@bhargavvc/sdd-cc 1.30.1 → 1.35.0

package/hooks/dist/sdd-check-update.js

@@ -11,7 +11,7 @@ const { spawn } = require('child_process');
 const homeDir = os.homedir();
 const cwd = process.cwd();
 
-// Detect runtime config directory (supports Claude, OpenCode, Gemini)
+// Detect runtime config directory (supports Claude, OpenCode, Kilo, Gemini)
 // Respects CLAUDE_CONFIG_DIR for custom config directory setups
 function detectConfigDir(baseDir) {
   // Check env override first (supports multi-account setups)
@@ -19,7 +19,7 @@ function detectConfigDir(baseDir) {
   if (envDir && fs.existsSync(path.join(envDir, 'sdd', 'VERSION'))) {
     return envDir;
   }
-  for (const dir of ['.config/opencode', '.opencode', '.gemini', '.claude']) {
+  for (const dir of ['.claude', '.gemini', '.config/kilo', '.kilo', '.config/opencode', '.opencode']) {
     if (fs.existsSync(path.join(baseDir, dir, 'sdd', 'VERSION'))) {
       return path.join(baseDir, dir);
     }
@@ -29,7 +29,10 @@ function detectConfigDir(baseDir) {
 
 const globalConfigDir = detectConfigDir(homeDir);
 const projectConfigDir = detectConfigDir(cwd);
-const cacheDir = path.join(globalConfigDir, 'cache');
+// Use a shared, tool-agnostic cache directory to avoid multi-runtime
+// resolution mismatches where check-update writes to one runtime's cache
+// but statusline reads from another (#1421).
+const cacheDir = path.join(homeDir, '.cache', 'sdd');
 const cacheFile = path.join(cacheDir, 'sdd-update-check.json');
 
 // VERSION file locations (check project first, then global)
@@ -47,6 +50,18 @@ const child = spawn(process.execPath, ['-e', `
   const path = require('path');
   const { execSync } = require('child_process');
 
+  // Compare semver: true if a > b (a is strictly newer than b)
+  // Strips pre-release suffixes (e.g. '3-beta.1' → '3') to avoid NaN from Number()
+  function isNewer(a, b) {
+    const pa = (a || '').split('.').map(s => Number(s.replace(/-.*/, '')) || 0);
+    const pb = (b || '').split('.').map(s => Number(s.replace(/-.*/, '')) || 0);
+    for (let i = 0; i < 3; i++) {
+      if (pa[i] > pb[i]) return true;
+      if (pa[i] < pb[i]) return false;
+    }
+    return false;
+  }
+
   const cacheFile = ${JSON.stringify(cacheFile)};
   const projectVersionFile = ${JSON.stringify(projectVersionFile)};
   const globalVersionFile = ${JSON.stringify(globalVersionFile)};
@@ -65,20 +80,30 @@ const child = spawn(process.execPath, ['-e', `
   } catch (e) {}
 
   // Check for stale hooks — compare hook version headers against installed VERSION
-  // Hooks live inside sdd/hooks/, not configDir/hooks/
+  // Hooks are installed at configDir/hooks/ (e.g. ~/.claude/hooks/) (#1421)
+  // Only check hooks that SDD currently ships — orphaned files from removed features
+  // (e.g., sdd-intel-*.js) must be ignored to avoid permanent stale warnings (#1750)
+  const MANAGED_HOOKS = [
+    'sdd-check-update.js',
+    'sdd-context-monitor.js',
+    'sdd-prompt-guard.js',
+    'sdd-read-guard.js',
+    'sdd-statusline.js',
+    'sdd-workflow-guard.js',
+  ];
   let staleHooks = [];
   if (configDir) {
-    const hooksDir = path.join(configDir, 'sdd', 'hooks');
+    const hooksDir = path.join(configDir, 'hooks');
     try {
       if (fs.existsSync(hooksDir)) {
-        const hookFiles = fs.readdirSync(hooksDir).filter(f => f.startsWith('sdd-') && f.endsWith('.js'));
+        const hookFiles = fs.readdirSync(hooksDir).filter(f => MANAGED_HOOKS.includes(f));
         for (const hookFile of hookFiles) {
           try {
             const content = fs.readFileSync(path.join(hooksDir, hookFile), 'utf8');
             const versionMatch = content.match(/\\/\\/ sdd-hook-version:\\s*(.+)/);
             if (versionMatch) {
               const hookVersion = versionMatch[1].trim();
-              if (hookVersion !== installed && !hookVersion.includes('{{')) {
+              if (isNewer(installed, hookVersion) && !hookVersion.includes('{{')) {
                 staleHooks.push({ file: hookFile, hookVersion, installedVersion: installed });
               }
             } else {
@@ -97,7 +122,7 @@ const child = spawn(process.execPath, ['-e', `
   } catch (e) {}
 
