npm - @esoteric-logic/praxis-harness - Versions diffs - 2.9.0 → 2.9.1 - Mend

@esoteric-logic/praxis-harness 2.9.0 → 2.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/base/hooks/auto-format.sh +1 -0
package/base/hooks/dep-audit.sh +20 -7
package/base/hooks/session-data-collect.sh +1 -0
package/base/hooks/vault-checkpoint.sh +1 -0
package/base/lib/kit-check.sh +42 -0
package/base/lib/output.sh +38 -0
package/bin/praxis-preflight.sh +5 -8
package/kits/api/install.sh +3 -16
package/kits/code-quality/hooks/pre-push.sh +31 -8
package/kits/data/install.sh +6 -19
package/kits/infrastructure/install.sh +2 -20
package/kits/security/install.sh +5 -18
package/package.json +1 -1
package/scripts/onboard-mcp.sh +3 -18

package/base/hooks/auto-format.sh CHANGED Viewed

@@ -2,6 +2,7 @@
 # PostToolUse hook — auto-formats files after edit.
 # Always exits 0 (advisory, never blocks).
 set -uo pipefail
+trap 'exit 0' ERR
 INPUT=$(cat)
 FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // empty' 2>/dev/null)

package/base/hooks/dep-audit.sh CHANGED Viewed

@@ -2,7 +2,8 @@
 # dep-audit.sh — PostToolUse:Write|Edit|MultiEdit hook
 # Runs dependency vulnerability checks when manifest files are modified.
 # Always exits 0 (advisory only — PostToolUse cannot hard-block).
-set -euo pipefail
+set -uo pipefail
+trap 'exit 0' ERR
 INPUT=$(cat)
 FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // empty' 2>/dev/null)
@@ -20,28 +21,40 @@ case "$BASENAME" in
   package.json)
     ECOSYSTEM="npm"
     if command -v npm &>/dev/null && [[ -f "$DIR/package-lock.json" || -f "$DIR/node_modules/.package-lock.json" ]]; then
-      AUDIT_RESULT=$(cd "$DIR" && npm audit --audit-level=high --json 2>/dev/null || true)
+      # npm audit exits non-zero when vulnerabilities exist — capture output regardless
+      AUDIT_RESULT=$(cd "$DIR" && npm audit --audit-level=high --json 2>/dev/null) || {
+        if [[ -n "$AUDIT_RESULT" ]]; then
+          : # non-zero with output = vulnerabilities found (expected)
+        else
+          echo "DEP-AUDIT (npm): audit command failed" >&2
+        fi
+      }
     fi
     ;;
   go.mod)
     ECOSYSTEM="go"
     if command -v govulncheck &>/dev/null; then
-      AUDIT_RESULT=$(cd "$DIR" && govulncheck -json ./... 2>/dev/null || true)
+      AUDIT_RESULT=$(cd "$DIR" && govulncheck -json ./... 2>/dev/null) || {
+        [[ -z "$AUDIT_RESULT" ]] && echo "DEP-AUDIT (go): govulncheck failed" >&2
+      }
     elif command -v go &>/dev/null; then
-      # Fallback: at least check for known issues via go list
-      AUDIT_RESULT=$(cd "$DIR" && go list -m -json all 2>/dev/null | head -c 5000 || true)
+      AUDIT_RESULT=$(cd "$DIR" && go list -m -json all 2>/dev/null | head -c 5000) || AUDIT_RESULT=""
     fi
     ;;
   requirements.txt|pyproject.toml)
     ECOSYSTEM="python"
     if command -v pip-audit &>/dev/null; then
-      AUDIT_RESULT=$(cd "$DIR" && pip-audit --format=json 2>/dev/null || true)
+      AUDIT_RESULT=$(cd "$DIR" && pip-audit --format=json 2>/dev/null) || {
+        [[ -z "$AUDIT_RESULT" ]] && echo "DEP-AUDIT (python): pip-audit failed" >&2
+      }
     fi
     ;;
   Cargo.toml)
     ECOSYSTEM="rust"
     if command -v cargo-audit &>/dev/null; then
-      AUDIT_RESULT=$(cd "$DIR" && cargo audit --json 2>/dev/null || true)
+      AUDIT_RESULT=$(cd "$DIR" && cargo audit --json 2>/dev/null) || {
+        [[ -z "$AUDIT_RESULT" ]] && echo "DEP-AUDIT (rust): cargo-audit failed" >&2
+      }
     fi
     ;;
   *)

