oh-my-customcodex 0.1.0

package/templates/.claude/hooks/scripts/git-delegation-guard.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+# R010 git-delegation-guard hook
+# Warns when git operations are delegated to a non-mgr-gitnerd agent via Agent/Task tool.
+# WARN only - does NOT block (exit 0, passes input through).
+#
+# PPID Scoping Convention:
+#   All session-scoped temp files MUST use $PPID (Claude Code parent PID),
+#   NOT $$ (subprocess PID which changes per hook invocation).
+#   Pattern: /tmp/.codex-{purpose}-${PPID}
+#   See also: agent-teams-advisor.sh, context-budget-advisor.sh, stuck-detector.sh
+
+# Dependency check: exit silently if jq not available
+command -v jq >/dev/null 2>&1 || exit 0
+
+input=$(cat)
+
+agent_type=$(echo "$input" | jq -r '.tool_input.subagent_type // ""')
+prompt=$(echo "$input" | jq -r '.tool_input.prompt // ""')
+
+# R010 violation tracking file (PPID-scoped for session persistence)
+VIOLATION_FILE="/tmp/.codex-r010-violations-${PPID}"
+
+# Only warn when the delegated agent is NOT mgr-gitnerd
+if [ "$agent_type" != "mgr-gitnerd" ]; then
+  git_keywords=(
+    "git add"
+    "git commit"
+    "git push"
+    "git revert"
+    "git merge"
+    "git rebase"
+    "git checkout"
+    "git branch"
+    "git reset"
+    "git cherry-pick"
+    "git tag"
+  )
+
+  for keyword in "${git_keywords[@]}"; do
+    if echo "$prompt" | grep -qi "$keyword"; then
+      echo "[Hook] WARNING: R010 violation detected - git operation ('$keyword') delegated to '$agent_type' instead of 'mgr-gitnerd'" >&2
+      echo "[Hook] Per R010, all git operations (commit/push/branch/merge/etc.) MUST be delegated to mgr-gitnerd" >&2
+
+      # Record violation for R021 promotion tracking
+      echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $keyword $agent_type" >> "$VIOLATION_FILE"
+      violation_count=$(wc -l < "$VIOLATION_FILE" 2>/dev/null | tr -d ' ')
+      if [ "$violation_count" -ge 3 ]; then
+        echo "[Hook] R010 violations: ${violation_count} this session — R021 promotion threshold reached" >&2
+      fi
+
+      break
+    fi
+  done
+fi
+
+# Always pass through - this hook is advisory only
+echo "$input"

package/templates/.claude/hooks/scripts/model-escalation-advisor.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+set -euo pipefail
+
+# Dependency check: exit silently if jq not available
+command -v jq >/dev/null 2>&1 || exit 0
+
+# Model Escalation Advisor Hook
+# Trigger: PreToolUse, tool == "Task" || tool == "Agent"
+# Purpose: Advise model escalation when failure patterns detected
+# Protocol: stdin JSON -> process -> stdout pass-through, exit 0 always
+
+input=$(cat)
+
+# Extract current task info
+agent_type=$(echo "$input" | jq -r '.tool_input.subagent_type // "unknown"')
+current_model=$(echo "$input" | jq -r '.tool_input.model // "inherit"')
+
+# Session-scoped outcome log
+OUTCOME_FILE="/tmp/.codex-task-outcomes-${PPID}"
+
+# Skip if no history
+if [ ! -f "$OUTCOME_FILE" ]; then
+  echo "$input"
+  exit 0
+fi
+
+# Thresholds
+FAILURE_THRESHOLD=2
+CONSECUTIVE_THRESHOLD=3
+COOLDOWN=5
+
+# Count failures for this agent type
+agent_failures=0
+if [ -n "$agent_type" ] && [ "$agent_type" != "unknown" ]; then
