@jaguilar87/gaia-ops 4.4.0 → 4.5.0

package/.claude-plugin/marketplace.json

@@ -8,7 +8,7 @@
     {
       "name": "gaia-security",
       "description": "Keeps you in the loop only when it matters. Gaia Security analyzes every command and classifies it into risk tiers: read-only queries run freely, simulations and validations pass through, and state-changing operations (create, delete, apply, push) pause for your explicit approval before executing. Irreversible commands like dropping databases or deleting cloud infrastructure are permanently blocked.",
-      "version": "4.4.0",
+      "version": "4.5.0",
       "source": "./dist/gaia-security"
     }
   ]

package/.claude-plugin/plugin.json

@@ -1,15 +1,24 @@
 {
   "name": "gaia-ops",
-  "version": "4.4.0",
+  "version": "4.5.0",
   "description": "Security-first orchestrator with specialized agents, hooks, and governance for AI coding",
   "author": {
     "name": "jaguilar87"
   },
   "repository": "https://github.com/metraton/gaia-ops",
   "license": "MIT",
-  "keywords": ["security", "devops", "orchestrator", "governance"],
+  "keywords": [
+    "security",
+    "devops",
+    "orchestrator",
+    "governance"
+  ],
   "engines": {
     "claude-code": ">=2.1.0"
   },
-  "categories": ["devops", "security", "orchestration"]
+  "categories": [
+    "devops",
+    "security",
+    "orchestration"
+  ]
 }

package/CHANGELOG.md

@@ -5,6 +5,40 @@ All notable changes to the gaia-ops orchestration system are documented in this
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.5.0] - 2026-03-24
+
+### Settings Architecture Redesign + Multi-Cloud Security
+
+Unified approach for permissions across NPM and plugin installation modes. Permissions now live in `settings.local.json` (union merge, preserves user config). `settings.json` contains only hooks.
+
+#### Added
+- **Azure deny rules** — 39 rules covering resource groups, networking, AKS, Key Vault, CosmosDB, Service Bus, and more
+- **Generic wildcard deny rules** — 20 rules that catch all present and future cloud services (`aws * delete-*`, `az * delete`, `gcloud * delete`, etc.)
+- **Indirect execution detection** — Catches `bash -c`, `eval`, `python3 -c`, `node -e`, `ruby -e`, `perl -e` wrappers that bypass regex patterns
+- **Managed settings template** — `templates/managed-settings.template.json` for enterprise deployment via Claude.ai Admin Console
+- **`updateLocalPermissions()`** in `gaia-update.js` — NPM postinstall now merges permissions into `settings.local.json` (same approach as plugin SessionStart)
+- **Plugin mode detection via `plugin.json`** — `plugin_setup.py` and `plugin_mode.py` now read `.claude-plugin/plugin.json` for reliable name/version/mode detection with `--plugin-dir`
+- **First-run welcome message** — `user_prompt_submit.py` detects first run and injects a welcome explaining that restart is needed to activate permissions
+
+#### Changed
+- **`settings.template.json`** — Removed permissions block; template now contains only hooks + environment
+- **`_DENY_RULES` centralized in Python** — Single source of truth in `plugin_setup.py`, shared by both OPS and SECURITY modes
+- **T3 approval flow** — All T3 mutative operations now use native `ask` dialog (both ops and security mode). Nonce workflow removed from direct conversation; kept for subagent use via skills.
+- **`approval_messages.py`** — Simplified T3 block message to minimal data (tier + nonce). Workflow instructions live in skills, not hook messages.
+- **`pre_tool_use.py`** — Simplified: passes through `block_response` from `bash_validator` directly, no more mode-specific branching
+- **`bash_validator.py`** — T3 mutative returns `ask` response directly (no nonce generation, no pending files)
+- **`session_start.py`** — Uses `mark_done=False` so `user_prompt_submit.py` can detect first-run and show welcome before marking initialized
+- **`gaia-update.js` registry path** — Fixed to write `plugin-registry.json` in `.claude/` (same path Python hooks expect)
+- **`gaia-doctor.js`** — Now checks permissions in `settings.local.json` (not just `settings.json`). Updated agent and config file lists.
+- **`gaia-update.js` health check** — Updated config files (`surface-routing.json`) and agent list (`gaia-system.md`, `speckit-planner.md`)
+
+#### Fixed
+- **Registry path mismatch** — `gaia-update.js` wrote to `.claude/project-context/`, Python read from `.claude/`. Now both use `.claude/`.
+- **Orphaned nonce files** — `bash_validator` no longer writes pending approval files for `ask` responses
+- **Plugin mode detection** — `--plugin-dir` now correctly detects `gaia-ops` vs `gaia-security` via `plugin.json` instead of path parsing
+- **First-run welcome race condition** — `SessionStart` no longer marks initialized; `UserPromptSubmit` marks after showing welcome
+- **`_build_welcome()` framing** — Rewritten to explain WHY the user needs to restart (permissions not active yet), making Claude naturally relay the message
+
 ## [4.4.0-rc.5] - 2026-03-19
 
