@curdx/flow 3.0.0 → 3.2.0

package/cli/lib/doctor-claude-settings.js

@@ -1,1186 +0,0 @@
-import fs from "node:fs/promises";
-import os from "node:os";
-import path from "node:path";
-
-const PROJECT_ONLY_IGNORED_SETTINGS = [
-  {
-    key: "autoMemoryDirectory",
-    kind: "ignored-project-setting",
-    message: "autoMemoryDirectory is not accepted in project settings; move it to user or local settings",
-  },
-  {
-    key: "autoMode",
-    kind: "ignored-project-setting",
-    message: "autoMode is not read from shared project settings; move it to user or local settings",
-  },
-  {
-    key: "useAutoModeDuringPlan",
-    kind: "ignored-project-setting",
-    message: "useAutoModeDuringPlan is not read from shared project settings; move it to user or local settings",
-  },
-  {
-    key: "sshConfigs",
-    kind: "ignored-project-setting",
-    message: "sshConfigs is only read from user or managed settings; remove it from shared project settings",
-  },
-  {
-    key: "teammateMode",
-    kind: "invalid-project-setting",
-    message: "teammateMode belongs in the global ~/.claude.json config, not project settings.json",
-  },
-];
-
-const MANAGED_ONLY_SETTINGS = [
-  "allowedChannelPlugins",
-  "allowedMcpServers",
-  "allowManagedHooksOnly",
-  "allowManagedMcpServersOnly",
-  "allowManagedPermissionRulesOnly",
-  "blockedMarketplaces",
-  "channelsEnabled",
-  "deniedMcpServers",
-  "forceRemoteSettingsRefresh",
-  "pluginTrustMessage",
-  "strictKnownMarketplaces",
-];
-
-const SHARED_SCRIPT_SETTINGS = [
-  {
-    key: "apiKeyHelper",
-    kind: "shared-script-setting",
-    message: "apiKeyHelper runs a local script from shared project settings",
-  },
-  {
-    key: "awsAuthRefresh",
-    kind: "shared-script-setting",
-    message: "awsAuthRefresh runs a local credential-refresh script from shared project settings",
-  },
-  {
-    key: "awsCredentialExport",
-    kind: "shared-script-setting",
-    message: "awsCredentialExport runs a local credential-export script from shared project settings",
-  },
-  {
-    key: "otelHeadersHelper",
-    kind: "shared-script-setting",
-    message: "otelHeadersHelper runs a local telemetry script from shared project settings",
-  },
-];
-
-const CURDX_FLOW_AGENT_TYPES = [
-  "flow-adversary",
-  "flow-architect",
-  "flow-brownfield-analyst",
-  "flow-debugger",
-  "flow-edge-hunter",
-  "flow-executor",
-  "flow-orchestrator",
-  "flow-planner",
-  "flow-product-designer",
-  "flow-qa-engineer",
-  "flow-researcher",
-  "flow-reviewer",
-  "flow-security-auditor",
-  "flow-triage-analyst",
-  "flow-ui-researcher",
-  "flow-ux-designer",
-  "flow-verifier",
-];
-
-const CURDX_FLOW_REQUIRED_MODEL_ALIASES = ["sonnet", "opus"];
-const CURDX_FLOW_REQUIRED_TOOLS = [
-  "Agent",
-  "AskUserQuestion",
-  "Bash",
-  "Monitor",
-  "Read",
-  "Write",
-  "Edit",
-  "Grep",
-  "Glob",
-];
-const CURDX_FLOW_PLUGIN_ID = "curdx-flow@curdx-flow-marketplace";
-const CURDX_FLOW_PLUGIN_OPTIONS = {
-  autonomous_blocking: {
-    type: "boolean",
-    default: true,
-  },
-  daily_dependency_check: {
-    type: "boolean",
-    default: true,
-  },
-  monitor_interval_seconds: {
-    type: "number",
-    default: 8,
-    integer: true,
-    min: 3,
-    max: 60,
-  },
-};
-const CURDX_FLOW_REQUIRED_PLUGIN_IDS = ["context7-plugin@context7-marketplace"];
-const HTTP_HOOK_SETTINGS = ["allowedHttpHookUrls", "httpHookAllowedEnvVars"];
-const PERSISTED_EFFORT_LEVELS = ["low", "medium", "high", "xhigh"];
-const ENV_EFFORT_LEVELS = [...PERSISTED_EFFORT_LEVELS, "max", "auto"];
-export const CURDX_FLOW_RUNTIME_CONSUMERS = {
-  autonomous_blocking: {
-    envVar: "CLAUDE_PLUGIN_OPTION_AUTONOMOUS_BLOCKING",
-    consumer: "hooks/scripts/stop-watcher.sh",
-    summary: "controls whether the Stop hook blocks Claude from stopping while execute work remains",
-  },
-  daily_dependency_check: {
-    envVar: "CLAUDE_PLUGIN_OPTION_DAILY_DEPENDENCY_CHECK",
-    consumer: "hooks/scripts/session-start.sh",
-    summary: "controls the once-per-day recommended companion plugin reminder",
-  },
-  monitor_interval_seconds: {
-    envVar: "CLAUDE_PLUGIN_OPTION_MONITOR_INTERVAL_SECONDS",
-    consumer: "monitors/scripts/flow-state-monitor.sh",
-    summary: "controls the polling interval for the interactive flow-state monitor",
-  },
-};
-
-function resolveManagedSettingsRoot({ platform = process.platform, env = process.env } = {}) {
-  if (platform === "darwin") {
-    return "/Library/Application Support/ClaudeCode";
-  }
-
-  if (platform === "linux") {
-    return "/etc/claude-code";
-  }
-
-  if (platform === "win32") {
-    return path.join(env.ProgramFiles || "C:\\Program Files", "ClaudeCode");
-  }
-
-  return null;
-}
-
-function envFlagEnabled(value) {