+  agent_failures=$(grep -c "\"agent_type\":\"${agent_type}\".*\"outcome\":\"failure\"" "$OUTCOME_FILE" 2>/dev/null || echo "0")
+fi
+
+# Count consecutive failures (tail entries)
+consecutive_failures=$(tail -${CONSECUTIVE_THRESHOLD} "$OUTCOME_FILE" 2>/dev/null | grep -c '"outcome":"failure"' 2>/dev/null || echo "0")
+
+# Escalation path
+next_model=""
+cost_multiplier=""
+case "$current_model" in
+  haiku)
+    next_model="sonnet"
+    cost_multiplier="~3-5x"
+    ;;
+  sonnet)
+    next_model="opus"
+    cost_multiplier="~5-10x"
+    ;;
+  *)
+    next_model=""
+    ;;
+esac
+
+# Advise escalation
+if [ -n "$next_model" ]; then
+  should_advise=false
+  reason=""
+
+  if [ "$agent_failures" -ge "$FAILURE_THRESHOLD" ]; then
+    should_advise=true
+    reason="${agent_type} failed ${agent_failures}x with ${current_model}"
+  elif [ "$consecutive_failures" -ge "$CONSECUTIVE_THRESHOLD" ]; then
+    should_advise=true
+    reason="${consecutive_failures} consecutive failures"
+  fi
+
+  if [ "$should_advise" = true ]; then
+    echo "" >&2
+    echo "--- [Model Escalation Advisory] ---" >&2
+    echo "  Agent type: ${agent_type}" >&2
+    echo "  Current model: ${current_model}" >&2
+    echo "  ⚡ Recommended: Escalate to ${next_model}" >&2
+    echo "  Cost impact: ${cost_multiplier} per task" >&2
+    echo "  Reason: ${reason}" >&2
+    echo "------------------------------------" >&2
+  fi
+fi
+
+# De-escalation check
+if [ "$current_model" != "haiku" ] && [ "$current_model" != "inherit" ] && [ "$current_model" != "" ]; then
+  recent_successes=$(tail -${COOLDOWN} "$OUTCOME_FILE" 2>/dev/null | grep -c '"outcome":"success"' 2>/dev/null || echo "0")
+
+  if [ "$recent_successes" -ge "$COOLDOWN" ]; then
+    lower_model=""
+    case "$current_model" in
+      opus) lower_model="sonnet" ;;
+      sonnet) lower_model="haiku" ;;
+    esac
+
+    if [ -n "$lower_model" ]; then
+      echo "" >&2
+      echo "--- [Model De-escalation Advisory] ---" >&2
+      echo "  ↓ Consider: ${current_model} → ${lower_model}" >&2
+      echo "  ${recent_successes} consecutive successes" >&2
+      echo "--------------------------------------" >&2
+    fi
+  fi
+fi
+
+# Pass through
+echo "$input"
+exit 0

package/templates/.claude/hooks/scripts/omcodex-auto-update.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+# Canonical wrapper for the child-package SessionStart auto-update hook.
+# Keep the legacy script name as an implementation alias for compatibility.
+exec "$(dirname "$0")/omcustom-auto-update.sh" "$@"

package/templates/.claude/hooks/scripts/omcustom-auto-update.sh

@@ -0,0 +1,177 @@
+#!/usr/bin/env bash
+# SessionStart auto-update hook — interactive omcodex update check
+# Trigger: SessionStart (runs BEFORE session-env-check.sh)
+# Purpose: Check for oh-my-customcodex updates, prompt user, optionally update
+# Protocol: stdin JSON -> stdout pass-through, exit 0 ALWAYS
+# Design: GitHub issue #752
+
+# Pass through stdin immediately — capture for later output
+input=$(cat)
+
+# --- Guard: skip conditions ---
+
+# Skip if explicitly disabled
+if [ "${OMCODEX_SKIP_AUTO_UPDATE:-${OMCUSTOM_SKIP_AUTO_UPDATE:-}}" = "true" ]; then
+  echo "$input"
+  exit 0
+fi
+
+# Skip if /dev/tty not available (CI, Docker, non-interactive)
