feat: add OpenCode hush plugin and GitLab E2E pipeline#23
Merged
Conversation
Adds `hush redact-hook` command that runs as a Claude Code PostToolUse hook, redacting PII from tool outputs before Claude ever sees them. Works standalone or alongside the proxy for defense-in-depth. - `hush redact-hook`: stdin/stdout hook handler using existing Redactor - `hush init --hooks`: generates/merges hook config into settings.json - CLI subcommand routing with dynamic imports (no heavy deps for hooks) - 14 new tests (redact-hook + init integration tests) - README: Hooks Mode section with setup, diagram, comparison table - Team config example updated with defense-in-depth setup Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Use `tool_response` field (not `tool_output`) matching actual payload - Use `decision: "block"` + `reason` output format (PostToolUse has no outputOverride — confirmed via spec and closed GitHub issues #4635, #18594) - Handle Read tool's nested `file.content` response shape - Add Grep content field test case (10 tests total) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add tool.execute.before plugin for OpenCode that blocks reads of sensitive files (.env, *.pem, credentials.*, id_rsa, etc.) before the AI model sees them. Includes GitLab CI pipeline with two E2E scenarios: plugin blocks .env read, and proxy redacts PII in normal files. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Coverage Report
File Coverage
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
PR Review: OpenCode Plugin + E2E PipelineSummaryThis PR adds defense-in-depth PII protection via an OpenCode plugin (blocks sensitive file reads pre-execution) + GitLab CI E2E tests. Overall architecture is solid. Minor issues noted below. 1. Redaction Logic✅ Strengths:
Suggestion: Add patterns for cloud provider keys: AWS_ACCESS_KEY: /\bAKIA[0-9A-Z]{16}\b/g,
GCP_SERVICE_KEY: /\bAIza[0-9A-Za-z\-_]{35}\b/g,2. Streaming Integrity✅ Strengths:
Suggestion: Consider a max buffer size with truncation warning for defensive streaming. 3. Security✅ Strengths:
Suggestion: Add to /\.p12$/, /\.pfx$/, /\.jks$/, /\.keystore$/, /\.asc$/,4. Reliability✅ Strengths:
Suggestion: Include upstream status in error response when available: res.status(502).json({ error: 'Gateway forwarding failed', upstream: error.message });Test Coverage
VerdictApprove with minor suggestions. Core security model is sound. Consider the secret pattern and keystore file additions as follow-ups. Reviewed SHA: 14ad65d |
…ve file detection Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Code Review: Hush Semantic Gateway PR #23SummaryThis PR adds defense-in-depth capabilities via OpenCode plugin blocking + Claude Code hooks for PII redaction. Overall architecture is sound, but I identified several areas for improvement. 1. Redaction Logic✅ Good:
Suggestion: Add a 2. Streaming Integrity✅ Good:
Suggestion: Add explicit 3. Security✅ Good:
4. Reliability✅ Good:
5. Plugin Implementation (New in this PR)✅ Good:
Test Coverage
VerdictApprove with minor suggestions. The implementation is solid for the primary use case. Consider addressing the shell expansion bypass and adding 8-char tokens for production scale. Reviewed SHA: b2d167f |
…turn 502 with upstream context - Add Tier 1 cloud provider key patterns (AWS, GCP, GitHub, GitLab, Slack, Stripe, SendGrid, npm, Anthropic, OpenAI, DigitalOcean, etc.) and PEM private key detection to redactor - Run cloud key patterns before generic SECRET/CREDIT_CARD to prevent partial matches eating prefixed keys - Fix streaming token-vault: partial token detection now checks for uppercase prefix after '[' to avoid false-positives on JSON arrays - Cap contentBuffers at 1MB per field to prevent unbounded memory growth - Return 502 (not 500) with upstream error message for debugging Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This was referenced Mar 2, 2026
- Expand $HOME/.env, ${VAR}/.env, and ~/.env before checking sensitive
patterns so `cat $HOME/.env` is blocked
- Add `batcat` (Ubuntu symlink for bat) to read command detection
- 6 new test cases for shell expansion and batcat
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Harden commandReadsSensitiveFile: split on <> redirects, strip shell
metacharacters (backticks, quotes, $(), {}) before isSensitivePath,
detect redirect patterns like `cat <.env`
- Trim whitespace in isSensitivePath
- Remove upstream message from 502 JSON response to avoid leaking
internal infrastructure details (kept in server-side log)
- Remove dead ~/ and $HOME expansion code — isSensitivePath already
uses basename-only matching
- Hold back bare `[` at buffer boundary in token-vault (not just
[A-Z_ prefixed)
- Rename TMPDIR → WORK_DIR in E2E scripts to avoid POSIX collision
- Wrap opencode calls with timeout 120 in both E2E scripts
- Replace node_modules/ artifact with cache keyed on package-lock.json
in GitLab CI
- Set PORT=$GATEWAY_PORT explicitly in e2e-proxy-live.sh
- Add tests for shell metacharacter bypass (subshells, backticks,
redirects, quotes)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
tool.execute.beforeOpenCode plugin that blocks reads of sensitive files (.env,*.pem,credentials.*,id_rsa,.netrc,.pgpass) before the AI model executes them.gitlab-ci.yml) with two E2E scenarios: plugin blocks.envread (Scenario A), proxy redacts PII in normal files (Scenario B)@aictrl/hush/opencode-pluginnpm export, drop-in example atexamples/team-config/.opencode/plugins/hush.ts, and 50 unit testsTest plan
npm run buildcompiles cleanly (including new plugin exports)npm test— all 95 tests pass (50 new plugin tests)import('@aictrl/hush/opencode-plugin')resolves to{ HushPlugin }scripts/e2e-plugin-block.sh— plugin blocks.env, PII never in outputscripts/e2e-proxy-live.sh— proxy redacts PII, vault has tokens🤖 Generated with Claude Code