@codyswann/lisa 1.0.0

package/package.json

@@ -0,0 +1,124 @@
+{
+  "lint-staged": {
+    "*.{js,ts,tsx}": [
+      "eslint --quiet --cache --fix"
+    ],
+    "*.{js,ts,jsx,tsx,html,css,scss,yaml,yml,graphql}": [
+      "prettier --write"
+    ]
+  },
+  "engines": {
+    "npm": "please-use-bun",
+    "yarn": "please-use-bun",
+    "bun": ">= 1.3.5",
+    "node": ">=18.0.0"
+  },
+  "config": {
+    "commitizen": {
+      "path": "./node_modules/cz-conventional-changelog"
+    }
+  },
+  "scripts": {
+    "//docs": "The following commands MUST be defined for CI/CD to work properly - even if they're no-ops.",
+    "lint": "eslint src --ext .ts",
+    "lint:fix": "eslint . --fix",
+    "build": "tsc",
+    "test": "vitest run",
+    "test:unit": "NODE_ENV=test jest --testPathIgnorePatterns=\"\\.integration\\.test\\.(ts|tsx)$\" --passWithNoTests",
+    "test:integration": "NODE_ENV=test jest --testPathPatterns=\"\\.integration\\.test\\.(ts|tsx)$\" --passWithNoTests",
+    "test:cov": "NODE_ENV=test jest --coverage",
+    "types:check": "tsc --noEmit",
+    "typecheck": "tsc --noEmit",
+    "format:check": "prettier --check .",
+    "format": "prettier --check . --write",
+    "prepare": "npm run build",
+    "//end-docs": "",
+    "start": "node dist/index.js",
+    "dev": "tsx src/index.ts",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage"
+  },
+  "devDependencies": {
+    "@commitlint/cli": "^20.3.1",
+    "@commitlint/config-conventional": "^20.3.1",
+    "@eslint-community/eslint-plugin-eslint-comments": "^4.5.0",
+    "@eslint/eslintrc": "^3.2.0",
+    "@eslint/js": "^9.39.0",
+    "@istanbuljs/nyc-config-typescript": "^1.0.2",
+    "@jest/test-sequencer": "^30.2.0",
+    "@types/jest": "^30.0.0",
+    "commitizen": "^4.3.0",
+    "cz-conventional-changelog": "^3.3.0",
+    "eslint": "^9.39.0",
+    "eslint-config-prettier": "^10.0.0",
+    "eslint-plugin-code-organization": "file:./eslint-plugin-code-organization",
+    "eslint-plugin-functional": "^9.0.0",
+    "eslint-plugin-jsdoc": "^61.5.0",
+    "eslint-plugin-prettier": "^5.5.0",
+    "eslint-plugin-sonarjs": "^3.0.0",
+    "husky": "^8.0.0",
+    "jest": "^30.0.0",
+    "jscodeshift": "0.15.2",
+    "lint-staged": "^16.2.7",
+    "prettier": "^3.3.3",
+    "standard-version": "^9.5.0",
+    "ts-jest": "^29.4.6",
+    "ts-morph": "^27.0.2",
+    "ts-node": "^10.9.2",
+    "typescript": "~5.7.0",
+    "typescript-eslint": "^8.0.0",
+    "@types/fs-extra": "^11.0.0",
+    "@types/lodash.merge": "^4.6.0",
+    "@types/node": "^22.0.0",
+    "@vitest/coverage-v8": "^3.0.0",
+    "memfs": "^4.0.0",
+    "tsx": "^4.0.0",
+    "vitest": "^3.0.0"
+  },
+  "resolutions": {},
+  "trustedDependencies": [
+    "@sentry/cli"
+  ],
+  "name": "@codyswann/lisa",
+  "version": "1.0.0",
+  "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "lisa": "dist/index.js"
+  },
+  "keywords": [
+    "claude",
+    "claude-code",
+    "governance",
+    "linting",
+    "configuration"
+  ],
+  "author": "Cody Swann",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/CodySwannGT/lisa.git"
+  },
+  "bugs": {
+    "url": "https://github.com/CodySwannGT/lisa/issues"
+  },
+  "homepage": "https://github.com/CodySwannGT/lisa#readme",
