release: v0.1.13 — lifecycle hooks + security hardening#4
Merged
Merged
release: v0.1.13 — lifecycle hooks + security hardening#4
Conversation
Lifecycle hooks feature with security hardening from code review. Security: - Hooks run with a redacted environment (no ORBCODE_TOKEN/API_KEY or credential-pattern vars); prevents API token exfiltration - ORBCODE_TRUST_PROJECT_HOOKS=1 only honored in non-TTY (CI) mode; strict '1' value only - Hook-injected context wrapped in <hook_context> tags + system prompt treats contents as untrusted (prompt-injection defense) - PreToolUse updatedInput rewrites now emit a visible system message - Matcher regexes auto-anchored so 'execute_command' no longer matches 'execute_command_extra' Performance: - Default hook timeout 60s -> 10s - additionalContext capped at ~8 KB - Timeout/endAndExit timers unref'd Bugs: - pendingStartContext consumed in /compact; reset in Agent.clear() - PostToolUse stopAll emits a system message - Notification hooks tracked and awaited on endSession (no leaked children) - endAndExit guarded against double-invocation - /logout clears pending hook-trust state - HookTrustPrompt documents Enter = keep disabled Tests: 41 checks across test-hooks, test-hook-env, test-hook-trust, test-hook-integration (env redaction, auto-anchoring, SIGKILL escalation, context cap, strict trust value, PreToolUse ask/allow + updatedInput).
Contributor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release v0.1.13
Lifecycle hooks feature (Claude-Code-compatible) plus security hardening from the four-expert code review.
Security
ORBCODE_TOKEN,ORBCODE_API_KEY,ORBCODE_CONFIG_DIR,ORBCODE_BACKEND_URL,ORBCODE_APP_URL, and any variable matching a credential pattern (*TOKEN*,*KEY*,*SECRET*,*PASSWORD*,*CREDENTIAL*,*PRIVATE_KEY*) is stripped. Non-credential vars (PATH,HOME,ORBCODE_PROJECT_DIR, …) preserved.ORBCODE_TRUST_PROJECT_HOOKS=1only honored when stdin is not a TTY — a strayexportin a shell rc can no longer disable the project-hook trust gate interactively. Strict"1"value only (not"true").additionalContextis wrapped in<hook_context>tags and capped at ~8 KB; the system prompt tells the model to treat the contents as untrusted (prompt-injection defense).PreToolUsehook rewriting tool input viaupdatedInputemits a visible system message."execute_command"matches exactly that tool name, not"execute_command_extra".Performance
additionalContextcapped at ~8 KB.endAndExittimers.unref()'d.Bugs
pendingStartContextconsumed in/compact; reset inAgent.clear().stopAllemits a system message before aborting.endSession— no leaked child processes.endAndExitguarded against double-invocation (Ctrl+D spam)./logoutclears pending hook-trust state and deferred prompt.HookTrustPromptdocuments Enter = keep disabled.Tests
41 checks across
test-hooks.mjs,test-hook-env.mjs,test-hook-trust.mjs,test-hook-integration.mjs:ORBCODE_TRUST_PROJECT_HOOKSvalueask/allow+updatedInputinteractionsVerification
tsc --noEmit: cleannpm run build: cleanDocs
docs/HOOKS.md: env redaction policy, 10s default, auto-anchored matchers, non-TTY restriction, hook_context sandboxing, rewrite logging.README.md: 10s default, auto-anchoring, redacted-env + hook_context summary.CHANGELOG.md: [0.1.13] entry.Merge to
mainand tagv0.1.13to trigger the npm publish workflow.