kastell 2.2.4 → 2.2.5

package/kastell-plugin/hooks/pre-commit-audit-guard.cjs

@@ -1,75 +1,75 @@
-#!/usr/bin/env node
-// PreToolUse hook: Block git commit if audit score dropped since previous audit run
-
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-
-const HISTORY_FILE = path.join(os.homedir(), '.kastell', 'audit-history.json');
-
-// MANDATORY stdin guard — exit silently if stdin unavailable
-if (!process.stdin || process.stdin.destroyed || !process.stdin.readable) {
-  process.exit(0);
-}
-
-let input = '';
-const stdinTimeout = setTimeout(() => process.exit(0), 1500);
-process.stdin.setEncoding('utf8');
-process.stdin.on('error', () => process.exit(0));
-process.stdin.on('data', chunk => { input += chunk; });
-process.stdin.on('end', () => {
-  clearTimeout(stdinTimeout);
-  try {
-    const cwd = process.cwd();
-
-    // Kastell project guard (two-phase: directory structure + package.json name)
-    const isKastell = fs.existsSync(path.join(cwd, 'src', 'mcp')) &&
-                      fs.existsSync(path.join(cwd, 'package.json'));
-    if (!isKastell) {
-      try {
-        const pkg = JSON.parse(fs.readFileSync(path.join(cwd, 'package.json'), 'utf8'));
-        if (pkg.name !== 'kastell') process.exit(0);
-      } catch { process.exit(0); }
-    }
-
-    // Parse tool input — only act on git commit commands
-    const data = JSON.parse(input);
-    const cmd = (data.tool_input && data.tool_input.command) || '';
-
-    if (!/\bgit\s+commit\b/.test(cmd)) {
-      process.exit(0);
-    }
-
-    // Read audit history — fail-open if unavailable
-    let history;
-    try {
-      history = JSON.parse(fs.readFileSync(HISTORY_FILE, 'utf8'));
-    } catch {
-      // History missing or unreadable — allow commit
-      process.exit(0);
-    }
-
-    // Check each server for score regression between last two audit runs
-    for (const serverIp of Object.keys(history)) {
-      const entries = history[serverIp];
-      if (!Array.isArray(entries) || entries.length < 2) continue;
-
-      const current = entries[entries.length - 1].overallScore;
-      const previous = entries[entries.length - 2].overallScore;
-
-      if (typeof current !== 'number' || typeof previous !== 'number') continue;
-      if (current < previous) {
-        process.stdout.write(JSON.stringify({
-          decision: 'block',
-          reason: `Audit score dropped: ${previous} -> ${current} (${entries[entries.length - 1].serverName}). Run \`kastell audit\` to investigate before committing.`,
-        }));
-        process.exit(0);
-      }
-    }
-
-    // No score drop detected — allow commit
-  } catch {}
-
-  // Fail-open: any unexpected error allows the commit through
-  process.exit(0);
-});
+#!/usr/bin/env node
+// PreToolUse hook: Block git commit if audit score dropped since previous audit run
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const HISTORY_FILE = path.join(os.homedir(), '.kastell', 'audit-history.json');
+
+// MANDATORY stdin guard — exit silently if stdin unavailable
+if (!process.stdin || process.stdin.destroyed || !process.stdin.readable) {
+  process.exit(0);
+}
+
+let input = '';
+const stdinTimeout = setTimeout(() => process.exit(0), 1500);
+process.stdin.setEncoding('utf8');
+process.stdin.on('error', () => process.exit(0));
+process.stdin.on('data', chunk => { input += chunk; });
+process.stdin.on('end', () => {
+  clearTimeout(stdinTimeout);
+  try {
+    const cwd = process.cwd();
+
+    // Kastell project guard (two-phase: directory structure + package.json name)
