@garethdaine/agentops 0.9.0

package/hooks/unicode-lib.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+# Shared Unicode detection library — single source of truth for Glassworm/Trojan Source defense.
+# Sourced by: unicode-firewall.sh, unicode-scan-session.sh, lockfile-audit.sh
+
+# Dangerous invisible Unicode character ranges:
+#   Cat 1: Zero-width / invisible  U+200B-200F, U+2060-2064, U+FEFF
+#   Cat 2: Bidi overrides          U+202A-202E, U+2066-2069
+#   Cat 3: Variation selectors     U+FE00-FE0F
+#   Cat 4: Tag characters          U+E0001-E007F
+#   Cat 5: Variation sel. supp.    U+E0100-E01EF
+UNICODE_PATTERN='[\x{200B}-\x{200F}\x{2060}-\x{2064}\x{FEFF}\x{202A}-\x{202E}\x{2066}-\x{2069}\x{FE00}-\x{FE0F}\x{E0001}-\x{E007F}\x{E0100}-\x{E01EF}]'
+
+# Returns 0 (match) if dangerous invisible Unicode is found in stdin.
+unicode_detect() {
+  perl -CSD -ne "if (/$UNICODE_PATTERN/) { exit 0 } END { exit 1 }" 2>/dev/null
+}
+
+# Returns 0 (match) if dangerous invisible Unicode is found in a file.
+unicode_detect_file() {
+  local FILE="$1"
+  perl -CSD -ne "if (/$UNICODE_PATTERN/) { exit 0 } END { exit 1 }" "$FILE" 2>/dev/null
+}
+
+# Returns human-readable category summary from stdin.
+unicode_classify() {
+  perl -CSD -ne '
+    BEGIN { %c = () }
+    $c{"zero-width chars"}++            if /[\x{200B}-\x{200F}\x{2060}-\x{2064}\x{FEFF}]/;
+    $c{"bidi overrides"}++              if /[\x{202A}-\x{202E}\x{2066}-\x{2069}]/;
+    $c{"variation selectors"}++         if /[\x{FE00}-\x{FE0F}]/;
+    $c{"tag characters"}++              if /[\x{E0001}-\x{E007F}]/;
+    $c{"variation sel. supplement"}++   if /[\x{E0100}-\x{E01EF}]/;
+    END { print join(", ", sort keys %c) if %c }
+  ' 2>/dev/null
+}
+
+# Returns human-readable category summary from a file.
+unicode_classify_file() {
+  local FILE="$1"
+  perl -CSD -ne '
+    BEGIN { %c = () }
+    $c{"zero-width chars"}++            if /[\x{200B}-\x{200F}\x{2060}-\x{2064}\x{FEFF}]/;
+    $c{"bidi overrides"}++              if /[\x{202A}-\x{202E}\x{2066}-\x{2069}]/;
+    $c{"variation selectors"}++         if /[\x{FE00}-\x{FE0F}]/;
+    $c{"tag characters"}++              if /[\x{E0001}-\x{E007F}]/;
+    $c{"variation sel. supplement"}++   if /[\x{E0100}-\x{E01EF}]/;
+    END { print join(", ", sort keys %c) if %c }
+  ' "$FILE" 2>/dev/null
+}
+
+# Count affected lines from stdin.
+unicode_count_lines() {
+  perl -CSD -ne "print if /$UNICODE_PATTERN/" 2>/dev/null | wc -l | tr -d ' '
+}
+
+# Count affected lines in a file.
+unicode_count_lines_file() {
+  local FILE="$1"
+  perl -CSD -ne "print if /$UNICODE_PATTERN/" "$FILE" 2>/dev/null | wc -l | tr -d ' '
+}
+
+# Strip dangerous Unicode from a file in-place.
