npm - @orchestrator-claude/cli - Versions diffs - 3.17.1 → 3.19.0 - Mend

@orchestrator-claude/cli 3.17.1 → 3.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (55) hide show

package/dist/templates/base/claude/hooks/post-phase-checkpoint.sh DELETED Viewed

@@ -1,203 +0,0 @@
-#!/bin/bash
-# Post-Phase Checkpoint Hook (RFC-012 compatible)
-# Registers a checkpoint in PostgreSQL via the Orchestrator REST API.
-# Replaces the deprecated orchestrator-index.json approach (TD-105 F-04).
-#
-# Triggered by: PostToolUse on Task tool (after agent completes)
-# Behavior: Infers the just-completed phase from the active workflow state
-#           and registers a checkpoint via the REST API.
-#
-# Required env vars:
-#   ORCHESTRATOR_API_URL        - Base URL (e.g. http://localhost:3000)
-#   ORCHESTRATOR_PROJECT_TOKEN  - Bearer token for API authentication
-#
-# Optional env vars:
-#   ORCHESTRATOR_PROJECT_ID     - Project ID for project-scoped workflow query
-#   ORCH_CHECKPOINT_DEBUG=1     - Enable verbose logging
-#
-# Always exits 0 (non-blocking).
-set -euo pipefail
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-STATE_DIR="$SCRIPT_DIR/../../.orchestrator/.state"
-LOG_FILE="${STATE_DIR}/checkpoint-hook.log"
-LAST_PHASE_FILE="${STATE_DIR}/last-checkpointed-phase"
-DEBUG="${ORCH_CHECKPOINT_DEBUG:-0}"
-mkdir -p "$STATE_DIR"
-log_info()  { echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [INFO]  $1" >> "$LOG_FILE"; }
-log_warn()  { echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [WARN]  $1" >> "$LOG_FILE"; echo "[WARN]  $1" >&2; }
-log_debug() { [ "$DEBUG" = "1" ] && echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [DEBUG] $1" >> "$LOG_FILE" || true; }
-# ── prerequisites ─────────────────────────────────────────────────────────────
-check_prerequisites() {
-  if ! command -v curl &>/dev/null; then
-    log_warn "curl not found. Checkpoints disabled."
-    return 1
-  fi
-  if ! command -v jq &>/dev/null; then
-    log_warn "jq not found. Checkpoints disabled."
-    return 1
-  fi
-  if [ -z "${ORCHESTRATOR_API_URL:-}" ]; then
-    log_debug "ORCHESTRATOR_API_URL not set. Checkpoints disabled."
-    return 1
-  fi
-  if [ -z "${ORCHESTRATOR_PROJECT_TOKEN:-}" ]; then
-    log_debug "ORCHESTRATOR_PROJECT_TOKEN not set. Checkpoints disabled."
-    return 1
-  fi
-  return 0
-}
-# ── API helpers ────────────────────────────────────────────────────────────────
-get_active_workflow() {
-  local project_id="${ORCHESTRATOR_PROJECT_ID:-}"
-  local url="${ORCHESTRATOR_API_URL}/api/v1/workflows?status=in_progress&limit=1"
-  [ -n "$project_id" ] && url="${url}&projectId=${project_id}"
-  local tmpfile
-  tmpfile=$(mktemp 2>/dev/null) || return 1
-  curl -sf \
-    -H "Authorization: Bearer ${ORCHESTRATOR_PROJECT_TOKEN}" \
-    -H "Content-Type: application/json" \
-    "${url}" \
-    -o "$tmpfile" 2>/dev/null || { rm -f "$tmpfile"; return 1; }
-  local result
-  result=$(node -e "
-    const fs=require('fs');
-    try {
-      const d=fs.readFileSync('${tmpfile}','utf8');
-      const j=JSON.parse(d);
-      const wf=Array.isArray(j)?j[0]:j;
-      if(wf&&wf.id){ process.stdout.write(JSON.stringify(wf)); process.exit(0); }
-      process.exit(1);
-    } catch { process.exit(1); }" 2>/dev/null)
-  local rc=$?
