@friedbotstudio/create-baseline 0.1.0

package/obj/template/.claude/hooks/artifact_template_guard.sh

@@ -0,0 +1,141 @@
+#!/usr/bin/env bash
+# Artifact Template Guard — PreToolUse(Write|Edit|MultiEdit)
+#
+# Enforces that writes to docs/{intake,brd,specs,rca}/*.md include every
+# required section heading for that artifact type. Required sections come
+# from .claude/project.json → artifacts.required_sections.<type>.
+#
+# Template files (any basename starting with "_TEMPLATE_") are exempt — they
+# ARE the canonical structure, and edits to them shouldn't self-check.
+# Also exempt: writes where the proposed content is empty/whitespace only
+# (the guard intervenes on substantive writes, not touch/clear operations).
+#
+# The guard inspects *proposed content* (what the tool is about to write),
+# not the file on disk. For Edit: checks the resulting content by merging
+# old_string → new_string into the existing file. For MultiEdit: same,
+# applied sequentially. For Write: checks the new content directly.
+
+# shellcheck source=./lib/common.sh
+. "${BASH_SOURCE[0]%/*}/lib/common.sh"
+read_payload
+
+TOOL="$(payload_get .tool_name)"
+case "$TOOL" in
+  Write|Edit|MultiEdit) ;;
+  *) emit_allow ;;
+esac
+
+FILE="$(payload_get .tool_input.file_path)"
+[ -n "$FILE" ] || emit_allow
+rel="${FILE#$CLAUDE_PROJECT_ROOT/}"
+
+# Identify artifact type from path.
+artifact_type=""
+case "$rel" in
+  docs/intake/*.md) artifact_type="intake" ;;
+  docs/brd/*.md)    artifact_type="brd" ;;
+  docs/specs/*.md)  artifact_type="spec" ;;
+  docs/rca/*.md)    artifact_type="rca" ;;
+  *) emit_allow ;;
+esac
+
+# Exempt templates.
+base="$(/usr/bin/basename "$rel" 2>/dev/null || echo "${rel##*/}")"
+case "$base" in
+  _TEMPLATE_*|*TEMPLATE*.md) emit_allow ;;
+esac
+
+# Fetch required sections for this artifact type.
+required_json="$(project_get ".artifacts.required_sections.$artifact_type")"
+if [ -z "$required_json" ] || [ "$required_json" = "None" ]; then
+  # No requirements configured → don't enforce.
+  emit_allow
+fi
+
+# Compute the resulting content the write would produce. For Write, that's
+# tool_input.content. For Edit/MultiEdit, we apply the edits against the
+# existing file (if any) to get the post-write content.
+HOOK_FILE="$FILE" HOOK_TOOL="$TOOL" HOOK_REQ_JSON="$required_json" HOOK_REL="$rel" HOOK_ARTIFACT="$artifact_type" python3 <<'PY'
+import json, os, re, sys, pathlib
+
+payload = json.loads(os.environ.get("HOOK_PAYLOAD", "") or "{}")
+tool    = os.environ["HOOK_TOOL"]
+file_   = os.environ["HOOK_FILE"]
+rel     = os.environ["HOOK_REL"]
+atype   = os.environ["HOOK_ARTIFACT"]
+req     = json.loads(os.environ["HOOK_REQ_JSON"])
+if not isinstance(req, list):
+    # Malformed config — don't enforce, fail open.
+    sys.exit(0)
+
+ti = payload.get("tool_input") or {}
+
+def current_file_content():
+    try:
+        return pathlib.Path(file_).read_text(encoding="utf-8")
+    except Exception:
+        return ""
+
+if tool == "Write":
+    content = ti.get("content") or ""
+elif tool == "Edit":
+    base = current_file_content()
+    old = ti.get("old_string") or ""
+    new = ti.get("new_string") or ""
+    if ti.get("replace_all"):
+        content = base.replace(old, new)
+    else:
+        # Apply single replacement.
