claude-cli-advanced-starter-pack 1.0.16 → 1.8.0

package/templates/scripts/autonomous-decision-logger.js

@@ -0,0 +1,277 @@
+#!/usr/bin/env node
+/**
+ * Autonomous Decision Logger
+ *
+ * Creates JSONL audit trail for agent decisions.
+ * Tracks reasoning, confidence, and outcomes.
+ *
+ * Usage:
+ *   // Import in your hook or script
+ *   import { DecisionLogger } from './autonomous-decision-logger.js';
+ *
+ *   const logger = new DecisionLogger('.claude/logs/decisions.jsonl');
+ *   logger.logDecision({
+ *     agent: 'deployment-checker',
+ *     decision: 'deploy',
+ *     reasoning: 'All tests passed, no conflicts',
+ *     confidence: 0.95,
+ *   });
+ */
+
+import { appendFileSync, existsSync, mkdirSync, readFileSync } from 'fs';
+import { dirname, resolve } from 'path';
+
+export class DecisionLogger {
+  constructor(logPath = '.claude/logs/decisions.jsonl') {
+    this.logPath = resolve(process.cwd(), logPath);
+    this.sessionId = this.generateSessionId();
+    this.ensureLogDirectory();
+  }
+
+  generateSessionId() {
+    const timestamp = Date.now().toString(36);
+    const random = Math.random().toString(36).substring(2, 8);
+    return `${timestamp}-${random}`;
+  }
+
+  ensureLogDirectory() {
+    const dir = dirname(this.logPath);
+    if (!existsSync(dir)) {
+      mkdirSync(dir, { recursive: true });
+    }
+  }
+
+  /**
+   * Log a decision with full context
+   *
+   * @param {Object} decision
+   * @param {string} decision.agent - Agent/component making decision
+   * @param {string} decision.decision - The decision made
+   * @param {string} decision.reasoning - Why this decision was made
+   * @param {number} decision.confidence - Confidence level 0-1
+   * @param {Object} [decision.context] - Additional context
+   * @param {string} [decision.outcome] - Result (success/failure/pending)
+   * @param {Array} [decision.alternatives] - Other options considered
+   */
+  logDecision(decision) {
+    const entry = {
+      timestamp: new Date().toISOString(),
+      sessionId: this.sessionId,
+      pid: process.pid,
+      ...decision,
+    };
+
+    this.writeEntry(entry);
+    return entry;
+  }
+
+  /**
+   * Log an action taken by an agent
+   */
+  logAction(agent, action, details = {}) {
+    return this.logDecision({
+      agent,
+      type: 'action',
+      decision: action,
+      ...details,
+    });
+  }
+
+  /**
+   * Log an observation or analysis
+   */
+  logObservation(agent, observation, details = {}) {
+    return this.logDecision({
+      agent,
+      type: 'observation',
+      decision: observation,
+      ...details,
+    });
+  }
+
+  /**
+   * Log an error or failure
+   */
+  logError(agent, error, context = {}) {
+    return this.logDecision({
+      agent,
+      type: 'error',
+      decision: 'error',
+      reasoning: error.message || error,
+      outcome: 'failure',
+      context: {
+        ...context,
+        stack: error.stack,
+      },
+    });
+  }
+
+  /**
+   * Log a phase transition
+   */
+  logPhaseTransition(fromPhase, toPhase, reason, validation = {}) {
+    return this.logDecision({
+      agent: 'phase-controller',
+      type: 'phase_transition',
+      decision: `${fromPhase} -> ${toPhase}`,
+      reasoning: reason,
+      context: { fromPhase, toPhase, validation },
+      outcome: 'success',
+    });
+  }
+
+  /**
+   * Log agent spawn/delegation
+   */
+  logDelegation(parentAgent, childAgent, task, options = {}) {
+    return this.logDecision({
+      agent: parentAgent,
+      type: 'delegation',
+      decision: `spawn:${childAgent}`,
+      reasoning: `Delegating: ${task}`,
+      context: {
+        childAgent,
+        task,
+        model: options.model,
+        runInBackground: options.runInBackground,
+      },
+    });
+  }
+
+  writeEntry(entry) {
+    const line = JSON.stringify(entry) + '\n';
+    appendFileSync(this.logPath, line);
+  }
+
+  /**
+   * Read all decisions for current session