+  "dependencies": {
+    "@inquirer/prompts": "^7.0.0",
+    "commander": "^12.0.0",
+    "fs-extra": "^11.0.0",
+    "lodash.merge": "^4.6.2",
+    "picocolors": "^1.0.0"
+  },
+  "files": [
+    "dist",
+    "all",
+    "typescript",
+    "expo",
+    "nestjs",
+    "cdk",
+    "eslint-plugin-code-organization",
+    "lisa.sh"
+  ]
+}

package/typescript/copy-contents/.husky/commit-msg

@@ -0,0 +1,91 @@
+# BEGIN: AI GUARDRAILS 
+
+# Detect package manager (check if tool is available before using it)
+# Priority: bun > yarn > npm (bun first since package.json engines prefer it)
+if ([ -f "bun.lockb" ] || [ -f "bun.lock" ]) && command -v bun >/dev/null 2>&1; then
+  PACKAGE_MANAGER="bun"
+  EXECUTOR="bunx"
+elif [ -f "yarn.lock" ] && command -v yarn >/dev/null 2>&1; then
+  PACKAGE_MANAGER="yarn"
+  EXECUTOR="yarn"
+elif [ -f "package-lock.json" ]; then
+  PACKAGE_MANAGER="npm"
+  EXECUTOR="npx"
+else
+  # Default to npm if no lock file is found or tool is not available
+  PACKAGE_MANAGER="npm"
+  EXECUTOR="npx"
+fi
+
+# Get the commit message file path
+COMMIT_MSG_FILE=$1
+
+# Get the current branch name
+BRANCH_NAME=$(git branch --show-current)
+
+# Extract Jira key from branch name if present
+# Default pattern matches common Jira project keys (2-10 uppercase letters followed by a hyphen and numbers)
+# Can be overridden with JIRA_PROJECT_KEY environment variable (e.g., JIRA_PROJECT_KEY="SE|PROJ|ABC")
+JIRA_PROJECT_KEY=${JIRA_PROJECT_KEY:-"[A-Z]{2,10}"}
+
+# Extract Jira key from branch name using grep
+# Matches patterns like: feat/SE-2397-description, SE-2397-description, chore/PROJ-123-something
+JIRA_KEY=$(echo "$BRANCH_NAME" | grep -E "(^|/)($JIRA_PROJECT_KEY)-[0-9]+" | grep -E "($JIRA_PROJECT_KEY)-[0-9]+" -o | head -1)
+
+if [ -n "$JIRA_KEY" ]; then
+  # Read the current commit message
+  COMMIT_MSG=$(cat "$COMMIT_MSG_FILE")
+  
+  # Check if the Jira key is already in the commit message
+  if ! echo "$COMMIT_MSG" | grep -q "\[$JIRA_KEY\]"; then
+    # Append the Jira key to the commit message
+    echo "$COMMIT_MSG [$JIRA_KEY]" > "$COMMIT_MSG_FILE"
+    echo "🎫 Auto-appended Jira key: [$JIRA_KEY]"
+  fi
+fi
+
+echo "📝 Validating commit message with commitlint..."
+$EXECUTOR commitlint --edit $1
+
+if [ $? -ne 0 ]; then
+  echo ""
+  echo "❌ Commit message does not follow conventional commits format!"
+  echo ""
+  echo "📖 Examples of valid commit messages:"
+  echo "  - feat: add new feature"
+  echo "  - fix: resolve bug in login"
+  echo "  - docs: update README"
+  echo "  - style: format code"
+  echo "  - refactor: restructure auth module"
+  echo "  - test: add unit tests for utils"
+  echo "  - chore: update dependencies"
+  echo ""
+  echo "Format: <type>(<optional scope>): <subject>"
+  echo ""
+  echo "For more info, see: https://www.conventionalcommits.org/"
+  exit 1
+fi
+
+# Check for Co-Authored-By line (skip for merge commits)
+COMMIT_MSG=$(cat "$COMMIT_MSG_FILE")
+
+# Skip AI co-authorship check for merge commits (e.g., from git pull)
+if echo "$COMMIT_MSG" | grep -qE "^Merge (branch|pull request|remote-tracking)"; then
+  echo "🔀 Merge commit detected, skipping AI co-authorship check"
+  exit 0
+fi
+
+echo "🤖 Checking for AI co-authorship..."
