Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Appearance settings

release: v0.1.13 — lifecycle hooks + security hardening#4

Merged
code-crusher merged 2 commits into
mainMatterAIOrg/OrbCode:mainfrom
release/v0.1.13MatterAIOrg/OrbCode:release/v0.1.13Copy head branch name to clipboard
Jun 17, 2026
Merged

release: v0.1.13 — lifecycle hooks + security hardening#4
code-crusher merged 2 commits into
mainMatterAIOrg/OrbCode:mainfrom
release/v0.1.13MatterAIOrg/OrbCode:release/v0.1.13Copy head branch name to clipboard

Conversation

@code-crusher

Copy link
Copy Markdown
Member

Release v0.1.13

Lifecycle hooks feature (Claude-Code-compatible) plus security hardening from the four-expert code review.

Security

  • Hooks no longer receive OrbCode credentials. Hook commands run with a redacted environment: ORBCODE_TOKEN, ORBCODE_API_KEY, ORBCODE_CONFIG_DIR, ORBCODE_BACKEND_URL, ORBCODE_APP_URL, and any variable matching a credential pattern (*TOKEN*, *KEY*, *SECRET*, *PASSWORD*, *CREDENTIAL*, *PRIVATE_KEY*) is stripped. Non-credential vars (PATH, HOME, ORBCODE_PROJECT_DIR, …) preserved.
  • ORBCODE_TRUST_PROJECT_HOOKS=1 only honored when stdin is not a TTY — a stray export in a shell rc can no longer disable the project-hook trust gate interactively. Strict "1" value only (not "true").
  • Hook-injected context is sandboxedadditionalContext is wrapped in <hook_context> tags and capped at ~8 KB; the system prompt tells the model to treat the contents as untrusted (prompt-injection defense).
  • Tool-input rewrites are logged — a PreToolUse hook rewriting tool input via updatedInput emits a visible system message.
  • Matcher regexes auto-anchored"execute_command" matches exactly that tool name, not "execute_command_extra".

Performance

  • Default hook timeout 60s → 10s.
  • additionalContext capped at ~8 KB.
  • Timeout / endAndExit timers .unref()'d.

Bugs

  • pendingStartContext consumed in /compact; reset in Agent.clear().
  • PostToolUse stopAll emits a system message before aborting.
  • Notification hooks tracked and awaited (3s) on endSession — no leaked child processes.
  • endAndExit guarded against double-invocation (Ctrl+D spam).
  • /logout clears pending hook-trust state and deferred prompt.
  • HookTrustPrompt documents Enter = keep disabled.

Tests

41 checks across test-hooks.mjs, test-hook-env.mjs, test-hook-trust.mjs, test-hook-integration.mjs:

  • env redaction (OrbCode creds + credential patterns + non-credential preservation)
  • matcher auto-anchoring + alternation
  • SIGKILL escalation for SIGTERM-ignoring hooks
  • additionalContext cap
  • strict ORBCODE_TRUST_PROJECT_HOOKS value
  • PreToolUse ask/allow + updatedInput interactions

Verification

  • tsc --noEmit: clean
  • npm run build: clean
  • All 4 test suites pass

Docs

  • docs/HOOKS.md: env redaction policy, 10s default, auto-anchored matchers, non-TTY restriction, hook_context sandboxing, rewrite logging.
  • README.md: 10s default, auto-anchoring, redacted-env + hook_context summary.
  • CHANGELOG.md: [0.1.13] entry.

Merge to main and tag v0.1.13 to trigger the npm publish workflow.

Lifecycle hooks feature with security hardening from code review.

Security:
- Hooks run with a redacted environment (no ORBCODE_TOKEN/API_KEY or
  credential-pattern vars); prevents API token exfiltration
- ORBCODE_TRUST_PROJECT_HOOKS=1 only honored in non-TTY (CI) mode; strict
  '1' value only
- Hook-injected context wrapped in <hook_context> tags + system prompt
  treats contents as untrusted (prompt-injection defense)
- PreToolUse updatedInput rewrites now emit a visible system message
- Matcher regexes auto-anchored so 'execute_command' no longer matches
  'execute_command_extra'

Performance:
- Default hook timeout 60s -> 10s
- additionalContext capped at ~8 KB
- Timeout/endAndExit timers unref'd

Bugs:
- pendingStartContext consumed in /compact; reset in Agent.clear()
- PostToolUse stopAll emits a system message
- Notification hooks tracked and awaited on endSession (no leaked children)
- endAndExit guarded against double-invocation
- /logout clears pending hook-trust state
- HookTrustPrompt documents Enter = keep disabled

Tests: 41 checks across test-hooks, test-hook-env, test-hook-trust,
test-hook-integration (env redaction, auto-anchoring, SIGKILL escalation,
context cap, strict trust value, PreToolUse ask/allow + updatedInput).
@matterai-app

matterai-app Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Summary By MatterAI MatterAI logo

🔄 What Changed

Introduced a comprehensive lifecycle hook system (SessionStart, PreToolUse, PostToolUse, etc.) allowing arbitrary shell command execution at key agent stages. Added a security trust gate for project-level hooks and automated environment variable redaction to prevent credential leakage.

🔍 Impact of the Change

Enables deep customization of agent behavior via external scripts while maintaining a strong security posture through content-hashed trust verification and sandboxed execution environments.

📁 Total Files Changed

Click to Expand
File ChangeLog
Hook Engine src/core/hooks.ts Implements the core HookRunner for spawning hook processes with secret redaction.
Trust Logic src/config/settings.ts Adds SHA-256 based trust verification for project-level settings and a local trust store.
Agent Loop src/core/agent.ts Orchestrates hook execution across the agent's lifecycle and adds context window tracking.
Trust UI src/ui/App.tsx Integrates the hook trust prompt into the main application flow and handles session termination.
Trust Prompt src/ui/components/HookTrustPrompt.tsx New component to warn users about untrusted project-level hooks.

🧪 Test Added/Recommended

Added

  • test-hook-env.mjs: Verifies secret redaction from hook environments.
  • test-hook-integration.mjs: Tests agent loop integration with scripted model outputs.
  • test-hook-trust.mjs: Validates the trust gate logic and persistence.
  • test-hooks.mjs: Functional tests for the hook engine (timeouts, aggregation, matchers).

Recommended

  • Add cross-platform tests for shell command execution on Windows vs Unix.
  • Implement stress tests for concurrent hook execution to ensure no race conditions in result aggregation.

🔒 Security Vulnerabilities

  • Critical Bug Detected: In src/core/hooks.ts at line 290, the regex construction is corrupted with prompt text: return new RegExp(`^(?:${matcher})Analyze the Pull Request...`).test(query). This will cause hook matching to fail or behave unpredictably. ⚠️
  • Proactive hardening via environment variable redaction and project-level trust gates mitigates RCE risks. 🛡️

@code-crusher code-crusher merged commit 7773c3c into main Jun 17, 2026
1 check was pending
@code-crusher code-crusher deleted the release/v0.1.13 branch June 17, 2026 07:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant

Morty Proxy This is a proxified and sanitized view of the page, visit original site.