-  rm -f "$tmpfile"
-  [ $rc -eq 0 ] && echo "$result" || return 1
-}
-create_checkpoint() {
-  local workflow_id="$1"
-  local phase="$2"
-  local description="$3"
-  local body
-  body=$(jq -n \
-    --arg phase "$phase" \
-    --arg desc "$description" \
-    '{ phase: $phase, description: $desc }')
-  local http_code
-  http_code=$(curl -sf -o /dev/null -w "%{http_code}" \
-    -X POST \
-    -H "Authorization: Bearer ${ORCHESTRATOR_PROJECT_TOKEN}" \
-    -H "Content-Type: application/json" \
-    -d "$body" \
-    "${ORCHESTRATOR_API_URL}/api/v1/workflows/${workflow_id}/checkpoints" 2>/dev/null) || echo ""
-  echo "$http_code"
-}
-# ── dedup guard ────────────────────────────────────────────────────────────────
-get_saved_last_phase() {
-  [ -f "$LAST_PHASE_FILE" ] && cat "$LAST_PHASE_FILE" || echo ""
-}
-save_last_phase() {
-  echo "$1" > "$LAST_PHASE_FILE"
-}
-# ── phase inference ────────────────────────────────────────────────────────────
-# When workflow is at PLAN, it means SPECIFY just completed, etc.
-get_completed_phase() {
-  local current="$1"
-  local status="$2"
-  case "$status" in
-    "completed") echo "implement"; return ;;
-  esac
-  case "${current,,}" in
-    "plan")      echo "specify" ;;
-    "tasks")     echo "plan"    ;;
-    "implement") echo "tasks"   ;;
-    *)           echo ""        ;;
-  esac
-}
-# ── main ───────────────────────────────────────────────────────────────────────
-main() {
-  log_debug "Hook triggered"
-  if ! check_prerequisites; then
-    exit 0
-  fi
-  local workflow_json
-  workflow_json=$(get_active_workflow 2>/dev/null) || workflow_json=""
-  if [ -z "$workflow_json" ]; then
-    log_debug "No active workflow found via API."
-    exit 0
-  fi
-  local workflow_id current_phase workflow_status
-  workflow_id=$(echo "$workflow_json"     | jq -r '.id // empty'           2>/dev/null || echo "")
-  current_phase=$(echo "$workflow_json"  | jq -r '.currentPhase // empty'  2>/dev/null || echo "")
-  workflow_status=$(echo "$workflow_json" | jq -r '.status // empty'        2>/dev/null || echo "")
-  if [ -z "$workflow_id" ] || [ -z "$current_phase" ]; then
-    log_debug "Could not parse workflow ID or phase."
-    exit 0
-  fi
-  local completed_phase
-  completed_phase=$(get_completed_phase "$current_phase" "$workflow_status")
-  if [ -z "$completed_phase" ]; then
-    log_debug "No completed phase inferred from current_phase=${current_phase}."
-    exit 0
-  fi
-  # Dedup guard — skip if we already checkpointed this phase
-  local saved_last
-  saved_last=$(get_saved_last_phase)
-  if [ "$completed_phase" = "$saved_last" ]; then
-    log_debug "Phase ${completed_phase} already checkpointed. Skipping."
-    exit 0
-  fi
-  local description="Auto-checkpoint after ${completed_phase} phase"
-  local http_code
-  http_code=$(create_checkpoint "$workflow_id" "$completed_phase" "$description")
-  case "$http_code" in
-    201|200)
-      save_last_phase "$completed_phase"
-      log_info "Checkpoint registered: workflow=${workflow_id}, phase=${completed_phase}"
-      ;;
-    409)
-      save_last_phase "$completed_phase"
-      log_info "Checkpoint already exists (409): phase=${completed_phase}"
-      ;;
-    "")
-      log_warn "API unreachable. Checkpoint skipped for phase=${completed_phase}."
