create-merlin-brain 5.3.8 → 5.4.0

package/files/hooks/pre-edit-sights-check.sh

@@ -99,14 +99,29 @@ fi
 
 # ─────────────────────────────────────────────────────────────────────────────
 # 3. FILE-BASED FALLBACK — guardian unreachable, use timestamp file
+#
+# IMPORTANT: Only block when a live Sights/guardian session genuinely existed
+# (i.e. the timestamp file is present and non-empty, meaning a prior check
+# happened this session) but is now stale.
+#
+# When there is NO guardian, NO API key, or the user is offline / running in
+# Lite mode (timestamp file absent), fall through to ALLOW — we must not brick
+# users who have no way to satisfy the "call merlin_get_context" instruction.
 # ─────────────────────────────────────────────────────────────────────────────
 if declare -f sights_was_checked_recently >/dev/null 2>&1; then
-  if ! sights_was_checked_recently 120; then
+  # Determine whether a Sights timestamp file exists at all (proxy for "active session")
+  SIGHTS_TS_FILE="${HOME}/.claude/merlin/.sights-last-check"
+  _sights_session_active=false
+  if [ -f "${SIGHTS_TS_FILE}" ] && [ -s "${SIGHTS_TS_FILE}" ]; then
+    _sights_session_active=true
+  fi
+
+  if $_sights_session_active && ! sights_was_checked_recently 120; then
     if declare -f log_event >/dev/null 2>&1; then
       log_event "sights_skip_warning" "$(printf '{"file":"%s","source":"fallback"}' "${file_path:-unknown}")"
     fi
-    # BLOCK the edit — stale context means the agent skipped merlin_get_context
-    # This is the structural enforcement: you cannot edit without fresh Sights context
+    # BLOCK the edit — a prior Sights check existed but context is now stale.
+    # The user HAS a working Sights setup and can satisfy the requirement.
     _BADGE="$("${HOME}/.claude/scripts/duo-badge.sh" 2>/dev/null || echo "⟡🔮 MERLIN ›")"
     if command -v jq >/dev/null 2>&1; then
       jq -n --arg badge "$_BADGE" '{
@@ -121,6 +136,7 @@ if declare -f sights_was_checked_recently >/dev/null 2>&1; then
     fi
     exit 0
   fi
+  # No timestamp file → offline/Lite/no-API-key user — fall through and allow.
 fi
 
 # Log the pre-edit event

package/files/hooks/security-scanner.sh

@@ -113,10 +113,9 @@ if echo "$content" | grep -qE 'sk-ant-[a-zA-Z0-9_\-]{90,}' 2>/dev/null; then
 fi
 
 # OpenAI key (sk- with 48+ chars, but not sk-ant-)
-if echo "$content" | grep -qE 'sk-(?!ant-)[a-zA-Z0-9]{48,}' 2>/dev/null; then
-  _block "OpenAI API key" "sk-..."
-elif echo "$content" | grep -qE 'sk-[a-zA-Z0-9]{48,}' 2>/dev/null; then
-  # Fallback for grep without PCRE: exclude sk-ant- manually
+# Uses ERE only (no PCRE lookahead — not portable across GNU and BSD grep).
+# Anthropic keys (sk-ant-) are already caught by the rule above; exclude them here.
+if echo "$content" | grep -qE 'sk-[a-zA-Z0-9_-]{48,}' 2>/dev/null; then
   if ! echo "$content" | grep -qE 'sk-ant-' 2>/dev/null; then
     _block "OpenAI API key" "sk-..."
   fi