+
+if ! echo "$COMMIT_MSG" | grep -q "Co-Authored-By:.*Claude"; then
+  echo ""
+  echo "❌ Commit message must include AI co-authorship!"
+  echo ""
+  echo "All commits must include a Co-Authored-By line for Claude."
+  echo ""
+  echo "If you're using Claude Code, use the /git:commit command"
+  echo ""
+  exit 1
+fi
+
+# END: AI GUARDRAILS

package/typescript/copy-contents/.husky/pre-commit

@@ -0,0 +1,96 @@
+# BEGIN: AI GUARDRAILS 
+# Detect package manager (check if tool is available before using it)
+# Priority: bun > yarn > npm (bun first since package.json engines prefer it)
+if ([ -f "bun.lockb" ] || [ -f "bun.lock" ]) && command -v bun >/dev/null 2>&1; then
+  PACKAGE_MANAGER="bun"
+  RUNNER="bun run"
+  EXECUTOR="bunx"
+elif [ -f "yarn.lock" ] && command -v yarn >/dev/null 2>&1; then
+  PACKAGE_MANAGER="yarn"
+  RUNNER="yarn"
+  EXECUTOR="yarn"
+elif [ -f "package-lock.json" ]; then
+  PACKAGE_MANAGER="npm"
+  RUNNER="npm run"
+  EXECUTOR="npx"
+else
+  # Default to npm if no lock file is found or tool is not available
+  PACKAGE_MANAGER="npm"
+  RUNNER="npm run"
+  EXECUTOR="npx"
+fi
+
+echo "📦 Using package manager: $PACKAGE_MANAGER"
+
+# Check for direct commits to environment branches
+echo "🔒 Checking branch protection..."
+BRANCH_NAME=$(git branch --show-current)
+
+# Skip check if running in CI (GitHub Actions sets CI=true)
+if [ "$CI" = "true" ]; then
+  echo "⚠️  Running in CI, skipping branch protection check"
+# Skip check if in detached HEAD state (empty branch name)
+elif [ -z "$BRANCH_NAME" ]; then
+  echo "⚠️  In detached HEAD state, skipping branch check"
+else
+  # Check if current branch is an environment branch
+  if [ "$BRANCH_NAME" = "dev" ] || [ "$BRANCH_NAME" = "staging" ] || [ "$BRANCH_NAME" = "main" ]; then
+    echo ""
+    echo "❌ You are not allowed to commit directly to $BRANCH_NAME because it is an environment branch."
+    echo "   Instead, create a new branch and open a pull request to $BRANCH_NAME"
+    echo ""
+    exit 1
+  fi
+fi
+
+# Check for Gitleaks and run secret detection
+echo "🔐 Checking for secrets with Gitleaks..."
+if command -v gitleaks >/dev/null 2>&1; then
+  # Run gitleaks on staged files
+  gitleaks protect --staged --redact -v
+  if [ $? -ne 0 ]; then
+    echo ""
+    echo "❌ Secrets detected in staged files!"
+    echo ""
+    echo "Please remove any secrets from your code before committing."
+    echo "If this is a false positive, you can add it to .gitleaksignore"
+    echo ""
+    exit 1
+  fi
+  echo "✅ No secrets detected"
+else
+  echo ""
+  echo "⚠️  WARNING: Gitleaks is not installed!"
+  echo ""
+  echo "Gitleaks helps prevent secrets from being committed to your repository."
+  echo ""
+  echo "To install Gitleaks:"
+  echo "  macOS:    brew install gitleaks"
+  echo "  Windows:  scoop install gitleaks  # or choco install gitleaks"
+  echo "  Linux:    See https://github.com/gitleaks/gitleaks#installing"
+  echo ""
+  echo "After installation, your commits will be automatically scanned for secrets."
+  echo ""
+  echo "Continuing without secret scanning..."
