tlc-claude-code 1.3.0 → 1.4.1

package/server/lib/memory-exclusion.js

@@ -0,0 +1,326 @@
+import fs from 'fs';
+import path from 'path';
+
+/**
+ * Memory Exclusion Patterns
+ *
+ * Configures what data to exclude from memory persistence.
+ * Supports both file patterns (glob) and content patterns (regex).
+ */
+
+export const MODE = {
+  WHITELIST: 'whitelist',
+  BLACKLIST: 'blacklist',
+};
+
+export const DEFAULT_FILE_PATTERNS = [
+  '.env',
+  '.env.*',
+  '*.pem',
+  '*.key',
+  '*credentials*',
+  '*secrets*',
+];
+
+export const DEFAULT_CONTENT_PATTERNS = [
+  'password=',
+  'api_key=',
+  'secret=',
+  'token=',
+  'private_key',
+];
+
+/**
+ * Load exclusion patterns from .tlc.json config file
+ * @param {string} projectRoot - The project root directory
+ * @returns {object} - Patterns configuration
+ */
+export function loadPatterns(projectRoot) {
+  const configPath = path.join(projectRoot, '.tlc.json');
+  const defaults = {
+    mode: MODE.BLACKLIST,
+    filePatterns: [...DEFAULT_FILE_PATTERNS],
+    contentPatterns: [...DEFAULT_CONTENT_PATTERNS],
+  };
+
+  try {
+    if (!fs.existsSync(configPath)) {
+      return defaults;
+    }
+
+    const configContent = fs.readFileSync(configPath, 'utf8');
+    const config = JSON.parse(configContent);
+
+    if (!config.memoryExclusion) {
+      return defaults;
+    }
+
+    const exclusionConfig = config.memoryExclusion;
+    const result = {
+      mode: exclusionConfig.mode || MODE.BLACKLIST,
+      filePatterns: [],
+      contentPatterns: [],
+    };
+
+    // Handle merging with defaults
+    if (exclusionConfig.mergeDefaults) {
+      result.filePatterns = [...DEFAULT_FILE_PATTERNS];
+      result.contentPatterns = [...DEFAULT_CONTENT_PATTERNS];
+    }
+
+    // Add custom file patterns
+    if (Array.isArray(exclusionConfig.filePatterns)) {
+      for (const pattern of exclusionConfig.filePatterns) {
+        if (!result.filePatterns.includes(pattern)) {
+          result.filePatterns.push(pattern);
+        }
+      }
+    }
+
+    // Add custom content patterns
+    if (Array.isArray(exclusionConfig.contentPatterns)) {
+      for (const pattern of exclusionConfig.contentPatterns) {
+        if (!result.contentPatterns.includes(pattern)) {
+          result.contentPatterns.push(pattern);
+        }
+      }
+    }
+
+    // Use defaults if no custom patterns were provided
+    if (result.filePatterns.length === 0) {
+      result.filePatterns = [...DEFAULT_FILE_PATTERNS];
+    }
+    if (result.contentPatterns.length === 0) {
+      result.contentPatterns = [...DEFAULT_CONTENT_PATTERNS];
+    }
+
+    return result;
+  } catch {
+    return defaults;
+  }
+}
+
+/**
+ * Convert a glob pattern to a regex
+ * @param {string} pattern - Glob pattern
+ * @returns {RegExp} - Compiled regex
+ */
+function globToRegex(pattern) {
+  // Use placeholders to protect ** patterns during processing
+  let processed = pattern;
+
+  // First, handle single * - convert to placeholder to protect from ** processing
+  // But we need to do this carefully - only convert * that aren't part of **
+  // We'll process ** first with placeholders, then handle remaining *
+
+  // Handle different ** patterns:
+  // 1. **/ at start: matches zero or more directories (including empty)
+  // 2. /** at end: matches everything after
+  // 3. **/ in middle: matches zero or more directories
+
+  // Replace **/ at start with placeholder (matches zero or more dirs)
+  processed = processed.replace(/^\*\*\//, '<<STARSTART>>');
+
+  // Replace /** at end with placeholder (matches rest of path)
+  processed = processed.replace(/\/\*\*$/, '<<STAREND>>');
+
+  // Replace remaining **/ with placeholder (matches zero or more dirs)
+  processed = processed.replace(/\/\*\*\//g, '<<STARMID>>');
+
+  // Replace remaining ** with placeholder (matches anything)
+  processed = processed.replace(/\*\*/g, '<<STARSTAR>>');
