@massu/core 0.1.2 → 0.4.1

package/dist/hooks/pre-compact.js

@@ -9,6 +9,7 @@ import { existsSync as existsSync2, mkdirSync } from "fs";
 // src/config.ts
 import { resolve, dirname } from "path";
 import { existsSync, readFileSync } from "fs";
+import { homedir } from "os";
 import { parse as parseYaml } from "yaml";
 import { z } from "zod";
 var DomainConfigSchema = z.object({
@@ -140,6 +141,49 @@ var CloudConfigSchema = z.object({
     audit: z.boolean().default(true)
   }).default({ memory: true, analytics: true, audit: true })
 }).optional();
+var ConventionsConfigSchema = z.object({
+  claudeDirName: z.string().default(".claude").refine(
+    (s) => !s.includes("..") && !s.startsWith("/"),
+    { message: 'claudeDirName must not contain ".." or start with "/"' }
+  ),
+  sessionStatePath: z.string().default(".claude/session-state/CURRENT.md").refine(
+    (s) => !s.includes("..") && !s.startsWith("/"),
+    { message: 'sessionStatePath must not contain ".." or start with "/"' }
+  ),
+  sessionArchivePath: z.string().default(".claude/session-state/archive").refine(
+    (s) => !s.includes("..") && !s.startsWith("/"),
+    { message: 'sessionArchivePath must not contain ".." or start with "/"' }
+  ),
+  knowledgeCategories: z.array(z.string()).default([
+    "patterns",
+    "commands",
+    "incidents",
+    "reference",
+    "protocols",
+    "checklists",
+    "playbooks",
+    "critical",
+    "scripts",
+    "status",
+    "templates",
+    "loop-state",
+    "session-state",
+    "agents"
+  ]),
+  knowledgeSourceFiles: z.array(z.string()).default(["CLAUDE.md", "MEMORY.md", "corrections.md"]),
+  excludePatterns: z.array(z.string()).default(["/ARCHIVE/", "/SESSION-HISTORY/"])
+}).optional();
+var PythonDomainConfigSchema = z.object({
+  name: z.string(),
+  packages: z.array(z.string()),
+  allowed_imports_from: z.array(z.string()).default([])
+});
+var PythonConfigSchema = z.object({
+  root: z.string(),
+  alembic_dir: z.string().optional(),
+  domains: z.array(PythonDomainConfigSchema).default([]),
+  exclude_dirs: z.array(z.string()).default(["__pycache__", ".venv", "venv", ".mypy_cache", ".pytest_cache"])
+}).optional();
 var PathsConfigSchema = z.object({
   source: z.string().default("src"),
   aliases: z.record(z.string(), z.string()).default({ "@": "src" }),
@@ -174,7 +218,9 @@ var RawConfigSchema = z.object({
   security: SecurityConfigSchema,
   team: TeamConfigSchema,
   regression: RegressionConfigSchema,
-  cloud: CloudConfigSchema
+  cloud: CloudConfigSchema,
+  conventions: ConventionsConfigSchema,
+  python: PythonConfigSchema
 }).passthrough();
 var _config = null;
 var _projectRoot = null;
@@ -238,13 +284,24 @@ function getConfig() {
     security: parsed.security,
     team: parsed.team,
     regression: parsed.regression,
-    cloud: parsed.cloud
+    cloud: parsed.cloud,
+    conventions: parsed.conventions,
+    python: parsed.python
   };
+  if (!_config.cloud?.apiKey && process.env.MASSU_API_KEY) {
+    _config.cloud = {
+      enabled: true,
+      sync: { memory: true, analytics: true, audit: true },
+      ..._config.cloud,
+      apiKey: process.env.MASSU_API_KEY
+    };
+  }
   return _config;
 }
 function getResolvedPaths() {
   const config = getConfig();
   const root = getProjectRoot();
+  const claudeDirName = config.conventions?.claudeDirName ?? ".claude";
   return {
     codegraphDbPath: resolve(root, ".codegraph/codegraph.db"),
     dataDbPath: resolve(root, ".massu/data.db"),
@@ -260,11 +317,20 @@ function getResolvedPaths() {
     ),
     extensions: [".ts", ".tsx", ".js", ".jsx"],
     indexFiles: ["index.ts", "index.tsx", "index.js", "index.jsx"],
-    patternsDir: resolve(root, ".claude/patterns"),
-    claudeMdPath: resolve(root, ".claude/CLAUDE.md"),
+    patternsDir: resolve(root, claudeDirName, "patterns"),
+    claudeMdPath: resolve(root, claudeDirName, "CLAUDE.md"),
     docsMapPath: resolve(root, ".massu/docs-map.json"),
     helpSitePath: resolve(root, "../" + config.project.name + "-help"),
-    memoryDbPath: resolve(root, ".massu/memory.db")
+    memoryDbPath: resolve(root, ".massu/memory.db"),
+    knowledgeDbPath: resolve(root, ".massu/knowledge.db"),
+    plansDir: resolve(root, "docs/plans"),
+    docsDir: resolve(root, "docs"),
+    claudeDir: resolve(root, claudeDirName),
+    memoryDir: resolve(homedir(), claudeDirName, "projects", root.replace(/\//g, "-"), "memory"),
+    sessionStatePath: resolve(root, config.conventions?.sessionStatePath ?? `${claudeDirName}/session-state/CURRENT.md`),
+    sessionArchivePath: resolve(root, config.conventions?.sessionArchivePath ?? `${claudeDirName}/session-state/archive`),
+    mcpJsonPath: resolve(root, ".mcp.json"),
+    settingsLocalPath: resolve(root, claudeDirName, "settings.local.json")
   };
 }
 
