@paths.design/caws-cli 9.2.0 → 9.3.0

package/dist/scaffold/cursor-hooks.js

@@ -106,7 +106,6 @@ async function scaffoldCursorHooks(projectDir, levels = ['safety', 'quality', 's
         { command: './.cursor/hooks/block-dangerous.sh' },
         { command: './.cursor/hooks/audit.sh' },
       ];
-      hooksConfig.hooks.beforeMCPExecution = [{ command: './.cursor/hooks/audit.sh' }];
       hooksConfig.hooks.beforeReadFile = [{ command: './.cursor/hooks/scan-secrets.sh' }];
     }
 

package/dist/scaffold/git-hooks.js

@@ -408,8 +408,25 @@ elif [ -f "scripts/quality-gates/run-quality-gates.js" ]; then
   fi
 # Option 3: CAWS CLI validation
 elif command -v caws >/dev/null 2>&1; then
+  # In a worktree, validate only the associated spec to avoid false positives
+  CAWS_VALIDATE_ARGS="--quiet"
+  WORKTREE_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "")
+  if [ -f ".caws/worktrees.json" ] && command -v node >/dev/null 2>&1; then
+    SPEC_ID=$(node -e "
+      try {
+        var reg = JSON.parse(require('fs').readFileSync('.caws/worktrees.json', 'utf8'));
+        var wt = Object.values(reg.worktrees || {}).find(function(w) {
+          return w.branch === '$WORKTREE_BRANCH';
+        });
+        if (wt && wt.specId) console.log(wt.specId);
+      } catch(e) {}
+    " 2>/dev/null || echo "")
+    if [ -n "$SPEC_ID" ]; then
+      CAWS_VALIDATE_ARGS="--quiet --spec-id $SPEC_ID"
+    fi
+  fi
   echo "Running CAWS CLI validation..."
-  if caws validate --quiet 2>/dev/null; then
+  if caws validate $CAWS_VALIDATE_ARGS 2>/dev/null; then
     echo "CAWS validation passed"
     QUALITY_GATES_RAN=true
   else

package/dist/templates/.caws/tools/README.md

@@ -4,18 +4,15 @@ This directory contains CAWS-specific tools that aren't available in the CLI.
 
 ## scope-guard.js
 
-Enforces that experimental code stays within designated sandbox areas. Used by Cursor hooks for scope validation.
+Checks whether a file is within scope of active working-spec and feature specs. Used by Cursor hooks for scope validation on file attachments.
 
 ```bash
-# Validate experimental code containment
-node .caws/tools/scope-guard.js validate
+# Check if a file is in scope
+node .caws/tools/scope-guard.js check src/index.js
 
-# Check containment status
-node .caws/tools/scope-guard.js check .caws/working-spec.yaml
+# Exit code 0 = in scope, 1 = out of scope
 ```
 
 **Usage in Cursor Hooks:**
 
 The `.cursor/hooks/scope-guard.sh` hook automatically uses this tool to validate file attachments against working spec scope boundaries.
-
-

package/dist/templates/.caws/tools/scope-guard.js

@@ -1,208 +1,152 @@
 #!/usr/bin/env node
 
 /**
- * @fileoverview CAWS Scope Guard
- * Enforces that experimental code stays within designated sandbox areas
+ * @fileoverview CAWS Scope Guard (file-level)
+ * Checks whether a given file path is within scope of active specs.
+ * Used by Cursor hooks for scope validation on file attachments.
  * @author @darianrosebrook
  */
 
 const fs = require('fs');
-const { execSync } = require('child_process');
+const path = require('path');
 
