fix(ide): harden OpenCode plugin for cross-platform and security

- Replace curl subprocess with Node.js http/https modules for Windows compat
- Fix command injection in hook plugins (use shell:true with constant arg)
- Fix JSONC comment stripping to handle inline comments
- Add message.updated event handling and conditional final flag
- Cap sessionState Map to prevent memory leaks in long-lived processes
- Remove duplicate plugin source from CLI (delegate to server)
- Validate URLs in HTTP hook plugin generation
- Fix detect_hooks to not rely on Path.cwd()
- Fix frontmatter parsing to only match top-level keys
- Restore test coverage for session.created and message.updated
- Bump HOOKS_SPEC_VERSION to 2

Author: Lokesh7025

observal-server/services/ide/helpers.py

@@ -202,9 +202,10 @@ def _opencode_plugin_js() -> str:
 // Auto-generated by `observal pull` / `observal doctor patch`
 // Do not edit manually - regenerated on upgrade.
 
-import { execFileSync } from "child_process";
 import { readFileSync, existsSync } from "fs";
 import { join } from "path";
+import { request as httpRequest } from "http";
+import { request as httpsRequest } from "https";
 
 const CONFIG_PATH = join(
   process.env.HOME || process.env.USERPROFILE || "~",
@@ -232,28 +233,45 @@ def _opencode_plugin_js() -> str:
   const body = JSON.stringify(payload);
 
   try {
-    execFileSync("curl", [
-      "-s", "-X", "POST",
-      "-H", "Content-Type: application/json",
-      "-H", `Authorization: Bearer ${config.access_token}`,
-      "--max-time", "10",
-      "-d", body,
-      url,
-    ], { stdio: ["pipe", "pipe", "pipe"], timeout: 12000 });
+    const parsed = new URL(url);
+    const reqFn = parsed.protocol === "https:" ? httpsRequest : httpRequest;
+    const req = reqFn(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${config.access_token}`,
+        "Content-Length": Buffer.byteLength(body),
+      },
+      timeout: 10000,
+    });
+    req.on("error", () => {});
+    req.on("timeout", () => { req.destroy(); });
+    req.write(body);
+    req.end();
   } catch {
     // Non-blocking: never break the session
   }
 }
 
 const sessionState = new Map();
+const MAX_TRACKED_SESSIONS = 50;
 
 function getState(sessionId) {
   if (!sessionState.has(sessionId)) {
+    // Evict oldest sessions if we exceed the cap
+    if (sessionState.size >= MAX_TRACKED_SESSIONS) {
+      const oldest = sessionState.keys().next().value;
+      sessionState.delete(oldest);
+    }
     sessionState.set(sessionId, { pushedMessageIds: new Set(), lineOffset: 0 });
   }
   return sessionState.get(sessionId);
 }
 
+function cleanupSession(sessionId) {
+  sessionState.delete(sessionId);
+}
+
 function messagesToLines(messages) {
   const lines = [];
   for (const msg of messages) {
@@ -276,6 +294,7 @@ def _opencode_plugin_js() -> str:
     if (info.createdAt && typeof info.createdAt === "string") { ts = info.createdAt; }
     else if (info.time && typeof info.time === "object" && info.time.created) { ts = new Date(info.time.created).toISOString(); }
     else if (info.time && typeof info.time === "string") { ts = info.time; }
+    else if (info.timestamp && typeof info.timestamp === "string") { ts = info.timestamp; }
     const line = {
       type: role === "user" ? "user" : "assistant",
       timestamp: ts,
@@ -298,9 +317,9 @@ def _opencode_plugin_js() -> str:
 }
 
 export const ObservalPlugin = async ({ project, client, directory }) => {
-  // Built-in agents that should NOT be tracked
   const BUILTIN_AGENTS = new Set(["build", "plan", "general", "explore", "scout", "compaction", "title", "summary"]);
   const agentSessions = new Map();
+  const pendingPush = new Map();
 