+if ! [ -c /dev/tty ] 2>/dev/null; then
+  echo "$input"
+  exit 0
+fi
+
+# --- Configuration ---
+CACHE_DIR="$HOME/.oh-my-customcodex"
+LEGACY_CACHE_DIR="$HOME/.oh-my-customcode"
+CACHE_FILE="${CACHE_DIR}/self-update-cache.json"
+CACHE_MAX_AGE=3600  # 1 hour in seconds
+NPM_TIMEOUT=3       # seconds for npm view
+INPUT_TIMEOUT=10     # seconds for user prompt
+PACKAGE_NAME="oh-my-customcodex"
+
+# --- Helper: semantic version compare ---
+# Returns 0 if $1 < $2 (update available)
+version_lt() {
+  local older
+  older=$(printf '%s\n' "$1" "$2" | sort -V | head -1)
+  [ "$older" = "$1" ] && [ "$1" != "$2" ]
+}
+
+# --- Step 1: Get current installed version ---
+CURRENT_VERSION=""
+
+# Try project rc file in current directory (legacy .omcustomrc.json retained for compatibility)
+if [ -f ".omcodexrc.json" ]; then
+  CURRENT_VERSION=$(grep -o '"version"[[:space:]]*:[[:space:]]*"[^"]*"' .omcodexrc.json 2>/dev/null | head -1 | grep -o '"[^"]*"$' | tr -d '"')
+elif [ -f ".omcustomrc.json" ]; then
+  CURRENT_VERSION=$(grep -o '"version"[[:space:]]*:[[:space:]]*"[^"]*"' .omcustomrc.json 2>/dev/null | head -1 | grep -o '"[^"]*"$' | tr -d '"')
+fi
+
+# Fallback: try npm list
+if [ -z "$CURRENT_VERSION" ]; then
+  CURRENT_VERSION=$(npm list -g "$PACKAGE_NAME" --depth=0 2>/dev/null | grep -o "${PACKAGE_NAME}@[^ ]*" | cut -d'@' -f2)
+fi
+
+# Cannot determine current version — skip
+if [ -z "$CURRENT_VERSION" ]; then
+  echo "$input"
+  exit 0
+fi
+
+# --- Step 2: Get latest version (cache-first, network fallback) ---
+LATEST_VERSION=""
+CACHE_HIT=false
+
+# Ensure cache directory exists
+mkdir -p "$CACHE_DIR" 2>/dev/null
+
+if [ ! -f "$CACHE_FILE" ] && [ -f "${LEGACY_CACHE_DIR}/self-update-cache.json" ]; then
+  CACHE_FILE="${LEGACY_CACHE_DIR}/self-update-cache.json"
+fi
+
+# Check cache freshness
+if [ -f "$CACHE_FILE" ]; then
+  CACHE_TIMESTAMP=$(grep -o '"timestamp"[[:space:]]*:[[:space:]]*[0-9]*' "$CACHE_FILE" 2>/dev/null | grep -o '[0-9]*$')
+  CACHED_VERSION=$(grep -o '"version"[[:space:]]*:[[:space:]]*"[^"]*"' "$CACHE_FILE" 2>/dev/null | grep -o '"[^"]*"$' | tr -d '"')
+
+  if [ -n "$CACHE_TIMESTAMP" ] && [ -n "$CACHED_VERSION" ]; then
+    NOW=$(date +%s)
+    AGE=$((NOW - CACHE_TIMESTAMP))
+
+    if [ "$AGE" -lt "$CACHE_MAX_AGE" ]; then
+      LATEST_VERSION="$CACHED_VERSION"
+      CACHE_HIT=true
+    fi
+  fi
+fi
+
+# Cache miss or stale — fetch from npm registry
+if [ "$CACHE_HIT" = false ]; then
+  if command -v npm >/dev/null 2>&1; then
+    LATEST_VERSION=$(timeout "$NPM_TIMEOUT" npm view "$PACKAGE_NAME" version 2>/dev/null || echo "")
+
+    # Update cache on successful fetch
+    if [ -n "$LATEST_VERSION" ]; then
+      NOW=$(date +%s)
+      cat > "$CACHE_FILE" << EOF
+{
+  "version": "${LATEST_VERSION}",
+  "timestamp": ${NOW},
+  "source": "npm-registry"
+}
+EOF
+    fi
+  fi
+fi
+
+# Could not determine latest version — skip
+if [ -z "$LATEST_VERSION" ]; then
+  echo "$input"
+  exit 0
+fi
+
+# --- Step 3: Compare versions ---
+if ! version_lt "$CURRENT_VERSION" "$LATEST_VERSION"; then
+  # Already up to date
+  echo "$input"
+  exit 0
+fi
+
+# --- Step 4: Prompt user for update ---
+echo "" >&2
+echo "--- [oh-my-customcodex Update Available] ---" >&2