 /**
- * Check if experimental code is properly contained
- * @param {string} workingSpecPath - Path to working spec file
- * @returns {Object} Scope validation results
+ * Convert a glob pattern to a RegExp, handling **, *, ?, [abc], {a,b}
  */
-function checkExperimentalContainment(workingSpecPath = '.caws/working-spec.yaml') {
-  try {
-    if (!fs.existsSync(workingSpecPath)) {
-      console.error('❌ Working spec not found:', workingSpecPath);
-      return { valid: false, errors: ['Working spec not found'] };
-    }
-
-    const yaml = require('js-yaml');
-    const spec = yaml.load(fs.readFileSync(workingSpecPath, 'utf8'));
-
-    const results = {
-      valid: true,
-      errors: [],
-      warnings: [],
-      experimentalFiles: [],
-      nonExperimentalFiles: [],
-    };
-
-    // Only check if experimental mode is enabled
-    if (!spec.experimental_mode?.enabled) {
-      console.log('ℹ️  Experimental mode not enabled - skipping containment check');
-      return results;
+function globToRegex(pattern) {
+  let i = 0, re = '';
+  while (i < pattern.length) {
+    const c = pattern[i];
+    if (c === '*' && pattern[i + 1] === '*') {
+      re += '.*'; i += 2;
+      if (pattern[i] === '/') i++; // skip trailing slash after **
+    } else if (c === '*') {
+      re += '[^/]*'; i++;
+    } else if (c === '?') {
+      re += '[^/]'; i++;
+    } else if (c === '[') {
+      const end = pattern.indexOf(']', i);
+      if (end > i) { re += pattern.slice(i, end + 1); i = end + 1; }
+      else { re += '\\['; i++; }
+    } else if (c === '{') {
+      const end = pattern.indexOf('}', i);
+      if (end > i) {
+        const alts = pattern.slice(i + 1, end).split(',').map(a => a.trim());
+        re += '(?:' + alts.join('|') + ')'; i = end + 1;
+      } else { re += '\\{'; i++; }
+    } else if ('.+^$|()'.includes(c)) {
+      re += '\\' + c; i++;
+    } else {
+      re += c; i++;
     }
+  }
+  return new RegExp(re);
+}
 
-    const sandboxLocation = spec.experimental_mode.sandbox_location || 'experimental/';
-    console.log(`🔍 Checking containment for experimental code in: ${sandboxLocation}`);
+const TERMINAL = new Set(['completed', 'closed', 'archived']);
 
-    // Get list of changed files (this would typically come from git diff)
-    const changedFiles = getChangedFiles();
+/**
+ * Check if a file is within scope of active specs.
+ * @param {string} filePath - Relative path from project root
+ * @param {string} projectDir - Project root directory
+ * @returns {{inScope: boolean, reason: string}}
+ */
+function checkFileScope(filePath, projectDir) {
+  // Smart allowlist: root-level files, .caws/, .claude/ always pass
+  if (!filePath.includes('/') || filePath.startsWith('.caws/') || filePath.startsWith('.claude/')) {
+    return { inScope: true, reason: 'allowlisted path' };
+  }
 
-    if (changedFiles.length === 0) {
-      console.log('ℹ️  No files changed - skipping scope check');
-      return results;
-    }
+  const specFile = path.join(projectDir, '.caws/working-spec.yaml');
+  const specsDir = path.join(projectDir, '.caws/specs');
 
-    // Check each changed file
-    changedFiles.forEach((file) => {
-      const isInSandbox =
-        file.startsWith(sandboxLocation) ||
-        file.includes(`/${sandboxLocation}`) ||
-        file.includes(sandboxLocation);
-
-      if (isInSandbox) {
-        results.experimentalFiles.push(file);
-        console.log(`✅ Experimental file properly contained: ${file}`);
-      } else {
-        results.nonExperimentalFiles.push(file);
-        results.valid = false;
-        results.errors.push(`Experimental code found outside sandbox: ${file}`);
-        console.error(`❌ Experimental code outside sandbox: ${file}`);
-      }
-    });
-
-    // Check if experimental files actually exist
-    results.experimentalFiles.forEach((file) => {
-      if (!fs.existsSync(file)) {
-        results.warnings.push(`Experimental file not found (may have been deleted): ${file}`);
-        console.warn(`⚠️  Experimental file not found: ${file}`);
-      }
-    });
+  if (!fs.existsSync(specFile) && !fs.existsSync(specsDir)) {
+    return { inScope: true, reason: 'no specs found' };
+  }
 