+   */
+  getSessionDecisions() {
+    if (!existsSync(this.logPath)) return [];
+
+    const content = readFileSync(this.logPath, 'utf8');
+    return content
+      .split('\n')
+      .filter(line => line.trim())
+      .map(line => JSON.parse(line))
+      .filter(entry => entry.sessionId === this.sessionId);
+  }
+
+  /**
+   * Get summary statistics
+   */
+  getSummary() {
+    const decisions = this.getSessionDecisions();
+
+    const summary = {
+      sessionId: this.sessionId,
+      totalDecisions: decisions.length,
+      byType: {},
+      byAgent: {},
+      byOutcome: {},
+      avgConfidence: 0,
+    };
+
+    let confidenceSum = 0;
+    let confidenceCount = 0;
+
+    for (const d of decisions) {
+      // Count by type
+      const type = d.type || 'decision';
+      summary.byType[type] = (summary.byType[type] || 0) + 1;
+
+      // Count by agent
+      summary.byAgent[d.agent] = (summary.byAgent[d.agent] || 0) + 1;
+
+      // Count by outcome
+      if (d.outcome) {
+        summary.byOutcome[d.outcome] = (summary.byOutcome[d.outcome] || 0) + 1;
+      }
+
+      // Average confidence
+      if (typeof d.confidence === 'number') {
+        confidenceSum += d.confidence;
+        confidenceCount++;
+      }
+    }
+
+    if (confidenceCount > 0) {
+      summary.avgConfidence = (confidenceSum / confidenceCount).toFixed(2);
+    }
+
+    return summary;
+  }
+}
+
+// CLI mode - print summary if run directly
+async function main() {
+  const args = process.argv.slice(2);
+  const logPath = args[0] || '.claude/logs/decisions.jsonl';
+
+  if (!existsSync(logPath)) {
+    console.log(`No log file found at: ${logPath}`);
+    console.log('\nUsage: node autonomous-decision-logger.js [log-path]');
+    console.log('\nTo create logs, import DecisionLogger in your code:');
+    console.log("  import { DecisionLogger } from './autonomous-decision-logger.js';");
+    console.log("  const logger = new DecisionLogger();");
+    console.log("  logger.logDecision({ agent: 'my-agent', decision: 'proceed', confidence: 0.9 });");
+    return;
+  }
+
+  // Read and summarize log
+  const content = readFileSync(logPath, 'utf8');
+  const entries = content
+    .split('\n')
+    .filter(line => line.trim())
+    .map(line => JSON.parse(line));
+
+  console.log('\n📋 Decision Log Summary\n');
+  console.log(`Log file: ${logPath}`);
+  console.log(`Total entries: ${entries.length}`);
+
+  // Group by session
+  const sessions = {};
+  for (const entry of entries) {
+    const sid = entry.sessionId || 'unknown';
+    if (!sessions[sid]) {
+      sessions[sid] = [];
+    }
+    sessions[sid].push(entry);
+  }
+
+  console.log(`Sessions: ${Object.keys(sessions).length}`);
+
+  // Show last 10 decisions
+  console.log('\n📜 Last 10 Decisions:\n');
+  const recent = entries.slice(-10);
+  for (const entry of recent) {
+    const time = new Date(entry.timestamp).toLocaleTimeString();
+    const conf = entry.confidence ? ` (${(entry.confidence * 100).toFixed(0)}%)` : '';
+    console.log(`  [${time}] ${entry.agent}: ${entry.decision}${conf}`);
+    if (entry.reasoning) {
+      console.log(`           └─ ${entry.reasoning.substring(0, 60)}`);
+    }
+  }
+
+  // By type
+  const typeCount = {};
+  for (const entry of entries) {
+    const type = entry.type || 'decision';
+    typeCount[type] = (typeCount[type] || 0) + 1;
+  }
+
+  console.log('\n📊 By Type:');
+  for (const [type, count] of Object.entries(typeCount).sort((a, b) => b[1] - a[1])) {
+    console.log(`  ${type}: ${count}`);
+  }
+
+  console.log('');
+}
+
+// Export for use as module
+export default DecisionLogger;
+
+// Run CLI if called directly
+if (import.meta.url === `file://${process.argv[1].replace(/\\/g, '/')}`) {
+  main().catch(console.error);
+}

package/templates/scripts/git-history-analyzer.py

@@ -0,0 +1,269 @@
+#!/usr/bin/env python3
+"""
+Git History Analyzer
+
+Security audit for sensitive data in git history.
