@bookedsolid/reagent 0.1.0

package/hooks/env-file-protection.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+# PreToolUse hook: env-file-protection.sh
+# Fires BEFORE every Bash tool call.
+# Blocks commands that read .env* / .envrc files via shell text utilities.
+#
+# Rationale: .env files contain credentials. Reading them via Bash exposes
+# the values in command output, logs, and agent transcripts. Load credentials
+# in code only (process.env, os.environ, etc.) — never via shell reads.
+#
+# Trigger: command matches ALL of:
+#   1. Uses a text-reading utility (list below)
+#   2. References a .env* or .envrc filename
+#
+# Exit codes:
+#   0 = allow
+#   2 = block (env file read detected)
+
+set -uo pipefail
+
+INPUT=$(cat)
+
+# ── Dependency check ──────────────────────────────────────────────────────────
+if ! command -v jq >/dev/null 2>&1; then
+  printf 'REAGENT ERROR: jq is required but not installed.\n' >&2
+  printf 'Install: brew install jq  OR  apt-get install -y jq\n' >&2
+  exit 2
+fi
+
+# ── HALT check ────────────────────────────────────────────────────────────────
+REAGENT_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+HALT_FILE="${REAGENT_ROOT}/.reagent/HALT"
+if [ -f "$HALT_FILE" ]; then
+  printf 'REAGENT HALT: %s\nAll agent operations suspended. Run: reagent unfreeze\n' \
+    "$(cat "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
+  exit 2
+fi
+
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [[ -z "$CMD" ]]; then
+  exit 0
+fi
+
+truncate_cmd() {
+  local STR="$1"
+  local MAX=100
+  if [[ ${#STR} -gt $MAX ]]; then
+    printf '%s' "${STR:0:$MAX}..."
+  else
+    printf '%s' "$STR"
+  fi
+}
+
+# Text-reading utilities (shell and common alternatives)
+# Defense-in-depth: this list catches the most common shell-based exfiltration
+# vectors. It is NOT exhaustive. Known gaps include:
+#   - Docker volume mounts (docker run -v .env:/...) — separate concern
+#   - Editor commands (vim, nano, code) — not typically used by agents
+#   - Redirects/process substitution (< .env) without a listed utility
+#   - Network tools (curl file://, nc) — low-risk in agent context
+# The goal is to block casual and accidental reads, not defeat a determined
+# adversary with shell access.
+PATTERN_UTILITY='(cat|head|tail|less|more|grep|sed|awk|bat|strings|printf|xargs|tee|jq|python3?[[:space:]]+-c|ruby[[:space:]]+-e)[[:space:]]'
+# Also catch: source/., cp (reads then writes elsewhere)
+PATTERN_SOURCE='(source|\.)[[:space:]]+[^;|&]*\.env'
+PATTERN_CP_ENV='cp[[:space:]]+[^;|&]*\.env'
+# .env* files or .envrc (direnv)
+PATTERN_ENV_FILE='(\.env[a-zA-Z0-9._-]*|\.envrc)([[:space:]]|"|'"'"'|$)'
+
+MATCHES_UTILITY=0
+MATCHES_ENV_FILE=0
+
+if printf '%s' "$CMD" | grep -qE "$PATTERN_UTILITY"; then
+  MATCHES_UTILITY=1
+fi
+
+if printf '%s' "$CMD" | grep -qE "$PATTERN_ENV_FILE"; then
+  MATCHES_ENV_FILE=1
+fi
+
+# Direct source/cp of .env files — always block
+if printf '%s' "$CMD" | grep -qE "$PATTERN_SOURCE" || \
+   printf '%s' "$CMD" | grep -qE "$PATTERN_CP_ENV"; then
+  TRUNCATED_CMD=$(truncate_cmd "$CMD")
+  {
+    printf 'ENV FILE PROTECTION: Direct sourcing or copying of .env files is blocked.\n'
+    printf '\n'
+    printf '  Command: %s\n' "$TRUNCATED_CMD"
+    printf '\n'
+    printf '  Rule: Load credentials in code only — never via shell source or cp.\n'
+    printf '  Use: process.env.VAR_NAME, os.environ["VAR_NAME"], etc.\n'
+  } >&2
+  exit 2
+fi
+
+if [[ $MATCHES_UTILITY -eq 1 && $MATCHES_ENV_FILE -eq 1 ]]; then
+  TRUNCATED_CMD=$(truncate_cmd "$CMD")
+  {
+    printf 'ENV FILE PROTECTION: Reading .env files via Bash is blocked.\n'
+    printf '\n'
+    printf '  Command: %s\n' "$TRUNCATED_CMD"
+    printf '\n'
+    printf '  Rule: Load credentials in code only, never via shell.\n'
+    printf '  Use: process.env.VAR_NAME, os.environ["VAR_NAME"], etc.\n'
+    printf '  .env files must not be read via shell utilities in agent sessions.\n'
+  } >&2
+  exit 2
+fi
+
+exit 0

package/hooks/secret-scanner.sh

@@ -0,0 +1,229 @@
+#!/bin/bash
+# PreToolUse hook: secret-scanner.sh
+# Fires BEFORE every Write or Edit tool call.
