opencode-hashline 1.1.2 → 1.2.0

package/README.en.md

@@ -44,7 +44,12 @@ The AI model can then reference lines by their hash tags for precise editing:
 
 ### 🤔 Why does this help?
 
-Traditional line numbers shift as edits are made, causing off-by-one errors and stale references. Hashline tags are **content-addressable** — they're derived from both the line index and the line's content, so they serve as a stable, verifiable reference that the AI can use to communicate about code locations with precision.
+Hashline solves the fundamental problems of the two existing AI file-editing approaches:
+
+- **`str_replace`** requires an absolutely exact match of `old_string`. Any extra whitespace, wrong indentation, or duplicate lines in the file — and the edit fails with "String to replace not found". This is so common it has a [mega-thread of 27+ related issues on GitHub](https://github.com/anthropics/claude-code/issues).
+- **`apply_patch`** (unified diff) only works on models specifically trained for this format. On other models the results are catastrophic: Grok 4 fails **50.7%** of patches, GLM-4.7 fails **46.2%** ([source](https://habr.com/ru/companies/bothub/news/995986/)).
+
+Hashline addresses each line with a unique `lineNumber:hash`. No string matching, no model-specific training dependency — just precise, verifiable line addressing.
 
 ---
 
@@ -355,22 +360,25 @@ const hl = createHashline({ cacheSize: 50, hashLength: 3 });
 
 ## 📊 Benchmark
 
-### Correctness: hashline vs str_replace
+### Correctness: hashline vs str_replace vs apply_patch
+
+We tested all three approaches on **60 fixtures from [react-edit-benchmark](https://github.com/can1357/oh-my-pi/tree/main/packages/react-edit-benchmark)** — mutated React source files with known bugs (flipped booleans, swapped operators, removed guard clauses, etc.):
 
-We tested both approaches on **60 fixtures from [react-edit-benchmark](https://github.com/can1357/oh-my-pi/tree/main/packages/react-edit-benchmark)** — mutated React source files with known bugs (flipped booleans, swapped operators, removed guard clauses, etc.):
+| | hashline | str_replace | apply_patch |
+|---|:---:|:---:|:---:|
+| **Passed** | **60/60 (100%)** | 58/60 (96.7%) | **60/60 (100%)** |
+| **Failed** | 0 | 2 | 0 |
+| **Ambiguous edits** | 0 | 4 | 0 |
 
-| | hashline | str_replace |
-|---|:---:|:---:|
-| **Passed** | **60/60 (100%)** | 58/60 (96.7%) |
-| **Failed** | 0 | 2 |
-| **Ambiguous edits** | 0 | 4 |
+`apply_patch` with context lines matches hashline's reliability — **when the model generates the patch correctly**. The key weakness of `apply_patch` is its dependency on model-specific training: models not trained on this format produce malformed diffs (missing context lines, wrong indentation), causing patch application to fail.
 
-str_replace fails when the `old_string` appears multiple times in the file (e.g. repeated guard clauses, similar code blocks). Hashline addresses each line uniquely via `lineNumber:hash`, so ambiguity is impossible.
+`str_replace` fails when `old_string` appears multiple times in the file (repeated guard clauses, similar code blocks). Hashline addresses each line uniquely via `lineNumber:hash` — ambiguity is impossible and no model-specific format is required.
 
 ```bash
 # Run yourself:
-npx tsx benchmark/run.ts              # hashline mode
-npx tsx benchmark/run.ts --no-hash    # str_replace mode
+npx tsx benchmark/run.ts               # hashline mode
+npx tsx benchmark/run.ts --no-hash     # str_replace mode
+npx tsx benchmark/run.ts --apply-patch # apply_patch mode
 ```
 