@@ -746,6 +812,39 @@ function initMemorySchema(db) {
     );
     CREATE INDEX IF NOT EXISTS idx_pending_sync_created ON pending_sync(created_at ASC);
   `);
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS license_cache (
+      api_key_hash TEXT PRIMARY KEY,
+      tier TEXT NOT NULL,
+      valid_until TEXT NOT NULL,
+      last_validated TEXT NOT NULL,
+      features TEXT DEFAULT '[]'
+    );
+  `);
+}
+function assignImportance(type, vrResult) {
+  switch (type) {
+    case "decision":
+    case "failed_attempt":
+      return 5;
+    case "cr_violation":
+    case "incident_near_miss":
+      return 4;
+    case "vr_check":
+      return vrResult === "PASS" ? 2 : 4;
+    case "pattern_compliance":
+      return vrResult === "PASS" ? 2 : 4;
+    case "feature":
+    case "bugfix":
+      return 3;
+    case "refactor":
+      return 2;
+    case "file_change":
+    case "discovery":
+      return 1;
+    default:
+      return 3;
+  }
 }
 function autoDetectTaskId(planFile) {
   if (!planFile) return null;
@@ -760,6 +859,29 @@ function createSession(db, sessionId, opts) {
     VALUES (?, ?, ?, ?, ?, ?)
   `).run(sessionId, opts?.branch ?? null, opts?.planFile ?? null, taskId, now.toISOString(), Math.floor(now.getTime() / 1e3));
 }
+function addObservation(db, sessionId, type, title, detail, opts) {
+  const now = /* @__PURE__ */ new Date();
+  const importance = opts?.importance ?? assignImportance(type, opts?.evidence?.includes("PASS") ? "PASS" : void 0);
+  const result = db.prepare(`
+    INSERT INTO observations (session_id, type, title, detail, files_involved, plan_item, cr_rule, vr_type, evidence, importance, original_tokens, created_at, created_at_epoch)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `).run(
+    sessionId,
+    type,
+    title,
+    detail,
+    JSON.stringify(opts?.filesInvolved ?? []),
+    opts?.planItem ?? null,
+    opts?.crRule ?? null,
+    opts?.vrType ?? null,
+    opts?.evidence ?? null,
+    importance,
+    opts?.originalTokens ?? 0,
+    now.toISOString(),
+    Math.floor(now.getTime() / 1e3)
+  );
+  return Number(result.lastInsertRowid);
+}
 function addSummary(db, sessionId, summary) {
   const now = /* @__PURE__ */ new Date();
   db.prepare(`
@@ -818,6 +940,23 @@ async function main() {
       ).all(session_id);
       const summary = buildSnapshotSummary(observations, prompts);
       addSummary(db, session_id, summary);
+      try {
+        const knowledgeObs = observations.filter(
+          (o) => o.title?.includes("knowledge") || o.title?.includes("Knowledge") || o.detail?.includes("knowledge")
+        );
+        if (knowledgeObs.length > 0) {
+          const knowledgeContext = knowledgeObs.map((o) => `[${o.type}] ${o.title}`).join("; ");
+          addObservation(
+            db,
+            session_id,
+            "discovery",
+            "Knowledge context preserved before compaction",
+            knowledgeContext,
+            { importance: 4 }
+          );
+        }
+      } catch (_knowledgeErr) {
+      }
       try {
         logAuditEntry(db, {
           sessionId: session_id,