+  echo ""
+fi
+
+# Check if native changes require runtime version bump
+# echo "🔍 Checking for native dependency changes..."
+# node scripts/check-runtime-version.js
+# if [ $? -ne 0 ]; then
+#   exit 1
+# fi
+
+# Run type check on entire project (can't be done incrementally)
+echo "🔍 Running type check..."
+$RUNNER typecheck
+if [ $? -ne 0 ]; then
+  echo "❌ Type check failed. Please fix TypeScript errors before committing."
+  exit 1
+fi
+
+# Run lint-staged for incremental lint and format checks
+echo "🚀 Running lint-staged..."
+$EXECUTOR lint-staged --config package.json
+# END: AI GUARDRAILS

package/typescript/copy-contents/.husky/pre-push

@@ -0,0 +1,211 @@
+# BEGIN: AI GUARDRAILS 
+
+# Detect package manager (check if tool is available before using it)
+# Priority: bun > yarn > npm (bun first since package.json engines prefer it)
+if ([ -f "bun.lockb" ] || [ -f "bun.lock" ]) && command -v bun >/dev/null 2>&1; then
+  PACKAGE_MANAGER="bun"
+  RUNNER="bun run"
+elif [ -f "yarn.lock" ] && command -v yarn >/dev/null 2>&1; then
+  PACKAGE_MANAGER="yarn"
+  RUNNER="yarn"
+elif [ -f "package-lock.json" ]; then
+  PACKAGE_MANAGER="npm"
+  RUNNER="npm run"
+else
+  # Default to npm if no lock file is found or tool is not available
+  PACKAGE_MANAGER="npm"
+  RUNNER="npm run"
+fi
+
+echo "📦 Using package manager: $PACKAGE_MANAGER"
+
+# Run security audit
+echo "🔒 Running security audit..."
+
+if [ "$PACKAGE_MANAGER" = "yarn" ]; then
+  # Check if jq is installed (required for yarn audit filtering)
+  if ! command -v jq >/dev/null 2>&1; then
+    echo ""
+    echo "⚠️  WARNING: jq is not installed - required for yarn audit filtering"
+    echo ""
+    echo "To install jq:"
+    echo "  macOS:    brew install jq"
+    echo "  Windows:  choco install jq  # or scoop install jq"
+    echo "  Linux:    apt-get install jq"
+    echo ""
+    echo "Continuing without security audit..."
+    echo ""
+  else
+    # Excluding GHSA-5j98-mcp5-4vw2 (CVE-2025-64756): glob CLI command injection
+    # This vulnerability only affects the glob CLI (--cmd flag), not library usage
+    # We only use glob as a library through Babel and other tools - never invoke CLI
+    # Risk: None - vulnerable code path is not executed in our application
+    # Run yarn audit and filter for high/critical vulnerabilities (excluding glob CLI vuln)
+    # Filter by both GHSA ID and CVE ID for robustness
+    yarn audit --groups dependencies --json | jq -r 'select(.type == "auditAdvisory") | select(.data.advisory.severity == "high" or .data.advisory.severity == "critical") | select((.data.advisory.github_advisory_id == "GHSA-5j98-mcp5-4vw2" or (.data.advisory.cves | any(. == "CVE-2025-64756"))) | not) | .data.advisory' > high_vulns.json
+
+    if [ -s high_vulns.json ]; then
+      echo "❌ High or critical vulnerabilities found in production dependencies!"
+      cat high_vulns.json
+      rm high_vulns.json
+      exit 1
+    fi
+
+    echo "✅ No high or critical vulnerabilities found in production dependencies (excluding known false positives)"
+    rm -f high_vulns.json
+  fi
+
+elif [ "$PACKAGE_MANAGER" = "npm" ]; then
+  # Run npm audit and only fail on high or critical vulnerabilities
+  npm audit --production --audit-level=high
+  if [ $? -ne 0 ]; then
+    echo "⚠️ Security audit failed. Please fix high/critical vulnerabilities before pushing."