 <details>

package/README.md

@@ -44,7 +44,12 @@ AI-модель может ссылаться на строки по их хеш
 
 ### 🤔 Почему это помогает?
 
-Традиционные номера строк сдвигаются при редактировании, вызывая ошибки смещения и устаревшие ссылки. Хеш-теги Hashline **контентно-адресуемы** — они вычисляются из индекса строки и её содержимого, что делает их стабильной, верифицируемой ссылкой для точной коммуникации о местоположении в коде.
+Hashline решает фундаментальные проблемы двух существующих подходов к редактированию файлов AI:
+
+- **`str_replace`** требует абсолютно точного совпадения `old_string`. Любой лишний пробел, неверный отступ или дублирующиеся строки в файле — и редактирование завершается ошибкой «String to replace not found». Это настолько распространённая проблема, что у неё есть [мегатред на 27+ тикетов на GitHub](https://github.com/anthropics/claude-code/issues).
+- **`apply_patch`** (unified diff) работает только на моделях, специально обученных этому формату. На других моделях результаты катастрофические: Grok 4 проваливает **50.7%** патчей, GLM-4.7 — **46.2%** ([источник](https://habr.com/ru/companies/bothub/news/995986/)).
+
+Hashline адресует каждую строку уникальным хешем `lineNumber:hash`. Никакого строкового совпадения, никакой зависимости от специального обучения модели — только точная, верифицируемая адресация.
 
 ---
 
@@ -330,22 +335,25 @@ const hl = createHashline({ cacheSize: 50, hashLength: 3 });
 
 ## 📊 Бенчмарк
 
-### Корректность: hashline vs str_replace
+### Корректность: hashline vs str_replace vs apply_patch
+
+Все три подхода протестированы на **60 фикстурах из [react-edit-benchmark](https://github.com/can1357/oh-my-pi/tree/main/packages/react-edit-benchmark)** — мутированных файлах React с известными багами (инвертированные булевы, перепутанные операторы, удалённые guard-клаузы и т.д.):
 
-Оба подхода протестированы на **60 фикстурах из [react-edit-benchmark](https://github.com/can1357/oh-my-pi/tree/main/packages/react-edit-benchmark)** — мутированных файлах React с известными багами (инвертированные булевы, перепутанные операторы, удалённые guard-клаузы и т.д.):
+| | hashline | str_replace | apply_patch |
+|---|:---:|:---:|:---:|
+| **Прошло** | **60/60 (100%)** | 58/60 (96.7%) | **60/60 (100%)** |
+| **Провалено** | 0 | 2 | 0 |
+| **Неоднозначные правки** | 0 | 4 | 0 |
 
-| | hashline | str_replace |
-|---|:---:|:---:|
-| **Прошло** | **60/60 (100%)** | 58/60 (96.7%) |
-| **Провалено** | 0 | 2 |
-| **Неоднозначные правки** | 0 | 4 |
+`apply_patch` с контекстными строками работает так же надёжно, как hashline — **при условии, что модель правильно генерирует патч**. Слабое место `apply_patch` — зависимость от обучения конкретной модели: не обученные под этот формат модели производят некорректные diff-ы (пропускают контекст, путают отступы), что приводит к провалу применения патча.
 
-str_replace ломается, когда `old_string` встречается в файле несколько раз (например, повторяющиеся guard-клаузы, похожие блоки кода). Hashline адресует каждую строку уникально через `lineNumber:hash`, поэтому неоднозначность исключена.
+`str_replace` ломается, когда `old_string` встречается в файле несколько раз (повторяющиеся guard-клаузы, похожие блоки кода). Hashline адресует каждую строку уникально через `lineNumber:hash` — неоднозначность исключена, модельный формат не нужен.
 
 ```bash
 # Запустите сами:
-npx tsx benchmark/run.ts              # режим hashline
-npx tsx benchmark/run.ts --no-hash    # режим str_replace
+npx tsx benchmark/run.ts               # режим hashline
+npx tsx benchmark/run.ts --no-hash     # режим str_replace
+npx tsx benchmark/run.ts --apply-patch # режим apply_patch
 ```
 
