@friedbotstudio/create-baseline 0.2.1 → 0.4.0

package/obj/template/.claude/hooks/git_commit_guard.mjs

@@ -0,0 +1,224 @@
+#!/usr/bin/env node
+// Git Commit Guard — PreToolUse(Bash) and PreToolUse(Write|Edit|MultiEdit)
+//
+// JS port of git_commit_guard.sh, adding branch-aware consent policy:
+//
+//   1. Bash matcher — branch-aware:
+//        - `git push` is no longer in FORBIDDEN_RE (was an unconditional
+//          hard-block; now policy-driven).
+//        - `git commit` and `git push` both consult `git rev-parse
+//          --abbrev-ref HEAD`. Detached HEAD ("HEAD") → DENY explicitly.
+//        - On a branch matched by project.json → git.protected_branches
+//          (or when that key is null/absent → every branch protected),
+//          commits require fresh commit_consent (300s) and pushes require
+//          fresh push_consent (300s).
+//        - When git.branch_pattern is set and the current branch does NOT
+//          match the regex, commits are denied with the pattern surfaced.
+//        - On a non-protected branch, commits and pushes proceed without
+//          consent.
+//
+//   2. Write matcher — unchanged behavior plus an arm for push_consent:
+//        - Blocks Claude from writing the marker files (commit/push_consent_grant).
+//        - Gates writes to commit_consent on a fresh commit-consent marker.
+//        - Gates writes to push_consent on a fresh push-consent marker.
+
+import { execFileSync } from 'node:child_process';
+import { existsSync, readFileSync, unlinkSync } from 'node:fs';
+import {
+  readPayload,
+  payloadGet,
+  projectGet,
+  emitBlock,
+  emitAllow,
+  logLine,
+  canonicalRel,
+  canonicalSlug,
+  validateConsentMarker,
+  blockMarkerSelfWrite,
+  matchAnyGlob,
+  CLAUDE_PROJECT_ROOT,
+  STATE_DIR,
+  CONSENT_MARKER_COMMIT,
+  CONSENT_MARKER_COMMIT_REL,
+  CONSENT_MARKER_PUSH,
+  CONSENT_MARKER_PUSH_REL,
+} from './lib/common.mjs';
+
+const HOOK = 'git_commit_guard';
+
+// Hard-blocks that apply regardless of consent or branch.
+// NOTE: `git push` was previously included; removed in the branch-aware
+// policy. The remaining ops are still flat-out forbidden because they
+// rewrite history, skip safety, or sweep paths.
+const FORBIDDEN_RE = new RegExp(
+  '(' +
+    '\\bgit\\s+commit\\b[^|&;]*--amend' +
+    '|--no-verify' +
+    '|--no-gpg-sign' +
+    '|\\bgit\\s+reset\\s+--hard\\b' +
+    '|\\bgit\\s+clean\\s+-[a-zA-Z]*f\\b' +
+    '|\\bgit\\s+checkout\\s+--\\s' +
+    '|\\bgit\\s+branch\\s+-D\\b' +
+    '|\\bgit\\s+config\\b' +
+    '|\\bgit\\s+rebase\\s+-i\\b' +
+    '|\\bgit\\s+add\\s+-i\\b' +
+    '|\\bgit\\s+add\\s+(-A|\\.)(?![A-Za-z0-9_/.\\-])' +
+  ')'
+);
+
+function currentBranch() {
+  try {
+    const out = execFileSync('git', ['rev-parse', '--abbrev-ref', 'HEAD'], { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'], cwd: CLAUDE_PROJECT_ROOT });
+    return out.trim();
+  } catch {
+    return null;
+  }
+}
+
+function isInsideWorkTree() {
+  try {
+    execFileSync('git', ['rev-parse', '--is-inside-work-tree'], { stdio: 'ignore', cwd: CLAUDE_PROJECT_ROOT });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// Returns: { protected: bool, patternViolation: string|null, detached: bool, branch: string|null }
+function branchPolicy() {
+  const branch = currentBranch();
+  if (branch === null) return { protected: false, patternViolation: null, detached: false, branch: null, notGit: true };
+  if (branch === 'HEAD') return { protected: false, patternViolation: null, detached: true, branch, notGit: false };
+
+  // protected_branches: null/absent → every branch protected; else glob match.
+  const globs = projectGet('.git.protected_branches');
+  let isProtected;
+  if (globs == null) {
+    isProtected = true;
+  } else if (Array.isArray(globs)) {
+    isProtected = matchAnyGlob(branch, globs);
+  } else {
+    isProtected = true; // invalid type → fail-safe to protected
+  }
+
+  // branch_pattern: null/absent → no check; string → must match.
+  const pattern = projectGet('.git.branch_pattern');
+  let patternViolation = null;
+  if (typeof pattern === 'string' && pattern.length > 0) {
+    try {
+      if (!new RegExp(pattern).test(branch)) patternViolation = pattern;
+    } catch {
+      // invalid regex → treat as no pattern, warn via log
+      logLine(HOOK, `WARN invalid git.branch_pattern regex: ${pattern}`);
+    }
+  }
+
+  return { protected: isProtected, patternViolation, detached: false, branch, notGit: false };
+}
+
+function validateConsentToken(file, ttlKey, defaultTtl, gateLabel, cmdHint) {