+    exit 1
+  fi
+  echo "✅ No high or critical vulnerabilities found in production dependencies"
+
+elif [ "$PACKAGE_MANAGER" = "bun" ]; then
+  # Bun's 'bun pm scan' requires a configured scanner in bunfig.toml
+  # Fall back to npm audit which works with package.json
+  echo "   (using npm audit fallback for bun projects)"
+
+  # Check if jq is installed (required for filtering vulnerabilities)
+  if ! command -v jq >/dev/null 2>&1; then
+    echo ""
+    echo "⚠️  WARNING: jq is not installed - required for vulnerability filtering"
+    echo ""
+    echo "To install jq:"
+    echo "  macOS:    brew install jq"
+    echo "  Windows:  choco install jq  # or scoop install jq"
+    echo "  Linux:    apt-get install jq"
+    echo ""
+    echo "Continuing without security audit..."
+    echo ""
+  else
+    # npm audit requires a lockfile - generate temporary one if needed
+    TEMP_LOCKFILE=false
+    if [ ! -f "package-lock.json" ]; then
+      echo "   Generating temporary package-lock.json for audit..."
+      npm i --package-lock-only --ignore-scripts --legacy-peer-deps --silent 2>/dev/null
+      TEMP_LOCKFILE=true
+    fi
+
+    # Excluding GHSA-8qq5-rm4j-mr97: node-tar path sanitization vulnerability
+    # This is a nested dependency in @expo/cli that bun resolves to the patched version (7.5.3)
+    # npm audit generates its own lockfile and doesn't respect bun's resolutions
+    # Risk: None - bun.lock shows tar@7.5.3 is used, not the vulnerable version
+    VULN_COUNT=$(npm audit --omit=dev --json 2>/dev/null | jq '
+      .vulnerabilities | to_entries | map(select(
+        .value.severity == "high" or .value.severity == "critical"
+      )) | map(select(
+        .value.via | all(. | if type == "object" then (.url == "https://github.com/advisories/GHSA-8qq5-rm4j-mr97" | not) else true end)
+      )) | length
+    ')
+    if [ "$VULN_COUNT" -gt 0 ] 2>/dev/null; then
+      AUDIT_EXIT=1
+    else
+      AUDIT_EXIT=0
+    fi
+
+    # Clean up temporary lockfile
+    if [ "$TEMP_LOCKFILE" = "true" ]; then
+      rm -f package-lock.json
+    fi
+
+    if [ $AUDIT_EXIT -ne 0 ]; then
+      # Re-run to show the actual vulnerabilities (excluding the known one)
+      echo "⚠️ Security audit found high/critical vulnerabilities:"
+      npm audit --omit=dev 2>/dev/null | grep -v "GHSA-8qq5-rm4j-mr97" || true
+      exit 1
+    fi
+    echo "✅ No high or critical vulnerabilities found in production dependencies (excluding known false positives)"
+  fi
+fi
+
+# Run unit tests with coverage
+echo "🧪 Running unit tests with coverage..."
+$RUNNER test:cov
+if [ $? -ne 0 ]; then
+  echo "❌ Unit tests or coverage thresholds failed. Please fix before pushing."
+  exit 1
+fi
+
+# Run integration tests
+echo "🧪 Running integration tests..."
+$RUNNER test:integration
+if [ $? -ne 0 ]; then
+  echo "❌ Integration tests failed. Please fix failing tests before pushing."
+  exit 1
+fi
+
+# Run Lighthouse CI performance audit (only if installed)
+# Check if lighthouse:check script exists in package.json
+if ! grep -q '"lighthouse:check"' package.json 2>/dev/null; then
+  echo ""
+  echo "ℹ️  Skipping Lighthouse CI audit (not configured for this project)"
+  echo ""
+else
+  # Check if Chrome is available (required for Lighthouse)
+  CHROME_AVAILABLE=false
+  if command -v google-chrome >/dev/null 2>&1 || \
+     command -v google-chrome-stable >/dev/null 2>&1 || \
+     command -v chromium >/dev/null 2>&1 || \
+     command -v chromium-browser >/dev/null 2>&1 || \
+     [ -x "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" ]; then
+    CHROME_AVAILABLE=true
+  fi
+
+  if [ "$CHROME_AVAILABLE" = "false" ]; then
+    echo ""
+    echo "⚠️  WARNING: Chrome/Chromium not found - skipping Lighthouse CI audit"
+    echo ""
+    echo "To enable Lighthouse performance audits, install Chrome:"
+    echo "  macOS:    brew install --cask google-chrome"
+    echo "  Linux:    apt-get install chromium-browser  # or google-chrome-stable"
+    echo "  Windows:  choco install googlechrome"
+    echo ""
+    echo "Continuing without Lighthouse audit..."