+
+  // Now replace remaining single * with placeholder
+  processed = processed.replace(/\*/g, '<<SINGLE>>');
+
+  // Replace ? with placeholder
+  processed = processed.replace(/\?/g, '<<QUESTION>>');
+
+  // Escape special regex characters
+  processed = processed.replace(/[.+^${}()|[\]\\]/g, '\\$&');
+
+  // Restore and convert placeholders to regex patterns
+  // <<STARSTART>> = matches zero or more directories at start (optional)
+  processed = processed.replace(/<<STARSTART>>/g, '(?:.*\\/)?');
+
+  // <<STAREND>> = matches rest of path (including slashes)
+  processed = processed.replace(/<<STAREND>>/g, '(?:\\/.*)?');
+
+  // <<STARMID>> = matches zero or more directories in middle
+  processed = processed.replace(/<<STARMID>>/g, '(?:\\/(?:.*\\/)?)?');
+
+  // <<STARSTAR>> = matches anything including slashes
+  processed = processed.replace(/<<STARSTAR>>/g, '.*');
+
+  // <<SINGLE>> = matches anything except path separator
+  processed = processed.replace(/<<SINGLE>>/g, '[^/]*');
+
+  // <<QUESTION>> = matches single character
+  processed = processed.replace(/<<QUESTION>>/g, '.');
+
+  // Build regex that matches the pattern
+  return new RegExp(`^${processed}$`);
+}
+
+/**
+ * Check if a value matches a pattern
+ * @param {string} value - The value to test
+ * @param {string|RegExp} pattern - The pattern to match against
+ * @param {object} options - Options for matching
+ * @param {boolean} options.ignoreCase - Case insensitive matching
+ * @param {boolean} options.isContent - Whether this is content matching (uses substring)
+ * @returns {boolean} - Whether the value matches the pattern
+ */
+export function matchesPattern(value, pattern, options = {}) {
+  if (!value) {
+    return false;
+  }
+
+  const { ignoreCase = false, isContent = false } = options;
+
+  // Handle RegExp objects
+  if (pattern instanceof RegExp) {
+    const flags = ignoreCase && !pattern.flags.includes('i') ? pattern.flags + 'i' : pattern.flags;
+    const testPattern = new RegExp(pattern.source, flags);
+    return testPattern.test(value);
+  }
+
+  // Handle regex: prefix for string patterns
+  if (pattern.startsWith('regex:')) {
+    const regexStr = pattern.slice(6);
+    const regex = ignoreCase ? new RegExp(regexStr, 'i') : new RegExp(regexStr);
+    return regex.test(value);
+  }
+
+  // For content matching without wildcards, use substring match
+  if (isContent && !pattern.includes('*') && !pattern.includes('?')) {
+    const testValue = ignoreCase ? value.toLowerCase() : value;
+    const testPattern = ignoreCase ? pattern.toLowerCase() : pattern;
+    return testValue.includes(testPattern);
+  }
+
+  // Handle exact match for file patterns without wildcards
+  if (!pattern.includes('*') && !pattern.includes('?')) {
+    const testValue = ignoreCase ? value.toLowerCase() : value;
+    const testPattern = ignoreCase ? pattern.toLowerCase() : pattern;
+    // Only check for exact match - no basename matching for exact patterns
+    return testValue === testPattern;
+  }
+
+  // Handle glob pattern
+  const regex = globToRegex(pattern);
+  const testPattern = ignoreCase ? new RegExp(regex.source, 'i') : regex;
+  return testPattern.test(value);
+}
+
+/**
+ * Check if a file path matches a pattern (for use in shouldExclude)
+ * This also checks basename for non-glob patterns
+ * @param {string} filePath - The file path to check
+ * @param {string} pattern - The pattern to match
+ * @returns {boolean} - Whether the file matches
+ */
+function matchesFilePattern(filePath, pattern) {
+  // First try direct match
+  if (matchesPattern(filePath, pattern)) {
+    return true;
+  }
+
+  // For patterns without path separators and without wildcards,
+  // also check against the basename
+  if (!pattern.includes('/') && !pattern.includes('*') && !pattern.includes('?')) {
+    const basename = filePath.split('/').pop();