+# Scans content about to be written for credential patterns and blocks (exit 2)
+# if real secrets are detected — before they ever touch disk.
+#
+# Content extraction:
+#   Write tool → tool_input.content
+#   Edit tool  → tool_input.new_string
+#
+# NOTE: This hook is a last-resort pre-write guard. The primary secret gate is
+# gitleaks running in the pre-commit hook. This hook stops obvious credentials
+# before they hit disk. It cannot catch all encoding tricks — rely on gitleaks
+# for comprehensive coverage.
+#
+# Exit codes:
+#   0 = no secrets detected — allow the tool to proceed
+#   2 = secrets detected    — block the tool call
+
+set -uo pipefail
+
+INPUT=$(cat)
+
+# ── Dependency check ──────────────────────────────────────────────────────────
+if ! command -v jq >/dev/null 2>&1; then
+  printf 'REAGENT ERROR: jq is required but not installed.\n' >&2
+  printf 'Install: brew install jq  OR  apt-get install -y jq\n' >&2
+  exit 2
+fi
+
+# ── HALT check ────────────────────────────────────────────────────────────────
+REAGENT_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+HALT_FILE="${REAGENT_ROOT}/.reagent/HALT"
+if [ -f "$HALT_FILE" ]; then
+  printf 'REAGENT HALT: %s\nAll agent operations suspended. Run: reagent unfreeze\n' \
+    "$(cat "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
+  exit 2
+fi
+
+FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+CONTENT_WRITE=$(printf '%s' "$INPUT" | jq -r '.tool_input.content // empty' 2>/dev/null)
+CONTENT_EDIT=$(printf '%s' "$INPUT"  | jq -r '.tool_input.new_string // empty' 2>/dev/null)
+
+if [[ -n "$CONTENT_WRITE" ]]; then
+  CONTENT="$CONTENT_WRITE"
+elif [[ -n "$CONTENT_EDIT" ]]; then
+  CONTENT="$CONTENT_EDIT"
+else
+  exit 0
+fi
+
+# Smart file-path exclusions (suffix-based only — no directory exclusions)
+if [[ -n "$FILE_PATH" ]]; then
+  if [[ "$FILE_PATH" == *.env.example || "$FILE_PATH" == *.env.sample ]]; then
+    exit 0
+  fi
+  # Test files are NOT excluded — real secrets in test files must be caught.
+  # The is_placeholder() function handles false positives from test fixtures.
