Merge remote-tracking branch 'origin/main' into garrytan/gbrain-fix-wave

2026-06-20 16:50:08 +02:00 · 2026-05-30 11:43:33 -07:00
parent b0e14728b6 9562ad4e70
commit f32e1dd538
46 changed files with 4242 additions and 129 deletions
@@ -56,8 +56,23 @@ if [ ! -e "$AGENTS_LINK" ]; then
  ln -s "$REPO_ROOT" "$AGENTS_LINK"
 fi

-# 6. Run setup via the symlink so it detects .claude/skills/ as its parent
-"$GSTACK_LINK/setup"
+# 6. Run setup via the symlink so it detects .claude/skills/ as its parent.
+#
+# Workspace/dev setup MUST be non-interactive: Conductor runs this under a
+# forwarded pty, so any `read` in setup (skill-prefix prompt, plan-tune hook
+# consent) would hang the workspace forever. Detaching stdin makes every setup
+# prompt take its smart non-interactive default (flat skill names, etc.).
+#
+# `--plan-tune-hooks=prompt` is load-bearing, not redundant: stdin alone only
+# suppresses the *prompt* branch. A saved `plan_tune_hooks: yes` or an exported
+# GSTACK_PLAN_TUNE_HOOKS=yes would still resolve to "install" and rewrite the
+# user's global ~/.claude/settings.json to point at THIS ephemeral worktree —
+# which breaks once the workspace is deleted. The flag has highest precedence,
+# so it pins resolution to "prompt", and closed stdin then makes prompt-mode a
+# no-op skip (no install, no decline marker). A dev workspace must never mutate
+# global settings.json. To install the hooks, run `./setup --plan-tune-hooks`
+# directly (outside dev-setup). Saved prefix/other config preferences still apply.
+"$GSTACK_LINK/setup" --plan-tune-hooks=prompt </dev/null

 echo ""
 echo "Dev mode active. Skills resolve from this working tree."
@@ -75,6 +75,16 @@ CONFIG_HEADER='# gstack configuration — edit freely, changes take effect on ne
 #                           # Set to true once the privacy gate has asked the user.
 #                           # Flip back to false to be re-prompted.
 #
+# ─── Plan-tune hooks ─────────────────────────────────────────────────
+# plan_tune_hooks: prompt   # Controls whether ./setup installs the plan-tune
+#                           #   Claude Code hooks (PostToolUse capture +
+#                           #   PreToolUse preference enforcement).
+#                           #   prompt — ask on a real TTY, skip otherwise (default)
+#                           #   yes    — install non-interactively
+#                           #   no     — skip non-interactively
+#                           # Override per-run: ./setup --plan-tune-hooks /
+#                           #   --no-plan-tune-hooks, or env GSTACK_PLAN_TUNE_HOOKS.
+#
 # ─── Advanced ────────────────────────────────────────────────────────
 # codex_reviews: enabled    # disabled = skip Codex adversarial reviews in /ship
 # gstack_contributor: false # true = file field reports when gstack misbehaves
@@ -110,6 +120,10 @@ lookup_default() {
    cross_project_learnings) echo "" ;; # intentionally empty → unset triggers first-time prompt
    artifacts_sync_mode) echo "off" ;;
    artifacts_sync_mode_prompted) echo "false" ;;
+    plan_tune_hooks) echo "prompt" ;; # prompt | yes | no — controls ./setup plan-tune hook install
+
+    redact_repo_visibility) echo "" ;; # empty → fall through to gh/glab detection
+    redact_prepush_hook) echo "false" ;;
    # Brain-aware planning (v1.48 / T5+T10+T16). Defaults documented inline:
    #   brain_trust_policy@<hash>  — unset on fresh install; setup-gbrain
    #                                writes 'personal' for local engines,
@@ -273,6 +287,21 @@ case "${1:-}" in
      echo "Warning: artifacts_sync_mode '$VALUE' not recognized. Valid values: off, artifacts-only, full. Using off." >&2
      VALUE="off"
    fi
+    # redact_repo_visibility: a LOCAL override for repos gh/glab can't read (e.g.
+    # self-hosted GitLab). It lives in ~/.gstack/config.yaml (never committed), so
+    # it can't be used to weaken the gate repo-wide for other contributors.