-  if (value === true || value === 1) return true;
-  if (typeof value !== "string") return false;
-  return ["1", "true", "yes", "on"].includes(value.trim().toLowerCase());
-}
-
-function normalizedEnvValue(value) {
-  if (typeof value !== "string") return null;
-  const normalized = value.trim();
-  return normalized.length > 0 ? normalized : null;
-}
-
-function parsePermissionRule(rule) {
-  if (typeof rule !== "string") return null;
-  const match = rule.match(/^([A-Za-z][A-Za-z0-9]*)(?:\((.*)\))?$/);
-  if (!match) return null;
-  return {
-    tool: match[1],
-    matcher: match[2] ?? null,
-  };
-}
-
-function isBroadToolDeny(rule) {
-  const parsed = parsePermissionRule(rule);
-  if (!parsed || !CURDX_FLOW_REQUIRED_TOOLS.includes(parsed.tool)) return false;
-  return parsed.matcher === null || parsed.matcher === "*" || parsed.matcher === "**";
-}
-
-function isCurdxFlowAgentDeny(rule) {
-  const parsed = parsePermissionRule(rule);
-  if (!parsed || parsed.tool !== "Agent") return false;
-  if (parsed.matcher === null || parsed.matcher === "*" || parsed.matcher === "**") return true;
-  return CURDX_FLOW_AGENT_TYPES.some(
-    (agentType) => parsed.matcher === agentType || parsed.matcher === `curdx-flow:${agentType}`
-  );
-}
-
-function disabledPluginIdsFromSettings(enabledPlugins) {
-  if (!enabledPlugins || typeof enabledPlugins !== "object" || Array.isArray(enabledPlugins)) {
-    return [];
-  }
-
-  return Object.entries(enabledPlugins)
-    .filter(([, enabled]) => enabled === false)
-    .map(([pluginId]) => pluginId);
-}
-
-function isNonArrayObject(value) {
-  return value && typeof value === "object" && !Array.isArray(value);
-}
-
-function hasProjectBlockingSandboxPath(values) {
-  if (!Array.isArray(values)) return false;
-
-  return values.some((value) => {
-    if (typeof value !== "string") return false;
-    const token = value.trim().replace(/\/\*{1,2}$/, "").replace(/\/$/, "");
-    return [".", ".flow", "./.flow", ".git", "./.git"].includes(token);
-  });
-}
-
-function pushScopedWarning(target, kind, message, scope = "project") {
-  const warning = { kind, message };
-  if (scope !== "project") warning.scope = scope;
-  target.push(warning);
-}
-
-function createCurdxFlowPluginOptionsState() {
-  const definitions = Object.entries(CURDX_FLOW_PLUGIN_OPTIONS).map(([key, value]) => ({
-    key,
-    type: value.type,
-    default: value.default,
-    min: value.min,
-    max: value.max,
-    integer: value.integer === true,
-  }));
-
-  const repoEffective = Object.fromEntries(
-    definitions.map((definition) => [
-      definition.key,
-      { value: definition.default, source: "default" },
-    ])
-  );
-
-  return {
-    pluginId: CURDX_FLOW_PLUGIN_ID,
-    definitions,
-    managed: {
-      overrides: {},
-      files: [],
-    },
-    user: {
-      pluginConfigsPresent: false,
-      pluginConfigPresent: false,
-      optionsPresent: false,
-      overrides: {},
-    },
-    project: {
-      pluginConfigsPresent: false,
-      pluginConfigPresent: false,
-      optionsPresent: false,
-      overrides: {},
-    },
-    local: {
-      pluginConfigsPresent: false,
-      pluginConfigPresent: false,
-      optionsPresent: false,
-      overrides: {},
-    },
-    repoEffective,
-    machineEffective: structuredClone(repoEffective),
-  };
-}
-
-function pluginScopeLabel(scope) {
-  if (scope === "managed") return "managed settings";
-  if (scope === "local") return "settings.local.json";
-  if (scope === "user") return "~/.claude/settings.json";
-  return "settings.json";
-}
-
-function invalidSettingKindForScope(scope) {
-  if (scope === "managed") return "invalid-managed-setting";
-  if (scope === "local") return "invalid-local-setting";
-  if (scope === "user") return "invalid-user-setting";
-  return "invalid-project-setting";
-}
-
-function applyCurdxFlowPluginOptionOverride(pluginOptionsState, key, value, scope) {
-  pluginOptionsState.machineEffective[key] = {
-    value,
-    source: scope,
-  };
-
-  if (scope === "project" || scope === "local") {
-    pluginOptionsState.repoEffective[key] = {
-      value,
-      source: scope,
-    };
-  }
-}
-
-function buildCurdxFlowRuntimeProjection(pluginOptionsState) {
-  return pluginOptionsState.definitions.map((definition) => {
-    const effective = pluginOptionsState.machineEffective[definition.key] || {
-      value: definition.default,
-      source: "default",
-    };
-    const runtime = CURDX_FLOW_RUNTIME_CONSUMERS[definition.key] || {};
-    const details = [];
-
-    if (definition.key === "autonomous_blocking") {
-      details.push(
-        effective.value === false
-          ? "stop-hook continuation is disabled; Claude may stop at turn end even when execute tasks remain"