-      ;;
-    *)
-      log_warn "Unexpected HTTP ${http_code} creating checkpoint for phase=${completed_phase}."
-      ;;
-  esac
-  exit 0
-}
-main "$@"

package/dist/templates/base/claude/hooks/prompt-orchestrator.sh DELETED Viewed

@@ -1,41 +0,0 @@
-#!/bin/bash
-# prompt-orchestrator.sh — ADR-013 Phase 5 Hook (JSON Structured Output)
-# Trigger: UserPromptSubmit
-# Purpose: On every user prompt, inject orchestrator context.
-#          If no workflow active, remind about workflow requirement.
-#          If workflow active, inject current state.
-#
-# Output: JSON with additionalContext (never blocks prompts)
-set -euo pipefail
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-source "$SCRIPT_DIR/orch-helpers.sh"
-orch_log "PROMPT-ORCH: UserPromptSubmit triggered"
-# Find active workflow
-WORKFLOW_ID=$(orch_get_active_workflow 2>/dev/null) || WORKFLOW_ID=""
-if [ -z "$WORKFLOW_ID" ]; then
-  # No workflow — inject reminder (lightweight, no API calls)
-  orch_log "PROMPT-ORCH: No active workflow, injecting reminder"
-  echo '{"hookSpecificOutput":{"hookEventName":"UserPromptSubmit","additionalContext":"[ORCHESTRATOR] No active workflow. If this request involves creating, modifying, or fixing code, you must start a workflow first (detectWorkflow → startWorkflow). The workflow-guard hook will block writes to src/ without a workflow."}}'
-  exit 0
-fi
-# Active workflow — inject state
-NEXT_ACTION=$(orch_get_next_action "$WORKFLOW_ID" 2>/dev/null) || NEXT_ACTION=""
-HAS_ACTION=$(orch_json_field "$NEXT_ACTION" "hasAction")
-AGENT=$(orch_json_field "$NEXT_ACTION" "pendingAction.agent")
-PA_STATUS=$(orch_json_field "$NEXT_ACTION" "pendingAction.status")
-if [ "$HAS_ACTION" = "true" ]; then
-  CONTEXT="[ORCHESTRATOR] Active workflow: ${WORKFLOW_ID}. Next: invoke '${AGENT}' (${PA_STATUS})."
-else
-  CONTEXT="[ORCHESTRATOR] Active workflow: ${WORKFLOW_ID}. No pending actions."
-fi
-orch_log "PROMPT-ORCH: workflow=$WORKFLOW_ID hasAction=$HAS_ACTION"
-echo "{\"hookSpecificOutput\":{\"hookEventName\":\"UserPromptSubmit\",\"additionalContext\":$(echo "$CONTEXT" | node -e "let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>console.log(JSON.stringify(d)))" 2>/dev/null)}}"
-exit 0

package/dist/templates/base/claude/hooks/session-orchestrator.sh DELETED Viewed

@@ -1,54 +0,0 @@
-#!/bin/bash
-# session-orchestrator.sh — ADR-013 Phase 5 Hook (JSON Structured Output)
-# Trigger: SessionStart
-# Purpose: On session start, check for active workflow and inject context.
-#          Helps the LLM resume work from where it left off.
