@codyswann/lisa 2.159.9 → 2.161.0

package/dist/configs/eslint/harper-fabric.js

@@ -11,8 +11,8 @@ export const defaultHarperFabricIgnores = [
     "*.config.local.ts",
     "harper-app/resources.js",
     "harper-app/resource-*.js",
-    "harper-app/web/**/*.js",
-    "harper-app/web/**/*.js.map",
+    "harper-app/web/**",
+    "harper-app/lib/**",
 ];
 /**
  * Creates the Harper/Fabric ESLint configuration.

package/dist/configs/eslint/harper-fabric.js.map

@@ -1 +1 @@
-{"version":3,"file":"harper-fabric.js","sourceRoot":"","sources":["../../../src/configs/eslint/harper-fabric.ts"],"names":[],"mappings":"AAQA,OAAO,EACL,cAAc,EACd,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,CAAC;AAE7C;;GAEG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,GAAG,cAAc;IACjB,WAAW;IACX,UAAU;IACV,WAAW;IACX,mBAAmB;IACnB,yBAAyB;IACzB,0BAA0B;IAC1B,wBAAwB;IACxB,4BAA4B;CAC7B,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,EACpC,eAAe,EACf,cAAc,GAAG,0BAA0B,EAC3C,UAAU,GAAG,iBAAiB,GAK/B;IACC,OAAO;QACL,GAAG,mBAAmB,CAAC;YACrB,eAAe;YACf,cAAc;YACd,UAAU;SACX,CAAC;QACF;YACE,KAAK,EAAE,CAAC,aAAa,CAAC;YACtB,KAAK,EAAE;gBACL,2BAA2B,EAAE,OAAO;gBACpC,mBAAmB,EAAE,OAAO;gBAC5B,iCAAiC,EAAE,OAAO;gBAC1C,0BAA0B,EAAE,OAAO;gBACnC,0CAA0C,EAAE,OAAO;aACpD;SACF;QACD;YACE,KAAK,EAAE,CAAC,oBAAoB,EAAE,oBAAoB,CAAC;YACnD,KAAK,EAAE;gBACL,2BAA2B,EAAE,KAAK;gBAClC,mBAAmB,EAAE,KAAK;gBAC1B,iCAAiC,EAAE,KAAK;gBACxC,0BAA0B,EAAE,KAAK;gBACjC,0CAA0C,EAAE,KAAK;aAClD;SACF;QACD;YACE,KAAK,EAAE,CAAC,qBAAqB,EAAE,eAAe,CAAC;YAC/C,KAAK,EAAE;gBACL,sBAAsB,EAAE,KAAK;aAC9B;SACF;KACiB,CAAC;AACvB,CAAC"}
+{"version":3,"file":"harper-fabric.js","sourceRoot":"","sources":["../../../src/configs/eslint/harper-fabric.ts"],"names":[],"mappings":"AAQA,OAAO,EACL,cAAc,EACd,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,CAAC;AAE7C;;GAEG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,GAAG,cAAc;IACjB,WAAW;IACX,UAAU;IACV,WAAW;IACX,mBAAmB;IACnB,yBAAyB;IACzB,0BAA0B;IAC1B,mBAAmB;IACnB,mBAAmB;CACpB,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,EACpC,eAAe,EACf,cAAc,GAAG,0BAA0B,EAC3C,UAAU,GAAG,iBAAiB,GAK/B;IACC,OAAO;QACL,GAAG,mBAAmB,CAAC;YACrB,eAAe;YACf,cAAc;YACd,UAAU;SACX,CAAC;QACF;YACE,KAAK,EAAE,CAAC,aAAa,CAAC;YACtB,KAAK,EAAE;gBACL,2BAA2B,EAAE,OAAO;gBACpC,mBAAmB,EAAE,OAAO;gBAC5B,iCAAiC,EAAE,OAAO;gBAC1C,0BAA0B,EAAE,OAAO;gBACnC,0CAA0C,EAAE,OAAO;aACpD;SACF;QACD;YACE,KAAK,EAAE,CAAC,oBAAoB,EAAE,oBAAoB,CAAC;YACnD,KAAK,EAAE;gBACL,2BAA2B,EAAE,KAAK;gBAClC,mBAAmB,EAAE,KAAK;gBAC1B,iCAAiC,EAAE,KAAK;gBACxC,0BAA0B,EAAE,KAAK;gBACjC,0CAA0C,EAAE,KAAK;aAClD;SACF;QACD;YACE,KAAK,EAAE,CAAC,qBAAqB,EAAE,eAAe,CAAC;YAC/C,KAAK,EAAE;gBACL,sBAAsB,EAAE,KAAK;aAC9B;SACF;KACiB,CAAC;AACvB,CAAC"}