-    return results;
-  } catch (error) {
-    console.error('❌ Error checking experimental containment:', error.message);
-    return { valid: false, errors: [error.message] };
+  // Load all active specs
+  let yaml;
+  try { yaml = require('js-yaml'); } catch (_) {
+    return { inScope: true, reason: 'js-yaml not available' };
   }
-}
 
-/**
- * Get list of changed files from git
- * @returns {Array} List of changed file paths
- */
-function getChangedFiles() {
-  try {
-    // Get files that are staged or modified
-    const staged = execSync('git diff --cached --name-only', { encoding: 'utf8' })
-      .split('\n')
-      .filter((file) => file.trim());
-
-    const modified = execSync('git diff --name-only', { encoding: 'utf8' })
-      .split('\n')
-      .filter((file) => file.trim());
-
-    // Combine and deduplicate
-    const allFiles = [...new Set([...staged, ...modified])];
-
-    // Filter out deleted files (they might still be in the diff)
-    return allFiles.filter((file) => {
-      try {
-        return fs.existsSync(file);
-      } catch {
-        return false;
+  const specs = [];
+
+  if (fs.existsSync(specFile)) {
+    try {
+      const s = yaml.load(fs.readFileSync(specFile, 'utf8'));
+      if (s && !TERMINAL.has(s.status)) {
+        specs.push({ source: 'working-spec', spec: s });
       }
-    });
-  } catch (error) {
-    console.warn('⚠️  Could not get changed files from git:', error.message);
-    return [];
+    } catch (_) {}
   }
-}
 
-/**
- * Validate that experimental code follows containment rules
- * @param {string} workingSpecPath - Path to working spec file
- */
-function validateExperimentalScope(workingSpecPath = '.caws/working-spec.yaml') {
-  console.log('🔍 Validating experimental code containment...');
-
-  const results = checkExperimentalContainment(workingSpecPath);
-
-  if (!results.valid) {
-    console.error('\n❌ Experimental containment validation failed:');
-    results.errors.forEach((error) => {
-      console.error(`   - ${error}`);
-    });
-
-    if (results.warnings.length > 0) {
-      console.warn('\n⚠️  Warnings:');
-      results.warnings.forEach((warning) => {
-        console.warn(`   - ${warning}`);
-      });
+  if (fs.existsSync(specsDir)) {
+    for (const f of fs.readdirSync(specsDir).filter(f => f.endsWith('.yaml') || f.endsWith('.yml'))) {
+      try {
+        const s = yaml.load(fs.readFileSync(path.join(specsDir, f), 'utf8'));
+        if (s && !TERMINAL.has(s.status)) {
+          specs.push({ source: f, spec: s });
+        }
+      } catch (_) {}
     }
+  }
 
-    console.error('\n💡 To fix containment issues:');
-    console.error('   1. Move experimental code to the designated sandbox location');
-    console.error('   2. Update the sandbox_location in your working spec');
-    console.error('   3. Or disable experimental mode if this is production code');
+  if (specs.length === 0) {
+    return { inScope: true, reason: 'no active specs' };
+  }
 
-    process.exit(1);
+  // Check scope.out — any match blocks
+  for (const { source, spec } of specs) {
+    for (const pattern of (spec.scope?.out || [])) {
+      if (globToRegex(pattern).test(filePath)) {
+        return { inScope: false, reason: `out-of-scope in ${source} (pattern: ${pattern})` };
+      }
+    }
   }
 
-  if (results.warnings.length > 0) {
-    console.warn('\n⚠️  Experimental containment warnings:');
-    results.warnings.forEach((warning) => {
-      console.warn(`   - ${warning}`);
-    });
+  // Union all scope.in — must match at least one
+  const allIn = specs.flatMap(({ spec }) => spec.scope?.in || []);
+  if (allIn.length > 0) {
+    const found = allIn.some(pattern => globToRegex(pattern).test(filePath));
+    if (!found) {
+      return { inScope: false, reason: 'not in any active spec scope.in' };
+    }
   }
 
