omk 0.5.0

A Rust runtime for Kimi CLI. Turns prompts into proof-backed engineering runs with gates, worktrees, and replay.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298

use std::{
    io::ErrorKind,
    path::{Path, PathBuf},
};

use anyhow::Context;
use serde_json::Value;
use tokio::io::AsyncWriteExt;
use tracing::warn;

use crate::kimi_native::hook_spec::{default_project_hooks, HookConfig};
use crate::wire::protocol::{redact_wire_secrets, HookAction, HookRequest, WireHookSubscription};

/// Discover active hook subscriptions for the given project directory.
///
/// Reads `.kimi/config.toml` if it exists, otherwise falls back to
/// `default_project_hooks()`. Only includes subscriptions whose referenced
/// script file exists and is executable.
pub async fn discover_hook_subscriptions(project_dir: Option<&Path>) -> Vec<WireHookSubscription> {
    discover_active_hooks(project_dir)
        .await
        .into_iter()
        .map(|h| h.subscription)
        .collect()
}

/// Internal representation of a discovered hook with its resolved script path.
struct ActiveHook {
    subscription: WireHookSubscription,
    script_path: PathBuf,
    regex: Option<regex::Regex>,
}

/// TOML wrapper for parsing the `[[hooks]]` table.
#[derive(Debug, Clone, serde::Deserialize)]
struct HookConfigWrapper {
    #[serde(default)]
    hooks: Vec<HookConfig>,
}

async fn discover_active_hooks(project_dir: Option<&Path>) -> Vec<ActiveHook> {
    let project_dir = match project_dir {
        Some(p) => p,
        None => return Vec::new(),
    };

    let config_path = project_dir.join(".kimi").join("config.toml");
    let hooks = match tokio::fs::try_exists(&config_path).await {
        Ok(true) => match tokio::fs::read_to_string(&config_path).await {
            Ok(content) => match toml::from_str::<HookConfigWrapper>(&content) {
                Ok(wrapper) => wrapper.hooks,
                Err(e) => {
                    warn!(path = %config_path.display(), error = %e, "Malformed hook config; falling back to defaults");
                    Vec::new()
                }
            },
            Err(e) => {
                warn!(path = %config_path.display(), error = %e, "Cannot read hook config; falling back to defaults");
                Vec::new()
            }
        },
        _ => {
            let defs = default_project_hooks();
            defs.hooks
        }
    };

    let mut active = Vec::new();
    for hook in hooks {
        let script_path = project_dir.join(&hook.command);
        if !is_executable(&script_path).await {
            continue;
        }

        let event_str = serde_json::to_string(&hook.event)
            .ok()
            .and_then(|s| serde_json::from_str::<String>(&s).ok())
            .unwrap_or_default();

        let id = if let Some(ref matcher) = hook.matcher {
            format!("{}-{}", pascal_to_snake(&event_str), matcher.to_lowercase())
        } else {
            pascal_to_snake(&event_str)
        };

        let timeout = hook.timeout.map(|t| t.clamp(1, 300) as u32).unwrap_or(30);

        let regex = hook.matcher.as_ref().and_then(|pattern| {
            match regex::Regex::new(pattern) {
                Ok(re) => Some(re),
                Err(e) => {
                    warn!(pattern = %pattern, error = %e, "Invalid hook matcher regex; matcher will be ignored");
                    None
                }
            }
        });

        active.push(ActiveHook {
            subscription: WireHookSubscription {
                id,
                event: event_str,
                matcher: hook.matcher,
                timeout: Some(timeout),
            },
            script_path,
            regex,
        });
    }

    active
}

/// Convert a PascalCase string to snake_case.
fn pascal_to_snake(s: &str) -> String {
    let mut result = String::with_capacity(s.len() + 4);
    for (i, ch) in s.chars().enumerate() {
        if ch.is_uppercase() && i > 0 {
            result.push('_');
        }
        result.push(ch.to_ascii_lowercase());
    }
    result
}

/// Check whether a path exists and is executable (on Unix, checks permissions;
/// on non-Unix, checks existence only).
async fn is_executable(path: &Path) -> bool {
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        match tokio::fs::metadata(path).await {
            Ok(meta) => meta.permissions().mode() & 0o111 != 0,
            Err(_) => false,
        }
    }
    #[cfg(not(unix))]
    {
        match tokio::fs::try_exists(path).await {
            Ok(exists) => exists,
            Err(_) => false,
        }
    }
}

/// Executor for Kimi Wire Protocol hook requests.
#[derive(Debug, Clone)]
pub struct HookExecutor {
    project_dir: PathBuf,
}

impl HookExecutor {
    /// Create a new hook executor for the given project directory.
    pub fn new(project_dir: impl Into<PathBuf>) -> Self {
        Self {
            project_dir: project_dir.into(),
        }
    }

