@codyswann/lisa 1.46.4 → 1.47.1

package/all/copy-overwrite/.claude/hooks/verify-completion.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+# This file is managed by Lisa.
+# Do not edit directly — changes will be overwritten on the next `lisa` run.
+# =============================================================================
+# Verification Level Enforcement Hook (Stop)
+# =============================================================================
+# Checks whether the agent declared a verification level when the session
+# involved code changes. Does NOT re-run lint/typecheck/tests (husky does that).
+#
+# Logic:
+#   1. If no Write/Edit tools were used → exit 0 (research/conversation only)
+#   2. If code was written → check last assistant message for verification level
+#   3. If verification level found → exit 0
+#   4. If missing and stop_hook_active is false → block with instructions
+#   5. If missing and stop_hook_active is true → exit 0 (avoid infinite loops)
+#
+# @see .claude/rules/verfication.md "Self-Correction Loop" section
+# =============================================================================
+
+# Read JSON input from stdin
+INPUT=$(cat)
+
+# Extract transcript path
+TRANSCRIPT_PATH=$(echo "$INPUT" | grep -o '"transcript_path"[[:space:]]*:[[:space:]]*"[^"]*"' | sed 's/.*: *"//' | sed 's/"$//')
+
+# Exit silently if no transcript available
+if [ -z "$TRANSCRIPT_PATH" ] || [ ! -f "$TRANSCRIPT_PATH" ]; then
+    exit 0
+fi
+
+# Check if Write or Edit tools were used during the session
+# Look for tool_use entries with Write or Edit tool names
+if ! grep -q '"tool_name"[[:space:]]*:[[:space:]]*"\(Write\|Edit\|NotebookEdit\)"' "$TRANSCRIPT_PATH" 2>/dev/null; then
+    # No code changes — this was research/conversation, allow stop
+    exit 0
+fi
+
+# Code was written — check if a verification level was declared
+# Extract the last assistant message
+LAST_ASSISTANT=$(awk '/"type"[[:space:]]*:[[:space:]]*"assistant"/{line=$0} END{if(line) print line}' "$TRANSCRIPT_PATH" 2>/dev/null)
+
+if [ -z "$LAST_ASSISTANT" ]; then
+    exit 0
+fi
+
+# Extract the text content from the assistant message
+RESPONSE_TEXT=""
+if command -v jq >/dev/null 2>&1; then
+    RESPONSE_TEXT=$(echo "$LAST_ASSISTANT" | jq -r '.message.content[] | select(.type == "text") | .text' 2>/dev/null)
+else
+    RESPONSE_TEXT=$(echo "$LAST_ASSISTANT" | grep -o '"text"[[:space:]]*:[[:space:]]*"[^"]*"' | sed 's/.*: *"//' | sed 's/"$//')
+fi
+
+if [ -z "$RESPONSE_TEXT" ]; then
+    exit 0
+fi
+
+# Check for verification level keywords (case-insensitive)
+if echo "$RESPONSE_TEXT" | grep -qi "FULLY VERIFIED\|PARTIALLY VERIFIED\|UNVERIFIED"; then
+    exit 0
+fi
+
+# Check if this is a retry (stop_hook_active flag)
+# The stop_hook_active field is set to true when a Stop hook has already blocked once
+STOP_HOOK_ACTIVE=$(echo "$INPUT" | grep -o '"stop_hook_active"[[:space:]]*:[[:space:]]*true' || echo "")
+
+if [ -n "$STOP_HOOK_ACTIVE" ]; then
+    # Already blocked once — allow stop to prevent infinite loop
+    exit 0
+fi
+
+# No verification level declared after code changes — block
+cat << 'EOF'
+{"decision":"block","reason":"You changed code but didn't declare a verification level. Run your verification, then declare FULLY VERIFIED, PARTIALLY VERIFIED, or UNVERIFIED with evidence. See .claude/rules/verfication.md for requirements."}
+EOF
+
+exit 0