+fi
+
+# Build line-filtered content
+# Strip: shell comment lines (#) and lines where process.env.VAR is the RHS of an assignment
+# NOT stripped: lines that merely mention process.env somewhere (bypass vector if too broad)
+FILTERED_FILE=$(mktemp "${TMPDIR:-/tmp}/reagent-secret-scan-XXXXXX") || {
+  printf 'SECRET-SCAN ERROR: Failed to create temp file — blocking write (fail-secure)\n' >&2
+  exit 2
+}
+
+VIOLATIONS_FILE=""
+
+cleanup() {
+  rm -f "$FILTERED_FILE"
+  [[ -n "$VIOLATIONS_FILE" ]] && rm -f "$VIOLATIONS_FILE"
+}
+trap cleanup EXIT
+
+printf '%s' "$CONTENT" | awk '
+{
+  line = $0
+  trimmed = line
+  sub(/^[[:space:]]+/, "", trimmed)
+  # Skip shell comment lines only
+  if (substr(trimmed, 1, 1) == "#") next
+  # Skip lines where process.env.VAR is the RHS of an assignment
+  # Pattern: = process.env.SOMETHING  (not just any mention of process.env)
+  if (trimmed ~ /=[[:space:]]*process\.env\.[A-Z_]+[^a-zA-Z]?$/) next
+  if (trimmed ~ /=[[:space:]]*process\.env\.[A-Z_]+[[:space:]]*[;,)]/) next
+  if (trimmed ~ /os\.environ\[/) next
+  print line
+}
+' > "$FILTERED_FILE" 2>/dev/null
+
+if [[ ! -s "$FILTERED_FILE" ]]; then
+  exit 0
+fi
+
+is_placeholder() {
+  local MATCH
+  MATCH=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
+  [[ "$MATCH" =~ \<[a-z_]+\> ]] && return 0
+  [[ "$MATCH" =~ your_key_here  ]] && return 0
+  [[ "$MATCH" =~ your_api_key   ]] && return 0
+  [[ "$MATCH" =~ your_secret    ]] && return 0
+  [[ "$MATCH" =~ placeholder    ]] && return 0
+  [[ "$MATCH" =~ changeme       ]] && return 0
+  [[ "$MATCH" =~ insert.*here   ]] && return 0
+  # Prefix checks: require full placeholder compound, not just a prefix
+  [[ "$MATCH" =~ ^(test|fake|mock|demo|example)_(key|token|secret|credential|api)$ ]] && return 0
+  [[ "$MATCH" =~ ^test_[a-z_]+_key$ ]] && return 0
+  # Repeated-character dummies (aaaaaaa, 1111111, etc.)
+  if printf '%s' "$MATCH" | grep -qE '^(.)\1{7,}$'; then return 0; fi
+  return 1
+}
+
+VIOLATIONS_FILE=$(mktemp "${TMPDIR:-/tmp}/reagent-secret-violations-XXXXXX") || {
+  printf 'SECRET-SCAN ERROR: Failed to create violations file — blocking write (fail-secure)\n' >&2
+  exit 2
+}
+
+scan_pattern() {
+  local SEVERITY="$1"
+  local LABEL="$2"
+  local PATTERN="$3"
+  local MATCHES GREP_EXIT MATCH SNIPPET
+  MATCHES=$(grep -oE -e "$PATTERN" "$FILTERED_FILE" 2>/dev/null)
+  GREP_EXIT=$?
+  [[ $GREP_EXIT -ne 0 ]] && return 0
+  [[ -z "$MATCHES" ]]    && return 0
+  MATCHES=$(printf '%s\n' "$MATCHES" | head -5)
+  while IFS= read -r MATCH; do
+    [[ -z "$MATCH" ]] && continue
+    if is_placeholder "$MATCH"; then continue; fi
+    if [[ ${#MATCH} -gt 60 ]]; then
+      SNIPPET="${MATCH:0:60}..."