 ### Identity Redesign

package/README.md

@@ -14,14 +14,17 @@ Multi-agent DevOps system that classifies every operation by risk, routes work t
 
 ### Features
 
-- **Multi-cloud support** - GCP, AWS
-- **6 agents** - terraform-architect, gitops-operator, cloud-troubleshooter, devops-developer, speckit-planner, gaia (meta-agent)
+- **Multi-cloud support** - GCP, AWS, Azure
+- **6 agents** - terraform-architect, gitops-operator, cloud-troubleshooter, devops-developer, speckit-planner, gaia-system (meta-agent)
 - **Contracts as SSOT** - Cloud-agnostic base contracts with per-cloud extensions (GCP, AWS)
 - **Dynamic identity** - Orchestrator identity injected by UserPromptSubmit hook; skills loaded on-demand
-- **Approval gates** for T3 operations via nonce-based workflow
+- **Dual-barrier security** - Settings deny rules (Claude Code native) + hook-level blocking (inalterable via symlink)
+- **Indirect execution detection** - Catches `bash -c`, `eval`, `python -c` wrappers that bypass regex patterns
+- **Approval gates** for T3 operations via native `ask` dialog
 - **Git commit validation** with Conventional Commits
-- **20 skills** - Injected procedural knowledge modules for agents
+- **21 skills** - Injected procedural knowledge modules for agents
 - **Plugin + npm** - Distributable as Claude Code native plugin or npm package
+- **Enterprise ready** - Managed settings template for organization-wide deployment
 
 ## Installation
 
@@ -56,12 +59,24 @@ gaia-scan
 
 This will:
 1. Auto-detect your project structure (GitOps, Terraform, AppServices)
-2. Install Claude Code if not present
-3. Create `.claude/` directory with symlinks to this package
-4. Generate `project-context.json` and `settings.json`
+2. Create `.claude/` directory with symlinks to this package
+3. Generate `project-context.json`
+4. Create `settings.json` with hooks only (no permissions in settings.json)
+5. Merge deny rules + allow permissions into `settings.local.json` (preserves existing user config)
 
 No `CLAUDE.md` is generated -- orchestrator identity is injected dynamically by the UserPromptSubmit hook.
 
+### Settings Architecture
+
+Gaia-Ops separates hooks from permissions:
+
+| File | Content | Strategy |
+|------|---------|----------|
+| `settings.json` | Hooks only (9 hook types) | Overwritten from template on each update |
+| `settings.local.json` | Permissions (allow + deny rules) | Union merge — never removes user config |
+
+This ensures your personal customizations (MCP servers, extra permissions) survive updates.
+
 ### Manual Installation
 
 ```bash
@@ -100,17 +115,34 @@ npx gaia-skills-diagnose
 npx gaia-skills-diagnose --run-tests
 ```
 