package/all/copy-overwrite/.claude/rules/lisa.md

@@ -43,7 +43,8 @@ These directories contain files deployed by Lisa **and** files you create. Do no
 - `eslint-plugin-code-organization/*`, `eslint-plugin-component-structure/*`, `eslint-plugin-ui-standards/*`
 - `.claude/settings.json`
 - `.claude/README.md`
-- `.github/workflows/quality.yml`, `.github/workflows/release.yml`, `.github/workflows/claude.yml`, `.github/workflows/claude-ci-auto-fix.yml`, `.github/workflows/claude-code-review-response.yml`, `.github/workflows/claude-nightly-test-improvement.yml`, `.github/workflows/claude-nightly-test-coverage.yml`, `.github/workflows/claude-nightly-code-complexity.yml`, `.github/workflows/auto-update-pr-branches.yml`
+- `.github/workflows/quality.yml`, `.github/workflows/release.yml`, `.github/workflows/claude.yml`, `.github/workflows/claude-ci-auto-fix.yml`, `.github/workflows/claude-deploy-auto-fix.yml`, `.github/workflows/claude-code-review-response.yml`, `.github/workflows/claude-nightly-test-improvement.yml`, `.github/workflows/claude-nightly-test-coverage.yml`, `.github/workflows/claude-nightly-code-complexity.yml`, `.github/workflows/auto-update-pr-branches.yml`
+- `.github/workflows/create-issue-on-failure.yml`, `.github/workflows/create-github-issue-on-failure.yml`, `.github/workflows/create-jira-issue-on-failure.yml`, `.github/workflows/create-sentry-issue-on-failure.yml`
 - `.github/workflows/build.yml`, `.github/workflows/lighthouse.yml` (Expo)
 - `.github/workflows/load-test.yml`, `.github/workflows/zap-baseline.yml` (NestJS)
 - `.github/dependabot.yml`, `.github/GITHUB_ACTIONS.md`, `.github/k6/*`

package/all/copy-overwrite/.claude/rules/verfication.md

@@ -150,6 +150,61 @@ Agents must follow this sequence unless explicitly instructed otherwise:
 
 ---
 
+## Self-Correction Loop
+
+Verification is not a one-shot activity. Agents operate within a four-layer self-correction architecture that catches errors at increasing scope. Each layer is enforced automatically — agents do not need to invoke them manually.
+
+### Layer 1 — Inline Correction (PostToolUse)
+
+**Trigger:** Every `Write` or `Edit` tool call.
+
+**Pipeline:** prettier → ast-grep → eslint (with `--fix --quiet --cache`).
+
+Each hook runs on the single file just written. Errors are reported immediately so the agent can fix them before writing more files. This prevents error accumulation across multiple files.
+
+- **prettier** formats the file (non-blocking — always exits 0).
+- **ast-grep** scans for structural anti-patterns (blocking — exits 1 on violations).
+- **eslint** auto-fixes what it can, then blocks on unfixable errors (exits 2 on remaining errors).
+
+**Agent responsibility:** When a PostToolUse hook blocks, fix the reported errors in the same file before proceeding to other files. Do not accumulate errors.
+
+### Layer 2 — Commit-Time Enforcement (husky pre-commit)
+
+**Trigger:** Every `git commit`.
+
+**Checks:** lint-staged (eslint + prettier on staged files), gitleaks (secret detection), commitlint (conventional commit format), branch protection (no direct commits to environment branches).
+
+This layer catches errors that span multiple files or involve staged-but-not-yet-linted changes. It runs automatically via husky and cannot be bypassed (`--no-verify` is prohibited).
+
+### Layer 3 — Push-Time Enforcement (husky pre-push)
+
+**Trigger:** Every `git push`.
+
+**Checks:** Full test suite with coverage thresholds, typecheck, security audit, knip (unused exports), integration tests.
+
+This layer validates the complete changeset against the project's quality gates. It is the last automated checkpoint before code reaches the remote.
+
+### Layer 4 — Completion Enforcement (Stop hook)
+
+**Trigger:** Agent attempts to stop or finish a task.
+
+**Check:** If `Write` or `Edit` tools were used during the session, the agent must have declared a verification level (`FULLY VERIFIED`, `PARTIALLY VERIFIED`, or `UNVERIFIED`) in its final message.
+
+If no verification level is declared, the Stop hook blocks once with instructions. On retry, it allows the stop to prevent infinite loops.
+
+**Agent responsibility:** Before finishing any task that involved code changes, run verification and declare the result with evidence.
+
+### Regeneration Over Patching
+
+When the root cause of errors is architectural (wrong abstraction, incorrect data flow, fundamentally broken approach), delete and regenerate rather than incrementally patching. Incremental patches on a broken foundation accumulate tech debt faster than the self-correction loop can catch it.
+
+Signs that regeneration is needed:
+- The same file has been edited 3+ times in the same loop without converging
+- Fixing one error introduces another in the same file
+- The fix requires disabling a lint rule or adding a type assertion
+
+---
+
 ## End-User Verification Patterns
 