 <details>

package/dist/{chunk-X4NVISKE.js → chunk-I6RACR3D.js}

@@ -28,7 +28,24 @@ var DEFAULT_EXCLUDE_PATTERNS = [
   "**/*.exe",
   "**/*.dll",
   "**/*.so",
-  "**/*.dylib"
+  "**/*.dylib",
+  // Sensitive credential and secret files
+  "**/.env",
+  "**/.env.*",
+  "**/*.pem",
+  "**/*.key",
+  "**/*.p12",
+  "**/*.pfx",
+  "**/id_rsa",
+  "**/id_rsa.pub",
+  "**/id_ed25519",
+  "**/id_ed25519.pub",
+  "**/id_ecdsa",
+  "**/id_ecdsa.pub",
+  "**/.npmrc",
+  "**/.netrc",
+  "**/credentials",
+  "**/credentials.json"
 ];
 var DEFAULT_PREFIX = "#HL ";
 var DEFAULT_CONFIG = {
@@ -94,11 +111,18 @@ function formatFileWithHashes(content, hashLen, prefix) {
   const effectivePrefix = prefix === void 0 ? DEFAULT_PREFIX : prefix === false ? "" : prefix;
   const hashes = new Array(lines.length);
   const seen = /* @__PURE__ */ new Map();
+  const upgraded = /* @__PURE__ */ new Set();
   for (let idx = 0; idx < lines.length; idx++) {
     const hash = computeLineHash(idx, lines[idx], effectiveLen);
     if (seen.has(hash)) {
       const longerLen = Math.min(effectiveLen + 1, 8);
+      const prevIdx = seen.get(hash);
+      if (!upgraded.has(prevIdx)) {
+        hashes[prevIdx] = computeLineHash(prevIdx, lines[prevIdx], longerLen);
+        upgraded.add(prevIdx);
+      }
       hashes[idx] = computeLineHash(idx, lines[idx], longerLen);
+      upgraded.add(idx);
     } else {
       seen.set(hash, idx);
       hashes[idx] = hash;
@@ -132,7 +156,8 @@ function stripHashes(content, prefix) {
 function parseHashRef(ref) {
   const match = ref.match(/^(\d+):([0-9a-f]{2,8})$/);
   if (!match) {
-    throw new Error(`Invalid hash reference: "${ref}". Expected format: "<line>:<2-8 char hex>"`);
+    const display = ref.length > 100 ? `${ref.slice(0, 100)}\u2026` : ref;
+    throw new Error(`Invalid hash reference: "${display}". Expected format: "<line>:<2-8 char hex>"`);
   }
   return {
     line: parseInt(match[1], 10),
@@ -149,8 +174,9 @@ function normalizeHashRef(ref) {
   if (annotated) {
     return `${parseInt(annotated[1], 10)}:${annotated[2].toLowerCase()}`;
   }
+  const display = ref.length > 100 ? `${ref.slice(0, 100)}\u2026` : ref;
   throw new Error(
-    `Invalid hash reference: "${ref}". Expected "<line>:<hash>" or an annotated line like "#HL <line>:<hash>|..."`
+    `Invalid hash reference: "${display}". Expected "<line>:<hash>" or an annotated line like "#HL <line>:<hash>|..."`
   );
 }
 function buildHashMap(content, hashLen) {
@@ -336,10 +362,15 @@ var HashlineCache = class {
     return this.cache.size;
   }
 };
+var globMatcherCache = /* @__PURE__ */ new Map();
 function matchesGlob(filePath, pattern) {
   const normalizedPath = filePath.replace(/\\/g, "/");
   const normalizedPattern = pattern.replace(/\\/g, "/");
-  const isMatch = picomatch(normalizedPattern, { dot: true });
+  let isMatch = globMatcherCache.get(normalizedPattern);
+  if (!isMatch) {
+    isMatch = picomatch(normalizedPattern, { dot: true });
+    globMatcherCache.set(normalizedPattern, isMatch);
+  }
   return isMatch(normalizedPath);
 }
 function shouldExclude(filePath, patterns) {

package/dist/{chunk-MKNRMMMR.js → chunk-VPCMHCTB.js}

@@ -4,7 +4,7 @@ import {
   resolveConfig,
   shouldExclude,
   stripHashes
-} from "./chunk-X4NVISKE.js";
+} from "./chunk-I6RACR3D.js";
 
