@friedbotstudio/create-baseline 0.1.0

package/obj/template/.claude/hooks/process_lifecycle_guard.sh

@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+# process_lifecycle_guard — PreToolUse / Bash
+#
+# Advisory hook. Detects process-management Bash patterns (kill, pkill, lsof,
+# fuser, dev-server spawns) and surfaces relevant memory entries inline so
+# Claude reads them at the moment of action rather than relying on
+# session-start salience to persist across turns.
+#
+# Closes the gap diagnosed 2026-04-30: phase skills pull memory just-in-time
+# via their `read on demand` contract, but ad-hoc main-context Bash has no
+# skill firing — so no entry was ever read at the action point. This hook
+# fires the read structurally.
+#
+# Output: prints the matched memory entries to stderr (Claude Code surfaces
+# stderr in the tool transcript). Always emits `allow` — never blocks.
+# Cross-references CLAUDE.md Article IX clauses 6 + 7.
+
+# shellcheck source=./lib/common.sh
+. "${BASH_SOURCE[0]%/*}/lib/common.sh"
+read_payload
+
+CMD="$(payload_get .tool_input.command)"
+
+# Empty commands or non-Bash payloads — nothing to inspect.
+[ -n "$CMD" ] || { emit_allow; }
+
+# Trigger detection. Patterns chosen to match the dev-server-ownership and
+# lsof-port-kill-takes-firefox-with-it surfaces. Case-sensitive on the binary
+# name; lower-case is canonical for these tools.
+should_surface=0
+case "$CMD" in
+  *"kill "*|*"kill\""*|*"kill$"*|kill" "*|*" kill "*) should_surface=1 ;;
+  *"pkill "*|*" pkill "*|pkill" "*) should_surface=1 ;;
+  *"killall "*|*" killall "*) should_surface=1 ;;
+  *"lsof "*|*" lsof "*|lsof" "*) should_surface=1 ;;
+  *"fuser "*|*" fuser "*) should_surface=1 ;;
+  *"npm run "*"serve"*|*"npm run "*"dev"*) should_surface=1 ;;
+  *"yarn dev"*|*"pnpm dev"*) should_surface=1 ;;
+  *"eleventy --serve"*|*"eleventy serve"*) should_surface=1 ;;
+  *"vite"*|*"next dev"*|*"astro dev"*|*"http.server"*) should_surface=1 ;;
+esac
+
+[ "$should_surface" = 1 ] || { emit_allow; }
+
+# Surface the relevant memory entries. The body of each entry (verbatim block
+# first, structured fields after) is read directly so Claude sees the user's
+# actual words, not Claude's prior paraphrase.
+MEM="$CLAUDE_DOTDIR/memory"
+
+excerpts="$(MEM="$MEM" python3 <<'PY'
+import os, pathlib, re, sys
+mem = pathlib.Path(os.environ["MEM"])
+targets = [
+    ("conventions.md", "dev-server-ownership"),
+    ("landmines.md",   "lsof-port-kill-takes-firefox-with-it"),
+]
+chunks = []
+for fname, anchor in targets:
+    p = mem / fname
+    if not p.exists():
+        continue
+    text = p.read_text()
+    # Capture from "## <anchor>" up to the next "## " (or EOF).
+    m = re.search(
+        rf"^##\s+{re.escape(anchor)}\b.*?(?=^##\s|\Z)",
+        text, re.M | re.S
+    )
+    if m:
+        chunks.append(f"--- {fname} ---\n{m.group(0).rstrip()}")
+print("\n\n".join(chunks))
+PY
+)"
+
+if [ -z "$excerpts" ]; then
+  # No matching memory entries on disk — emit a softer notice so the absence
+  # is itself surfaced. Curator should re-flush memory if this fires.
+  emit_info "process_lifecycle_guard: command matched a process-management pattern, but no memory entries (\`conventions.md → dev-server-ownership\`, \`landmines.md → lsof-port-kill-takes-firefox-with-it\`) were found. Consider \`/memory-flush\` or restoring the entries before proceeding."
+  log_line "process_lifecycle_guard" "fired with empty memory: $CMD"
+  emit_allow
+fi
+
+emit_info "process_lifecycle_guard — process-management memory surfaced (verbatim then interpretation):
+
+$excerpts
+
+This advisory fires whenever a Bash command matches a process-management pattern. CLAUDE.md Article IX clause 7: read the verbatim above, treat it as binding for the current operation, and prefer verbatim over interpretation when they conflict."
