
chore: bump version to 0.1.8 #35

Merged
byapparov merged 3 commits into master from chore/release-0.1.8
Mar 3, 2026

@byapparov
Contributor

Summary

  • Bump version from 0.1.7 to 0.1.8 to make recent fixes available for other projects' CI/CD pipelines

Test plan

  • npm test passes
  • Tag and release created after merge

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions

github-actions Bot commented Mar 2, 2026

Coverage Report

Status | Category   | Percentage | Covered / Total
🔵     | Lines      | 81.05%     | 308 / 380
🔵     | Statements | 80%        | 332 / 415
🔵     | Functions  | 75.43%     | 43 / 57
🔵     | Branches   | 70.3%      | 161 / 229

File Coverage

File                         | Stmts | Branches | Functions | Lines | Uncovered Lines
Changed Files
src/plugins/opencode-hush.ts | 100%  | 88.46%   | 100%      | 100%  |

Generated in workflow #109 for commit 33a9ad7 by the Vitest Coverage Report Action

@github-actions

github-actions Bot commented Mar 2, 2026

PR #35 Review: Version Bump to 0.1.8

This PR contains only a version bump (package.json: 0.1.7 → 0.1.8). No code changes to review. Below is an assessment of the 0.1.7 codebase that this release packages.


1. Redaction Logic ✅ Solid

Strengths:

  • Comprehensive cloud provider key detection (AWS, GCP, GitHub, GitLab, Slack, Stripe, SendGrid, npm, PyPI, Docker, Anthropic, OpenAI, DigitalOcean, HashiCorp Vault, Supabase)
  • Cloud keys matched before generic patterns to prevent partial consumption
  • ReDoS-safe email regex with bounded quantifiers
  • PEM private key detection (multiline)

Edge Cases to Watch:

  • SECRET pattern (/(?:api[-_]?key|secret|password|token|bearer|auth)["']?\s*[:=]\s*["']?([a-zA-Z0-9\-_!@#$%^&*()=+]{16,})["']?/gi) requires 16+ chars and key=value syntax — may miss secrets in JSON ("apiKey": "short") or CLI tables with column alignment
  • IPv4 regex lacks validation for octets >255 (cosmetic only — false positives unlikely)

2. Streaming Integrity ✅ Well-Designed

createStreamingRehydrator() in token-vault.ts:87-225:

  • Correctly holds back partial tokens split across SSE chunks
  • 1MB buffer cap prevents unbounded memory growth
  • Handles both OpenAI (choices[0].delta.content) and Anthropic (delta.text) formats
  • Uses split/join for token replacement — efficient and avoids regex edge cases
  • Distinguishes token brackets [A-Z_] from JSON array brackets

No unnecessary buffering — releases content immediately once tokens are complete or determined non-token.


3. Security ✅ Good Practices

  • Localhost binding by default (127.0.0.1) — prevents network exposure
  • Optional auth token (HUSH_AUTH_TOKEN) with Bearer support
  • structuredClone for safe deep copies in rehydration
  • OpenCode plugin blocks sensitive file reads (.env, *.pem, credentials.*) at tool boundary
  • Shell metacharacter stripping prevents bypass via variable expansion ($HOME/.env)

Note: Vault tokens are stored in-memory with 1-hour TTL. Not encrypted at rest — acceptable for local-only threat model.


4. Reliability ✅ Graceful Error Handling

  • 30-second upstream timeout via AbortSignal.timeout(30000)
  • Upstream errors (4xx/5xx) forwarded with original status and body
  • Backpressure handling in streaming (res.once('drain'))
  • Returns 502 with {"error": "Gateway forwarding failed"} on network failures

Test Status

  • 108/123 tests pass — core functionality verified
  • 15 failures are CLI integration tests requiring dist/cli.js build artifact (not a code issue)

Verdict

Approve — This is a clean release packaging recent fixes. No security regressions or logic concerns in the bump itself.

Reviewed SHA: 753f536
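
Added example (not part of the review comment above and not the project's code): a small probe that runs the SECRET pattern exactly as quoted in the review over constructed inputs and reports why a line was not matched. The `probe` function, the `Verdict` labels, the two helper patterns and all sample strings are assumptions made for illustration.

```typescript
// SECRET pattern copied verbatim from the review comment.
const SECRET = /(?:api[-_]?key|secret|password|token|bearer|auth)["']?\s*[:=]\s*["']?([a-zA-Z0-9\-_!@#$%^&*()=+]{16,})["']?/gi;

// Hypothetical helper patterns (not from the project), used only to explain a miss.
const KEYWORD = /(?:api[-_]?key|secret|password|token|bearer|auth)/i;
const KEYWORD_DELIM = /(?:api[-_]?key|secret|password|token|bearer|auth)["']?\s*[:=]/i;

type Verdict = "matched" | "no-keyword" | "no-delimiter" | "value-too-short-or-charset";

// Classify one line: did SECRET capture a value, and if not, which part of the pattern failed?
function probe(line: string): { verdict: Verdict; captured: string[] } {
  const re = new RegExp(SECRET.source, SECRET.flags); // fresh lastIndex on every call
  const captured: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(line)) !== null) captured.push(m[1]);
  if (captured.length > 0) return { verdict: "matched", captured };
  if (!KEYWORD.test(line)) return { verdict: "no-keyword", captured };
  if (!KEYWORD_DELIM.test(line)) return { verdict: "no-delimiter", captured };
  return { verdict: "value-too-short-or-charset", captured };
}

// Constructed sample inputs covering the cases named in the review.
const samples: string[] = [
  "API_KEY=abcd1234efgh5678ijkl",           // key=value, 20-char value
  '{"apiKey": "abcd1234efgh5678ijkl"}',     // JSON, 20-char value
  '{"apiKey": "short"}',                    // JSON, value under 16 chars
  "token     abcd1234efgh5678ijkl",         // column-aligned CLI table, no ':' or '='
];

function report(): string[] {
  return samples.map((s) => `${probe(s).verdict}: ${s}`);
}

console.log(report().join("\n"));
```

Lines reported as `no-delimiter` or `value-too-short-or-charset` are candidates for regression tests in the redactor's suite.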

Bidirectional PII redaction for MCP tools: PreToolUse redacts outbound
arguments before they reach the MCP server, PostToolUse redacts inbound
results before the LLM sees them. Built-in tool redaction unchanged.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions

github-actions Bot commented Mar 2, 2026

PR Review: MCP Tool Call Redaction (feat/hooks-pii-redaction)

Summary

This PR adds PreToolUse and PostToolUse hooks for MCP tools, enabling PII redaction on both outbound tool arguments and inbound tool results. All 136 tests pass with 80%+ coverage.


1. Redaction Logic ✅

Strengths:

  • Cloud key patterns are comprehensive (Tier 1: AWS, GCP, GitHub, GitLab, Slack, Stripe, etc.)
  • Pattern ordering is correct: cloud keys run before generic SECRET pattern to prevent partial matching
  • ReDoS-safe email regex with bounded quantifiers
  • Deep traversal handles nested objects in MCP tool inputs

Observations:

  • redact-hook.ts:115 - The redactor.redact(contentArray) call correctly handles MCP content block arrays via JSON round-trip
  • Edge case: CLI table output with | delimiters containing emails/IPs is handled since redaction operates on raw strings before structure parsing

Minor note: IPv4 pattern at redactor.ts:38 could match version numbers (e.g., 1.2.3.4) but this is acceptable given the token format makes it distinguishable from actual IPs in context.


2. Streaming Integrity ✅

SSE Handling (token-vault.ts:87-225):

  • Correctly detects SSE vs raw text mode via data: prefix
  • Buffer holdback logic for split tokens is sound — holds back partial [PREFIX_* segments
  • Uses [ detection with uppercase letter check to distinguish tokens from JSON arrays
  • MAX_BUFFER_SIZE (1MB) cap prevents unbounded memory growth
  • Backpressure handling in index.ts:141-145 with res.once('drain') is correct

Rehydration Flow:

  • createStreamingRehydrator() returns a stateful function that maintains buffer across chunks
  • Content fields (content, reasoning_content, partial_json) are accumulated and flushed correctly
  • Anthropic and OpenAI delta formats both supported (index.ts:169-174)

3. Security ✅

Token Handling:

  • token-vault.ts:45-53 - Uses structuredClone for safe deep copies (addresses prior review concerns)
  • TTL-based pruning prevents stale token accumulation
  • Tokens use SHA-256 hash (6 chars) — not reversible without vault access

Auth:

  • HUSH_AUTH_TOKEN checked against both raw and Bearer prefixed values (index.ts:46)
  • Localhost-only binding by default (127.0.0.1)
  • Health endpoint bypasses auth as expected
  • DEBUG mode vault size exposure is opt-in

No PII Leaks Found:

  • Hook output only contains redacted tokens, never original values
  • Tokens map stays local to vault; not logged or exposed via API

4. Reliability ✅

Error Handling:

  • index.ts:160-163 - Catches fetch errors, returns 502 with generic message
  • index.ts:112-116 - Upstream non-2xx responses are proxied with original status/body
  • redact-hook.ts:178-184 - Invalid JSON exits with code 2 (per Claude Code hooks spec)
  • AbortSignal timeout (30s) prevents hanging requests

Backward Compatibility:

  • redact-hook.ts:203-204 - Falls back to PostToolUse built-in when hook_event_name is absent
  • init.ts:67-85 - mergeHookEntries() prevents duplicate hook entries on re-runs

Suggestions (Non-blocking)

  1. Pattern testing for JSON edge cases: Consider adding a test for redaction within JSON string values that contain escaped characters (e.g., {"note": "email: \"test@foo.com\""})

  2. Streaming rehydrator edge case: If a stream ends mid-token (connection drop), the partial token stays in buffer indefinitely. Consider adding a flush() method or timeout-based flush for the rehydrator.

  3. Cloud key pattern maintenance: The list is comprehensive but will need updates as providers change key formats. Consider a comment linking to sources (gitleaks, trufflehog) for maintainers.


Verdict

Approved — Well-structured implementation with solid test coverage. The dual PreToolUse/PostToolUse architecture correctly handles the MCP tool lifecycle.

Reviewed SHA: a896eb7
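
Added example (not part of either review comment and not the project's `createStreamingRehydrator()`): a simplified sketch of the holdback behaviour both reviews describe, including the `flush()` proposed in suggestion 2 for streams that end mid-token. It works on plain text chunks rather than SSE JSON, and the token shape `[LABEL_hash6]`, the names `createRehydrator`, `push` and `flush`, and the sample vault entry are assumptions.

```typescript
// Assumed token shape for this sketch: [LABEL_hash6], e.g. [EMAIL_a1b2c3].
const MAX_BUFFER_SIZE = 1024 * 1024; // 1MB cap on held-back text, as described in the review
// An unclosed "[" followed by an uppercase letter and token characters up to the end of the buffer.
const PARTIAL_TOKEN = /\[[A-Z][A-Za-z0-9_]*$/;

interface Rehydrator {
  push(chunk: string): string; // returns text that is safe to forward now
  flush(): string;             // call when the stream ends or the connection drops
}

function createRehydrator(vault: Map<string, string>): Rehydrator {
  let held = ""; // possible token prefix carried over to the next chunk

  // split/join replacement, so token text is never interpreted as a regex.
  const rehydrate = (text: string): string => {
    let out = text;
    vault.forEach((original, token) => { out = out.split(token).join(original); });
    return out;
  };

  return {
    push(chunk: string): string {
      const buf = held + chunk;
      let cut = buf.length;
      const m = PARTIAL_TOKEN.exec(buf);
      if (m) cut = m.index;                            // "[EMA" may still become a token
      else if (buf.endsWith("[")) cut = buf.length - 1; // lone "[": token or JSON array, undecided
      if (buf.length - cut > MAX_BUFFER_SIZE) cut = buf.length; // cap reached: release everything
      held = buf.slice(cut);
      return rehydrate(buf.slice(0, cut));
    },
    flush(): string {
      const rest = held; // a partial token is only a placeholder fragment, never an original value
      held = "";
      return rehydrate(rest);
    },
  };
}

// Constructed vault entry and chunk boundary for demonstration.
const demoVault = new Map<string, string>([["[EMAIL_a1b2c3]", "alice@example.com"]]);
const demo = createRehydrator(demoVault);
console.log(demo.push("Contact [EMA") + demo.push("IL_a1b2c3] now") + demo.flush());
```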

Add bidirectional PII redaction for two new AI coding clients:

- OpenCode plugin: redact PII in tool args (before) and tool outputs (after)
  for both built-in tools and MCP content blocks via in-place mutation
- Gemini CLI hooks: add BeforeTool/AfterTool event dispatch in redact-hook
  with Gemini-specific response format (deny/reason instead of block)
- Init command: add --gemini flag to write .gemini/settings.json with
  BeforeTool/AfterTool hook configuration
- Refactor redact-hook.ts to extract shared helpers, reducing duplication
  between Claude Code and Gemini event handlers

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@byapparov merged commit 0a64002 into master Mar 3, 2026
8 checks passed
@byapparov deleted the chore/release-0.1.8 branch March 3, 2026 10:25