 // src/hooks.ts
 import { appendFileSync } from "fs";

package/dist/{hashline-6YDKBNND.js → hashline-5PFAXY3H.js}

@@ -20,7 +20,7 @@ import {
   shouldExclude,
   stripHashes,
   verifyHash
-} from "./chunk-X4NVISKE.js";
+} from "./chunk-I6RACR3D.js";
 export {
   DEFAULT_CONFIG,
   DEFAULT_EXCLUDE_PATTERNS,

package/dist/opencode-hashline.cjs

@@ -107,11 +107,18 @@ function formatFileWithHashes(content, hashLen, prefix) {
   const effectivePrefix = prefix === void 0 ? DEFAULT_PREFIX : prefix === false ? "" : prefix;
   const hashes = new Array(lines.length);
   const seen = /* @__PURE__ */ new Map();
+  const upgraded = /* @__PURE__ */ new Set();
   for (let idx = 0; idx < lines.length; idx++) {
     const hash = computeLineHash(idx, lines[idx], effectiveLen);
     if (seen.has(hash)) {
       const longerLen = Math.min(effectiveLen + 1, 8);
+      const prevIdx = seen.get(hash);
+      if (!upgraded.has(prevIdx)) {
+        hashes[prevIdx] = computeLineHash(prevIdx, lines[prevIdx], longerLen);
+        upgraded.add(prevIdx);
+      }
       hashes[idx] = computeLineHash(idx, lines[idx], longerLen);
+      upgraded.add(idx);
     } else {
       seen.set(hash, idx);
       hashes[idx] = hash;
@@ -144,7 +151,8 @@ function stripHashes(content, prefix) {
 function parseHashRef(ref) {
   const match = ref.match(/^(\d+):([0-9a-f]{2,8})$/);
   if (!match) {
-    throw new Error(`Invalid hash reference: "${ref}". Expected format: "<line>:<2-8 char hex>"`);
+    const display = ref.length > 100 ? `${ref.slice(0, 100)}\u2026` : ref;
+    throw new Error(`Invalid hash reference: "${display}". Expected format: "<line>:<2-8 char hex>"`);
   }
   return {
     line: parseInt(match[1], 10),
@@ -161,8 +169,9 @@ function normalizeHashRef(ref) {
   if (annotated) {
     return `${parseInt(annotated[1], 10)}:${annotated[2].toLowerCase()}`;
   }
+  const display = ref.length > 100 ? `${ref.slice(0, 100)}\u2026` : ref;
   throw new Error(
-    `Invalid hash reference: "${ref}". Expected "<line>:<hash>" or an annotated line like "#HL <line>:<hash>|..."`
+    `Invalid hash reference: "${display}". Expected "<line>:<hash>" or an annotated line like "#HL <line>:<hash>|..."`
   );
 }
 function buildHashMap(content, hashLen) {
@@ -292,7 +301,11 @@ function applyHashEdit(input, content, hashLen) {
 function matchesGlob(filePath, pattern) {
   const normalizedPath = filePath.replace(/\\/g, "/");
   const normalizedPattern = pattern.replace(/\\/g, "/");
-  const isMatch = (0, import_picomatch.default)(normalizedPattern, { dot: true });
+  let isMatch = globMatcherCache.get(normalizedPattern);
+  if (!isMatch) {
+    isMatch = (0, import_picomatch.default)(normalizedPattern, { dot: true });
+    globMatcherCache.set(normalizedPattern, isMatch);
+  }
   return isMatch(normalizedPath);
 }
 function shouldExclude(filePath, patterns) {
@@ -355,7 +368,7 @@ function createHashline(config) {
     }
   };
 }
-var import_picomatch, DEFAULT_EXCLUDE_PATTERNS, DEFAULT_PREFIX, DEFAULT_CONFIG, modulusCache, stripRegexCache, HashlineCache, textEncoder;
+var import_picomatch, DEFAULT_EXCLUDE_PATTERNS, DEFAULT_PREFIX, DEFAULT_CONFIG, modulusCache, stripRegexCache, HashlineCache, globMatcherCache, textEncoder;
 var init_hashline = __esm({
   "src/hashline.ts"() {
     "use strict";
@@ -388,7 +401,24 @@ var init_hashline = __esm({
       "**/*.exe",
       "**/*.dll",
       "**/*.so",
-      "**/*.dylib"
+      "**/*.dylib",
+      // Sensitive credential and secret files
+      "**/.env",
+      "**/.env.*",
+      "**/*.pem",
+      "**/*.key",
+      "**/*.p12",
+      "**/*.pfx",
+      "**/id_rsa",
+      "**/id_rsa.pub",
+      "**/id_ed25519",
+      "**/id_ed25519.pub",
+      "**/id_ecdsa",
+      "**/id_ecdsa.pub",
+      "**/.npmrc",
+      "**/.netrc",
+      "**/credentials",
+      "**/credentials.json"
     ];
     DEFAULT_PREFIX = "#HL ";
     DEFAULT_CONFIG = {
@@ -462,6 +492,7 @@ var init_hashline = __esm({
         return this.cache.size;
       }
     };
+    globMatcherCache = /* @__PURE__ */ new Map();
     textEncoder = new TextEncoder();
   }
 });
@@ -705,23 +736,37 @@ function createHashlineEditTool(config, cache) {
       operation: import_zod.z.enum(["replace", "delete", "insert_before", "insert_after"]).describe("Edit operation"),
       startRef: import_zod.z.string().describe('Start hash reference, e.g. "5:a3f" or "#HL 5:a3f|const x = 1;"'),
       endRef: import_zod.z.string().optional().describe("End hash reference for range operations. Defaults to startRef when omitted."),
-      replacement: import_zod.z.string().optional().describe("Replacement/inserted content. Required for replace/insert operations.")
+      replacement: import_zod.z.string().max(1e7).optional().describe("Replacement/inserted content. Required for replace/insert operations.")
     },
     async execute(args, context) {
       const { path, operation, startRef, endRef, replacement } = args;
       const absPath = (0, import_path2.isAbsolute)(path) ? path : (0, import_path2.resolve)(context.directory, path);
-      let realAbs;
-      try {
-        realAbs = (0, import_fs2.realpathSync)(absPath);
-      } catch {
-        realAbs = (0, import_path2.resolve)(absPath);
-      }
       const realDirectory = (0, import_fs2.realpathSync)((0, import_path2.resolve)(context.directory));
       const realWorktree = (0, import_fs2.realpathSync)((0, import_path2.resolve)(context.worktree));
       function isWithin(filePath, dir) {
         if (dir === import_path2.sep) return false;
+        if (process.platform === "win32") {
+          if (/^[A-Za-z]:\\$/.test(dir)) return false;
+          if (/^\\\\[^\\]+\\[^\\]+$/.test(dir)) return false;
+        }
         return filePath === dir || filePath.startsWith(dir + import_path2.sep);
       }
+      let realAbs;
+      try {
+        realAbs = (0, import_fs2.realpathSync)(absPath);
+      } catch {
+        const parentDir = (0, import_path2.dirname)(absPath);
+        let realParent;
+        try {
+          realParent = (0, import_fs2.realpathSync)(parentDir);
+        } catch {
+          throw new Error(`Access denied: cannot verify parent directory for "${path}"`);
+        }
+        if (!isWithin(realParent, realDirectory) && !isWithin(realParent, realWorktree)) {
+          throw new Error(`Access denied: "${path}" resolves outside the project directory`);
+        }
+        realAbs = (0, import_path2.resolve)(absPath);
+      }
       if (!isWithin(realAbs, realDirectory) && !isWithin(realAbs, realWorktree)) {
         throw new Error(`Access denied: "${path}" resolves outside the project directory`);
       }
@@ -734,6 +779,11 @@ function createHashlineEditTool(config, cache) {
         const reason = error instanceof Error ? error.message : String(error);
         throw new Error(`Failed to read "${displayPath}": ${reason}`);
       }
+      if (config.maxFileSize > 0 && getByteLength(current) > config.maxFileSize) {
+        throw new Error(
+          `File "${displayPath}" exceeds the configured maximum size (${config.maxFileSize} bytes)`
+        );
+      }
       let nextContent;
       let startLine;
       let endLine;
@@ -788,10 +838,40 @@ function createHashlineEditTool(config, cache) {
 