package/dist/hooks/pre-delete-check.js

@@ -2,12 +2,13 @@
 import{createRequire as __cr}from"module";const require=__cr(import.meta.url);
 
 // src/hooks/pre-delete-check.ts
-import Database from "better-sqlite3";
+import Database2 from "better-sqlite3";
 import { existsSync as existsSync2 } from "fs";
 
 // src/config.ts
 import { resolve, dirname } from "path";
 import { existsSync, readFileSync } from "fs";
+import { homedir } from "os";
 import { parse as parseYaml } from "yaml";
 import { z } from "zod";
 var DomainConfigSchema = z.object({
@@ -139,6 +140,49 @@ var CloudConfigSchema = z.object({
     audit: z.boolean().default(true)
   }).default({ memory: true, analytics: true, audit: true })
 }).optional();
+var ConventionsConfigSchema = z.object({
+  claudeDirName: z.string().default(".claude").refine(
+    (s) => !s.includes("..") && !s.startsWith("/"),
+    { message: 'claudeDirName must not contain ".." or start with "/"' }
+  ),
+  sessionStatePath: z.string().default(".claude/session-state/CURRENT.md").refine(
+    (s) => !s.includes("..") && !s.startsWith("/"),
+    { message: 'sessionStatePath must not contain ".." or start with "/"' }
+  ),
+  sessionArchivePath: z.string().default(".claude/session-state/archive").refine(
+    (s) => !s.includes("..") && !s.startsWith("/"),
+    { message: 'sessionArchivePath must not contain ".." or start with "/"' }
+  ),
+  knowledgeCategories: z.array(z.string()).default([
+    "patterns",
+    "commands",
+    "incidents",
+    "reference",
+    "protocols",
+    "checklists",
+    "playbooks",
+    "critical",
+    "scripts",
+    "status",
+    "templates",
+    "loop-state",
+    "session-state",
+    "agents"
+  ]),
+  knowledgeSourceFiles: z.array(z.string()).default(["CLAUDE.md", "MEMORY.md", "corrections.md"]),
+  excludePatterns: z.array(z.string()).default(["/ARCHIVE/", "/SESSION-HISTORY/"])
+}).optional();
+var PythonDomainConfigSchema = z.object({
+  name: z.string(),
+  packages: z.array(z.string()),
+  allowed_imports_from: z.array(z.string()).default([])
+});
+var PythonConfigSchema = z.object({
+  root: z.string(),
+  alembic_dir: z.string().optional(),
+  domains: z.array(PythonDomainConfigSchema).default([]),
+  exclude_dirs: z.array(z.string()).default(["__pycache__", ".venv", "venv", ".mypy_cache", ".pytest_cache"])
+}).optional();
 var PathsConfigSchema = z.object({
   source: z.string().default("src"),
   aliases: z.record(z.string(), z.string()).default({ "@": "src" }),