-          : "stop-hook continuation is enabled; CurDX-Flow can block turn end while execute tasks remain"
-      );
-    } else if (definition.key === "daily_dependency_check") {
-      details.push(
-        effective.value === false
-          ? "SessionStart plugin reminder is disabled on this machine"
-          : "SessionStart plugin reminder runs at most once per day on this machine"
-      );
-    } else if (definition.key === "monitor_interval_seconds") {
-      details.push(`flow-state monitor polls every ${effective.value} second(s) when Monitor is available`);
-    }
-
-    return {
-      key: definition.key,
-      envVar: runtime.envVar || `CLAUDE_PLUGIN_OPTION_${definition.key.toUpperCase()}`,
-      consumer: runtime.consumer || "plugin subprocess",
-      summary: runtime.summary || "runtime consumer",
-      value: effective.value,
-      source: effective.source,
-      details,
-    };
-  });
-}
-
-function auditCurdxFlowPluginOptions(
-  parsed,
-  warnings,
-  pluginOptionsState,
-  { scope = "project", settingsLabel = pluginScopeLabel(scope), targetOverrides = null } = {}
-) {
-  if (!isNonArrayObject(parsed) || !("pluginConfigs" in parsed)) {
-    return;
-  }
-
-  const target = scope === "managed"
-    ? pluginOptionsState.managed
-    : scope === "local"
-      ? pluginOptionsState.local
-      : scope === "user"
-        ? pluginOptionsState.user
-        : pluginOptionsState.project;
-  target.pluginConfigsPresent = true;
-
-  if (!isNonArrayObject(parsed.pluginConfigs)) {
-    pushScopedWarning(
-      warnings,
-      invalidSettingKindForScope(scope),
-      `pluginConfigs in ${settingsLabel} must be an object keyed by plugin@marketplace id`,
-      scope
-    );
-    return;
-  }
-
-  const pluginConfig = parsed.pluginConfigs[CURDX_FLOW_PLUGIN_ID];
-  if (pluginConfig === undefined) {
-    return;
-  }
-
-  target.pluginConfigPresent = true;
-
-  if (!isNonArrayObject(pluginConfig)) {
-    pushScopedWarning(
-      warnings,
-      invalidSettingKindForScope(scope),
-      `pluginConfigs[${CURDX_FLOW_PLUGIN_ID}] in ${settingsLabel} must be an object when set`,
-      scope
-    );
-    return;
-  }
-
-  if (!("options" in pluginConfig)) {
-    return;
-  }
-
-  target.optionsPresent = true;
-
-  if (!isNonArrayObject(pluginConfig.options)) {
-    pushScopedWarning(
-      warnings,
-      invalidSettingKindForScope(scope),
-      `pluginConfigs[${CURDX_FLOW_PLUGIN_ID}].options in ${settingsLabel} must be an object when set`,
-      scope
-    );
-    return;
-  }
-
-  for (const [key, value] of Object.entries(pluginConfig.options)) {
-    const definition = CURDX_FLOW_PLUGIN_OPTIONS[key];
-
-    if (!definition) {
-      pushScopedWarning(
-        warnings,
-        "unknown-plugin-option",
-        `unknown CurDX-Flow plugin option in ${settingsLabel}: ${key}`,
-        scope
-      );
-      continue;
-    }
-
-    if (definition.type === "boolean" && typeof value !== "boolean") {
-      pushScopedWarning(
-        warnings,
-        invalidSettingKindForScope(scope),
-        `CurDX-Flow plugin option ${key} in ${settingsLabel} must be boolean`,
-        scope
-      );
-      continue;
-    }
-
-    if (definition.type === "number") {
-      if (typeof value !== "number" || Number.isNaN(value)) {
-        pushScopedWarning(
-          warnings,
-          invalidSettingKindForScope(scope),
-          `CurDX-Flow plugin option ${key} in ${settingsLabel} must be a number`,
-          scope
-        );
-        continue;
-      }
-
-      if (definition.integer && !Number.isInteger(value)) {
-        pushScopedWarning(
-          warnings,
-          invalidSettingKindForScope(scope),
-          `CurDX-Flow plugin option ${key} in ${settingsLabel} must be an integer`,
-          scope
-        );
-        continue;
-      }
-
-      if (typeof definition.min === "number" && value < definition.min) {
-        pushScopedWarning(
-          warnings,
-          invalidSettingKindForScope(scope),
-          `CurDX-Flow plugin option ${key} in ${settingsLabel} must be between ${definition.min} and ${definition.max}`,
-          scope
-        );
-        continue;
-      }
-
-      if (typeof definition.max === "number" && value > definition.max) {
-        pushScopedWarning(
-          warnings,
-          invalidSettingKindForScope(scope),
-          `CurDX-Flow plugin option ${key} in ${settingsLabel} must be between ${definition.min} and ${definition.max}`,
-          scope
-        );
-        continue;
-      }
-    }
-
-    const overrideTarget = targetOverrides || target.overrides;
-    overrideTarget[key] = value;
-    if (scope === "managed") {
-      target.overrides[key] = value;
-    }
-    applyCurdxFlowPluginOptionOverride(pluginOptionsState, key, value, scope);
