cursordoctrine 0.2.1 → 0.2.3

package/linux/hooks/hook-common.sh

@@ -159,6 +159,9 @@ try:
             q = m.group(1).strip()
             if len(q) > 2000:
                 q = q[:2000] + "..."
+            q = re.sub(r"\bnpm_[A-Za-z0-9]{10,}\b", "[REDACTED_NPM_TOKEN]", q)
+            q = re.sub(r"\b(sk-[A-Za-z0-9]{10,}|ghp_[A-Za-z0-9]{20,}|gho_[A-Za-z0-9]{20,})\b", "[REDACTED_TOKEN]", q)
+            q = re.sub(r"(?i)(api[_-]?key|token|secret|password)\s*[:=]\s*\S+", r"\1=[REDACTED]", q)
             print(q)
             break
 except Exception:
@@ -172,6 +175,7 @@ except Exception:
     printf '%s' "$reversed" |
         grep -m1 -oE '<user_query>[^<]*</user_query>' 2>/dev/null |
         sed -E 's@</?user_query>@@g' |
+        sed -E 's/\bnpm_[A-Za-z0-9]{10,}\b/[REDACTED_NPM_TOKEN]/g' |
         head -c 2000
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cursordoctrine",
-  "version": "0.2.1",
+  "version": "0.2.3",
   "description": "Thin self-review hooks for Cursor — the model is the auditor. Intent-trace final review (Tier 0), unified 13-item anti-slop checklist, operational slop detection.",
   "bin": {
     "cursordoctrine": "bin/cli.mjs"

package/skills/anti-slop/scripts/scan_slop.py

@@ -635,13 +635,15 @@ def collect_defs(rel: str, lines: list[str]) -> list[Finding]:
         nb = normalize_body(raw, lang)
         sb = structural_body(raw, lang)
         # Non-blank lines only: the brace walk pads raw with edge newlines,
-        # and counting them would let `super(props);` pass the 3-line floor.
+        # and counting them would let `super(props);` pad its body_line count.
         body_lines = sum(1 for s in raw.splitlines() if s.strip()) or 1
-        # Exact-dup hash needs substance (>=3 lines or >=60 chars): one-line
-        # boilerplate like `super(props);` is not knowledge worth consolidating.
+        # Exact-dup hash needs substance (>=12 normalized chars). An earlier
+        # >=3-lines-or->=60-chars floor excluded the skill's own marquee case -
+        # tiny predicates like isRecord/isObject (1 line, ~40 chars) whose
+        # byte-identical bodies are exactly the duplication worth surfacing.
+        # Boilerplate like `return;`/`return x;` stays under the 12-char floor.
         # A truncated body is a prefix, not the function - never call it exact.
-        hash_exact = (not truncated and len(nb) >= 12
-                      and (body_lines >= 3 or len(nb) >= 60))
+        hash_exact = (not truncated and len(nb) >= 12)
         defs.append({
             "name": name, "file": rel, "line": i + 1,
             "exported": _is_exported(name, ln, lang),

package/windows/hooks/hook-common.ps1

@@ -73,7 +73,17 @@ function Resolve-AgentPath([string]$p) {
     return ConvertTo-FwdPath $p
 }
 
-# Extract the last user <user_query> from a Cursor transcript JSONL. The
+# Strip secrets from text before embedding in agent-facing followups. Intent
+# trace must not re-broadcast tokens the user pasted in chat.
+function Redact-SecretsFromIntent([string]$text) {
+    if (-not $text) { return $text }
+    $text = $text -replace '\bnpm_[A-Za-z0-9]{10,}\b', '[REDACTED_NPM_TOKEN]'
+    $text = $text -replace '\b(sk-[A-Za-z0-9]{10,}|ghp_[A-Za-z0-9]{20,}|gho_[A-Za-z0-9]{20,})\b', '[REDACTED_TOKEN]'
+    $text = $text -replace '(?i)(api[_-]?key|token|secret|password)\s*[:=]\s*\S+', '$1=[REDACTED]'
+    return $text
+}
+
+# Extract the last user <user_query> from a Cursor transcript JSONL.
 # transcript is an array of {role, message} records; we walk backward from the
 # end, find the last user turn whose content has a <user_query> tag, and return
 # its text. Returns '' if there is no transcript or no user_query. Capped at
@@ -108,7 +118,7 @@ function Get-LastUserQuery($obj) {
         if ($text -match '(?s)<user_query>\s*(.+?)\s*</user_query>') {
             $q = $Matches[1].Trim()
             if ($q.Length -gt 2000) { $q = $q.Substring(0, 2000) + '...' }
-            return $q
+            return (Redact-SecretsFromIntent $q)
         }
     }
     return ''