@@ -173,7 +217,9 @@ var RawConfigSchema = z.object({
   security: SecurityConfigSchema,
   team: TeamConfigSchema,
   regression: RegressionConfigSchema,
-  cloud: CloudConfigSchema
+  cloud: CloudConfigSchema,
+  conventions: ConventionsConfigSchema,
+  python: PythonConfigSchema
 }).passthrough();
 var _config = null;
 var _projectRoot = null;
@@ -237,13 +283,24 @@ function getConfig() {
     security: parsed.security,
     team: parsed.team,
     regression: parsed.regression,
-    cloud: parsed.cloud
+    cloud: parsed.cloud,
+    conventions: parsed.conventions,
+    python: parsed.python
   };
+  if (!_config.cloud?.apiKey && process.env.MASSU_API_KEY) {
+    _config.cloud = {
+      enabled: true,
+      sync: { memory: true, analytics: true, audit: true },
+      ..._config.cloud,
+      apiKey: process.env.MASSU_API_KEY
+    };
+  }
   return _config;
 }
 function getResolvedPaths() {
   const config = getConfig();
   const root = getProjectRoot();
+  const claudeDirName = config.conventions?.claudeDirName ?? ".claude";
   return {
     codegraphDbPath: resolve(root, ".codegraph/codegraph.db"),
     dataDbPath: resolve(root, ".massu/data.db"),
@@ -259,14 +316,26 @@ function getResolvedPaths() {
     ),
     extensions: [".ts", ".tsx", ".js", ".jsx"],
     indexFiles: ["index.ts", "index.tsx", "index.js", "index.jsx"],
-    patternsDir: resolve(root, ".claude/patterns"),
-    claudeMdPath: resolve(root, ".claude/CLAUDE.md"),
+    patternsDir: resolve(root, claudeDirName, "patterns"),
+    claudeMdPath: resolve(root, claudeDirName, "CLAUDE.md"),
     docsMapPath: resolve(root, ".massu/docs-map.json"),
     helpSitePath: resolve(root, "../" + config.project.name + "-help"),
-    memoryDbPath: resolve(root, ".massu/memory.db")
+    memoryDbPath: resolve(root, ".massu/memory.db"),
+    knowledgeDbPath: resolve(root, ".massu/knowledge.db"),
+    plansDir: resolve(root, "docs/plans"),
+    docsDir: resolve(root, "docs"),
+    claudeDir: resolve(root, claudeDirName),
+    memoryDir: resolve(homedir(), claudeDirName, "projects", root.replace(/\//g, "-"), "memory"),
+    sessionStatePath: resolve(root, config.conventions?.sessionStatePath ?? `${claudeDirName}/session-state/CURRENT.md`),
+    sessionArchivePath: resolve(root, config.conventions?.sessionArchivePath ?? `${claudeDirName}/session-state/archive`),
+    mcpJsonPath: resolve(root, ".mcp.json"),
+    settingsLocalPath: resolve(root, claudeDirName, "settings.local.json")
   };
 }
 