package/harper-fabric/copy-contents/.prettierignore

@@ -2,7 +2,10 @@
 
 # Harper/Fabric generated web output and scraped research captures are not
 # source formatting inputs.
-harper-app/web/
+harper-app/resources.js
+harper-app/resource-*.js
+harper-app/web/**
+harper-app/lib/**
 research/articles/
 
 # END: AI GUARDRAILS HARPER-FABRIC

package/harper-fabric/copy-overwrite/knip.json

@@ -15,7 +15,8 @@
     "**/node_modules/**",
     "harper-app/resources.js",
     "harper-app/resource-*.js",
-    "harper-app/web/**/*.js"
+    "harper-app/web/**",
+    "harper-app/lib/**"
   ],
   "ignoreIssues": {
     "src/types/harper-schema.ts": ["types"]

package/harper-fabric/copy-overwrite/tsconfig.eslint.json

@@ -22,6 +22,7 @@
     "coverage",
     "harper-app/resources.js",
     "harper-app/resource-*.js",
-    "harper-app/web/**/*.js"
+    "harper-app/web/**",
+    "harper-app/lib/**"
   ]
 }

package/harper-fabric/create-only/.github/workflows/deploy.yml

@@ -0,0 +1,82 @@
+# This file is create-only from Lisa.
+# Customize it for your Harper Fabric target; Lisa will not overwrite it.
+
+name: Deploy Harper Fabric
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+concurrency:
+  group: harper-fabric-deploy-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    name: Build, deploy, and verify
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    env:
+      HARPER_PROJECT: ${{ vars.HARPER_PROJECT || github.event.repository.name }}
+      HARPER_PACKAGE: ${{ vars.HARPER_PACKAGE || 'harper-app' }}
+      CLI_TARGET: ${{ secrets.CLI_TARGET || secrets.HARPER_FABRIC_TARGET }}
+      CLI_TARGET_USERNAME: ${{ secrets.CLI_TARGET_USERNAME }}
+      CLI_TARGET_PASSWORD: ${{ secrets.CLI_TARGET_PASSWORD }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22.21.1'
+          package-manager-cache: false
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: '1.3.8'
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Build Harper component
+        run: bun run build
+
+      - name: Verify Fabric secrets
+        run: |
+          test -n "${CLI_TARGET}" || { echo "Missing CLI_TARGET or HARPER_FABRIC_TARGET secret"; exit 1; }
+          test -n "${CLI_TARGET_USERNAME}" || { echo "Missing CLI_TARGET_USERNAME secret"; exit 1; }
+          test -n "${CLI_TARGET_PASSWORD}" || { echo "Missing CLI_TARGET_PASSWORD secret"; exit 1; }
+
+      - name: Deploy component to Harper Fabric
+        run: |
+          if command -v harper >/dev/null 2>&1; then
+            HARPER_BIN="harper"
+          elif [ -x node_modules/.bin/harper ]; then
+            HARPER_BIN="node_modules/.bin/harper"
+          elif [ -x node_modules/.bin/harperdb ]; then
+            HARPER_BIN="node_modules/.bin/harperdb"
+          else
+            echo "Missing Harper CLI. Add harper/harperdb to devDependencies or install it before deploy."
+            exit 1
+          fi
+
+          "$HARPER_BIN" deploy_component \
+            project="${HARPER_PROJECT}" \
+            package="${HARPER_PACKAGE}" \
+            target="${CLI_TARGET}" \
+            username="${CLI_TARGET_USERNAME}" \
+            password="${CLI_TARGET_PASSWORD}" \
+            restart=true \
+            replicated=true
+
+      - name: Smoke verify deployed component
+        run: |
+          if bun run | grep -qE '^[[:space:]]*verify[[:space:]]'; then
+            bun run verify
+          else
+            echo "No verify script defined; add one to smoke-test the deployed Harper endpoint."
+          fi