+## Security
+
+Gaia-Ops enforces a 6-layer security pipeline:
+
+| Layer | Mechanism | Bypassable? |
+|-------|-----------|-------------|
+| Indirect execution detection | `bash -c`, `eval`, `python -c` wrappers | No (hook-level) |
+| Blocked commands (regex) | 85+ regex patterns | No (symlink to npm package) |
+| Blocked commands (semantic) | 70+ ordered-token rules | No (symlink to npm package) |
+| Cloud pipe validator | Credential piping detection | No (hook-level) |
+| Mutative verb detection | `ask` dialog for state-changing ops | User approves via native dialog |
+| Settings deny rules | 147 deny rules in `settings.local.json` | Self-healing (restored each session) |
+
+### Enterprise Deployment
+
+For organization-wide enforcement, deploy `templates/managed-settings.template.json` as a managed settings policy via Claude.ai Admin Console. Managed settings have the highest precedence and cannot be overridden.
+
 ## Project Structure
 
 ```
 node_modules/@jaguilar87/gaia-ops/
 ├── agents/              # Agent definitions (6 agents)
-├── skills/              # Skill modules (20 skills)
+├── skills/              # Skill modules (21 skills)
 ├── tools/               # Orchestration tools
 ├── hooks/               # Claude Code hooks (modular architecture)
 ├── commands/            # Slash commands (5 speckit + scan-project)
 ├── config/              # Configuration (contracts, git standards, rules)
-├── templates/           # Installation templates (settings, governance)
+├── templates/           # Installation templates (settings, governance, managed-settings)
 ├── speckit/             # Spec-Kit framework (templates)
 ├── bin/                 # CLI utilities (11 scripts)
 └── tests/               # Test suite
@@ -133,7 +165,7 @@ This package follows [Semantic Versioning](https://semver.org/):
 - **MINOR:** New features
 - **PATCH:** Bug fixes
 
-Current version: **4.4.0-rc.5**
+Current version: **4.5.0**
 
 See [CHANGELOG.md](./CHANGELOG.md) for version history.
 
@@ -169,7 +201,7 @@ git clone git@bitbucket.org:yourorg/your-project-context.git project-context
 
 - **Issues:** [GitHub Issues](https://github.com/metraton/gaia-ops/issues)
 - **Repository:** [github.com/metraton/gaia-ops](https://github.com/metraton/gaia-ops)
-- **Author:** Jorge Aguilar <jaguilar1897@gmail.com>
+- **Author:** Jorge Aguilar <jorge.aguilar88@gmail.com>
 
 ## License
 

package/bin/README.md

@@ -27,7 +27,7 @@ Configure symlinks  Remove files
 | Script | Description |
 |--------|-------------|
 | `gaia-scan` | Project scanner and installer (Python) |
-| `gaia-update.js` | Configuration updater (postinstall hook) |
+| `gaia-update.js` | Configuration updater (postinstall hook) — updates hooks template, merges permissions into settings.local.json, ensures plugin-registry |
 
 ### Diagnostics and Monitoring
 
@@ -146,4 +146,4 @@ npx gaia-scan --non-interactive
 
 ---
 
-**Version:** 4.4.0-rc.5 | **Updated:** 2026-03-19 | **Scripts:** 11
+**Version:** 4.5.0 | **Updated:** 2026-03-24 | **Scripts:** 11

package/bin/gaia-doctor.js

@@ -102,17 +102,30 @@ async function checkSettingsJson() {
       if (!hookTypes.includes('PostToolUse')) issues.push('Missing PostToolUse hook');
     }
 
-    // Check permissions exist
-    if (!data.permissions) {
-      issues.push('No permissions configured');
+    // Check permissions — now live in settings.local.json (not settings.json)
+    const localPath = join(CWD, '.claude', 'settings.local.json');
+    let permCount = 0;
+    if (existsSync(localPath)) {
+      try {
+        const localData = JSON.parse(await fs.readFile(localPath, 'utf-8'));
+        if (localData.permissions) {