+echo "  New version: v${LATEST_VERSION} (current: v${CURRENT_VERSION})" >&2
+echo "" >&2
+
+# Interactive prompt via /dev/tty (SessionStart stdin is JSON pipe)
+printf "  Update oh-my-customcodex to v%s? [y/N] " "$LATEST_VERSION" >/dev/tty 2>/dev/null
+if read -r -t "$INPUT_TIMEOUT" answer </dev/tty 2>/dev/null; then
+  case "$answer" in
+    [yY]|[yY][eE][sS])
+      echo "  Installing oh-my-customcodex@${LATEST_VERSION}..." >&2
+      if npm install -g "${PACKAGE_NAME}@latest" >&2 2>&1; then
+        echo "  ✓ Updated to v${LATEST_VERSION}" >&2
+
+        # Check if project harness should be updated too
+        if [ -f ".omcustomrc.json" ]; then
+          printf "  Update project harness too? [y/N] " >/dev/tty 2>/dev/null
+          if read -r -t "$INPUT_TIMEOUT" harness_answer </dev/tty 2>/dev/null; then
+            case "$harness_answer" in
+              [yY]|[yY][eE][sS])
+                echo "  Updating project harness..." >&2
+                if command -v omcustom >/dev/null 2>&1; then
+                  omcustom update --force >&2 2>&1 || echo "  ⚠ Harness update failed (non-blocking)" >&2
+                  echo "  ✓ Project harness updated" >&2
+                else
+                  echo "  ⚠ omcustom command not found after install" >&2
+                fi
+                ;;
+              *)
+                echo "  Skipped harness update" >&2
+                ;;
+            esac
+          else
+            echo "" >&2
+            echo "  Timed out — skipped harness update" >&2
+          fi
+        fi
+      else
+        echo "  ⚠ Update failed (non-blocking, continuing session)" >&2
+      fi
+      ;;
+    *)
+      echo "  Skipped update" >&2
+      ;;
+  esac
+else
+  echo "" >&2
+  echo "  Timed out — skipped update" >&2
+fi
+
+echo "------------------------------------" >&2
+
+# Always pass through and exit 0
+echo "$input"
+exit 0

package/templates/.claude/hooks/scripts/rtk-intercept.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+# RTK Auto-Intercept Hook
+# Trigger: PreToolUse (Bash matcher)
+# Purpose: Transparently rewrite CLI commands through RTK proxy
+# Protocol: stdin JSON → stdout modified JSON, exit 0 always
+
+set -euo pipefail
+
+input=$(cat)
+
+# Only intercept Bash tool calls
+tool_name=$(echo "$input" | jq -r '.tool // empty' 2>/dev/null || echo "")
+if [ "$tool_name" != "Bash" ]; then
+  echo "$input"
+  exit 0
+fi
+
+# Check RTK availability
+RTK_AVAILABLE=false
+STATUS_FILE="/tmp/.codex-env-status-${PPID}"
+if [ -f "$STATUS_FILE" ] && grep -q "rtk=available" "$STATUS_FILE" 2>/dev/null; then
+  RTK_AVAILABLE=true
+elif command -v rtk >/dev/null 2>&1; then
+  RTK_AVAILABLE=true
+fi
+
+if [ "$RTK_AVAILABLE" != "true" ]; then
+  echo "$input"
+  exit 0
+fi
+
+# Extract command
+cmd=$(echo "$input" | jq -r '.tool_input.command // empty' 2>/dev/null || echo "")
+if [ -z "$cmd" ]; then
+  echo "$input"
+  exit 0
+fi
+
+# Skip if already using rtk
+if echo "$cmd" | grep -qE '^rtk\b'; then
+  echo "$input"
+  exit 0
+fi
+
+# Skip complex commands (pipes, redirections, background, subshells, semicolons with multiple commands)
+if echo "$cmd" | grep -qE '[|><&]|;\s*\w'; then
+  echo "$input"
+  exit 0
+fi
+
+# RTK-supported command prefixes
