instar 0.26.3 → 0.26.5

package/src/templates/hooks/intercept-imsg-send.js

@@ -0,0 +1,68 @@
+/**
+ * intercept-imsg-send.js — PreToolUse hook to block direct iMessage sending.
+ *
+ * Layer 2 of the 5-layer outbound safety defense-in-depth.
+ *
+ * Blocks: imsg send, osascript+Messages.app, common indirect execution patterns.
+ * Allows: imsg chats, imsg --version, imsg --help (read-only operations).
+ *
+ * Known limitations (Phase 1 accepted risks):
+ * - Scripts written to files and executed bypass inline pattern matching
+ * - Base64-encoded commands bypass regex detection
+ * - macOS Shortcuts.app could be invoked to send messages
+ * - Addressed structurally in Phase 2 (OS-level permission revocation)
+ *
+ * Install: Place in .claude/hooks/ and register as PreToolUse hook on Bash tool.
+ * Integrity: chmod 444 after install. Server verifies SHA-256 hash periodically.
+ */
+
+// Hook receives tool input on stdin
+const input = await new Promise((resolve) => {
+  let data = '';
+  process.stdin.on('data', (chunk) => { data += chunk; });
+  process.stdin.on('end', () => {
+    try { resolve(JSON.parse(data)); }
+    catch { resolve({}); }
+  });
+});
+
+const toolName = input.tool_name || '';
+const toolInput = input.tool_input || {};
+
+// Only intercept Bash tool calls
+if (toolName !== 'Bash') {
+  // Allow all non-Bash tools
+  process.stdout.write(JSON.stringify({ decision: 'allow' }));
+  process.exit(0);
+}
+
+const command = (toolInput.command || '').toString();
+
+// Patterns that indicate direct iMessage sending
+const BLOCKED_PATTERNS = [
+  // Direct imsg send
+  /\bimsg\s+send\b/i,
+  // AppleScript targeting Messages.app
+  /\bosascript\b.*\bMessages\b/i,
+  /\btell\s+application\s+"Messages"/i,
+  /\btell\s+application\s+'Messages'/i,
+  // Indirect execution with iMessage references
+  /\b(?:python3?|node|ruby|perl)\s+(?:-[ce]|--eval)\s+.*\b(?:imsg\s+send|Messages)\b/i,
+  // Piped execution
+  /\becho\s+.*\b(?:imsg\s+send|Messages)\b.*\|\s*(?:ba)?sh/i,
+  // Crontab modification (could schedule sends)
+  /\bcrontab\s+-[elr]/i,
+  // macOS Shortcuts that could send messages
+  /\bshortcuts\s+run\b.*(?:message|sms|imessage|send)/i,
+];
+
+const isBlocked = BLOCKED_PATTERNS.some((p) => p.test(command));
+
+if (isBlocked) {
+  process.stdout.write(JSON.stringify({
+    decision: 'block',
+    reason: 'Direct iMessage sending is blocked. Use imessage-reply.sh for authorized sends.',
+  }));
+} else {
+  process.stdout.write(JSON.stringify({ decision: 'allow' }));
+}

package/src/templates/hooks/settings-template.json

@@ -38,6 +38,17 @@
           }
         ]
       },
+      {
+        "matcher": "mcp__.*",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node .instar/hooks/instar/external-operation-gate.js",
+            "blocking": true,
+            "timeout": 5000
+          }
+        ]
+      },
       {
         "matcher": "AskUserQuestion",
         "hooks": [