+    const isKastell = fs.existsSync(path.join(cwd, 'src', 'mcp')) &&
+                      fs.existsSync(path.join(cwd, 'package.json'));
+    if (!isKastell) {
+      try {
+        const pkg = JSON.parse(fs.readFileSync(path.join(cwd, 'package.json'), 'utf8'));
+        if (pkg.name !== 'kastell') process.exit(0);
+      } catch { process.exit(0); }
+    }
+
+    // Parse tool input — only act on git commit commands
+    const data = JSON.parse(input);
+    const cmd = (data.tool_input && data.tool_input.command) || '';
+
+    if (!/\bgit\s+commit\b/.test(cmd)) {
+      process.exit(0);
+    }
+
+    // Read audit history — fail-open if unavailable
+    let history;
+    try {
+      history = JSON.parse(fs.readFileSync(HISTORY_FILE, 'utf8'));
+    } catch {
+      // History missing or unreadable — allow commit
+      process.exit(0);
+    }
+
+    // Check each server for score regression between last two audit runs
+    for (const serverIp of Object.keys(history)) {
+      const entries = history[serverIp];
+      if (!Array.isArray(entries) || entries.length < 2) continue;
+
+      const current = entries[entries.length - 1].overallScore;
+      const previous = entries[entries.length - 2].overallScore;
+
+      if (typeof current !== 'number' || typeof previous !== 'number') continue;
+      if (current < previous) {
+        process.stdout.write(JSON.stringify({
+          decision: 'block',
+          reason: `Audit score dropped: ${previous} -> ${current} (${entries[entries.length - 1].serverName}). Run \`kastell audit\` to investigate before committing.`,
+        }));
+        process.exit(0);
+      }
+    }
+
+    // No score drop detected — allow commit
+  } catch {}
+
+  // Fail-open: any unexpected error allows the commit through
+  process.exit(0);
+});

package/kastell-plugin/hooks/session-audit.cjs

@@ -1,86 +1,86 @@
-#!/usr/bin/env node
-// SessionStart hook: Show last audit score from cache (no SSH, instant)
-
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-
-const HISTORY_FILE = path.join(os.homedir(), '.kastell', 'audit-history.json');
-
-// MANDATORY stdin guard — exit silently if stdin unavailable (e.g. after /clear)
-if (!process.stdin || process.stdin.destroyed || !process.stdin.readable) {
-  process.exit(0);
-}
-
-let input = '';
-const stdinTimeout = setTimeout(() => process.exit(0), 1500);
-process.stdin.setEncoding('utf8');
-process.stdin.on('error', () => process.exit(0));
-process.stdin.on('data', chunk => { input += chunk; });
-process.stdin.on('end', () => {
-  clearTimeout(stdinTimeout);
-  try {
-    const cwd = process.cwd();
-
-    // Kastell project guard
-    const isKastell = fs.existsSync(path.join(cwd, 'src', 'mcp')) &&
-                      fs.existsSync(path.join(cwd, 'package.json'));
-    if (!isKastell) {
-      try {
-        const pkg = JSON.parse(fs.readFileSync(path.join(cwd, 'package.json'), 'utf8'));
-        if (pkg.name !== 'kastell') process.exit(0);
-      } catch { process.exit(0); }
-    }
-
-    // Read audit history from cache — no SSH needed
-    let history;
-    try {
-      history = JSON.parse(fs.readFileSync(HISTORY_FILE, 'utf8'));
-    } catch {
-      // No history file — exit silently
-      process.exit(0);
-    }
-
-    // Find the most recent audit entry across all servers
-    let latest = null;
-    let latestTime = 0;
-
-    if (typeof history === 'object' && !Array.isArray(history)) {
-      // Format: { "ip": [ { overallScore, serverName, timestamp } ] }