+        content = base.replace(old, new, 1) if old in base else (base + new)
+elif tool == "MultiEdit":
+    content = current_file_content()
+    for edit in (ti.get("edits") or []):
+        old = edit.get("old_string") or ""
+        new = edit.get("new_string") or ""
+        if edit.get("replace_all"):
+            content = content.replace(old, new)
+        else:
+            content = content.replace(old, new, 1) if old in content else (content + new)
+else:
+    sys.exit(0)
+
+# Don't enforce on empty/whitespace-only content (touch or clear).
+if not content.strip():
+    sys.exit(0)
+
+# Collect heading text (## and ### levels) from the content.
+headings = set()
+for ln in content.splitlines():
+    m = re.match(r'^\s{0,3}#{2,4}\s+(.+?)\s*$', ln)
+    if m:
+        # Normalize: lowercase, strip trailing punctuation, collapse whitespace.
+        h = re.sub(r'\s+', ' ', m.group(1).strip()).lower()
+        h = h.rstrip(':').rstrip('.')
+        headings.add(h)
+
+missing = []
+for r in req:
+    r_norm = re.sub(r'\s+', ' ', str(r).strip()).lower().rstrip(':').rstrip('.')
+    if r_norm not in headings:
+        missing.append(r)
+
+if not missing:
+    sys.exit(0)
+
+msg = (
+    f"Artifact Template Guard: '{rel}' ({atype}) is missing required section(s): "
+    f"{', '.join(missing)}. "
+    f"Use the `{atype}` skill at .claude/skills/{atype}/SKILL.md (template at "
+    f".claude/skills/{atype}/template.md) to produce a compliant document. "
+    f"Every required heading must appear as a ## or ### heading."
+)
+print(json.dumps({
+    "hookSpecificOutput": {
+        "hookEventName": "PreToolUse",
+        "permissionDecision": "deny",
+        "permissionDecisionReason": msg,
+    }
+}))
+PY
+
+exit 0

package/obj/template/.claude/hooks/consent_gate_grant.sh

@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+# Consent Gate Grant — UserPromptSubmit
+#
+# When the user types one of the three consent-gate slash commands —
+# /approve-spec, /approve-swarm, /grant-commit — this hook fires BEFORE the
+# model is invoked. It writes a short-lived consent marker to
+# .claude/state/.<gate>_grant.
+#
+# The marker is what makes the corresponding approval-token write succeed:
+# the gate-specific PreToolUse guard (spec_approval_guard, swarm_approval_guard,
+# git_commit_guard) reads the marker and allows Claude's write only if a
+# fresh, slug-matched marker is on disk.
+#
+# Why the marker is unforgeable by Claude:
+#   - This hook runs on UserPromptSubmit, OUTSIDE Claude's tool boundary.
+#   - The PreToolUse guards block Claude from writing the marker file.
+#   - Markers expire after consent.gate_marker_ttl_seconds (default 60).
+#
+# Marker shapes (also documented in lib/common.sh validate_consent_marker):
+#   .spec_approval_grant   line 1: basename of spec path (slug)
+#                          line 2: epoch
+#                          line 3: absolute spec path
+#   .swarm_approval_grant  line 1: slug · line 2: epoch
+#   .commit_consent_grant  line 1: epoch · line 2: optional note
+
+# shellcheck source=./lib/common.sh
+. "${BASH_SOURCE[0]%/*}/lib/common.sh"
+read_payload
+
+# Fast-path: glob-match against the raw payload to rule out 99% of prompts
+# before any json/regex parsing. False positives are tolerated; the regex
+# dispatch below would no-op anyway.