 // src/index.ts
 var CONFIG_FILENAME = "opencode-hashline.json";
+function sanitizeConfig(raw) {
+  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) return {};
+  const r = raw;
+  const result = {};
+  if (Array.isArray(r.exclude)) {
+    result.exclude = r.exclude.filter(
+      (p) => typeof p === "string" && p.length <= 512
+    );
+  }
+  if (typeof r.maxFileSize === "number" && Number.isFinite(r.maxFileSize) && r.maxFileSize >= 0) {
+    result.maxFileSize = r.maxFileSize;
+  }
+  if (typeof r.hashLength === "number" && Number.isFinite(r.hashLength)) {
+    result.hashLength = Math.max(0, Math.min(8, Math.floor(r.hashLength)));
+  }
+  if (typeof r.cacheSize === "number" && Number.isFinite(r.cacheSize) && r.cacheSize > 0) {
+    result.cacheSize = Math.min(Math.floor(r.cacheSize), 1e4);
+  }
+  if (r.prefix === false) {
+    result.prefix = false;
+  } else if (typeof r.prefix === "string") {
+    if (/^[\x20-\x7E]{0,20}$/.test(r.prefix)) {
+      result.prefix = r.prefix;
+    }
+  }
+  if (typeof r.debug === "boolean") {
+    result.debug = r.debug;
+  }
+  return result;
+}
 function loadConfigFile(filePath) {
   try {
     const raw = (0, import_fs3.readFileSync)(filePath, "utf-8");
-    return JSON.parse(raw);
+    return sanitizeConfig(JSON.parse(raw));
   } catch {
     return void 0;
   }