+unicode_strip_file() {
+  local FILE="$1"
+  perl -CSD -pi -e "s/$UNICODE_PATTERN//g" "$FILE" 2>/dev/null
+}

package/hooks/unicode-scan-session.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+set -uo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/feature-flags.sh"
+
+[ "$(agentops_flag 'unicode_firewall_enabled')" = "false" ] && exit 0
+
+source "${SCRIPT_DIR}/unicode-lib.sh"
+
+PROJECT_DIR="${CLAUDE_PROJECT_DIR:-.}"
+CACHE_DIR="${PROJECT_DIR}/.agentops"
+CACHE_FILE="${CACHE_DIR}/unicode-scan-cache"
+
+# Skip scan if cache exists and no files have been modified since last scan
+if [ -f "$CACHE_FILE" ]; then
+  NEWER_FILES=$(find "$PROJECT_DIR" \
+    -type f \
+    \( -name '*.js' -o -name '*.ts' -o -name '*.tsx' -o -name '*.jsx' \
+       -o -name '*.py' -o -name '*.rb' -o -name '*.go' -o -name '*.rs' \
+       -o -name '*.java' -o -name '*.php' -o -name '*.sh' -o -name '*.json' \
+       -o -name '*.yaml' -o -name '*.yml' -o -name '*.md' -o -name '*.env' \) \
+    -not -path '*/.git/*' \
+    -not -path '*/node_modules/*' \
+    -not -path '*/vendor/*' \
+    -not -path '*/.agentops/*' \
+    -newer "$CACHE_FILE" \
+    -print -quit 2>/dev/null)
+  if [ -z "$NEWER_FILES" ]; then
+    # No files modified since last scan — use cached result
+    CACHED_MSG=$(cat "$CACHE_FILE" 2>/dev/null)
+    [ -n "$CACHED_MSG" ] && echo "$CACHED_MSG"
+    exit 0
+  fi
+fi
+
+# Scan project directory for files containing dangerous invisible Unicode.
+# Skips: .git, node_modules, vendor, .agentops, binary files, lock files.
+RESULTS=$(find "$PROJECT_DIR" \
+  -type f \
+  \( -name '*.js' -o -name '*.ts' -o -name '*.tsx' -o -name '*.jsx' \
+     -o -name '*.py' -o -name '*.rb' -o -name '*.go' -o -name '*.rs' \
+     -o -name '*.java' -o -name '*.php' -o -name '*.c' -o -name '*.cpp' \
+     -o -name '*.h' -o -name '*.hpp' -o -name '*.cs' -o -name '*.swift' \
+     -o -name '*.kt' -o -name '*.scala' -o -name '*.sh' -o -name '*.bash' \
+     -o -name '*.vue' -o -name '*.svelte' -o -name '*.json' -o -name '*.yaml' \
+     -o -name '*.yml' -o -name '*.toml' -o -name '*.xml' -o -name '*.md' \
+     -o -name '*.txt' -o -name '*.html' -o -name '*.css' -o -name '*.scss' \
+     -o -name '*.env' -o -name '*.env.*' -o -name 'Makefile' -o -name 'Dockerfile' \
+     -o -name '*.cfg' -o -name '*.ini' -o -name '*.conf' \) \
+  -not -path '*/.git/*' \
+  -not -path '*/node_modules/*' \
+  -not -path '*/vendor/*' \
+  -not -path '*/.agentops/*' \
+  -not -path '*/dist/*' \
+  -not -path '*/build/*' \
+  -not -path '*/*.min.js' \
+  -not -path '*/*.min.css' \
+  -not -name 'package-lock.json' \
+  -not -name 'yarn.lock' \
+  -not -name 'pnpm-lock.yaml' \
+  -not -name 'composer.lock' \
+  -not -name 'Cargo.lock' \
+  -not -name 'Gemfile.lock' \
+  -print0 2>/dev/null | \
+  xargs -0 perl -CSD -lne "
+    if (/$UNICODE_PATTERN/) {
+      print \$ARGV;
+      close ARGV;  # skip to next file after first match
+    }
+  " 2>/dev/null | sort -u)
+
+if [ -n "$RESULTS" ]; then
+  FILE_COUNT=$(echo "$RESULTS" | wc -l | tr -d ' ')
+
+  # Build a truncated file list (max 10 files shown)
+  FILE_LIST=$(echo "$RESULTS" | head -10 | sed "s|^$PROJECT_DIR/||")
+  [ "$FILE_COUNT" -gt 10 ] && FILE_LIST="${FILE_LIST}
+... and $((FILE_COUNT - 10)) more"
+
+  # Audit log
+  LOG_DIR="${PROJECT_DIR}/.agentops"
+  mkdir -p "$LOG_DIR" 2>/dev/null