-  console.log('✅ Experimental code containment validated');
-  console.log(`   - Files in sandbox: ${results.experimentalFiles.length}`);
-  console.log(`   - Files outside sandbox: ${results.nonExperimentalFiles.length}`);
+  return { inScope: true, reason: 'in scope' };
 }
 
 // CLI interface
 if (require.main === module) {
   const command = process.argv[2];
-  const specPath = process.argv[3] || '.caws/working-spec.yaml';
-
-  switch (command) {
-    case 'validate':
-      validateExperimentalScope(specPath);
-      break;
-
-    case 'check':
-      const results = checkExperimentalContainment(specPath);
-      console.log('\n📊 Containment Check Results:');
-      console.log(`   Valid: ${results.valid}`);
-      console.log(`   Experimental files: ${results.experimentalFiles.length}`);
-      console.log(`   Non-experimental files: ${results.nonExperimentalFiles.length}`);
-      console.log(`   Errors: ${results.errors.length}`);
-      console.log(`   Warnings: ${results.warnings.length}`);
-
-      if (results.errors.length > 0) {
-        console.log('\n❌ Errors:');
-        results.errors.forEach((error) => console.log(`   - ${error}`));
-      }
-
-      if (results.warnings.length > 0) {
-        console.log('\n⚠️  Warnings:');
-        results.warnings.forEach((warning) => console.log(`   - ${warning}`));
-      }
-
-      process.exit(results.valid ? 0 : 1);
-      break;
-
-    default:
-      console.log('CAWS Scope Guard');
-      console.log('Usage:');
-      console.log('  node scope-guard.js validate [spec-path]');
-      console.log('  node scope-guard.js check [spec-path]');
-      console.log('');
-      console.log('Examples:');
-      console.log('  node scope-guard.js validate');
-      console.log('  node scope-guard.js check .caws/working-spec.yaml');
+  const filePath = process.argv[3];
+
+  if (command === 'check' && filePath) {
+    // Resolve relative to cwd
+    const projectDir = process.cwd();
+    const rel = filePath.startsWith(projectDir)
+      ? filePath.slice(projectDir.length + 1)
+      : filePath;
+
+    const result = checkFileScope(rel, projectDir);
+    if (result.inScope) {
+      console.log(`in_scope: ${result.reason}`);
+      process.exit(0);
+    } else {
+      console.error(`out_of_scope: ${result.reason}`);
       process.exit(1);
+    }
+  } else {
+    console.log('CAWS Scope Guard');
+    console.log('Usage:');
+    console.log('  node scope-guard.js check <file-path>');
+    console.log('');
+    console.log('Examples:');
+    console.log('  node scope-guard.js check src/index.js');
+    console.log('  node scope-guard.js check packages/cli/lib/main.ts');
+    process.exit(1);
   }
 }
 
-module.exports = {
-  checkExperimentalContainment,
-  validateExperimentalScope,
-  getChangedFiles,
-};
+module.exports = { checkFileScope, globToRegex };