+    else
+      SNIPPET="$MATCH"
+    fi
+    printf '%s|%s|%s\n' "$SEVERITY" "$LABEL" "$SNIPPET" >> "$VIOLATIONS_FILE"
+  done <<< "$MATCHES"
+}
+
+# ── HIGH severity patterns ─────────────────────────────────────────────────────
+
+scan_pattern "HIGH" "AWS Access Key ID" \
+  'AKIA[0-9A-Z]{16}'
+
+scan_pattern "HIGH" "AWS Secret Access Key" \
+  '[Aa][Ww][Ss]_SECRET_ACCESS_KEY[[:space:]]*=[[:space:]]*[A-Za-z0-9/+]{40}'
+
+scan_pattern "HIGH" "Private key block" \
+  '-----BEGIN (RSA|EC|OPENSSH|PGP) PRIVATE KEY-----'
+
+scan_pattern "HIGH" "Anthropic API key" \
+  'sk-ant-api03-[A-Za-z0-9_-]{93}'
+
+scan_pattern "HIGH" "Anthropic OAuth token" \
+  'sk-ant-oat01-[A-Za-z0-9_-]{86}'
+
+scan_pattern "HIGH" "GitHub classic Personal Access Token" \
+  'gh[puors]_[A-Za-z0-9]{36}'
+
+scan_pattern "HIGH" "GitHub fine-grained Personal Access Token" \
+  'github_pat_[A-Za-z0-9_]{82}'
+
+scan_pattern "HIGH" "Stripe live secret/restricted key" \
+  '(sk|rk)_live_[A-Za-z0-9]{24,}'
+
+scan_pattern "HIGH" "Stripe webhook signing secret" \
+  'whsec_[A-Za-z0-9+/]{40,}'
+
+scan_pattern "HIGH" "Generic secret assignment (double-quoted)" \
+  '(SECRET|PASSWORD|PRIVATE_KEY|API_SECRET)[[:space:]]*=[[:space:]]*"[^"]{20,}"'
+
+scan_pattern "HIGH" "Generic secret assignment (single-quoted)" \
+  "(SECRET|PASSWORD|PRIVATE_KEY|API_SECRET)[[:space:]]*=[[:space:]]*'[^']{20,}'"
+
+scan_pattern "HIGH" "Supabase service role key (JWT)" \
+  'SUPABASE_SERVICE_ROLE_KEY[[:space:]]*=[[:space:]]*["\'"'"']eyJ[A-Za-z0-9._-]{50,}'
+
+# ── MEDIUM severity patterns ───────────────────────────────────────────────────
+
+scan_pattern "MEDIUM" ".env credential assignment" \
+  '^(ANTHROPIC_API_KEY|SUPABASE_SERVICE_ROLE_KEY|DATABASE_URL|STRIPE_SECRET)[[:space:]]*=[[:space:]]*[^[:space:]]+'
+
+scan_pattern "MEDIUM" "Stripe test API key (real credential, test env)" \
+  '(sk|pk|rk)_test_[A-Za-z0-9]{24,}'
+
+scan_pattern "MEDIUM" "Stripe live publishable key" \
+  'pk_live_[A-Za-z0-9]{24,}'
+
+scan_pattern "MEDIUM" "Hardcoded DB connection string with password" \
+  'postgresql://[^:]+:[^@]{8,}@'
+
+scan_pattern "MEDIUM" "Supabase anon key in non-client context" \
+  'SUPABASE_ANON_KEY[[:space:]]*=[[:space:]]*["\'"'"']eyJ[A-Za-z0-9._-]{50,}'
+
+if [[ ! -s "$VIOLATIONS_FILE" ]]; then
+  exit 0
+fi
+
+FILE_BASENAME=$(basename "${FILE_PATH:-unknown}")
+HIGH_COUNT=$(grep -cF 'HIGH|' "$VIOLATIONS_FILE" 2>/dev/null || true)
+: "${HIGH_COUNT:=0}"
+
+if [[ "$HIGH_COUNT" -gt 0 ]]; then
+  {
+    printf 'SECRET DETECTED: Potential credential in %s\n' "$FILE_BASENAME"
+    COUNT=0
+    while IFS='|' read -r SEVERITY LABEL SNIPPET; do
+      [[ -z "$SEVERITY" ]] && continue
+      COUNT=$(( COUNT + 1 ))
+      if [[ $COUNT -gt 5 ]]; then break; fi
+      printf '  %s: %s — '"'"'%s'"'"'\n' "$SEVERITY" "$LABEL" "$SNIPPET"
+    done < "$VIOLATIONS_FILE"
+    printf 'Block reason: Writing credentials to disk risks exposure via git history.\n'
+    printf 'Fix: Load credentials from environment variables — never hardcode secrets.\n'
+  } >&2
+  exit 2
+fi
+
+{
+  printf 'SECRET-SCAN WARN: Low-confidence credential pattern in %s (advisory — not blocking)\n' "$FILE_BASENAME"
+  while IFS='|' read -r SEVERITY LABEL SNIPPET; do
+    [[ -z "$SEVERITY" ]] && continue
+    printf '  %s: %s — '"'"'%s'"'"'\n' "$SEVERITY" "$LABEL" "$SNIPPET"
+  done < "$VIOLATIONS_FILE"
+  printf 'Note: Heuristic match — may be a false positive. If real, load from environment.\n'
+} >&2
+exit 0

package/husky/commit-msg.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+# .husky/commit-msg — strips AI attribution from commit messages
+#
+# Removes lines added by AI coding assistants (Claude Code, etc.) that would
+# expose AI tooling in client-facing or public git history.