+
+log_line "process_lifecycle_guard" "surfaced: ${CMD:0:120}"
+emit_allow

package/obj/template/.claude/hooks/setup_guard.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# Setup Guard — PreToolUse(Write|Edit|MultiEdit)
+#
+# Advisory only. When `.claude/project.json` reports `configured: false`,
+# this hook emits a one-time-per-period info message reminding the user
+# that the baseline is in project-agnostic mode (test/lint runners are
+# in guide mode, no stack-specific tailoring). It does NOT block writes.
+#
+# Bypass is intentionally allowed — the user gets baseline-only behaviour
+# until they run `/init-project`. Other guards (commit, env, spec-approval,
+# verify-pass, track) remain hard.
+#
+# Deduplication: the warning prints only when no warn marker has been
+# touched in the last 600s. This keeps editing-heavy sessions from
+# spamming. Re-warns at the start of each new session naturally
+# (file mtime ages out).
+
+# shellcheck source=./lib/common.sh
+. "${BASH_SOURCE[0]%/*}/lib/common.sh"
+read_payload
+
+TOOL="$(payload_get .tool_name)"
+case "$TOOL" in
+  Write|Edit|MultiEdit) ;;
+  *) emit_allow ;;
+esac
+
+FILE="$(payload_get .tool_input.file_path)"
+[ -n "$FILE" ] || emit_allow
+rel="${FILE#$CLAUDE_PROJECT_ROOT/}"
+
+# Already configured → no-op.
+configured="$(project_get .configured)"
+if [ "$configured" = "True" ] || [ "$configured" = "true" ]; then
+  emit_allow
+fi
+
+# Configured=false. Emit a one-time-per-period advisory and allow the write.
+WARN_MARKER="$STATE_DIR/setup_guard_last_warn"
+NOW="$(date +%s 2>/dev/null || echo 0)"
+LAST="$(stat -f %m "$WARN_MARKER" 2>/dev/null || stat -c %Y "$WARN_MARKER" 2>/dev/null || echo 0)"
+SINCE=$((NOW - LAST))
+
+if [ "$SINCE" -ge 600 ] || [ "$LAST" = "0" ]; then
+  emit_info "Setup Guard (advisory): \`.claude/project.json\` reports configured=false. The baseline is running in project-agnostic mode — test_runner and lint_runner hooks are in guide mode and no stack-specific tailoring has been applied. Run \`/init-project\` to scout the codebase, invoke the recommender, and generate a tailored config. (This warning is rate-limited to once per 10 minutes.)"
+  : > "$WARN_MARKER" 2>/dev/null || true
+fi
+
+log_line setup_guard "advisory pre-init write to $rel (warned=$([ "$SINCE" -ge 600 ] && echo yes || echo no))"
+emit_allow

package/obj/template/.claude/hooks/spec_approval_guard.sh

@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+# Spec Approval Guard — PreToolUse(Write|Edit|MultiEdit)
+#
+# Three enforcement modes:
+#
+#   1. Approval artifacts (.claude/state/spec_approvals/*.approval) — only
+#      writable when a fresh slug-matched consent marker exists at
+#      .claude/state/.spec_approval_grant. The marker is written by
+#      consent_gate_grant.sh on /approve-spec invocation, OUTSIDE Claude's
+#      tool boundary. Validated and consumed via validate_consent_marker.
+#
+#   2. The marker file itself — Claude SHALL NEVER write it via tool. The
+#      marker is the structural source of consent; allowing Claude to write
+#      it would defeat the gate.
+#
+#   3. Spec files (docs/specs/*.md) — block writes that add/modify an
+#      "Approved" / "Status: Approved" line. The user must run /approve-spec.