package/dist/opencode-hashline.js

@@ -3,12 +3,13 @@ import {
   createFileReadAfterHook,
   createSystemPromptHook,
   setDebug
-} from "./chunk-MKNRMMMR.js";
+} from "./chunk-VPCMHCTB.js";
 import {
   HashlineCache,
   applyHashEdit,
+  getByteLength,
   resolveConfig
-} from "./chunk-X4NVISKE.js";
+} from "./chunk-I6RACR3D.js";
 
 // src/index.ts
 import { readFileSync as readFileSync2, realpathSync as realpathSync2, unlinkSync, writeFileSync as writeFileSync2 } from "fs";
@@ -18,7 +19,7 @@ import { fileURLToPath } from "url";
 
 // src/hashline-tool.ts
 import { readFileSync, realpathSync, writeFileSync } from "fs";
-import { isAbsolute, relative, resolve, sep } from "path";
+import { dirname, isAbsolute, relative, resolve, sep } from "path";
 import { z } from "zod";
 function createHashlineEditTool(config, cache) {
   return {
@@ -28,23 +29,37 @@ function createHashlineEditTool(config, cache) {
       operation: z.enum(["replace", "delete", "insert_before", "insert_after"]).describe("Edit operation"),
       startRef: z.string().describe('Start hash reference, e.g. "5:a3f" or "#HL 5:a3f|const x = 1;"'),
       endRef: z.string().optional().describe("End hash reference for range operations. Defaults to startRef when omitted."),
-      replacement: z.string().optional().describe("Replacement/inserted content. Required for replace/insert operations.")
+      replacement: z.string().max(1e7).optional().describe("Replacement/inserted content. Required for replace/insert operations.")
     },
     async execute(args, context) {
       const { path, operation, startRef, endRef, replacement } = args;
       const absPath = isAbsolute(path) ? path : resolve(context.directory, path);
-      let realAbs;
-      try {
-        realAbs = realpathSync(absPath);
-      } catch {
-        realAbs = resolve(absPath);
-      }
       const realDirectory = realpathSync(resolve(context.directory));
       const realWorktree = realpathSync(resolve(context.worktree));
       function isWithin(filePath, dir) {
         if (dir === sep) return false;
+        if (process.platform === "win32") {
+          if (/^[A-Za-z]:\\$/.test(dir)) return false;
+          if (/^\\\\[^\\]+\\[^\\]+$/.test(dir)) return false;
+        }
         return filePath === dir || filePath.startsWith(dir + sep);
       }
+      let realAbs;
+      try {
+        realAbs = realpathSync(absPath);
+      } catch {
+        const parentDir = dirname(absPath);
+        let realParent;
+        try {
+          realParent = realpathSync(parentDir);
+        } catch {
+          throw new Error(`Access denied: cannot verify parent directory for "${path}"`);
+        }
+        if (!isWithin(realParent, realDirectory) && !isWithin(realParent, realWorktree)) {
+          throw new Error(`Access denied: "${path}" resolves outside the project directory`);
+        }
+        realAbs = resolve(absPath);
+      }
       if (!isWithin(realAbs, realDirectory) && !isWithin(realAbs, realWorktree)) {
         throw new Error(`Access denied: "${path}" resolves outside the project directory`);
       }
@@ -57,6 +72,11 @@ function createHashlineEditTool(config, cache) {
         const reason = error instanceof Error ? error.message : String(error);
         throw new Error(`Failed to read "${displayPath}": ${reason}`);
       }
+      if (config.maxFileSize > 0 && getByteLength(current) > config.maxFileSize) {
+        throw new Error(
+          `File "${displayPath}" exceeds the configured maximum size (${config.maxFileSize} bytes)`
+        );
+      }
       let nextContent;
       let startLine;
       let endLine;
@@ -111,10 +131,40 @@ function createHashlineEditTool(config, cache) {
 