+// src/memory-db.ts
+import Database from "better-sqlite3";
+
 // src/sentinel-db.ts
 var PROJECT_ROOT = getProjectRoot();
 function parsePortalScope(raw) {
@@ -351,17 +420,46 @@ function getFeatureImpact(db, filePaths) {
 
 // src/hooks/pre-delete-check.ts
 var PROJECT_ROOT2 = getProjectRoot();
+var KNOWLEDGE_PROTECTED_FILES = [
+  "knowledge-db.ts",
+  "knowledge-indexer.ts",
+  "knowledge-tools.ts"
+];
 function getDataDb() {
   const dbPath = getResolvedPaths().dataDbPath;
   if (!existsSync2(dbPath)) return null;
   try {
-    const db = new Database(dbPath, { readonly: true });
+    const db = new Database2(dbPath, { readonly: true });
     db.pragma("journal_mode = WAL");
     return db;
   } catch {
     return null;
   }
 }
+function checkKnowledgeFileProtection(input) {
+  const candidateFiles = [];
+  if (input.tool_name === "Bash" && input.tool_input.command) {
+    const cmd = input.tool_input.command;
+    const rmMatch = cmd.match(/(?:rm|git\s+rm)\s+(?:-[rf]*\s+)*(.+)/);
+    if (rmMatch) {
+      const parts = rmMatch[1].split(/\s+/).filter((p) => !p.startsWith("-"));
+      candidateFiles.push(...parts);
+    }
+  }
+  if (input.tool_name === "Write" && input.tool_input.file_path) {
+    const content = input.tool_input.content || "";
+    if (content.trim().length === 0) {
+      candidateFiles.push(input.tool_input.file_path);
+    }
+  }
+  for (const f of candidateFiles) {
+    const basename = f.split("/").pop() ?? f;
+    if (KNOWLEDGE_PROTECTED_FILES.includes(basename)) {
+      return `KNOWLEDGE SYSTEM PROTECTION: "${basename}" is a core knowledge system file. Deleting it will break knowledge indexing and memory retrieval. Create a replacement before removing.`;
+    }
+  }
+  return null;
+}
 function extractDeletedFiles(input) {
   const files = [];
   if (input.tool_name === "Bash" && input.tool_input.command) {
@@ -371,7 +469,7 @@ function extractDeletedFiles(input) {
       const paths = rmMatch[1].split(/\s+/).filter((p) => !p.startsWith("-"));
       for (const p of paths) {
         const relPath = p.startsWith("src/") ? p : p.replace(PROJECT_ROOT2 + "/", "");
-        if (relPath.startsWith("src/")) {
+        if (relPath.startsWith("src/") || relPath.endsWith(".py")) {
           files.push(relPath);
         }
       }
@@ -381,7 +479,7 @@ function extractDeletedFiles(input) {
     const content = input.tool_input.content || "";
     if (content.trim().length === 0) {
       const relPath = input.tool_input.file_path.replace(PROJECT_ROOT2 + "/", "");
-      if (relPath.startsWith("src/")) {
+      if (relPath.startsWith("src/") || relPath.endsWith(".py")) {
         files.push(relPath);
       }
     }
@@ -392,6 +490,12 @@ async function main() {
   try {
     const input = await readStdin();
     const hookInput = JSON.parse(input);
+    const knowledgeWarning = checkKnowledgeFileProtection(hookInput);
+    if (knowledgeWarning) {
+      process.stdout.write(JSON.stringify({ message: knowledgeWarning }));
+      process.exit(0);
+      return;
+    }
     const deletedFiles = extractDeletedFiles(hookInput);
     if (deletedFiles.length === 0) {
       process.exit(0);
@@ -402,10 +506,11 @@ async function main() {
       process.exit(0);
       return;
     }
+    const SENTINEL_TABLE = "massu_sentinel";
     try {
       const tableExists = db.prepare(
-        "SELECT name FROM sqlite_master WHERE type='table' AND name='massu_sentinel'"
-      ).get();
+        `SELECT name FROM sqlite_master WHERE type='table' AND name=?`
+      ).get(SENTINEL_TABLE);
       if (!tableExists) {
         process.exit(0);
         return;
@@ -432,6 +537,31 @@ async function main() {
         msg.push("Create a migration plan before deleting these files.");
         process.stdout.write(JSON.stringify({ message: msg.join("\n") }));
       }
+      const pyFiles = deletedFiles.filter((f) => f.endsWith(".py"));
+      if (pyFiles.length > 0) {
+        try {
+          for (const pyFile of pyFiles) {
+            const importers = db.prepare(
+              "SELECT source_file FROM massu_py_imports WHERE target_file = ?"
+            ).all(pyFile);
+            const routes = db.prepare(
+              "SELECT method, path FROM massu_py_routes WHERE file = ?"
+            ).all(pyFile);
+            const models = db.prepare(
+              "SELECT class_name FROM massu_py_models WHERE file = ?"
+            ).all(pyFile);
+            if (importers.length > 0 || routes.length > 0 || models.length > 0) {
+              const parts = [];
+              if (importers.length > 0) parts.push(`imported by ${importers.length} files`);
+              if (routes.length > 0) parts.push(`defines ${routes.length} routes`);
+              if (models.length > 0) parts.push(`defines ${models.length} models`);
+              const msg = `PYTHON IMPACT: "${pyFile}" ${parts.join(", ")}. Check dependents before deleting.`;
+              process.stdout.write(JSON.stringify({ message: msg }));
+            }
+          }
+        } catch {
+        }
+      }
     } finally {
       db.close();
     }