+  jq -nc --arg ts "$(date -u +%FT%TZ)" --arg count "$FILE_COUNT" \
+    '{ts:$ts, event:"UNICODE_SESSION_SCAN", files_flagged:($count|tonumber)}' >> "$LOG_DIR/audit.jsonl" 2>/dev/null
+
+  OUTPUT=$(jq -nc --arg count "$FILE_COUNT" --arg files "$FILE_LIST" \
+    '{systemMessage:("UNICODE FIREWALL — SESSION SCAN: Found " + $count + " file(s) containing dangerous invisible Unicode characters (zero-width, bidi overrides, variation selectors, or tag characters). These may indicate a Glassworm/Trojan Source supply-chain compromise.\n\nAffected files:\n" + $files + "\n\nRun /agentops:unicode-scan to get a detailed analysis and clean these files.")}')
+  echo "$OUTPUT"
+  mkdir -p "$CACHE_DIR" 2>/dev/null
+  echo "$OUTPUT" > "$CACHE_FILE" 2>/dev/null
+else
+  OUTPUT=$(jq -nc '{systemMessage:"Unicode firewall: session scan clean — no dangerous invisible characters detected in project files."}')
+  echo "$OUTPUT"
+  mkdir -p "$CACHE_DIR" 2>/dev/null
+  echo "$OUTPUT" > "$CACHE_FILE" 2>/dev/null
+fi

package/hooks/validate-command.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+set -uo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/feature-flags.sh"
+
+[ "$(agentops_flag 'command_validation_enabled')" = "false" ] && exit 0
+
+INPUT=$(cat) || exit 0
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null) || agentops_fail_closed
+[ -z "$COMMAND" ] && exit 0
+
+# Hard-deny rules execute BEFORE bypass check — they always enforce.
+HARD_DENY=$(agentops_hard_deny)
+
+# 1. Destructive system commands (always deny, even in bypass/unrestricted)
+if echo "$COMMAND" | grep -qE "(rm\s+-rf\s+/[^t]|mkfs\s|dd\s+if=|shutdown|reboot|init\s+[06])"; then
+  jq -nc --arg action "$HARD_DENY" \
+    '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"Destructive system command blocked by AgentOps CommandPolicy (hard deny)"}}'
+  exit 0
+fi
+
+# 2. Indirect execution of destructive commands (always deny)
+if echo "$COMMAND" | grep -qE "(eval\s|bash\s+-c|sh\s+-c|exec\s)" && echo "$COMMAND" | grep -qiE "(rm\s+-rf|chmod\s+777|curl.*\|.*sh|wget.*\|.*bash|mkfs|dd\s+if=)"; then
+  jq -nc --arg action "$HARD_DENY" \
+    '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"Indirect execution of dangerous command blocked by AgentOps CommandPolicy (hard deny)"}}'
+  exit 0
+fi
+
+# 3. Fork bomb / resource exhaustion (always deny)
+if echo "$COMMAND" | grep -qE ':\(\)\{|:\(\)\s*\{|\(\)\s*\{.*\|.*:\s*;'; then
+  jq -nc --arg action "$HARD_DENY" \
+    '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"Fork bomb pattern detected (hard deny)"}}'
+  exit 0
+fi
+
+# 4. Tampering with .agentops/ state files via Bash (always deny)
+# Covers: writes, deletions, permission changes, symlink replacement
+# Exception: AGENTOPS_WRITABLE_STATE paths (e.g. flags.json) are whitelisted
+if echo "$COMMAND" | grep -qE '>\s*[^ ]*\.agentops/' \
+   || echo "$COMMAND" | grep -qE '(tee|cp|mv|install)\s+[^ ]*\s+[^ ]*\.agentops/' \
+   || echo "$COMMAND" | grep -qE '(tee|cp|mv|install)\s+[^ ]*\.agentops/' \
+   || echo "$COMMAND" | grep -qE 'sed\s+-i[^ ]*\s+[^ ]*\.agentops/' \
+   || echo "$COMMAND" | grep -qE 'dd\s+of=[^ ]*\.agentops/' \
+   || echo "$COMMAND" | grep -qE '(rm|unlink|shred|truncate)\s+[^ ]*\.agentops/' \
+   || echo "$COMMAND" | grep -qE '(chmod|chown)\s+[^ ]*\s+[^ ]*\.agentops/' \
+   || echo "$COMMAND" | grep -qE '(ln)\s+[^ ]*\s+[^ ]*\.agentops/'; then