   const result = {
-    update_available: latest && installed !== latest,
+    update_available: latest && isNewer(latest, installed),
     installed,
     latest: latest || 'unknown',
     checked: Math.floor(Date.now() / 1000),

package/hooks/dist/sdd-context-monitor.js

@@ -45,17 +45,26 @@ process.stdin.on('end', () => {
       process.exit(0);
     }
 
-    // Check if context warnings are disabled via config
+    // Reject session IDs that contain path traversal sequences or path separators.
+    // session_id is used to construct file paths in /tmp — an unsanitized value
+    // could escape the temp directory and read or write arbitrary files.
+    if (/[/\\]|\.\./.test(sessionId)) {
+      process.exit(0);
+    }
+
+    // Check if context warnings are disabled via config.
+    // Quick sentinel check: skip config read entirely for non-SDD projects (#P2.5).
     const cwd = data.cwd || process.cwd();
-    const configPath = path.join(cwd, '.planning', 'config.json');
-    if (fs.existsSync(configPath)) {
+    const planningDir = path.join(cwd, '.planning');
+    if (fs.existsSync(planningDir)) {
       try {
+        const configPath = path.join(planningDir, 'config.json');
         const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
         if (config.hooks?.context_warnings === false) {
           process.exit(0);
         }
       } catch (e) {
-        // Ignore config parse errors
+        // Ignore config read/parse errors (config may not exist in .planning/)
       }
     }
 
@@ -117,22 +126,22 @@ process.stdin.on('end', () => {
     fs.writeFileSync(warnPath, JSON.stringify(warnData));
 
     // Detect if SDD is active (has .planning/STATE.md in working directory)
-    const isGsdActive = fs.existsSync(path.join(cwd, '.planning', 'STATE.md'));
+    const isSddActive = fs.existsSync(path.join(cwd, '.planning', 'STATE.md'));
 
     // Build advisory warning message (never use imperative commands that
     // override user preferences — see #884)
     let message;
     if (isCritical) {
-      message = isGsdActive
+      message = isSddActive
         ? `CONTEXT CRITICAL: Usage at ${usedPct}%. Remaining: ${remaining}%. ` +
           'Context is nearly exhausted. Do NOT start new complex work or write handoff files — ' +
           'SDD state is already tracked in STATE.md. Inform the user so they can run ' +
-          '/sdd:pause-work at the next natural stopping point.'
+          '/sdd-pause-work at the next natural stopping point.'
         : `CONTEXT CRITICAL: Usage at ${usedPct}%. Remaining: ${remaining}%. ` +
           'Context is nearly exhausted. Inform the user that context is low and ask how they ' +
           'want to proceed. Do NOT autonomously save state or write handoff files unless the user asks.';
     } else {
-      message = isGsdActive
+      message = isSddActive
         ? `CONTEXT WARNING: Usage at ${usedPct}%. Remaining: ${remaining}%. ` +
           'Context is getting limited. Avoid starting new complex work. If not between ' +
           'defined plan steps, inform the user so they can prepare to pause.'