 // src/index.ts
 var CONFIG_FILENAME = "opencode-hashline.json";
+function sanitizeConfig(raw) {
+  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) return {};
+  const r = raw;
+  const result = {};
+  if (Array.isArray(r.exclude)) {
+    result.exclude = r.exclude.filter(
+      (p) => typeof p === "string" && p.length <= 512
+    );
+  }
+  if (typeof r.maxFileSize === "number" && Number.isFinite(r.maxFileSize) && r.maxFileSize >= 0) {
+    result.maxFileSize = r.maxFileSize;
+  }
+  if (typeof r.hashLength === "number" && Number.isFinite(r.hashLength)) {
+    result.hashLength = Math.max(0, Math.min(8, Math.floor(r.hashLength)));
+  }
+  if (typeof r.cacheSize === "number" && Number.isFinite(r.cacheSize) && r.cacheSize > 0) {
+    result.cacheSize = Math.min(Math.floor(r.cacheSize), 1e4);
+  }
+  if (r.prefix === false) {
+    result.prefix = false;
+  } else if (typeof r.prefix === "string") {
+    if (/^[\x20-\x7E]{0,20}$/.test(r.prefix)) {
+      result.prefix = r.prefix;
+    }
+  }
+  if (typeof r.debug === "boolean") {
+    result.debug = r.debug;
+  }
+  return result;
+}
 function loadConfigFile(filePath) {
   try {
     const raw = readFileSync2(filePath, "utf-8");
-    return JSON.parse(raw);
+    return sanitizeConfig(JSON.parse(raw));
   } catch {
     return void 0;
   }
@@ -172,7 +222,7 @@ function createHashlinePlugin(userConfig) {
           const out = output;
           const hashLen = config.hashLength || 0;
           const prefix = config.prefix;
-          const { formatFileWithHashes, shouldExclude, getByteLength } = await import("./hashline-6YDKBNND.js");
+          const { formatFileWithHashes, shouldExclude, getByteLength: getByteLength2 } = await import("./hashline-5PFAXY3H.js");
           for (const p of out.parts ?? []) {
             if (p.type !== "file") continue;
             if (!p.url || !p.mime?.startsWith("text/")) continue;
@@ -199,7 +249,7 @@ function createHashlinePlugin(userConfig) {
             } catch {
               continue;
             }
-            if (config.maxFileSize > 0 && getByteLength(content) > config.maxFileSize) continue;
+            if (config.maxFileSize > 0 && getByteLength2(content) > config.maxFileSize) continue;
             const cached = cache.get(filePath, content);
             if (cached) {
               const tmpPath2 = join(tmpdir(), `hashline-${p.id}.txt`);