+    if [ "$KEY" = "redact_repo_visibility" ] && [ "$VALUE" != "public" ] && [ "$VALUE" != "private" ] && [ "$VALUE" != "unknown" ]; then
+      echo "Warning: redact_repo_visibility '$VALUE' not recognized. Valid values: public, private, unknown. Using unknown." >&2
+      VALUE="unknown"
+    fi
+    if [ "$KEY" = "redact_prepush_hook" ] && [ "$VALUE" != "true" ] && [ "$VALUE" != "false" ]; then
+      echo "Warning: redact_prepush_hook '$VALUE' not recognized. Valid values: true, false. Using false." >&2
+      VALUE="false"
+    fi
+    if [ "$KEY" = "plan_tune_hooks" ] && [ "$VALUE" != "prompt" ] && [ "$VALUE" != "yes" ] && [ "$VALUE" != "no" ]; then
+      echo "Warning: plan_tune_hooks '$VALUE' not recognized. Valid values: prompt, yes, no. Using prompt." >&2
+      VALUE="prompt"
+    fi
    mkdir -p "$STATE_DIR"
    # Write annotated header on first creation
    if [ ! -f "$CONFIG_FILE" ]; then
@@ -302,7 +331,7 @@ case "${1:-}" in
    for KEY in proactive routing_declined telemetry auto_upgrade update_check \
               skill_prefix checkpoint_mode checkpoint_push explain_level \
               codex_reviews gstack_contributor skip_eng_review workspace_root \
-               artifacts_sync_mode artifacts_sync_mode_prompted; do
+               artifacts_sync_mode artifacts_sync_mode_prompted plan_tune_hooks; do
      VALUE=$(grep -E "^${KEY}:" "$CONFIG_FILE" 2>/dev/null | tail -1 | awk '{print $2}' | tr -d '[:space:]' || true)
      SOURCE="default"
      if [ -n "$VALUE" ]; then
@@ -318,7 +347,7 @@ case "${1:-}" in
    for KEY in proactive routing_declined telemetry auto_upgrade update_check \
               skill_prefix checkpoint_mode checkpoint_push explain_level \
               codex_reviews gstack_contributor skip_eng_review workspace_root \
-               artifacts_sync_mode artifacts_sync_mode_prompted; do
+               artifacts_sync_mode artifacts_sync_mode_prompted plan_tune_hooks; do
      printf '  %-24s %s\n' "$KEY:" "$(lookup_default "$KEY")"
    done
    ;;
@@ -0,0 +1,228 @@
+#!/usr/bin/env bun
+/**
+ * gstack-redact — scan text for secrets/PII/legal content via the shared engine.
+ *
+ * Skill-facing CLI over lib/redact-engine.ts. Reads from stdin (default) or
+ * --from-file, scans, and prints findings as JSON (--json) or a human table.
+ *
+ * Exit codes (consumed by skill bash to gate dispatch/file/edit/commit):
+ *   0  clean (no HIGH, no MEDIUM)
+ *   2  MEDIUM present (no HIGH) — skill runs the per-finding AskUserQuestion
+ *   3  HIGH present            — skill blocks
+ *
+ * WARN findings (tool-fence-degraded credentials) never change the exit code.
+ *
+ * Flags:
+ *   --json                       Emit JSON {findings, counts, repoVisibility, oversize}
+ *   --repo-visibility V          public | private | unknown (default unknown=public-strict wording)
+ *   --from-file PATH             Read input from PATH instead of stdin
+ *   --allowlist PATH             Newline-delimited exact spans to suppress
+ *   --self-email EMAIL           Suppress this email (the invoking user's own)
+ *   --repo-public-emails PATH    Newline-delimited repo-public emails to suppress
+ *   --auto-redact IDS            Comma-separated finding ids to auto-redact;
+ *                                prints the redacted body to stdout + diff to stderr.
+ *   --max-bytes N                Override the fail-closed size cap (default 1 MiB).
+ *
+ * Security note: this is a GUARDRAIL, not airtight enforcement. A determined
+ * user can always bypass it (direct gh/git). It catches accidents.
+ */
+import * as fs from "fs";
+import * as path from "path";
+import { spawnSync } from "child_process";
+import {
+  scan,
+  applyRedactions,
+  exitCodeFor,
+  type RepoVisibility,
+  type ScanOptions,
+  type Finding,
+} from "../lib/redact-engine";
+
+const MAX_STDIN_BYTES = 16 * 1024 * 1024; // hard ceiling before the engine cap
+
+// ── pre-push hook install/uninstall (chains any existing hook) ────────────────
+
+const MANAGED_MARKER = "# gstack-redact pre-push (managed)";
+
+function hooksPath(): string {
+  const r = spawnSync("git", ["rev-parse", "--git-path", "hooks"], { encoding: "utf8" });
+  if (r.status !== 0) {
+    process.stderr.write("gstack-redact: not in a git repo\n");
+    process.exit(1);
+  }
+  return r.stdout.trim();
+}
+
+function installPrepushHook(): void {
+  const dir = hooksPath();
+  fs.mkdirSync(dir, { recursive: true });
+  const hookPath = path.join(dir, "pre-push");
+  const prepushBin = path.join(import.meta.dir, "gstack-redact-prepush");
+
+  // If a non-managed hook exists, preserve it as pre-push.local and chain it.