-      for (const entries of Object.values(history)) {
-        if (!Array.isArray(entries)) continue;
-        for (const entry of entries) {
-          const ts = new Date(entry.timestamp || entry.date || 0).getTime();
-          if (ts > latestTime) {
-            latestTime = ts;
-            latest = entry;
-          }
-        }
-      }
-    } else if (Array.isArray(history)) {
-      // Format: [ { overallScore, serverName, timestamp } ]
-      for (const entry of history) {
-        const ts = new Date(entry.timestamp || entry.date || 0).getTime();
-        if (ts > latestTime) {
-          latestTime = ts;
-          latest = entry;
-        }
-      }
-    }
-
-    if (latest && typeof latest.overallScore === 'number') {
-      const serverName = latest.serverName || latest.server || 'unknown';
-      const date = (latest.timestamp || latest.date || '').split('T')[0];
-      const ageMs = Date.now() - latestTime;
-      const ageDays = Math.floor(ageMs / (1000 * 60 * 60 * 24));
-      const stale = ageDays > 7 ? ` (${ageDays} days ago — consider re-running)` : '';
-
-      process.stdout.write(JSON.stringify({
-        hookSpecificOutput: `[Kastell Audit] Last score: ${latest.overallScore}/100 (${serverName}, ${date})${stale}`,
-      }));
-    }
-  } catch {}
-
-  // Always exit 0 — SessionStart MUST NOT fail
-  process.exit(0);
-});
+#!/usr/bin/env node
+// SessionStart hook: Show last audit score from cache (no SSH, instant)
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const HISTORY_FILE = path.join(os.homedir(), '.kastell', 'audit-history.json');
+
+// MANDATORY stdin guard — exit silently if stdin unavailable (e.g. after /clear)
+if (!process.stdin || process.stdin.destroyed || !process.stdin.readable) {
+  process.exit(0);
+}
+
+let input = '';
+const stdinTimeout = setTimeout(() => process.exit(0), 1500);
+process.stdin.setEncoding('utf8');
+process.stdin.on('error', () => process.exit(0));
+process.stdin.on('data', chunk => { input += chunk; });
+process.stdin.on('end', () => {
+  clearTimeout(stdinTimeout);
+  try {
+    const cwd = process.cwd();
+
+    // Kastell project guard
+    const isKastell = fs.existsSync(path.join(cwd, 'src', 'mcp')) &&
+                      fs.existsSync(path.join(cwd, 'package.json'));
+    if (!isKastell) {
+      try {
+        const pkg = JSON.parse(fs.readFileSync(path.join(cwd, 'package.json'), 'utf8'));
+        if (pkg.name !== 'kastell') process.exit(0);
+      } catch { process.exit(0); }
+    }
+
+    // Read audit history from cache — no SSH needed
+    let history;
+    try {
+      history = JSON.parse(fs.readFileSync(HISTORY_FILE, 'utf8'));
+    } catch {
+      // No history file — exit silently
+      process.exit(0);
+    }
+
+    // Find the most recent audit entry across all servers
+    let latest = null;
+    let latestTime = 0;
+
+    if (typeof history === 'object' && !Array.isArray(history)) {
+      // Format: { "ip": [ { overallScore, serverName, timestamp } ] }
+      for (const entries of Object.values(history)) {
+        if (!Array.isArray(entries)) continue;
+        for (const entry of entries) {
+          const ts = new Date(entry.timestamp || entry.date || 0).getTime();
+          if (ts > latestTime) {
+            latestTime = ts;
+            latest = entry;
+          }
+        }
+      }
+    } else if (Array.isArray(history)) {
+      // Format: [ { overallScore, serverName, timestamp } ]
+      for (const entry of history) {
