@paths.design/caws-cli 9.3.2 → 10.0.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@paths.design/caws-cli",
-  "version": "9.3.2",
+  "version": "10.0.1",
   "description": "CAWS CLI - Coding Agent Workflow System command-line tools for spec management, quality gates, and AI-assisted development",
   "main": "dist/index.js",
   "bin": {
@@ -17,7 +17,7 @@
     "dev": "mkdir -p dist && cp -r src/* dist/ && node dist/index.js",
     "typecheck": "tsc --emitDeclarationOnly --outDir dist",
     "start": "node dist/index.js",
-    "test": "npm run build && jest && npm run test:cleanup",
+    "test": "node scripts/run-tests.js",
     "test:unit": "npm run build && jest --testPathIgnorePatterns='perf-budgets|integration|e2e|mutation|axe|contract' && npm run test:cleanup",
     "test:contract": "npm run build && jest --testPathPatterns=contract && npm run test:cleanup",
     "test:integration": "npm run build && jest --testPathPatterns=integration && npm run test:cleanup",
@@ -34,7 +34,7 @@
     "validate": "echo 'CLI package validation not required'",
     "caws:validate": "node ../../.caws/validate.js ../../.caws/working-spec.yaml",
     "clean": "rm -rf dist test-caws-project .agent && npm run test:cleanup",
-    "prepare": "husky"
+    "prepare": "husky >/dev/null 2>&1 || true"
   },
   "keywords": [
     "caws",
@@ -59,7 +59,9 @@
     "chalk": "4.1.2",
     "commander": "^11.0.0",
     "fs-extra": "^11.0.0",
-    "inquirer": "8.2.7"
+    "inquirer": "8.2.7",
+    "ajv": "8.17.1",
+    "js-yaml": "4.1.0"
   },
   "devDependencies": {
     "@eslint/js": "^9.0.0",
@@ -71,12 +73,10 @@
     "@types/inquirer": "^8.2.6",
     "@types/js-yaml": "^4.0.0",
     "@types/node": "^20.0.0",
-    "ajv": "8.17.1",
     "esbuild": "0.25.10",
     "eslint": "^9.0.0",
     "husky": "9.1.7",
     "jest": "30.1.3",
-    "js-yaml": "4.1.0",
     "lint-staged": "15.5.2",
     "micromatch": "4.0.8",
     "prettier": "^3.0.0",

package/templates/.caws/schemas/policy.schema.json

@@ -0,0 +1,50 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "CAWS Policy",
+  "type": "object",
+  "required": ["version", "risk_tiers"],
+  "properties": {
+    "version": { "type": "integer", "const": 1 },
+    "risk_tiers": {
+      "type": "object",
+      "properties": {
+        "1": { "$ref": "#/$defs/tier" },
+        "2": { "$ref": "#/$defs/tier" },
+        "3": { "$ref": "#/$defs/tier" }
+      },
+      "required": ["1", "2", "3"]
+    },
+    "edit_rules": {
+      "type": "object",
+      "properties": {
+        "policy_and_code_same_pr": { "type": "boolean" },
+        "min_approvers_for_budget_raise": { "type": "integer", "minimum": 1 },
+        "require_signed_commits": { "type": "boolean" }
+      }
+    },
+    "gates": {
+      "type": "object",
+      "additionalProperties": {
+        "type": "object",
+        "properties": {
+          "enabled": { "type": "boolean" },
+          "description": { "type": "string" },
+          "mode": { "type": "string", "enum": ["block", "warn", "skip"] },
+          "thresholds": { "type": "object" }
+        },
+        "required": ["enabled"]
+      }
+    }
+  },
+  "$defs": {
+    "tier": {
+      "type": "object",
+      "required": ["max_files", "max_loc"],
+      "properties": {
+        "max_files": { "type": "integer", "minimum": 1 },
+        "max_loc": { "type": "integer", "minimum": 1 },
+        "description": { "type": "string" }
+      }
+    }
+  }
+}