-  }
-}
-
-async function readManagedClaudeSettings(
-  pluginOptionsState,
-  warnings,
-  {
-    platform = process.platform,
-    env = process.env,
-    managedSettingsDir = resolveManagedSettingsRoot({ platform, env }),
-  } = {}
-) {
-  const state = {
-    supported: Boolean(managedSettingsDir),
-    rootPath: managedSettingsDir,
-    basePath: managedSettingsDir ? path.join(managedSettingsDir, "managed-settings.json") : null,
-    dropInPath: managedSettingsDir ? path.join(managedSettingsDir, "managed-settings.d") : null,
-    exists: false,
-    baseExists: false,
-    dropInDirExists: false,
-    files: [],
-  };
-
-  if (!managedSettingsDir) {
-    return state;
-  }
-
-  const fileQueue = [];
-
-  try {
-    const stat = await fs.stat(state.basePath);
-    if (stat.isFile()) {
-      state.baseExists = true;
-      state.exists = true;
-      fileQueue.push({
-        label: "managed-settings.json",
-        path: state.basePath,
-      });
-    }
-  } catch {}
-
-  try {
-    const stat = await fs.stat(state.dropInPath);
-    if (stat.isDirectory()) {
-      state.dropInDirExists = true;
-      const entries = (await fs.readdir(state.dropInPath))
-        .filter((name) => !name.startsWith(".") && name.endsWith(".json"))
-        .sort();
-      for (const name of entries) {
-        const absPath = path.join(state.dropInPath, name);
-        const entryStat = await fs.stat(absPath);
-        if (!entryStat.isFile()) continue;
-        state.exists = true;
-        fileQueue.push({
-          label: `managed-settings.d/${name}`,
-          path: absPath,
-        });
-      }
-    }
-  } catch {}
-
-  for (const file of fileQueue) {
-    const entry = {
-      label: file.label,
-      path: file.path,
-      invalid: false,
-      parseError: null,
-      overrides: {},
-    };
-
-    try {
-      const parsed = JSON.parse(await fs.readFile(file.path, "utf-8"));
-      auditCurdxFlowPluginOptions(parsed, warnings, pluginOptionsState, {
-        scope: "managed",
-        settingsLabel: file.label,
-        targetOverrides: entry.overrides,
-      });
-    } catch (error) {
-      entry.invalid = true;
-      entry.parseError = error?.message || String(error);
-    }
-
-    state.files.push(entry);
-    pluginOptionsState.managed.files.push({
-      label: entry.label,
-      path: entry.path,
-      overrides: { ...entry.overrides },
-      invalid: entry.invalid,
-      parseError: entry.parseError,
-    });
-  }
-
-  return state;
-}
-
-function auditLocalClaudeSettings(parsed, warnings) {
-  const scope = "local";
-  const permissions = parsed?.permissions && typeof parsed.permissions === "object"
-    ? parsed.permissions
-    : {};
-  const deny = Array.isArray(permissions.deny) ? permissions.deny : [];
-
-  if ("enabledPlugins" in parsed && (
-    !parsed.enabledPlugins ||
-    typeof parsed.enabledPlugins !== "object" ||
-    Array.isArray(parsed.enabledPlugins)
-  )) {
-    pushScopedWarning(
-      warnings,
-      "invalid-local-setting",
-      "enabledPlugins in settings.local.json must be an object keyed by plugin@marketplace id",
-      scope
-    );
-  }
-
-  const disabledPluginIds = disabledPluginIdsFromSettings(parsed.enabledPlugins);
-  if (disabledPluginIds.includes(CURDX_FLOW_PLUGIN_ID)) {
-    pushScopedWarning(
-      warnings,
-      "flow-runtime-blocker",
-      `settings.local.json disables CurDX-Flow for this machine: ${CURDX_FLOW_PLUGIN_ID}`,
-      scope
-    );
-  }
-
-  for (const pluginId of CURDX_FLOW_REQUIRED_PLUGIN_IDS) {
-    if (disabledPluginIds.includes(pluginId)) {
-      pushScopedWarning(
-        warnings,
-        "required-plugin-disabled",
-        `settings.local.json disables required CurDX-Flow companion plugin: ${pluginId}`,
-        scope
-      );
-    }
-  }
-
-  if (permissions.defaultMode === "bypassPermissions") {
-    pushScopedWarning(
-      warnings,
-      "bypass-default-mode",
-      'permissions.defaultMode in settings.local.json is "bypassPermissions"',
-      scope
-    );
-  }
-
-  if (permissions.defaultMode === "dontAsk") {
-    pushScopedWarning(
-      warnings,
-      "flow-runtime-blocker",
-      'permissions.defaultMode in settings.local.json is "dontAsk"; CurDX-Flow clarification and Agent dispatch prompts may be auto-denied',
-      scope
-    );
-  }
-
-  for (const rule of deny) {
-    if (isCurdxFlowAgentDeny(rule)) {
-      pushScopedWarning(
-        warnings,
-        "flow-runtime-blocker",
-        `settings.local.json deny rule blocks CurDX-Flow subagent dispatch: ${rule}`,
-        scope
-      );
-      continue;
-    }
-
-    if (isBroadToolDeny(rule)) {
-      pushScopedWarning(
-        warnings,
-        "flow-runtime-blocker",