package/hooks/dist/sdd-phase-boundary.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# sdd-phase-boundary.sh — PostToolUse hook: detect .planning/ file writes
+# Outputs a reminder when planning files are modified outside normal workflow.
+# Uses Node.js for JSON parsing (always available in SDD projects, no jq dependency).
+#
+# OPT-IN: This hook is a no-op unless config.json has hooks.community: true.
+# Enable with: "hooks": { "community": true } in .planning/config.json
+
+# Check opt-in config — exit silently if not enabled
+if [ -f .planning/config.json ]; then
+  ENABLED=$(node -e "try{const c=require('./.planning/config.json');process.stdout.write(c.hooks?.community===true?'1':'0')}catch{process.stdout.write('0')}" 2>/dev/null)
+  if [ "$ENABLED" != "1" ]; then exit 0; fi
+else
+  exit 0
+fi
+
+INPUT=$(cat)
+
+# Extract file_path from JSON using Node (handles escaping correctly)
+FILE=$(echo "$INPUT" | node -e "let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>{try{process.stdout.write(JSON.parse(d).tool_input?.file_path||'')}catch{}})" 2>/dev/null)
+
+if [[ "$FILE" == *.planning/* ]] || [[ "$FILE" == .planning/* ]]; then
+  echo ".planning/ file modified: $FILE"
+  echo "Check: Should STATE.md be updated to reflect this change?"
+fi
+
+exit 0

package/hooks/dist/sdd-prompt-guard.js

@@ -22,6 +22,7 @@ const INJECTION_PATTERNS = [
   /forget\s+(all\s+)?(your\s+)?instructions/i,
   /override\s+(system|previous)\s+(prompt|instructions)/i,
   /you\s+are\s+now\s+(?:a|an|the)\s+/i,
+  /act\s+as\s+(?:a|an|the)\s+(?!plan|phase|wave)/i,
   /pretend\s+(?:you(?:'re| are)\s+|to\s+be\s+)/i,
   /from\s+now\s+on,?\s+you\s+(?:are|will|should|must)/i,
   /(?:print|output|reveal|show|display|repeat)\s+(?:your\s+)?(?:system\s+)?(?:prompt|instructions)/i,

package/hooks/dist/sdd-read-guard.js

@@ -0,0 +1,82 @@
+#!/usr/bin/env node
+// sdd-hook-version: {{SDD_VERSION}}
+// SDD Read Guard — PreToolUse hook
+// Injects advisory guidance when Write/Edit targets an existing file,
+// reminding the model to Read the file first.
+//
+// Background: Non-Claude models (e.g. MiniMax M2.5 on OpenCode) don't
+// natively follow the read-before-edit pattern. When they attempt to
+// Write/Edit an existing file without reading it, the runtime rejects
+// with "You must read file before overwriting it." The model retries
+// without reading, creating an infinite loop that burns through usage.
+//
+// This hook prevents that loop by injecting clear guidance BEFORE the
+// tool call reaches the runtime. The model sees the advisory and can
+// issue a Read call on the next turn.
+//
+// Triggers on: Write and Edit tool calls
+// Action: Advisory (does not block) — injects read-first guidance
+// Only fires when the target file already exists on disk.
+
+const fs = require('fs');
+const path = require('path');
+
+let input = '';
+const stdinTimeout = setTimeout(() => process.exit(0), 3000);
+process.stdin.setEncoding('utf8');
+process.stdin.on('data', chunk => input += chunk);
+process.stdin.on('end', () => {
+  clearTimeout(stdinTimeout);
+  try {
+    const data = JSON.parse(input);
+    const toolName = data.tool_name;
+
+    // Only intercept Write and Edit tool calls
+    if (toolName !== 'Write' && toolName !== 'Edit') {
+      process.exit(0);
+    }
+
+    // Claude Code natively enforces read-before-edit — skip the advisory (#1984)
+    if (process.env.CLAUDE_SESSION_ID) {
+      process.exit(0);
+    }
+
+    const filePath = data.tool_input?.file_path || '';
+    if (!filePath) {
+      process.exit(0);
+    }
+
+    // Only inject guidance when the file already exists.
+    // New files don't need a prior Read — the runtime allows creating them directly.
+    let fileExists = false;
+    try {
+      fs.accessSync(filePath, fs.constants.F_OK);
+      fileExists = true;
+    } catch {
+      // File does not exist — no guidance needed
+    }
+
+    if (!fileExists) {
+      process.exit(0);
+    }
+
+    const fileName = path.basename(filePath);
+
+    // Advisory guidance — does not block the operation
+    const output = {
+      hookSpecificOutput: {
+        hookEventName: 'PreToolUse',
+        additionalContext:
+          `READ-BEFORE-EDIT REMINDER: You are about to modify "${fileName}" which already exists. ` +
+          'If you have not already used the Read tool to read this file in the current session, ' +
+          'you MUST Read it first before editing. The runtime will reject edits to files that ' +
+          'have not been read. Use the Read tool on this file path, then retry your edit.',
+      },
+    };
+
+    process.stdout.write(JSON.stringify(output));
+  } catch {
+    // Silent fail — never block tool execution
+    process.exit(0);
+  }
+});