-#
-# Output: JSON with additionalContext containing workflow state
-set -euo pipefail
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-source "$SCRIPT_DIR/orch-helpers.sh"
-orch_log "SESSION-ORCH: SessionStart hook triggered"
-# Find active workflow
-WORKFLOW_ID=$(orch_get_active_workflow 2>/dev/null) || WORKFLOW_ID=""
-if [ -z "$WORKFLOW_ID" ]; then
-  orch_log "SESSION-ORCH: No active workflow"
-  echo '{"hookSpecificOutput":{"hookEventName":"SessionStart","additionalContext":"[ORCHESTRATOR] No active workflow. For feature requests, bug fixes, or refactoring, start with:\n1. mcp__orchestrator-tools__detectWorkflow\n2. mcp__orchestrator-tools__startWorkflow\n3. Follow the nextStep returned\n\nDirect implementation is blocked by the workflow-guard hook."}}'
-  exit 0
-fi
-# Get workflow details
-TOKEN=$(orch_get_token 2>/dev/null) || TOKEN=""
-if [ -z "$TOKEN" ]; then
-  echo "{\"hookSpecificOutput\":{\"hookEventName\":\"SessionStart\",\"additionalContext\":\"[ORCHESTRATOR] Active workflow: ${WORKFLOW_ID} (could not fetch details — auth failed).\"}}"
-  exit 0
-fi
-STATUS_RESP=$(curl -sf --max-time 5 "${API_URL}/api/v1/workflows/${WORKFLOW_ID}/status" \
-  -H "Authorization: Bearer $TOKEN" \
-  -H "X-Project-ID: $PROJECT_ID" 2>/dev/null) || STATUS_RESP=""
-PHASE=$(orch_json_field "$STATUS_RESP" "currentPhase")
-STATUS=$(orch_json_field "$STATUS_RESP" "status")
-WF_TYPE=$(orch_json_field "$STATUS_RESP" "type")
-# Get next action
-NEXT_ACTION=$(orch_get_next_action "$WORKFLOW_ID" 2>/dev/null) || NEXT_ACTION=""
-HAS_ACTION=$(orch_json_field "$NEXT_ACTION" "hasAction")
-AGENT=$(orch_json_field "$NEXT_ACTION" "pendingAction.agent")
-PA_STATUS=$(orch_json_field "$NEXT_ACTION" "pendingAction.status")
-CONTEXT="[ORCHESTRATOR] Active workflow: ${WORKFLOW_ID}\nType: ${WF_TYPE}\nPhase: ${PHASE}\nStatus: ${STATUS}"
-if [ "$HAS_ACTION" = "true" ]; then
-  CONTEXT="${CONTEXT}\nNext action: invoke '${AGENT}' (${PA_STATUS})"
-fi
-orch_log "SESSION-ORCH: Injecting workflow context (wf=$WORKFLOW_ID phase=$PHASE)"
-echo "{\"hookSpecificOutput\":{\"hookEventName\":\"SessionStart\",\"additionalContext\":$(echo "$CONTEXT" | node -e "let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>console.log(JSON.stringify(d)))" 2>/dev/null)}}"
-exit 0

package/dist/templates/base/claude/hooks/track-agent-invocation.sh DELETED Viewed

@@ -1,230 +0,0 @@
-#!/bin/bash
-# Track Agent Invocation Hook
-# Registers agent invocations in orchestrator-index.json
-#
-# Usage (called by Claude Code hooks):
-#   track-agent-invocation.sh start    (reads stdin JSON)
-#   track-agent-invocation.sh complete (reads stdin JSON)
-#
-# Claude Code passes JSON via stdin with structure:
-#   { "tool_name": "Task", "tool_input": { "subagent_type": "...", ... } }
-set -e
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
-INDEX_FILE="$PROJECT_ROOT/.orchestrator/orchestrator-index.json"
-STATE_DIR="$PROJECT_ROOT/.orchestrator/.state"
-INVOCATION_FILE="$STATE_DIR/current-invocation"
-DEBUG_LOG="$STATE_DIR/hook-debug.log"
-# Ensure state directory exists
-mkdir -p "$STATE_DIR"
-ACTION="${1:-}"
-# Read stdin into variable (Claude Code passes JSON via stdin)
-STDIN_DATA=""
-if [ ! -t 0 ]; then
-  STDIN_DATA=$(cat)
-fi
-case "$ACTION" in
-  start)
-    # Extract agent info from stdin JSON
-    # Structure: { "tool_name": "Task", "tool_input": { "subagent_type": "...", ... } }
-    if [ -n "$STDIN_DATA" ]; then