 Agents must choose the pattern that fits the task.

package/all/copy-overwrite/.claude/settings.json

@@ -64,6 +64,10 @@
           {
             "type": "command",
             "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/sg-scan-on-edit.sh"
+          },
+          {
+            "type": "command",
+            "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/lint-on-edit.sh"
           }
         ]
       },
@@ -209,6 +213,24 @@
       }
     ],
     "Stop": [
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/verify-completion.sh"
+          }
+        ]
+      },
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/check-tired-boss.sh"
+          }
+        ]
+      },
       {
         "matcher": "",
         "hooks": [

package/package.json

@@ -95,7 +95,7 @@
     "axios": ">=1.13.5"
   },
   "name": "@codyswann/lisa",
-  "version": "1.46.4",
+  "version": "1.47.1",
   "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
   "main": "dist/index.js",
   "bin": {

package/typescript/copy-contents/.husky/pre-push

@@ -29,27 +29,86 @@ echo "📦 Using package manager: $PACKAGE_MANAGER"
 # Run security audit
 echo "🔒 Running security audit..."
 
-if [ "$PACKAGE_MANAGER" = "yarn" ]; then
-  # Check if jq is installed (required for yarn audit filtering)
-  if ! command -v jq >/dev/null 2>&1; then
-    echo ""
-    echo "⚠️  WARNING: jq is not installed - required for yarn audit filtering"
-    echo ""
-    echo "To install jq:"
-    echo "  macOS:    brew install jq"
-    echo "  Windows:  choco install jq  # or scoop install jq"
-    echo "  Linux:    apt-get install jq"
-    echo ""
-    echo "Continuing without security audit..."
-    echo ""
-  else
-    # Excluding GHSA-5j98-mcp5-4vw2 (CVE-2025-64756): glob CLI command injection
-    # This vulnerability only affects the glob CLI (--cmd flag), not library usage
-    # We only use glob as a library through Babel and other tools - never invoke CLI
-    # Risk: None - vulnerable code path is not executed in our application
-    # Run yarn audit and filter for high/critical vulnerabilities (excluding glob CLI vuln)
-    # Filter by both GHSA ID and CVE ID for robustness
-    yarn audit --groups dependencies --json | jq -r 'select(.type == "auditAdvisory") | select(.data.advisory.severity == "high" or .data.advisory.severity == "critical") | select((.data.advisory.github_advisory_id == "GHSA-5j98-mcp5-4vw2" or (.data.advisory.cves | any(. == "CVE-2025-64756"))) | not) | .data.advisory' > high_vulns.json
+# jq is required for all audit paths (JSON config reading, npm/yarn filtering)
+if ! command -v jq >/dev/null 2>&1; then
+  echo ""
+  echo "⚠️  WARNING: jq is not installed - required for security audit"
+  echo ""
+  echo "To install jq:"
+  echo "  macOS:    brew install jq"
+  echo "  Windows:  choco install jq  # or scoop install jq"
+  echo "  Linux:    apt-get install jq"
+  echo ""
+  echo "Continuing without security audit..."
+  echo ""
+else
+  # Load GHSA exclusion IDs from JSON config files (managed + project-local)
+  load_audit_exclusions() {
+    _EXCLUSIONS=""
+    for _config_file in audit.ignore.config.json audit.ignore.local.json; do
+      if [ -f "$_config_file" ]; then
+        _FILE_IDS=$(jq -r '.exclusions[].id' "$_config_file" 2>/dev/null)
+        if [ -n "$_FILE_IDS" ]; then
+          _EXCLUSIONS="$_EXCLUSIONS $_FILE_IDS"
+        fi
+      fi
+    done
+    echo "$_EXCLUSIONS" | tr ' ' '\n' | sort -u | grep -v '^$' | tr '\n' ' '
+  }
+
+  # Load CVE exclusion IDs from JSON config files (for yarn's CVE-based filtering)
+  load_audit_cves() {
+    _CVES=""
+    for _config_file in audit.ignore.config.json audit.ignore.local.json; do
+      if [ -f "$_config_file" ]; then
+        _FILE_CVES=$(jq -r '.exclusions[] | select(.cve != null) | .cve' "$_config_file" 2>/dev/null)
+        if [ -n "$_FILE_CVES" ]; then
+          _CVES="$_CVES $_FILE_CVES"
+        fi
+      fi
+    done
+    echo "$_CVES" | tr ' ' '\n' | sort -u | grep -v '^$' | tr '\n' ' '
+  }
+
+  AUDIT_EXCLUSIONS=$(load_audit_exclusions)
+  AUDIT_CVES=$(load_audit_cves)
+
+  if [ "$PACKAGE_MANAGER" = "yarn" ]; then
+    # Build jq filter for GHSA IDs
+    GHSA_FILTER=""
+    for _id in $AUDIT_EXCLUSIONS; do
+      if [ -n "$GHSA_FILTER" ]; then
+        GHSA_FILTER="$GHSA_FILTER or .data.advisory.github_advisory_id == \"$_id\""
+      else
+        GHSA_FILTER=".data.advisory.github_advisory_id == \"$_id\""
+      fi
+    done
+
+    # Build jq filter for CVE IDs
+    CVE_FILTER=""
+    for _cve in $AUDIT_CVES; do
+      if [ -n "$CVE_FILTER" ]; then
+        CVE_FILTER="$CVE_FILTER or . == \"$_cve\""
+      else
+        CVE_FILTER=". == \"$_cve\""
+      fi
+    done
+
+    # Combine GHSA and CVE filters
+    COMBINED_FILTER=""
+    if [ -n "$GHSA_FILTER" ] && [ -n "$CVE_FILTER" ]; then
+      COMBINED_FILTER="($GHSA_FILTER or (.data.advisory.cves | any($CVE_FILTER)))"
+    elif [ -n "$GHSA_FILTER" ]; then
+      COMBINED_FILTER="($GHSA_FILTER)"
+    elif [ -n "$CVE_FILTER" ]; then
+      COMBINED_FILTER="((.data.advisory.cves | any($CVE_FILTER)))"
+    fi
+
+    if [ -n "$COMBINED_FILTER" ]; then
+      yarn audit --groups dependencies --json | jq -r "select(.type == \"auditAdvisory\") | select(.data.advisory.severity == \"high\" or .data.advisory.severity == \"critical\") | select(($COMBINED_FILTER) | not) | .data.advisory" > high_vulns.json
+    else
+      yarn audit --groups dependencies --json | jq -r 'select(.type == "auditAdvisory") | select(.data.advisory.severity == "high" or .data.advisory.severity == "critical") | .data.advisory' > high_vulns.json
+    fi
 
     if [ -s high_vulns.json ]; then
       echo "❌ High or critical vulnerabilities found in production dependencies!"
@@ -60,91 +119,43 @@ if [ "$PACKAGE_MANAGER" = "yarn" ]; then
 
