oh-my-opencode-unguarded 3.9.4 → 3.10.0

package/dist/cli/index.js

@@ -7109,11 +7109,14 @@ var init_constants = __esm(() => {
 });
 
 // src/features/hook-message-injector/injector.ts
+import { randomBytes } from "crypto";
+var processPrefix;
 var init_injector = __esm(() => {
   init_constants();
   init_logger();
   init_opencode_storage_detection();
   init_shared();
+  processPrefix = randomBytes(4).toString("hex");
 });
 
 // src/features/hook-message-injector/index.ts
@@ -9329,7 +9332,7 @@ var {
 // package.json
 var package_default = {
   name: "oh-my-opencode-unguarded",
-  version: "3.9.4",
+  version: "3.10.0",
   description: "The Best AI Agent Harness - Batteries-Included OpenCode Plugin with Multi-Model Orchestration, Parallel Background Agents, and Crafted LSP/AST Tools",
   main: "dist/index.js",
   types: "dist/index.d.ts",
@@ -9379,10 +9382,6 @@ var package_default = {
     url: "https://github.com/D4ch1au/evil-oh-my-opencode/issues"
   },
   homepage: "https://github.com/D4ch1au/evil-oh-my-opencode#readme",
-  publishConfig: {
-    registry: "https://registry.npmjs.org",
-    access: "public"
-  },
   dependencies: {
     "@ast-grep/cli": "^0.40.0",
     "@ast-grep/napi": "^0.40.0",
@@ -9408,23 +9407,27 @@ var package_default = {
     typescript: "^5.7.3"
   },
   optionalDependencies: {
-    "oh-my-opencode-darwin-arm64": "3.9.0",
-    "oh-my-opencode-darwin-x64": "3.9.0",
-    "oh-my-opencode-darwin-x64-baseline": "3.9.0",
-    "oh-my-opencode-linux-arm64": "3.9.0",
-    "oh-my-opencode-linux-arm64-musl": "3.9.0",
-    "oh-my-opencode-linux-x64": "3.9.0",
-    "oh-my-opencode-linux-x64-baseline": "3.9.0",
-    "oh-my-opencode-linux-x64-musl": "3.9.0",
-    "oh-my-opencode-linux-x64-musl-baseline": "3.9.0",
-    "oh-my-opencode-windows-x64": "3.9.0",
-    "oh-my-opencode-windows-x64-baseline": "3.9.0"
+    "oh-my-opencode-darwin-arm64": "3.10.0",
+    "oh-my-opencode-darwin-x64": "3.10.0",
+    "oh-my-opencode-darwin-x64-baseline": "3.10.0",
+    "oh-my-opencode-linux-arm64": "3.10.0",
+    "oh-my-opencode-linux-arm64-musl": "3.10.0",
+    "oh-my-opencode-linux-x64": "3.10.0",
+    "oh-my-opencode-linux-x64-baseline": "3.10.0",
+    "oh-my-opencode-linux-x64-musl": "3.10.0",
+    "oh-my-opencode-linux-x64-musl-baseline": "3.10.0",
+    "oh-my-opencode-windows-x64": "3.10.0",
+    "oh-my-opencode-windows-x64-baseline": "3.10.0"
   },
   trustedDependencies: [
     "@ast-grep/cli",
     "@ast-grep/napi",
     "@code-yeongyu/comment-checker"
-  ]
+  ],
+  publishConfig: {
+    registry: "https://registry.npmjs.org",
+    access: "public"
+  }
 };
 
 // src/cli/cli-installer.ts
@@ -28259,10 +28262,10 @@ async function findAvailablePort2(startPort = DEFAULT_PORT) {
 
 // src/features/mcp-oauth/oauth-authorization-flow.ts
 import { spawn as spawn2 } from "child_process";
-import { createHash, randomBytes } from "crypto";
+import { createHash, randomBytes as randomBytes2 } from "crypto";
 import { createServer } from "http";
 function generateCodeVerifier() {
-  return randomBytes(32).toString("base64url");
+  return randomBytes2(32).toString("base64url");
 }
 function generateCodeChallenge(verifier) {
   return createHash("sha256").update(verifier).digest("base64url");
@@ -28347,7 +28350,7 @@ function openBrowser(url2) {
 async function runAuthorizationCodeRedirect(options) {
   const verifier = generateCodeVerifier();
   const challenge = generateCodeChallenge(verifier);
-  const state = randomBytes(16).toString("hex");
+  const state = randomBytes2(16).toString("hex");
   const authorizationUrl = buildAuthorizationUrl(options.authorizationEndpoint, {
     clientId: options.clientId,
     redirectUri: options.redirectUri,