package/hooks/dist/sdd-session-state.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# sdd-session-state.sh — SessionStart hook: inject project state reminder
+# Outputs STATE.md head on every session start for orientation.
+#
+# OPT-IN: This hook is a no-op unless config.json has hooks.community: true.
+# Enable with: "hooks": { "community": true } in .planning/config.json
+
+# Check opt-in config — exit silently if not enabled
+if [ -f .planning/config.json ]; then
+  ENABLED=$(node -e "try{const c=require('./.planning/config.json');process.stdout.write(c.hooks?.community===true?'1':'0')}catch{process.stdout.write('0')}" 2>/dev/null)
+  if [ "$ENABLED" != "1" ]; then exit 0; fi
+else
+  exit 0
+fi
+
+echo '## Project State Reminder'
+echo ''
+
+if [ -f .planning/STATE.md ]; then
+  echo 'STATE.md exists - check for blockers and current phase.'
+  head -20 .planning/STATE.md
+else
+  echo 'No .planning/ found - suggest /sdd-new-project if starting new work.'
+fi
+
+echo ''
+
+if [ -f .planning/config.json ]; then
+  MODE=$(grep -o '"mode"[[:space:]]*:[[:space:]]*"[^"]*"' .planning/config.json 2>/dev/null || echo '"mode": "unknown"')
+  echo "Config: $MODE"
+fi
+
+exit 0

package/hooks/dist/sdd-statusline.js

@@ -1,20 +1,120 @@
 #!/usr/bin/env node
 // sdd-hook-version: {{SDD_VERSION}}
 // Claude Code Statusline - SDD Edition
-// Shows: model | current task | directory | context usage
+// Shows: model | current task (or SDD state) | directory | context usage
 