     echo "✅ No high or critical vulnerabilities found in production dependencies (excluding known false positives)"
     rm -f high_vulns.json
-  fi
-
-elif [ "$PACKAGE_MANAGER" = "npm" ]; then
-  # Run npm audit in JSON mode and filter out known false positives before failing.
-  # npm audit lacks a native --ignore flag, so we parse JSON and exclude by GHSA ID.
-
-  # Excluding GHSA-3ppc-4f35-3m26: minimatch ReDoS via repeated wildcards
-  # Nested dep in aws-cdk-lib; fix requires minimatch v10 (incompatible with ^3.1.2)
-  # Risk: None - dev-time CDK tooling, no production runtime exposure
-
-  # Excluding GHSA-2g4f-4pwh-qvx6: ajv ReDoS with $data option
-  # Nested dep in aws-cdk-lib and eslint; no fix available via npm
-  # Risk: Low - $data option not used in this application
-
-  AUDIT_JSON=$(npm audit --production --json 2>/dev/null || true)
-  UNFIXED_HIGH=$(echo "$AUDIT_JSON" | jq '[.vulnerabilities | to_entries[] | select(.value.severity == "high" or .value.severity == "critical") | .value.via[] | select(type == "object") | .url | ltrimstr("https://github.com/advisories/")] | unique | map(select(. == "GHSA-3ppc-4f35-3m26" or . == "GHSA-2g4f-4pwh-qvx6" | not)) | length')
-  if [ "$UNFIXED_HIGH" -gt 0 ]; then
-    echo "⚠️ Security audit failed. Please fix high/critical vulnerabilities before pushing."
-    exit 1
-  fi
-  echo "✅ No high or critical vulnerabilities found in production dependencies (excluding known false positives)"
-
-elif [ "$PACKAGE_MANAGER" = "bun" ]; then
-  # Excluding GHSA-5j98-mcp5-4vw2 (CVE-2025-64756): glob CLI command injection
-  # This vulnerability only affects the glob CLI (--cmd flag), not library usage
-  # We only use glob as a library through Babel and other tools - never invoke CLI
 
-  # Excluding GHSA-8qq5-rm4j-mr97: node-tar path sanitization vulnerability
-  # Nested dependency in @expo/cli - bun resolves to patched version but audit still flags it
-  # Risk: Low - only affects tar extraction with malicious filenames, not our use case
-
-  # Excluding GHSA-37qj-frw5-hhjh: fast-xml-parser RangeError DoS with numeric entities
-  # Transitive dependency via @react-native-community/cli (Android/iOS build tooling)
-  # Parent packages pin ^4.4.1; fix requires major version 5.x (incompatible)
-  # Risk: None - CLI build tool, not a production runtime dependency
-
-  # Excluding GHSA-3ppc-4f35-3m26: minimatch ReDoS via repeated wildcards
-  # Transitive dependency in devDependencies (eslint, jest, nodemon, ts-morph, etc.)
-  # Fix requires minimatch v10 which changes export shape (object vs function),
-  # breaking test-exclude (used by Jest coverage). No production code path is affected.
-  # Risk: None - only devDependency tooling, never processes untrusted user input
-
-  # Excluding GHSA-jmr7-xgp7-cmfj: fast-xml-parser DoS through entity expansion in DOCTYPE
-  # Transitive dependency via AWS SDK (@aws-sdk/xml-builder) and snowflake-sdk
-  # Resolution to >=5.3.6 set in package.json but bun audit still flags intermediate ranges
-  # Risk: Low - XML parsing of untrusted DOCTYPE content not in our code paths
-
