Lines 366-406shell
366mk_ph() { jq -cn --arg p "$1" --arg cwd "$2" '{prompt:$p,cwd:$cwd,session_id:"smoke1",hook_event_name:"UserPromptSubmit"}'; }
367OUT="$(run_hook memory-prompt-hint.sh "$(mk_ph 'fix the authentication bug' "$PROJ")")"; is_context "$OUT" && ok "prompt matches MEMORY index → hint" || bad "prompt matches MEMORY index → hint" "$OUT"
368B="$(clog_count)"; run_hook memory-prompt-hint.sh "$(mk_ph 'fix the authentication bug' "$PROJ")" >/dev/null 2>&1; NEW="$(clog_new "$B")"
369{ printf '%s\n' "$NEW" | grep -q '"event":"suggest"' && printf '%s\n' "$NEW" | grep -q 'memory/auth.md'; } && ok "hint records a suggest event carrying surfaced filename(s) (A3 prereq)" || bad "suggest event carries filenames" "new=[$NEW]"
370OUT="$(run_hook memory-prompt-hint.sh "$(mk_ph 'bump the version number' "$PROJ")")"; is_empty "$OUT" && ok "prompt no match → silent" || bad "prompt no match → silent" "$OUT"
371OUT="$(run_hook memory-prompt-hint.sh "$(mk_ph 'fix the authentication bug' "$SANDBOX/noproj")")"; is_empty "$OUT" && ok "no MEMORY.md → silent" || bad "no MEMORY.md → silent" "$OUT"
372OUT="$(run_hook memory-prompt-hint.sh "$(mk_ph 'fix billing invoice bug' "$NONGIT/child")")"; is_context "$OUT" && ok "prompt matches parent MEMORY outside git → hint" || bad "prompt matches parent MEMORY outside git → hint" "$OUT"
373# C4: 中文 index trigger words match a 中文 prompt (UTF-8 locale; on LC_ALL=C the
374# CJK class won't match and the hint fails safe rather than firing wrongly).
375printf '%s\n' '- [认证登录](memory/auth.md) — 认证 登录 会话 处理' > "$PROJ/MEMORY.md"
376OUT="$(run_hook memory-prompt-hint.sh "$(mk_ph '修复认证登录的并发问题' "$PROJ")")"; is_context "$OUT" && ok "中文 prompt matches 中文 index → hint" || bad "中文 prompt matches 中文 index → hint" "$OUT"
377OUT="$(run_hook memory-prompt-hint.sh "$(mk_ph '更新版本号' "$PROJ")")"; is_empty "$OUT" && ok "中文 prompt no match → silent" || bad "中文 prompt no match → silent" "$OUT"
379echo "== secrets-scan.sh =="
380if command -v git >/dev/null 2>&1; then
381 SECREPO="$SANDBOX/secrepo"; mkdir -p "$SECREPO"
382 git -C "$SECREPO" init -q >/dev/null 2>&1
383 mk_sec() { jq -cn --arg c "$1" --arg cwd "$2" '{tool_name:"Bash",tool_input:{command:$c},session_id:"smokesecrets",cwd:$cwd}'; }
384 printf 'const x = 1;\n' > "$SECREPO/app.js"; git -C "$SECREPO" add app.js >/dev/null 2>&1
385 OUT="$(run_hook secrets-scan.sh "$(mk_sec 'git commit -m clean' "$SECREPO")")"; is_empty "$OUT" && ok "commit clean staged diff → allow" || bad "commit clean staged diff → allow" "$OUT"
386 printf 'aws = "AKIAIOSFODNN7EXAMPLE"\n' >> "$SECREPO/app.js"; git -C "$SECREPO" add app.js >/dev/null 2>&1
CriticalCritical Secret
Package contains a critical-looking secret pattern.
hooks/tests/smoke.shView on unpkg · L386 387 OUT="$(run_hook secrets-scan.sh "$(mk_sec 'git commit -m addkey' "$SECREPO")")"; is_block "$OUT" && ok "commit staging an AWS-key-shaped secret → block" || bad "commit staging AWS key → block" "$OUT"
388 OUT="$(run_hook secrets-scan.sh "$(mk_sec 'git commit -m addkey [allow-secret]' "$SECREPO")")"; is_empty "$OUT" && ok "commit secret + [allow-secret] bypass → allow" || bad "commit secret + bypass → allow" "$OUT"
389 OUT="$(run_hook secrets-scan.sh "$(mk_sec 'git status' "$SECREPO")")"; is_empty "$OUT" && ok "non-commit git command → allow" || bad "non-commit git → allow" "$OUT"
391 ok "secrets-scan.sh skipped (git not on PATH)"
394echo "== telemetry =="
395LOG="$SANDBOX/.codex/logs/agentsmd.jsonl"
396if [[ -r "$LOG" ]]; then
397 ROWS="$(wc -l < "$LOG" | tr -d ' ')"
398 SECTIONS="$(jq -r '.spec_section // "null"' "$LOG" 2>/dev/null | sort -u | paste -sd, -)"
399 ok "telemetry rows written: $ROWS (sections: $SECTIONS)"
401 bad "telemetry log written" "(no $LOG)"
403# AGENTSMD_TELEMETRY_TAG stamps a `tag` field so verify/sandbox runs are excludable by audit.
404TAGHOME="$SANDBOX/tagtest"; mkdir -p "$TAGHOME/logs"
405CODEX_HOME="$TAGHOME" AGENTSMD_TELEMETRY_TAG=test bash -c 'source hooks/lib/rule-hits.sh; rule_hits_append "h" "block" "null" "§8-rm-rf-var" "sid-abcdefgh"'
406if [[ -r "$TAGHOME/logs/agentsmd.jsonl" ]] && jq -e '.tag=="test"' "$TAGHOME/logs/agentsmd.jsonl" >/dev/null 2>&1; then