   return {
     event: async ({ event }) => {
@@ -309,13 +328,25 @@ def _opencode_plugin_js() -> str:
         const agent = event?.properties?.info?.agent || "";
         if (sessionId && agent && !BUILTIN_AGENTS.has(agent)) {
           agentSessions.set(sessionId, agent);
+          pendingPush.set(sessionId, true);
         }
       }
+
+      if (event?.type === "message.updated") {
+        const sessionId = event?.properties?.sessionID || "";
+        if (sessionId && agentSessions.has(sessionId)) {
+          pendingPush.set(sessionId, true);
+        }
+      }
+
       if (event?.type === "session.idle") {
         const sessionId = event?.properties?.sessionID || "";
         if (!sessionId) return;
         const agent = agentSessions.get(sessionId);
         if (!agent) return;
+        if (!pendingPush.get(sessionId)) return;
+        pendingPush.delete(sessionId);
+
         try {
           const messagesResult = await client.session.messages({ path: { id: sessionId } });
           const messages = messagesResult?.data || messagesResult || [];
@@ -325,14 +356,19 @@ def _opencode_plugin_js() -> str:
           if (newMessages.length === 0) return;
           const lines = messagesToLines(newMessages);
           if (lines.length === 0) return;
+          const isFinal = event?.properties?.final === true || event?.properties?.reason === "completed";
           pushToServer({
             session_id: sessionId, ide: "opencode", lines, agent_id: agent,
             start_offset: state.lineOffset, hook_event: "session.idle",
-            final: true, total_line_count: state.lineOffset + lines.length,
+            final: isFinal, total_line_count: state.lineOffset + lines.length,
             total_offset: state.lineOffset + lines.length,
           });
           for (const m of newMessages) state.pushedMessageIds.add(m.info?.id || m.id);
           state.lineOffset += lines.length;
+          if (isFinal) {
+            cleanupSession(sessionId);
+            agentSessions.delete(sessionId);
+          }
         } catch { /* Non-blocking */ }
       }
     },
@@ -740,22 +776,27 @@ def _collect_opencode_hook_plugins(hook_configs: list[dict]) -> list[dict]:
 
 def _opencode_command_hook_plugin(name: str, event: str, command: str) -> str:
     """Generate a plugin file that runs a shell command on an OpenCode event."""
-    cmd_escaped = command.replace("\\", "\\\\").replace('"', '\\"').replace("`", "\\`")
+    import json as _json
+
+    cmd_json = _json.dumps(command)
     return f"""// Observal hook plugin: {name}
 // Event: {event}
 // Auto-generated by `observal pull`
 
 import {{ execSync }} from "child_process";
 
+const HOOK_COMMAND = {cmd_json};
+
 export const Hook_{name.replace("-", "_")} = async (ctx) => {{
   return {{
     event: async ({{ event }}) => {{
       if (event?.type === "{event}") {{
         try {{
-          execSync("{cmd_escaped}", {{
+          execSync(HOOK_COMMAND, {{
             cwd: ctx.directory,
             timeout: 10000,
             stdio: ["pipe", "pipe", "pipe"],
+            shell: true,
           }});
         }} catch {{
           // Non-blocking: don't break the session
@@ -769,25 +810,39 @@ def _opencode_command_hook_plugin(name: str, event: str, command: str) -> str:
 
 def _opencode_http_hook_plugin(name: str, event: str, url: str, timeout: int = 10) -> str:
     """Generate a plugin file that makes an HTTP request on an OpenCode event."""
-    url_escaped = url.replace("\\", "\\\\").replace('"', '\\"')
+    from urllib.parse import urlparse
+
+    parsed = urlparse(url)
+    if parsed.scheme not in ("http", "https") or not parsed.netloc:
+        return f"// Observal hook plugin: {name} — SKIPPED (invalid URL)\nexport {{}};\n"
+    import json as _json
+
+    url_json = _json.dumps(url)
+    is_https = url.startswith("https")
+    req_module = "https" if is_https else "http"
     return f"""// Observal hook plugin: {name}
 // Event: {event}
 // Auto-generated by `observal pull`
 
-import {{ execFileSync }} from "child_process";
+import {{ request }} from "{req_module}";
+
+const HOOK_URL = {url_json};
 
 export const Hook_{name.replace("-", "_")} = async (ctx) => {{
   return {{
     event: async ({{ event }}) => {{
       if (event?.type === "{event}") {{
         try {{
-          execFileSync("curl", [
-            "-s", "-X", "POST",
-            "-H", "Content-Type: application/json",
-            "--max-time", "{timeout}",
-            "-d", JSON.stringify({{ event: event?.type, properties: event?.properties || {{}} }}),
-            "{url_escaped}",
-          ], {{ timeout: {timeout * 1000 + 2000}, stdio: ["pipe", "pipe", "pipe"] }});
+          const body = JSON.stringify({{ event: event?.type, properties: event?.properties || {{}} }});
+          const req = request(HOOK_URL, {{
+            method: "POST",
+            headers: {{ "Content-Type": "application/json", "Content-Length": Buffer.byteLength(body) }},
+            timeout: {timeout * 1000},
+          }});
+          req.on("error", () => {{}});
+          req.on("timeout", () => {{ req.destroy(); }});
+          req.write(body);
+          req.end();
         }} catch {{
           // Non-blocking
         }}