+Scans commits for passwords, API keys, tokens, and other secrets.
+
+Usage:
+    python git-history-analyzer.py
+    python git-history-analyzer.py --patterns "password|secret|api.key"
+    python git-history-analyzer.py --since "2024-01-01" --output json
+"""
+
+import subprocess
+import re
+import sys
+import json
+import argparse
+from datetime import datetime
+from pathlib import Path
+
+# Default patterns for sensitive data
+DEFAULT_PATTERNS = [
+    # API keys and tokens
+    r'(?i)(api[_-]?key|apikey)\s*[:=]\s*["\']?[\w-]{20,}',
+    r'(?i)(access[_-]?token|auth[_-]?token)\s*[:=]\s*["\']?[\w-]{20,}',
+    r'(?i)(secret[_-]?key|private[_-]?key)\s*[:=]\s*["\']?[\w-]{20,}',
+
+    # Passwords
+    r'(?i)password\s*[:=]\s*["\'][^"\']{4,}["\']',
+    r'(?i)passwd\s*[:=]\s*["\'][^"\']{4,}["\']',
+
+    # AWS
+    r'AKIA[0-9A-Z]{16}',  # AWS Access Key
+    r'(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]',
+
+    # GitHub
+    r'ghp_[a-zA-Z0-9]{36}',  # GitHub Personal Access Token
+    r'github[_-]?token\s*[:=]',
+
+    # Generic secrets
+    r'(?i)bearer\s+[a-zA-Z0-9\-._~+/]+=*',
+    r'(?i)-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----',
+
+    # Database URLs
+    r'(?i)(postgres|mysql|mongodb|redis)://[^\s"\']+',
+
+    # Environment variables with sensitive names
+    r'(?i)(DB_PASSWORD|DATABASE_PASSWORD|MYSQL_ROOT_PASSWORD)\s*=',
+    r'(?i)(JWT_SECRET|SESSION_SECRET|ENCRYPTION_KEY)\s*=',
+]
+
+
+class GitHistoryAnalyzer:
+    def __init__(self, patterns=None, since=None, verbose=False):
+        self.patterns = patterns or DEFAULT_PATTERNS
+        self.compiled_patterns = [re.compile(p) for p in self.patterns]
+        self.since = since
+        self.verbose = verbose
+        self.findings = []
+
+    def run(self):
+        """Run the analysis."""
+        print("\n🔍 Git History Security Audit\n")
+
+        if not self._is_git_repo():
+            print("❌ Not a git repository")
+            return False
+
+        print(f"Scanning {len(self.patterns)} patterns...")
+        if self.since:
+            print(f"Since: {self.since}")
+        print()
+
+        commits = self._get_commits()
+        print(f"Found {len(commits)} commits to analyze\n")
+
+        for i, commit in enumerate(commits, 1):
+            if self.verbose:
+                print(f"[{i}/{len(commits)}] {commit['hash'][:8]}", end='\r')
+            self._analyze_commit(commit)
+
+        if self.verbose:
+            print()
+
+        return self.findings
+
+    def _is_git_repo(self):
+        """Check if current directory is a git repository."""
+        try:
+            subprocess.run(
+                ['git', 'rev-parse', '--git-dir'],
+                capture_output=True,
+                check=True
+            )
+            return True
+        except subprocess.CalledProcessError:
+            return False
+
+    def _get_commits(self):
+        """Get list of commits to analyze."""
+        cmd = ['git', 'log', '--pretty=format:%H|%an|%ae|%ad|%s', '--date=iso']
+
+        if self.since:
+            cmd.extend(['--since', self.since])
+
+        result = subprocess.run(cmd, capture_output=True, text=True)
+        commits = []
+
+        for line in result.stdout.strip().split('\n'):
+            if line:
+                parts = line.split('|', 4)
+                if len(parts) == 5:
+                    commits.append({
+                        'hash': parts[0],
+                        'author': parts[1],
+                        'email': parts[2],
+                        'date': parts[3],
+                        'message': parts[4],
+                    })
+
+        return commits
+
+    def _analyze_commit(self, commit):
+        """Analyze a single commit for sensitive data."""