+case "$HOOK_PAYLOAD" in
+  *'"prompt":'*/approve-spec*) ;;
+  *'"prompt":'*/approve-swarm*) ;;
+  *'"prompt":'*/grant-commit*) ;;
+  *) exit 0 ;;
+esac
+
+PROMPT="$(payload_get .prompt)"
+[ -n "$PROMPT" ] || exit 0
+
+first_line="${PROMPT%%$'\n'*}"
+trimmed="${first_line#"${first_line%%[![:space:]]*}"}"
+
+NOW="$(date +%s)"
+
+write_marker_atomic() {
+  local marker="$1"
+  shift
+  local tmp="${marker}.tmp.$$"
+  if printf '%s\n' "$@" >"$tmp" 2>/dev/null && mv -f "$tmp" "$marker" 2>/dev/null; then
+    return 0
+  fi
+  rm -f "$tmp" 2>/dev/null || true
+  return 1
+}
+
+if [[ "$trimmed" =~ ^/approve-spec[[:space:]]+([^[:space:]]+) ]]; then
+  arg="${BASH_REMATCH[1]}"
+  slug="$(canonical_slug "$arg")"
+  case "$arg" in
+    /*)  abs_path="$arg" ;;
+    */*) abs_path="$CLAUDE_PROJECT_ROOT/$arg" ;;
+    *)   abs_path="$CLAUDE_PROJECT_ROOT/docs/specs/$slug.md" ;;
+  esac
+  if write_marker_atomic "$CONSENT_MARKER_SPEC" "$slug" "$NOW" "$abs_path"; then
+    log_line consent_gate_grant "wrote spec_approval_grant slug=$slug path=$abs_path"
+  else
+    log_line consent_gate_grant "FAILED write spec_approval_grant slug=$slug"
+  fi
+elif [[ "$trimmed" =~ ^/approve-swarm[[:space:]]+([^[:space:]]+) ]]; then
+  slug="$(canonical_slug "${BASH_REMATCH[1]}")"
+  if write_marker_atomic "$CONSENT_MARKER_SWARM" "$slug" "$NOW"; then
+    log_line consent_gate_grant "wrote swarm_approval_grant slug=$slug"
+  else
+    log_line consent_gate_grant "FAILED write swarm_approval_grant slug=$slug"
+  fi
+elif [[ "$trimmed" =~ ^/grant-commit([[:space:]].*)?$ ]]; then
+  note="${BASH_REMATCH[1]:-}"
+  note="${note#"${note%%[![:space:]]*}"}"
+  if write_marker_atomic "$CONSENT_MARKER_COMMIT" "$NOW" "$note"; then
+    log_line consent_gate_grant "wrote commit_consent_grant note=$note"
+  else
+    log_line consent_gate_grant "FAILED write commit_consent_grant"
+  fi
+fi
+
+exit 0

package/obj/template/.claude/hooks/destructive_cmd_guard.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+# Destructive Command Guard — PreToolUse(Bash)
+#
+# Two tiers:
+#   - hard_block_patterns: block outright, cannot be overridden here (user
+#     would need to remove the pattern from project.json).
+#   - ask_patterns: emit an "ask" decision so the user is prompted each time.
+#
+# Patterns come from .destructive.hard_block_patterns / .destructive.ask_patterns
+# in .claude/project.json. Mode selector .destructive.mode is "ask" (default)
+# or "block" — block upgrades ask_patterns to deny.
+
+# shellcheck source=./lib/common.sh
+. "${BASH_SOURCE[0]%/*}/lib/common.sh"
+read_payload
+
+TOOL="$(payload_get .tool_name)"
+[ "$TOOL" = "Bash" ] || emit_allow
+
+CMD="$(payload_get .tool_input.command)"
+[ -n "$CMD" ] || emit_allow
+
+hard="$(project_get .destructive.hard_block_patterns)"
+if [ -n "$hard" ] && cmd_matches_any "$CMD" "$hard"; then
+  log_line destructive_cmd_guard "HARD BLOCK: $CMD"
+  emit_block "Destructive Command Guard: '$CMD' matches a hard-block pattern (catastrophic/irreversible). This is not overridable by confirmation. If this is genuinely necessary, edit .claude/project.json .destructive.hard_block_patterns."