-        `settings.local.json deny rule blocks a tool CurDX-Flow workflows require: ${rule}`,
-        scope
-      );
-    }
-  }
-
-  if (parsed.env && typeof parsed.env === "object" && !Array.isArray(parsed.env)) {
-    if (envFlagEnabled(parsed.env.CLAUDE_CODE_SIMPLE)) {
-      pushScopedWarning(
-        warnings,
-        "flow-runtime-blocker",
-        "settings.local.json env.CLAUDE_CODE_SIMPLE=1 enables bare/simple mode, disabling CurDX-Flow plugin, hook, skill, MCP, and CLAUDE.md discovery",
-        scope
-      );
-    }
-
-    if (envFlagEnabled(parsed.env.CLAUDE_CODE_SIMPLE_SYSTEM_PROMPT)) {
-      pushScopedWarning(
-        warnings,
-        "local-runtime-setting",
-        "settings.local.json env.CLAUDE_CODE_SIMPLE_SYSTEM_PROMPT=1 forces the minimal Claude system prompt for local sessions",
-        scope
-      );
-    }
-  }
-
-  if (parsed.disableAllHooks === true) {
-    pushScopedWarning(
-      warnings,
-      "flow-runtime-blocker",
-      "settings.local.json disableAllHooks disables CurDX-Flow stop/recovery hooks and plugin subagent status lines",
-      scope
-    );
-  }
-
-  if (parsed.disableSkillShellExecution === true) {
-    pushScopedWarning(
-      warnings,
-      "skill-shell-disabled",
-      "settings.local.json disableSkillShellExecution disables inline shell expansion in project/plugin skills and commands",
-      scope
-    );
-  }
-
-  if (Array.isArray(parsed.availableModels)) {
-    const missing = CURDX_FLOW_REQUIRED_MODEL_ALIASES.filter(
-      (modelAlias) => !parsed.availableModels.includes(modelAlias)
-    );
-    if (missing.length > 0) {
-      pushScopedWarning(
-        warnings,
-        "flow-runtime-blocker",
-        `settings.local.json availableModels excludes CurDX-Flow agent model aliases: ${missing.join(", ")}`,
-        scope
-      );
-    }
-  }
-
-  if ("agent" in parsed) {
-    if (typeof parsed.agent !== "string" || parsed.agent.trim().length === 0) {
-      pushScopedWarning(
-        warnings,
-        "invalid-local-setting",
-        "agent in settings.local.json must be a non-empty subagent name when set",
-        scope
-      );
-    } else {
-      pushScopedWarning(
-        warnings,
-        "flow-runtime-blocker",
-        `settings.local.json routes the main thread through subagent "${parsed.agent}", overriding CurDX-Flow prompt, tools, and model`,
-        scope
-      );
-    }
-  }
-
-  if ("sandbox" in parsed) {
-    if (!isNonArrayObject(parsed.sandbox)) {
-      pushScopedWarning(
-        warnings,
-        "invalid-local-setting",
-        "sandbox in settings.local.json must be an object when set",
-        scope
-      );
-    } else {
-      if (parsed.sandbox.failIfUnavailable === true) {
-        pushScopedWarning(
-          warnings,
-          "flow-runtime-blocker",
-          "settings.local.json sandbox.failIfUnavailable can prevent Claude Code startup on hosts where sandboxing is unavailable",
-          scope
-        );
-      }
-
-      const filesystem = isNonArrayObject(parsed.sandbox.filesystem)
-        ? parsed.sandbox.filesystem
-        : {};
-      if (hasProjectBlockingSandboxPath(filesystem.denyRead)) {
-        pushScopedWarning(
-          warnings,
-          "flow-runtime-blocker",
-          "settings.local.json sandbox.filesystem.denyRead blocks .flow/.git or the project root, which CurDX-Flow must inspect",
-          scope
-        );
-      }
-      if (hasProjectBlockingSandboxPath(filesystem.denyWrite)) {
-        pushScopedWarning(
-          warnings,
-          "flow-runtime-blocker",
-          "settings.local.json sandbox.filesystem.denyWrite blocks .flow/.git or the project root, which CurDX-Flow must update",
-          scope
-        );
-      }
-    }
-  }
-}
-
-export async function readProjectClaudeSettings(
-  cwd = process.cwd(),
-  {
-    homeDir = os.homedir(),
-    platform = process.platform,
-    env = process.env,
-    managedSettingsDir = resolveManagedSettingsRoot({ platform, env }),
-  } = {}
-) {
-  const settingsPath = path.join(cwd, ".claude", "settings.json");
-  const localSettingsPath = path.join(cwd, ".claude", "settings.local.json");
-  const userSettingsPath = path.join(homeDir, ".claude", "settings.json");
-  const state = {
-    managedSettings: {
-      supported: Boolean(managedSettingsDir),
-      rootPath: managedSettingsDir,
-      basePath: managedSettingsDir ? path.join(managedSettingsDir, "managed-settings.json") : null,
-      dropInPath: managedSettingsDir ? path.join(managedSettingsDir, "managed-settings.d") : null,
-      exists: false,
-      baseExists: false,
-      dropInDirExists: false,
-      files: [],
-    },
-    managedWarnings: [],
-    userExists: false,
-    userInvalid: false,