+        # Get diff for this commit
+        cmd = ['git', 'show', '--pretty=', '--diff-filter=AM', commit['hash']]
+        result = subprocess.run(cmd, capture_output=True, text=True)
+
+        diff = result.stdout
+
+        # Check each pattern
+        for i, pattern in enumerate(self.compiled_patterns):
+            matches = pattern.findall(diff)
+            if matches:
+                for match in matches:
+                    finding = {
+                        'commit': commit['hash'],
+                        'author': commit['author'],
+                        'date': commit['date'],
+                        'message': commit['message'],
+                        'pattern': self.patterns[i],
+                        'match': match if isinstance(match, str) else match[0],
+                        'severity': self._get_severity(self.patterns[i]),
+                    }
+                    self.findings.append(finding)
+
+    def _get_severity(self, pattern):
+        """Determine severity based on pattern type."""
+        high_severity = ['password', 'private.key', 'aws', 'secret']
+        medium_severity = ['api.key', 'token', 'bearer']
+
+        pattern_lower = pattern.lower()
+
+        if any(s in pattern_lower for s in high_severity):
+            return 'HIGH'
+        elif any(s in pattern_lower for s in medium_severity):
+            return 'MEDIUM'
+        else:
+            return 'LOW'
+
+    def print_report(self):
+        """Print human-readable report."""
+        if not self.findings:
+            print("✅ No sensitive data found in git history\n")
+            return
+
+        print(f"\n⚠️  Found {len(self.findings)} potential issues\n")
+        print("=" * 70)
+
+        # Group by severity
+        by_severity = {'HIGH': [], 'MEDIUM': [], 'LOW': []}
+        for finding in self.findings:
+            by_severity[finding['severity']].append(finding)
+
+        for severity in ['HIGH', 'MEDIUM', 'LOW']:
+            findings = by_severity[severity]
+            if findings:
+                icon = '🔴' if severity == 'HIGH' else '🟡' if severity == 'MEDIUM' else '🔵'
+                print(f"\n{icon} {severity} Severity ({len(findings)} issues)\n")
+
+                for f in findings[:10]:  # Limit to 10 per severity
+                    print(f"  Commit: {f['commit'][:8]}")
+                    print(f"  Date:   {f['date']}")
+                    print(f"  Author: {f['author']}")
+                    print(f"  Match:  {f['match'][:50]}...")
+                    print()
+
+                if len(findings) > 10:
+                    print(f"  ... and {len(findings) - 10} more\n")
+
+        print("=" * 70)
+        print("\n📋 Recommendations:\n")
+
+        if by_severity['HIGH']:
+            print("  1. Immediately rotate any exposed credentials")
+            print("  2. Consider using git-filter-repo to remove sensitive commits")
+            print("  3. Add patterns to .gitignore and pre-commit hooks")
+
+        print("  4. Use environment variables for secrets")
+        print("  5. Consider using a secrets manager (Vault, AWS Secrets Manager)")
+        print()
+
+    def to_json(self):
+        """Return findings as JSON."""
+        return json.dumps({
+            'scannedAt': datetime.now().isoformat(),
+            'totalFindings': len(self.findings),
+            'bySeverity': {
+                'HIGH': len([f for f in self.findings if f['severity'] == 'HIGH']),
+                'MEDIUM': len([f for f in self.findings if f['severity'] == 'MEDIUM']),
+                'LOW': len([f for f in self.findings if f['severity'] == 'LOW']),
+            },
+            'findings': self.findings,
+        }, indent=2)
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description='Scan git history for sensitive data'
+    )
+    parser.add_argument(
+        '--patterns',
+        help='Custom regex patterns (pipe-separated)',
+        default=None
+    )
+    parser.add_argument(
+        '--since',
+        help='Only scan commits since date (e.g., "2024-01-01")',
+        default=None
+    )
+    parser.add_argument(
+        '--output',
+        choices=['text', 'json'],
+        default='text',
+        help='Output format'
+    )
+    parser.add_argument(
+        '--verbose', '-v',
+        action='store_true',
+        help='Show progress'
+    )
+
+    args = parser.parse_args()
+
+    patterns = None
+    if args.patterns:
+        patterns = args.patterns.split('|')
+
+    analyzer = GitHistoryAnalyzer(
+        patterns=patterns,
+        since=args.since,
+        verbose=args.verbose
+    )
+
+    findings = analyzer.run()
+
+    if args.output == 'json':
+        print(analyzer.to_json())
+    else:
+        analyzer.print_report()
+
+    # Exit with error code if HIGH severity findings
+    high_count = len([f for f in findings if f.get('severity') == 'HIGH'])
+    sys.exit(1 if high_count > 0 else 0)
+
+
+if __name__ == '__main__':
+    main()