+RTK_CMDS="ls find tree du cat head tail wc grep rg git cargo npm pnpm bun pip pytest vitest jest rspec eslint tsc ruff docker kubectl"
+
+# Extract first word of command (skip env var assignments like FOO=bar)
+first_word=$(echo "$cmd" | sed 's/^[A-Z_]*=[^ ]* //' | awk '{print $1}')
+
+# Check if command is RTK-supported
+SUPPORTED=false
+for rtk_cmd in $RTK_CMDS; do
+  if [ "$first_word" = "$rtk_cmd" ]; then
+    SUPPORTED=true
+    break
+  fi
+done
+
+if [ "$SUPPORTED" != "true" ]; then
+  echo "$input"
+  exit 0
+fi
+
+# Rewrite command with rtk prefix
+new_cmd="rtk $cmd"
+echo "[RTK] Intercepted: $cmd → $new_cmd" >&2
+
+# Output modified JSON
+echo "$input" | jq --arg new_cmd "$new_cmd" '.tool_input.command = $new_cmd'
+exit 0

package/templates/.claude/hooks/scripts/rule-deletion-guard.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# rule-deletion-guard.sh — Block rule file deletion without individual user confirmation
+# Requires: jq
+
+set -uo pipefail
+
+input=$(cat)
+
+# Dependency check — allow if jq missing
+if ! command -v jq &>/dev/null; then
+  echo "$input"
+  exit 0
+fi
+
+# Parse tool input
+tool=$(echo "$input" | jq -r '.tool // ""' 2>/dev/null) || { echo "$input"; exit 0; }
+cmd=$(echo "$input" | jq -r '.tool_input.command // ""' 2>/dev/null) || { echo "$input"; exit 0; }
+
+# Only check Bash tool
+if [ "$tool" != "Bash" ]; then
+  echo "$input"
+  exit 0
+fi
+
+# Check if command would delete parent directories containing rules
+if echo "$cmd" | grep -qE '(^|\s)(rm|git\s+rm|mv|unlink)\s' && echo "$cmd" | grep -qE '\.codex/?(\s|$)'; then
+  echo "[Hook] ⛔ RULE DELETION BLOCKED — Parent directory deletion detected" >&2
+  echo "[Hook] This command would delete the entire .codex/ directory including all rules." >&2
+  echo "[Hook] Delete rules individually with user confirmation." >&2
+  exit 2
+fi
+
+# Check if command targets .codex/rules/ for deletion (including mv, unlink)
+if echo "$cmd" | grep -qE '(^|\s)(rm|git\s+rm|mv|unlink)\s' && echo "$cmd" | grep -qE '\.codex/rules(/|\s|$)'; then
+  # Extract target files
+  targets=$(echo "$cmd" | grep -oE '\.codex/rules/[^ ]+' | tr '\n' ', ' | sed 's/,$//')
+  target_count=$(echo "$cmd" | grep -oE '\.codex/rules/[^ ]+' | wc -l | tr -d ' ')
+
+  # Check for glob/wildcard patterns or multiple targets
+  if echo "$cmd" | grep -qE '\.codex/rules/\*|\.codex/rules/[^ ]*\*' || [ "$target_count" -gt 1 ]; then
+    echo "[Hook] ⛔ RULE DELETION BLOCKED — Multiple rules detected" >&2
+    echo "[Hook] Targets: $targets" >&2
+    echo "[Hook] Rule files must be deleted ONE AT A TIME with user confirmation." >&2
+    echo "[Hook] Delete each rule individually after asking: \"정말 {파일명}을(를) 삭제하시겠습니까?\"" >&2
+    exit 2
+  fi
+
+  # Single rule file
+  filename=$(basename "$targets" 2>/dev/null || echo "$targets")
+  echo "[Hook] ⛔ RULE DELETION BLOCKED" >&2
+  echo "[Hook] Target: $filename" >&2
+  echo "[Hook] Rule files require individual user confirmation before deletion." >&2
+  echo "[Hook] Ask the user: \"정말 ${filename}을(를) 삭제하시겠습니까?\"" >&2
+  echo "[Hook] Only proceed after explicit user approval." >&2
+  exit 2
+fi
+
+# Not a rule deletion — pass through
+echo "$input"
+exit 0