+    echo ""
+  else
+    echo "🔦 Building web export for Lighthouse..."
+    $RUNNER export:web
+    if [ $? -ne 0 ]; then
+      echo "❌ Web export failed. Please fix build errors before pushing."
+      exit 1
+    fi
+
+    echo "🔦 Running Lighthouse CI performance audit..."
+    LIGHTHOUSE_OUTPUT=$($RUNNER lighthouse:check 2>&1)
+    LIGHTHOUSE_EXIT=$?
+    echo "$LIGHTHOUSE_OUTPUT"
+
+    # Extract report URL from output
+    REPORT_URL=$(echo "$LIGHTHOUSE_OUTPUT" | grep -o 'https://storage.googleapis.com/[^ ]*\.html' | head -1)
+
+    if [ $LIGHTHOUSE_EXIT -ne 0 ]; then
+      echo ""
+      echo "❌ Lighthouse CI performance audit failed!"
+      echo ""
+      echo "Your changes caused performance regressions that exceed the allowed thresholds."
+      echo ""
+      if [ -n "$REPORT_URL" ]; then
+        echo "📊 View full report: $REPORT_URL"
+        echo ""
+      fi
+      echo "Common fixes:"
+      echo "  • Bundle size too large → Remove unused dependencies, add code splitting"
+      echo "  • LCP/FCP too slow → Optimize images, reduce render-blocking resources"
+      echo "  • CLS too high → Add explicit dimensions to images/containers"
+      echo "  • Too much unused JS → Implement lazy loading for non-critical code"
+      echo ""
+      echo "See lighthouserc.js for threshold details."
+      echo ""
+      exit 1
+    fi
+    echo "✅ Lighthouse CI performance audit passed"
+  fi
+fi
+
+exit 0
+
+# END: AI GUARDRAILS

package/typescript/copy-overwrite/.claude/hooks/format-on-edit.sh

@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# Hook script to format files with Prettier after Claude edits them
+# This script receives JSON input via stdin with tool information
+# Reference: https://docs.claude.com/en/docs/claude-code/hooks
+
+# Read the JSON input from stdin
+JSON_INPUT=$(cat)
+
+# Extract the file path from the tool_input
+# The Edit tool input contains a "file_path" field in the tool_input object
+FILE_PATH=$(echo "$JSON_INPUT" | grep -o '"tool_input":{[^}]*"file_path":"[^"]*"' | grep -o '"file_path":"[^"]*"' | cut -d'"' -f4)
+
+# Check if we successfully extracted a file path
+if [ -z "$FILE_PATH" ]; then
+    echo "⚠ Skipping Prettier: Could not extract file path from Edit tool input" >&2
+    exit 0  # Exit gracefully to not interrupt Claude's workflow
+fi
+
+# Check if the file exists
+if [ ! -f "$FILE_PATH" ]; then
+    echo "⚠ Skipping Prettier: File does not exist: $FILE_PATH" >&2
+    exit 0  # Exit gracefully
+fi
+
+# Get the file extension
+FILE_EXT="${FILE_PATH##*.}"
+
+# Check if this is a TypeScript or JavaScript file that should be formatted
+# Based on package.json format command: "prettier --write \"src/**/*.ts\" \"test/**/*.ts\""
+case "$FILE_EXT" in
+    ts|tsx|js|jsx|json)
+        # File type is supported for formatting
+        ;;
+    *)
+        echo "ℹ Skipping Prettier: File type .$FILE_EXT is not configured for auto-formatting"
+        exit 0
+        ;;
+esac
+
+# Change to the project directory to ensure package manager commands work
+cd "$CLAUDE_PROJECT_DIR" || exit 0
+
+# Detect package manager based on lock file presence
+detect_package_manager() {
