
fix: harden hook telemetry handling for secrets and unsafe inputs #351

Open
tsubasakong wants to merge 1 commit into affaan-m:main from tsubasakong:fix/347-security-hardening-hooks

Conversation

@tsubasakong tsubasakong (Contributor) commented Mar 7, 2026

Description

  • redact common secret/token patterns before writing observation payloads in skills/continuous-learning-v2/hooks/observe.sh
  • add 30-day auto-purge for archived observation logs
  • sanitize HTTPS git remotes before project hashing and registry persistence in skills/continuous-learning-v2/scripts/detect-project.sh
  • restrict runCommand in scripts/lib/utils.js to a safe command-prefix allowlist (git, node, npx, which, where)
  • sanitize CLAUDE_SESSION_ID before using it in scripts/hooks/suggest-compact.js temp counter filenames
  • add tests covering runCommand allowlist behavior and session-id sanitization

Validation:

  • bash -n skills/continuous-learning-v2/hooks/observe.sh
  • bash -n skills/continuous-learning-v2/scripts/detect-project.sh
  • node tests/hooks/suggest-compact.test.js
  • node tests/lib/utils.test.js

Closes #347

Type of Change

  • fix: Bug fix
  • feat: New feature
  • refactor: Code refactoring
  • docs: Documentation
  • test: Tests
  • chore: Maintenance/tooling
  • ci: CI/CD changes

Checklist

  • Tests pass locally (node tests/run-all.js)
  • Validation scripts pass
  • Follows conventional commits format
  • Updated relevant documentation

@coderabbitai coderabbitai bot (Contributor) commented Mar 7, 2026

📝 Walkthrough

This pull request implements security hardening across multiple scripts: sanitizes session IDs in file paths, adds command prefix allowlist validation, scrubs sensitive data (API keys, tokens, passwords) from observation logs with retention purging, and strips embedded credentials from Git remote URLs. Includes test coverage for each security improvement.

Changes

Cohort (files): summary

  • Session ID Sanitization (scripts/hooks/suggest-compact.js, tests/hooks/suggest-compact.test.js): Sanitizes CLAUDE_SESSION_ID by stripping non-alphanumeric characters (except _ and -) to prevent path injection. Applies sanitization to counter file naming with fallback to 'default'.
  • Command Input Validation (scripts/lib/utils.js, tests/lib/utils.test.js): Adds strict allowlist validation for command prefixes (git, node, npx, which, where) in runCommand, rejecting non-allowlisted commands with a structured error. Includes a test for blocked command rejection.
  • Observation Data Scrubbing & Retention (skills/continuous-learning-v2/hooks/observe.sh): Scrubs sensitive fields (Authorization headers, API keys, tokens, passwords, GitHub tokens, SK API keys) from observations before logging and storage. Adds an archival directory with a configurable retention window and auto-purge of files older than OBSERVATION_RETENTION_DAYS.
  • Git Credential Stripping (skills/continuous-learning-v2/scripts/detect-project.sh): Sanitizes Git remote URLs by removing embedded credentials (username portion in HTTPS URLs). Applies sanitization when computing the project hash and updating the project registry for consistency and privacy.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • affaan-m/everything-claude-code#31 — Introduces the same session ID sanitization and command prefix allowlist logic that this PR builds upon or modifies.
  • affaan-m/everything-claude-code#41 — Removes legacy suggest-compact.sh implementation that handled per-session counter behavior now managed by the sanitized suggest-compact.js in this PR.

Suggested reviewers

  • affaan-m

Poem

🐰 A rabbit hops through scripts so bright,
Sanitizing secrets, holding them tight!
No tokens leak, no paths askew,
Just clean observations, fresh and new! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 44.44%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately summarizes the main objective: hardening hook telemetry by handling secrets and unsafe inputs, which aligns with all primary changes across the codebase.
  • Linked Issues check: ✅ Passed. All four coding-related security objectives from #347 are addressed: secret scrubbing in observations [observe.sh], git credential stripping [detect-project.sh], runCommand allowlisting [utils.js], and CLAUDE_SESSION_ID sanitization [suggest-compact.js].
  • Out of Scope Changes check: ✅ Passed. All changes are directly aligned with the four security hardening objectives from #347; no unrelated modifications detected across the modified files.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.


@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 6 files

scripts/lib/utils.js:342

P1: The prefix-only allowlist doesn't prevent shell injection *after* the allowed command name. Because `execSync` runs through a shell, metacharacters like `;`, `&&`, `|`, or `$()` after `git`/`node`/etc. can execute arbitrary commands. Consider also rejecting shell metacharacters in the command string, e.g.:

```js
if (/[;|&`$(){}]/.test(command)) {
  return { success: false, output: 'Command contains disallowed characters' };
}
```

Alternatively, switch to spawnSync with a parsed argument array to avoid shell interpretation entirely.

```js
 */
function runCommand(cmd, options = {}) {
  const command = typeof cmd === 'string' ? cmd.trim() : '';
  const allowlistRegex = /^(git|node|npx|which|where)(\s|$)/;
```

@cubic-dev-ai cubic-dev-ai bot Mar 7, 2026

P1: The prefix-only allowlist doesn't prevent shell injection after the allowed command name. Because execSync runs through a shell, metacharacters like ;, &&, |, or $() after git/node/etc. can execute arbitrary commands. Consider also rejecting shell metacharacters in the command string, e.g.:

```js
if (/[;|&`$(){}]/.test(command)) {
  return { success: false, output: 'Command contains disallowed characters' };
}
```

Alternatively, switch to spawnSync with a parsed argument array to avoid shell interpretation entirely.


@coderabbitai coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
scripts/lib/utils.js (1)

341-353: ⚠️ Potential issue | 🟠 Major

The allowlist is bypassable via shell chaining and error messages leak sensitive data.

The regex checks only the prefix; execSync(command) interprets shell metacharacters by default, so git status && <anything> or git status; <anything> still executes the trailing payload. The error response also echoes the full blocked command, potentially exposing embedded credentials or tokens in logs.

Use execFileSync() or spawnSync() with shell: false to avoid shell interpretation, or strictly reject shell metacharacters and return a generic error message without echoing the command.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@scripts/lib/utils.js` around lines 341 - 353, The current check uses
allowlistRegex on the raw command and then calls execSync(command), which allows
shell metacharacters to execute chained payloads and also returns error messages
that echo the full command; update the logic around the command variable and
allowlistRegex so you either (a) reject any shell metacharacters (e.g.,
characters like &, ;, |, $, `, >, <) before executing, or preferably (b) switch
to using execFileSync or spawnSync with shell: false and pass the executable and
args separately (split by whitespace after validating the executable against
allowlistRegex) to prevent shell interpretation; also change the error return to
a generic message that does not include the full command (e.g., "Command not
allowed" or "Execution failed") to avoid leaking sensitive data.
🧹 Nitpick comments (2)
tests/hooks/suggest-compact.test.js (1)

53-59: Avoid reimplementing the sanitizer inside the test.

Because getCounterFilePath() now uses the same sanitizeSessionId() logic as production, this test will still pass if both sides regress the same way. Prefer asserting an explicit expected basename for the unsafe sample (for example, claude-tool-count-badsession) so the test fails if the sanitizer becomes too permissive or strips the wrong characters.

Also applies to: 373-389

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/hooks/suggest-compact.test.js` around lines 53 - 59, The test currently
duplicates the production sanitizer by calling
sanitizeSessionId/getCounterFilePath, which masks regressions; change the
assertions to check for an explicit expected basename for the unsafe sample
(e.g., assert that getCounterFilePath('bad/session?') endsWith
'/claude-tool-count-badsession' or similar) rather than relying on the
sanitizer's output, and update the other occurrences noted (lines around the
second instance) to assert explicit basenames for their unsafe inputs so the
test will fail if the sanitizer becomes too permissive or strips the wrong
characters.
skills/continuous-learning-v2/hooks/observe.sh (1)

152-156: Don't make retention and archiving failures invisible.

Both the purge and the archive move are fully silent right now. If either starts failing, old observation files will accumulate or active logs won't rotate, and there is no signal anywhere that the retention policy stopped working. A lightweight warning to the homunculus log would keep the hook non-blocking while making the feature diagnosable.

Also applies to: 162-162

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@skills/continuous-learning-v2/hooks/observe.sh` around lines 152 - 156, The
retention purge and archive move are currently silent; add lightweight
non-blocking warnings when operations fail by checking exit codes and logging a
message including the relevant variables. Specifically, after mkdir -p
"$OBSERVATIONS_ARCHIVE_DIR" verify its success and log a warning if it failed;
after the find ... -delete command check its exit status and emit a warning that
includes "$OBSERVATIONS_ARCHIVE_DIR" and "$OBSERVATION_RETENTION_DAYS" if
non-zero; and apply the same pattern to the archive mv/rename operation
referenced around the other block (check mv/rename exit code and log a warning
mentioning the source, destination and "$OBSERVATIONS_ARCHIVE_DIR"). Use the
existing homunculus logging mechanism (or echo to stderr / logger) so the hook
remains non-blocking but failures are visible for diagnosis.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f6078bd4-2d44-4d11-b00c-1788468fd2af

📥 Commits

Reviewing files that changed from the base of the PR and between 03b3e0d and 9eda5ca.

📒 Files selected for processing (6)
  • scripts/hooks/suggest-compact.js
  • scripts/lib/utils.js
  • skills/continuous-learning-v2/hooks/observe.sh
  • skills/continuous-learning-v2/scripts/detect-project.sh
  • tests/hooks/suggest-compact.test.js
  • tests/lib/utils.test.js

Comment on lines +138 to +145

```python
patterns = [
    (re.compile(r'(?i)(authorization\s*[:=]\s*(?:bearer\s+)?)[^\s,}]+'), r'\1[REDACTED]'),
    (re.compile(r'(?i)((?:api[_-]?key|token|password|secret|passwd|client[_-]?secret)\s*[:=]\s*)[^\s,}]+'), r'\1[REDACTED]'),
    (re.compile(r'\bgh[pousr]_[A-Za-z0-9]{20,}\b'), '[REDACTED_GITHUB_TOKEN]'),
    (re.compile(r'\bsk-[A-Za-z0-9]{20,}\b'), '[REDACTED_API_KEY]')
]
for regex, replacement in patterns:
    raw = regex.sub(replacement, raw)
```
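Review bot: the two token patterns on lines 141-142 stop short of formats that are common in practice: `\bsk-[A-Za-z0-9]{20,}\b` never matches a key whose body contains `-` or `_` (the `sk-proj-...` style), and `gh[pousr]_` does not cover the `github_pat_` fine-grained token prefix. Widening the class to `[A-Za-z0-9_-]` and adding a `github_pat_[A-Za-z0-9_]{20,}` pattern closes both gaps. Separately, the key/value patterns on lines 139-140 require the separator to follow the key name directly, so a JSON-quoted key such as `"api_key": "..."` never matches; redacting by key on the parsed object before json.dumps is the robust fix, with the regex pass kept for free-form strings.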

⚠️ Potential issue | 🔴 Critical

The scrubber misses the JSON form this hook actually writes.

When tool_input or tool_output is an object, this script serializes it with json.dumps(...) first, so the common shape here is "Authorization": "Bearer ...", "api_key": "...", etc. These regexes only match unquoted authorization: / api_key= forms, so structured tool payloads will still be persisted to observations.jsonl unredacted. Redact known secret keys on the parsed object before serializing, or extend the patterns to handle quoted JSON keys and quoted values.

Also applies to: 177-189

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@skills/continuous-learning-v2/hooks/observe.sh` around lines 138 - 145, The
scrubber currently only applies regexes to unquoted text (patterns list applied
in the for loop to raw) so JSON-serialized tool_input/tool_output like
"Authorization": "Bearer ..." or "api_key": "..." remains unredacted; update the
hook to either (1) detect when tool_input/tool_output are dict/objects and
redact known secret keys (e.g., "authorization", "api_key", "token", "password",
"secret", "client_secret", "ghp_", "sk-") on the parsed object before calling
json.dumps, or (2) extend the existing regex patterns to also match quoted JSON
keys and quoted values (e.g., include patterns that match
"\"authorization\"\s*:\s*\"[^\"]+\"" and similar) and apply those augmented
patterns to raw; apply the same change to the other scrubber block referenced
around lines 177-189 so all serialized JSON observations are redacted
consistently.
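The scrubber under review is Python embedded in observe.sh; the block below is an added example, not the hook's or the project's code, that carries the comment's fix over to JavaScript so it runs alongside the other examples on this page: known secret keys are redacted on the parsed object before serialisation, and a regex pass still runs over leaf strings for the unquoted `token=...` and `Authorization: Bearer ...` forms. SECRET_KEYS, STRING_PATTERNS, redactPayload and the sample observation are constructed assumptions; the pattern list mirrors the four patterns on lines 138-145 but widens the sk- body to allow `-` and `_` and stops values at a closing quote.

```javascript
// Added example (not the hook's code): structural + textual secret redaction
// for a tool observation. Assumed names: SECRET_KEYS, STRING_PATTERNS,
// redactString, redactPayload, SAMPLE_OBSERVATION.

// Keys whose value is always redacted, whatever it contains.
const SECRET_KEYS = /^(authorization|api[_-]?key|token|password|passwd|secret|client[_-]?secret)$/i;

// (regex, replacement) pairs applied to every leaf string. Same shape as the
// hook's list; the value class also stops at '"' so a quoted value is cut
// cleanly, and the sk- body accepts '-' and '_'.
const STRING_PATTERNS = [
  [/(authorization\s*[:=]\s*(?:bearer\s+)?)[^\s,}"]+/gi, '$1[REDACTED]'],
  [/((?:api[_-]?key|token|password|secret|passwd|client[_-]?secret)\s*[:=]\s*)[^\s,}"]+/gi, '$1[REDACTED]'],
  [/\bgh[pousr]_[A-Za-z0-9]{20,}\b/g, '[REDACTED_GITHUB_TOKEN]'],
  [/\bsk-[A-Za-z0-9_-]{20,}\b/g, '[REDACTED_API_KEY]'],
];

function redactString(s) {
  return STRING_PATTERNS.reduce((acc, [re, repl]) => acc.replace(re, repl), s);
}

// Walk objects and arrays. A key match wins outright; otherwise recurse and
// scan leaf strings. The depth guard stops pathological nesting from recursing
// without bound.
function redactPayload(value, depth = 0) {
  if (depth > 32) return '[REDACTED_DEPTH]';
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redactPayload(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_KEYS.test(k) ? '[REDACTED]' : redactPayload(v, depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null pass through
}

// Constructed sample: what the hook sees after parsing the tool event. The
// token values are made up and not real credentials.
const SAMPLE_OBSERVATION = {
  tool_name: 'Bash',
  tool_input: {
    command: 'curl -H "Authorization: Bearer abc123TOKEN" https://api.example.invalid',
    headers: { Authorization: 'Bearer abc123TOKEN', 'X-Trace': 'keep-me' },
  },
  tool_output: 'found ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 in env',
};

// What the hook would append to observations.jsonl after redaction.
function redactedSampleJson() {
  return JSON.stringify(redactPayload(SAMPLE_OBSERVATION));
}

module.exports = { SECRET_KEYS, STRING_PATTERNS, redactString, redactPayload, SAMPLE_OBSERVATION, redactedSampleJson };
```

Redact on the object first and serialise second; running the regexes over the serialised JSON afterwards is what leaves the quoted `"api_key": "..."` shape untouched, which is the bug the comment describes.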

Comment on lines +79 to 83

```bash
local sanitized_remote_url=""
sanitized_remote_url=$(_clv2_sanitize_remote_url "$remote_url")

local hash_input="${sanitized_remote_url:-$project_root}"
# Use SHA256 via python3 (portable across macOS/Linux, no shasum/sha256sum divergence)
```
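Review bot: the `${sanitized_remote_url:-$project_root}` fallback on line 82 silently switches to a path-based id whenever `_clv2_sanitize_remote_url` returns an empty string, so a remote the sanitizer rejects (or a regression in the sanitizer) changes the project_id with no signal in the logs; either only fall back when `remote_url` itself was empty or log when the fallback is taken. The separate `local` declaration and assignment on lines 79-80 is the right shape, since a combined `local x=$(...)` would mask the function's exit status.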

⚠️ Potential issue | 🟠 Major

Keep project_id hashing consistent with the Python path.

These lines now hash the sanitized remote URL, but skills/continuous-learning-v2/scripts/instinct-cli.py:138-160 still hashes the raw remote_url and skills/continuous-learning-v2/scripts/instinct-cli.py:170-190 writes registry entries under that raw-hash-derived ID. That splits one repo into two project IDs depending on whether the Bash hook or the Python CLI touched it, and it also strands existing state created from the old raw hash. Update both paths together or add a migration before changing the hash source here.

Also applies to: 107-108

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@skills/continuous-learning-v2/scripts/detect-project.sh` around lines 79 -
83, The change makes detect-project.sh compute hash_input from
sanitized_remote_url (via _clv2_sanitize_remote_url) but instinct-cli.py still
hashes the raw remote_url and writes registry entries under that raw-derived
project_id, causing split IDs; fix by making both sides consistent: either
revert detect-project.sh to use the raw remote_url for hash_input, or
(preferable) update instinct-cli.py hashing to sanitize the remote_url with the
same logic used in _clv2_sanitize_remote_url before computing project_id and
when writing registry entries (see the project_id/hash routine in
instinct-cli.py around the project hashing and registry write code), and add a
one-time migration that maps existing raw-hash registry entries to the new
sanitized-hash IDs to avoid stranded state.

@jtzingsheim1 (Contributor) commented

Hey @tsubasakong — heads up that PR #348 was merged earlier today and addresses the same issue (#347) with the same set of fixes (secret scrubbing in observe.sh, credential stripping in detect-project.sh, runCommand allowlist in utils.js, and session ID sanitization in suggest-compact.js).

This PR will likely have significant merge conflicts with the code that's now in main. You may want to close this one to avoid duplicate work. Thanks for jumping on it though!

@affaan-m affaan-m (Owner) left a comment

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.

Copy link
Owner

@affaan-m affaan-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: this PR has merge conflicts. Please rebase or resolve.


Development

Successfully merging this pull request may close these issues.

Security hardening: secret scrubbing, credential stripping, and input validation in hooks

3 participants