fix: harden local logging and concept tracking

Author: bitfalt

scripts/lib/log-helpers.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# CodeSensei — Shared Log Helpers
+# Utilities for trimming local logs and redacting sensitive command content.
+
+trim_log_file() {
+  local file_path="$1"
+  local max_lines="$2"
+
+  if [ ! -f "$file_path" ]; then
+    return 0
+  fi
+
+  local line_count
+  line_count=$(wc -l < "$file_path" 2>/dev/null || echo 0)
+  if [ "$line_count" -gt "$max_lines" ]; then
+    tail -n "$max_lines" "$file_path" > "${file_path}.tmp" && mv "${file_path}.tmp" "$file_path"
+  fi
+}
+
+redact_sensitive_command() {
+  local raw_command="$1"
+
+  printf '%s' "$raw_command" | \
+    sed -E \
+      -e 's/([A-Za-z_][A-Za-z0-9_]*(TOKEN|SECRET|PASSWORD|PASSWD|PWD|API_KEY|APIKEY|ACCESS_KEY|ACCESSKEY|PRIVATE_KEY|COOKIE|SESSION)[A-Za-z0-9_]*=)"[^"]*"/\1"[REDACTED]"/Ig' \
+      -e "s/([A-Za-z_][A-Za-z0-9_]*(TOKEN|SECRET|PASSWORD|PASSWD|PWD|API_KEY|APIKEY|ACCESS_KEY|ACCESSKEY|PRIVATE_KEY|COOKIE|SESSION)[A-Za-z0-9_]*=)'[^']*'/\\1'[REDACTED]'/Ig" \
+      -e 's/([A-Za-z_][A-Za-z0-9_]*(TOKEN|SECRET|PASSWORD|PASSWD|PWD|API_KEY|APIKEY|ACCESS_KEY|ACCESSKEY|PRIVATE_KEY|COOKIE|SESSION)[A-Za-z0-9_]*=)[^[:space:]]+/\1[REDACTED]/Ig' \
+      -e 's/(--?(token|secret|password|pass|api-key|apikey|access-key|accesskey|private-key|authorization|cookie|session)(=|[[:space:]]+))[^[:space:]]+/\1[REDACTED]/Ig' \
+      -e "s/(Authorization:[[:space:]]*(Bearer|Basic)[[:space:]]+)[^\"'[:space:]]+/\\1[REDACTED]/Ig" \
+      -e 's#(https?://[^/@[:space:]]+:)[^/@[:space:]]+@#\1[REDACTED]@#g'
+}

scripts/session-start.sh

@@ -9,6 +9,8 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 source "${SCRIPT_DIR}/lib/profile-io.sh"
 # shellcheck source=lib/date-compat.sh
 source "${SCRIPT_DIR}/lib/date-compat.sh"
+# shellcheck source=lib/log-helpers.sh
+source "${SCRIPT_DIR}/lib/log-helpers.sh"
 
 LIB_DIR="${SCRIPT_DIR}/lib"
 if [ -f "${LIB_DIR}/error-handling.sh" ]; then
@@ -21,6 +23,7 @@ else
 fi
 
 SESSION_LOG="${PROFILE_DIR}/sessions.log"
+SESSION_LOG_MAX_LINES=500
 TODAY=$(date_today)
 
 ensure_profile_dir
@@ -155,6 +158,7 @@ fi
 if ! printf '%s %s session_start\n' "$TODAY" "$(date -u +%H:%M:%S)" >> "$SESSION_LOG" 2>&1; then
   log_error "$SCRIPT_NAME" "Failed to write to session log: $SESSION_LOG"
 fi
+trim_log_file "$SESSION_LOG" "$SESSION_LOG_MAX_LINES"
 
 if [ "$NEW_STREAK" -ge 7 ] && [ "$NEW_STREAK" != "$CURRENT_STREAK" ]; then
   echo "$NEW_STREAK-day streak! Consistency is the Dojo Way."

scripts/session-stop.sh

@@ -7,6 +7,8 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 
 # shellcheck source=lib/profile-io.sh
 source "${SCRIPT_DIR}/lib/profile-io.sh"
+# shellcheck source=lib/log-helpers.sh
+source "${SCRIPT_DIR}/lib/log-helpers.sh"
 
 LIB_DIR="${SCRIPT_DIR}/lib"
 if [ -f "${LIB_DIR}/error-handling.sh" ]; then
@@ -19,6 +21,7 @@ else
 fi
 
 SESSION_LOG="${PROFILE_DIR}/sessions.log"
+SESSION_LOG_MAX_LINES=500
 SESSION_STATE="${PROFILE_DIR}/session-state.json"
 TODAY=$(date -u +%Y-%m-%d)
 