+  if ! echo "$COMMAND" | grep -qE "$AGENTOPS_WRITABLE_STATE"; then
+    jq -nc --arg action "$HARD_DENY" \
+      '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"Tampering with .agentops/ state files via Bash is blocked by AgentOps CommandPolicy (hard deny)"}}'
+    exit 0
+  fi
+fi
+
+# 4b. Tampering with hooks/ directory via Bash (always deny — prevent hook tampering)
+if echo "$COMMAND" | grep -qE '>\s*[^ ]*hooks/' \
+   || echo "$COMMAND" | grep -qE '(tee|cp|mv|install)\s+[^ ]*\s+[^ ]*hooks/' \
+   || echo "$COMMAND" | grep -qE 'sed\s+-i[^ ]*\s+[^ ]*hooks/' \
+   || echo "$COMMAND" | grep -qE '(rm|unlink|shred|truncate)\s+[^ ]*hooks/' \
+   || echo "$COMMAND" | grep -qE '(chmod|chown)\s+[^ ]*\s+[^ ]*hooks/' \
+   || echo "$COMMAND" | grep -qE '(ln)\s+[^ ]*\s+[^ ]*hooks/'; then
+  jq -nc --arg action "$HARD_DENY" \
+    '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"Tampering with hooks/ directory via Bash is blocked by AgentOps CommandPolicy (hard deny)"}}'
+  exit 0
+fi
+
+# Soft rules below — bypass/unrestricted can downgrade these
+agentops_is_bypass "$INPUT" && agentops_bypass_advisory "validate-command"
+ACTION=$(agentops_enforcement_action)
+
+# 5. Shell injection + dangerous pattern combo
+if echo "$COMMAND" | grep -qE '\|\||&&' && echo "$COMMAND" | grep -qiE "(rm\s+-rf|chmod\s+777|curl.*\|.*sh|wget.*\|.*bash)"; then
+  jq -nc --arg action "$ACTION" \
+    '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"Shell injection risk: chained operators with dangerous command"}}'
+  exit 0
+fi
+
+# 6. Pipe-to-shell without chaining operators
+if echo "$COMMAND" | grep -qE "(curl|wget)\s.*\|\s*(bash|sh|zsh|dash)\b"; then
+  jq -nc --arg action "$ACTION" \
+    '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"Pipe-to-shell pattern detected"}}'
+  exit 0
+fi
+
+# 7. Credential file access
+if echo "$COMMAND" | grep -qiE "(/etc/shadow|/etc/passwd|\.ssh/id_|\.env\b|\.pem\b)" && echo "$COMMAND" | grep -qE "(cat|less|head|more|tail|grep|jq|python|ruby|node|base64|xxd)\s"; then
+  jq -nc --arg action "$ACTION" \
+    '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"Credential/sensitive file access detected"}}'
+  exit 0
+fi
+
+# 8. Bash accessing system directories (HS-1 — path validation for Bash tool)
+if echo "$COMMAND" | grep -qE "^/(etc|proc|sys|dev|boot|root|sbin)(/|\s)" || echo "$COMMAND" | grep -qE "\s/(etc|proc|sys|dev|boot|root|sbin)(/|\s)"; then
+  jq -nc --arg action "$ACTION" \
+    '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"Bash command references system directory — review before proceeding"}}'
+  exit 0
+fi
+
+# 9. Bash accessing sensitive dotfiles (HS-1)
+if echo "$COMMAND" | grep -qE "/\.(ssh|gnupg|aws|docker/config\.json|kube/config|npmrc|pypirc|netrc|git-credentials)"; then
+  jq -nc --arg action "$ACTION" \
+    '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"Bash command references sensitive dotfile/directory"}}'
+  exit 0
+fi

package/hooks/validate-env.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+set -uo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/feature-flags.sh"
+
+[ "$(agentops_flag 'env_validation_enabled')" = "false" ] && exit 0
+
+INPUT=$(cat) || exit 0
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null) || agentops_fail_closed
+[ -z "$COMMAND" ] && exit 0
+
+# Only check commands that set env vars (case-insensitive to catch export path=, Ld_Preload=, etc.)