+
+# shellcheck source=./lib/common.sh
+. "${BASH_SOURCE[0]%/*}/lib/common.sh"
+read_payload
+
+TOOL="$(payload_get .tool_name)"
+case "$TOOL" in
+  Write|Edit|MultiEdit) ;;
+  *) emit_allow ;;
+esac
+
+FILE="$(payload_get .tool_input.file_path)"
+[ -n "$FILE" ] || emit_allow
+rel="$(canonical_rel "$FILE")"
+[ -n "$rel" ] || emit_allow
+
+block_marker_self_write "$rel" "$CONSENT_MARKER_SPEC_REL" "Spec Approval Guard" "/approve-spec <path>"
+
+case "$rel" in
+  .claude/state/spec_approvals/*.approval)
+    # Strip .approval, then canonical_slug to fold legacy `<slug>.md.approval`
+    # and current `<slug>.approval` to the same bare slug as the marker.
+    expected_slug="$(canonical_slug "$(basename "$rel" .approval)")"
+    validate_consent_marker "$CONSENT_MARKER_SPEC" "Spec Approval Guard" "/approve-spec <slug|path>" "$expected_slug"
+    emit_allow
+    ;;
+esac
+
+case "$rel" in
+  docs/specs/*.md) ;;
+  *) emit_allow ;;
+esac
+
+content=""
+case "$TOOL" in
+  Write) content="$(payload_get .tool_input.content)" ;;
+  Edit)  content="$(payload_get .tool_input.new_string)" ;;
+  MultiEdit)
+    content="$(python3 -c '
+import json, os
+raw = os.environ.get("HOOK_PAYLOAD","")
+d = json.loads(raw) if raw else {}
+edits = (d.get("tool_input") or {}).get("edits") or []
+print("\n".join(e.get("new_string","") for e in edits))
+')"
+    ;;
+esac
+
+if python3 -c "
+import re, sys
+c = sys.argv[1]
+for ln in c.splitlines():
+    s = ln.strip().lstrip('-').lstrip('*').strip()
+    if re.match(r'(status|state|approval)\s*[:=]\s*approved\b', s, re.I):
+        sys.exit(0)
+    if re.fullmatch(r'approved\s*[:=]\s*true', s, re.I):
+        sys.exit(0)
+sys.exit(1)
+" "$content"; then
+  log_line spec_approval_guard "BLOCKED self-approval in: $rel"
+  emit_block "Spec Approval Guard: Claude cannot mark a spec as Approved. The user must run \`/approve-spec $rel\`, which produces the consent marker that allows the approval token to be written. Remove the 'Approved' line from this edit."
+fi
+
+emit_allow

package/obj/template/.claude/hooks/spec_design_calls_guard.sh

@@ -0,0 +1,183 @@
+#!/usr/bin/env bash
+# Spec Design Calls Guard — PreToolUse(Write|Edit|MultiEdit)
+#
+# When a spec's write_set intersects `project.json → tdd.ui_globs`, the spec
+# MUST declare a `## Design calls` section with at least one populated row.
+# This hook denies writes to docs/specs/*.md that violate the rule.
+#
+# The rule is structurally tied to CLAUDE.md Article X.2: every UI design
+# task in a workflow phase routes through `design-ui`. /tdd Step 6 reads the
+# spec's design_calls rows and invokes design-ui per row. Without those
+# rows, the design lane is silently skipped — the rule prevents that.
+#
+# Conditional firing:
+#   - SKIP (allow): `tdd.ui_globs` empty or missing.
+#   - SKIP (allow): write_set ∩ ui_globs is empty (no UI files in the spec).
+#   - DENY: write_set has UI files AND no `## Design calls` section / empty body.
+#   - ALLOW: write_set has UI files AND `## Design calls` has a populated row.
+#
+# Template files (_TEMPLATE_*) are exempt — they declare the section shape.