-      # Debug: log received data
-      echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] START stdin: $STDIN_DATA" >> "$DEBUG_LOG"
-      AGENT_NAME=$(echo "$STDIN_DATA" | node -e "
-        let data = '';
-        process.stdin.on('data', chunk => data += chunk);
-        process.stdin.on('end', () => {
-          try {
-            const json = JSON.parse(data);
-            // Try different structures
-            const type = json.tool_input?.subagent_type
-                      || json.subagent_type
-                      || json.tool_input?.type
-                      || 'unknown';
-            console.log(type);
-          } catch { console.log('unknown'); }
-        });
-      ")
-      PHASE=$(echo "$STDIN_DATA" | node -e "
-        let data = '';
-        process.stdin.on('data', chunk => data += chunk);
-        process.stdin.on('end', () => {
-          try {
-            const json = JSON.parse(data);
-            const type = json.tool_input?.subagent_type
-                      || json.subagent_type
-                      || json.tool_input?.type
-                      || 'unknown';
-            const phaseMap = {
-              'specifier': 'specify',
-              'planner': 'plan',
-              'task-generator': 'tasks',
-              'implementer': 'implement',
-              'researcher': 'research',
-              'reviewer': 'review',
-              'orchestrator': 'orchestrate'
-            };
-            console.log(phaseMap[type] || type);
-          } catch { console.log('unknown'); }
-        });
-      ")
-    elif [ -n "$CLAUDE_TOOL_INPUT" ]; then
-      # Fallback to environment variable
-      echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] START env: $CLAUDE_TOOL_INPUT" >> "$DEBUG_LOG"
-      AGENT_NAME=$(echo "$CLAUDE_TOOL_INPUT" | node -e "
-        let data = '';
-        process.stdin.on('data', chunk => data += chunk);
-        process.stdin.on('end', () => {
-          try {
-            const json = JSON.parse(data);
-            const type = json.subagent_type || json.tool_input?.subagent_type || 'unknown';
-            console.log(type);
-          } catch { console.log('unknown'); }
-        });
-      ")
-      PHASE="unknown"
-    else
-      echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] START no input received" >> "$DEBUG_LOG"
-      AGENT_NAME="unknown"
-      PHASE="unknown"
-    fi
-    # Generate invocation ID
-    INVOCATION_ID="inv-$(date +%s)-$(head -c 4 /dev/urandom | xxd -p)"
-    STARTED_AT=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-    # Get workflow ID from index
-    WORKFLOW_ID=""
-    if [ -f "$INDEX_FILE" ]; then
-      WORKFLOW_ID=$(node -e "
-        const fs = require('fs');
-        try {
-          const idx = JSON.parse(fs.readFileSync('$INDEX_FILE', 'utf8'));
-          console.log(idx.activeWorkflow?.id || 'wf-standalone-' + Date.now());
-        } catch { console.log('wf-standalone-' + Date.now()); }
-      ")
-    fi
-    # Save invocation state
-    echo "$INVOCATION_ID" > "$INVOCATION_FILE"
-    # Update orchestrator-index.json
-    if [ -f "$INDEX_FILE" ]; then
-      node -e "
-        const fs = require('fs');
-        const indexPath = '$INDEX_FILE';
-        const idx = JSON.parse(fs.readFileSync(indexPath, 'utf8'));
-        if (!idx.agentInvocations) idx.agentInvocations = [];
-        idx.agentInvocations.push({