package/dist/templates/.claude/hooks/audit.sh

@@ -88,6 +88,31 @@ case "$EVENT_TYPE" in
     ;;
 esac
 
+# --- Log rotation ---
+# Keep main audit.log under 10MB; keep date-logs for 30 days
+rotate_logs() {
+  # Rotate main audit.log at 10MB
+  if [[ -f "$LOG_FILE" ]]; then
+    local size
+    size=$(wc -c < "$LOG_FILE" 2>/dev/null | tr -d ' ')
+    if [[ "$size" -gt 10485760 ]]; then
+      # Keep last rotated copy, discard older
+      [[ -f "${LOG_FILE}.1" ]] && rm -f "${LOG_FILE}.1"
+      mv "$LOG_FILE" "${LOG_FILE}.1"
+    fi
+  fi
+
+  # Prune date-based logs older than 30 days
+  if [[ -d "$LOG_DIR" ]]; then
+    find "$LOG_DIR" -name 'audit-*.log' -type f -mtime +30 -delete 2>/dev/null || true
+  fi
+}
+
+# Run rotation check ~1% of the time (avoid stat overhead on every tool call)
+if [[ $(( RANDOM % 100 )) -eq 0 ]]; then
+  rotate_logs
+fi
+
 # Append to log files
 echo "$LOG_ENTRY" >> "$LOG_FILE"
 echo "$LOG_ENTRY" >> "$DATE_LOG_FILE"

package/dist/templates/.claude/hooks/block-dangerous.sh

@@ -75,6 +75,8 @@ DANGEROUS_PATTERNS=(
   'git clean -f'
   'git checkout \.'
   'git restore \.'
+  '(^|&&|\|\||;|\|)\s*git rebase'
+  '(^|&&|\|\||;|\|)\s*git cherry-pick'
 
   # Virtual environment creation (prevents venv sprawl)
   'python -m venv'
@@ -91,6 +93,43 @@ for pattern in "${DANGEROUS_PATTERNS[@]}"; do
       continue
     fi
 
+    # Allow git rebase/cherry-pick only when no worktrees are active
+    if [[ "$pattern" == *"git rebase"* ]] || [[ "$pattern" == *"git cherry-pick"* ]]; then
+      PROJECT_DIR="${CLAUDE_PROJECT_DIR:-.}"
+      # Resolve to main repo root if we're in a worktree
+      if command -v git >/dev/null 2>&1; then
+        GIT_COMMON=$(cd "$PROJECT_DIR" && git rev-parse --git-common-dir 2>/dev/null || echo "")
+        if [[ -n "$GIT_COMMON" ]] && [[ "$GIT_COMMON" != ".git" ]]; then
+          CANDIDATE=$(cd "$PROJECT_DIR" && cd "$GIT_COMMON/.." 2>/dev/null && pwd || echo "")
+          if [[ -n "$CANDIDATE" ]] && [[ -d "$CANDIDATE/.caws" ]]; then
+            PROJECT_DIR="$CANDIDATE"
+          fi
+        fi
+      fi
+      WT_FILE="$PROJECT_DIR/.caws/worktrees.json"
+      if [[ -f "$WT_FILE" ]] && command -v node >/dev/null 2>&1; then
+        ACTIVE_COUNT=$(node -e "
+          try {
+            var r = JSON.parse(require('fs').readFileSync('$WT_FILE','utf8'));
+            var c = Object.values(r.worktrees||{}).filter(function(w){return w.status==='active';}).length;
+            console.log(c);
+          } catch(e) { console.log(0); }
+        " 2>/dev/null || echo "0")
+        if [[ "$ACTIVE_COUNT" -gt 0 ]]; then
+          # Extract the specific git subcommand for the message
+          GIT_SUBCMD="git operation"
+          [[ "$pattern" == *"git rebase"* ]] && GIT_SUBCMD="git rebase"
+          [[ "$pattern" == *"git cherry-pick"* ]] && GIT_SUBCMD="git cherry-pick"
+          echo "BLOCKED: $GIT_SUBCMD is forbidden while $ACTIVE_COUNT worktree(s) are active." >&2
+          echo "This can replay or rewrite commits across worktree boundaries." >&2
+          echo "Command was: $COMMAND" >&2
+          exit 2
+        fi
+      fi
+      # No active worktrees — allow
+      continue
+    fi
+
     # Allow venv commands if target matches designated venv path from scope.json
     if echo "$pattern" | grep -qE '(python.*venv|virtualenv|conda create)'; then
       PROJECT_DIR="${CLAUDE_PROJECT_DIR:-.}"

package/dist/templates/.claude/hooks/lite-sprawl-check.sh

@@ -49,9 +49,37 @@ if command -v node >/dev/null 2>&1; then
       const basename = '$BASENAME';
       const banned = scope.bannedPatterns || {};
 
