echo "== memory-prompt-hint.sh =="

# Seed the project's MEMORY.md index with one English entry; the cases below
# check whether the hook emits a hint when a prompt overlaps this entry.
printf '%s\n' '- [auth-flow](memory/auth.md) — authentication and login handling' > "$PROJ/MEMORY.md"

# mk_ph PROMPT CWD
# Prints a compact, single-line UserPromptSubmit payload on stdout.
# Both values go through `jq --arg`, so quotes, backslashes or newlines in a
# prompt are JSON-escaped by jq and never become part of the filter text.
mk_ph() {
  jq -cn \
    --arg p "$1" \
    --arg cwd "$2" \
    '{prompt:$p,cwd:$cwd,session_id:"smoke1",hook_event_name:"UserPromptSubmit"}'
}

# NOTE(review): every check below has the shape `test && ok … || bad …`, which
# also runs `bad` if `ok` itself returns non-zero. `ok` is defined outside this
# excerpt; confirm it always returns 0.

# Prompt shares a keyword with the index entry: a hint is expected.
OUT="$(run_hook memory-prompt-hint.sh "$(mk_ph 'fix the authentication bug' "$PROJ")")"
is_context "$OUT" \
  && ok "prompt matches MEMORY index → hint" \
  || bad "prompt matches MEMORY index → hint" "$OUT"

# Prompt unrelated to the index: the hook must stay silent.
OUT="$(run_hook memory-prompt-hint.sh "$(mk_ph 'bump the version number' "$PROJ")")"
is_empty "$OUT" \
  && ok "prompt no match → silent" \
  || bad "prompt no match → silent" "$OUT"

# Working directory under $SANDBOX/noproj, expected to have no MEMORY.md.
OUT="$(run_hook memory-prompt-hint.sh "$(mk_ph 'fix the authentication bug' "$SANDBOX/noproj")")"
is_empty "$OUT" \
  && ok "no MEMORY.md → silent" \
  || bad "no MEMORY.md → silent" "$OUT"

# Working directory is a child of $NONGIT; the MEMORY.md this case relies on is
# presumably created for the parent earlier in the script (not visible here).
OUT="$(run_hook memory-prompt-hint.sh "$(mk_ph 'fix billing invoice bug' "$NONGIT/child")")"
is_context "$OUT" \
  && ok "prompt matches parent MEMORY outside git → hint" \
  || bad "prompt matches parent MEMORY outside git → hint" "$OUT"

# C4: Chinese trigger words in the index must match a Chinese prompt. This
# needs a UTF-8 locale; under LC_ALL=C the CJK character class does not match,
# so the hint stays silent (fails safe) instead of firing on the wrong prompt.
printf '%s\n' '- [认证登录](memory/auth.md) — 认证 登录 会话 处理' > "$PROJ/MEMORY.md"

OUT="$(run_hook memory-prompt-hint.sh "$(mk_ph '修复认证登录的并发问题' "$PROJ")")"
is_context "$OUT" \
  && ok "中文 prompt matches 中文 index → hint" \
  || bad "中文 prompt matches 中文 index → hint" "$OUT"

OUT="$(run_hook memory-prompt-hint.sh "$(mk_ph '更新版本号' "$PROJ")")"
is_empty "$OUT" \
  && ok "中文 prompt no match → silent" \
  || bad "中文 prompt no match → silent" "$OUT"
echo "== secrets-scan.sh =="
if command -v git >/dev/null 2>&1; then
  # Throwaway repository inside the sandbox, so the hook has a real staged
  # diff to look at.
  SECREPO="$SANDBOX/secrepo"
  mkdir -p "$SECREPO"
  # NOTE(review): output and errors of `git init` / `git add` are discarded
  # throughout this section, so a broken fixture only shows up indirectly as
  # a failed assertion further down.
  git -C "$SECREPO" init -q >/dev/null 2>&1

  # mk_sec COMMAND CWD
  # Prints a compact Bash tool-call payload on stdout. The command string is
  # passed with `jq --arg`, so it is JSON-escaped rather than interpolated.
  mk_sec() {
    jq -cn \
      --arg c "$1" \
      --arg cwd "$2" \
      '{tool_name:"Bash",tool_input:{command:$c},session_id:"smokesecrets",cwd:$cwd}'
  }