package/templates/.caws/schemas/waivers.schema.json

@@ -1,30 +1,36 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "title": "CAWS Waivers Configuration",
+  "title": "CAWS Waiver",
+  "description": "Individual waiver file created by caws waivers create",
   "type": "object",
-  "patternProperties": {
-    ".*": {
-      "type": "object",
-      "required": ["gate", "reason", "owner", "expiry"],
-      "properties": {
-        "gate": {
-          "type": "string",
-          "enum": ["coverage", "mutation", "contracts", "a11y", "perf", "security"]
-        },
-        "reason": { "type": "string", "minLength": 10 },
-        "owner": { "type": "string" },
-        "expiry": { "type": "string", "format": "date-time" },
-        "compensating_control": { "type": "string" },
-        "ticket_url": { "type": "string", "format": "uri" },
-        "approved_by": { "type": "string" },
-        "created_at": { "type": "string", "format": "date-time" },
-        "status": {
-          "type": "string",
-          "enum": ["active", "expired", "revoked"],
-          "default": "active"
-        }
-      }
-    }
+  "required": ["id", "title", "reason", "gates", "created_at", "expires_at", "approved_by", "status"],
+  "properties": {
+    "id": { "type": "string", "pattern": "^WV-\\d{4}$" },
+    "title": { "type": "string", "minLength": 1 },
+    "reason": { "type": "string", "minLength": 10 },
+    "description": { "type": "string" },
+    "gates": {
+      "type": "array",
+      "items": { "type": "string" },
+      "minItems": 1,
+      "description": "Gate names this waiver applies to"
+    },
+    "created_at": { "type": "string" },
+    "expires_at": { "type": "string" },
+    "approved_by": { "type": "string" },
+    "impact_level": { "type": "string" },
+    "mitigation_plan": { "type": "string" },
+    "status": {
+      "type": "string",
+      "enum": ["active", "expired", "revoked"],
+      "default": "active"
+    },
+    "created_by_session": { "type": ["string", "null"] },
+    "compensating_control": { "type": "string" },
+    "ticket_url": { "type": "string", "format": "uri" },
+    "revoked_at": { "type": "string" },
+    "revoked_by": { "type": "string" },
+    "revocation_reason": { "type": "string" }
   },
   "additionalProperties": false
 }

package/templates/.caws/schemas/working-spec.schema.json

@@ -18,8 +18,15 @@
   "properties": {
     "id": { "type": "string", "pattern": "^[A-Z]{2,6}-\\d{3,4}$" },
     "title": { "type": "string", "minLength": 10, "maxLength": 200 },
+    "type": { "type": "string", "enum": ["feature", "fix", "refactor", "chore", "docs"] },
+    "status": {
+      "type": "string",
+      "enum": ["draft", "active", "in_progress", "completed", "closed", "archived"]
+    },
+    "created_at": { "type": "string" },
+    "updated_at": { "type": "string" },
     "risk_tier": { "type": ["integer", "string"], "enum": [1, 2, 3, "1", "2", "3"] },
-    "mode": { "type": "string", "enum": ["feature", "refactor", "fix", "doc", "chore"] },
+    "mode": { "type": "string", "enum": ["feature", "refactor", "fix", "doc", "docs", "chore", "development"] },
     "waiver_ids": {
       "type": "array",
       "items": { "type": "string", "pattern": "^WV-\\d{4}$" },
@@ -45,7 +52,7 @@
     "invariants": { "type": "array", "items": { "type": "string" }, "minItems": 1 },
     "acceptance": {
       "type": "array",
-      "minItems": 1,
+      "minItems": 0,
       "items": {
         "type": "object",
         "required": ["id", "given", "when", "then"],
@@ -57,6 +64,35 @@
         }
       }
     },
+    "acceptance_criteria": {
+      "type": "array",
+      "minItems": 0,
+      "items": {
+        "type": "object",
+        "required": ["id"],
+        "properties": {
+          "id": { "type": "string" },
+          "description": { "type": "string" },
+          "completed": { "type": "boolean" },
+          "test": { "type": "string" },
+          "test_command": { "type": "string" },
+          "test_nodeids": {
+            "type": "array",
+            "items": { "type": "string" }
+          },
+          "evidence": {
+            "oneOf": [
+              { "type": "string" },
+              {
+                "type": "array",
+                "items": { "type": "string" }
+              }
+            ]
+          }
+        },
+        "additionalProperties": true
+      }
+    },
     "non_functional": {
       "type": "object",
       "properties": {
@@ -75,13 +111,14 @@
     },
     "contracts": {
       "type": "array",
-      "minItems": 1,
       "items": {
         "type": "object",
         "required": ["type", "path"],
         "properties": {
-          "type": { "type": "string", "enum": ["openapi", "graphql", "proto", "pact"] },
-          "path": { "type": "string" }
+          "type": { "type": "string", "enum": ["openapi", "graphql", "proto", "pact", "project_setup"] },
+          "path": { "type": "string" },
+          "description": { "type": "string" },
+          "version": { "type": "string" }
         }
       }
     },
@@ -95,9 +132,15 @@
     },
     "migrations": { "type": "array", "items": { "type": "string" } },
     "rollback": { "type": "array", "items": { "type": "string" } },
-    "experiment_mode": {
-      "type": "boolean",
-      "description": "Enables experimental mode with reduced requirements"
+    "experimental_mode": {
+      "type": "object",
+      "description": "Enables experimental mode with reduced requirements",
+      "required": ["enabled", "rationale", "expires_at"],
+      "properties": {
+        "enabled": { "type": "boolean" },
+        "rationale": { "type": "string" },
+        "expires_at": { "type": "string" }
+      }
     },
     "timeboxed_hours": {
       "type": "integer",