+      function globToRegex(pattern) {
+        let i = 0, re = '';
+        while (i < pattern.length) {
+          const c = pattern[i];
+          if (c === '*' && pattern[i+1] === '*') {
+            re += '.*'; i += 2;
+            if (pattern[i] === '/') i++;
+          } else if (c === '*') {
+            re += '[^/]*'; i++;
+          } else if (c === '?') {
+            re += '[^/]'; i++;
+          } else if (c === '[') {
+            const end = pattern.indexOf(']', i);
+            if (end > i) { re += pattern.slice(i, end + 1); i = end + 1; }
+            else { re += '\\\\['; i++; }
+          } else if (c === '{') {
+            const end = pattern.indexOf('}', i);
+            if (end > i) {
+              const alts = pattern.slice(i + 1, end).split(',').map(a => a.trim());
+              re += '(?:' + alts.join('|') + ')'; i = end + 1;
+            } else { re += '\\\\{'; i++; }
+          } else if ('.+^$|()'.includes(c)) {
+            re += '\\\\' + c; i++;
+          } else {
+            re += c; i++;
+          }
+        }
+        return new RegExp('^' + re + '$');
+      }
       function matchGlob(str, pattern) {
-        const regex = new RegExp('^' + pattern.replace(/\\*/g, '.*').replace(/\\?/g, '.') + '$');
-        return regex.test(str);
+        return globToRegex(pattern).test(str);
       }
 
       // Check banned file patterns

package/dist/templates/.claude/hooks/naming-check.sh

@@ -51,9 +51,12 @@ BANNED_MODIFIERS=(
 # Convert filename to lowercase for checking
 FILENAME_LOWER=$(echo "$FILENAME" | tr '[:upper:]' '[:lower:]')
 
-# Check for banned modifiers
+# Check for banned modifiers (word-boundary aware)
 for modifier in "${BANNED_MODIFIERS[@]}"; do
-  if [[ "$FILENAME_LOWER" == *"$modifier"* ]]; then
+  # Match modifier preceded by start-of-string, hyphen, underscore, or dot
+  # and followed by end-of-string, hyphen, underscore, or dot
+  # Prevents false positives like "old" in "gold_oracle" or "new" in "renewable"
+  if [[ "$FILENAME_LOWER" =~ (^|[-_.])"$modifier"([-_.]|$) ]]; then
     # Special case: allow test files that follow conventions
     if [[ "$modifier" == "test-" ]] || [[ "$modifier" == "-test" ]] || [[ "$modifier" == "_test" ]]; then
       if [[ "$FILENAME_LOWER" =~ \.(test|spec)\.(js|ts|jsx|tsx|py|go|rs)$ ]]; then