+          permCount = Object.values(localData.permissions).flat().length;
+        }
+      } catch { /* ignore parse errors */ }
+    }
+    // Also count permissions in settings.json (legacy installs)
+    if (data.permissions) {
+      permCount += Object.values(data.permissions).flat().length;
+    }
+    if (permCount === 0) {
+      issues.push('No permissions configured (check settings.local.json)');
     }
 
     if (issues.length > 0) {
-      return { name: 'settings.json', ok: false, detail: issues.join('; '), fix: 'Run gaia-scan' };
+      return { name: 'settings.json', ok: false, detail: issues.join('; '), fix: 'Run gaia-scan or npx gaia-update' };
     }
 
     const hookCount = data.hooks ? Object.keys(data.hooks).length : 0;
-    const permCount = data.permissions ? Object.values(data.permissions).flat().length : 0;
     return { name: 'settings.json', ok: true, detail: `${hookCount} hook types, ${permCount} rules` };
   } catch {
     return { name: 'settings.json', ok: false, detail: 'Invalid JSON', fix: 'Delete and run gaia-scan' };

package/bin/gaia-scan.py

@@ -238,8 +238,11 @@ def _mode_fresh(project_root: Path, scan_config: ScanConfig, args) -> int:
 
     # Step 4: INSTALL (automatic, no prompts)
     skip_claude = getattr(args, "skip_claude_install", False)
+    npm_postinstall = getattr(args, "npm_postinstall", False)
     ensure_claude_code(skip_install=skip_claude)
-    ensure_gaia_ops_package(project_root)
+    if not npm_postinstall:
+        # Skip when called from npm postinstall to avoid re-entrance
+        ensure_gaia_ops_package(project_root)
     create_claude_directory(project_root)
     copy_claude_md(project_root)
     copy_settings_json(project_root)
@@ -496,6 +499,13 @@ def main(argv: list = None) -> int:
         dest="skip_claude_install",
         help="Skip Claude Code CLI installation",
     )
+    parser.add_argument(
+        "--npm-postinstall",
+        action="store_true",
+        default=False,
+        dest="npm_postinstall",
+        help="Called from npm postinstall: skip Claude Code install and npm package install to avoid re-entrance",
+    )
 
     args = parser.parse_args(argv)
 
@@ -544,11 +554,19 @@ def main(argv: list = None) -> int:
                 print(json.dumps(result), file=sys.stdout)
                 return 0
 
+        # --npm-postinstall implies --skip-claude-install and skips ensure_gaia_ops_package
+        if args.npm_postinstall:
+            args.skip_claude_install = True
+
         # Mode selection
         # --json or --scan-only: scan-only mode
         if args.json or args.scan_only:
             return _mode_scan_only(project_root, scan_config, args)
 
+        # --npm-postinstall: fresh install mode with re-entrance protection
+        if args.npm_postinstall:
+            return _mode_fresh(project_root, scan_config, args)
+
         # Detect mode based on .claude/ existence
         claude_dir = project_root / ".claude"
         if claude_dir.is_dir():

package/bin/gaia-update.js

@@ -7,13 +7,19 @@
  * Also available as: npx gaia-update
  *
  * Behavior:
- * - First-time install (.claude/ doesn't exist): skip silently (gaia-scan handles it)
+ * - First-time install (.claude/ doesn't exist):
+ *   1. Check Python 3 is available
+ *   2. Run gaia-scan --npm-postinstall to create .claude/, symlinks, settings, project-context
+ *   3. Create plugin-registry.json
+ *   4. Merge permissions into settings.local.json
+ *   5. Fall through to verification
  * - Update (.claude/ exists):
  *   1. Show version transition (previous → current)
- *   2. settings.json: REPLACE from template (template is source of truth)