package/base/hooks/session-data-collect.sh CHANGED Viewed

@@ -2,6 +2,7 @@
 # Stop hook — collects structured session data and stages it for the Stop prompt.
 # Always exits 0 (advisory, never blocks session end).
 set -uo pipefail
+trap 'exit 0' ERR
 CONFIG_FILE="$HOME/.claude/praxis.config.json"

package/base/hooks/vault-checkpoint.sh CHANGED Viewed

@@ -2,6 +2,7 @@
 # PreCompact hook — writes minimal checkpoint to vault before context compaction.
 # Always exits 0 (advisory, never blocks compaction).
 set -uo pipefail
+trap 'exit 0' ERR
 CONFIG_FILE="$HOME/.claude/praxis.config.json"

package/base/lib/kit-check.sh ADDED Viewed

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+# ════════════════════════════════════════════════════════════════
+#  Praxis — Shared Kit Install Check
+#  Source this file in kit install.sh scripts for consistent
+#  tool-checking output and counters.
+#
+#  Usage:
+#    source "$(dirname "$0")/../../base/lib/kit-check.sh"
+#    check "jq"      "brew install jq"
+#    check "curl"    "pre-installed on macOS/Linux"
+#    kit_check_summary
+# ════════════════════════════════════════════════════════════════
+KIT_CHECK_PASS=0
+KIT_CHECK_TOTAL=0
+check() {
+  local cmd="$1"
+  local install_hint="$2"
+  local optional="${3:-}"
+  KIT_CHECK_TOTAL=$((KIT_CHECK_TOTAL + 1))
+  if command -v "$cmd" &>/dev/null; then
+    echo "  ✓ $cmd found ($(command -v "$cmd"))"
+    KIT_CHECK_PASS=$((KIT_CHECK_PASS + 1))
+  else
+    if [[ "$optional" == "optional" ]]; then
+      echo "  ⚠ $cmd not found (optional)"
+    else
+      echo "  ✗ $cmd not found"
+    fi
+    echo "    Install: $install_hint"
+  fi
+}
+kit_check_summary() {
+  echo ""
+  echo "  $KIT_CHECK_PASS/$KIT_CHECK_TOTAL tools found"
+  if [[ $KIT_CHECK_PASS -lt $KIT_CHECK_TOTAL ]]; then
+    echo "  ⚠ Some tools missing. Install them before using kit commands."
+  fi
+}

package/base/lib/output.sh ADDED Viewed

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# ═══════��════════════════════════════════════════════════════════
+#  Praxis — Shared Output Helpers
+#  Source this file instead of defining colors/helpers inline.
+#
+#  Usage:
+#    source "$(dirname "$0")/../base/lib/output.sh"
+#    # or with absolute path:
+#    source "$HOME/.claude/lib/output.sh"
+#
+#  Safe to source multiple times — guards against redefinition.
+# ════��═══════════════════════════════════════════════════════════
+# ─── Colors (skip if already set) ───
+RED="${RED:-\033[0;31m}"
+GREEN="${GREEN:-\033[0;32m}"
+YELLOW="${YELLOW:-\033[0;33m}"
+CYAN="${CYAN:-\033[0;36m}"
+BOLD="${BOLD:-\033[1m}"
+DIM="${DIM:-\033[2m}"
+NC="${NC:-\033[0m}"
+# ─── Output helpers (skip if already defined) ───
+if ! declare -f ok &>/dev/null; then
+  ok()   { echo -e "  ${GREEN}✓${NC} $1"; }
+fi
+if ! declare -f warn &>/dev/null; then
+  warn() { echo -e "  ${YELLOW}⚠${NC} $1"; }
+fi
+if ! declare -f fail &>/dev/null; then
+  fail() { echo -e "  ${RED}✗${NC} $1"; }
+fi
+if ! declare -f step &>/dev/null; then
+  step() { echo -e "\n${CYAN}${BOLD}$1${NC}"; }
+fi
+if ! declare -f dim &>/dev/null; then
+  dim()  { echo -e "  ${DIM}$1${NC}"; }
+fi