package/dist/index.js

@@ -18032,8 +18032,10 @@ function isAnyProviderConnected(providers, availableModels) {
 }
 // src/features/hook-message-injector/injector.ts
 import { existsSync as existsSync11, mkdirSync as mkdirSync4, readFileSync as readFileSync7, readdirSync, writeFileSync as writeFileSync4 } from "fs";
+import { randomBytes } from "crypto";
 import { join as join12 } from "path";
 init_logger();
+var processPrefix = randomBytes(4).toString("hex");
 function convertSDKMessageToStoredMessage(msg) {
   const info = msg.info;
   if (!info)
@@ -36667,6 +36669,7 @@ function isHookCommandDisabled(eventType, command, config2) {
 
 // src/hooks/claude-code-hooks/execute-http-hook.ts
 var DEFAULT_HTTP_HOOK_TIMEOUT_S = 30;
+var ALLOWED_SCHEMES = new Set(["http:", "https:"]);
 function interpolateEnvVars(value, allowedEnvVars) {
   const allowedSet = new Set(allowedEnvVars);
   return value.replace(/\$\{(\w+)\}|\$(\w+)/g, (_match, bracedVar, bareVar) => {
@@ -36690,6 +36693,17 @@ function resolveHeaders(hook) {
   return headers;
 }
 async function executeHttpHook(hook, stdin) {
+  try {
+    const parsed = new URL(hook.url);
+    if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
+      return {
+        exitCode: 1,
+        stderr: `HTTP hook URL scheme "${parsed.protocol}" is not allowed. Only http: and https: are permitted.`
+      };
+    }
+  } catch {
+    return { exitCode: 1, stderr: `HTTP hook URL is invalid: ${hook.url}` };
+  }
   const timeoutS = hook.timeout ?? DEFAULT_HTTP_HOOK_TIMEOUT_S;
   const headers = resolveHeaders(hook);
   try {
@@ -36779,8 +36793,9 @@ async function executeUserPromptSubmitHooks(ctx, config2, extendedConfig) {
     for (const hook of matcher.hooks) {
       if (hook.type !== "command" && hook.type !== "http")
         continue;
-      if (hook.type === "command" && isHookCommandDisabled("UserPromptSubmit", hook.command, extendedConfig ?? null)) {
-        log("UserPromptSubmit hook command skipped (disabled by config)", { command: hook.command });
+      const hookName = getHookIdentifier(hook);
+      if (isHookCommandDisabled("UserPromptSubmit", hookName, extendedConfig ?? null)) {
+        log("UserPromptSubmit hook command skipped (disabled by config)", { command: hookName });
         continue;
       }
       const result = await dispatchHook(hook, JSON.stringify(stdinData), ctx.cwd);
@@ -37062,11 +37077,11 @@ async function executePreCompactHooks(ctx, config2, extendedConfig) {
     for (const hook of matcher.hooks) {
       if (hook.type !== "command" && hook.type !== "http")
         continue;
-      if (hook.type === "command" && isHookCommandDisabled("PreCompact", hook.command, extendedConfig ?? null)) {
-        log("PreCompact hook command skipped (disabled by config)", { command: hook.command });
+      const hookName = getHookIdentifier(hook);
+      if (isHookCommandDisabled("PreCompact", hookName, extendedConfig ?? null)) {
+        log("PreCompact hook command skipped (disabled by config)", { command: hookName });
         continue;
       }
-      const hookName = getHookIdentifier(hook);
       if (!firstHookName)
         firstHookName = hookName;
       const result = await dispatchHook(hook, JSON.stringify(stdinData), ctx.cwd);
@@ -37169,8 +37184,9 @@ async function executeStopHooks(ctx, config2, extendedConfig) {
     for (const hook of matcher.hooks) {
       if (hook.type !== "command" && hook.type !== "http")
         continue;
-      if (hook.type === "command" && isHookCommandDisabled("Stop", hook.command, extendedConfig ?? null)) {
-        log("Stop hook command skipped (disabled by config)", { command: hook.command });
+      const hookName = getHookIdentifier(hook);
+      if (isHookCommandDisabled("Stop", hookName, extendedConfig ?? null)) {
+        log("Stop hook command skipped (disabled by config)", { command: hookName });
         continue;
       }
       const result = await dispatchHook(hook, JSON.stringify(stdinData), ctx.cwd);
@@ -37324,11 +37340,11 @@ async function executePostToolUseHooks(ctx, config2, extendedConfig) {
       for (const hook of matcher.hooks) {
         if (hook.type !== "command" && hook.type !== "http")
           continue;
-        if (hook.type === "command" && isHookCommandDisabled("PostToolUse", hook.command, extendedConfig ?? null)) {
-          log("PostToolUse hook command skipped (disabled by config)", { command: hook.command, toolName: ctx.toolName });
+        const hookName = getHookIdentifier(hook);
+        if (isHookCommandDisabled("PostToolUse", hookName, extendedConfig ?? null)) {
+          log("PostToolUse hook command skipped (disabled by config)", { command: hookName, toolName: ctx.toolName });
           continue;
         }
-        const hookName = getHookIdentifier(hook);
         if (!firstHookName)
           firstHookName = hookName;
         const result = await dispatchHook(hook, JSON.stringify(stdinData), ctx.cwd);
@@ -37561,11 +37577,11 @@ async function executePreToolUseHooks(ctx, config2, extendedConfig) {
     for (const hook of matcher.hooks) {
       if (hook.type !== "command" && hook.type !== "http")
         continue;
-      if (hook.type === "command" && isHookCommandDisabled("PreToolUse", hook.command, extendedConfig ?? null)) {
-        log("PreToolUse hook command skipped (disabled by config)", { command: hook.command, toolName: ctx.toolName });
+      const hookName = getHookIdentifier(hook);
+      if (isHookCommandDisabled("PreToolUse", hookName, extendedConfig ?? null)) {
+        log("PreToolUse hook command skipped (disabled by config)", { command: hookName, toolName: ctx.toolName });
         continue;
       }
-      const hookName = getHookIdentifier(hook);
       if (!firstHookName)
         firstHookName = hookName;
       const result = await dispatchHook(hook, JSON.stringify(stdinData), ctx.cwd);
@@ -49955,6 +49971,8 @@ function extractBase64Data(imageData) {
 }
 