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
 
-// Read JSON from stdin
-let input = '';
-// Timeout guard: if stdin doesn't close within 3s (e.g. pipe issues on
-// Windows/Git Bash), exit silently instead of hanging. See #775.
-const stdinTimeout = setTimeout(() => process.exit(0), 3000);
-process.stdin.setEncoding('utf8');
-process.stdin.on('data', chunk => input += chunk);
-process.stdin.on('end', () => {
+// --- SDD state reader -------------------------------------------------------
+
+/**
+ * Walk up from dir looking for .planning/STATE.md.
+ * Returns parsed state object or null.
+ */
+function readSddState(dir) {
+  const home = os.homedir();
+  let current = dir;
+  for (let i = 0; i < 10; i++) {
+    const candidate = path.join(current, '.planning', 'STATE.md');
+    if (fs.existsSync(candidate)) {
+      try {
+        return parseStateMd(fs.readFileSync(candidate, 'utf8'));
+      } catch (e) {
+        return null;
+      }
+    }
+    const parent = path.dirname(current);
+    if (parent === current || current === home) break;
+    current = parent;
+  }
+  return null;
+}
+
+/**
+ * Parse STATE.md frontmatter + Phase line from body.
+ * Returns { status, milestone, milestoneName, phaseNum, phaseTotal, phaseName }
+ */
+function parseStateMd(content) {
+  const state = {};
+
+  // YAML frontmatter between --- markers
+  const fmMatch = content.match(/^---\n([\s\S]*?)\n---/);
+  if (fmMatch) {
+    for (const line of fmMatch[1].split('\n')) {
+      const m = line.match(/^(\w+):\s*(.+)/);
+      if (!m) continue;
+      const [, key, val] = m;
+      const v = val.trim().replace(/^["']|["']$/g, '');
+      if (key === 'status') state.status = v === 'null' ? null : v;
+      if (key === 'milestone') state.milestone = v === 'null' ? null : v;
+      if (key === 'milestone_name') state.milestoneName = v === 'null' ? null : v;
+    }
+  }
+
+  // Phase: N of M (name)  or  Phase: none active (...)
+  const phaseMatch = content.match(/^Phase:\s*(\d+)\s+of\s+(\d+)(?:\s+\(([^)]+)\))?/m);
+  if (phaseMatch) {
+    state.phaseNum = phaseMatch[1];
+    state.phaseTotal = phaseMatch[2];
+    state.phaseName = phaseMatch[3] || null;
+  }
+
+  // Fallback: parse Status: from body when frontmatter is absent
+  if (!state.status) {
+    const bodyStatus = content.match(/^Status:\s*(.+)/m);
+    if (bodyStatus) {
+      const raw = bodyStatus[1].trim().toLowerCase();
+      if (raw.includes('ready to plan') || raw.includes('planning')) state.status = 'planning';
+      else if (raw.includes('execut')) state.status = 'executing';
+      else if (raw.includes('complet') || raw.includes('archived')) state.status = 'complete';
+    }
+  }
+
+  return state;
+}
+
+/**
+ * Format SDD state into display string.
+ * Format: "v1.9 Code Quality · executing · fix-graphiti-deployment (1/5)"
+ * Gracefully degrades when parts are missing.
+ */
+function formatSddState(s) {
+  const parts = [];
+
+  // Milestone: version + name (skip placeholder "milestone")
+  if (s.milestone || s.milestoneName) {
+    const ver = s.milestone || '';
+    const name = (s.milestoneName && s.milestoneName !== 'milestone') ? s.milestoneName : '';
+    const ms = [ver, name].filter(Boolean).join(' ');
+    if (ms) parts.push(ms);
+  }
+
+  // Status
+  if (s.status) parts.push(s.status);
+
+  // Phase
+  if (s.phaseNum && s.phaseTotal) {
+    const phase = s.phaseName
+      ? `${s.phaseName} (${s.phaseNum}/${s.phaseTotal})`
+      : `ph ${s.phaseNum}/${s.phaseTotal}`;
+    parts.push(phase);
+  }
+
+  return parts.join(' · ');
+}
+
+// --- stdin ------------------------------------------------------------------
+
+function runStatusline() {
+  let input = '';
+  // Timeout guard: if stdin doesn't close within 3s (e.g. pipe issues on
+  // Windows/Git Bash), exit silently instead of hanging. See #775.
+  const stdinTimeout = setTimeout(() => process.exit(0), 3000);
+  process.stdin.setEncoding('utf8');
+  process.stdin.on('data', chunk => input += chunk);
+  process.stdin.on('end', () => {
   clearTimeout(stdinTimeout);
   try {
     const data = JSON.parse(input);
@@ -35,7 +135,10 @@ process.stdin.on('end', () => {
 