package/files/hooks/session-end.sh

@@ -140,36 +140,39 @@ COST_FILE="${HOME}/.claude/merlin/session-cost.json"
 if [ -f "${COST_FILE}" ]; then
   COST_SUMMARY=""
   if command -v node >/dev/null 2>&1; then
-    COST_SUMMARY="$(node -e "
+    # Pass COST_FILE as process.argv[1] — never interpolate paths inside the script body.
+    COST_SUMMARY="$(node -e '
 try {
-  const d = JSON.parse(require('fs').readFileSync('${COST_FILE}', 'utf8'));
+  var f = process.argv[1];
+  var d = JSON.parse(require("fs").readFileSync(f, "utf8"));
   if (d.totalCalls > 0) {
-    const tot = (d.totalEstimatedCost || 0).toFixed(4);
-    const calls = d.totalCalls || 0;
-    const tc = d.tokenCounts || {};
-    const tokens = (tc.totalInput || 0) + (tc.totalOutput || 0);
-    const tokStr = tokens > 0 ? ', ' + Math.round(tokens/1000) + 'K tokens' : '';
-    process.stdout.write('Session cost: \$' + tot + ' (' + calls + ' call' + (calls !== 1 ? 's' : '') + tokStr + ')');
+    var tot = (d.totalEstimatedCost || 0).toFixed(4);
+    var calls = d.totalCalls || 0;
+    var tc = d.tokenCounts || {};
+    var tokens = (tc.totalInput || 0) + (tc.totalOutput || 0);
+    var tokStr = tokens > 0 ? ", " + Math.round(tokens/1000) + "K tokens" : "";
+    process.stdout.write("Session cost: $" + tot + " (" + calls + " call" + (calls !== 1 ? "s" : "") + tokStr + ")");
   }
 } catch(e) {}
-" 2>/dev/null || true)"
+' "$COST_FILE" 2>/dev/null || true)"
   elif command -v python3 >/dev/null 2>&1; then
-    COST_SUMMARY="$(python3 -c "
+    # Pass COST_FILE as sys.argv[1] — never interpolate paths inside the script body.
+    COST_SUMMARY="$(python3 -c '
 import json, sys
 try:
-    with open('${COST_FILE}') as f:
+    with open(sys.argv[1]) as f:
         d = json.load(f)
-    if d.get('totalCalls', 0) > 0:
-        tot = d.get('totalEstimatedCost', 0)
-        calls = d.get('totalCalls', 0)
-        tc = d.get('tokenCounts', {})
-        tokens = tc.get('totalInput', 0) + tc.get('totalOutput', 0)
-        tok_str = (', ' + str(round(tokens/1000)) + 'K tokens') if tokens > 0 else ''
-        plural = '' if calls == 1 else 's'
-        sys.stdout.write(f'Session cost: \${tot:.4f} ({calls} call{plural}{tok_str})')
+    if d.get("totalCalls", 0) > 0:
+        tot = d.get("totalEstimatedCost", 0)
+        calls = d.get("totalCalls", 0)
+        tc = d.get("tokenCounts", {})
+        tokens = tc.get("totalInput", 0) + tc.get("totalOutput", 0)
+        tok_str = (", " + str(round(tokens/1000)) + "K tokens") if tokens > 0 else ""
+        plural = "" if calls == 1 else "s"
+        sys.stdout.write("Session cost: ${:.4f} ({} call{}{})".format(tot, calls, plural, tok_str))
 except Exception:
     pass
-" 2>/dev/null || true)"
+' "$COST_FILE" 2>/dev/null || true)"
   fi
   if [ -n "${COST_SUMMARY}" ]; then
     echo "[merlin] ${COST_SUMMARY}" >&2
@@ -249,19 +252,29 @@ if command -v jq >/dev/null 2>&1 && command -v git >/dev/null 2>&1; then
     echo "${outcome_line}" >> "${OUTCOME_FILE}" 2>/dev/null || true
   fi
 