+    if [ -f "bun.lockb" ] || [ -f "bun.lock" ]; then
+        echo "bun"
+    elif [ -f "pnpm-lock.yaml" ]; then
+        echo "pnpm"
+    elif [ -f "yarn.lock" ]; then
+        echo "yarn"
+    elif [ -f "package-lock.json" ]; then
+        echo "npm"
+    else
+        echo "npm"  # Default fallback
+    fi
+}
+
+PKG_MANAGER=$(detect_package_manager)
+
+# Run Prettier on the specific file
+echo "🎨 Running Prettier on: $FILE_PATH"
+$PKG_MANAGER prettier --write "$FILE_PATH" 2>&1 | grep -v "run v" | grep -v "Done in"
+
+# Check the exit status
+if [ ${PIPESTATUS[0]} -eq 0 ]; then
+    echo "✓ Successfully formatted: $(basename "$FILE_PATH")"
+else
+    echo "⚠ Prettier formatting failed for: $FILE_PATH" >&2
+    echo "  You may need to run '$PKG_MANAGER run format' manually to fix formatting issues." >&2
+fi
+
+# Always exit successfully to not interrupt Claude's workflow
+exit 0

package/typescript/copy-overwrite/.claude/hooks/install_pkgs.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Only run package installation in remote (Claude Code web) environment
+# node_modules are gitignored, so they need to be installed remotely
+if [ "$CLAUDE_CODE_REMOTE" != "true" ]; then
+  exit 0
+fi
+
+# Detect package manager based on lock file presence
+if [ -f "bun.lockb" ] || [ -f "bun.lock" ]; then
+  bun install
+elif [ -f "pnpm-lock.yaml" ]; then
+  pnpm install
+elif [ -f "yarn.lock" ]; then
+  yarn install
+elif [ -f "package-lock.json" ]; then
+  npm install
+else
+  npm install
+fi
+
+# Install Gitleaks for secret detection (pre-commit hook)
+echo "Installing Gitleaks for secret detection..."
+GITLEAKS_VERSION="8.18.4"
+curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar -xz -C /usr/local/bin gitleaks
+echo "Gitleaks installed: $(gitleaks version)"
+
+# Install Chromium for Lighthouse CI (pre-push hook)
+# Playwright's bundled Chromium works with @lhci/cli
+echo "Installing Chromium for Lighthouse CI..."
+npx playwright install chromium
+
+# Find and export CHROME_PATH for Lighthouse CI
+# Use sort to ensure deterministic selection of the latest version
+CHROME_PATH=$(find ~/.cache/ms-playwright -name "chrome" -type f 2>/dev/null | grep "chrome-linux" | sort | tail -n 1)
+if [ -n "$CHROME_PATH" ]; then
+  # Write to .claude/env.local for project-specific env (preferred)
+  ENV_LOCAL="$CLAUDE_PROJECT_DIR/.claude/env.local"
+  if [ -f "$ENV_LOCAL" ]; then
+    # Remove old CHROME_PATH entries and add new one
+    grep -v "^export CHROME_PATH=" "$ENV_LOCAL" > "$ENV_LOCAL.tmp" 2>/dev/null || true
+    mv "$ENV_LOCAL.tmp" "$ENV_LOCAL"
+  fi
+  echo "export CHROME_PATH=\"$CHROME_PATH\"" >> "$ENV_LOCAL"
+
+  # Also append to ~/.bashrc for shell sessions (idempotent)
+  if ! grep -q "export CHROME_PATH=" ~/.bashrc 2>/dev/null; then
+    echo "export CHROME_PATH=\"$CHROME_PATH\"" >> ~/.bashrc
+  else
+    # Update existing CHROME_PATH in bashrc
+    sed -i "s|^export CHROME_PATH=.*|export CHROME_PATH=\"$CHROME_PATH\"|" ~/.bashrc
+  fi
+
+  export CHROME_PATH="$CHROME_PATH"
+  echo "Chromium installed at: $CHROME_PATH"
+  echo "CHROME_PATH exported to: $ENV_LOCAL and ~/.bashrc"
+fi
+
+exit 0