       // Write context metrics to bridge file for the context-monitor PostToolUse hook.
       // The monitor reads this file to inject agent-facing warnings when context is low.
-      if (session) {
+      // Reject session IDs with path separators or traversal sequences to prevent
+      // a malicious session_id from writing files outside the temp directory.
+      const sessionSafe = session && !/[/\\]|\.\./.test(session);
+      if (sessionSafe) {
         try {
           const bridgePath = path.join(os.tmpdir(), `claude-ctx-${session}.json`);
           const bridgeData = JSON.stringify({
@@ -91,25 +194,38 @@ process.stdin.on('end', () => {
       }
     }
 
+    // SDD state (milestone · status · phase) — shown when no todo task
+    const sddStateStr = task ? '' : formatSddState(readSddState(dir) || {});
+
     // SDD update available?
+    // Check shared cache first (#1421), fall back to runtime-specific cache for
+    // backward compatibility with older sdd-check-update.js versions.
     let sddUpdate = '';
-    const cacheFile = path.join(claudeDir, 'cache', 'sdd-update-check.json');
+    const sharedCacheFile = path.join(homeDir, '.cache', 'sdd', 'sdd-update-check.json');
+    const legacyCacheFile = path.join(claudeDir, 'cache', 'sdd-update-check.json');
+    const cacheFile = fs.existsSync(sharedCacheFile) ? sharedCacheFile : legacyCacheFile;
     if (fs.existsSync(cacheFile)) {
       try {
         const cache = JSON.parse(fs.readFileSync(cacheFile, 'utf8'));
         if (cache.update_available) {
-          sddUpdate = '\x1b[33m⬆ /sdd:update\x1b[0m │ ';
+          sddUpdate = '\x1b[33m⬆ /sdd-update\x1b[0m │ ';
         }
         if (cache.stale_hooks && cache.stale_hooks.length > 0) {
-          sddUpdate += '\x1b[31m⚠ stale hooks — run /sdd:update\x1b[0m │ ';
+          sddUpdate += '\x1b[31m⚠ stale hooks — run /sdd-update\x1b[0m │ ';
         }
       } catch (e) {}
     }
 
     // Output
     const dirname = path.basename(dir);
-    if (task) {
-      process.stdout.write(`${sddUpdate}\x1b[2m${model}\x1b[0m │ \x1b[1m${task}\x1b[0m │ \x1b[2m${dirname}\x1b[0m${ctx}`);
+    const middle = task
+      ? `\x1b[1m${task}\x1b[0m`
+      : sddStateStr
+        ? `\x1b[2m${sddStateStr}\x1b[0m`
+        : null;
+
+    if (middle) {
+      process.stdout.write(`${sddUpdate}\x1b[2m${model}\x1b[0m │ ${middle} │ \x1b[2m${dirname}\x1b[0m${ctx}`);
     } else {
       process.stdout.write(`${sddUpdate}\x1b[2m${model}\x1b[0m │ \x1b[2m${dirname}\x1b[0m${ctx}`);
     }
@@ -117,3 +233,9 @@ process.stdin.on('end', () => {
     // Silent fail - don't break statusline on parse errors
   }
 });
+}
+
+// Export helpers for unit tests. Harmless when run as a script.
+module.exports = { readSddState, parseStateMd, formatSddState };
+
+if (require.main === module) runStatusline();