+
+# shellcheck source=./lib/common.sh
+. "${BASH_SOURCE[0]%/*}/lib/common.sh"
+read_payload
+
+TOOL="$(payload_get .tool_name)"
+case "$TOOL" in
+  Write|Edit|MultiEdit) ;;
+  *) emit_allow ;;
+esac
+
+FILE="$(payload_get .tool_input.file_path)"
+[ -n "$FILE" ] || emit_allow
+rel="${FILE#$CLAUDE_PROJECT_ROOT/}"
+
+case "$rel" in
+  docs/specs/*.md) ;;
+  *) emit_allow ;;
+esac
+
+base="${rel##*/}"
+case "$base" in
+  _TEMPLATE_*|*TEMPLATE*.md) emit_allow ;;
+esac
+
+ui_globs_json="$(project_get .tdd.ui_globs)"
+if [ -z "$ui_globs_json" ] || [ "$ui_globs_json" = "None" ] || [ "$ui_globs_json" = "[]" ]; then
+  emit_allow
+fi
+
+HOOK_FILE="$FILE" HOOK_TOOL="$TOOL" HOOK_REL="$rel" HOOK_UI_GLOBS="$ui_globs_json" python3 <<'PY'
+import json, os, pathlib, re, sys
+
+payload = json.loads(os.environ.get("HOOK_PAYLOAD", "") or "{}")
+tool    = os.environ["HOOK_TOOL"]
+file_   = os.environ["HOOK_FILE"]
+rel     = os.environ["HOOK_REL"]
+try:
+    ui_globs = json.loads(os.environ["HOOK_UI_GLOBS"])
+except Exception:
+    sys.exit(0)
+if not isinstance(ui_globs, list) or not ui_globs:
+    sys.exit(0)
+
+ti = payload.get("tool_input") or {}
+
+def current():
+    try:
+        return pathlib.Path(file_).read_text(encoding="utf-8")
+    except Exception:
+        return ""
+
+if tool == "Write":
+    content = ti.get("content") or ""
+elif tool == "Edit":
+    base = current()
+    old = ti.get("old_string") or ""
+    new = ti.get("new_string") or ""
+    if ti.get("replace_all"):
+        content = base.replace(old, new)
+    else:
+        content = base.replace(old, new, 1) if old in base else (base + new)
+elif tool == "MultiEdit":
+    content = current()
+    for edit in (ti.get("edits") or []):
+        old = edit.get("old_string") or ""
+        new = edit.get("new_string") or ""
+        if edit.get("replace_all"):
+            content = content.replace(old, new)
+        else:
+            content = content.replace(old, new, 1) if old in content else (content + new)
+else:
+    sys.exit(0)
+
+if not content.strip():
+    sys.exit(0)
+
+def expand_brace_globs(globs):
+    out = []
+    for g in globs:
+        if "{" not in g:
+            out.append(g); continue
+        i = g.index("{"); j = g.index("}", i)
+        prefix, alts, suffix = g[:i], g[i+1:j].split(","), g[j+1:]
+        for a in alts:
+            out.append(prefix + a.strip() + suffix)
+    return out
+
+def glob_to_regex(g):
+    out, i = [], 0
+    while i < len(g):
+        c = g[i]
+        if c == "*":
+            if i + 1 < len(g) and g[i+1] == "*":
+                out.append(".*"); i += 2
+            else:
+                out.append("[^/]*"); i += 1
+        elif c == "?":
+            out.append("[^/]"); i += 1
+        elif c in ".+()|^$\\[]{}":
+            out.append(re.escape(c)); i += 1
+        else:
+            out.append(c); i += 1
+    return "^" + "".join(out) + "$"
+
+def matches_any_glob(path, globs):
+    for g in expand_brace_globs(globs):
+        if re.fullmatch(glob_to_regex(g), path):
+            return True
+    return False
+
+# Extract write_set paths from the spec body. Accept a leading "write_set:"
+# line or paths inside a `## Design calls` table.
+write_set_paths = set()
+for line in content.splitlines():
+    m = re.search(r'write[_\s]set\s*:\s*(.+)$', line, re.IGNORECASE)
+    if m:
+        for tok in re.split(r'[`,\s|]+', m.group(1)):
+            tok = tok.strip().strip("*").strip()
+            if tok and "/" in tok and not tok.startswith("#"):
+                write_set_paths.add(tok)
+
+ui_hits = [p for p in write_set_paths if matches_any_glob(p, ui_globs)]
+if not ui_hits:
+    sys.exit(0)
+
+# Find the `## Design calls` section and verify it has a populated row.
+dc_section = re.search(
+    r'^##\s+Design\s+calls\s*$([\s\S]*?)(?=^##\s|\Z)',
+    content, re.MULTILINE | re.IGNORECASE,
+)
+body = dc_section.group(1).strip() if dc_section else ""
+
+def is_populated(body):
+    # A populated body has at least one table row that isn't the header / separator.
+    # A row like `| --- | --- | ... |` is the separator (not a real row).