package/dist/templates/.claude/hooks/scope-guard.sh

@@ -44,6 +44,37 @@ if [[ ! -f "$SPEC_FILE" ]] && [[ -f "$SCOPE_FILE" ]]; then
     LITE_CHECK=$(node -e "
       const fs = require('fs');
       const path = require('path');
+
+      function globToRegex(pattern) {
+        let i = 0, re = '';
+        while (i < pattern.length) {
+          const c = pattern[i];
+          if (c === '*' && pattern[i+1] === '*') {
+            re += '.*'; i += 2;
+            if (pattern[i] === '/') i++;
+          } else if (c === '*') {
+            re += '[^/]*'; i++;
+          } else if (c === '?') {
+            re += '[^/]'; i++;
+          } else if (c === '[') {
+            const end = pattern.indexOf(']', i);
+            if (end > i) { re += pattern.slice(i, end + 1); i = end + 1; }
+            else { re += '\\\\['; i++; }
+          } else if (c === '{') {
+            const end = pattern.indexOf('}', i);
+            if (end > i) {
+              const alts = pattern.slice(i + 1, end).split(',').map(a => a.trim());
+              re += '(?:' + alts.join('|') + ')'; i = end + 1;
+            } else { re += '\\\\{'; i++; }
+          } else if ('.+^$|()'.includes(c)) {
+            re += '\\\\' + c; i++;
+          } else {
+            re += c; i++;
+          }
+        }
+        return new RegExp(re);
+      }
+
       try {
         const scope = JSON.parse(fs.readFileSync('$SCOPE_FILE', 'utf8'));
         const filePath = '$REL_PATH';
@@ -54,7 +85,7 @@ if [[ ! -f "$SPEC_FILE" ]] && [[ -f "$SCOPE_FILE" ]]; then
         const basename = path.basename(filePath);
         const bannedFiles = banned.files || [];
         for (const pattern of bannedFiles) {
-          const regex = new RegExp(pattern.replace(/\\*/g, '.*').replace(/\\?/g, '.'));
+          const regex = globToRegex(pattern);
           if (regex.test(basename)) {
             console.log('banned:' + pattern);
             process.exit(0);
@@ -64,7 +95,7 @@ if [[ ! -f "$SPEC_FILE" ]] && [[ -f "$SCOPE_FILE" ]]; then
         // Check banned doc patterns
         const bannedDocs = banned.docs || [];
         for (const pattern of bannedDocs) {
-          const regex = new RegExp(pattern.replace(/\\*/g, '.*').replace(/\\?/g, '.'));
+          const regex = globToRegex(pattern);
           if (regex.test(basename)) {
             console.log('banned:' + pattern);
             process.exit(0);
@@ -129,6 +160,37 @@ if command -v node >/dev/null 2>&1; then
     const fs = require('fs');
     const path = require('path');
 
+    // Convert glob pattern to regex, handling **, *, ?, [abc], {a,b}
+    function globToRegex(pattern) {
+      let i = 0, re = '';
+      while (i < pattern.length) {
+        const c = pattern[i];
+        if (c === '*' && pattern[i+1] === '*') {
+          re += '.*'; i += 2;
+          if (pattern[i] === '/') i++; // skip trailing slash after **
+        } else if (c === '*') {
+          re += '[^/]*'; i++;
+        } else if (c === '?') {
+          re += '[^/]'; i++;
+        } else if (c === '[') {
+          const end = pattern.indexOf(']', i);
+          if (end > i) { re += pattern.slice(i, end + 1); i = end + 1; }
+          else { re += '\\\\['; i++; }
+        } else if (c === '{') {
+          const end = pattern.indexOf('}', i);
+          if (end > i) {
+            const alts = pattern.slice(i + 1, end).split(',').map(a => a.trim());
+            re += '(?:' + alts.join('|') + ')'; i = end + 1;
+          } else { re += '\\\\{'; i++; }
+        } else if ('.+^$|()'.includes(c)) {
+          re += '\\\\' + c; i++;
+        } else {
+          re += c; i++;
+        }
+      }
+      return new RegExp(re);
+    }
+
     try {
       const filePath = '$REL_PATH';
 
@@ -177,7 +239,7 @@ if command -v node >/dev/null 2>&1; then
       // Check scope.out across ALL active specs — any match blocks
       for (const { source, spec } of specs) {
         for (const pattern of (spec.scope?.out || [])) {
-          const regex = new RegExp(pattern.replace(/\\*/g, '.*').replace(/\\?/g, '.'));
+          const regex = globToRegex(pattern);
           if (regex.test(filePath)) {
             console.log('out_of_scope:' + source + ':' + pattern);
             process.exit(0);
@@ -190,7 +252,7 @@ if command -v node >/dev/null 2>&1; then
       if (allInScope.length > 0) {
         let found = false;
         for (const pattern of allInScope) {
-          const regex = new RegExp(pattern.replace(/\\*/g, '.*').replace(/\\?/g, '.'));
+          const regex = globToRegex(pattern);
           if (regex.test(filePath)) {
             found = true;
             break;