package/bin/praxis-preflight.sh CHANGED Viewed

@@ -4,13 +4,10 @@
 # Also implements: set-key subcommand for secret management.
 set -euo pipefail
-# ─── Colors ───
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[0;33m'
-CYAN='\033[0;36m'
-BOLD='\033[1m'
-NC='\033[0m'
+# ─── Colors (shared) ───
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_DIR="$(dirname "$SCRIPT_DIR")"
+source "$REPO_DIR/base/lib/output.sh"
 PASS=0
 WARN=0
@@ -19,10 +16,10 @@ PRAXIS_DIR="$HOME/.praxis"
 SECRETS_FILE="$PRAXIS_DIR/secrets"
 REPORT_FILE="$PRAXIS_DIR/preflight-report.json"
+# Override shared helpers with counter-incrementing versions
 ok()   { echo -e "  ${GREEN}✓${NC} $1"; PASS=$((PASS + 1)); }
 warn() { echo -e "  ${YELLOW}⚠${NC} $1"; WARN=$((WARN + 1)); }
 fail() { echo -e "  ${RED}✗${NC} $1"; BLOCK=$((BLOCK + 1)); }
-step() { echo -e "\n${CYAN}${BOLD}$1${NC}"; }
 # ═══════════════════════════════════════════
 # Subcommand: set-key

package/kits/api/install.sh CHANGED Viewed

@@ -4,19 +4,7 @@ set -euo pipefail
 echo "=== Praxis: Installing api kit ==="
 echo ""
-PASS=0
-TOTAL=0
-check() {
-  TOTAL=$((TOTAL + 1))
-  if command -v "$1" &>/dev/null; then
-    echo "  ✓ $1 found ($(command -v "$1"))"
-    PASS=$((PASS + 1))
-  else
-    echo "  ✗ $1 not found"
-    echo "    Install: $2"
-  fi
-}
+source "$(dirname "$0")/../../base/lib/kit-check.sh"
 echo "Checking optional CLI tools..."
 echo ""
@@ -24,10 +12,9 @@ echo ""
 check "jq"      "brew install jq  OR  apt-get install jq"
 check "curl"    "pre-installed on macOS/Linux"
-echo ""
-echo "  $PASS/$TOTAL tools found"
-echo ""
+kit_check_summary
+echo ""
 echo "Note: This kit uses Claude's built-in analysis capabilities."
 echo "No external API linting tools required."
 echo ""