+  let ttl = projectGet(ttlKey);
+  if (typeof ttl !== 'number' || !Number.isFinite(ttl)) ttl = defaultTtl;
+  if (!existsSync(file)) {
+    logLine(HOOK, `BLOCKED no consent file: ${file}`);
+    emitBlock(`${gateLabel}: no consent granted. The user must run \`${cmdHint}\` before a ${cmdHint.includes('push') ? 'push' : 'commit'} is allowed. Consent is valid for ${ttl}s.`);
+  }
+  let grantedAt;
+  try {
+    grantedAt = readFileSync(file, 'utf8').split(/\r?\n/)[0].trim();
+  } catch {
+    grantedAt = '';
+  }
+  if (!/^\d+$/.test(grantedAt)) {
+    logLine(HOOK, `BLOCKED malformed consent file: ${file}`);
+    emitBlock(`${gateLabel}: consent file is malformed. Ask the user to re-run \`${cmdHint}\`.`);
+  }
+  const now = Math.floor(Date.now() / 1000);
+  const age = now - parseInt(grantedAt, 10);
+  if (age > ttl) {
+    logLine(HOOK, `BLOCKED consent expired age=${age}s ttl=${ttl}s file=${file}`);
+    emitBlock(`${gateLabel}: consent expired (${age}s old, TTL ${ttl}s). Ask the user to re-run \`${cmdHint}\`.`);
+  }
+  logLine(HOOK, `ALLOWED age=${age}s file=${file}`);
+}
+
+function handleBash(cmd) {
+  if (!cmd || !/(^|\s)git(\s|$)/.test(cmd)) emitAllow();
+
+  // Hard-blocks first. Push is NOT in this set anymore.
+  if (FORBIDDEN_RE.test(cmd)) {
+    logLine(HOOK, `BLOCKED forbidden git op: ${cmd}`);
+    emitBlock('Git Commit Guard: forbidden git operation detected. seed.md forbids `git commit --amend`, `--no-verify`, `--no-gpg-sign`, `git reset --hard`, `git clean -f`, `git checkout -- `, `git branch -D`, `git config`, `git rebase -i`, `git add -i`, `git add -A|.` regardless of consent or branch. Ask the user to approve by stating the exact command.');
+  }
+
+  const isCommit = /\bgit\s+commit\b/.test(cmd);
+  const isPush = /\bgit\s+push\b/.test(cmd);
+  if (!isCommit && !isPush) emitAllow();
+
+  // Article VII applicability: gate operations require git.
+  if (!isInsideWorkTree()) {
+    logLine(HOOK, `ALLOWED not-a-git-repo cmd=${cmd}`);
+    emitAllow();
+  }
+
+  const policy = branchPolicy();
+  if (policy.detached) {
+    logLine(HOOK, `BLOCKED detached HEAD cmd=${cmd}`);
+    emitBlock(`Git Commit Guard: detached HEAD. Check out a branch first. Branch-aware policy needs a named branch to evaluate \`git.protected_branches\` and \`git.branch_pattern\`.`);
+  }
+
+  if (isCommit && policy.patternViolation) {
+    logLine(HOOK, `BLOCKED branch_pattern violation branch=${policy.branch} pattern=${policy.patternViolation}`);
+    emitBlock(`Git Commit Guard: branch '${policy.branch}' does not match \`git.branch_pattern\` (\`${policy.patternViolation}\`). Rename the branch to conform, or set \`git.branch_pattern\` to null in project.json to disable naming enforcement.`);
+  }
+
+  if (!policy.protected) {
+    logLine(HOOK, `ALLOWED unprotected-branch branch=${policy.branch} cmd=${cmd}`);
+    emitAllow();
+  }
+
+  // Protected — require the matching consent token.
+  if (isCommit) {
+    validateConsentToken(`${STATE_DIR}/commit_consent`, '.consent.commit_ttl_seconds', 300, 'Git Commit Guard', '/grant-commit');
+  } else {
+    validateConsentToken(`${STATE_DIR}/push_consent`, '.consent.push_ttl_seconds', 300, 'Git Commit Guard', '/grant-push');
+  }
+  emitAllow();
+}
+
+function handleWrite(payload) {
+  const filePath = payloadGet(payload, '.tool_input.file_path');
+  if (!filePath) emitAllow();
+  const rel = canonicalRel(filePath);
+  if (!rel) emitAllow();
+
+  // Block self-write of the commit / push markers (Claude can never forge them).
+  blockMarkerSelfWrite(rel, CONSENT_MARKER_COMMIT_REL, 'Git Commit Guard', '/grant-commit');
+  blockMarkerSelfWrite(rel, CONSENT_MARKER_PUSH_REL, 'Git Commit Guard', '/grant-push');
+
+  // Gate writes to the consent state files on a fresh marker.
+  if (rel === '.claude/state/commit_consent') {
+    validateConsentMarker(CONSENT_MARKER_COMMIT, 'Git Commit Guard', '/grant-commit');
+  } else if (rel === '.claude/state/push_consent') {
+    validateConsentMarker(CONSENT_MARKER_PUSH, 'Git Commit Guard', '/grant-push');
+  }
+  emitAllow();
+}
+
+async function main() {
+  const payload = await readPayload();
+  const tool = payloadGet(payload, '.tool_name');
+  if (tool === 'Bash') {
+    const cmd = payloadGet(payload, '.tool_input.command');
+    handleBash(cmd);
+  } else if (tool === 'Write' || tool === 'Edit' || tool === 'MultiEdit') {
+    handleWrite(payload);
+  } else {
+    emitAllow();
+  }
+}
+
+main().catch((err) => {
+  logLine(HOOK, `ERROR ${err && err.message ? err.message : String(err)}`);
+  emitAllow();
+});

