mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-03-30 13:43:26 +08:00
68fc85ea49
cubic-dev-ai P2: dev_mode now defaults to "false" (strict mode). Users opt in to dev mode by setting INSAITS_DEV_MODE=true. cubic-dev-ai P2: Move null-status check above stdout/stderr writes in wrapper so partial/corrupt output is never leaked. Pass through original raw input on signal kill, matching the result.error path. coderabbit major: Wrap insAItsMonitor() and send_message() in try/except so SDK errors don't crash the hook. Logs warning and exits 0 (fail-open) on exception. coderabbit nitpick: write_audit now creates a new dict (enriched) instead of mutating the caller's event dict. coderabbit nitpick: Extract magic numbers to named constants: MIN_CONTENT_LENGTH=10, MAX_SCAN_LENGTH=4000, DEFAULT_MODEL. Also: added env var documentation to module docstring. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
80 lines
2.5 KiB
JavaScript
80 lines
2.5 KiB
JavaScript
#!/usr/bin/env node
|
|
/**
|
|
* InsAIts Security Monitor — wrapper for run-with-flags compatibility.
|
|
*
|
|
* This thin wrapper receives stdin from the hooks infrastructure and
|
|
* delegates to the Python-based insaits-security-monitor.py script.
|
|
*
|
|
* The wrapper exists because run-with-flags.js spawns child scripts
|
|
* via `node`, so a JS entry point is needed to bridge to Python.
|
|
*/
|
|
|
|
'use strict';
|
|
|
|
const path = require('path');
|
|
const { spawnSync } = require('child_process');
|
|
|
|
const MAX_STDIN = 1024 * 1024;
|
|
|
|
let raw = '';
|
|
process.stdin.setEncoding('utf8');
|
|
process.stdin.on('data', chunk => {
|
|
if (raw.length < MAX_STDIN) {
|
|
raw += chunk.substring(0, MAX_STDIN - raw.length);
|
|
}
|
|
});
|
|
|
|
process.stdin.on('end', () => {
|
|
const scriptDir = __dirname;
|
|
const pyScript = path.join(scriptDir, 'insaits-security-monitor.py');
|
|
|
|
// Try python3 first (macOS/Linux), fall back to python (Windows)
|
|
const pythonCandidates = ['python3', 'python'];
|
|
let result;
|
|
|
|
for (const pythonBin of pythonCandidates) {
|
|
result = spawnSync(pythonBin, [pyScript], {
|
|
input: raw,
|
|
encoding: 'utf8',
|
|
env: process.env,
|
|
cwd: process.cwd(),
|
|
timeout: 14000,
|
|
});
|
|
|
|
// ENOENT means binary not found — try next candidate
|
|
if (result.error && result.error.code === 'ENOENT') {
|
|
continue;
|
|
}
|
|
break;
|
|
}
|
|
|
|
if (!result || (result.error && result.error.code === 'ENOENT')) {
|
|
process.stderr.write('[InsAIts] python3/python not found. Install Python 3.9+ and: pip install insa-its\n');
|
|
process.stdout.write(raw);
|
|
process.exit(0);
|
|
}
|
|
|
|
// Log non-ENOENT spawn errors (timeout, signal kill, etc.) so users
|
|
// know the security monitor did not run — fail-open with a warning.
|
|
if (result.error) {
|
|
process.stderr.write(`[InsAIts] Security monitor failed to run: ${result.error.message}\n`);
|
|
process.stdout.write(raw);
|
|
process.exit(0);
|
|
}
|
|
|
|
// result.status is null when the process was killed by a signal or
|
|
// timed out. Check BEFORE writing stdout to avoid leaking partial
|
|
// or corrupt monitor output. Pass through original raw input instead.
|
|
if (!Number.isInteger(result.status)) {
|
|
const signal = result.signal || 'unknown';
|
|
process.stderr.write(`[InsAIts] Security monitor killed (signal: ${signal}). Tool execution continues.\n`);
|
|
process.stdout.write(raw);
|
|
process.exit(0);
|
|
}
|
|
|
|
if (result.stdout) process.stdout.write(result.stdout);
|
|
if (result.stderr) process.stderr.write(result.stderr);
|
|
|
|
process.exit(result.status);
|
|
});
|