+        const ts = new Date(entry.timestamp || entry.date || 0).getTime();
+        if (ts > latestTime) {
+          latestTime = ts;
+          latest = entry;
+        }
+      }
+    }
+
+    if (latest && typeof latest.overallScore === 'number') {
+      const serverName = latest.serverName || latest.server || 'unknown';
+      const date = (latest.timestamp || latest.date || '').split('T')[0];
+      const ageMs = Date.now() - latestTime;
+      const ageDays = Math.floor(ageMs / (1000 * 60 * 60 * 24));
+      const stale = ageDays > 7 ? ` (${ageDays} days ago — consider re-running)` : '';
+
+      process.stdout.write(JSON.stringify({
+        hookSpecificOutput: `[Kastell Audit] Last score: ${latest.overallScore}/100 (${serverName}, ${date})${stale}`,
+      }));
+    }
+  } catch {}
+
+  // Always exit 0 — SessionStart MUST NOT fail
+  process.exit(0);
+});

package/kastell-plugin/hooks/session-log.cjs

@@ -1,56 +1,56 @@
-#!/usr/bin/env node
-// PostToolUse hook: Log Bash command + output to ~/.kastell/session.log
-
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-
-const LOG_DIR = path.join(os.homedir(), '.kastell');
-const LOG_FILE = path.join(LOG_DIR, 'session.log');
-const MAX_LOG_SIZE = 5 * 1024 * 1024; // 5MB rotation threshold
-const SECRET_PATTERN = /(?:TOKEN|SECRET|PASSWORD|KEY|CREDENTIAL|BEARER|AUTHORIZATION)\s*[=:]\s*\S+/gi;
-
-// MANDATORY stdin guard — exit silently if stdin unavailable
-if (!process.stdin || process.stdin.destroyed || !process.stdin.readable) {
-  process.exit(0);
-}
-
-let input = '';
-const stdinTimeout = setTimeout(() => process.exit(0), 1500);
-process.stdin.setEncoding('utf8');
-process.stdin.on('error', () => process.exit(0));
-process.stdin.on('data', chunk => { input += chunk; });
-process.stdin.on('end', () => {
-  clearTimeout(stdinTimeout);
-  try {
-    const data = JSON.parse(input);
-
-    // Safety check — matcher already filters, but guard explicitly
-    if (data.tool_name !== 'Bash') {
-      process.exit(0);
-    }
-
-    const cmd = ((data.tool_input && data.tool_input.command) || '').substring(0, 500);
-    const rawOut = ((data.tool_response && data.tool_response.output) || '').substring(0, 2000);
-    const out = rawOut.replace(SECRET_PATTERN, '[REDACTED]');
-
-    const timestamp = new Date().toISOString();
-    const entry = `[${timestamp}] CMD: ${cmd}\nOUT: ${out}\n---\n`;
-
-    // Ensure log directory exists (guard avoids redundant mkdirSync on hot path)
-    if (!fs.existsSync(LOG_DIR)) fs.mkdirSync(LOG_DIR, { recursive: true });
-
-    // Log rotation: truncate when exceeding threshold
-    try {
-      const stat = fs.statSync(LOG_FILE);
-      if (stat.size > MAX_LOG_SIZE) fs.writeFileSync(LOG_FILE, entry, { mode: 0o600 });
-      else fs.appendFileSync(LOG_FILE, entry, 'utf8');
-    } catch {
-      // File does not exist yet — create with restrictive permissions
-      fs.writeFileSync(LOG_FILE, entry, { mode: 0o600 });
-    }
-  } catch {}
-
-  // Always exit 0 — logging must never block execution
-  process.exit(0);
-});
+#!/usr/bin/env node
+// PostToolUse hook: Log Bash command + output to ~/.kastell/session.log
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const LOG_DIR = path.join(os.homedir(), '.kastell');
+const LOG_FILE = path.join(LOG_DIR, 'session.log');
+const MAX_LOG_SIZE = 5 * 1024 * 1024; // 5MB rotation threshold
+const SECRET_PATTERN = /(?:TOKEN|SECRET|PASSWORD|KEY|CREDENTIAL|BEARER|AUTHORIZATION)\s*[=:]\s*\S+/gi;
+