-    userParseError: null,
-    userWarnings: [],
-    exists: false,
-    localExists: false,
-    invalid: false,
-    parseError: null,
-    warnings: [],
-    localInvalid: false,
-    localParseError: null,
-    localWarnings: [],
-    pluginOptions: createCurdxFlowPluginOptionsState(),
-    pluginRuntimeProjection: [],
-  };
-
-  try {
-    const userStat = await fs.stat(userSettingsPath);
-    state.userExists = userStat.isFile();
-  } catch {
-    state.userExists = false;
-  }
-
-  try {
-    const localStat = await fs.stat(localSettingsPath);
-    state.localExists = localStat.isFile();
-  } catch {
-    state.localExists = false;
-  }
-
-  if (state.userExists) {
-    try {
-      const userParsed = JSON.parse(await fs.readFile(userSettingsPath, "utf-8"));
-      auditCurdxFlowPluginOptions(userParsed, state.userWarnings, state.pluginOptions, { scope: "user" });
-    } catch (error) {
-      state.userInvalid = true;
-      state.userParseError = error?.message || String(error);
-    }
-  }
-
-  let parsed;
-  try {
-    const stat = await fs.stat(settingsPath);
-    if (!stat.isFile()) {
-      parsed = null;
-    } else {
-      state.exists = true;
-      parsed = JSON.parse(await fs.readFile(settingsPath, "utf-8"));
-    }
-  } catch (error) {
-    if (error?.code !== "ENOENT") {
-      state.invalid = true;
-      state.parseError = error.message;
-      return state;
-    }
-  }
-
-  if (state.exists) {
-    const permissions = parsed?.permissions && typeof parsed.permissions === "object"
-      ? parsed.permissions
-      : {};
-    const allow = Array.isArray(permissions.allow) ? permissions.allow : [];
-    const deny = Array.isArray(permissions.deny) ? permissions.deny : [];
-
-    auditCurdxFlowPluginOptions(parsed, state.warnings, state.pluginOptions, { scope: "project" });
-
-    if ("enabledPlugins" in parsed && (
-      !parsed.enabledPlugins ||
-      typeof parsed.enabledPlugins !== "object" ||
-      Array.isArray(parsed.enabledPlugins)
-    )) {
-      pushScopedWarning(
-        state.warnings,
-        "invalid-project-setting",
-        "enabledPlugins must be an object keyed by plugin@marketplace id"
-      );
-    }
-
-    const disabledPluginIds = disabledPluginIdsFromSettings(parsed.enabledPlugins);
-    if (disabledPluginIds.includes(CURDX_FLOW_PLUGIN_ID)) {
-      state.warnings.push({
-        kind: "flow-runtime-blocker",
-        message: `enabledPlugins disables CurDX-Flow in this project: ${CURDX_FLOW_PLUGIN_ID}`,
-      });
-    }
-
-    for (const pluginId of CURDX_FLOW_REQUIRED_PLUGIN_IDS) {
-      if (disabledPluginIds.includes(pluginId)) {
-        state.warnings.push({
-          kind: "required-plugin-disabled",
-          message: `enabledPlugins disables required CurDX-Flow companion plugin: ${pluginId}`,
-        });
-      }
-    }
-
-    if (permissions.defaultMode === "bypassPermissions") {
-      state.warnings.push({
-        kind: "bypass-default-mode",
-        message: 'permissions.defaultMode is "bypassPermissions"',
-      });
-    }
-
-    if (permissions.defaultMode === "dontAsk") {
-      state.warnings.push({
-        kind: "flow-runtime-blocker",
-        message: 'permissions.defaultMode is "dontAsk"; CurDX-Flow clarification and Agent dispatch prompts may be auto-denied',
-      });
-    }
-
-    if (permissions.skipDangerousModePermissionPrompt === true) {
-      state.warnings.push({
-        kind: "ignored-project-setting",
-        message: "permissions.skipDangerousModePermissionPrompt is ignored in project settings; move it to user or local settings",
-      });
-    }
-
-    for (const rule of allow) {
-      if (rule === "Bash" || rule === "Bash(*)" || rule === "*" || rule === "Read(**)") {
-        state.warnings.push({
-          kind: "broad-allow-rule",
-          message: `overbroad allow rule: ${rule}`,
-        });
-      }
-    }
-
-    for (const rule of deny) {
-      if (isCurdxFlowAgentDeny(rule)) {
-        state.warnings.push({
-          kind: "flow-runtime-blocker",
-          message: `deny rule blocks CurDX-Flow subagent dispatch: ${rule}`,
-        });
-        continue;
-      }
-
-      if (isBroadToolDeny(rule)) {
-        state.warnings.push({
-          kind: "flow-runtime-blocker",
-          message: `deny rule blocks a tool CurDX-Flow workflows require: ${rule}`,
-        });
-      }
-    }
-
-    const sensitiveDenyPatterns = ["Read(./.env)", "Read(./.env.*)"];
-    for (const pattern of sensitiveDenyPatterns) {
-      if (!deny.includes(pattern)) {
-        state.warnings.push({
-          kind: "missing-sensitive-deny",
-          message: `missing recommended deny rule: ${pattern}`,
-        });
-      }
-    }
-
-    for (const setting of PROJECT_ONLY_IGNORED_SETTINGS) {