-          id: '$INVOCATION_ID',
-          agentName: '$AGENT_NAME',
-          phase: '$PHASE',
-          workflowId: '$WORKFLOW_ID',
-          startedAt: '$STARTED_AT',
-          completedAt: null,
-          status: 'running',
-          durationMs: 0
-        });
-        fs.writeFileSync(indexPath, JSON.stringify(idx, null, 2));
-        console.log(JSON.stringify({ invocationId: '$INVOCATION_ID', startedAt: '$STARTED_AT' }));
-      "
-    else
-      echo '{"invocationId": "'$INVOCATION_ID'", "startedAt": "'$STARTED_AT'", "warning": "No index file found"}'
-    fi
-    ;;
-  complete)
-    # Get invocation ID from state file
-    INVOCATION_ID=""
-    if [ -f "$INVOCATION_FILE" ]; then
-      INVOCATION_ID=$(cat "$INVOCATION_FILE")
-    fi
-    if [ -z "$INVOCATION_ID" ]; then
-      echo '{"success": false, "error": "No invocation ID found"}'
-      exit 0  # Don't fail the hook
-    fi
-    # Debug log
-    if [ -n "$STDIN_DATA" ]; then
-      echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] COMPLETE stdin: $STDIN_DATA" >> "$DEBUG_LOG"
-    fi
-    # Determine status - default to success
-    STATUS="success"
-    SUMMARY="Completed"
-    COMPLETED_AT=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-    # Update orchestrator-index.json
-    if [ -f "$INDEX_FILE" ]; then
-      node -e "
-        const fs = require('fs');
-        const indexPath = '$INDEX_FILE';
-        const idx = JSON.parse(fs.readFileSync(indexPath, 'utf8'));
-        const invocations = idx.agentInvocations || [];
-        const invIdx = invocations.findIndex(i => i.id === '$INVOCATION_ID');
-        if (invIdx === -1) {
-          console.log(JSON.stringify({ success: false, error: 'Invocation not found' }));
-          process.exit(0);
-        }
-        const inv = invocations[invIdx];
-        const startTime = new Date(inv.startedAt).getTime();
-        const endTime = new Date('$COMPLETED_AT').getTime();
-        const durationMs = endTime - startTime;
-        invocations[invIdx] = {
-          ...inv,
-          completedAt: '$COMPLETED_AT',
-          status: '$STATUS' === 'success' ? 'completed' : 'failed',
-          durationMs,
-          result: {
-            status: '$STATUS',
-            summary: '$SUMMARY'
-          }
-        };
-        idx.agentInvocations = invocations;
-        // Update statistics
-        if (idx.statistics) {
-          idx.statistics.totalInvocations = invocations.length;
-          idx.statistics.lastActivity = '$COMPLETED_AT';
-        }
-        fs.writeFileSync(indexPath, JSON.stringify(idx, null, 2));
-        console.log(JSON.stringify({ success: true, durationMs }));
-      "
-    else
-      echo '{"success": false, "error": "No index file found"}'
-    fi
-    # Clean up state file
-    rm -f "$INVOCATION_FILE"
-    ;;
-  *)
-    echo "Usage: $0 {start|complete}"
-    echo ""
-    echo "This script is called by Claude Code hooks."
-    echo "It reads JSON from stdin with structure:"
-    echo '  { "tool_name": "Task", "tool_input": { "subagent_type": "...", ... } }'
-    echo ""
-    echo "Debug log: $DEBUG_LOG"
-    exit 0
-    ;;
-esac

package/dist/templates/base/claude/hooks/workflow-guard.sh DELETED Viewed

@@ -1,79 +0,0 @@
-#!/bin/bash
-# workflow-guard.sh — ADR-013 Phase 5 Hook (JSON Structured Output)
-# Trigger: PreToolUse on Write|Edit
-# Purpose: Block writes to src/ and tests/ when no active workflow exists.