package/dist/utils.cjs

@@ -87,7 +87,24 @@ var DEFAULT_EXCLUDE_PATTERNS = [
   "**/*.exe",
   "**/*.dll",
   "**/*.so",
-  "**/*.dylib"
+  "**/*.dylib",
+  // Sensitive credential and secret files
+  "**/.env",
+  "**/.env.*",
+  "**/*.pem",
+  "**/*.key",
+  "**/*.p12",
+  "**/*.pfx",
+  "**/id_rsa",
+  "**/id_rsa.pub",
+  "**/id_ed25519",
+  "**/id_ed25519.pub",
+  "**/id_ecdsa",
+  "**/id_ecdsa.pub",
+  "**/.npmrc",
+  "**/.netrc",
+  "**/credentials",
+  "**/credentials.json"
 ];
 var DEFAULT_PREFIX = "#HL ";
 var DEFAULT_CONFIG = {
@@ -153,11 +170,18 @@ function formatFileWithHashes(content, hashLen, prefix) {
   const effectivePrefix = prefix === void 0 ? DEFAULT_PREFIX : prefix === false ? "" : prefix;
   const hashes = new Array(lines.length);
   const seen = /* @__PURE__ */ new Map();
+  const upgraded = /* @__PURE__ */ new Set();
   for (let idx = 0; idx < lines.length; idx++) {
     const hash = computeLineHash(idx, lines[idx], effectiveLen);
     if (seen.has(hash)) {
       const longerLen = Math.min(effectiveLen + 1, 8);
+      const prevIdx = seen.get(hash);
+      if (!upgraded.has(prevIdx)) {
+        hashes[prevIdx] = computeLineHash(prevIdx, lines[prevIdx], longerLen);
+        upgraded.add(prevIdx);
+      }
       hashes[idx] = computeLineHash(idx, lines[idx], longerLen);
+      upgraded.add(idx);
     } else {
       seen.set(hash, idx);
       hashes[idx] = hash;
@@ -191,7 +215,8 @@ function stripHashes(content, prefix) {
 function parseHashRef(ref) {
   const match = ref.match(/^(\d+):([0-9a-f]{2,8})$/);
   if (!match) {
-    throw new Error(`Invalid hash reference: "${ref}". Expected format: "<line>:<2-8 char hex>"`);
+    const display = ref.length > 100 ? `${ref.slice(0, 100)}\u2026` : ref;
+    throw new Error(`Invalid hash reference: "${display}". Expected format: "<line>:<2-8 char hex>"`);
   }
   return {
     line: parseInt(match[1], 10),
@@ -208,8 +233,9 @@ function normalizeHashRef(ref) {
   if (annotated) {
     return `${parseInt(annotated[1], 10)}:${annotated[2].toLowerCase()}`;
   }
+  const display = ref.length > 100 ? `${ref.slice(0, 100)}\u2026` : ref;
   throw new Error(
-    `Invalid hash reference: "${ref}". Expected "<line>:<hash>" or an annotated line like "#HL <line>:<hash>|..."`
+    `Invalid hash reference: "${display}". Expected "<line>:<hash>" or an annotated line like "#HL <line>:<hash>|..."`
   );
 }
 function buildHashMap(content, hashLen) {
@@ -395,10 +421,15 @@ var HashlineCache = class {
     return this.cache.size;
   }
 };
+var globMatcherCache = /* @__PURE__ */ new Map();
 function matchesGlob(filePath, pattern) {
   const normalizedPath = filePath.replace(/\\/g, "/");
   const normalizedPattern = pattern.replace(/\\/g, "/");
-  const isMatch = (0, import_picomatch.default)(normalizedPattern, { dot: true });
+  let isMatch = globMatcherCache.get(normalizedPattern);
+  if (!isMatch) {
+    isMatch = (0, import_picomatch.default)(normalizedPattern, { dot: true });
+    globMatcherCache.set(normalizedPattern, isMatch);
+  }
   return isMatch(normalizedPath);
 }
 function shouldExclude(filePath, patterns) {

package/dist/utils.js

@@ -3,7 +3,7 @@ import {
   createFileReadAfterHook,
   createSystemPromptHook,
   isFileReadTool
-} from "./chunk-MKNRMMMR.js";
+} from "./chunk-VPCMHCTB.js";
 import {
   DEFAULT_CONFIG,
   DEFAULT_EXCLUDE_PATTERNS,
@@ -25,7 +25,7 @@ import {
   shouldExclude,
   stripHashes,
   verifyHash
-} from "./chunk-X4NVISKE.js";
+} from "./chunk-I6RACR3D.js";
 export {
   DEFAULT_CONFIG,
   DEFAULT_EXCLUDE_PATTERNS,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-hashline",
-  "version": "1.1.2",
+  "version": "1.2.0",
   "description": "Hashline plugin for OpenCode — content-addressable line hashing for precise AI code editing",
   "main": "dist/opencode-hashline.cjs",
   "module": "dist/opencode-hashline.js",