+  if (fs.existsSync(hookPath)) {
+    const existing = fs.readFileSync(hookPath, "utf8");
+    if (existing.includes(MANAGED_MARKER)) {
+      process.stdout.write("gstack-redact: pre-push hook already installed.\n");
+      return;
+    }
+    const localPath = path.join(dir, "pre-push.local");
+    fs.renameSync(hookPath, localPath);
+    fs.chmodSync(localPath, 0o755);
+    process.stdout.write("gstack-redact: preserved existing hook as pre-push.local (chained).\n");
+  }
+
+  // stdin is single-consume: capture it once, feed both the chained hook and ours.
+  const wrapper = `#!/usr/bin/env bash
+${MANAGED_MARKER}
+set -euo pipefail
+_input="$(cat)"
+_local="$(git rev-parse --git-path hooks/pre-push.local)"
+if [ -x "$_local" ]; then
+  printf '%s' "$_input" | "$_local" "$@" || exit $?
+fi
+printf '%s' "$_input" | bun "${prepushBin}" "$@"
+`;
+  fs.writeFileSync(hookPath, wrapper, { mode: 0o755 });
+  fs.chmodSync(hookPath, 0o755);
+  process.stdout.write(`gstack-redact: installed pre-push hook at ${hookPath}\n`);
+}
+
+function uninstallPrepushHook(): void {
+  const dir = hooksPath();
+  const hookPath = path.join(dir, "pre-push");
+  const localPath = path.join(dir, "pre-push.local");
+  if (!fs.existsSync(hookPath) || !fs.readFileSync(hookPath, "utf8").includes(MANAGED_MARKER)) {
+    process.stdout.write("gstack-redact: no managed pre-push hook to remove.\n");
+    return;
+  }
+  if (fs.existsSync(localPath)) {
+    fs.renameSync(localPath, hookPath); // restore the chained original
+    process.stdout.write("gstack-redact: removed managed hook, restored pre-push.local.\n");
+  } else {
+    fs.unlinkSync(hookPath);
+    process.stdout.write("gstack-redact: removed managed pre-push hook.\n");
+  }
+}
+
+function arg(name: string): string | undefined {
+  const i = process.argv.indexOf(name);
+  return i >= 0 ? process.argv[i + 1] : undefined;
+}
+function flag(name: string): boolean {
+  return process.argv.includes(name);
+}
+
+function readInput(): string {
+  const file = arg("--from-file");
+  if (file) {
+    const st = fs.statSync(file);
+    if (st.size > MAX_STDIN_BYTES) {
+      // Don't even read it — fail closed at the CLI boundary.
+      process.stderr.write(`gstack-redact: input file too large (${st.size} bytes)\n`);
+      process.exit(3);
+    }
+    return fs.readFileSync(file, "utf8");
+  }
+  // stdin
+  const chunks: Buffer[] = [];
+  let total = 0;
+  const fd = 0;
+  const buf = Buffer.alloc(65536);
+  while (true) {
+    let n = 0;
+    try {
+      n = fs.readSync(fd, buf, 0, buf.length, null);
+    } catch (e: any) {
+      if (e.code === "EAGAIN") continue;
+      if (e.code === "EOF") break;
+      throw e;
+    }
+    if (n === 0) break;
+    total += n;
+    if (total > MAX_STDIN_BYTES) {
+      process.stderr.write("gstack-redact: stdin too large\n");
+      process.exit(3);
+    }
+    chunks.push(Buffer.from(buf.subarray(0, n)));
+  }
+  return Buffer.concat(chunks).toString("utf8");
+}
+
+function readLines(path: string | undefined): string[] | undefined {
+  if (!path || !fs.existsSync(path)) return undefined;
+  return fs
+    .readFileSync(path, "utf8")
+    .split("\n")
+    .map((l) => l.trim())
+    .filter(Boolean);
+}
+
+function buildOpts(): ScanOptions {
+  const vis = (arg("--repo-visibility") as RepoVisibility) || "unknown";
+  const maxBytes = arg("--max-bytes");
+  return {
+    repoVisibility: ["public", "private", "unknown"].includes(vis) ? vis : "unknown",
+    allowlist: readLines(arg("--allowlist")),
+    selfEmail: arg("--self-email"),
+    repoPublicEmails: readLines(arg("--repo-public-emails")),
+    ...(maxBytes ? { maxBytes: parseInt(maxBytes, 10) } : {}),
+  };
+}
+
+function humanTable(findings: Finding[]): string {
+  if (!findings.length) return "  (no findings)";
+  const rows = findings.map(
+    (f) =>
+      `  ${f.severity.padEnd(6)} ${f.id.padEnd(24)} ${String(f.line).padStart(4)}:${String(
+        f.col,
+      ).padEnd(3)} ${f.preview}`,
+  );
+  return rows.join("\n");
+}
+
+function main() {
+  // Subcommands (positional, not flags).
