* fix(hooks): scrub secrets and harden hook security - Scrub common secret patterns (api_key, token, password, etc.) from observation logs before persisting to JSONL (observe.sh) - Auto-purge observation files older than 30 days (observe.sh) - Strip embedded credentials from git remote URLs before saving to projects.json (detect-project.sh) - Add command prefix allowlist to runCommand — only git, node, npx, which, where are permitted (utils.js) - Sanitize CLAUDE_SESSION_ID in temp file paths to prevent path traversal (suggest-compact.js) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(hooks): address review feedback from CodeRabbit and Cubic - Reject shell command-chaining operators (;|&`) in runCommand, strip quoted sections before checking to avoid false positives (utils.js) - Remove command string from blocked error message to avoid leaking secrets (utils.js) - Fix Python regex quoting: switch outer shell string from double to single quotes so regex compiles correctly (observe.sh) - Add optional auth scheme match (Bearer, Basic) to secret scrubber regex (observe.sh) - Scope auto-purge to current project dir and match only archived files (observations-*.jsonl), not live queue (observe.sh) - Add second fallback after session ID sanitization to prevent empty string (suggest-compact.js) - Preserve backward compatibility when credential stripping changes project hash — detect and migrate legacy directories (detect-project.sh) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(hooks): block $() substitution, fix Bearer redaction, add security tests - Add $ and \n to blocked shell metacharacters in runCommand to prevent command substitution via $(cmd) and newline injection (utils.js) - Make auth scheme group capturing so Bearer/Basic is preserved in redacted output instead of being silently dropped (observe.sh) - Add 10 unit tests covering runCommand allowlist blocking (rm, curl, bash prefixes) and metacharacter rejection (;|&`$ chaining), plus 
error message leak prevention (utils.test.js) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(hooks): scrub parse-error fallback, strengthen security tests Address remaining reviewer feedback from CodeRabbit and Cubic: - Scrub secrets in observe.sh parse-error fallback path (was writing raw unsanitized input to observations file) - Remove redundant re.IGNORECASE flag ((?i) inline flag already set) - Add inline comment documenting quote-stripping limitation trade-off - Fix misleading test name for error-output test - Add 5 new security tests: single-quote passthrough, mixed quoted+unquoted metacharacters, prefix boundary (no trailing space), npx acceptance, and newline injection - Improve existing quoted-metacharacter test to actually exercise quote-stripping logic Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(security): block $() and backtick inside quotes in runCommand Shell evaluates $() and backticks inside double quotes, so checking only the unquoted portion was insufficient. Now $ and ` are rejected anywhere in the command string, while ; | & remain quote-aware. Addresses CodeRabbit and Cubic review feedback on PR #348. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
#!/usr/bin/env node
/**
 * Strategic Compact Suggester
 *
 * Cross-platform (Windows, macOS, Linux)
 *
 * Runs on PreToolUse or periodically to suggest manual compaction at logical intervals
 *
 * Why manual over auto-compact:
 * - Auto-compact happens at arbitrary points, often mid-task
 * - Strategic compacting preserves context through logical phases
 * - Compact after exploration, before execution
 * - Compact after completing a milestone, before starting next
 */
const fs = require('fs');
const path = require('path');
const {
getTempDir,
writeFile,
log
} = require('../lib/utils');
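// Upper bound on the sanitized session ID used in the counter file name, so an
// oversized CLAUDE_SESSION_ID cannot yield a path that fails with ENAMETOOLONG.
// Assumes real session IDs are far shorter than this — confirm against the
// host's ID format before lowering it.
const MAX_SESSION_ID_LENGTH = 128;

/**
 * Reduce a raw session ID to a filename-safe token.
 *
 * Strips everything outside [A-Za-z0-9_-] (so no path separators, dots or
 * traversal sequences survive), truncates to MAX_SESSION_ID_LENGTH, and falls
 * back to 'default' when the input is unset or nothing is left after
 * stripping.
 *
 * @param {string|undefined} raw - value of CLAUDE_SESSION_ID
 * @returns {string} sanitized, non-empty token
 */
function sanitizeSessionId(raw) {
  const cleaned = (raw || 'default')
    .replace(/[^a-zA-Z0-9_-]/g, '')
    .slice(0, MAX_SESSION_ID_LENGTH);
  return cleaned || 'default';
}

/**
 * Parse COMPACT_THRESHOLD, accepting only integers in 1..10000; anything else
 * (unset, non-numeric, zero, negative, oversized) yields the default of 50.
 *
 * @param {string|undefined} raw - value of COMPACT_THRESHOLD
 * @returns {number} the threshold to use
 */
function resolveThreshold(raw) {
  const parsed = Number.parseInt(raw || '50', 10);
  const inRange = Number.isFinite(parsed) && parsed > 0 && parsed <= 10000;
  return inRange ? parsed : 50;
}

/**
 * Read the persisted tool-call count from counterFile, add one, write it back
 * and return the new value.
 *
 * The file is opened once in append+read mode and read, truncated and written
 * through that single descriptor, which narrows (but does not close) the race
 * window between concurrent hook invocations. It is created with mode 0o600 so
 * other users of a shared temp directory cannot read or tamper with the counter
 * (the mode argument is ignored on Windows). A missing, empty, unparsable or
 * out-of-range value restarts the count at 1.
 *
 * NOTE(review): the file name is predictable; if getTempDir() resolves to a
 * world-writable directory, a pre-existing symlink of that name would be
 * followed by the open — confirm whether the temp dir is per-user.
 *
 * @param {string} counterFile - path of the per-session counter file
 * @returns {number} the count after incrementing
 */
function bumpCounter(counterFile) {
  let count = 1;
  try {
    const fd = fs.openSync(counterFile, 'a+', 0o600);
    try {
      const buf = Buffer.alloc(64);
      const bytesRead = fs.readSync(fd, buf, 0, 64, 0);
      if (bytesRead > 0) {
        const parsed = Number.parseInt(buf.toString('utf8', 0, bytesRead).trim(), 10);
        // Clamp: a corrupted file could hold a huge value that still passes
        // Number.isFinite() (e.g. parseInt('9'.repeat(30)) => 1e+29).
        count = Number.isFinite(parsed) && parsed > 0 && parsed <= 1000000 ? parsed + 1 : 1;
      }
      // Truncate, then write the new value; with the append flag the write
      // lands at the end of the now-empty file, i.e. offset 0.
      fs.ftruncateSync(fd, 0);
      fs.writeSync(fd, String(count), 0);
    } finally {
      fs.closeSync(fd);
    }
  } catch {
    // Best effort: if descriptor-level I/O fails, fall back to a plain write so
    // the next invocation still has something to read. `count` already holds
    // the incremented value if the failure happened after the read.
    writeFile(counterFile, String(count));
  }
  return count;
}

/**
 * Hook entry point: bump a per-session tool-call counter kept in the temp
 * directory and, at the configured threshold (and every 25 calls after it),
 * log a reminder to consider `/compact`.
 *
 * Environment:
 *   CLAUDE_SESSION_ID - scopes the counter file; sanitized to [A-Za-z0-9_-]
 *                       and length-capped so it cannot escape the temp dir
 *                       ('default' when unset or empty after sanitizing).
 *   COMPACT_THRESHOLD - tool-call count that triggers the first reminder;
 *                       must be an integer in 1..10000, otherwise 50.
 *
 * Always exits with status 0 so a failure in this hook never blocks the tool
 * call it observes.
 */
async function main() {
  const sessionId = sanitizeSessionId(process.env.CLAUDE_SESSION_ID);
  const counterFile = path.join(getTempDir(), `claude-tool-count-${sessionId}`);
  const threshold = resolveThreshold(process.env.COMPACT_THRESHOLD);

  const count = bumpCounter(counterFile);

  // First reminder exactly at the threshold...
  if (count === threshold) {
    log(`[StrategicCompact] ${threshold} tool calls reached - consider /compact if transitioning phases`);
  }

  // ...then at every 25th call past it.
  if (count > threshold && (count - threshold) % 25 === 0) {
    log(`[StrategicCompact] ${count} tool calls - good checkpoint for /compact if context is stale`);
  }

  process.exit(0);
}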
/**
 * Run the hook. Any rejection is reported to stderr and the process still
 * exits with status 0, so a failing suggester never blocks the tool call it
 * observes.
 */
main().catch(function onHookFailure(err) {
  console.error('[StrategicCompact] Error:', err.message);
  process.exit(0);
});