@@ -53,6 +56,7 @@ if ! printf '%s %s session_stop concepts=%s xp=%s belt=%s\n' \
 then
   log_error "$SCRIPT_NAME" "Failed to write to session log: $SESSION_LOG"
 fi
+trim_log_file "$SESSION_LOG" "$SESSION_LOG_MAX_LINES"
 
 if ! update_profile '.session_concepts = []'; then
   log_error "$SCRIPT_NAME" "Failed clearing session_concepts during session stop"

scripts/track-code-change.sh

@@ -8,11 +8,14 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 
 # shellcheck source=lib/profile-io.sh
 source "${SCRIPT_DIR}/lib/profile-io.sh"
+# shellcheck source=lib/log-helpers.sh
+source "${SCRIPT_DIR}/lib/log-helpers.sh"
 
 CHANGES_LOG="${PROFILE_DIR}/session-changes.jsonl"
 SESSION_STATE="${PROFILE_DIR}/session-state.json"
 RATE_LIMIT_INTERVAL=30
 SESSION_CAP=12
+CHANGES_LOG_MAX_LINES=1000
 
 LIB_DIR="${SCRIPT_DIR}/lib"
 if [ -f "${LIB_DIR}/error-handling.sh" ]; then
@@ -78,40 +81,51 @@ case "$EXTENSION" in
   *) TECH="other" ;;
 esac
 
+TRACKED_CONCEPT="$TECH"
+case "$TECH" in
+  javascript) TRACKED_CONCEPT="js-basics" ;;
+  react) TRACKED_CONCEPT="react-components" ;;
+  sql) TRACKED_CONCEPT="sql-basics" ;;
+  shell) TRACKED_CONCEPT="terminal-navigation" ;;
+  other) TRACKED_CONCEPT="" ;;
+esac
+
 SAFE_FILE_PATH=$(printf '%s' "$FILE_PATH" | sed 's/\\/\\\\/g; s/"/\\"/g')
 SAFE_TOOL_NAME=$(printf '%s' "$TOOL_NAME" | sed 's/\\/\\\\/g; s/"/\\"/g')
-if ! printf '{"timestamp":"%s","tool":"%s","file":"%s","extension":"%s","tech":"%s"}\n' \
-  "$TIMESTAMP" "$SAFE_TOOL_NAME" "$SAFE_FILE_PATH" "$EXTENSION" "$TECH" >> "$CHANGES_LOG" 2>&1
+SAFE_TRACKED_CONCEPT=$(printf '%s' "$TRACKED_CONCEPT" | sed 's/\\/\\\\/g; s/"/\\"/g')
+if ! printf '{"timestamp":"%s","tool":"%s","file":"%s","extension":"%s","tech":"%s","concept":"%s"}\n' \
+  "$TIMESTAMP" "$SAFE_TOOL_NAME" "$SAFE_FILE_PATH" "$EXTENSION" "$TECH" "$SAFE_TRACKED_CONCEPT" >> "$CHANGES_LOG" 2>&1
 then
   log_error "$SCRIPT_NAME" "Failed to write to changes log: $CHANGES_LOG"
 fi
+trim_log_file "$CHANGES_LOG" "$CHANGES_LOG_MAX_LINES"
 
 IS_FIRST_EVER="false"
-if [ -f "$PROFILE_FILE" ] && [ "$TECH" != "other" ]; then
-  ALREADY_IN_SESSION=$(jq --arg tech "$TECH" '.session_concepts | index($tech)' "$PROFILE_FILE" 2>&1)
+if [ -f "$PROFILE_FILE" ] && [ -n "$TRACKED_CONCEPT" ]; then
+  ALREADY_IN_SESSION=$(jq --arg concept "$TRACKED_CONCEPT" '.session_concepts | index($concept)' "$PROFILE_FILE" 2>&1)
   if [ $? -ne 0 ]; then
-    log_error "$SCRIPT_NAME" "jq failed checking session_concepts for $TECH: $ALREADY_IN_SESSION"
+    log_error "$SCRIPT_NAME" "jq failed checking session_concepts for $TRACKED_CONCEPT: $ALREADY_IN_SESSION"
     ALREADY_IN_SESSION="0"
   fi
 