package/dist/hooks/quality-event.js

@@ -9,6 +9,7 @@ import { existsSync as existsSync2, mkdirSync } from "fs";
 // src/config.ts
 import { resolve, dirname } from "path";
 import { existsSync, readFileSync } from "fs";
+import { homedir } from "os";
 import { parse as parseYaml } from "yaml";
 import { z } from "zod";
 var DomainConfigSchema = z.object({
@@ -140,6 +141,49 @@ var CloudConfigSchema = z.object({
     audit: z.boolean().default(true)
   }).default({ memory: true, analytics: true, audit: true })
 }).optional();
+var ConventionsConfigSchema = z.object({
+  claudeDirName: z.string().default(".claude").refine(
+    (s) => !s.includes("..") && !s.startsWith("/"),
+    { message: 'claudeDirName must not contain ".." or start with "/"' }
+  ),
+  sessionStatePath: z.string().default(".claude/session-state/CURRENT.md").refine(
+    (s) => !s.includes("..") && !s.startsWith("/"),
+    { message: 'sessionStatePath must not contain ".." or start with "/"' }
+  ),
+  sessionArchivePath: z.string().default(".claude/session-state/archive").refine(
+    (s) => !s.includes("..") && !s.startsWith("/"),
+    { message: 'sessionArchivePath must not contain ".." or start with "/"' }
+  ),
+  knowledgeCategories: z.array(z.string()).default([
+    "patterns",
+    "commands",
+    "incidents",
+    "reference",
+    "protocols",
+    "checklists",
+    "playbooks",
+    "critical",
+    "scripts",
+    "status",
+    "templates",
+    "loop-state",
+    "session-state",
+    "agents"
+  ]),
+  knowledgeSourceFiles: z.array(z.string()).default(["CLAUDE.md", "MEMORY.md", "corrections.md"]),
+  excludePatterns: z.array(z.string()).default(["/ARCHIVE/", "/SESSION-HISTORY/"])
+}).optional();
+var PythonDomainConfigSchema = z.object({
+  name: z.string(),
+  packages: z.array(z.string()),
+  allowed_imports_from: z.array(z.string()).default([])
+});
+var PythonConfigSchema = z.object({
+  root: z.string(),
+  alembic_dir: z.string().optional(),
+  domains: z.array(PythonDomainConfigSchema).default([]),
+  exclude_dirs: z.array(z.string()).default(["__pycache__", ".venv", "venv", ".mypy_cache", ".pytest_cache"])
+}).optional();
 var PathsConfigSchema = z.object({
   source: z.string().default("src"),
   aliases: z.record(z.string(), z.string()).default({ "@": "src" }),
@@ -174,7 +218,9 @@ var RawConfigSchema = z.object({
   security: SecurityConfigSchema,
   team: TeamConfigSchema,
   regression: RegressionConfigSchema,
-  cloud: CloudConfigSchema
+  cloud: CloudConfigSchema,
+  conventions: ConventionsConfigSchema,
+  python: PythonConfigSchema
 }).passthrough();
 var _config = null;
 var _projectRoot = null;
@@ -238,13 +284,24 @@ function getConfig() {
     security: parsed.security,
     team: parsed.team,
     regression: parsed.regression,
-    cloud: parsed.cloud
+    cloud: parsed.cloud,
+    conventions: parsed.conventions,
+    python: parsed.python
   };
+  if (!_config.cloud?.apiKey && process.env.MASSU_API_KEY) {
+    _config.cloud = {
+      enabled: true,
+      sync: { memory: true, analytics: true, audit: true },
+      ..._config.cloud,
+      apiKey: process.env.MASSU_API_KEY
+    };
+  }
   return _config;
 }
 function getResolvedPaths() {
   const config = getConfig();
   const root = getProjectRoot();
+  const claudeDirName = config.conventions?.claudeDirName ?? ".claude";
   return {
     codegraphDbPath: resolve(root, ".codegraph/codegraph.db"),
     dataDbPath: resolve(root, ".massu/data.db"),
@@ -260,11 +317,20 @@ function getResolvedPaths() {
     ),
     extensions: [".ts", ".tsx", ".js", ".jsx"],
     indexFiles: ["index.ts", "index.tsx", "index.js", "index.jsx"],
-    patternsDir: resolve(root, ".claude/patterns"),
-    claudeMdPath: resolve(root, ".claude/CLAUDE.md"),
+    patternsDir: resolve(root, claudeDirName, "patterns"),
+    claudeMdPath: resolve(root, claudeDirName, "CLAUDE.md"),
     docsMapPath: resolve(root, ".massu/docs-map.json"),
     helpSitePath: resolve(root, "../" + config.project.name + "-help"),
-    memoryDbPath: resolve(root, ".massu/memory.db")
+    memoryDbPath: resolve(root, ".massu/memory.db"),
+    knowledgeDbPath: resolve(root, ".massu/knowledge.db"),
+    plansDir: resolve(root, "docs/plans"),
+    docsDir: resolve(root, "docs"),
+    claudeDir: resolve(root, claudeDirName),
+    memoryDir: resolve(homedir(), claudeDirName, "projects", root.replace(/\//g, "-"), "memory"),
+    sessionStatePath: resolve(root, config.conventions?.sessionStatePath ?? `${claudeDirName}/session-state/CURRENT.md`),
+    sessionArchivePath: resolve(root, config.conventions?.sessionArchivePath ?? `${claudeDirName}/session-state/archive`),
+    mcpJsonPath: resolve(root, ".mcp.json"),
+    settingsLocalPath: resolve(root, claudeDirName, "settings.local.json")
   };
 }
 