package/src/templates/scripts/imessage-reply.sh

@@ -0,0 +1,130 @@
+#!/bin/bash
+# imessage-reply.sh — Send a reply via iMessage with validate-before-send safety.
+#
+# Usage:
+#   ./imessage-reply.sh RECIPIENT "message text"
+#   echo "message text" | ./imessage-reply.sh RECIPIENT
+#   cat <<'EOF' | ./imessage-reply.sh RECIPIENT
+#   Multi-line message here
+#   EOF
+#
+# RECIPIENT is a phone number (+14081234567) or email (user@icloud.com).
+#
+# This script implements Layer 1 of the 5-layer outbound safety defense:
+#   1. Validates recipient with server BEFORE sending (gets single-use token)
+#   2. Sends the iMessage via `imsg send` CLI (requires Automation permission)
+#   3. Confirms delivery to server with token (for logging + stall tracking)
+#
+# If validation fails, the message is NOT sent. This is the reverse of the
+# original flow which sent first and notified second.
+
+RECIPIENT="$1"
+shift
+
+if [ -z "$RECIPIENT" ]; then
+  echo "Usage: imessage-reply.sh RECIPIENT [message]" >&2
+  exit 1
+fi
+
+# Read message from args or stdin
+if [ $# -gt 0 ]; then
+  MSG="$*"
+else
+  MSG="$(cat)"
+fi
+
+if [ -z "$MSG" ]; then
+  echo "No message provided" >&2
+  exit 1
+fi
+
+# ── Setup ─────────────────────────────────────────────────────────────
+
+PORT="${INSTAR_PORT:-4042}"
+
+AUTH_TOKEN=""
+if [ -f ".instar/config.json" ]; then
+  AUTH_TOKEN=$(python3 -c "import json; print(json.load(open('.instar/config.json')).get('authToken',''))" 2>/dev/null)
+fi
+
+# Escape message for JSON
+JSON_MSG=$(printf '%s' "$MSG" | python3 -c 'import sys,json; print(json.dumps(sys.stdin.read()))' 2>/dev/null)
+if [ -z "$JSON_MSG" ]; then
+  JSON_MSG="\"$(printf '%s' "$MSG" | sed 's/\\/\\\\/g; s/"/\\"/g; s/\n/\\n/g')\""
+fi
+
+# URL-encode the recipient
+ENCODED_RECIPIENT=$(printf '%s' "$RECIPIENT" | python3 -c 'import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip(), safe=""))' 2>/dev/null)
+if [ -z "$ENCODED_RECIPIENT" ]; then
+  ENCODED_RECIPIENT="$RECIPIENT"
+fi
+
+AUTH_HEADER=""
+if [ -n "$AUTH_TOKEN" ]; then
+  AUTH_HEADER="Authorization: Bearer ${AUTH_TOKEN}"
+fi
+
+# ── Step 1: Validate with server BEFORE sending (get single-use token) ──
+
+VALIDATE_RESPONSE=$(curl -s -w "\n%{http_code}" \
+  -X POST "http://localhost:${PORT}/imessage/validate-send/${ENCODED_RECIPIENT}" \
+  ${AUTH_HEADER:+-H "$AUTH_HEADER"} \
+  -H 'Content-Type: application/json' \
+  -d "{\"text\":${JSON_MSG}}" 2>/dev/null)
+
+VALIDATE_BODY=$(echo "$VALIDATE_RESPONSE" | head -n -1)
+VALIDATE_CODE=$(echo "$VALIDATE_RESPONSE" | tail -n 1)
+
+if [ "$VALIDATE_CODE" != "200" ]; then
+  # Validation failed — DO NOT SEND
+  REASON=$(echo "$VALIDATE_BODY" | python3 -c 'import sys,json; print(json.load(sys.stdin).get("reason","unknown"))' 2>/dev/null || echo "unknown")
+  echo "BLOCKED: $REASON" >&2
+
+  # Log blocked attempt locally as backup
+  echo "{\"blocked\":true,\"recipient\":\"${RECIPIENT}\",\"reason\":\"${REASON}\",\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"}" >> .instar/imessage-outbound-local.jsonl 2>/dev/null
+
+  exit 1
+fi
+
+# Extract send token
+SEND_TOKEN=$(echo "$VALIDATE_BODY" | python3 -c 'import sys,json; print(json.load(sys.stdin).get("token",""))' 2>/dev/null)
+
+if [ -z "$SEND_TOKEN" ]; then
+  echo "BLOCKED: no send token received from server" >&2
+  exit 1
+fi
+
+# ── Step 2: Send via imsg CLI (only after validation passes) ──────────
+
+IMSG="${IMSG_PATH:-imsg}"
+if ! command -v "$IMSG" &>/dev/null; then
+  for candidate in /opt/homebrew/bin/imsg /usr/local/bin/imsg "$HOME/homebrew/bin/imsg"; do
+    if [ -x "$candidate" ]; then
+      IMSG="$candidate"
+      break
+    fi
+  done
+fi
+
+if ! command -v "$IMSG" &>/dev/null && [ ! -x "$IMSG" ]; then
+  echo "imsg not found. Install: brew install steipete/tap/imsg" >&2
+  exit 1
+fi
+
+"$IMSG" send --to "$RECIPIENT" --text "$MSG" --service imessage 2>/dev/null
+SEND_STATUS=$?
+
+if [ $SEND_STATUS -ne 0 ]; then
+  echo "imsg send failed (exit $SEND_STATUS)" >&2
+  exit 1
+fi
+
+# ── Step 3: Confirm delivery to server (with token to bind validate→send) ──
+
+curl -s -o /dev/null -w "" -X POST "http://localhost:${PORT}/imessage/reply/${ENCODED_RECIPIENT}" \
+  ${AUTH_HEADER:+-H "$AUTH_HEADER"} \
+  -H 'Content-Type: application/json' \
+  -d "{\"text\":${JSON_MSG},\"sendToken\":\"${SEND_TOKEN}\"}" 2>/dev/null || \
+  echo "Warning: server confirmation failed (message was sent)" >&2
+
+echo "Sent $(echo "$MSG" | wc -c | tr -d ' ') chars to $RECIPIENT"