+    rows = [
+        ln for ln in body.splitlines()
+        if re.match(r'^\s*\|', ln) and not re.match(r'^\s*\|[\s:-]+\|', ln)
+    ]
+    if len(rows) < 2:
+        return False
+    # The first row is the column header; the rest are data rows.
+    return any(not re.search(r'^\s*-?\s*\*?\(?none\)?\*?\s*$', r.strip("|").strip(), re.IGNORECASE) for r in rows[1:])
+
+if dc_section and is_populated(body):
+    sys.exit(0)
+
+reason_lines = [
+    f"Spec Design Calls Guard: '{rel}' has UI files in its write_set but lacks a populated `## Design calls` section.",
+    f"  UI files detected: {', '.join(sorted(ui_hits))}",
+    "  The `## Design calls` section is required when the spec's write_set intersects `project.json → tdd.ui_globs`.",
+    "  See `.claude/skills/spec/template.md` for the canonical Design calls table shape.",
+    "  See CLAUDE.md Article X.2 for the routing rule.",
+]
+
+print(json.dumps({
+    "hookSpecificOutput": {
+        "hookEventName": "PreToolUse",
+        "permissionDecision": "deny",
+        "permissionDecisionReason": "\n".join(reason_lines),
+    }
+}))
+PY

package/obj/template/.claude/hooks/spec_diagram_presence_guard.sh

@@ -0,0 +1,141 @@
+#!/usr/bin/env bash
+# Spec Diagram Presence Guard — PreToolUse(Write|Edit|MultiEdit)
+#
+# Enforces that docs/specs/*.md contains the diagram kinds required by the
+# spec template. Complements artifact_template_guard (which checks headings)
+# and plantuml_syntax_guard (which checks each block's syntax): this one
+# ensures the right *kinds* of diagrams exist.
+#
+# Config source: .claude/project.json → artifacts.required_diagrams.spec
+#
+# Each entry is an object of the form:
+#   "<kind>": {
+#     "min":     <int>,           # required occurrences; default 1
+#     "marker":  "<literal>",     # optional literal substring to look for
+#     "any_of":  ["<regex>", ...] # optional list; a block matching ANY counts
+#   }
+#
+# A fenced ```plantuml``` block counts toward <kind> if it contains the literal
+# `marker` OR if any line matches any regex in `any_of`. The guard scans only
+# inside plantuml fences — prose mentions don't satisfy the requirement.
+#
+# Template files (_TEMPLATE_*) are exempt. So is empty/whitespace-only content.
+
+# shellcheck source=./lib/common.sh
+. "${BASH_SOURCE[0]%/*}/lib/common.sh"
+read_payload
+
+TOOL="$(payload_get .tool_name)"
+case "$TOOL" in
+  Write|Edit|MultiEdit) ;;
+  *) emit_allow ;;
+esac
+
+FILE="$(payload_get .tool_input.file_path)"
+[ -n "$FILE" ] || emit_allow
+rel="${FILE#$CLAUDE_PROJECT_ROOT/}"
+
+case "$rel" in
+  docs/specs/*.md) ;;
+  *) emit_allow ;;
+esac
+
+base="${rel##*/}"
+case "$base" in
+  _TEMPLATE_*|*TEMPLATE*.md) emit_allow ;;
+esac
+
+required_json="$(project_get .artifacts.required_diagrams.spec)"
+if [ -z "$required_json" ] || [ "$required_json" = "None" ]; then
+  emit_allow
+fi
+
+HOOK_FILE="$FILE" HOOK_TOOL="$TOOL" HOOK_REL="$rel" HOOK_REQ_JSON="$required_json" python3 <<'PY'
+import json, os, pathlib, re, sys
+
+payload = json.loads(os.environ.get("HOOK_PAYLOAD", "") or "{}")
+tool    = os.environ["HOOK_TOOL"]
+file_   = os.environ["HOOK_FILE"]
+rel     = os.environ["HOOK_REL"]
+try:
+    required = json.loads(os.environ["HOOK_REQ_JSON"])
+except Exception:
+    sys.exit(0)
+if not isinstance(required, dict):
+    sys.exit(0)
+
+ti = payload.get("tool_input") or {}
+
+def current():
+    try:
+        return pathlib.Path(file_).read_text(encoding="utf-8")
+    except Exception:
+        return ""
+
+if tool == "Write":
+    content = ti.get("content") or ""
+elif tool == "Edit":
+    base = current()