+fi
+
+mode="$(project_get .destructive.mode)"
+[ -z "$mode" ] && mode="ask"
+
+ask="$(project_get .destructive.ask_patterns)"
+if [ -n "$ask" ] && cmd_matches_any "$CMD" "$ask"; then
+  if [ "$mode" = "block" ]; then
+    log_line destructive_cmd_guard "BLOCK (mode=block): $CMD"
+    emit_block "Destructive Command Guard: '$CMD' matches a destructive pattern and mode=block. Ask the user to run this themselves, or set .destructive.mode to 'ask' in project.json."
+  fi
+  log_line destructive_cmd_guard "ASK: $CMD"
+  emit_ask "Destructive Command Guard: '$CMD' looks destructive (matches an ask pattern). Confirm this is intentional before proceeding."
+fi
+
+emit_allow

package/obj/template/.claude/hooks/env_guard.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# .env file guard — PreToolUse(Edit|Write|MultiEdit|NotebookEdit)
+#
+# Blocks any write to files matching .env patterns that are likely to hold
+# secrets. Allows .env.example / .env.sample (template files that don't hold
+# real secrets).
+
+# shellcheck source=./lib/common.sh
+. "${BASH_SOURCE[0]%/*}/lib/common.sh"
+read_payload
+
+TOOL="$(payload_get .tool_name)"
+case "$TOOL" in
+  Edit|Write|MultiEdit|NotebookEdit) ;;
+  *) emit_allow ;;
+esac
+
+FILE="$(payload_get .tool_input.file_path)"
+[ -n "$FILE" ] || emit_allow
+
+base="$(basename "$FILE")"
+
+# Allow clearly-safe template files.
+case "$base" in
+  .env.example|.env.sample|.env.template|.env.dist|.env.defaults) emit_allow ;;
+esac
+
+# Block anything else matching .env*.
+case "$base" in
+  .env|.env.*|*.env)
+    log_line env_guard "BLOCKED $FILE"
+    emit_block ".env file guard: '$FILE' looks like a secrets file. seed.md forbids edits to .env files. If this is a template, rename to .env.example."
+    ;;
+esac
+
+emit_allow

package/obj/template/.claude/hooks/git_commit_guard.sh

@@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+# Git Commit Guard — PreToolUse(Bash) and PreToolUse(Write|Edit|MultiEdit)
+#
+# Two roles:
+#
+#   1. Bash matcher (run-boundary) — gates `git commit` invocations on a
+#      fresh consent token at .claude/state/commit_consent (default TTL 5
+#      min). Hard-blocks forbidden git operations regardless of consent.
+#
+#   2. Write matcher (write-boundary) — gates Claude's writes to the consent
+#      files themselves:
+#        - .claude/state/.commit_consent_grant — the marker. Written only by
+#          consent_gate_grant.sh (UserPromptSubmit) on /grant-commit.
+#        - .claude/state/commit_consent — the consent token. Writable by
+#          Claude only when a fresh marker is on disk (consumed on success).
+#
+# This makes gate C structurally symmetric with gates A and B.
+
+# shellcheck source=./lib/common.sh
+. "${BASH_SOURCE[0]%/*}/lib/common.sh"
+read_payload
+
+TOOL="$(payload_get .tool_name)"
+case "$TOOL" in
+  Bash)
+    : # fall through to run-boundary logic below
+    ;;
+  Write|Edit|MultiEdit)
+    FILE="$(payload_get .tool_input.file_path)"
+    [ -n "$FILE" ] || emit_allow
+    rel="$(canonical_rel "$FILE")"
+    [ -n "$rel" ] || emit_allow
+
+    block_marker_self_write "$rel" "$CONSENT_MARKER_COMMIT_REL" "Git Commit Guard" "/grant-commit"
+
+    case "$rel" in
+      .claude/state/commit_consent)
+        validate_consent_marker "$CONSENT_MARKER_COMMIT" "Git Commit Guard" "/grant-commit"
+        emit_allow
+        ;;
+      *)
+        emit_allow
+        ;;
+    esac
+    ;;
+  *)
+    emit_allow
+    ;;
+esac
+
+CMD="$(payload_get .tool_input.command)"
+[ -n "$CMD" ] || emit_allow
+
+case "$CMD" in
+  *git\ *|git) ;;
+  *) emit_allow ;;
+esac
+
+# Hard-blocks (apply always, consent cannot override).