package/kits/code-quality/hooks/pre-push.sh CHANGED Viewed

@@ -8,6 +8,25 @@ BASELINE="$REPO_ROOT/.quality-baseline.json"
 TMP="/tmp/praxis-quality-$$"
 mkdir -p "$TMP"
+# Safe jq wrapper: validates JSON before querying; returns fallback on parse failure
+# and logs a warning so gate operators know a scan produced bad output.
+safe_jq() {
+  local query="$1"
+  local file="$2"
+  local fallback="${3:-0}"
+  if [[ ! -s "$file" ]]; then
+    echo "$fallback"
+    return
+  fi
+  if ! jq empty "$file" 2>/dev/null; then
+    echo "  ⚠ WARNING: $file is not valid JSON — treating as scan failure" >&2
+    GATE_WARNINGS+=("PARSE: $(basename "$file") produced invalid output")
+    echo "$fallback"
+    return
+  fi
+  jq -r "$query" "$file" 2>/dev/null || echo "$fallback"
+}
 echo ""
 echo "Praxis Code Quality Gate"
 echo "------------------------"
@@ -32,8 +51,8 @@ if [ -s "$TMP/code-files.txt" ]; then
   FILES=$(cat "$TMP/code-files.txt" | tr '\n' ' ')
   opengrep scan --config auto --json $FILES > "$TMP/sast.json" 2>/dev/null || true
-  CRITICAL=$(jq '[.results[] | select(.extra.severity == "ERROR")] | length' "$TMP/sast.json" 2>/dev/null || echo 0)
-  HIGH=$(jq '[.results[] | select(.extra.severity == "WARNING")] | length' "$TMP/sast.json" 2>/dev/null || echo 0)
+  CRITICAL=$(safe_jq '[.results[] | select(.extra.severity == "ERROR")] | length' "$TMP/sast.json")
+  HIGH=$(safe_jq '[.results[] | select(.extra.severity == "WARNING")] | length' "$TMP/sast.json")
   [ "$CRITICAL" -gt 0 ] && GATE_FAILURES+=("SAST: $CRITICAL critical findings")
   [ "$HIGH" -gt 0 ]     && GATE_WARNINGS+=("SAST: $HIGH high findings")
@@ -44,7 +63,11 @@ SAST_PID=$!
 # -- SECRETS (TruffleHog) --
 echo "  Secrets scan (TruffleHog)..."
 trufflehog git file://. --since-commit HEAD~1 --only-verified --json > "$TMP/secrets.json" 2>/dev/null || true
-SECRETS=$(jq -s 'length' "$TMP/secrets.json" 2>/dev/null || echo 0)
+if [[ -s "$TMP/secrets.json" ]]; then
+  SECRETS=$(jq -s 'length' "$TMP/secrets.json" 2>/dev/null || echo 0)
+else
+  SECRETS=0
+fi
 [ "$SECRETS" -gt 0 ] && GATE_FAILURES+=("SECRETS: $SECRETS verified secrets found")
 echo "     Verified secrets: $SECRETS" &
 SECRETS_PID=$!
@@ -52,8 +75,8 @@ SECRETS_PID=$!
 # -- SCA (OSV-Scanner) --
 echo "  Dependency scan (OSV-Scanner)..."
 osv-scanner scan --format json "$REPO_ROOT" > "$TMP/sca.json" 2>/dev/null || true
-SCA_CRITICAL=$(jq '[.vulns[]? | select(.database_specific.severity? == "CRITICAL")] | length' "$TMP/sca.json" 2>/dev/null || echo 0)
-SCA_HIGH=$(jq '[.vulns[]? | select(.database_specific.severity? == "HIGH")] | length' "$TMP/sca.json" 2>/dev/null || echo 0)
+SCA_CRITICAL=$(safe_jq '[.vulns[]? | select(.database_specific.severity? == "CRITICAL")] | length' "$TMP/sca.json")
+SCA_HIGH=$(safe_jq '[.vulns[]? | select(.database_specific.severity? == "HIGH")] | length' "$TMP/sca.json")
 [ "$SCA_CRITICAL" -gt 0 ] && GATE_FAILURES+=("SCA: $SCA_CRITICAL critical CVEs in dependencies")
 [ "$SCA_HIGH" -gt 0 ]     && GATE_WARNINGS+=("SCA: $SCA_HIGH high CVEs in dependencies")
 echo "     Critical CVEs: $SCA_CRITICAL  High CVEs: $SCA_HIGH" &
@@ -63,7 +86,7 @@ SCA_PID=$!
 if [ -s "$TMP/iac-files.txt" ]; then
   echo "  IaC scan (Checkov)..."
   checkov -d "$REPO_ROOT" --output json --quiet --compact 2>/dev/null > "$TMP/iac.json" || true
-  IaC_FAIL=$(jq '.results.failed_checks | length' "$TMP/iac.json" 2>/dev/null || echo 0)
+  IaC_FAIL=$(safe_jq '.results.failed_checks | length' "$TMP/iac.json")
   [ "$IaC_FAIL" -gt 0 ] && GATE_WARNINGS+=("IaC: $IaC_FAIL policy violations")
   echo "     Policy violations: $IaC_FAIL"
 fi &
@@ -73,9 +96,9 @@ IaC_PID=$!
 wait $SAST_PID $SECRETS_PID $SCA_PID $IaC_PID 2>/dev/null || true
 # -- COVERAGE --
-COVERAGE_THRESHOLD=$(jq -r '.coverage.line_min' "$CONFIG" 2>/dev/null || echo 80)
+COVERAGE_THRESHOLD=$(safe_jq '.coverage.line_min' "$CONFIG" 80)
 if [ -f "$REPO_ROOT/coverage/coverage-summary.json" ]; then
-  COVERAGE=$(jq '.total.lines.pct' "$REPO_ROOT/coverage/coverage-summary.json" 2>/dev/null || echo 100)
+  COVERAGE=$(safe_jq '.total.lines.pct' "$REPO_ROOT/coverage/coverage-summary.json" 100)
   BELOW=$(echo "$COVERAGE < $COVERAGE_THRESHOLD" | bc -l 2>/dev/null || echo 0)
   [ "$BELOW" = "1" ] && GATE_WARNINGS+=("COVERAGE: ${COVERAGE}% below threshold ${COVERAGE_THRESHOLD}%")
   echo "  Coverage: ${COVERAGE}% (threshold: ${COVERAGE_THRESHOLD}%)"