- *   3. Symlinks: recreate if missing, fix broken ones
- *   4. Verify: hooks, python, project-context, config files
- *   5. Report: summary with any issues found
+ *   2. settings.json: REPLACE from template (hooks only — no permissions)
+ *   3. Merge permissions into settings.local.json (union, preserves user config)
+ *   4. Symlinks: recreate if missing, fix broken ones
+ *   5. Verify: hooks, python, project-context, config files
+ *   6. Report: summary with any issues found
  *
  * Usage:
  *   npm update @jaguilar87/gaia-ops   # Automatic via postinstall
@@ -82,9 +88,9 @@ async function updateSettingsJson() {
       return false;
     }
 
-    // Always replace from template -- template is the source of truth
+    // Always replace from template -- template is the source of truth (hooks only)
     await fs.copyFile(templatePath, settingsPath);
-    spinner.succeed('settings.json updated from template');
+    spinner.succeed('settings.json updated from template (hooks)');
     return true;
   } catch (error) {
     spinner.fail(`settings.json: ${error.message}`);
@@ -92,6 +98,114 @@ async function updateSettingsJson() {
   }
 }
 
+async function updateLocalPermissions() {
+  const spinner = ora('Merging permissions into settings.local.json...').start();
+  try {
+    const claudeDir = join(CWD, '.claude');
+    const localPath = join(claudeDir, 'settings.local.json');
+
+    if (!existsSync(claudeDir)) {
+      spinner.info('Skipped (.claude/ not found)');
+      return false;
+    }
+
+    // Load permissions from plugin_setup.py — the single source of truth.
+    // We use ast.literal_eval to extract the constants without importing
+    // the module (which has relative imports that fail standalone).
+    let gaiaPerms;
+    try {
+      const setupPath = join(__dirname, '..', 'hooks', 'modules', 'core', 'plugin_setup.py');
+      const { stdout } = await execAsync(
+        `python3 -c "
+import ast, json, re
+
+source = open('${setupPath.replace(/'/g, "\\'")}').read()
+
+# Extract _DENY_RULES list
+deny_match = re.search(r'^_DENY_RULES\\s*=\\s*\\[', source, re.MULTILINE)
+if deny_match:
+    bracket_start = deny_match.start() + source[deny_match.start():].index('[')
+    depth, i = 0, bracket_start
+    for i, ch in enumerate(source[bracket_start:], bracket_start):
+        if ch == '[': depth += 1
+        elif ch == ']': depth -= 1
+        if depth == 0: break
+    deny_rules = ast.literal_eval(source[bracket_start:i+1])
+else:
+    deny_rules = []
+
+# Extract OPS_PERMISSIONS allow list
+ops_match = re.search(r'^OPS_PERMISSIONS\\s*=', source, re.MULTILINE)
+if ops_match:
+    bracket_start = source.index('{', ops_match.start())
+    depth, i = 0, bracket_start
+    for i, ch in enumerate(source[bracket_start:], bracket_start):
+        if ch == '{': depth += 1
+        elif ch == '}': depth -= 1
+        if depth == 0: break
+    # Replace _DENY_RULES reference with actual list for eval
+    ops_str = source[bracket_start:i+1].replace('_DENY_RULES', json.dumps(deny_rules))
+    ops_perms = ast.literal_eval(ops_str)
+else:
+    ops_perms = {'permissions': {'allow': [], 'deny': deny_rules, 'ask': []}}
+
+print(json.dumps(ops_perms))
+"`,
+        { timeout: 10000 }
+      );
+      gaiaPerms = JSON.parse(stdout.trim());
+    } catch (pyError) {
+      spinner.warn(`Could not load permissions from Python — ${pyError.message || 'unknown error'}`);
+      return false;
+    }
+
+    const ourAllow = new Set(gaiaPerms.permissions.allow || []);
+    const ourDeny = new Set(gaiaPerms.permissions.deny || []);
+
+    // Load existing settings.local.json — preserve everything (enabledPlugins, MCP servers, etc.)