+    if (matchesPattern(basename, pattern)) {
+      return true;
+    }
+  }
+
+  // For glob patterns, also try matching the basename
+  if (pattern.includes('*') || pattern.includes('?')) {
+    const basename = filePath.split('/').pop();
+    if (matchesPattern(basename, pattern)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Check if a file or content should be excluded from memory
+ * @param {string} filePath - The file path to check
+ * @param {string|null} content - Optional content to check
+ * @param {object|null} config - Optional configuration override
+ * @returns {boolean} - Whether to exclude this file/content
+ */
+export function shouldExclude(filePath, content = null, config = null) {
+  const patterns = config || {
+    mode: MODE.BLACKLIST,
+    filePatterns: DEFAULT_FILE_PATTERNS,
+    contentPatterns: DEFAULT_CONTENT_PATTERNS,
+    enforceDefaults: true,
+  };
+
+  const mode = patterns.mode || MODE.BLACKLIST;
+  // Support both 'patterns' (shorthand) and 'filePatterns' (explicit)
+  const filePatterns = patterns.filePatterns || patterns.patterns || [];
+  const contentPatterns = patterns.contentPatterns || [];
+  const enforceDefaults = patterns.enforceDefaults !== false;
+
+  // In whitelist mode, only allow files that match patterns
+  if (mode === MODE.WHITELIST) {
+    // Always exclude sensitive files if enforceDefaults is true
+    if (enforceDefaults) {
+      for (const pattern of DEFAULT_FILE_PATTERNS) {
+        if (matchesFilePattern(filePath, pattern)) {
+          return true;
+        }
+      }
+    }
+
+    // Check if file matches any whitelist pattern
+    let allowed = false;
+    for (const pattern of filePatterns) {
+      if (matchesFilePattern(filePath, pattern)) {
+        allowed = true;
+        break;
+      }
+    }
+
+    return !allowed;
+  }
+
+  // In blacklist mode, exclude files that match patterns
+  // Check default patterns first
+  for (const pattern of DEFAULT_FILE_PATTERNS) {
+    if (matchesFilePattern(filePath, pattern)) {
+      return true;
+    }
+  }
+
+  // Check custom file patterns
+  for (const pattern of filePatterns) {
+    if (matchesFilePattern(filePath, pattern)) {
+      return true;
+    }
+  }
+
+  // Check content patterns if content is provided
+  if (content) {
+    // Check default content patterns
+    for (const pattern of DEFAULT_CONTENT_PATTERNS) {
+      if (matchesPattern(content, pattern, { isContent: true })) {
+        return true;
+      }
+    }
+
+    // Check custom content patterns
+    for (const pattern of contentPatterns) {
+      if (matchesPattern(content, pattern, { isContent: true })) {
+        return true;
+      }
+    }
+  }
+
+  return false;
+}

package/server/lib/memory-exclusion.test.js

@@ -0,0 +1,241 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+import {
+  shouldExclude,
+  matchesPattern,
+  loadPatterns,
+  DEFAULT_FILE_PATTERNS,
+  DEFAULT_CONTENT_PATTERNS,
+  MODE,
+} from './memory-exclusion.js';
+
+describe('memory-exclusion', () => {
+  let testDir;
+
+  beforeEach(() => {
+    testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'tlc-memory-exclusion-test-'));
+  });
+
+  afterEach(() => {
+    fs.rmSync(testDir, { recursive: true, force: true });
+  });
+
+  describe('shouldExclude', () => {
+    it('returns true for .env files', () => {
+      expect(shouldExclude('.env')).toBe(true);
+      expect(shouldExclude('.env.local')).toBe(true);
+      expect(shouldExclude('.env.production')).toBe(true);
+      expect(shouldExclude('src/.env')).toBe(true);
+    });
+
+    it('returns true for matching content patterns', () => {
+      expect(shouldExclude('config.js', 'password=secret123')).toBe(true);
+      expect(shouldExclude('config.js', 'api_key=abc123')).toBe(true);
+      expect(shouldExclude('config.js', 'secret=mysecret')).toBe(true);
+      expect(shouldExclude('config.js', 'token=xyz789')).toBe(true);