+#
+# Stripped patterns:
+#   Co-Authored-By: Claude ...
+#   Co-Authored-By: Sonnet ...
+#   Generated with Claude Code
+#   🤖 Generated with ...
+#   claude.ai
+#
+# SAFETY: set -e ensures any unexpected error BLOCKS the commit rather than
+# silently passing a message with attribution intact.
+
+set -e
+
+COMMIT_MSG_FILE="$1"
+
+# Validate input
+if [ -z "$COMMIT_MSG_FILE" ]; then
+  echo "ERROR: commit-msg hook received no file path" >&2
+  exit 1
+fi
+if [ ! -f "$COMMIT_MSG_FILE" ]; then
+  echo "ERROR: commit message file not found: $COMMIT_MSG_FILE" >&2
+  exit 1
+fi
+
+# Atomic write: grep to temp, mv to original (no partial-write risk)
+TMPFILE=$(mktemp) || { echo "ERROR: mktemp failed" >&2; exit 1; }
+cleanup() { rm -f "$TMPFILE"; }
+trap cleanup EXIT
+
+grep -v \
+  -e "Co-Authored-By: Claude" \
+  -e "Co-Authored-By: Sonnet" \
+  -e "Generated with Claude Code" \
+  -e "🤖 Generated with" \
+  -e "claude.ai" \
+  "$COMMIT_MSG_FILE" > "$TMPFILE" || true
+# grep -v exits 1 when no lines survive (empty file after stripping) — that's OK
+
+mv "$TMPFILE" "$COMMIT_MSG_FILE" || { echo "ERROR: could not write cleaned message" >&2; exit 1; }
+
+# Normalize trailing newlines (cosmetic, non-fatal)
+perl -i -0777 -pe 's/\n+$/\n/' "$COMMIT_MSG_FILE" 2>/dev/null || true
+
+exit 0

package/husky/pre-commit.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+# .husky/pre-commit — secret scan on staged files before commit
+#
+# Gates (in order):
+#   1. gitleaks protect --staged (REQUIRED — hard fail if not installed)
+#   2. .env and .envrc staged file check (always — no gitleaks dependency)
+#
+# Exit codes:
+#   0 = all gates passed
+#   1 = gate failed — commit blocked
+
+set -euo pipefail
+
+# ── Gate 1: gitleaks staged scan ──────────────────────────────────────────────
+if command -v gitleaks >/dev/null 2>&1; then
+  echo "pre-commit: running gitleaks on staged files..."
+  if ! gitleaks protect --staged --no-banner 2>&1; then
+    echo ""
+    echo "ERROR: gitleaks detected potential secrets in staged files."
+    echo "Review the output above, remove credentials, then re-stage."
+    echo ""
+    echo "To allowlist a false positive, add it to .gitleaks.toml [allowlist]"
+    exit 1
+  fi
+  echo "pre-commit: gitleaks scan passed"
+else
+  echo ""
+  echo "ERROR: gitleaks is required but not installed."