  # Case 1: staged content holds no secret, so the commit must pass.
  printf 'const x = 1;\n' > "$SECREPO/app.js"
  git -C "$SECREPO" add app.js >/dev/null 2>&1
  OUT="$(run_hook secrets-scan.sh "$(mk_sec 'git commit -m clean' "$SECREPO")")"
  is_empty "$OUT" \
    && ok "commit clean staged diff → allow" \
    || bad "commit clean staged diff → allow" "$OUT"

  # Case 2: stage an AWS-access-key-shaped string and expect a block.
  # The value is the example access key ID published in AWS documentation,
  # not a live credential. It still matches the AKIA… key pattern, so
  # pattern-based package and repository scanners report this line; record
  # it as a known test fixture in the scanner's allowlist instead of reading
  # the alert as a leak.
  printf 'aws = "AKIAIOSFODNN7EXAMPLE"\n' >> "$SECREPO/app.js"
  git -C "$SECREPO" add app.js >/dev/null 2>&1
  OUT="$(run_hook secrets-scan.sh "$(mk_sec 'git commit -m addkey' "$SECREPO")")"
  is_block "$OUT" \
    && ok "commit staging an AWS-key-shaped secret → block" \
    || bad "commit staging AWS key → block" "$OUT"

  # Case 3: the same staged secret, with the `[allow-secret]` marker in the
  # commit command, must be let through.
  # NOTE(review): this pins the override as silent (empty hook output).
  # Whether a bypassed commit is logged anywhere is not visible here; an
  # override of a secrets gate is worth an audit trail.
  OUT="$(run_hook secrets-scan.sh "$(mk_sec 'git commit -m addkey [allow-secret]' "$SECREPO")")"
  is_empty "$OUT" \
    && ok "commit secret + [allow-secret] bypass → allow" \
    || bad "commit secret + bypass → allow" "$OUT"

  # Case 4: a git command that is not a commit is never blocked, even though
  # the secret is still staged.
  OUT="$(run_hook secrets-scan.sh "$(mk_sec 'git status' "$SECREPO")")"
  is_empty "$OUT" \
    && ok "non-commit git command → allow" \
    || bad "non-commit git → allow" "$OUT"
else
  # NOTE(review): without git the whole section is reported through `ok`,
  # so such a run counts the secrets hook as passing although it was never
  # exercised.
  ok "secrets-scan.sh skipped (git not on PATH)"
fi
echo "== telemetry =="
# JSONL log the checks above are expected to have appended to.
LOG="$SANDBOX/.codex/logs/agentsmd.jsonl"
if [[ -r "$LOG" ]]; then
  # Row count; `tr` strips the padding some `wc` implementations emit.
  ROWS="$(
    wc -l < "$LOG" \
      | tr -d ' '
  )"
  # Distinct spec_section values as a comma-separated list; rows without the
  # field are shown as "null".
  # NOTE(review): jq errors are discarded, so a malformed log line yields an
  # incomplete or empty list rather than a failure, and the check passes on
  # any readable file, including an empty one.
  SECTIONS="$(
    jq -r '.spec_section // "null"' "$LOG" 2>/dev/null \
      | sort -u \
      | paste -sd, -
  )"
  ok "telemetry rows written: $ROWS (sections: $SECTIONS)"
else
  bad "telemetry log written" "(no $LOG)"
fi
# AGENTSMD_TELEMETRY_TAG stamps a `tag` field on each telemetry row, which lets
# an audit exclude rows produced by verify/sandbox runs.
# The append runs in a child bash with its own CODEX_HOME, so the tagged row
# goes to a separate log under $TAGHOME. The library path is relative, so it
# resolves against the directory this script is run from.
TAGHOME="$SANDBOX/tagtest"
mkdir -p "$TAGHOME/logs"
CODEX_HOME="$TAGHOME" AGENTSMD_TELEMETRY_TAG=test \
  bash -c 'source hooks/lib/rule-hits.sh; rule_hits_append "h" "block" "null" "§8-rm-rf-var" "sid-abcdefgh"'
282if [[ -r "$TAGHOME/logs/agentsmd.jsonl" ]] && jq -e '.tag=="test"' "$TAGHOME/logs/agentsmd.jsonl" >/dev/null 2>&1; then