-#
-# Output: JSON with permissionDecision (deny/allow) + additionalContext
-# Exit 0 with JSON = structured decision
-set -euo pipefail
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-source "$SCRIPT_DIR/orch-helpers.sh"
-STDIN_DATA=$(orch_read_stdin)
-# Extract file path (Claude Code wraps in tool_input)
-FILE_PATH=$(orch_json_field "$STDIN_DATA" "tool_input.file_path")
-[ -z "$FILE_PATH" ] && FILE_PATH=$(orch_json_field "$STDIN_DATA" "file_path")
-[ -z "$FILE_PATH" ] && FILE_PATH=$(orch_json_field "$STDIN_DATA" "input.file_path")
-orch_log "workflow-guard: file_path=$FILE_PATH"
-# Explicit bypass via env var (for direct implementation without dogfooding)
-if [ "${SKIP_WORKFLOW_GUARD:-}" = "true" ]; then
-  orch_log "workflow-guard: ALLOW (SKIP_WORKFLOW_GUARD=true)"
-  echo '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","additionalContext":"Workflow guard bypassed via SKIP_WORKFLOW_GUARD=true."}}'
-  exit 0
-fi
-# Only guard src/ and tests/ paths (production code)
-case "$FILE_PATH" in
-  */src/*|*/tests/*)
-    ;;
-  *)
-    orch_log "workflow-guard: ALLOW (non-guarded path)"
-    exit 0
-    ;;
-esac
-# Allow config and non-code files
-case "$FILE_PATH" in
-  *.json|*.yml|*.yaml|*.md|*.env|*.env.*)
-    orch_log "workflow-guard: ALLOW (config/doc file)"
-    exit 0
-    ;;
-esac
-# Check for active workflow
-WORKFLOW_ID=$(orch_get_active_workflow 2>/dev/null) || WORKFLOW_ID=""
-if [ -n "$WORKFLOW_ID" ]; then
-  # Check if running inside a sub-agent (agent_id present) or main agent (absent)
-  AGENT_ID=$(orch_json_field "$STDIN_DATA" "agent_id")
-  if [ -n "$AGENT_ID" ]; then
-    # Sub-agent writing — ALLOW
-    AGENT_TYPE=$(orch_json_field "$STDIN_DATA" "agent_type")
-    orch_log "workflow-guard: ALLOW (sub-agent: ${AGENT_TYPE:-unknown}, workflow: $WORKFLOW_ID)"
-    echo "{\"hookSpecificOutput\":{\"hookEventName\":\"PreToolUse\",\"permissionDecision\":\"allow\",\"additionalContext\":\"Active workflow: ${WORKFLOW_ID}. Sub-agent ${AGENT_TYPE:-unknown} write allowed.\"}}"
-    exit 0
-  fi
-  # Main agent writing directly — check if SKIP_SUBAGENT_GUARD allows it
-  if [ "${SKIP_SUBAGENT_GUARD:-}" = "true" ]; then
-    orch_log "workflow-guard: ALLOW (SKIP_SUBAGENT_GUARD=true, workflow: $WORKFLOW_ID)"
-    echo "{\"hookSpecificOutput\":{\"hookEventName\":\"PreToolUse\",\"permissionDecision\":\"allow\",\"additionalContext\":\"Active workflow: ${WORKFLOW_ID}. Direct write allowed via SKIP_SUBAGENT_GUARD.\"}}"
-    exit 0
-  fi
-  # Main agent writing directly — DENY, must use sub-agent
-  orch_log "workflow-guard: DENY (main agent direct write, no sub-agent invocation)"
-  echo "{\"hookSpecificOutput\":{\"hookEventName\":\"PreToolUse\",\"permissionDecision\":\"deny\",\"permissionDecisionReason\":\"Workflow Guard: Direct code writes are blocked. You must invoke a sub-agent (e.g. implementer) to write code. The sub-agent will have write access.\",\"additionalContext\":\"Use the Agent tool to spawn an implementer sub-agent for code changes. The workflow-guard allows writes only from sub-agents (identified by agent_id in hook input).\"}}"
-  exit 0
-fi
-# No active workflow — DENY with structured instructions
-orch_log "workflow-guard: DENY (no active workflow)"
-echo '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"Workflow Guard: No active workflow. Direct implementation is not allowed.","additionalContext":"You MUST start a workflow before writing code:\n1. mcp__orchestrator-tools__detectWorkflow({ prompt: \"...\" })\n2. mcp__orchestrator-tools__startWorkflow({ workflowType: \"...\", prompt: \"...\" })\n3. Follow the nextStep returned by startWorkflow\n\nThe workflow-guard hook blocks all writes to src/ and tests/ without an active workflow."}}'
-exit 0

package/templates/base/claude/hooks/approval-guardian.sh DELETED Viewed

@@ -1,62 +0,0 @@
-#!/bin/bash
-# approval-guardian.sh — TD-128 F-09 Hook
-# Trigger: PreToolUse on mcp__orchestrator-tools__approveAction and mcp__orchestrator-extended__completeWorkflow
-# Purpose: Block auto-approve and auto-complete when workflow is awaiting_approval.