observal_cli/ide/opencode.py

@@ -10,6 +10,7 @@
 from __future__ import annotations
 
 import json
+import re
 from pathlib import Path
 from typing import Any
 
@@ -24,6 +25,20 @@
 )
 from observal_cli.ide.base import BaseAdapter
 
+_JSONC_COMMENT_RE = re.compile(
+    r'("(?:[^"\\]|\\.)*")|//[^\n]*|/\*.*?\*/',
+    re.DOTALL,
+)
+
+
+def _strip_jsonc_comments(text: str) -> str:
+    """Strip // and /* */ comments from JSONC, preserving strings."""
+    def _replacer(m: re.Match) -> str:
+        if m.group(1) is not None:
+            return m.group(1)
+        return ""
+    return _JSONC_COMMENT_RE.sub(_replacer, text)
+
 
 class OpenCodeAdapter(BaseAdapter):
     """Adapter for OpenCode."""
@@ -84,31 +99,26 @@ def generate_hook_config(
     def detect_hooks(self, config_dir: Path) -> str:
         """Detect if the Observal plugin is installed in OpenCode.
 
-        Checks both project-level and global plugin directories.
+        Checks the global plugin directory (config_dir/plugins) which is
+        the canonical install location for `observal pull` with user scope.
         """
-        # Check project-level plugins
-        project_plugin = Path.cwd() / ".opencode" / "plugins"
-        global_plugin = config_dir / "plugins"
+        plugins_dir = config_dir / "plugins"
+        if not plugins_dir.exists():
+            return "missing"
 
-        found = 0
-        for plugins_dir in (project_plugin, global_plugin):
-            if not plugins_dir.exists():
+        for plugin_file in plugins_dir.iterdir():
+            if not plugin_file.is_file():
+                continue
+            if plugin_file.suffix not in (".ts", ".js", ".mjs"):
+                continue
+            try:
+                content = plugin_file.read_text(errors="ignore")
+                if "ObservalPlugin" in content or "observal" in content.lower():
+                    return "installed"
+            except OSError:
                 continue
-            for plugin_file in plugins_dir.iterdir():
-                if not plugin_file.is_file():
-                    continue
-                if plugin_file.suffix not in (".ts", ".js", ".mjs"):
-                    continue
-                try:
-                    content = plugin_file.read_text(errors="ignore")
-                    if "ObservalPlugin" in content or "observal" in content.lower():
-                        found += 1
-                except OSError:
-                    continue
-
-        if found == 0:
-            return "missing"
-        return "installed"
+
+        return "missing"
 
     def shim_status(self, mcps: list[DiscoveredMcp]) -> str:
         return super().shim_status(mcps)
@@ -170,14 +180,7 @@ def _parse_opencode_config(self, config_file: Path, source: str) -> ScanResult:
         """Parse an opencode.json config and extract MCP servers."""
         try:
             raw = config_file.read_text()
-            # Strip JSONC comments (single-line // comments)
-            lines = []
-            for line in raw.splitlines():
-                stripped = line.lstrip()
-                if stripped.startswith("//"):
-                    continue
-                lines.append(line)
-            data = json.loads("\n".join(lines))
+            data = json.loads(_strip_jsonc_comments(raw))
             servers = data.get("mcp", {})
             mcps = []
             for srv_name, srv_config in servers.items():
@@ -281,21 +284,25 @@ def _scan_plugins_dir(self, plugins_dir: Path, source: str) -> list[DiscoveredHo
         return hooks
 
     def _extract_frontmatter_field(self, content: str, field: str) -> str | None:
-        """Extract a field from YAML frontmatter in a markdown file."""
+        """Extract a top-level field from YAML frontmatter in a markdown file."""
         if not content.startswith("---"):
             return None
         parts = content.split("---", 2)
         if len(parts) < 3:
             return None
         frontmatter = parts[1]
+        prefix = f"{field}:"
         for line in frontmatter.splitlines():
-            line = line.strip()
-            if line.startswith(f"{field}:"):
-                value = line[len(f"{field}:") :].strip()
-                # Remove surrounding quotes if present
-                if value and value[0] in ('"', "'") and value[-1] == value[0]:
-                    value = value[1:-1]
-                return value
+            # Only match top-level keys (no leading whitespace)
+            if line.startswith((" ", "\t")):
+                continue
+            stripped = line.strip()
+            if not stripped.startswith(prefix):
+                continue
+            value = stripped[len(prefix):].strip()
+            if value and value[0] in ('"', "'") and value[-1] == value[0]:
+                value = value[1:-1]
+            return value
         return None