u2028\u2029]/;
+  var GLOB_SHELL_SPECIAL = /[\s#!"$&'():;<=>@\\^`|]/g;
   module.exports = function quote(xs) {
     return xs.map(function(s) {
       if (s === "") {
         return "''";
       }
       if (s && typeof s === "object") {
-        return s.op.replace(/(.)/g, "\\$1");
+        if (s.op === "glob") {
+          if (typeof s.pattern !== "string") {
+            throw new TypeError("glob token requires a string `pattern`");
+          }
+          if (LINE_TERMINATORS.test(s.pattern)) {
+            throw new TypeError("glob `pattern` must not contain line terminators");
+          }
+          return s.pattern.replace(GLOB_SHELL_SPECIAL, "\\$&");
+        }
+        if (typeof s.op === "string") {
+          if (OPS.indexOf(s.op) < 0) {
+            throw new TypeError("invalid `op` value: " + JSON.stringify(s.op));
+          }
+          return s.op.replace(/[\s\S]/g, "\\$&");
+        }
+        if (typeof s.comment === "string") {
+          if (LINE_TERMINATORS.test(s.comment)) {
+            throw new TypeError("`comment` must not contain line terminators");
+          }
+          return "#" + s.comment;
+        }
+        throw new TypeError("unrecognized object token shape");
       }
       if (/["\s\\]/.test(s) && !/'/.test(s)) {
         return "'" + s.replace(/(['])/g, "\\$1") + "'";

package/dist/types.d.ts

@@ -83,8 +83,8 @@ export interface GeminiHookOutput {
     stopReason?: string;
     suppressOutput?: boolean;
 }
-/** Kimi CLI hook input format */
-export interface KimiCliHookInput {
+/** Kimi Code hook input format */
+export interface KimiCodeHookInput {
     session_id?: string;
     cwd?: string;
     hook_event_name: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safety-net",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "A coding agent CLI hook - block destructive git and filesystem commands before execution",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -64,7 +64,7 @@
     ]
   },
   "dependencies": {
-    "shell-quote": "^1.8.3"
+    "shell-quote": "^1.8.4"
   },
   "trustedDependencies": [
     "@ast-grep/cli"

package/dist/bin/hook/install/kimi-cli.d.ts

@@ -1,3 +0,0 @@
-import type { InstallResult } from '@/bin/hook/install/types';
-export declare function installKimiCli(homeDir: string): InstallResult;
-export declare function uninstallKimiCli(homeDir: string): InstallResult;

package/dist/bin/hook/kimi-cli.d.ts

@@ -1 +0,0 @@
-export declare function runKimiCliHook(): Promise<void>;