package/kits/data/install.sh CHANGED Viewed

@@ -4,32 +4,19 @@ set -euo pipefail
 echo "=== Praxis: Installing data kit ==="
 echo ""
-PASS=0
-TOTAL=0
-check() {
-  TOTAL=$((TOTAL + 1))
-  if command -v "$1" &>/dev/null; then
-    echo "  ✓ $1 found ($(command -v "$1"))"
-    PASS=$((PASS + 1))
-  else
-    echo "  ✗ $1 not found (optional)"
-    echo "    Install: $2"
-  fi
-}
+source "$(dirname "$0")/../../base/lib/kit-check.sh"
 echo "Checking optional CLI tools..."
 echo ""
-check "psql"    "brew install postgresql  OR  apt-get install postgresql-client"
-check "mysql"   "brew install mysql-client  OR  apt-get install mysql-client"
-check "mongosh" "brew install mongosh  OR  https://www.mongodb.com/try/download/shell"
+check "psql"    "brew install postgresql  OR  apt-get install postgresql-client" "optional"
+check "mysql"   "brew install mysql-client  OR  apt-get install mysql-client" "optional"
+check "mongosh" "brew install mongosh  OR  https://www.mongodb.com/try/download/shell" "optional"
 check "jq"      "brew install jq  OR  apt-get install jq"
-echo ""
-echo "  $PASS/$TOTAL tools found"
-echo ""
+kit_check_summary
+echo ""
 echo "Note: This kit uses Claude's built-in analysis for schema and query review."
 echo "Database CLI tools are needed only for live query testing."
 echo ""

