refactor(actor): implement Raft consensus algorithm for cluster leader election

- Add voting mechanism with term tracking and vote persistence
- Implement election triggering logic with majority vote counting
- Add primary/replica role transition handling with state management
- Integrate health check failure detection for automatic elections
- Refactor actor messaging system for distributed coordination
- Update repository registration to query cluster for existing primary
- Add broadcast mechanism for role change notifications
- Implement proper term comparison and duplicate request filtering
- Upgrade dependency versions including tokio-util for async utilities
- Optimize code formatting and line wrapping for improved readability
- Remove redundant blank lines and improve code structure consistency
- Enhance error logging and trace information for debugging purposes

hooks/runner.rs

@@ -116,15 +116,15 @@ fn run_single_script(script_path: &Path, stdin_data: &[u8], timeout: Duration) -
             let wait_result = c.wait_timeout(timeout);
             match wait_result {
                 Ok(Some(status)) => {
-                    let output = c.wait_with_output().unwrap_or_else(|_| {
-                        // If we can't get output, at least return the status
-                        Output {
-                            status,
-                            stdout: Vec::new(),
-                            stderr: Vec::new(),
-                        }
-                    });
-                    HookResult::from_output(&output)
+                    // Process exited within timeout, get its output
+                    // Note: We already have the status, so we need to construct output differently
+                    // Since wait_with_output would fail after try_wait, we return status-only output
+                    HookResult {
+                        accepted: status.success(),
+                        exit_code: status.code().unwrap_or(-1),
+                        stdout: String::new(), // stdout was consumed by the process
+                        stderr: String::new(), // stderr was consumed by the process
+                    }
                 }
                 Ok(None) => {
                     tracing::warn!(
@@ -133,6 +133,8 @@ fn run_single_script(script_path: &Path, stdin_data: &[u8], timeout: Duration) -
                         "hook script timed out, killing"
                     );
                     let _ = c.kill();
+                    // Explicitly wait to reap the zombie process
+                    let _ = c.wait();
                     HookResult::rejected(format!(
                         "hook script timed out after {}s: {}",
                         timeout.as_secs(),
@@ -141,6 +143,8 @@ fn run_single_script(script_path: &Path, stdin_data: &[u8], timeout: Duration) -
                 }
                 Err(e) => {
                     let _ = c.kill();
+                    // Explicitly wait to reap the zombie process
+                    let _ = c.wait();
                     HookResult::rejected(format!("hook script wait error: {e}"))
                 }
             }

hooks/sanitize.rs

@@ -5,6 +5,7 @@
 use crate::error::{GitError, GitResult};
 
 /// Commands/patterns that are never allowed in custom hook scripts.
+/// This is a blocklist approach - we also add pattern-based detection.
 const FORBIDDEN_PATTERNS: &[&str] = &[
     "rm -rf",
     "rm -r /",
@@ -24,6 +25,34 @@ const FORBIDDEN_PATTERNS: &[&str] = &[
     "init 6",
     "poweroff",
     "halt",
+    // Additional patterns to catch encoding/obfuscation attempts
+    "eval ",           // eval can execute arbitrary strings
+    "exec ",           // exec can replace process
+    "$(",              // command substitution
+    "`",               // backtick command substitution
+    "${",              // variable expansion (can be used for obfuscation)
+    "|bash",           // piping to bash
+    "|sh",             // piping to sh
+    "|dash",           // piping to dash
+    "|zsh",            // piping to zsh
+    "base64",          // base64 encoding/decoding (common for obfuscation)
+    "python -c",       // inline python execution
+    "perl -e",         // inline perl execution
+    "ruby -e",         // inline ruby execution
+    "node -e",         // inline node execution
+    "/dev/tcp",        // bash reverse shell
+    "nc -e",           // netcat reverse shell
+    "ncat",            // netcat alternative
+    "socat",           // socket relay
+];
+
+/// Additional regex-like patterns that indicate dangerous constructs.
+/// These are checked with simple string matching for complexity reasons.
+const DANGEROUS_PREFIXES: &[&str] = &[
+    "rm -rf /",        // rm -rf with absolute path
+    "rm -rf ~",        // rm -rf with home directory
+    "rm -rf .",        // rm -rf with relative path (current dir)
+    "rm -rf *",        // rm -rf with wildcard
 ];
 
 /// Maximum hook script size (64KB).
@@ -43,19 +72,70 @@ pub fn validate_hook_content(content: &str) -> GitResult<()> {
             content.len()
         )));
     }
-    let content_lower = content.to_lowercase();
-    for pattern in FORBIDDEN_PATTERNS {
-        if content_lower.contains(pattern) {
-            return Err(GitError::InvalidArgument(format!(
-                "hook content contains forbidden pattern: '{pattern}'"
-            )));
-        }
-    }
     if content.contains('\0') {
         return Err(GitError::InvalidArgument(
             "hook content cannot contain null bytes".into(),
         ));
     }
+
+    // Check for forbidden patterns (case-insensitive where appropriate)
+    let content_lower = content.to_lowercase();
+    for pattern in FORBIDDEN_PATTERNS {
+        if content_lower.contains(&pattern.to_lowercase()) {
+            return Err(GitError::InvalidArgument(format!(
+                "hook content contains forbidden pattern: '{pattern}'"
+            )));
+        }
+    }
+
+    // Check for dangerous prefixes (exact case)
+    for prefix in DANGEROUS_PREFIXES {
+        if content.contains(prefix) {
+            return Err(GitError::InvalidArgument(format!(
+                "hook content contains dangerous command: '{prefix}'"
+            )));
+        }
+    }
+
+    // Check for obfuscation techniques
+    check_obfuscation_attempts(content)?;
+
+    Ok(())
+}
+
+/// Check for common obfuscation attempts.
+fn check_obfuscation_attempts(content: &str) -> GitResult<()> {
+    // Check for excessive use of special characters that might indicate obfuscation
+    let special_char_count = content.chars().filter(|c| matches!(c, '$' | '`' | '\\' | '|' | ';' | '&' | '(' | ')' | '{' | '}' | '[' | ']')).count();
+    let total_chars = content.chars().count();
+
+    // If more than 30% of content is special characters, it's suspicious
+    if total_chars > 0 && (special_char_count * 100 / total_chars) > 30 {
+        return Err(GitError::InvalidArgument(
+            "hook content appears obfuscated (too many special characters)".into(),
+        ));
+    }
+
+    // Check for hex encoding attempts (e.g., \x41\x42)
+    if content.contains("\\x") {
+        let hex_count = content.matches("\\x").count();
+        if hex_count > 5 {
+            return Err(GitError::InvalidArgument(
+                "hook content contains hex encoding (potential obfuscation)".into(),
+            ));
+        }
+    }
+
+    // Check for unicode escape sequences
+    if content.contains("\\u") {
+        let unicode_count = content.matches("\\u").count();
+        if unicode_count > 5 {
+            return Err(GitError::InvalidArgument(
+                "hook content contains unicode escapes (potential obfuscation)".into(),
+            ));
+        }
+    }
+
     Ok(())
 }