package/obj/template/.claude/hooks/harness_continuation.sh

@@ -6,18 +6,25 @@
 # tick) and decides whether to re-fire harness on the same turn or stay
 # silent.
 #
-# Three-rung gate (plus sanity rail) — ALL three must pass to emit a block:
-#   1. stop_hook_active flag absent on payload (avoids in-turn recursion).
-#   2. .claude/state/.harness_active exists (session-scoped in-the-loop marker;
-#      the harness skill creates it on continue, deletes it on yielded/done;
-#      memory_session_start.sh deletes it on session boundary).
-#   3. harness_state.state equals "continue".
+# Gate has two disjunctive paths, both gated by rung 1:
+#   Path A (mid-loop continuation):
+#     1. stop_hook_active flag absent on payload (avoids in-turn recursion).
+#     2. .claude/state/.harness_active marker exists (session-scoped).
+#     3. harness_state.state equals "continue".
+#   Path B (rung 4 — gate-resume after a consent slash command):
+#     1. stop_hook_active flag absent.
+#     4a. harness_state.state equals "yielded".
+#     4b. .claude/state/workflow.json exists and parses.
+#     4c. at least one of {commit_consent, push_consent,
+#         spec_approvals/<slug>.approval, swarm_approvals/<slug>.approval}
+#         exists with mtime newer than harness_state's mtime.
+#   If Path A or Path B passes, the sanity rail runs and a block decision
+#   is emitted. Otherwise: exit 0 silent.
 #
 # Sanity rail: if the marker's slug content disagrees with workflow.json.slug,
 # log one WARN line to harness_continuation.log; the decision is unchanged.
 #
-# If all three pass, emit {"decision":"block","reason":"..."} to stdout.
-# Otherwise: exit 0 silent. Internal failures are treated as silence.
+# Internal failures are treated as silence.
 
 # shellcheck source=./lib/common.sh
 . "${BASH_SOURCE[0]%/*}/lib/common.sh"
@@ -32,17 +39,14 @@ case "$STOP_ACTIVE" in
     ;;
 esac
 
-# Rung 2: active marker presence — session-scoped "in the loop" signal.
+# Marker path (presence check is now inside Python — Path B can fire with
+# the marker absent).
 MARKER="$STATE_DIR/.harness_active"
-if [ ! -f "$MARKER" ]; then
-  log_line harness_continuation "silent: rung2 marker missing ($MARKER)"
-  exit 0
-fi
 
-# Rung 3 (plus sanity rail + emit) — delegate to python for JSON parsing.
+# harness_state existence — both paths need it readable.
 HARNESS_STATE="$STATE_DIR/harness_state"
 if [ ! -r "$HARNESS_STATE" ]; then
-  log_line harness_continuation "silent: rung3a harness_state missing or unreadable"
+  log_line harness_continuation "silent: harness_state missing or unreadable"
   exit 0
 fi
 
@@ -74,21 +78,92 @@ def _warn(message):
     _log('WARN', message)
 