 // src/hooks/read-image-resizer/image-dimensions.ts
+var HEADER_BYTES = 32768;
+var HEADER_BASE64_CHARS = Math.ceil(HEADER_BYTES / 3) * 4;
 function toImageDimensions(width, height) {
   if (!Number.isFinite(width) || !Number.isFinite(height)) {
     return null;
@@ -50068,7 +50086,8 @@ function parseImageDimensions(base64DataUrl, mimeType) {
     if (!rawBase64) {
       return null;
     }
-    const buffer = Buffer.from(rawBase64, "base64");
+    const headerBase64 = rawBase64.length > HEADER_BASE64_CHARS ? rawBase64.slice(0, HEADER_BASE64_CHARS) : rawBase64;
+    const buffer = Buffer.from(headerBase64, "base64");
     if (buffer.length === 0) {
       return null;
     }
@@ -59656,7 +59675,7 @@ function createToolGuardHooks(args) {
   const rulesInjector = isHookEnabled("rules-injector") ? safeHook("rules-injector", () => createRulesInjectorHook(ctx, modelCacheState)) : null;
   const tasksTodowriteDisabler = isHookEnabled("tasks-todowrite-disabler") ? safeHook("tasks-todowrite-disabler", () => createTasksTodowriteDisablerHook({ experimental: pluginConfig.experimental })) : null;
   const writeExistingFileGuard = isHookEnabled("write-existing-file-guard") ? safeHook("write-existing-file-guard", () => createWriteExistingFileGuardHook(ctx)) : null;
-  const hashlineReadEnhancer = isHookEnabled("hashline-read-enhancer") ? safeHook("hashline-read-enhancer", () => createHashlineReadEnhancerHook(ctx, { hashline_edit: { enabled: pluginConfig.hashline_edit ?? true } })) : null;
+  const hashlineReadEnhancer = isHookEnabled("hashline-read-enhancer") ? safeHook("hashline-read-enhancer", () => createHashlineReadEnhancerHook(ctx, { hashline_edit: { enabled: pluginConfig.hashline_edit ?? false } })) : null;
   const jsonErrorRecovery = isHookEnabled("json-error-recovery") ? safeHook("json-error-recovery", () => createJsonErrorRecoveryHook(ctx)) : null;
   const readImageResizer = isHookEnabled("read-image-resizer") ? safeHook("read-image-resizer", () => createReadImageResizerHook(ctx)) : null;
   return {
@@ -64382,8 +64401,8 @@ async function random(size) {
   const evenDistCutoff = Math.pow(2, 8) - Math.pow(2, 8) % mask.length;
   let result = "";
   while (result.length < size) {
-    const randomBytes = await getRandomValues(size - result.length);
-    for (const randomByte of randomBytes) {
+    const randomBytes2 = await getRandomValues(size - result.length);
+    for (const randomByte of randomBytes2) {
       if (randomByte < evenDistCutoff) {
         result += mask[randomByte % mask.length];
       }
@@ -65888,10 +65907,10 @@ async function findAvailablePort2(startPort = DEFAULT_PORT) {
 
