fix: patch xml2js CVE + route OpenCode review through hush gateway

.github/workflows/opencode-review.yml

@@ -69,33 +69,67 @@ jobs:
             echo "skip=false" >> $GITHUB_OUTPUT
           fi
 
+      - name: Setup Node.js
+        if: steps.check_changes.outputs.skip != 'true'
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Start Hush Gateway
+        if: steps.check_changes.outputs.skip != 'true'
+        run: |
+          npm install -g @aictrl/hush@0.1.7
+          HUSH_BIN="$(npm prefix -g)/bin/hush"
+          PORT=4000 HUSH_HOST=127.0.0.1 "$HUSH_BIN" &
+          # Wait for gateway to be ready
+          for i in $(seq 1 20); do
+            curl -sf http://127.0.0.1:4000/health > /dev/null 2>&1 && break
+            sleep 0.5
+          done
+          curl -sf http://127.0.0.1:4000/health || { echo "::error::Hush gateway failed to start"; exit 1; }
+          echo "Hush gateway running on :4000"
+
+      - name: Build project
+        if: steps.check_changes.outputs.skip != 'true'
+        run: npm ci && npm run build
+
       - name: Setup OpenCode
         if: steps.check_changes.outputs.skip != 'true'
         env:
           ZHIPU_API_KEY: ${{ secrets.ZHIPUAI_API_KEY }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          # Use GITHUB_TOKEN to avoid rate limits when fetching version info
+          # Install OpenCode
           curl -fsSL https://opencode.ai/install | bash -s -- --no-modify-path
           echo "$HOME/.opencode/bin" >> $GITHUB_PATH
 
+          # Configure OpenCode to route through hush proxy + hush plugin
+          mkdir -p .opencode/plugins
+          cp examples/team-config/.opencode/plugins/hush.ts .opencode/plugins/hush.ts
+          printf '%s\n' '{"provider":{"zai-coding-plan":{"options":{"baseURL":"http://127.0.0.1:4000/api/coding/paas/v4"}}},"plugin":[".opencode/plugins/hush.ts"]}' > opencode.json
+
       - name: Direct OpenCode Review
         if: steps.check_changes.outputs.skip != 'true'
+        timeout-minutes: 15
         env:
           ZHIPU_API_KEY: ${{ secrets.ZHIPUAI_API_KEY }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           SHA=${{ github.event.pull_request.head.sha || github.sha }}
           echo "Starting review with GLM-5 for SHA $SHA..."
-
+          echo "opencode.json:"; cat opencode.json
+          echo "Hush health:"; curl -sf http://127.0.0.1:4000/health || echo "gateway unreachable"
+
           $HOME/.opencode/bin/opencode run --model zai-coding-plan/glm-5 "Review the changes in this PR for the Hush Semantic Gateway.
 
+          **IMPORTANT**: This is a code review only. Do NOT run tests, npm commands, or build commands. Only read source files and git diffs.
+
           Focus areas:
           1. **Redaction Logic**: Ensure PII patterns are robust and handle edge cases in tool outputs (like JSON or CLI tables).
           2. **Streaming Integrity**: Check that the SSE/streaming proxy logic doesn't buffer unnecessarily or break the rehydration flow.
           3. **Security**: Look for potential PII leaks or insecure token handling in the vault.
           4. **Reliability**: Ensure the proxy handles upstream errors gracefully.
-          
-          Keep the summary concise but technical. Post findings as a markdown comment on the PR.
-          
+
+          Keep the summary concise but technical. Post findings as a single markdown comment on the PR using gh pr comment, then stop.
+
           **CRITICAL**: Include the string 'Reviewed SHA: $SHA' at the very end of your comment so I can track which commits have been reviewed."

package.json

@@ -52,6 +52,9 @@
     "pino": "^10.3.1",
     "pino-pretty": "^13.1.3"
   },
+  "overrides": {
+    "xml2js": "^0.6.2"
+  },
   "devDependencies": {
     "@types/blessed": "^0.1.27",
     "@types/cors": "^2.8.19",