package/harper-fabric/create-only/.github/workflows/zap-baseline.yml

@@ -0,0 +1,56 @@
+# This file is create-only from Lisa.
+# Customize the target URL and rules for your Harper Fabric app.
+
+name: ZAP Baseline
+
+on:
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      target_url:
+        description: URL to scan. Defaults to ZAP_TARGET_URL variable or http://host.docker.internal:9926.
+        required: false
+        type: string
+
+concurrency:
+  group: harper-fabric-zap-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  zap:
+    name: ZAP baseline scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    env:
+      ZAP_TARGET_URL: ${{ inputs.target_url || vars.ZAP_TARGET_URL || 'http://host.docker.internal:9926' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22.21.1'
+          package-manager-cache: false
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: '1.3.8'
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Run ZAP baseline
+        run: bash scripts/zap-baseline.sh
+
+      - name: Upload ZAP reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: zap-baseline-report
+          path: |
+            zap-report.html
+            zap-report.json
+            zap-report.md
+          if-no-files-found: ignore

package/harper-fabric/create-only/.zap/baseline.conf

@@ -0,0 +1,21 @@
+# OWASP ZAP Baseline Scan Configuration - Harper Fabric apps
+# Format: <rule_id> <action> <description>
+# Actions: IGNORE (skip rule), WARN (report but do not fail), FAIL (fail on finding)
+
+# Harper apps often sit behind Fabric/proxy infrastructure that owns transport headers.
+10035	WARN	(Strict-Transport-Security Header Not Set)
+10021	WARN	(X-Content-Type-Options Header Missing)
+10038	WARN	(Content Security Policy (CSP) Header Not Set)
+
+# Static/browser surfaces should not disclose implementation details.
+10036	WARN	(Server Leaks Version Information via "Server" HTTP Response Header Field)
+10023	FAIL	(Information Disclosure - Debug Error Messages)
+
+# Session cookies, when present, must carry browser-safe flags.
+10010	FAIL	(Cookie No HttpOnly Flag)
+10011	FAIL	(Cookie Without Secure Flag)
+10054	WARN	(Cookie without SameSite Attribute)
+
+# Harper REST/GraphQL endpoints may legitimately expose API-oriented responses.
+10020	WARN	(X-Frame-Options Header Not Set)
+10063	WARN	(Permissions Policy Header Not Set)