-  # Excluding GHSA-m7jm-9gc2-mpf2: fast-xml-parser entity encoding bypass via regex injection
-  # Same transitive path as GHSA-jmr7-xgp7-cmfj (AWS SDK, snowflake-sdk)
-  # Resolution to >=5.3.6 set in package.json but bun audit still flags intermediate ranges
-  # Risk: Low - no untrusted XML with DOCTYPE entity names processed
-
-  # Excluding GHSA-r6q2-hw4h-h46w: node-tar race condition via Unicode Ligature Collisions on macOS APFS
-  # Transitive via @nestjs/apollo > @apollo/gateway > make-fetch-happen > cacache > tar
-  # Resolution to ^7.5.8 set in package.json but bun audit still flags intermediate ranges
-  # Risk: None - tar extraction not used in production runtime
-
-  # Excluding GHSA-34x7-hfp2-rc4v: node-tar arbitrary file creation via hardlink path traversal
-  # Same transitive path as GHSA-r6q2-hw4h-h46w
-  # Risk: None - tar extraction not used in production runtime
-
-  # Excluding GHSA-83g3-92jg-28cx: node-tar arbitrary file read/write via hardlink target escape
-  # Same transitive path as GHSA-r6q2-hw4h-h46w
-  # Risk: None - tar extraction not used in production runtime
-
-  # Excluding GHSA-3h5v-q93c-6h6q: ws DoS when handling request with many HTTP headers
-  # Transitive via @nestjs/graphql, graphql-ws, openai, serverless-offline, serverless-esbuild
-  # Resolution to ^8.17.1 set in package.json but bun audit still flags intermediate ranges
-  # Risk: Low - WebSocket servers behind API Gateway which limits headers
-
-  # Excluding GHSA-7r86-cg39-jmmj: minimatch ReDoS via multiple non-adjacent GLOBSTAR segments
-  # Same transitive dependency chain as GHSA-3ppc-4f35-3m26 (eslint, jest, ts-morph, etc.)
-  # Fix requires minimatch >=3.1.3 but bun cannot override transitive dependency version ranges
-  # Risk: None - only devDependency tooling, never processes untrusted user input
+  elif [ "$PACKAGE_MANAGER" = "npm" ]; then
+    # Build jq exclusion filter for npm audit GHSA IDs
+    NPM_EXCLUDE_FILTER=""
+    for _id in $AUDIT_EXCLUSIONS; do
+      if [ -n "$NPM_EXCLUDE_FILTER" ]; then
+        NPM_EXCLUDE_FILTER="$NPM_EXCLUDE_FILTER or . == \"$_id\""
+      else
+        NPM_EXCLUDE_FILTER=". == \"$_id\""
+      fi
+    done
+
+    AUDIT_JSON=$(npm audit --production --json 2>/dev/null || true)
+    if [ -n "$NPM_EXCLUDE_FILTER" ]; then
+      UNFIXED_HIGH=$(echo "$AUDIT_JSON" | jq "[.vulnerabilities | to_entries[] | select(.value.severity == \"high\" or .value.severity == \"critical\") | .value.via[] | select(type == \"object\") | .url | ltrimstr(\"https://github.com/advisories/\")] | unique | map(select($NPM_EXCLUDE_FILTER | not)) | length")
+    else
+      UNFIXED_HIGH=$(echo "$AUDIT_JSON" | jq '[.vulnerabilities | to_entries[] | select(.value.severity == "high" or .value.severity == "critical") | .value.via[] | select(type == "object") | .url | ltrimstr("https://github.com/advisories/")] | unique | length')
+    fi
+    if [ "$UNFIXED_HIGH" -gt 0 ]; then
+      echo "⚠️ Security audit failed. Please fix high/critical vulnerabilities before pushing."
+      exit 1
+    fi
+    echo "✅ No high or critical vulnerabilities found in production dependencies (excluding known false positives)"
 