+    let existing = {};
+    if (existsSync(localPath)) {
+      try {
+        existing = JSON.parse(await fs.readFile(localPath, 'utf-8'));
+      } catch {
+        existing = {};
+      }
+    }
+
+    const perms = existing.permissions || {};
+    const currentAllow = new Set(perms.allow || []);
+    const currentDeny = new Set(perms.deny || []);
+
+    // Union merge — add ours without removing user's
+    const mergedAllow = [...new Set([...currentAllow, ...ourAllow])].sort();
+    const mergedDeny = [...new Set([...currentDeny, ...ourDeny])].sort();
+
+    // Check if anything changed
+    const allowChanged = mergedAllow.length !== currentAllow.size
+      || mergedAllow.some(r => !currentAllow.has(r));
+    const denyChanged = mergedDeny.length !== currentDeny.size
+      || mergedDeny.some(r => !currentDeny.has(r));
+
+    if (!allowChanged && !denyChanged) {
+      spinner.succeed('settings.local.json permissions already up to date');
+      return false;
+    }
+
+    // Update only permissions, preserve everything else
+    existing.permissions = existing.permissions || {};
+    existing.permissions.allow = mergedAllow;
+    existing.permissions.deny = mergedDeny;
+    existing.permissions.ask = existing.permissions.ask || [];
+
+    await fs.writeFile(localPath, JSON.stringify(existing, null, 2) + '\n');
+    spinner.succeed('settings.local.json permissions merged');
+    return true;
+  } catch (error) {
+    spinner.fail(`settings.local.json: ${error.message}`);
+    return false;
+  }
+}
+
 async function updateSymlinks() {
   const spinner = ora('Checking symlinks...').start();
   try {
@@ -206,7 +320,7 @@ async function runVerification() {
   }
 
   // 4. Config files accessible
-  const configFiles = ['classification-rules.json', 'git_standards.json', 'universal-rules.json'];
+  const configFiles = ['git_standards.json', 'universal-rules.json', 'surface-routing.json'];
   for (const cfg of configFiles) {
     const path = join(CWD, '.claude', 'config', cfg);
     if (existsSync(path)) {
@@ -218,7 +332,7 @@ async function runVerification() {
   }
 
   // 5. Agent definitions accessible
-  const agentFiles = ['terraform-architect.md', 'gitops-operator.md', 'cloud-troubleshooter.md', 'devops-developer.md', 'gaia.md'];
+  const agentFiles = ['terraform-architect.md', 'gitops-operator.md', 'cloud-troubleshooter.md', 'devops-developer.md', 'gaia-system.md', 'speckit-planner.md'];
   let agentsOk = 0;
   for (const agent of agentFiles) {
     if (existsSync(join(CWD, '.claude', 'agents', agent))) agentsOk++;
@@ -256,48 +370,102 @@ async function runVerification() {
 // Main
 // ============================================================================
 
+async function runFreshInstall() {
+  const packageDir = join(__dirname, '..');
+  const scanScript = join(packageDir, 'bin', 'gaia-scan.py');
+  const { current } = await detectVersions();
+
+  console.log(chalk.cyan(`\n  gaia-ops ${chalk.green(current)} — fresh install\n`));
+
+  // 1. Check Python 3 is available
+  const spinner = ora('Checking Python 3...').start();
+  try {
+    await execAsync('python3 --version', { timeout: 5000 });
+    spinner.succeed('Python 3 found');
+  } catch {
+    spinner.warn('Python 3 not found — skipping project setup');
+    console.log(chalk.gray('  Install Python 3.9+ and run: npx gaia-scan\n'));
+    return;
+  }
+
+  // 2. Run gaia-scan --npm-postinstall
+  const scanSpinner = ora('Running gaia-scan...').start();
+  try {
+    const { stdout, stderr } = await execAsync(
+      `python3 "${scanScript}" --npm-postinstall --root "${CWD}"`,
+      { timeout: 60000 }
+    );