package/upgrades/0.26.4.md

@@ -0,0 +1,17 @@
+# v0.26.4 — Inline Slack Text Snippets
+
+## What Changed
+
+**Text snippet inlining** — When users share text-based content in Slack (code snippets, meeting transcripts, plain text, markdown, CSV, JSON, etc.), the content is now inlined directly into the message as a code block. Previously, snippets were saved as file references that sessions often did not read, causing agents to hallucinate content instead of working with the actual snippet.
+
+Detects text-based mimetypes and Slack-specific filetypes (text, snippet, post). Content up to 10KB is inlined. Larger content is truncated with a reference to the full file.
+
+## What to Tell Your User
+
+When you share text snippets or code blocks in Slack, the bot now reads and processes the actual content instead of just noting that a file was attached. This means meeting transcripts, code snippets, and other text content will be analyzed correctly.
+
+## Summary of New Capabilities
+
+| Capability | How to Use |
+|-----------|-----------|
+| Snippet inlining | Share a text snippet or code block in Slack — content is read directly |

package/upgrades/0.26.5.md

@@ -0,0 +1,15 @@
+# v0.26.5 — Fix Slack Snippet Content Retrieval
+
+## What Changed
+
+**Three-tier snippet content resolution** — Slack snippet downloads were returning HTML pages instead of actual content (auth/redirect issue). Now uses a three-tier approach: (1) check file preview from the event payload, (2) use files.info API to get content directly, (3) fall back to downloaded file but reject HTML responses. This prevents agents from hallucinating based on HTML markup.
+
+## What to Tell Your User
+
+Fixed an issue where text snippets shared in Slack were not being read correctly. The bot now properly retrieves snippet content using multiple fallback methods, so it will respond based on what you actually shared rather than making up content.
+
+## Summary of New Capabilities
+
+| Capability | How to Use |
+|-----------|-----------|
+| Reliable snippet reading | Share a text snippet in Slack — content is now reliably retrieved |