@@ -746,6 +812,15 @@ function initMemorySchema(db) {
     );
     CREATE INDEX IF NOT EXISTS idx_pending_sync_created ON pending_sync(created_at ASC);
   `);
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS license_cache (
+      api_key_hash TEXT PRIMARY KEY,
+      tier TEXT NOT NULL,
+      valid_until TEXT NOT NULL,
+      last_validated TEXT NOT NULL,
+      features TEXT DEFAULT '[]'
+    );
+  `);
 }
 
 // src/hooks/quality-event.ts

package/dist/hooks/security-gate.js

@@ -52,6 +52,24 @@ function checkFilePath(filePath) {
   }
   return null;
 }
+var DANGEROUS_PYTHON_PATTERNS = [
+  { pattern: /\beval\s*\(/, label: "Python eval() \u2014 arbitrary code execution" },
+  { pattern: /\bexec\s*\(/, label: "Python exec() \u2014 arbitrary code execution" },
+  { pattern: /\b__import__\s*\(/, label: "Python __import__() \u2014 dynamic import (potential code injection)" },
+  { pattern: /subprocess\.call\([^)]*shell\s*=\s*True/, label: "subprocess.call(shell=True) \u2014 shell injection risk" },
+  { pattern: /subprocess\.Popen\([^)]*shell\s*=\s*True/, label: "subprocess.Popen(shell=True) \u2014 shell injection risk" },
+  { pattern: /os\.system\s*\(/, label: "os.system() \u2014 shell injection risk" },
+  { pattern: /\bf['"].*\{.*\}.*['"].*(?:execute|cursor|query)/, label: "f-string in SQL \u2014 SQL injection risk" },
+  { pattern: /['"].*%s.*['"].*%.*(?:execute|cursor|query)/, label: "String formatting in SQL \u2014 SQL injection risk" }
+];
+function checkPythonContent(content) {
+  for (const { pattern, label } of DANGEROUS_PYTHON_PATTERNS) {
+    if (pattern.test(content)) {
+      return label;
+    }
+  }
+  return null;
+}
 async function main() {
   try {
     const input = await readStdin();
@@ -77,6 +95,17 @@ Ensure this is intentional and no secrets will be exposed.`
         }));
       }
     }
+    const pyContent = tool_input.content || tool_input.new_string;
+    if ((tool_name === "Write" || tool_name === "Edit") && tool_input.file_path?.endsWith(".py") && pyContent) {
+      const pyViolation = checkPythonContent(pyContent);
+      if (pyViolation) {
+        process.stdout.write(JSON.stringify({
+          message: `SECURITY GATE: Dangerous Python pattern detected: ${pyViolation}
+File: ${tool_input.file_path}
+Review carefully before proceeding.`
+        }));
+      }
+    }
   } catch {
   }
   process.exit(0);