+echo "$COMMAND" | grep -qiE "(export\s+|^[A-Za-z_]+=)" || exit 0
+
+VARS=$(echo "$COMMAND" | grep -oiE '\b[A-Za-z_][A-Za-z0-9_]*=' | sed 's/=$//' 2>/dev/null) || exit 0
+
+# --- Hard-deny rules (always enforce, even in bypass mode) ---
+HARD_DENY=$(agentops_hard_deny)
+
+for VAR in $VARS; do
+  # Normalize to uppercase for comparison
+  VAR_UPPER=$(echo "$VAR" | tr '[:lower:]' '[:upper:]')
+
+  # Forbidden keys — LD_PRELOAD, PATH, HOME etc. are always dangerous
+  if echo "$VAR_UPPER" | grep -qE "^(PATH|HOME|SHELL|USER|LD_PRELOAD|LD_LIBRARY_PATH|DYLD_)"; then
+    jq -nc --arg var "$VAR" --arg action "$HARD_DENY" \
+      '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:("EnvPolicy: forbidden env var " + $var + " (hard deny)")}}'
+    exit 0
+  fi
+
+  # DB credentials — always deny
+  if echo "$VAR_UPPER" | grep -qE "^(DB_|TEST_DB_|REDIS_|MYSQL_|POSTGRES_)"; then
+    jq -nc --arg var "$VAR" --arg action "$HARD_DENY" \
+      '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:("EnvPolicy: database credential var " + $var + " (hard deny)")}}'
+    exit 0
+  fi
+done
+
+# --- Soft rules (bypass can skip these) ---
+agentops_is_bypass "$INPUT" && agentops_bypass_advisory "validate-env"
+ACTION=$(agentops_enforcement_action)
+
+for VAR in $VARS; do
+  VAR_UPPER=$(echo "$VAR" | tr '[:lower:]' '[:upper:]')
+  # Secret patterns
+  if echo "$VAR_UPPER" | grep -qE "(SECRET|TOKEN|PASSWORD|PASS|PRIVATE|CREDENTIAL|API_KEY|AUTH)"; then
+    jq -nc --arg var "$VAR" --arg action "$ACTION" \
+      '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:("EnvPolicy: var matches secret pattern (" + $var + ")")}}'
+    exit 0
+  fi
+done

package/hooks/validate-path.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+set -uo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/feature-flags.sh"
+
+[ "$(agentops_flag 'path_validation_enabled')" = "false" ] && exit 0
+
+INPUT=$(cat) || exit 0
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) || agentops_fail_closed
+
+# Extract path based on tool
+case "$TOOL" in
+  Read|Write|Edit) FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null) ;;
+  Glob|Grep) FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.path // empty' 2>/dev/null) ;;
+  *) exit 0 ;;
+esac
+
+[ -z "$FILE_PATH" ] && exit 0
+
+# --- Hard-deny rules (always enforce, even in bypass mode) ---
+
+# 1. Must be absolute
+if [[ "$FILE_PATH" != /* ]]; then
+  jq -nc --arg fp "$FILE_PATH" \
+    '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"deny",permissionDecisionReason:("PathPolicy: path must be absolute (got: " + $fp + ")")}}'
+  exit 0
+fi
+
+# 2. Path traversal
+if echo "$FILE_PATH" | grep -qE '\.\.(/|$)'; then
+  jq -nc '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"deny",permissionDecisionReason:"PathPolicy: path traversal (..) blocked"}}'
+  exit 0
+fi
+
+# 3. Length limit (1024 chars)
+if [ ${#FILE_PATH} -gt 1024 ]; then
+  jq -nc '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"deny",permissionDecisionReason:"PathPolicy: path exceeds 1024 character limit"}}'
+  exit 0
+fi
+
+# Canonicalize for symlink resolution (for Write/Edit, resolve existing paths)
+CANONICAL="$FILE_PATH"
+if [ "$TOOL" = "Write" ] || [ "$TOOL" = "Edit" ]; then
+  PARENT_DIR=$(dirname "$FILE_PATH")
+  if [ -d "$PARENT_DIR" ]; then
+    RESOLVED=$(realpath -m "$FILE_PATH" 2>/dev/null) || RESOLVED="$FILE_PATH"
+    CANONICAL="$RESOLVED"
+  fi
+fi
+
+# 4. Protect plugin state files from agent writes (hard deny)
+#    Exception: AGENTOPS_WRITABLE_STATE paths (e.g. flags.json) are whitelisted
+if [ "$TOOL" = "Write" ] || [ "$TOOL" = "Edit" ]; then
+  if echo "$CANONICAL" | grep -qE "$AGENTOPS_PROTECTED_PATHS"; then
+    if ! echo "$CANONICAL" | grep -qE "$AGENTOPS_WRITABLE_STATE"; then
+      jq -nc --arg fp "$CANONICAL" \
+        '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"deny",permissionDecisionReason:("PathPolicy: protected AgentOps state file (" + $fp + ")")}}'
+      exit 0
+    fi
+  fi
+fi
+
+# --- Soft rules (bypass/unrestricted can downgrade) ---
+agentops_is_bypass "$INPUT" && agentops_bypass_advisory "validate-path"