+  const sub = process.argv[2];
+  if (sub === "install-prepush-hook") return installPrepushHook();
+  if (sub === "uninstall-prepush-hook") return uninstallPrepushHook();
+
+  const opts = buildOpts();
+  const input = readInput();
+
+  // Auto-redact mode: print redacted body to stdout, diff to stderr, exit 0.
+  const autoIds = arg("--auto-redact");
+  if (autoIds) {
+    const { body, diff, skipped } = applyRedactions(input, autoIds.split(","), opts);
+    process.stdout.write(body);
+    if (diff) process.stderr.write(diff + "\n");
+    if (skipped.length) {
+      process.stderr.write(
+        `\ngstack-redact: ${skipped.length} finding(s) could not be auto-redacted (structural) — edit manually:\n` +
+          skipped.map((f) => `  ${f.id} @ ${f.line}:${f.col}`).join("\n") +
+          "\n",
+      );
+    }
+    process.exit(0);
+  }
+
+  const result = scan(input, opts);
+  const code = exitCodeFor(result);
+
+  if (flag("--json")) {
+    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+  } else {
+    const vis = result.repoVisibility.toUpperCase();
+    process.stdout.write(`gstack-redact scan — repo ${vis}\n`);
+    if (result.oversize) {
+      process.stdout.write("  BLOCKED — input too large to scan safely (fail-closed)\n");
+    } else {
+      process.stdout.write(humanTable(result.findings) + "\n");
+      const { HIGH, MEDIUM, LOW, WARN } = result.counts;
+      process.stdout.write(`  HIGH=${HIGH} MEDIUM=${MEDIUM} LOW=${LOW} WARN=${WARN}\n`);
+    }
+  }
+  process.exit(code);
+}
+
+main();
@@ -0,0 +1,146 @@
+#!/usr/bin/env bun
+/**
+ * gstack-redact-prepush — git pre-push hook that scans the diff being pushed for
+ * HIGH-severity credentials and blocks the push on a hit.
+ *
+ * THIS IS A GUARDRAIL, NOT ENFORCEMENT. `git push --no-verify` bypasses it, as
+ * does `GSTACK_REDACT_PREPUSH=skip`. It catches accidental credential pushes,
+ * the most common real-world leak. It does NOT scan history, binary/LFS/submodule
+ * files, or non-added lines. History scanning is /cso's job.
+ *
+ * Git pre-push interface: refs are read from STDIN, one per line:
+ *   <local ref> <local sha> <remote ref> <remote sha>
+ * We scan the ADDED lines of <remote sha>..<local sha> per ref (what's being
+ * pushed). Special cases:
+ *   - remote sha all-zeroes  → new branch: diff against merge-base with the
+ *     remote's default branch (fallback: scan all commits unique to local ref).
+ *   - local sha all-zeroes   → branch delete: nothing to scan, skip.
+ *   - force-push             → remote..local still gives the net new content.
+ *
+ * Behavior:
+ *   - HIGH finding in added lines → print + exit 1 (block), for public AND private.
+ *   - MEDIUM → warn (non-blocking). LOW/WARN → silent.
+ *   - GSTACK_REDACT_PREPUSH=skip → log + exit 0 (escape valve).
+ *
+ * Installed/uninstalled via `gstack-redact install-prepush-hook` (see the
+ * gstack-redact CLI), which chains any pre-existing hook.
+ */
+import { spawnSync } from "child_process";
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import { scan, type Finding } from "../lib/redact-engine";
+
+const ZERO = /^0+$/;
+// The canonical empty-tree object; diffing against it yields all content as added.