+FORBIDDEN_RE='(\bgit\s+push\b|\bgit\s+commit\b[^|&;]*--amend|--no-verify|--no-gpg-sign|\bgit\s+reset\s+--hard\b|\bgit\s+clean\s+-[a-zA-Z]*f\b|\bgit\s+checkout\s+--\s|\bgit\s+branch\s+-D\b|\bgit\s+config\b|\bgit\s+rebase\s+-i\b|\bgit\s+add\s+-i\b|\bgit\s+add\s+(-A|\.)(?![A-Za-z0-9_/.\-]))'
+if python3 -c "import re,sys; sys.exit(0 if re.search(r'''$FORBIDDEN_RE''', sys.argv[1]) else 1)" "$CMD"; then
+  log_line git_commit_guard "BLOCKED forbidden git op: $CMD"
+  emit_block "Git Commit Guard: forbidden git operation detected. seed.md forbids git push / --amend / --no-verify / reset --hard / clean -f / checkout -- / branch -D / config / rebase -i / add -A|. unless the user explicitly names the operation. Ask the user to approve by stating the exact command."
+fi
+
+if ! python3 -c "import re,sys; sys.exit(0 if re.search(r'\bgit\s+commit\b', sys.argv[1]) else 1)" "$CMD"; then
+  emit_allow
+fi
+
+CONSENT_FILE="$STATE_DIR/commit_consent"
+COMMIT_TTL="$(project_get .consent.commit_ttl_seconds)"
+[ -z "$COMMIT_TTL" ] && COMMIT_TTL=300
+
+if [ ! -f "$CONSENT_FILE" ]; then
+  log_line git_commit_guard "BLOCKED no consent file: $CMD"
+  emit_block "Git Commit Guard: no consent granted. The user must run \`/grant-commit\` before a commit is allowed. Consent is valid for ${COMMIT_TTL}s."
+fi
+
+read -r granted_at < "$CONSENT_FILE" 2>/dev/null
+now="$(date +%s)"
+if ! [[ "$granted_at" =~ ^[0-9]+$ ]]; then
+  log_line git_commit_guard "BLOCKED malformed consent file"
+  emit_block "Git Commit Guard: consent file is malformed. Ask the user to re-run \`/grant-commit\`."
+fi
+
+age=$(( now - granted_at ))
+if [ "$age" -gt "$COMMIT_TTL" ]; then
+  log_line git_commit_guard "BLOCKED consent expired age=${age}s ttl=${COMMIT_TTL}s"
+  emit_block "Git Commit Guard: consent expired (${age}s old, TTL ${COMMIT_TTL}s). Ask the user to re-run \`/grant-commit\`."
+fi
+
+log_line git_commit_guard "ALLOWED age=${age}s cmd=$CMD"
+emit_allow

package/obj/template/.claude/hooks/harness_continuation.sh

@@ -0,0 +1,121 @@
+#!/usr/bin/env bash
+# Harness Continuation — Stop event
+#
+# Auto-continues multi-phase workflows across non-gated phase boundaries.
+# Reads .claude/state/harness_state (written by the harness skill on every
+# tick) and decides whether to re-fire harness on the same turn or stay
+# silent.
+#
+# Three-rung gate (plus sanity rail) — ALL three must pass to emit a block:
+#   1. stop_hook_active flag absent on payload (avoids in-turn recursion).
+#   2. .claude/state/.harness_active exists (session-scoped in-the-loop marker;
+#      the harness skill creates it on continue, deletes it on yielded/done;
+#      memory_session_start.sh deletes it on session boundary).