-      if (setting.key in parsed) {
-        state.warnings.push({
-          kind: setting.kind,
-          message: setting.message,
-        });
-      }
-    }
-
-    for (const key of MANAGED_ONLY_SETTINGS) {
-      if (key in parsed) {
-        state.warnings.push({
-          kind: "managed-only-setting",
-          message: `${key} only applies from managed settings; remove it from shared project settings`,
-        });
-      }
-    }
-
-    for (const setting of SHARED_SCRIPT_SETTINGS) {
-      if (setting.key in parsed) {
-        state.warnings.push({
-          kind: setting.kind,
-          message: setting.message,
-        });
-      }
-    }
-
-    if (parsed.fileSuggestion?.type === "command" && parsed.fileSuggestion.command) {
-      state.warnings.push({
-        kind: "shared-script-setting",
-        message: "fileSuggestion.command runs a local script from shared project settings",
-      });
-    }
-
-    if (parsed.statusLine?.type === "command" && parsed.statusLine.command) {
-      state.warnings.push({
-        kind: "shared-script-setting",
-        message: "statusLine.command runs a local script from shared project settings",
-      });
-    }
-
-    if (parsed.env && typeof parsed.env === "object" && !Array.isArray(parsed.env)) {
-      state.warnings.push({
-        kind: "shared-env-setting",
-        message: "env injects shared environment variables into every session; avoid machine-specific values or secrets",
-      });
-
-      if (envFlagEnabled(parsed.env.CLAUDE_CODE_SIMPLE)) {
-        state.warnings.push({
-          kind: "flow-runtime-blocker",
-          message: "env.CLAUDE_CODE_SIMPLE=1 enables bare/simple mode, disabling CurDX-Flow plugin, hook, skill, MCP, and CLAUDE.md discovery",
-        });
-      }
-
-      if (envFlagEnabled(parsed.env.CLAUDE_CODE_SIMPLE_SYSTEM_PROMPT)) {
-        state.warnings.push({
-          kind: "shared-env-setting",
-          message: "env.CLAUDE_CODE_SIMPLE_SYSTEM_PROMPT=1 forces the minimal Claude system prompt for every collaborator session",
-        });
-      }
-
-      const effortEnv = normalizedEnvValue(parsed.env.CLAUDE_CODE_EFFORT_LEVEL);
-      if (effortEnv && !ENV_EFFORT_LEVELS.includes(effortEnv)) {
-        state.warnings.push({
-          kind: "invalid-project-setting",
-          message: `env.CLAUDE_CODE_EFFORT_LEVEL must be one of ${ENV_EFFORT_LEVELS.join(", ")}`,
-        });
-      } else if (effortEnv === "low" || effortEnv === "medium") {
-        state.warnings.push({
-          kind: "low-effort-project-setting",
-          message: `env.CLAUDE_CODE_EFFORT_LEVEL=${effortEnv} lowers reasoning for every collaborator session`,
-        });
-      }
-
-      if ("CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS" in parsed.env) {
-        state.warnings.push({
-          kind: "shared-env-setting",
-          message: "env.CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS shares an experimental Claude runtime flag across this project",
-        });
-      }
-    }
-
-    if (parsed.disableAllHooks === true) {
-      state.warnings.push({
-        kind: "flow-runtime-blocker",
-        message: "disableAllHooks disables CurDX-Flow stop/recovery hooks and plugin subagent status lines",
-      });
-    }
-
-    if (parsed.disableSkillShellExecution === true) {
-      state.warnings.push({
-        kind: "skill-shell-disabled",
-        message: "disableSkillShellExecution disables inline shell expansion in project/plugin skills and commands",
-      });
-    }
-
-    for (const key of HTTP_HOOK_SETTINGS) {
-      if (!(key in parsed)) continue;
-      if (!Array.isArray(parsed[key])) {
-        state.warnings.push({
-          kind: "invalid-project-setting",
-          message: `${key} must be an array when set in settings.json`,
-        });
-        continue;
-      }
-      if (parsed[key].length === 0) {
-        state.warnings.push({
-          kind: "shared-hook-policy",
-          message: `${key} is an empty allowlist; matching HTTP hook behavior is blocked`,
-        });
-      }
-    }
-
-    if (Array.isArray(parsed.availableModels)) {
-      const missing = CURDX_FLOW_REQUIRED_MODEL_ALIASES.filter(
-        (modelAlias) => !parsed.availableModels.includes(modelAlias)
-      );
-      if (missing.length > 0) {
-        state.warnings.push({
-          kind: "flow-runtime-blocker",
-          message: `availableModels excludes CurDX-Flow agent model aliases: ${missing.join(", ")}`,
-        });
-      }
-    }
-
-    if ("agent" in parsed) {
-      if (typeof parsed.agent !== "string" || parsed.agent.trim().length === 0) {
-        state.warnings.push({
-          kind: "invalid-project-setting",
-          message: "agent must be a non-empty subagent name when set in settings.json",