package/templates/.claude/hooks/scripts/schema-validator.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+# Schema Validator Hook — PreToolUse input validation
+# Trigger: PreToolUse on Write, Edit, Bash
+# Purpose: Validate tool inputs against JSON Schema definitions
+# Phase 1: Advisory only (exit 0 with stderr warning)
+# Protocol: stdin JSON -> validate -> stdout pass-through
+
+set -euo pipefail
+
+# Dependency check: exit silently if jq not available
+command -v jq >/dev/null 2>&1 || exit 0
+
+input=$(cat)
+
+# Extract tool info
+tool_name=$(echo "$input" | jq -r '.tool_name // "unknown"')
+tool_input=$(echo "$input" | jq -r '.tool_input // {}')
+
+SCHEMA_FILE=".codex/schemas/tool-inputs.json"
+
+# Skip if schema file doesn't exist
+if [ ! -f "$SCHEMA_FILE" ]; then
+  echo "$input"
+  exit 0
+fi
+
+warnings=()
+
+case "$tool_name" in
+  "Write")
+    file_path=$(echo "$tool_input" | jq -r '.file_path // ""')
+    content=$(echo "$tool_input" | jq -r '.content // ""')
+
+    if [ -z "$file_path" ]; then
+      warnings+=("[Schema] Write: file_path is empty or missing")
+    fi
+    if [ -z "$content" ]; then
+      warnings+=("[Schema] Write: content is empty — creating empty file?")
+    fi
+    ;;
+
+  "Edit")
+    file_path=$(echo "$tool_input" | jq -r '.file_path // ""')
+    old_string=$(echo "$tool_input" | jq -r '.old_string // ""')
+    new_string=$(echo "$tool_input" | jq -r '.new_string // ""')
+
+    if [ -z "$file_path" ]; then
+      warnings+=("[Schema] Edit: file_path is empty or missing")
+    fi
+    if [ -z "$old_string" ]; then
+      warnings+=("[Schema] Edit: old_string is empty")
+    fi
+    if [ "$old_string" = "$new_string" ]; then
+      warnings+=("[Schema] Edit: old_string equals new_string — no-op edit")
+    fi
+    ;;
+
+  "Bash")
+    command=$(echo "$tool_input" | jq -r '.command // ""')
+
+    if [ -z "$command" ]; then
+      warnings+=("[Schema] Bash: command is empty")
+    fi
+
+    # Check dangerous patterns
+    if echo "$command" | grep -qE 'rm\s+-rf\s+/[^.]'; then
+      warnings+=("[Schema] Bash: DANGER — recursive delete from root detected")
+    fi
+    if echo "$command" | grep -qE '^\s*sudo\s+'; then
+      warnings+=("[Schema] Bash: elevated privilege command detected")
+    fi
+    if echo "$command" | grep -qE '> /dev/sd'; then
+      warnings+=("[Schema] Bash: direct disk write detected")
+    fi
+    if echo "$command" | grep -qE 'mkfs\.'; then
+      warnings+=("[Schema] Bash: filesystem format command detected")
+    fi
+    # Remote code execution via pipe
+    if echo "$command" | grep -qE 'curl\s+.*\|\s*(ba)?sh'; then
+      warnings+=("[Schema] Bash: remote code execution pattern (curl | bash) detected")
+    fi
+    if echo "$command" | grep -qE 'wget\s+.*\|\s*(ba)?sh'; then
+      warnings+=("[Schema] Bash: remote code execution pattern (wget | sh) detected")
+    fi
+    # Dynamic code execution
+    if echo "$command" | grep -qE 'eval\s+\$\('; then
+      warnings+=("[Schema] Bash: dynamic code execution (eval) detected")
+    fi
+    # Broad permission grant
+    if echo "$command" | grep -qE 'chmod\s+777'; then
+      warnings+=("[Schema] Bash: broad permission grant (chmod 777) detected")
+    fi
+    ;;
+esac
+
+# Output warnings (advisory only)
+if [ ${#warnings[@]} -gt 0 ]; then