+    scanSpinner.succeed('Project scanned and configured');
+    if (VERBOSE && stdout) console.log(chalk.gray(stdout));
+    if (VERBOSE && stderr) console.log(chalk.yellow(stderr));
+  } catch (error) {
+    scanSpinner.warn('gaia-scan encountered issues (non-fatal)');
+    if (VERBOSE && error.stderr) console.log(chalk.gray(error.stderr));
+  }
+
+  // 3. Create plugin-registry.json (in .claude/, same path Python hooks expect)
+  try {
+    const claudeDirPath = join(CWD, '.claude');
+    if (!existsSync(claudeDirPath)) {
+      await fs.mkdir(claudeDirPath, { recursive: true });
+    }
+    const registryPath = join(claudeDirPath, 'plugin-registry.json');
+    const registry = {
+      installed: [{ name: 'gaia-ops', version: current || 'unknown' }],
+      source: 'npm-postinstall',
+    };
+    await fs.writeFile(registryPath, JSON.stringify(registry, null, 2) + '\n');
+  } catch {
+    // Non-fatal — plugin-registry is a convenience, not critical
+  }
+
+  // 4. Merge permissions into settings.local.json (same approach as plugin mode)
+  await updateLocalPermissions();
+}
+
 async function main() {
   const claudeDir = join(CWD, '.claude');
   const isUpdate = existsSync(claudeDir);
 
   if (!isUpdate) {
-    // First-time install — gaia-scan handles everything
-    process.exit(0);
+    // First-time install — run gaia-scan to bootstrap everything
+    await runFreshInstall();
+  } else {
+    // Version info
+    const { previous, current } = await detectVersions();
+    const versionLine = previous && previous !== current
+      ? `${chalk.gray(previous)} → ${chalk.green(current)}`
+      : chalk.green(current);
+
+    console.log(chalk.cyan(`\n  gaia-ops update ${versionLine}\n`));
+
+    // Step 1-3: Update files
+    await updateSettingsJson();
+    await updateLocalPermissions();
+    await updateSymlinks();
   }
 
-  // Version info
-  const { previous, current } = await detectVersions();
-  const versionLine = previous && previous !== current
-    ? `${chalk.gray(previous)} → ${chalk.green(current)}`
-    : chalk.green(current);
-
-  console.log(chalk.cyan(`\n  gaia-ops update ${versionLine}\n`));
-
-  // Step 1-2: Update files
-  const settingsUpdated = await updateSettingsJson();
-  const { updated: symlinksUpdated, fixed: symlinksFix } = await updateSymlinks();
+  // Ensure plugin-registry.json exists in .claude/ (both fresh and update)
+  try {
+    const registryPath = join(CWD, '.claude', 'plugin-registry.json');
+    if (!existsSync(registryPath)) {
+      const { current } = await detectVersions();
+      const registry = {
+        installed: [{ name: 'gaia-ops', version: current || 'unknown' }],
+        source: 'npm-postinstall',
+      };
+      await fs.writeFile(registryPath, JSON.stringify(registry, null, 2) + '\n');
+    }
+  } catch { /* non-fatal */ }
 
-  // Step 3: Verify
+  // Verify (runs for both fresh install and update)
   const { issues, passed, total } = await runVerification();
 
-  // Summary
-  const changes = [settingsUpdated, symlinksUpdated].filter(Boolean).length;
-
   console.log('');
-  if (changes > 0 || issues.length > 0) {
-    // Changes summary
-    if (changes > 0) {
-      console.log(chalk.green(`  ${changes} file(s) updated`));
-      if (settingsUpdated) console.log(chalk.gray('    settings.json: replaced from template'));
-      if (symlinksFix > 0) console.log(chalk.gray(`    ${symlinksFix} symlink(s) fixed`));
-    }
-
-    // Issues
-    if (issues.length > 0) {
-      console.log(chalk.yellow(`\n  ${issues.length} issue(s) found:`));
-      for (const issue of issues) {
-        console.log(chalk.yellow(`    - ${issue}`));
-      }
+  if (issues.length > 0) {