-  # Excluding GHSA-23c5-xmqv-rm74: minimatch ReDoS via nested *() extglobs
-  # Same transitive dependency chain as GHSA-3ppc-4f35-3m26 (eslint, jest, ts-morph, etc.)
-  # Fix requires minimatch >=3.1.3 but bun cannot override transitive dependency version ranges
-  # Risk: None - only devDependency tooling, never processes untrusted user input
+  elif [ "$PACKAGE_MANAGER" = "bun" ]; then
+    # Build --ignore flags dynamically from exclusion list
+    BUN_IGNORE_FLAGS=""
+    for _id in $AUDIT_EXCLUSIONS; do
+      BUN_IGNORE_FLAGS="$BUN_IGNORE_FLAGS --ignore $_id"
+    done
 
-  if ! bun audit --audit-level=high --ignore GHSA-5j98-mcp5-4vw2 --ignore GHSA-8qq5-rm4j-mr97 --ignore GHSA-37qj-frw5-hhjh --ignore GHSA-3ppc-4f35-3m26 --ignore GHSA-jmr7-xgp7-cmfj --ignore GHSA-m7jm-9gc2-mpf2 --ignore GHSA-r6q2-hw4h-h46w --ignore GHSA-34x7-hfp2-rc4v --ignore GHSA-83g3-92jg-28cx --ignore GHSA-3h5v-q93c-6h6q --ignore GHSA-7r86-cg39-jmmj --ignore GHSA-23c5-xmqv-rm74; then
-    echo "⚠️ Security audit failed. Please fix high/critical vulnerabilities before pushing."
-    exit 1
+    if ! bun audit --audit-level=high $BUN_IGNORE_FLAGS; then
+      echo "⚠️ Security audit failed. Please fix high/critical vulnerabilities before pushing."
+      exit 1
+    fi
+    echo "✅ No high or critical vulnerabilities found in production dependencies"
   fi
-  echo "✅ No high or critical vulnerabilities found in production dependencies"
 fi
 