package/harper-fabric/create-only/scripts/zap-baseline.sh

@@ -0,0 +1,107 @@
+#!/usr/bin/env bash
+# OWASP ZAP Baseline Scan - Harper Fabric app
+# Builds the Harper app, starts it locally when no deployed target is supplied,
+# and runs a ZAP baseline scan via Docker.
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+TARGET_URL="${ZAP_TARGET_URL:-http://host.docker.internal:9926}"
+LOCAL_TARGETS=("http://localhost:9926" "http://host.docker.internal:9926")
+SCAN_TARGET_URL="$TARGET_URL"
+ZAP_RULES_FILE="${ZAP_RULES_FILE:-.zap/baseline.conf}"
+REPORT_FILE="zap-report.html"
+SERVER_PID=""
+
+cd "$PROJECT_ROOT"
+
+if ! command -v docker >/dev/null 2>&1; then
+  echo "Error: Docker is required but not installed."
+  exit 1
+fi
+
+if ! docker info >/dev/null 2>&1; then
+  echo "Error: Docker daemon is not running."
+  exit 1
+fi
+
+echo "==> Building Harper Fabric project..."
+bun run build
+
+should_start_local=false
+for local_target in "${LOCAL_TARGETS[@]}"; do
+  if [ "$TARGET_URL" = "$local_target" ]; then
+    should_start_local=true
+    SCAN_TARGET_URL="http://host.docker.internal:9926"
+  fi
+done
+
+cleanup() {
+  if [ -n "${SERVER_PID:-}" ]; then
+    echo "==> Stopping Harper app..."
+    kill "$SERVER_PID" 2>/dev/null || true
+  fi
+}
+trap cleanup EXIT
+
+if [ "$should_start_local" = true ]; then
+  if command -v harper >/dev/null 2>&1; then
+    HARPER_BIN="harper"
+  elif [ -x node_modules/.bin/harper ]; then
+    HARPER_BIN="node_modules/.bin/harper"
+  elif [ -x node_modules/.bin/harperdb ]; then
+    HARPER_BIN="node_modules/.bin/harperdb"
+  else
+    echo "Error: missing Harper CLI. Set ZAP_TARGET_URL to a deployed app or install the Harper CLI."
+    exit 1
+  fi
+
+  echo "==> Starting Harper app locally..."
+  "$HARPER_BIN" run harper-app &
+  SERVER_PID=$!
+
+  echo "==> Waiting for Harper app..."
+  retries=30
+  until curl -sf http://localhost:9926 >/dev/null 2>&1 || [ "$retries" -eq 0 ]; do
+    retries=$((retries - 1))
+    sleep 2
+  done
+
+  if [ "$retries" -eq 0 ]; then
+    echo "Error: Harper app did not become reachable at http://localhost:9926"
+    exit 1
+  fi
+fi
+
+echo "==> Running OWASP ZAP baseline scan against $SCAN_TARGET_URL..."
+zap_args="-t $SCAN_TARGET_URL"
+
+if [ -f "$ZAP_RULES_FILE" ]; then
+  echo "    Using rules file: $ZAP_RULES_FILE"
+  zap_args="$zap_args -c /zap/wrk/$(basename "$ZAP_RULES_FILE")"
+  mount_rules="-v $(dirname "$(realpath "$ZAP_RULES_FILE")"):/zap/wrk:ro"
+else
+  mount_rules=""
+fi
+
+docker run --rm \
+  --add-host=host.docker.internal:host-gateway \
+  -v "$(pwd)":/zap/wrk/:rw \
+  $mount_rules \
+  ghcr.io/zaproxy/zaproxy:stable \
+  zap-baseline.py $zap_args \
+  -r "$REPORT_FILE" \
+  -J zap-report.json \
+  -w zap-report.md \
+  -l WARN || zap_exit=$?
+
+if [ -f "$REPORT_FILE" ]; then
+  echo "ZAP report saved to: $REPORT_FILE"
+fi
+
+if [ "${zap_exit:-0}" -ne 0 ]; then
+  echo "ZAP found medium+ severity findings (exit code: $zap_exit)."
+  exit "$zap_exit"
+fi
+
+echo "ZAP baseline scan passed."

package/harper-fabric/merge/.oxlintrc.json

@@ -12,6 +12,7 @@
     "**/generated/**",
     "harper-app/resources.js",
     "harper-app/resource-*.js",
-    "harper-app/web/**/*.js"
+    "harper-app/web/**",
+    "harper-app/lib/**"
   ]
 }

package/oxlint/harper-fabric.json

@@ -7,6 +7,7 @@
     "node_modules/**",
     "harper-app/resources.js",
     "harper-app/resource-*.js",
-    "harper-app/web/**/*.js"
+    "harper-app/web/**",
+    "harper-app/lib/**"
   ]
 }

package/package.json

@@ -84,7 +84,7 @@
     "lodash": ">=4.18.1"
   },
   "name": "@codyswann/lisa",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
   "main": "dist/index.js",
   "exports": {