package/kits/infrastructure/install.sh CHANGED Viewed

@@ -4,19 +4,7 @@ set -euo pipefail
 echo "=== Praxis: Installing infrastructure kit ==="
 echo ""
-PASS=0
-TOTAL=0
-check() {
-  TOTAL=$((TOTAL + 1))
-  if command -v "$1" &>/dev/null; then
-    echo "  ✓ $1 found ($(command -v "$1"))"
-    PASS=$((PASS + 1))
-  else
-    echo "  ✗ $1 not found"
-    echo "    Install: $2"
-  fi
-}
+source "$(dirname "$0")/../../base/lib/kit-check.sh"
 echo "Checking required CLI tools..."
 echo ""
@@ -26,13 +14,7 @@ check "terraform"  "https://developer.hashicorp.com/terraform/install"
 check "tflint"     "brew install tflint  OR  https://github.com/terraform-linters/tflint"
 check "jq"         "brew install jq  OR  apt-get install jq"
-echo ""
-echo "  $PASS/$TOTAL tools found"
-echo ""
-if [[ $PASS -lt $TOTAL ]]; then
-  echo "  ⚠ Some tools missing. Install them before using infrastructure commands."
-fi
+kit_check_summary
 echo ""
 echo "Note: Skills chain phases are status: planned."

package/kits/security/install.sh CHANGED Viewed

@@ -4,31 +4,18 @@ set -euo pipefail
 echo "=== Praxis: Installing security kit ==="
 echo ""
-PASS=0
-TOTAL=0
-check() {
-  TOTAL=$((TOTAL + 1))
-  if command -v "$1" &>/dev/null; then
-    echo "  ✓ $1 found ($(command -v "$1"))"
-    PASS=$((PASS + 1))
-  else
-    echo "  ✗ $1 not found (optional)"
-    echo "    Install: $2"
-  fi
-}
+source "$(dirname "$0")/../../base/lib/kit-check.sh"
 echo "Checking optional CLI tools..."
 echo ""
-check "trivy"     "brew install trivy  OR  https://aquasecurity.github.io/trivy"
-check "deepsource" "curl -fsSL https://cli.deepsource.com/install | sh"
+check "trivy"     "brew install trivy  OR  https://aquasecurity.github.io/trivy" "optional"
+check "deepsource" "curl -fsSL https://cli.deepsource.com/install | sh" "optional"
 check "rg"        "brew install ripgrep  OR  apt-get install ripgrep"
-echo ""
-echo "  $PASS/$TOTAL tools found"
-echo ""
+kit_check_summary
+echo ""
 echo "Note: This kit uses Claude's built-in analysis for most checks."
 echo "External tools enhance scanning but are not required."
 echo ""

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@esoteric-logic/praxis-harness",
-  "version": "2.9.0",
+  "version": "2.9.1",
   "description": "Layered Claude Code harness — workflow discipline, AI-Kits, persistent vault integration",
   "bin": {
     "praxis-harness": "./bin/praxis.js"

package/scripts/onboard-mcp.sh CHANGED Viewed

@@ -20,24 +20,9 @@ set -euo pipefail
 CLAUDE_DIR="${CLAUDE_DIR:-$HOME/.claude}"
 CONFIG_FILE="${CONFIG_FILE:-$CLAUDE_DIR/praxis.config.json}"
-# ─── Colors (safe defaults if not already set) ───
-RED="${RED:-\033[0;31m}"
-GREEN="${GREEN:-\033[0;32m}"
-YELLOW="${YELLOW:-\033[0;33m}"
-CYAN="${CYAN:-\033[0;36m}"
-BOLD="${BOLD:-\033[1m}"
-NC="${NC:-\033[0m}"
-# ─── Output helpers (no-op if already defined by install.sh) ───
-if ! declare -f ok &>/dev/null; then
-  ok()   { echo -e "  $GREEN✓$NC $1"; }
-fi
-if ! declare -f warn &>/dev/null; then
-  warn() { echo -e "  $YELLOW⚠$NC $1"; }
-fi
-if ! declare -f fail &>/dev/null; then
-  fail() { echo -e "  $RED✗$NC $1"; }
-fi
+# ─── Colors & output helpers (safe to source multiple times) ───
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/../base/lib/output.sh"
 # ═══════════════════════════════════════════
 # Utilities