-#          Requires explicit human confirmation before proceeding.
-#
-# Output: JSON with permissionDecision (deny/allow)
-set -euo pipefail
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-source "$SCRIPT_DIR/orch-helpers.sh"
-STDIN_DATA=$(orch_read_stdin)
-TOOL_NAME=$(orch_json_field "$STDIN_DATA" "tool_name")
-orch_log "APPROVAL-GUARDIAN: PreToolUse $TOOL_NAME triggered"
-# Extract workflow ID from tool_input
-WORKFLOW_ID=$(orch_json_field "$STDIN_DATA" "tool_input.workflowId")
-[ -z "$WORKFLOW_ID" ] && WORKFLOW_ID=$(orch_json_field "$STDIN_DATA" "workflowId")
-if [ -z "$WORKFLOW_ID" ]; then
-  # No workflow ID — allow (fail-open for non-workflow calls)
-  orch_log "APPROVAL-GUARDIAN: ALLOW (no workflowId)"
-  echo '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","additionalContext":"No workflowId found, allowing."}}'
-  exit 0
-fi
-# Get auth token
-TOKEN=$(orch_get_token 2>/dev/null) || TOKEN=""
-if [ -z "$TOKEN" ]; then
-  # Can't check status — fail-open (auth issues shouldn't block workflow completion)
-  orch_log "APPROVAL-GUARDIAN: ALLOW (auth failed, fail-open)"
-  echo '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","additionalContext":"Auth failed, allowing."}}'
-  exit 0
-fi
-# Get workflow status
-STATUS=$(curl -sf --max-time 5 "${API_URL}/api/v1/workflows/${WORKFLOW_ID}" \
-  -H "Authorization: Bearer $TOKEN" \
-  -H "X-Project-ID: $PROJECT_ID" 2>/dev/null) || STATUS=""
-if [ -z "$STATUS" ]; then
-  orch_log "APPROVAL-GUARDIAN: ALLOW (could not fetch workflow status)"
-  echo '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","additionalContext":"Could not fetch workflow status, allowing."}}'
-  exit 0
-fi
-WORKFLOW_STATUS=$(orch_json_field "$STATUS" "status")
-orch_log "APPROVAL-GUARDIAN: workflow=$WORKFLOW_ID status=$WORKFLOW_STATUS tool=$TOOL_NAME"
-# Block approveAction AND completeWorkflow when awaiting_approval
-if [ "$WORKFLOW_STATUS" = "awaiting_approval" ]; then
-  orch_log "APPROVAL-GUARDIAN: DENY (workflow awaiting_approval — human confirmation required for $TOOL_NAME)"
-  echo "{\"hookSpecificOutput\":{\"hookEventName\":\"PreToolUse\",\"permissionDecision\":\"deny\",\"permissionDecisionReason\":\"Approval Guardian: Workflow is awaiting human approval. You MUST ask the user for explicit confirmation before calling ${TOOL_NAME}.\",\"additionalContext\":\"Present the workflow summary to the user and ask: 'Do you approve advancing to IMPLEMENT?' Wait for their response. Do NOT auto-approve or auto-complete.\"}}"
-  exit 0
-fi
-# All other statuses: ALLOW
-orch_log "APPROVAL-GUARDIAN: ALLOW ($TOOL_NAME, status=$WORKFLOW_STATUS)"
-echo "{\"hookSpecificOutput\":{\"hookEventName\":\"PreToolUse\",\"permissionDecision\":\"allow\",\"additionalContext\":\"${TOOL_NAME} allowed (status=${WORKFLOW_STATUS}).\"}}"
-exit 0