 # Run slow lint rules - only if script exists

package/typescript/copy-overwrite/.claude/hooks/lint-on-edit.sh

@@ -1,105 +1,81 @@
 #!/bin/bash
 # This file is managed by Lisa.
 # Do not edit directly — changes will be overwritten on the next `lisa` run.
-
-# Hook script to lint and auto-fix files with ESLint after Claude edits them
-# This script receives JSON input via stdin with tool information
-# Reference: https://docs.claude.com/en/docs/claude-code/hooks
-
-# Read the JSON input from stdin
-JSON_INPUT=$(cat)
-
-# Extract the file path from the tool_input
-# The Edit tool input contains a "file_path" field in the tool_input object
-FILE_PATH=$(echo "$JSON_INPUT" | grep -o '"tool_input":{[^}]*"file_path":"[^"]*"' | grep -o '"file_path":"[^"]*"' | cut -d'"' -f4)
-
-# Check if we successfully extracted a file path
-if [ -z "$FILE_PATH" ]; then
-    echo "⚠ Skipping ESLint: Could not extract file path from Edit tool input" >&2
-    exit 0  # Exit gracefully to not interrupt Claude's workflow
+# =============================================================================
+# ESLint Lint-on-Edit Hook (PostToolUse - Write|Edit)
+# =============================================================================
+# Runs ESLint --fix with --quiet --cache on each edited TypeScript file.
+# Part of the inline self-correction pipeline: prettier → ast-grep → eslint.
+#
+# Behavior:
+#   - Exit 0: lint passes or auto-fix resolved all errors
+#   - Exit 2: unfixable errors remain — blocks Claude so it fixes them immediately
+#
+# @see .claude/rules/verfication.md "Self-Correction Loop" section
+# =============================================================================
+
+# Extract file path from JSON input
+FILE_PATH=$(cat | grep -o '"file_path":"[^"]*"' | head -1 | cut -d'"' -f4)
+
+if [ -z "$FILE_PATH" ] || [ ! -f "$FILE_PATH" ]; then
+    exit 0
 fi
 
-# Check if the file exists
-if [ ! -f "$FILE_PATH" ]; then
-    echo "⚠ Skipping ESLint: File does not exist: $FILE_PATH" >&2
-    exit 0  # Exit gracefully
-fi
-
-# Get the file extension
-FILE_EXT="${FILE_PATH##*.}"
-
-# Check if this is a TypeScript file that should be linted
-# Based on package.json lint command: "eslint \"{src,apps,libs,test}/**/*.ts\""
-case "$FILE_EXT" in
-    ts|tsx)
-        # File type is supported for linting
-        ;;
-    *)
-        echo "ℹ Skipping ESLint: File type .$FILE_EXT is not configured for linting"
-        exit 0
-        ;;
+# Check if file type is supported (TypeScript only)
+case "${FILE_PATH##*.}" in
+    ts|tsx) ;;
+    *) exit 0 ;;
 esac
 
-# Check if the file is in a directory that should be linted
-# Extract the relative path from the project directory
-RELATIVE_PATH="${FILE_PATH#$CLAUDE_PROJECT_DIR/}"
+# Validate project directory
+if [ -z "${CLAUDE_PROJECT_DIR:-}" ]; then
+    exit 0
+fi
 
-# Check if the file is in src, apps, libs, or test directories
+# Check if file is in a source directory
+RELATIVE_PATH="${FILE_PATH#$CLAUDE_PROJECT_DIR/}"
 case "$RELATIVE_PATH" in
-    src/*|apps/*|libs/*|test/*|features/*|components/*|hooks/*|screens/*|app/*|constants/*|utils/*|providers/*|stores/*)
-        # File is in a directory configured for linting
-        ;;
-    *)
-        echo "ℹ Skipping ESLint: File is not in src/, apps/, libs/, or test/ directory"
-        exit 0
-        ;;
+    src/*|apps/*|libs/*|test/*|tests/*|features/*|components/*|hooks/*|screens/*|app/*|constants/*|utils/*|providers/*|stores/*) ;;
+    *) exit 0 ;;
 esac
 