package/hooks/dist/sdd-validate-commit.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+# sdd-validate-commit.sh — PreToolUse hook: enforce Conventional Commits format
+# Blocks git commit commands with non-conforming messages (exit 2).
+# Allows conforming messages and all non-commit commands (exit 0).
+# Uses Node.js for JSON parsing (always available in SDD projects, no jq dependency).
+#
+# OPT-IN: This hook is a no-op unless config.json has hooks.community: true.
+# Enable with: "hooks": { "community": true } in .planning/config.json
+
+# Check opt-in config — exit silently if not enabled
+if [ -f .planning/config.json ]; then
+  ENABLED=$(node -e "try{const c=require('./.planning/config.json');process.stdout.write(c.hooks?.community===true?'1':'0')}catch{process.stdout.write('0')}" 2>/dev/null)
+  if [ "$ENABLED" != "1" ]; then exit 0; fi
+else
+  exit 0
+fi
+
+INPUT=$(cat)
+
+# Extract command from JSON using Node (handles escaping correctly, no jq needed)
+CMD=$(echo "$INPUT" | node -e "let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>{try{process.stdout.write(JSON.parse(d).tool_input?.command||'')}catch{}})" 2>/dev/null)
+
+# Only check git commit commands
+if [[ "$CMD" =~ ^git[[:space:]]+commit ]]; then
+  # Extract message from -m flag
+  MSG=""
+  if [[ "$CMD" =~ -m[[:space:]]+\"([^\"]+)\" ]]; then
+    MSG="${BASH_REMATCH[1]}"
+  elif [[ "$CMD" =~ -m[[:space:]]+\'([^\']+)\' ]]; then
+    MSG="${BASH_REMATCH[1]}"
+  fi
+
+  if [ -n "$MSG" ]; then
+    SUBJECT=$(echo "$MSG" | head -1)
+    # Validate Conventional Commits format
+    if ! [[ "$SUBJECT" =~ ^(feat|fix|docs|style|refactor|perf|test|build|ci|chore)(\(.+\))?:[[:space:]].+ ]]; then
+      echo '{"decision": "block", "reason": "Commit message must follow Conventional Commits: <type>(<scope>): <subject>. Valid types: feat, fix, docs, style, refactor, perf, test, build, ci, chore. Subject must be <=72 chars, lowercase, imperative mood, no trailing period."}'
+      exit 2
+    fi
+    if [ ${#SUBJECT} -gt 72 ]; then
+      echo '{"decision": "block", "reason": "Commit subject must be 72 characters or less."}'
+      exit 2
+    fi
+  fi
+fi
+
+exit 0

package/hooks/dist/sdd-workflow-guard.js

@@ -2,10 +2,10 @@
 // sdd-hook-version: {{SDD_VERSION}}
 // SDD Workflow Guard — PreToolUse hook
 // Detects when Claude attempts file edits outside a SDD workflow context
-// (no active /sdd: command or Task subagent) and injects an advisory warning.
+// (no active /sdd- skill or Task subagent) and injects an advisory warning.
 //
 // This is a SOFT guard — it advises, not blocks. The edit still proceeds.
-// The warning nudges Claude to use /sdd:quick or /sdd:fast instead of
+// The warning nudges Claude to use /sdd-quick or /sdd-fast instead of
 // making direct edits that bypass state tracking.
 //
 // Enable via config: hooks.workflow_guard: true (default: false)
@@ -29,7 +29,7 @@ process.stdin.on('end', () => {
       process.exit(0);
     }
 
-    // Check if we're inside a SDD workflow (Task subagent or /sdd: command)
+    // Check if we're inside a SDD workflow (Task subagent or /sdd- skill)
     // Subagents have a session_id that differs from the parent
     // and typically have a description field set by the orchestrator
     if (data.tool_input?.is_subagent || data.session_type === 'task') {
@@ -80,7 +80,7 @@ process.stdin.on('end', () => {
         hookEventName: "PreToolUse",
         additionalContext: `⚠️ WORKFLOW ADVISORY: You're editing ${path.basename(filePath)} directly without a SDD command. ` +
           'This edit will not be tracked in STATE.md or produce a SUMMARY.md. ' +
-          'Consider using /sdd:fast for trivial fixes or /sdd:quick for larger changes ' +
+          'Consider using /sdd-fast for trivial fixes or /sdd-quick for larger changes ' +
           'to maintain project state tracking. ' +
           'If this is intentional (e.g., user explicitly asked for a direct edit), proceed normally.'
       }