-  ALREADY_IN_LIFETIME=$(jq --arg tech "$TECH" '.concepts_seen | index($tech)' "$PROFILE_FILE" 2>&1)
+  ALREADY_IN_LIFETIME=$(jq --arg concept "$TRACKED_CONCEPT" '.concepts_seen | index($concept)' "$PROFILE_FILE" 2>&1)
   if [ $? -ne 0 ]; then
-    log_error "$SCRIPT_NAME" "jq failed checking concepts_seen for $TECH: $ALREADY_IN_LIFETIME"
+    log_error "$SCRIPT_NAME" "jq failed checking concepts_seen for $TRACKED_CONCEPT: $ALREADY_IN_LIFETIME"
     ALREADY_IN_LIFETIME="0"
   fi
 
   if [ "$ALREADY_IN_LIFETIME" = "null" ]; then
     IS_FIRST_EVER="true"
-    if ! update_profile --arg tech "$TECH" '
-      .session_concepts += (if (.session_concepts | index($tech)) == null then [$tech] else [] end) |
-      .concepts_seen += (if (.concepts_seen | index($tech)) == null then [$tech] else [] end)
+    if ! update_profile --arg concept "$TRACKED_CONCEPT" '
+      .session_concepts += (if (.session_concepts | index($concept)) == null then [$concept] else [] end) |
+      .concepts_seen += (if (.concepts_seen | index($concept)) == null then [$concept] else [] end)
     '; then
-      log_error "$SCRIPT_NAME" "Failed updating profile for first-time technology: $TECH"
+      log_error "$SCRIPT_NAME" "Failed updating profile for first-time concept: $TRACKED_CONCEPT"
       IS_FIRST_EVER="false"
     fi
   elif [ "$ALREADY_IN_SESSION" = "null" ]; then
-    if ! update_profile --arg tech "$TECH" '.session_concepts += [$tech]'; then
-      log_error "$SCRIPT_NAME" "Failed updating session_concepts for technology: $TECH"
+    if ! update_profile --arg concept "$TRACKED_CONCEPT" '.session_concepts += [$concept]'; then
+      log_error "$SCRIPT_NAME" "Failed updating session_concepts for concept: $TRACKED_CONCEPT"
     fi
   fi
 fi
@@ -182,8 +196,9 @@ LESSON_ID="${TIMESTAMP}-$(printf '%05d' $$)"
 LESSON_FILE="${PENDING_DIR}/${LESSON_ID}.json"
 SAFE_FILE_PATH_LESSON=$(printf '%s' "$FILE_PATH" | sed 's/\\/\\\\/g; s/"/\\"/g')
 SAFE_TOOL_NAME_LESSON=$(printf '%s' "$TOOL_NAME" | sed 's/\\/\\\\/g; s/"/\\"/g')
-if ! printf '{"timestamp":"%s","type":"%s","tech":"%s","file":"%s","tool":"%s","belt":"%s","firstEncounter":%s}\n' \
-  "$TIMESTAMP" "$LESSON_TYPE" "$TECH" "$SAFE_FILE_PATH_LESSON" "$SAFE_TOOL_NAME_LESSON" "$BELT" "$IS_FIRST_EVER" > "$LESSON_FILE"
+SAFE_TRACKED_CONCEPT_LESSON=$(printf '%s' "$TRACKED_CONCEPT" | sed 's/\\/\\\\/g; s/"/\\"/g')
+if ! printf '{"timestamp":"%s","type":"%s","tech":"%s","concept":"%s","file":"%s","tool":"%s","belt":"%s","firstEncounter":%s}\n' \
+  "$TIMESTAMP" "$LESSON_TYPE" "$TECH" "$SAFE_TRACKED_CONCEPT_LESSON" "$SAFE_FILE_PATH_LESSON" "$SAFE_TOOL_NAME_LESSON" "$BELT" "$IS_FIRST_EVER" > "$LESSON_FILE"
 then
   log_error "$SCRIPT_NAME" "Failed to write pending lesson: $LESSON_FILE"
 fi

scripts/track-command.sh

@@ -8,11 +8,14 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 
 # shellcheck source=lib/profile-io.sh
 source "${SCRIPT_DIR}/lib/profile-io.sh"
+# shellcheck source=lib/log-helpers.sh
+source "${SCRIPT_DIR}/lib/log-helpers.sh"
 
 COMMANDS_LOG="${PROFILE_DIR}/session-commands.jsonl"
 SESSION_STATE="${PROFILE_DIR}/session-state.json"
 RATE_LIMIT_INTERVAL=30
 SESSION_CAP=12
+COMMANDS_LOG_MAX_LINES=1000
 TRIVIAL_COMMANDS="cd ls pwd clear echo cat which man help exit history alias type file wc whoami hostname uname true false"
 
 LIB_DIR="${SCRIPT_DIR}/lib"
@@ -100,13 +103,16 @@ for trivial in $TRIVIAL_COMMANDS; do
   fi
 done
 