+      expect(shouldExclude('config.js', 'private_key=-----BEGIN')).toBe(true);
+    });
+
+    it('returns false for safe content', () => {
+      expect(shouldExclude('src/index.js')).toBe(false);
+      expect(shouldExclude('src/utils.js', 'function add(a, b) { return a + b; }')).toBe(false);
+      expect(shouldExclude('README.md', '# My Project')).toBe(false);
+      expect(shouldExclude('package.json', '{"name": "my-app"}')).toBe(false);
+    });
+
+    it('returns true for .pem and .key files', () => {
+      expect(shouldExclude('server.pem')).toBe(true);
+      expect(shouldExclude('private.key')).toBe(true);
+      expect(shouldExclude('certs/server.pem')).toBe(true);
+    });
+
+    it('returns true for files with credentials or secrets in name', () => {
+      expect(shouldExclude('credentials.json')).toBe(true);
+      expect(shouldExclude('my-credentials.yaml')).toBe(true);
+      expect(shouldExclude('secrets.json')).toBe(true);
+      expect(shouldExclude('app-secrets.yaml')).toBe(true);
+    });
+  });
+
+  describe('whitelist mode', () => {
+    it('only allows listed patterns', () => {
+      const config = {
+        mode: MODE.WHITELIST,
+        patterns: ['*.js', '*.ts', 'package.json'],
+      };
+
+      expect(shouldExclude('src/index.js', null, config)).toBe(false);
+      expect(shouldExclude('src/app.ts', null, config)).toBe(false);
+      expect(shouldExclude('package.json', null, config)).toBe(false);
+      expect(shouldExclude('config.yaml', null, config)).toBe(true);
+      expect(shouldExclude('README.md', null, config)).toBe(true);
+    });
+
+    it('still excludes sensitive files even in whitelist mode', () => {
+      const config = {
+        mode: MODE.WHITELIST,
+        patterns: ['*'],
+        enforceDefaults: true,
+      };
+
+      expect(shouldExclude('.env', null, config)).toBe(true);
+      expect(shouldExclude('server.pem', null, config)).toBe(true);
+    });
+  });
+
+  describe('blacklist mode', () => {
+    it('excludes listed patterns', () => {
+      const config = {
+        mode: MODE.BLACKLIST,
+        patterns: ['*.log', '*.tmp', 'node_modules/**'],
+      };
+
+      expect(shouldExclude('debug.log', null, config)).toBe(true);
+      expect(shouldExclude('temp.tmp', null, config)).toBe(true);
+      expect(shouldExclude('node_modules/lodash/index.js', null, config)).toBe(true);
+      expect(shouldExclude('src/index.js', null, config)).toBe(false);
+    });
+
+    it('combines with default patterns in blacklist mode', () => {
+      const config = {
+        mode: MODE.BLACKLIST,
+        patterns: ['*.log'],
+      };
+
+      expect(shouldExclude('debug.log', null, config)).toBe(true);
+      expect(shouldExclude('.env', null, config)).toBe(true);
+    });
+  });
+
+  describe('loadPatterns', () => {
+    it('reads patterns from config file', () => {
+      const configPath = path.join(testDir, '.tlc.json');
+      const config = {
+        memoryExclusion: {
+          mode: 'blacklist',
+          filePatterns: ['*.log', '*.tmp'],
+          contentPatterns: ['secret=', 'password='],
+        },
+      };
+      fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
+
+      const patterns = loadPatterns(testDir);
+
+      expect(patterns.mode).toBe(MODE.BLACKLIST);
+      expect(patterns.filePatterns).toContain('*.log');
+      expect(patterns.filePatterns).toContain('*.tmp');
+      expect(patterns.contentPatterns).toContain('secret=');
+    });
+
+    it('uses defaults when no config file exists', () => {
+      const patterns = loadPatterns(testDir);
+
+      expect(patterns.mode).toBe(MODE.BLACKLIST);
+      expect(patterns.filePatterns).toEqual(DEFAULT_FILE_PATTERNS);
+      expect(patterns.contentPatterns).toEqual(DEFAULT_CONTENT_PATTERNS);
+    });
+
+    it('uses defaults when config has no memoryExclusion section', () => {