-# Change to the project directory to ensure package manager commands work
 cd "$CLAUDE_PROJECT_DIR" || exit 0
 
-# Detect package manager based on lock file presence
-detect_package_manager() {
-    if [ -f "bun.lockb" ] || [ -f "bun.lock" ]; then
-        echo "bun"
-    elif [ -f "pnpm-lock.yaml" ]; then
-        echo "pnpm"
-    elif [ -f "yarn.lock" ]; then
-        echo "yarn"
-    elif [ -f "package-lock.json" ]; then
-        echo "npm"
-    else
-        echo "npm"  # Default fallback
-    fi
-}
+# Detect package manager
+if [ -f "bun.lockb" ] || [ -f "bun.lock" ]; then
+    PKG_MANAGER="bun"
+elif [ -f "pnpm-lock.yaml" ]; then
+    PKG_MANAGER="pnpm"
+elif [ -f "yarn.lock" ]; then
+    PKG_MANAGER="yarn"
+else
+    PKG_MANAGER="npm"
+fi
 
-PKG_MANAGER=$(detect_package_manager)
+# Run ESLint with --fix --quiet --cache on the specific file
+# --quiet: suppress warnings, only show errors
+# --cache: use ESLint cache for performance
+echo "Running ESLint --fix on: $FILE_PATH"
 
-# Run ESLint with --fix on the specific file
-echo "🔍 Running ESLint --fix on: $FILE_PATH"
+# First pass: attempt auto-fix
+OUTPUT=$($PKG_MANAGER eslint --fix --quiet --cache "$FILE_PATH" 2>&1)
+FIX_EXIT=$?
 
-# Run ESLint with fix flag and capture output
-$PKG_MANAGER run lint --fix "$FILE_PATH" 2>&1 | while IFS= read -r line; do
-    # Filter out common noise from package manager output
-    if [[ ! "$line" =~ ^$ ]] && \
-       [[ ! "$line" =~ "Need to install the following packages" ]] && \
-       [[ ! "$line" =~ "Ok to proceed" ]]; then
-        echo "$line"
-    fi
-done
+if [ $FIX_EXIT -eq 0 ]; then
+    echo "ESLint: No errors in $(basename "$FILE_PATH")"
+    exit 0
+fi
 
-# Check the exit status (use PIPESTATUS to get the eslint exit code, not the while loop)
-EXIT_CODE=${PIPESTATUS[0]}
+# Auto-fix resolved some issues but errors remain — re-run to get remaining errors
+OUTPUT=$($PKG_MANAGER eslint --quiet --cache "$FILE_PATH" 2>&1)
+LINT_EXIT=$?
 
-if [ $EXIT_CODE -eq 0 ]; then
-    echo "✓ ESLint: No issues found in $(basename "$FILE_PATH")"
-elif [ $EXIT_CODE -eq 1 ]; then
-    echo "✓ ESLint: Fixed issues in $(basename "$FILE_PATH")"
-    echo "  Some issues were automatically fixed. Please review the changes."
-else
-    echo "⚠ ESLint found issues that couldn't be auto-fixed in: $FILE_PATH" >&2
-    echo "  You may need to run '$PKG_MANAGER run lint:fix' manually or fix the issues by hand." >&2
+if [ $LINT_EXIT -eq 0 ]; then
+    echo "ESLint: Auto-fixed all errors in $(basename "$FILE_PATH")"
+    exit 0
 fi
 
-# Always exit successfully to not interrupt Claude's workflow
-exit 0
+# Unfixable errors remain — block with feedback
+echo "ESLint found unfixable errors in: $FILE_PATH" >&2
+echo "$OUTPUT" >&2
+exit 2

package/typescript/copy-overwrite/.claude/settings.json

@@ -63,6 +63,10 @@
           {
             "type": "command",
             "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/sg-scan-on-edit.sh"
+          },
+          {
+            "type": "command",
+            "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/lint-on-edit.sh"
           }
         ]
       },
@@ -208,6 +212,24 @@
       }
     ],
     "Stop": [
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/verify-completion.sh"
+          }
+        ]
+      },
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/check-tired-boss.sh"
+          }
+        ]
+      },
       {
         "matcher": "",
         "hooks": [