+SANITIZED_COMMAND=$(redact_sensitive_command "$COMMAND")
+
 if [ "$IS_TRIVIAL" = "true" ]; then
-  SAFE_LOG_CMD=$(printf '%s' "$COMMAND" | head -c 200 | sed 's/\\/\\\\/g; s/"/\\"/g')
+  SAFE_LOG_CMD=$(printf '%s' "$SANITIZED_COMMAND" | head -c 200 | sed 's/\\/\\\\/g; s/"/\\"/g')
   if ! printf '{"timestamp":"%s","command":"%s","concept":"","skipped":"trivial"}\n' \
     "$TIMESTAMP" "$SAFE_LOG_CMD" >> "$COMMANDS_LOG" 2>&1
   then
     log_error "$SCRIPT_NAME" "Failed to write trivial command log: $COMMANDS_LOG"
   fi
+  trim_log_file "$COMMANDS_LOG" "$COMMANDS_LOG_MAX_LINES"
   printf '{}\n'
   exit 0
 fi
@@ -115,34 +121,34 @@ CONCEPT=""
 case "$COMMAND" in
   *"npm install"*|*"npm i "*|*"yarn add"*|*"pnpm add"*)
     CONCEPT="package-management"
-    PACKAGE=$(printf '%s' "$COMMAND" | sed -E 's/.*(npm install|npm i|yarn add|pnpm add)[[:space:]]+([^[:space:]]+).*/\2/' | head -1)
     ;;
   *"pip install"*|*"pip3 install"*) CONCEPT="package-management" ;;
   *"git "*) CONCEPT="git" ;;
   *"docker "*) CONCEPT="docker" ;;
-  *"curl "*|*"wget "*) CONCEPT="http-requests" ;;
-  *"mkdir "*|*"touch "*|*"cp "*|*"mv "*|*"rm "*) CONCEPT="file-system" ;;
-  *"node "*|*"npx "*) CONCEPT="nodejs-runtime" ;;
-  *"python "*|*"python3 "*) CONCEPT="python-runtime" ;;
-  *"psql "*|*"mysql "*|*"sqlite3 "*) CONCEPT="database-cli" ;;
+  *"curl "*|*"wget "*) CONCEPT="rest-apis" ;;
+  *"mkdir "*|*"touch "*|*"cp "*|*"mv "*|*"rm "*) CONCEPT="terminal-navigation" ;;
+  *"node "*|*"npx "*) CONCEPT="js-basics" ;;
+  *"python "*|*"python3 "*) CONCEPT="python" ;;
+  *"psql "*|*"mysql "*|*"sqlite3 "*) CONCEPT="sql-basics" ;;
   *"cd "*|*"ls "*|*"pwd"*) CONCEPT="terminal-navigation" ;;
-  *"chmod "*|*"chown "*) CONCEPT="permissions" ;;
-  *"ssh "*|*"scp "*) CONCEPT="remote-access" ;;
+  *"chmod "*|*"chown "*) CONCEPT="terminal-navigation" ;;
+  *"ssh "*|*"scp "*) CONCEPT="hosting" ;;
   *"env "*|*"export "*) CONCEPT="environment-variables" ;;
   *"test "*|*"jest "*|*"vitest "*|*"pytest "*) CONCEPT="testing" ;;
   *) CONCEPT="" ;;
 esac
 
-CMD_TRUNCATED=$(printf '%s' "$COMMAND" | head -c 200)
+CMD_TRUNCATED=$(printf '%s' "$SANITIZED_COMMAND" | head -c 200)
 SAFE_LOG_CMD=$(printf '%s' "$CMD_TRUNCATED" | sed 's/\\/\\\\/g; s/"/\\"/g')
 SAFE_CONCEPT=$(printf '%s' "$CONCEPT" | sed 's/\\/\\\\/g; s/"/\\"/g')
 if ! printf '{"timestamp":"%s","command":"%s","concept":"%s"}\n' \
   "$TIMESTAMP" "$SAFE_LOG_CMD" "$SAFE_CONCEPT" >> "$COMMANDS_LOG" 2>&1
 then
   log_error "$SCRIPT_NAME" "Failed to write to commands log: $COMMANDS_LOG"
 fi
+trim_log_file "$COMMANDS_LOG" "$COMMANDS_LOG_MAX_LINES"
 
-SAFE_CMD=$(printf '%s' "$COMMAND" | head -c 80 | tr '"' "'" | tr '\\' '/')
+SAFE_CMD=$(printf '%s' "$SANITIZED_COMMAND" | head -c 80 | tr '"' "'" | tr '\\' '/')
 
 IS_TEST_RUNNER="false"
 case "$COMMAND" in