 // src/features/mcp-oauth/oauth-authorization-flow.ts
 import { spawn as spawn13 } from "child_process";
-import { createHash as createHash2, randomBytes } from "crypto";
+import { createHash as createHash2, randomBytes as randomBytes2 } from "crypto";
 import { createServer } from "http";
 function generateCodeVerifier() {
-  return randomBytes(32).toString("base64url");
+  return randomBytes2(32).toString("base64url");
 }
 function generateCodeChallenge(verifier) {
   return createHash2("sha256").update(verifier).digest("base64url");
@@ -65976,7 +65995,7 @@ function openBrowser(url2) {
 async function runAuthorizationCodeRedirect(options) {
   const verifier = generateCodeVerifier();
   const challenge = generateCodeChallenge(verifier);
-  const state3 = randomBytes(16).toString("hex");
+  const state3 = randomBytes2(16).toString("hex");
   const authorizationUrl = buildAuthorizationUrl(options.authorizationEndpoint, {
     clientId: options.clientId,
     redirectUri: options.redirectUri,
@@ -76530,7 +76549,7 @@ function createToolRegistry(args) {
     task_list: createTaskList(pluginConfig),
     task_update: createTaskUpdateTool(pluginConfig, ctx)
   } : {};
-  const hashlineEnabled = pluginConfig.hashline_edit ?? true;
+  const hashlineEnabled = pluginConfig.hashline_edit ?? false;
   const hashlineToolsRecord = hashlineEnabled ? { edit: createHashlineEditTool() } : {};
   const allTools = {
     ...builtinTools,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oh-my-opencode-unguarded",
-  "version": "3.9.4",
+  "version": "3.10.0",
   "description": "The Best AI Agent Harness - Batteries-Included OpenCode Plugin with Multi-Model Orchestration, Parallel Background Agents, and Crafted LSP/AST Tools",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -50,10 +50,6 @@
     "url": "https://github.com/D4ch1au/evil-oh-my-opencode/issues"
   },
   "homepage": "https://github.com/D4ch1au/evil-oh-my-opencode#readme",
-  "publishConfig": {
-    "registry": "https://registry.npmjs.org",
-    "access": "public"
-  },
   "dependencies": {
     "@ast-grep/cli": "^0.40.0",
     "@ast-grep/napi": "^0.40.0",
@@ -79,21 +75,25 @@
     "typescript": "^5.7.3"
   },
   "optionalDependencies": {
-    "oh-my-opencode-darwin-arm64": "3.9.0",
-    "oh-my-opencode-darwin-x64": "3.9.0",
-    "oh-my-opencode-darwin-x64-baseline": "3.9.0",
-    "oh-my-opencode-linux-arm64": "3.9.0",
-    "oh-my-opencode-linux-arm64-musl": "3.9.0",
-    "oh-my-opencode-linux-x64": "3.9.0",
-    "oh-my-opencode-linux-x64-baseline": "3.9.0",
-    "oh-my-opencode-linux-x64-musl": "3.9.0",
-    "oh-my-opencode-linux-x64-musl-baseline": "3.9.0",
-    "oh-my-opencode-windows-x64": "3.9.0",
-    "oh-my-opencode-windows-x64-baseline": "3.9.0"
+    "oh-my-opencode-darwin-arm64": "3.10.0",
+    "oh-my-opencode-darwin-x64": "3.10.0",
+    "oh-my-opencode-darwin-x64-baseline": "3.10.0",
+    "oh-my-opencode-linux-arm64": "3.10.0",
+    "oh-my-opencode-linux-arm64-musl": "3.10.0",
+    "oh-my-opencode-linux-x64": "3.10.0",
+    "oh-my-opencode-linux-x64-baseline": "3.10.0",
+    "oh-my-opencode-linux-x64-musl": "3.10.0",
+    "oh-my-opencode-linux-x64-musl-baseline": "3.10.0",
+    "oh-my-opencode-windows-x64": "3.10.0",
+    "oh-my-opencode-windows-x64-baseline": "3.10.0"
   },
   "trustedDependencies": [
     "@ast-grep/cli",
     "@ast-grep/napi",
     "@code-yeongyu/comment-checker"
-  ]
+  ],
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org",
+    "access": "public"
+  }
 }