+ACTION=$(agentops_enforcement_action)
+
+# 5. System directory confinement (check both raw and canonical)
+for CHECK_PATH in "$FILE_PATH" "$CANONICAL"; do
+  if echo "$CHECK_PATH" | grep -qE "^/(etc|proc|sys|dev|boot|root|sbin)(/|$)"; then
+    jq -nc --arg fp "$CHECK_PATH" --arg action "$ACTION" \
+      '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:("PathPolicy: access to system directory blocked (" + $fp + ")")}}'
+    exit 0
+  fi
+done
+
+# 6. Sensitive dotfiles
+if echo "$CANONICAL" | grep -qE "/\.(ssh|gnupg|aws|docker/config\.json|kube/config)"; then
+  jq -nc --arg fp "$CANONICAL" --arg action "$ACTION" \
+    '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:("PathPolicy: sensitive dotfile/directory access (" + $fp + ")")}}'
+  exit 0
+fi

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@garethdaine/agentops",
+  "version": "0.9.0",
+  "description": "Enterprise guardrails, delivery lifecycle, and self-evolution for Claude Code CLI",
+  "author": {
+    "name": "Gareth Daine",
+    "email": "1745959+garethdaine@users.noreply.github.com"
+  },
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/garethdaine/agentops.git"
+  },
+  "homepage": "https://github.com/garethdaine/agentops",
+  "bugs": {
+    "url": "https://github.com/garethdaine/agentops/issues"
+  },
+  "keywords": [
+    "claude-code",
+    "claude-code-plugin",
+    "guardrails",
+    "security",
+    "tdd",
+    "delivery",
+    "enterprise",
+    "ai-agent",
+    "compliance",
+    "audit"
+  ],
+  "files": [
+    ".claude-plugin/",
+    "agents/",
+    "commands/",
+    "hooks/",
+    "templates/",
+    "settings.json",
+    "LICENSE",
+    "README.md"
+  ]
+}

package/settings.json

@@ -0,0 +1,6 @@
+{
+  "permissions": {
+    "allow": [],
+    "deny": []
+  }
+}

package/templates/ai-config/tool-standards.md

@@ -0,0 +1,56 @@
+# Shared AI Configuration: Tool Standards
+
+## Approved AI Tools by Task
+
+| Task | Primary Tool | Alternative | Notes |
+|------|-------------|-------------|-------|
+| Architecture decisions | Claude (Opus) | — | Needs deep reasoning |
+| Feature implementation | Claude Code | Cursor | Structured workflow via /agentops:feature |
+| Code review | Claude Code | — | Via /agentops:review |
+| Bug investigation | Claude Code | — | Via bug-investigation workflow |
+| Documentation | Claude (Sonnet) | — | Fast, high-quality prose |
+| Test generation | Claude Code | — | Via /agentops:test-gen |
+| Refactoring | Claude Code | Cursor | Via refactoring workflow |
+
+## AI Output Quality Standards
+
+### Code Quality
+- Generated code must pass TypeScript strict mode
+- No `any` types unless explicitly justified
+- All functions must handle error cases
+- No placeholder values (TODO, FIXME, example.com)
+- Follows existing project patterns and conventions
+
+### Documentation Quality
+- Clear, concise, professional tone
+- No hallucinated links or references
+- All code examples must be syntactically correct
+- Technical accuracy verified against codebase
+
+### Review Quality
+- All findings must reference specific file:line locations
+- Fix suggestions must be concrete and implementable
+- Severity ratings must be justified
+- No false positives from pattern matching
+
+## Model Selection Guide
+
+| Consideration | Use Opus/Large | Use Sonnet/Medium | Use Haiku/Small |
+|---------------|---------------|-------------------|-----------------|
+| Architecture | Yes | — | — |
+| Complex features | Yes | — | — |
+| Simple features | — | Yes | — |
+| Code review | Yes | Yes | — |
+| Documentation | — | Yes | — |
+| Quick questions | — | — | Yes |
+| Content filtering | — | — | Yes |
+
+## Prompt Library Index
+
+| Category | Template | Location |
+|----------|----------|----------|
+| Feature build | feature-implementation.md | templates/workflows/ |
+| Bug fix | bug-investigation.md | templates/workflows/ |
+| Refactoring | refactoring.md | templates/workflows/ |
+| Architecture | architecture-decision.md | templates/workflows/ |
+| Spike | spike-exploration.md | templates/workflows/ |