+#   3. harness_state.state equals "continue".
+#
+# Sanity rail: if the marker's slug content disagrees with workflow.json.slug,
+# log one WARN line to harness_continuation.log; the decision is unchanged.
+#
+# If all three pass, emit {"decision":"block","reason":"..."} to stdout.
+# Otherwise: exit 0 silent. Internal failures are treated as silence.
+
+# shellcheck source=./lib/common.sh
+. "${BASH_SOURCE[0]%/*}/lib/common.sh"
+read_payload
+
+# Rung 1: stop_hook_active prevents recursive re-firing inside a single turn.
+STOP_ACTIVE="$(payload_get .stop_hook_active)"
+case "$STOP_ACTIVE" in
+  true|True|TRUE)
+    log_line harness_continuation "silent: rung1 stop_hook_active=true"
+    exit 0
+    ;;
+esac
+
+# Rung 2: active marker presence — session-scoped "in the loop" signal.
+MARKER="$STATE_DIR/.harness_active"
+if [ ! -f "$MARKER" ]; then
+  log_line harness_continuation "silent: rung2 marker missing ($MARKER)"
+  exit 0
+fi
+
+# Rung 3 (plus sanity rail + emit) — delegate to python for JSON parsing.
+HARNESS_STATE="$STATE_DIR/harness_state"
+if [ ! -r "$HARNESS_STATE" ]; then
+  log_line harness_continuation "silent: rung3a harness_state missing or unreadable"
+  exit 0
+fi
+
+HARNESS_STATE="$HARNESS_STATE" \
+  WORKFLOW_JSON="$STATE_DIR/workflow.json" \
+  MARKER_PATH="$MARKER" \
+  LOG_PATH="$LOG_DIR/harness_continuation.log" \
+  python3 <<'PY' || exit 0
+import json, os, sys, time
+
+state_path = os.environ['HARNESS_STATE']
+workflow_path = os.environ.get('WORKFLOW_JSON', '')
+marker_path = os.environ.get('MARKER_PATH', '')
+log_path = os.environ.get('LOG_PATH', '')
+
+
+def _log(level, message):
+    if not log_path:
+        return
+    try:
+        with open(log_path, 'a') as f:
+            ts = time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime())
+            f.write(f'{ts}  {level}  {message}\n')
+    except Exception:
+        pass
+
+
+def _warn(message):
+    _log('WARN', message)
+
+
+# Rung 3: parse harness_state and check state field.
+try:
+    with open(state_path) as f:
+        data = json.load(f)
+except Exception as e:
+    _log('INFO', f'silent: rung3b harness_state unparseable ({e!s})')
+    sys.exit(0)
+
+state_value = data.get('state')
+if state_value != 'continue':
+    _log('INFO', f'silent: rung3c state={state_value!r} (expected "continue")')
+    sys.exit(0)
+
+# Sanity rail: marker slug should match workflow.json slug.
+# Mismatch is a WARN log line; the decision is unchanged.
+marker_slug = ''
+if marker_path and os.path.exists(marker_path):
+    try:
+        with open(marker_path) as f:
+            marker_slug = f.read().strip()
+    except Exception:
+        marker_slug = ''
+
+workflow_slug = ''
+if workflow_path and os.path.exists(workflow_path):
+    try:
+        with open(workflow_path) as f:
+            wf = json.load(f)
+        workflow_slug = wf.get('slug') or ''
+    except Exception:
+        workflow_slug = ''
+
+if marker_slug and workflow_slug and marker_slug != workflow_slug:
+    _warn(f'slug mismatch: marker={marker_slug} workflow={workflow_slug}')
+
+# All rungs passed — emit the block decision.
+decision = {
+    'decision': 'block',
+    'reason': 'Workflow continuing per harness_state. Invoke Skill(harness) to advance to the next phase.',
+}
+print(json.dumps(decision))
+_log('INFO', 'emit: decision=block (all rungs passed)')
+PY
+
+exit 0