 
-# Rung 3: parse harness_state and check state field.
+def _read_workflow_slug():
+    """Return slug string from workflow.json, or None if file missing/unparseable.
+
+    An empty-string return ('') means the file exists and parses but has no
+    slug field — workflow.json present but ungated by slug.
+    """
+    if not workflow_path or not os.path.exists(workflow_path):
+        return None
+    try:
+        with open(workflow_path) as f:
+            wf = json.load(f)
+        return wf.get('slug') or ''
+    except Exception:
+        return None
+
+
+def _any_consent_newer_than(reference_mtime, workflow_slug):
+    """Rung 4c: is there a consent/approval token with mtime > reference_mtime?
+
+    Scans four canonical paths under $STATE_DIR. The two slug-gated paths
+    (spec_approvals, swarm_approvals) only check when workflow_slug is
+    non-empty.
+    """
+    state_dir = os.path.dirname(state_path)
+    candidates = [
+        os.path.join(state_dir, 'commit_consent'),
+        os.path.join(state_dir, 'push_consent'),
+    ]
+    if workflow_slug:
+        candidates.append(
+            os.path.join(state_dir, 'spec_approvals', f'{workflow_slug}.approval')
+        )
+        candidates.append(
+            os.path.join(state_dir, 'swarm_approvals', f'{workflow_slug}.approval')
+        )
+    for path in candidates:
+        try:
+            if os.path.getmtime(path) > reference_mtime:
+                return True
+        except OSError:
+            continue
+    return False
+
+
+# Parse harness_state and capture its mtime (rung 4 uses the mtime for the
+# fresh-consent comparison).
 try:
+    state_mtime = os.path.getmtime(state_path)
     with open(state_path) as f:
         data = json.load(f)
 except Exception as e:
-    _log('INFO', f'silent: rung3b harness_state unparseable ({e!s})')
+    _log('INFO', f'silent: harness_state unparseable ({e!s})')
     sys.exit(0)
 
 state_value = data.get('state')
-if state_value != 'continue':
-    _log('INFO', f'silent: rung3c state={state_value!r} (expected "continue")')
+
+# Read workflow.json's slug ONCE; both Path B's rung-4 check and the sanity
+# rail consume it. None = missing/unparseable; '' = present but no slug.
+workflow_slug = _read_workflow_slug()
+
+# Branch on state. Path A handles 'continue'; Path B (rung 4) handles
+# 'yielded'. Anything else is silent.
+emit_log_detail = ''
+
+if state_value == 'continue':
+    # Path A: marker must be present (rung 2).
+    if not marker_path or not os.path.exists(marker_path):
+        _log('INFO', 'silent: rung2 marker missing for Path A (state=continue)')
+        sys.exit(0)
+    emit_log_detail = 'Path A (state=continue + marker present)'
+elif state_value == 'yielded':
+    # Path B (rung 4): workflow.json must exist; a consent token must be
+    # newer than harness_state mtime.
+    if workflow_slug is None:
+        _log('INFO', 'silent: rung4 workflow.json missing or unparseable')
+        sys.exit(0)
+    if not _any_consent_newer_than(state_mtime, workflow_slug):
+        _log('INFO', 'silent: rung4 no consent token newer than harness_state')
+        sys.exit(0)
+    emit_log_detail = 'Path B (rung 4, state=yielded + fresh consent)'
+else:
+    _log('INFO', f'silent: state={state_value!r} (not "continue" or "yielded")')
     sys.exit(0)
 
-# Sanity rail: marker slug should match workflow.json slug.
-# Mismatch is a WARN log line; the decision is unchanged.
+# Sanity rail: marker slug should match workflow.json slug. Mismatch is a
+# WARN log line; the decision is unchanged.
 marker_slug = ''
 if marker_path and os.path.exists(marker_path):
     try:
@@ -97,25 +172,17 @@ if marker_path and os.path.exists(marker_path):
     except Exception:
         marker_slug = ''
 
-workflow_slug = ''
-if workflow_path and os.path.exists(workflow_path):
-    try:
-        with open(workflow_path) as f:
-            wf = json.load(f)
-        workflow_slug = wf.get('slug') or ''
-    except Exception:
-        workflow_slug = ''
-
-if marker_slug and workflow_slug and marker_slug != workflow_slug:
-    _warn(f'slug mismatch: marker={marker_slug} workflow={workflow_slug}')
+rail_workflow_slug = workflow_slug or ''
+if marker_slug and rail_workflow_slug and marker_slug != rail_workflow_slug:
+    _warn(f'slug mismatch: marker={marker_slug} workflow={rail_workflow_slug}')
 
-# All rungs passed — emit the block decision.
+# Gate passed — emit the block decision.
 decision = {
     'decision': 'block',
     'reason': 'Workflow continuing per harness_state. Invoke Skill(harness) to advance to the next phase.',
 }
 print(json.dumps(decision))
-_log('INFO', 'emit: decision=block (all rungs passed)')
+_log('INFO', f'emit: decision=block ({emit_log_detail})')
 PY
 
 exit 0