+// MANDATORY stdin guard — exit silently if stdin unavailable
+if (!process.stdin || process.stdin.destroyed || !process.stdin.readable) {
+  process.exit(0);
+}
+
+let input = '';
+const stdinTimeout = setTimeout(() => process.exit(0), 1500);
+process.stdin.setEncoding('utf8');
+process.stdin.on('error', () => process.exit(0));
+process.stdin.on('data', chunk => { input += chunk; });
+process.stdin.on('end', () => {
+  clearTimeout(stdinTimeout);
+  try {
+    const data = JSON.parse(input);
+
+    // Safety check — matcher already filters, but guard explicitly
+    if (data.tool_name !== 'Bash') {
+      process.exit(0);
+    }
+
+    const cmd = ((data.tool_input && data.tool_input.command) || '').substring(0, 500);
+    const rawOut = ((data.tool_response && data.tool_response.output) || '').substring(0, 2000);
+    const out = rawOut.replace(SECRET_PATTERN, '[REDACTED]');
+
+    const timestamp = new Date().toISOString();
+    const entry = `[${timestamp}] CMD: ${cmd}\nOUT: ${out}\n---\n`;
+
+    // Ensure log directory exists (guard avoids redundant mkdirSync on hot path)
+    if (!fs.existsSync(LOG_DIR)) fs.mkdirSync(LOG_DIR, { recursive: true });
+
+    // Log rotation: truncate when exceeding threshold
+    try {
+      const stat = fs.statSync(LOG_FILE);
+      if (stat.size > MAX_LOG_SIZE) fs.writeFileSync(LOG_FILE, entry, { mode: 0o600 });
+      else fs.appendFileSync(LOG_FILE, entry, 'utf8');
+    } catch {
+      // File does not exist yet — create with restrictive permissions
+      fs.writeFileSync(LOG_FILE, entry, { mode: 0o600 });
+    }
+  } catch {}
+
+  // Always exit 0 — logging must never block execution
+  process.exit(0);
+});

package/kastell-plugin/hooks/stop-quality-check.cjs

@@ -1,72 +1,72 @@
-#!/usr/bin/env node
-// Stop hook: Warn if TypeScript errors, missing CHANGELOG entry, or stale README
-
-const fs = require('fs');
-const path = require('path');
-const { execSync } = require('child_process');
-
-// MANDATORY stdin guard — exit silently if stdin unavailable (e.g. after /clear)
-if (!process.stdin || process.stdin.destroyed || !process.stdin.readable) {
-  process.exit(0);
-}
-
-let input = '';
-const stdinTimeout = setTimeout(() => process.exit(0), 1500);
-process.stdin.setEncoding('utf8');
-process.stdin.on('error', () => process.exit(0));
-process.stdin.on('data', chunk => { input += chunk; });
-process.stdin.on('end', () => {
-  clearTimeout(stdinTimeout);
-  try {
-    const cwd = process.cwd();
-
-    // Kastell project guard
-    const isKastell = fs.existsSync(path.join(cwd, 'src', 'mcp')) &&
-                      fs.existsSync(path.join(cwd, 'package.json'));
-    if (!isKastell) {
-      try {
-        const pkg = JSON.parse(fs.readFileSync(path.join(cwd, 'package.json'), 'utf8'));
-        if (pkg.name !== 'kastell') process.exit(0);
-      } catch { process.exit(0); }
-    }
-
-    const warnings = [];
-
-    // Check 1: TypeScript build
-    try {
-      execSync('npx tsc --noEmit 2>&1', { cwd, timeout: 10000, stdio: 'pipe', windowsHide: true });
-    } catch {
-      warnings.push('TypeScript errors detected - run `npm run build` to see details');
-    }
-
-    // Check 2: CHANGELOG version entry
-    try {
-      const pkg = JSON.parse(fs.readFileSync(path.join(cwd, 'package.json'), 'utf8'));
-      const changelog = fs.readFileSync(path.join(cwd, 'CHANGELOG.md'), 'utf8');
-      if (!changelog.includes(`## [${pkg.version}]`) && !changelog.includes(`## ${pkg.version}`)) {
-        warnings.push(`CHANGELOG.md missing entry for v${pkg.version}`);