+    console.log(chalk.yellow(`  ${issues.length} issue(s) found:`));
+    for (const issue of issues) {
+      console.log(chalk.yellow(`    - ${issue}`));
     }
   } else {
     console.log(chalk.green('  Everything up to date'));

package/git-hooks/commit-msg

@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# commit-msg hook: strip Claude Code attribution footers from commit messages.
+#
+# This hook runs at the git level, catching ALL commits regardless of whether
+# they originate from Claude Code's Bash tool, a subagent, or the user's terminal.
+#
+# Patterns match those in hooks/modules/tools/bash_validator.py _strip_claude_footers()
+# to maintain a single source of truth for what constitutes a forbidden footer.
+#
+# Installation:
+#   cp git-hooks/commit-msg .git/hooks/commit-msg
+#   chmod +x .git/hooks/commit-msg
+#
+# Or via gaia-init (automatic).
+
+COMMIT_MSG_FILE="$1"
+
+if [ ! -f "${COMMIT_MSG_FILE}" ]; then
+    exit 0
+fi
+
+# Create a temp file for the cleaned message
+TEMP_FILE=$(mktemp)
+trap 'rm -f "${TEMP_FILE}"' EXIT
+
+# Read the commit message and strip forbidden footer lines:
+#   - Co-Authored-By: containing "Claude" (any case)
+#   - "Generated with Claude Code" or "[Claude Code]" (any case)
+#   - Emoji-prefixed "Generated with" lines
+sed -E \
+    -e '/^[[:space:]]*[Cc][Oo]-[Aa][Uu][Tt][Hh][Oo][Rr][Ee][Dd]-[Bb][Yy]:.*[Cc][Ll][Aa][Uu][Dd][Ee]/d' \
+    -e '/^[[:space:]]*[Gg][Ee][Nn][Ee][Rr][Aa][Tt][Ee][Dd] [Ww][Ii][Tt][Hh].*[Cc][Ll][Aa][Uu][Dd][Ee] [Cc][Oo][Dd][Ee]/d' \
+    -e '/^[[:space:]]*..?[[:space:]]*[Gg][Ee][Nn][Ee][Rr][Aa][Tt][Ee][Dd] [Ww][Ii][Tt][Hh]/d' \
+    "${COMMIT_MSG_FILE}" > "${TEMP_FILE}"
+
+# Remove trailing blank lines (collapse to single trailing newline)
+# This prevents empty trailers after stripping
+sed -e :a -e '/^\n*$/{$d;N;ba' -e '}' "${TEMP_FILE}" > "${COMMIT_MSG_FILE}"
+
+exit 0

package/hooks/README.md

@@ -49,7 +49,8 @@ Command executes
 | **T0** | Read-only (get, list) | No | pre_tool_use |
 | **T1** | Local validation (validate, lint) | No | pre_tool_use |
 | **T2** | Simulation (plan, diff) | No | pre_tool_use |
-| **T3** | Execution (apply, delete) | **Yes** | pre_tool_use |
+| **T3** | Execution (apply, delete) | **Yes** (native `ask` dialog) | pre_tool_use |
+| **T3-blocked** | Irreversible (delete-vpc, drop db) | **Permanently blocked** | pre_tool_use (exit 2) |
 
 ## File Structure
 
@@ -70,6 +71,6 @@ hooks/
 
 ---
 
-**Version:** 4.4.0-rc.5
-**Last updated:** 2026-03-19
-**Total hooks:** 8 hook scripts (4 primary + 4 event handlers)
+**Version:** 4.5.0
+**Last updated:** 2026-03-24
+**Total hooks:** 9 hook scripts (4 primary + 4 event handlers + post_compact)

package/hooks/modules/README.md

@@ -173,11 +173,12 @@ All security rules (blocked patterns, mutative verbs, tiers) are hardcoded in th
 
 ### Validation Order (Defense-in-Depth)
 bash_validator checks commands in this order (short-circuit on first match):
+0. **Indirect execution detection** — `bash -c`, `eval`, `python -c` etc. → ask or block
 1. **Blocked commands** (blocked_commands.py) — permanently denied patterns, exit 2
 2. **Claude footer stripping** — transparent via updatedInput
 3. **Commit message validation** — conventional commits enforcement
 4. **Cloud pipe/redirect/chain check** (cloud_pipe_validator.py) — corrective deny
-5. **Mutative verbs** (mutative_verbs.py) — CLI-agnostic verb detector, nonce-based deny
+5. **Mutative verbs** (mutative_verbs.py) — CLI-agnostic verb detector, native `ask` dialog
 6. **GitOps validation** (gitops_validator.py) — kubectl/helm/flux policy enforcement
 7. **Everything else** — SAFE by elimination (auto-approved)