+    old = ti.get("old_string") or ""
+    new = ti.get("new_string") or ""
+    if ti.get("replace_all"):
+        content = base.replace(old, new)
+    else:
+        content = base.replace(old, new, 1) if old in base else (base + new)
+elif tool == "MultiEdit":
+    content = current()
+    for edit in (ti.get("edits") or []):
+        old = edit.get("old_string") or ""
+        new = edit.get("new_string") or ""
+        if edit.get("replace_all"):
+            content = content.replace(old, new)
+        else:
+            content = content.replace(old, new, 1) if old in content else (content + new)
+else:
+    sys.exit(0)
+
+if not content.strip():
+    sys.exit(0)
+
+fence_re = re.compile(r'^[ \t]*```[ \t]*plantuml[ \t]*$(.*?)^[ \t]*```[ \t]*$',
+                      re.DOTALL | re.IGNORECASE | re.MULTILINE)
+blocks = [m.group(1) for m in fence_re.finditer(content)]
+
+def block_matches(body, rule):
+    marker = rule.get("marker")
+    if marker and marker in body:
+        return True
+    for pat in rule.get("any_of") or []:
+        try:
+            if re.search(pat, body, re.MULTILINE):
+                return True
+        except re.error:
+            continue
+    return False
+
+missing = []
+for kind, rule in required.items():
+    if not isinstance(rule, dict):
+        continue
+    need = int(rule.get("min", 1))
+    found = sum(1 for b in blocks if block_matches(b, rule))
+    if found < need:
+        missing.append((kind, need, found))
+
+if not missing:
+    sys.exit(0)
+
+lines = [f"Spec Diagram Presence Guard: '{rel}' is missing required diagram kinds. Each kind must appear inside a ```plantuml``` fence."]
+for kind, need, found in missing:
+    lines.append(f"  - {kind}: need {need}, found {found}")
+lines.append("See .claude/skills/spec/template.md for the canonical diagram skeletons (C4 Context/Container/Component, class, sequence, dependency graph).")
+lines.append("Required kinds are configured at .claude/project.json → artifacts.required_diagrams.spec.")
+
+print(json.dumps({
+    "hookSpecificOutput": {
+        "hookEventName": "PreToolUse",
+        "permissionDecision": "deny",
+        "permissionDecisionReason": "\n".join(lines),
+    }
+}))
+PY

package/obj/template/.claude/hooks/swarm_approval_guard.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# Swarm Approval Guard — PreToolUse(Write|Edit|MultiEdit)
+#
+# Symmetric to spec_approval_guard for gate B (/approve-swarm). Two modes:
+#
+#   1. Approval artifacts (.claude/state/swarm_approvals/<slug>.approval) —
+#      writable only when a fresh slug-matched marker at
+#      .claude/state/.swarm_approval_grant exists. Marker is written by
+#      consent_gate_grant.sh on /approve-swarm. Validated + consumed via
+#      validate_consent_marker.
+#
+#   2. The marker file itself — Claude SHALL NEVER write it via tool.
+
+# shellcheck source=./lib/common.sh
+. "${BASH_SOURCE[0]%/*}/lib/common.sh"
+read_payload
+
+TOOL="$(payload_get .tool_name)"
+case "$TOOL" in
+  Write|Edit|MultiEdit) ;;
+  *) emit_allow ;;
+esac
+
+FILE="$(payload_get .tool_input.file_path)"
+[ -n "$FILE" ] || emit_allow
+rel="$(canonical_rel "$FILE")"
+[ -n "$rel" ] || emit_allow
+
+block_marker_self_write "$rel" "$CONSENT_MARKER_SWARM_REL" "Swarm Approval Guard" "/approve-swarm <slug>"
+
+case "$rel" in
+  .claude/state/swarm_approvals/*.approval)
+    expected_slug="$(canonical_slug "$(basename "$rel" .approval)")"
+    validate_consent_marker "$CONSENT_MARKER_SWARM" "Swarm Approval Guard" "/approve-swarm <slug>" "$expected_slug"
+    emit_allow
+    ;;
+esac
+
+emit_allow