-      }
-    } catch {}
-
-    // Check 3: README staleness (compare last commit timestamps)
-    try {
-      const srcFiles = execSync('git log -1 --format=%ct -- src/', {
-        cwd, encoding: 'utf8', timeout: 5000, windowsHide: true,
-      }).trim();
-      const readmeCommit = execSync('git log -1 --format=%ct -- README.md', {
-        cwd, encoding: 'utf8', timeout: 5000, windowsHide: true,
-      }).trim();
-      if (srcFiles && readmeCommit && parseInt(srcFiles) > parseInt(readmeCommit)) {
-        warnings.push('README.md may be stale - src/ has newer commits');
-      }
-    } catch {}
-
-    // Output warnings to stderr — Stop hooks CANNOT block execution
-    for (const w of warnings) {
-      process.stderr.write(`WARNING: ${w}\n`);
-    }
-  } catch {}
-
-  // Always exit 0 — Stop hooks must never fail session end
-  process.exit(0);
-});
+#!/usr/bin/env node
+// Stop hook: Warn if TypeScript errors, missing CHANGELOG entry, or stale README
+
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+
+// MANDATORY stdin guard — exit silently if stdin unavailable (e.g. after /clear)
+if (!process.stdin || process.stdin.destroyed || !process.stdin.readable) {
+  process.exit(0);
+}
+
+let input = '';
+const stdinTimeout = setTimeout(() => process.exit(0), 1500);
+process.stdin.setEncoding('utf8');
+process.stdin.on('error', () => process.exit(0));
+process.stdin.on('data', chunk => { input += chunk; });
+process.stdin.on('end', () => {
+  clearTimeout(stdinTimeout);
+  try {
+    const cwd = process.cwd();
+
+    // Kastell project guard
+    const isKastell = fs.existsSync(path.join(cwd, 'src', 'mcp')) &&
+                      fs.existsSync(path.join(cwd, 'package.json'));
+    if (!isKastell) {
+      try {
+        const pkg = JSON.parse(fs.readFileSync(path.join(cwd, 'package.json'), 'utf8'));
+        if (pkg.name !== 'kastell') process.exit(0);
+      } catch { process.exit(0); }
+    }
+
+    const warnings = [];
+
+    // Check 1: TypeScript build
+    try {
+      execSync('npx tsc --noEmit 2>&1', { cwd, timeout: 10000, stdio: 'pipe', windowsHide: true });
+    } catch {
+      warnings.push('TypeScript errors detected - run `npm run build` to see details');
+    }
+
+    // Check 2: CHANGELOG version entry
+    try {
+      const pkg = JSON.parse(fs.readFileSync(path.join(cwd, 'package.json'), 'utf8'));
+      const changelog = fs.readFileSync(path.join(cwd, 'CHANGELOG.md'), 'utf8');
+      if (!changelog.includes(`## [${pkg.version}]`) && !changelog.includes(`## ${pkg.version}`)) {
+        warnings.push(`CHANGELOG.md missing entry for v${pkg.version}`);
+      }
+    } catch {}
+
+    // Check 3: README staleness (compare last commit timestamps)
+    try {
+      const srcFiles = execSync('git log -1 --format=%ct -- src/', {
+        cwd, encoding: 'utf8', timeout: 5000, windowsHide: true,
+      }).trim();
+      const readmeCommit = execSync('git log -1 --format=%ct -- README.md', {
+        cwd, encoding: 'utf8', timeout: 5000, windowsHide: true,
+      }).trim();
+      if (srcFiles && readmeCommit && parseInt(srcFiles) > parseInt(readmeCommit)) {
+        warnings.push('README.md may be stale - src/ has newer commits');
+      }
+    } catch {}
+
+    // Output warnings to stderr — Stop hooks CANNOT block execution
+    for (const w of warnings) {
+      process.stderr.write(`WARNING: ${w}\n`);
+    }
+  } catch {}
+
+  // Always exit 0 — Stop hooks must never fail session end
+  process.exit(0);
+});