+  for w in "${warnings[@]}"; do
+    echo "$w" >&2
+  done
+  echo "[Schema] Phase 1: advisory only — not blocking" >&2
+fi
+
+# Always pass through (Phase 1)
+echo "$input"
+exit 0

package/templates/.claude/hooks/scripts/secret-filter.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+# Secret Output Filter Hook — Detect potential secrets in tool output
+# Trigger: PostToolUse on Bash, Read, Grep
+# Purpose: Advisory warning when potential secrets detected in output
+# Protocol: stdin JSON -> scan -> stdout pass-through
+# Always exits 0 (advisory only, never blocks)
+
+set -euo pipefail
+
+# Dependency check: exit silently if jq not available
+command -v jq >/dev/null 2>&1 || exit 0
+
+input=$(cat)
+
+# Extract output to scan
+tool_name=$(echo "$input" | jq -r '.tool_name // "unknown"')
+output=$(echo "$input" | jq -r '.tool_output.output // ""')
+
+# Skip if no output
+if [ -z "$output" ] || [ "$output" = "null" ]; then
+  echo "$input"
+  exit 0
+fi
+
+# Secret patterns to detect
+detected=false
+
+# AWS Access Key ID
+if echo "$output" | grep -qE 'AKIA[0-9A-Z]{16}'; then
+  echo "[Security] Potential AWS Access Key detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# OpenAI/Anthropic API Key
+if echo "$output" | grep -qE 'sk-[a-zA-Z0-9]{32,}'; then
+  echo "[Security] Potential API key (sk-*) detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# GitHub Personal Access Token
+if echo "$output" | grep -qE 'ghp_[a-zA-Z0-9]{36}'; then
+  echo "[Security] Potential GitHub PAT detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# Private Key
+if echo "$output" | grep -qE '-----BEGIN.*PRIVATE KEY-----'; then
+  echo "[Security] Potential private key detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# Bearer Token (long)
+if echo "$output" | grep -qE 'Bearer [a-zA-Z0-9._-]{20,}'; then
+  echo "[Security] Potential Bearer token detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# GitHub OAuth Token
+if echo "$output" | grep -qE 'gho_[a-zA-Z0-9]{36}'; then
+  echo "[Security] Potential GitHub OAuth token detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# GitHub Fine-Grained PAT
+if echo "$output" | grep -qE 'github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}'; then
+  echo "[Security] Potential GitHub Fine-Grained PAT detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# GitHub Actions Token
+if echo "$output" | grep -qE 'ghs_[a-zA-Z0-9]{36}'; then
+  echo "[Security] Potential GitHub Actions token detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# npm Token
+if echo "$output" | grep -qE 'npm_[a-zA-Z0-9]{36}'; then
+  echo "[Security] Potential npm token detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# Slack Token
+if echo "$output" | grep -qE 'xox[bsarp]-[a-zA-Z0-9-]{10,}'; then
+  echo "[Security] Potential Slack token detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# Docker Hub PAT
+if echo "$output" | grep -qE 'dckr_pat_[a-zA-Z0-9_-]{20,}'; then
+  echo "[Security] Potential Docker Hub PAT detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+if [ "$detected" = true ]; then
+  echo "[Security] Review output carefully — do NOT commit or expose secrets" >&2
+fi
+
+# Pass through (always)
+echo "$input"
+exit 0