-  # Keep outcomes.jsonl bounded — drop lines older than 90 days
+  # Keep outcomes.jsonl bounded — drop lines older than 90 days.
+  # Single awk pass: no per-line subprocess, ISO-8601 UTC strings sort lexicographically.
+  # On any parse uncertainty, the line is KEPT (never silently dropped).
   if [ -f "${OUTCOME_FILE}" ]; then
-    cutoff_epoch="$(date -u -v-90d +%s 2>/dev/null || date -u -d '90 days ago' +%s 2>/dev/null || echo 0)"
-    if [ "${cutoff_epoch}" -gt 0 ] 2>/dev/null; then
-      tmp_out="${OUTCOME_FILE}.tmp"
-      while IFS= read -r line; do
-        line_ts="$(echo "${line}" | jq -r '.timestamp // ""' 2>/dev/null || echo "")"
-        if [ -z "${line_ts}" ]; then continue; fi
-        line_epoch="$(date -u -d "${line_ts}" +%s 2>/dev/null || date -u -j -f "%Y-%m-%dT%H:%M:%SZ" "${line_ts}" +%s 2>/dev/null || echo 0)"
-        if [ "${line_epoch}" -ge "${cutoff_epoch}" ] 2>/dev/null; then
-          echo "${line}"
-        fi
-      done < "${OUTCOME_FILE}" > "${tmp_out}" 2>/dev/null && mv "${tmp_out}" "${OUTCOME_FILE}" 2>/dev/null || true
+    cutoff="$(date -u -v-90d +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -d '90 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || echo "")"
+    if [ -n "${cutoff}" ]; then
+      tmp_out="${OUTCOME_FILE}.tmp.$$"
+      # 2-arg match() only — portable to BSD awk (macOS default) AND gawk.
+      # The gawk-only 3-arg form `match($0, re, arr)` is a syntax error on BSD
+      # awk and would make the whole rotation a silent no-op.
+      awk -v cutoff="${cutoff}" '
+        {
+          ts = ""
+          # "timestamp":"<value>"  → the literal prefix is 13 chars, trailing quote 1.
+          if (match($0, /"timestamp":"[^"]+"/)) {
+            ts = substr($0, RSTART + 13, RLENGTH - 14)
+          }
+          # Keep line if timestamp missing/unparseable OR >= cutoff (ISO string compare)
+          if (ts == "" || ts >= cutoff) print
+        }
+      ' "${OUTCOME_FILE}" > "${tmp_out}" 2>/dev/null \
+        && mv "${tmp_out}" "${OUTCOME_FILE}" 2>/dev/null \
+        || rm -f "${tmp_out}" 2>/dev/null || true
     fi
   fi
 fi

package/files/hooks/smart-approve.sh

@@ -146,6 +146,8 @@ fi
 # ─────────────────────────────────────────────────────────────────────────────
 
 # Safe base command list (exact match on first word)
+# NOTE: curl, wget, nc, scp, ssh, telnet are intentionally excluded — network egress
+# must never be auto-approved; even a seemingly-safe command could pipe to a network tool.
 SAFE_CMDS="cat|head|tail|less|more|wc|file|stat|du|df|which|type|whereis|man|echo|printf|ls|find|tree|fd|grep|rg|ag|ack|fzf|jest|vitest|mocha|pytest|cargo|go|npm|yarn|pnpm|make|tsc|prettier|eslint|rustfmt|black|flake8|mypy|rubocop|uname|hostname|whoami|id|env|printenv|date|uptime|ps|top|git|node|python|python3"
 
 # Git read-only subcommands
@@ -244,16 +246,22 @@ _is_safe_segment() {
   return 0
 }
 
-# Split on pipe, semicolon, &&, || and check each segment
-# Replace separators with newlines, then iterate
+# Split on shell operators (&&, ||, ;, |, &) treating two-char tokens first.
+# Strategy: normalize &&  and || to newlines first (so they are not left as stray &/|),
+# then normalize remaining ; | & to newlines.  Each resulting segment is checked
+# independently — the whole command is safe only when ALL segments are safe.
 all_safe=true
 while IFS= read -r segment; do
+  segment=$(echo "$segment" | xargs 2>/dev/null || echo "$segment")  # trim whitespace
   [ -z "$segment" ] && continue
   if ! _is_safe_segment "$segment"; then
     all_safe=false
     break
   fi
-done < <(echo "$command_str" | tr '|;&' '\n')
+done < <(echo "$command_str" | sed -E 's/\|\|/\
+/g; s/&&/\
+/g; s/[;|&]/\
+/g')
 