+const EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904";
+
+function git(args: string[]): string {
+  const r = spawnSync("git", args, { encoding: "utf8", maxBuffer: 64 * 1024 * 1024 });
+  return r.status === 0 ? (r.stdout ?? "") : "";
+}
+
+function defaultRemoteBranch(): string {
+  // origin/HEAD → origin/main, fall back to main/master.
+  const sym = git(["symbolic-ref", "refs/remotes/origin/HEAD"]).trim();
+  if (sym) return sym.replace("refs/remotes/", "");
+  for (const b of ["origin/main", "origin/master"]) {
+    if (git(["rev-parse", "--verify", b]).trim()) return b;
+  }
+  return "origin/main";
+}
+
+/** Return the added-line text for a ref update being pushed. */
+function addedLinesFor(localSha: string, remoteSha: string): string {
+  let range: string;
+  if (ZERO.test(remoteSha)) {
+    // New branch: prefer what's unique to localSha vs the remote default branch.
+    // With no merge-base (e.g. no remote yet), diff against the empty tree so ALL
+    // branch content is scanned as added — fail-safe (scans more, never less).
+    const base = git(["merge-base", localSha, defaultRemoteBranch()]).trim();
+    range = base ? `${base}..${localSha}` : `${EMPTY_TREE}..${localSha}`;
+  } else {
+    // Existing branch (incl. force-push): net new content remote..local.
+    range = `${remoteSha}..${localSha}`;
+  }
+  // -U0: only changed lines; we keep lines starting with '+' (added), drop the
+  // +++ file header. Unified diff added lines start with a single '+'.
+  const diff = git(["diff", "--unified=0", "--no-color", range]);
+  const added: string[] = [];
+  for (const line of diff.split("\n")) {
+    if (line.startsWith("+") && !line.startsWith("+++")) {
+      added.push(line.slice(1));
+    }
+  }
+  return added.join("\n");
+}
+
+function logSkip(reason: string): void {
+  try {
+    const home = process.env.GSTACK_HOME || path.join(os.homedir(), ".gstack");
+    const dir = path.join(home, "security");
+    fs.mkdirSync(dir, { recursive: true });
+    fs.appendFileSync(
+      path.join(dir, "prepush-skip.jsonl"),
+      JSON.stringify({ ts: new Date().toISOString(), reason }) + "\n",
+    );
+  } catch {
+    // best-effort; never block a push because logging failed
+  }
+}
+
+function main() {
+  if ((process.env.GSTACK_REDACT_PREPUSH || "").toLowerCase() === "skip") {
+    logSkip(process.env.GSTACK_REDACT_PREPUSH_REASON || "env-skip");
+    process.stderr.write("gstack-redact-prepush: skipped via GSTACK_REDACT_PREPUSH=skip\n");
+    process.exit(0);
+  }
+
+  const stdin = fs.readFileSync(0, "utf8");
+  const refs = stdin
+    .split("\n")
+    .map((l) => l.trim())
+    .filter(Boolean)
+    .map((l) => l.split(/\s+/));
+
+  const allHigh: Finding[] = [];
+  let mediumCount = 0;
+
+  for (const [, localSha, , remoteSha] of refs) {
+    if (!localSha || ZERO.test(localSha)) continue; // branch delete → nothing pushed
+    const added = addedLinesFor(localSha, remoteSha || "0");
+    if (!added.trim()) continue;
+    // Visibility doesn't change HIGH behavior; pass private so nothing is treated
+    // as public-strict (HIGH blocks regardless either way).
+    const result = scan(added, { repoVisibility: "private" });
+    for (const f of result.findings) {
+      if (f.severity === "HIGH") allHigh.push(f);
+      else if (f.severity === "MEDIUM") mediumCount++;
+    }
+  }
+
+  if (mediumCount > 0) {
+    process.stderr.write(
+      `gstack-redact-prepush: ${mediumCount} MEDIUM finding(s) in pushed diff (PII/internal). ` +
+        "Not blocking. Review before this becomes public.\n",
+    );
+  }
+
+  if (allHigh.length > 0) {
+    process.stderr.write(
+      "\n⛔ gstack-redact-prepush BLOCKED the push — credential(s) in the pushed diff:\n\n",
+    );
+    for (const f of allHigh) {
+      process.stderr.write(`  HIGH  ${f.id}  ${f.preview}\n`);
+    }
+    process.stderr.write(
+      "\nRotate the credential (a pushed secret is compromised) and remove it from the diff.\n" +
+        "This is a guardrail: `git push --no-verify` or `GSTACK_REDACT_PREPUSH=skip git push` bypass it.\n",
+    );
+    process.exit(1);
+  }
+
+  process.exit(0);
+}
+
+main();