+  echo "Install: https://github.com/gitleaks/gitleaks#installing"
+  echo "  macOS:  brew install gitleaks"
+  echo "  Linux:  download from GitHub releases"
+  echo ""
+  echo "Secret scanning is mandatory. Install gitleaks and retry."
+  exit 1
+fi
+
+# ── Gate 2: .env / .envrc staged file check ───────────────────────────────────
+# Check for .env* or .envrc files anywhere in the repo (including subdirectories)
+STAGED_ENV=$(git diff --cached --name-only 2>/dev/null \
+  | grep -E '(^|/)\.env(rc|$|\.)' \
+  | grep -v '\.example$' \
+  | grep -v '\.sample$' \
+  || true)
+
+if [ -n "$STAGED_ENV" ]; then
+  echo ""
+  echo "ERROR: Staged files include credential files:"
+  echo "$STAGED_ENV" | while IFS= read -r f; do echo "  $f"; done
+  echo ""
+  echo "These files must not be committed. Add them to .gitignore:"
+  echo "  echo '.env' >> .gitignore"
+  echo "  echo '.envrc' >> .gitignore"
+  echo ""
+  exit 1
+fi
+
+exit 0

package/husky/pre-push.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+# .husky/pre-push — full quality gate before push
+#
+# Enforces zero-bad-code policy: NOTHING reaches the remote without passing
+# all available quality gates. Every gate that exists in the project runs.
+#
+# Gates (skipped gracefully if script not present in package.json):
+#   1. Format check  (prettier --check .)
+#   2. Lint          (eslint .)
+#   3. Type check    (tsc --noEmit)
+#   4. Tests         (vitest run / jest / node --test)
+#   5. Build         (build script)
+#
+# Exit codes:
+#   0 = all applicable gates passed
+#   1 = a gate failed — push blocked
+
+set -euo pipefail
+
+if [ ! -f "package.json" ]; then
+  echo "pre-push: no package.json found — quality gates skipped (non-npm project)"
+  echo "pre-push: consider adding project-specific gates to .husky/pre-push"
+  exit 0
+fi
+
+# Detect package manager
+PKG_MANAGER="npm"
+if [ -f "pnpm-lock.yaml" ]; then
+  PKG_MANAGER="pnpm"
+elif [ -f "yarn.lock" ]; then
+  PKG_MANAGER="yarn"
+fi
+
+FAILED=""
+OUT=$(mktemp)
+cleanup() { rm -f "$OUT"; }
+trap cleanup EXIT
+
+script_exists() {
+  local SCRIPT_NAME="$1"
+  node -e "const p=require('./package.json');if(!p.scripts||!p.scripts[process.argv[1]])process.exit(1);" "$SCRIPT_NAME" 2>/dev/null
+}
+
+run_gate() {
+  local SCRIPT_NAME="$1"
+  local LABEL="$2"
+
+  if script_exists "$SCRIPT_NAME"; then
+    echo "pre-push: running ${LABEL}..."
+    if ! $PKG_MANAGER run "$SCRIPT_NAME" > "$OUT" 2>&1; then
+      echo ""
+      echo "GATE FAILED: ${LABEL}"
+      cat "$OUT"
+      echo ""
+      FAILED="${FAILED} ${SCRIPT_NAME}"
+    fi
+  fi
+}
+
+# ── Gates ─────────────────────────────────────────────────────────────────────
+run_gate "format:check" "Prettier format check"
+run_gate "lint"         "ESLint"
+run_gate "type-check"   "TypeScript type check"
+run_gate "test"         "Test suite"
+run_gate "build"        "Build"
+
+# ── Report ────────────────────────────────────────────────────────────────────
+if [ -n "$FAILED" ]; then
+  echo "pre-push: FAILED gates:${FAILED}"
+  echo "All quality gates must pass before push. Fix failures and retry."