 if $all_safe; then
   if declare -f log_event >/dev/null 2>&1; then

package/files/hooks/user-prompt-router.sh

@@ -82,15 +82,36 @@ fi
 [ -z "$suggestion" ] && echo "{}" && exit 0
 
 # ── Emit routing hint ─────────────────────────────────────────────────────────
-_BADGE="$("${HOME}/.claude/scripts/duo-badge.sh" 2>/dev/null || echo "⟡🔮 MERLIN ›")"
+# Cache the badge for the session to avoid spawning duo-badge.sh on every prompt.
+# Cache key: the Claude Code session_id (stable for the whole session) parsed
+# from the stdin JSON we already captured. $$ is a FRESH pid per hook spawn —
+# it would never hit and would leak a temp file every prompt — so fall back to
+# $PPID (stable across prompts in one session), never $$.
+_SESSION_KEY=""
+if command -v jq >/dev/null 2>&1; then
+  _SESSION_KEY=$(printf '%s' "$input" | jq -r '.session_id // empty' 2>/dev/null || true)
+else
+  _SESSION_KEY=$(printf '%s' "$input" | grep -o '"session_id"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"\([^"]*\)"$/\1/' 2>/dev/null || true)
+fi
+[ -z "${_SESSION_KEY}" ] && _SESSION_KEY="ppid-${PPID}"
+# Sanitize the key so it is safe as a filename fragment.
+_SESSION_KEY=$(printf '%s' "${_SESSION_KEY}" | tr -c 'A-Za-z0-9._-' '_')
+_BADGE_CACHE="${TMPDIR:-/tmp}/.merlin-badge-${_SESSION_KEY}"
+if [ -f "${_BADGE_CACHE}" ]; then
+  _BADGE="$(cat "${_BADGE_CACHE}" 2>/dev/null || echo "⟡🔮 MERLIN ›")"
+else
+  _BADGE="$("${HOME}/.claude/scripts/duo-badge.sh" 2>/dev/null || echo "⟡🔮 MERLIN ›")"
+  printf '%s' "${_BADGE}" > "${_BADGE_CACHE}" 2>/dev/null || true
+fi
+
 _ctx="${_BADGE} ROUTING: ${suggestion}. Remember: YOU are the orchestrator. Answer codebase questions via Sights. Route implementation to agents. Badge every action."
 
 if command -v jq >/dev/null 2>&1; then
   jq -n --arg ctx "$_ctx" \
     '{hookSpecificOutput:{hookEventName:"UserPromptSubmit",additionalContext:$ctx}}'
 else
-  # jq not available — emit via printf, escaping the double-quotes in suggestion
-  _ctx_escaped=$(printf '%s' "$_ctx" | sed 's/"/\\"/g')
+  # jq not available — escape backslashes first, then quotes, then strip control chars
+  _ctx_escaped=$(printf '%s' "$_ctx" | sed 's/\\/\\\\/g; s/"/\\"/g' | tr -d '\000-\037')
   printf '{"hookSpecificOutput":{"hookEventName":"UserPromptSubmit","additionalContext":"%s"}}\n' "$_ctx_escaped"
 fi
 

package/files/merlin/VERSION

@@ -1 +1 @@
-3.22.0
+5.4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-merlin-brain",
-  "version": "5.3.8",
+  "version": "5.4.0",
   "description": "Merlin - The Ultimate AI Brain for Claude Code, Codex, and other AI CLIs. One install: workflows, agents, loop, and Sights MCP server.",
   "type": "module",
   "main": "./dist/server/index.js",
@@ -51,7 +51,7 @@
     "README.md"
   ],
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.0.0",
+    "@modelcontextprotocol/sdk": "^1.27.1",
     "simple-git": "^3.21.0",
     "zod": "^3.25.0"
   },

package/dist/server/tools/context.d.ts

@@ -1,7 +0,0 @@
-/**
- * Context and Search Tools
- * Tools for getting codebase context, searching, and asking questions
- */
-import type { ToolContext } from './types.js';
-export declare function registerContextTools(ctx: ToolContext): void;
-//# sourceMappingURL=context.d.ts.map

package/dist/server/tools/context.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"context.d.ts","sourceRoot":"","sources":["../../../src/server/tools/context.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAyC9C,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,WAAW,GAAG,IAAI,CAsoB3D"}