package/plugins/lisa/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "Universal governance: agents, skills, commands, hooks, and rules for all projects.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "AWS CDK-specific Lisa plugin.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "Expo and React Native-specific skills, agents, rules, and MCP servers.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "Harper/Fabric-specific rules for TypeScript component apps",
   "author": {
     "name": "Cody Swann"
@@ -9,6 +9,17 @@
     "lisa-typescript"
   ],
   "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Write|Edit|MultiEdit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/block-generated-artifact-edits.sh"
+          }
+        ]
+      }
+    ],
     "SessionStart": [
       {
         "matcher": "",

package/plugins/lisa-harper-fabric/.codex-plugin/hooks.json

@@ -1,5 +1,16 @@
 {
   "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Write|Edit|MultiEdit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "${PLUGIN_ROOT}/hooks/block-generated-artifact-edits.sh"
+          }
+        ]
+      }
+    ],
     "SessionStart": [
       {
         "matcher": "",

package/plugins/lisa-harper-fabric/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.159.9",
+  "version": "2.161.0",
   "description": "Harper/Fabric-specific Lisa rules for TypeScript component apps.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric/generated-artifact-globs.txt

@@ -0,0 +1,4 @@
+harper-app/resources.js
+harper-app/resource-*.js
+harper-app/web/**
+harper-app/lib/**

package/plugins/lisa-harper-fabric/hooks/block-generated-artifact-edits.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+# This file is managed by Lisa.
+# Do not edit directly - changes will be overwritten on the next `lisa` run.
+
+# PreToolUse hook: block Write/Edit/MultiEdit on generated Harper deploy
+# artifacts. Harper/Fabric projects build these files from TypeScript under
+# src/, so direct edits are overwritten by the next build and usually ship as
+# no-op fixes.
+# Reference: https://docs.claude.com/en/docs/claude-code/hooks
+# Exit code 2 blocks the tool call and surfaces stderr to Claude.
+
+JSON_INPUT=$(cat)
+
+command -v jq >/dev/null 2>&1 || exit 0
+
+FILE_PATH=$(printf '%s' "$JSON_INPUT" | jq -r '.tool_input.file_path // empty')
+[ -n "$FILE_PATH" ] || exit 0
+
+PLUGIN_ROOT=${CLAUDE_PLUGIN_ROOT:-}
+if [ -z "$PLUGIN_ROOT" ]; then
+  PLUGIN_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+fi
+GLOBS_FILE="$PLUGIN_ROOT/generated-artifact-globs.txt"
+[ -f "$GLOBS_FILE" ] || exit 0
+
+normalize_path() {
+  local path="$1"
+  path="${path#./}"
+  printf '%s' "$path"
+}
+
+matches_glob() {
+  local file="$1"
+  local glob="$2"
+
+  if [ "${glob: -3}" = "/**" ]; then
+    local dir="${glob%/**}"
+    case "$file" in
+      "$dir"/* | */"$dir"/*) return 0 ;;
+    esac
+    return 1
+  fi
+
+  case "$file" in
+    $glob | */$glob) return 0 ;;
+  esac
+
+  return 1
+}
+
+NORMALIZED_FILE=$(normalize_path "$FILE_PATH")
+
+while IFS= read -r glob || [ -n "$glob" ]; do
+  [ -n "$glob" ] || continue
+  case "$glob" in \#*) continue ;; esac
+
+  if matches_glob "$NORMALIZED_FILE" "$glob"; then
+    cat >&2 <<MSG
+Blocked: direct edit to generated Harper/Fabric artifact.
+
+File: $FILE_PATH
+Matched generated artifact pattern: $glob
+
+TypeScript under src/ is the source of truth for Harper resources, web assets,
+and shared libraries. Change the matching TypeScript source under src/ and run
+the project build to regenerate harper-app outputs.
+MSG
+    exit 2
+  fi
+done <"$GLOBS_FILE"
+
+exit 0