+  exit 1
+fi
+
+echo "pre-push: all quality gates passed"
+exit 0

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "@bookedsolid/reagent",
+  "version": "0.1.0",
+  "description": "Zero-trust agentic infrastructure — hooks, cursor rules, attribution removal, and behavioral enforcement for any AI-assisted project",
+  "license": "MIT",
+  "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",
+  "homepage": "https://github.com/bookedsolidtech/reagent#readme",
+  "bugs": {
+    "url": "https://github.com/bookedsolidtech/reagent/issues"
+  },
+  "type": "commonjs",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/bookedsolidtech/reagent.git"
+  },
+  "bin": {
+    "reagent": "bin/init.js"
+  },
+  "engines": {
+    "node": ">=22"
+  },
+  "files": [
+    "bin/",
+    "hooks/",
+    "cursor/",
+    "husky/",
+    "profiles/",
+    "templates/",
+    "agents/",
+    "commands/"
+  ],
+  "scripts": {
+    "prepare": "husky",
+    "prepublishOnly": "node scripts/block-local-publish.mjs",
+    "preflight": "./scripts/preflight.sh",
+    "changeset": "changeset",
+    "changeset:version": "changeset version",
+    "changeset:publish": "changeset publish",
+    "lint": "eslint .",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "test": "echo 'No tests yet — add tests before 0.2.0' && exit 0",
+    "type-check": "echo 'No TypeScript config — skipping' && exit 0"
+  },
+  "keywords": [
+    "claude",
+    "ai-safety",
+    "hooks",
+    "cursor",
+    "attribution",
+    "zero-trust",
+    "agentic"
+  ],
+  "devDependencies": {
+    "@changesets/cli": "^2.30.0",
+    "eslint": "^10.2.0",
+    "husky": "^9.1.7",
+    "prettier": "^3.8.1"
+  }
+}

package/profiles/bst-internal.json

@@ -0,0 +1,30 @@
+{
+  "name": "bst-internal",
+  "description": "BST internal project setup — full safety hooks, CI enforcement, attribution stripper",
+  "huskyCommitMsg": true,
+  "huskyPreCommit": true,
+  "huskyPrePush": true,
+  "cursorRules": ["001-no-hallucination", "002-verify-before-act", "003-attribution"],
+  "gitignoreEntries": [".claude/agents/", ".claude/hooks/", ".claude/settings.json", "RESTART.md"],
+  "claudeMd": {
+    "preflightCmd": "pnpm preflight",
+    "attributionRule": "Attribution in internal BST projects is permitted in `.claude/` files and approved team documentation. Strip attribution from any client-facing commits, PR bodies, and public-facing content."
+  },
+  "claudeHooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": ["dangerous-bash-interceptor", "env-file-protection"]
+      },
+      {
+        "matcher": "Write|Edit",
+        "hooks": ["secret-scanner"]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": ["attribution-advisory"]
+      }
+    ],
+    "PostToolUse": []
+  }
+}

package/profiles/client-engagement.json

@@ -0,0 +1,30 @@
+{
+  "name": "client-engagement",
+  "description": "Zero-trust setup for client project engagements — no AI attribution, hallucination guards, safety hooks",
+  "huskyCommitMsg": true,
+  "huskyPreCommit": true,
+  "huskyPrePush": true,
+  "cursorRules": ["001-no-hallucination", "002-verify-before-act", "003-attribution"],
+  "gitignoreEntries": [".claude/agents/", ".claude/hooks/", ".claude/settings.json", "RESTART.md"],
+  "claudeMd": {
+    "preflightCmd": "pnpm preflight",
+    "attributionRule": "Do NOT include AI attribution in commits, PR bodies, code comments, or any client-facing content. The commit-msg hook strips attribution from git commits automatically. PR bodies and code comments must be cleaned manually before submission."
+  },
+  "claudeHooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": ["dangerous-bash-interceptor", "env-file-protection"]
+      },
+      {
+        "matcher": "Write|Edit",
+        "hooks": ["secret-scanner"]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": ["attribution-advisory"]
+      }
+    ],
+    "PostToolUse": []
+  }
+}