    /// Run the hook matching the given request.
    ///
    /// Discovers active subscriptions, finds the one matching the request's
    /// event and target, spawns the corresponding script, and translates the
    /// exit code into a `HookResult`.
    pub async fn run(&self, request: &HookRequest) -> anyhow::Result<HookResult> {
        let active_hooks = discover_active_hooks(Some(&self.project_dir)).await;

        let matched = active_hooks.iter().find(|h| {
            // Prefer matching by subscription_id if the request carries one.
            if !request.subscription_id.is_empty() && h.subscription.id == request.subscription_id {
                return true;
            }
            h.subscription.event == request.event
                && h.regex
                    .as_ref()
                    .map_or(true, |re| re.is_match(&request.target))
        });

        let matched = match matched {
            Some(m) => m,
            None => return Ok(HookResult::default_allow()),
        };

        let timeout =
            std::time::Duration::from_secs(matched.subscription.timeout.unwrap_or(30) as u64);

        let redacted_input = redact_wire_secrets(&request.input_data);
        let input_json = serde_json::to_string(&redacted_input)
            .context("Failed to serialize hook input data")?;

        let mut child = match tokio::process::Command::new(&matched.script_path)
            .current_dir(&self.project_dir)
            .stdin(std::process::Stdio::piped())
            .stdout(std::process::Stdio::piped())
            .stderr(std::process::Stdio::piped())
            .kill_on_drop(true)
            .spawn()
        {
            Ok(c) => c,
            Err(e) => {
                return Ok(HookResult {
                    action: HookAction::Block,
                    reason: format!("failed to spawn hook: {e}"),
                });
            }
        };

        if let Some(mut stdin) = child.stdin.take() {
            if let Err(e) = stdin.write_all(input_json.as_bytes()).await {
                if e.kind() != ErrorKind::BrokenPipe {
                    return Ok(HookResult {
                        action: HookAction::Block,
                        reason: format!("failed to write hook input: {e}"),
                    });
                }
            } else if let Err(e) = stdin.flush().await {
                if e.kind() != ErrorKind::BrokenPipe {
                    return Ok(HookResult {
                        action: HookAction::Block,
                        reason: format!("failed to flush hook input: {e}"),
                    });
                }
            }
            // Dropping stdin closes the pipe and signals EOF to hooks that read stdin.
        }

        let output_result = tokio::time::timeout(timeout, child.wait_with_output()).await;

        match output_result {
            Ok(Ok(output)) => {
                let stdout = String::from_utf8_lossy(&output.stdout).trim().to_string();
                let stderr = String::from_utf8_lossy(&output.stderr).trim().to_string();

                match output.status.code() {
                    Some(0) => Ok(HookResult {
                        action: HookAction::Allow,
                        reason: stdout,
                    }),
                    Some(1) => Ok(HookResult {
                        action: HookAction::Block,
                        reason: if stdout.is_empty() { stderr } else { stdout },
                    }),
                    Some(code) => {
                        let detail = if stderr.is_empty() { &stdout } else { &stderr };
                        Ok(HookResult {
                            action: HookAction::Block,
                            reason: format!("hook exited with code {code}: {detail}"),
                        })
                    }
                    None => {
                        let detail = if stderr.is_empty() { &stdout } else { &stderr };
                        Ok(HookResult {
                            action: HookAction::Block,
                            reason: format!("hook terminated without exit code: {detail}"),
                        })
                    }
                }
            }
            Ok(Err(e)) => Ok(HookResult {
                action: HookAction::Block,
                reason: format!("failed to collect hook output: {e}"),
            }),
            Err(_) => Ok(HookResult {
                action: HookAction::Block,
                reason: format!("hook timed out after {timeout:?}"),
            }),
        }
    }
}

/// Result of executing a hook script.
#[derive(Debug, Clone)]
pub struct HookResult {
    pub action: HookAction,
    pub reason: String,
}

impl HookResult {
    /// Default allow result when no matching hook is configured.
    pub fn default_allow() -> Self {
        Self {
            action: HookAction::Allow,
            reason: "No matching hook configured.".to_string(),
        }
    }

    /// Serialize this result into a JSON response value for the wire protocol.
    pub fn to_response_value(&self, request_id: &str) -> Value {
        let action_str = match self.action {
            HookAction::Allow => "allow",
            HookAction::Block => "block",
        };
        serde_json::json!({
            "request_id": request_id,
            "action": action_str,
            "reason": &self.reason,
        })
    }
}