+      const configPath = path.join(testDir, '.tlc.json');
+      fs.writeFileSync(configPath, JSON.stringify({ project: 'test' }, null, 2));
+
+      const patterns = loadPatterns(testDir);
+
+      expect(patterns.filePatterns).toEqual(DEFAULT_FILE_PATTERNS);
+      expect(patterns.contentPatterns).toEqual(DEFAULT_CONTENT_PATTERNS);
+    });
+
+    it('merges custom patterns with defaults', () => {
+      const configPath = path.join(testDir, '.tlc.json');
+      const config = {
+        memoryExclusion: {
+          filePatterns: ['*.custom'],
+          mergeDefaults: true,
+        },
+      };
+      fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
+
+      const patterns = loadPatterns(testDir);
+
+      expect(patterns.filePatterns).toContain('*.custom');
+      expect(patterns.filePatterns).toContain('.env');
+    });
+  });
+
+  describe('matchesPattern', () => {
+    it('handles glob patterns', () => {
+      expect(matchesPattern('test.env', '*.env')).toBe(true);
+      expect(matchesPattern('config.js', '*.env')).toBe(false);
+      expect(matchesPattern('.env.local', '.env.*')).toBe(true);
+    });
+
+    it('handles double star glob patterns', () => {
+      expect(matchesPattern('src/config/.secrets/key.txt', '**/.secrets/*')).toBe(true);
+      expect(matchesPattern('.secrets/key.txt', '**/.secrets/*')).toBe(true);
+      expect(matchesPattern('src/index.js', '**/.secrets/*')).toBe(false);
+    });
+
+    it('handles regex patterns', () => {
+      expect(matchesPattern('password=123', /password=/)).toBe(true);
+      expect(matchesPattern('api_key=abc', /api_key=/)).toBe(true);
+      expect(matchesPattern('normal content', /password=/)).toBe(false);
+    });
+
+    it('handles regex patterns as strings with regex: prefix', () => {
+      expect(matchesPattern('password=123', 'regex:password=')).toBe(true);
+      expect(matchesPattern('api_key=abc', 'regex:api_key=')).toBe(true);
+      expect(matchesPattern('normal content', 'regex:password=')).toBe(false);
+    });
+
+    it('handles case-insensitive matching', () => {
+      expect(matchesPattern('PASSWORD=123', 'regex:password=', { ignoreCase: true })).toBe(true);
+      expect(matchesPattern('Api_Key=abc', 'regex:api_key=', { ignoreCase: true })).toBe(true);
+    });
+
+    it('handles exact match patterns', () => {
+      expect(matchesPattern('.env', '.env')).toBe(true);
+      expect(matchesPattern('src/.env', '.env')).toBe(false);
+    });
+
+    it('handles patterns with special characters', () => {
+      expect(matchesPattern('file.test.js', '*.test.js')).toBe(true);
+      expect(matchesPattern('credentials.json', '*credentials*')).toBe(true);
+    });
+  });
+
+  describe('DEFAULT_FILE_PATTERNS', () => {
+    it('includes .env patterns', () => {
+      expect(DEFAULT_FILE_PATTERNS).toContain('.env');
+      expect(DEFAULT_FILE_PATTERNS).toContain('.env.*');
+    });
+
+    it('includes certificate patterns', () => {
+      expect(DEFAULT_FILE_PATTERNS).toContain('*.pem');
+      expect(DEFAULT_FILE_PATTERNS).toContain('*.key');
+    });
+
+    it('includes credential patterns', () => {
+      expect(DEFAULT_FILE_PATTERNS).toContain('*credentials*');
+      expect(DEFAULT_FILE_PATTERNS).toContain('*secrets*');
+    });
+  });
+
+  describe('DEFAULT_CONTENT_PATTERNS', () => {
+    it('includes sensitive content patterns', () => {
+      expect(DEFAULT_CONTENT_PATTERNS).toContain('password=');
+      expect(DEFAULT_CONTENT_PATTERNS).toContain('api_key=');
+      expect(DEFAULT_CONTENT_PATTERNS).toContain('secret=');
+      expect(DEFAULT_CONTENT_PATTERNS).toContain('token=');
+      expect(DEFAULT_CONTENT_PATTERNS).toContain('private_key');
+    });
+  });
+
+  describe('MODE', () => {
+    it('exports mode constants', () => {
+      expect(MODE.WHITELIST).toBe('whitelist');
+      expect(MODE.BLACKLIST).toBe('blacklist');
+    });
+  });
+});