-        });
-      } else {
-        state.warnings.push({
-          kind: "flow-runtime-blocker",
-          message: `agent routes the main thread through subagent "${parsed.agent}", overriding CurDX-Flow prompt, tools, and model`,
-        });
-      }
-    }
-
-    if ("effortLevel" in parsed) {
-      if (parsed.effortLevel === "max") {
-        state.warnings.push({
-          kind: "invalid-project-setting",
-          message:
-            "effortLevel in settings.json only supports low, medium, high, or xhigh; use /effort max or CLAUDE_CODE_EFFORT_LEVEL for session-only max",
-        });
-      } else if (!PERSISTED_EFFORT_LEVELS.includes(parsed.effortLevel)) {
-        state.warnings.push({
-          kind: "invalid-project-setting",
-          message:
-            "effortLevel in settings.json must be one of low, medium, high, or xhigh",
-        });
-      } else if (parsed.effortLevel === "low" || parsed.effortLevel === "medium") {
-        state.warnings.push({
-          kind: "low-effort-project-setting",
-          message: `effortLevel ${parsed.effortLevel} is shared at project scope; CurDX-Flow planning/review turns may need higher reasoning`,
-        });
-      }
-    }
-
-    if ("sandbox" in parsed) {
-      if (!isNonArrayObject(parsed.sandbox)) {
-        state.warnings.push({
-          kind: "invalid-project-setting",
-          message: "sandbox must be an object when set in settings.json",
-        });
-      } else {
-        if (parsed.sandbox.failIfUnavailable === true) {
-          state.warnings.push({
-            kind: "flow-runtime-blocker",
-            message: "sandbox.failIfUnavailable can prevent Claude Code startup on hosts where sandboxing is unavailable",
-          });
-        }
-        if (parsed.sandbox.allowUnsandboxedCommands === false) {
-          state.warnings.push({
-            kind: "shared-sandbox-policy",
-            message: "sandbox.allowUnsandboxedCommands=false disables the unsandboxed Bash escape hatch for this project",
-          });
-        }
-
-        const filesystem = isNonArrayObject(parsed.sandbox.filesystem)
-          ? parsed.sandbox.filesystem
-          : {};
-        if (hasProjectBlockingSandboxPath(filesystem.denyRead)) {
-          state.warnings.push({
-            kind: "flow-runtime-blocker",
-            message: "sandbox.filesystem.denyRead blocks .flow/.git or the project root, which CurDX-Flow must inspect",
-          });
-        }
-        if (hasProjectBlockingSandboxPath(filesystem.denyWrite)) {
-          state.warnings.push({
-            kind: "flow-runtime-blocker",
-            message: "sandbox.filesystem.denyWrite blocks .flow/.git or the project root, which CurDX-Flow must update",
-          });
-        }
-
-        const network = isNonArrayObject(parsed.sandbox.network)
-          ? parsed.sandbox.network
-          : {};
-        if (Array.isArray(network.allowedDomains) && network.allowedDomains.length === 0) {
-          state.warnings.push({
-            kind: "shared-sandbox-policy",
-            message: "sandbox.network.allowedDomains is empty; sandboxed commands have no outbound network access",
-          });
-        }
-      }
-    }
-
-    if (parsed.enableAllProjectMcpServers === true) {
-      state.warnings.push({
-        kind: "shared-mcp-auto-approve",
-        message: "enableAllProjectMcpServers auto-approves every project MCP server",
-      });
-    }
-
-    if (Array.isArray(parsed.enabledMcpjsonServers) && parsed.enabledMcpjsonServers.length > 0) {
-      state.warnings.push({
-        kind: "shared-mcp-auto-approve",
-        message: `enabledMcpjsonServers auto-approves project MCP servers: ${parsed.enabledMcpjsonServers.join(", ")}`,
-      });
-    }
-
-    if ("includeCoAuthoredBy" in parsed) {
-      state.warnings.push({
-        kind: "deprecated-setting",
-        message: "includeCoAuthoredBy is deprecated; migrate to attribution",
-      });
-    }
-  }
-
-  if (state.localExists) {
-    try {
-      const localParsed = JSON.parse(await fs.readFile(localSettingsPath, "utf-8"));
-      auditCurdxFlowPluginOptions(localParsed, state.localWarnings, state.pluginOptions, { scope: "local" });
-      auditLocalClaudeSettings(localParsed, state.localWarnings);
-    } catch (error) {
-      state.localInvalid = true;
-      state.localParseError = error?.message || String(error);
-    }
-  }
-
-  state.managedSettings = await readManagedClaudeSettings(
-    state.pluginOptions,
-    state.managedWarnings,
-    {
-      platform,
-      env,
-      managedSettingsDir,
-    }
-  );
-
-  state.pluginRuntimeProjection = buildCurdxFlowRuntimeProjection(state.pluginOptions);
-
-  return state;
-}