package/templates/.caws/schemas/worktrees.schema.json

@@ -21,11 +21,13 @@
           "baseBranch": { "type": "string" },
           "scope": { "type": ["string", "null"] },
           "specId": { "type": ["string", "null"] },
+          "owner": { "type": ["string", "null"], "description": "CLAUDE_SESSION_ID of the creating agent" },
           "createdAt": { "type": "string", "format": "date-time" },
           "destroyedAt": { "type": "string", "format": "date-time" },
+          "autoRegistered": { "type": "boolean" },
           "status": {
             "type": "string",
-            "enum": ["active", "orphaned", "missing", "destroyed"]
+            "enum": ["fresh", "active", "merged", "orphaned", "missing", "stale-merged", "destroyed"]
           }
         },
         "additionalProperties": false

package/templates/.caws/templates/working-spec.template.yml

@@ -1,6 +1,10 @@
 id: '{{FEATURE_ID}}'
 title: '{{FEATURE_TITLE}}'
-risk_tier: { { TIER } }
+risk_tier: {{TIER}}
+mode: feature
+blast_radius:
+  modules: []
+operational_rollback_slo: "30m"
 scope:
   in:
     - '{{SCOPE_ITEM_1}}'
@@ -37,8 +41,8 @@ non_functional:
   a11y:
     - '{{ACCESSIBILITY_REQUIREMENT}}'
   perf:
-    api_p95_ms: { { PERF_BUDGET } }
-    lcp_ms: { { LCP_BUDGET } }
+    api_p95_ms: {{PERF_BUDGET}}
+    lcp_ms: {{LCP_BUDGET}}
   security:
     - '{{SECURITY_REQUIREMENT}}'
 contracts:

package/templates/.claude/hooks/block-dangerous.sh

@@ -1,23 +1,70 @@
 #!/bin/bash
-# CAWS Dangerous Command Blocker for Claude Code
-# Blocks potentially destructive shell commands
+# CAWS Command Safety Gate for Claude Code
+# Delegates to classify_command.py for robust command parsing and classification.
+# Falls back to bash pattern matching if Python is unavailable.
+#
+# The Python classifier handles:
+#   - Heredoc-aware parsing (won't false-positive on quoted dangerous commands)
+#   - Quoted-region stripping (echo "git reset --hard" is safe)
+#   - Pipeline-aware dangers (curl | sh)
+#   - Context-aware rm classification (safe prefixes vs dangerous targets)
+#   - Proper shell segmentation (&&, ||, ;, |)
+#
 # @author @darianrosebrook
 
 set -euo pipefail
 
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
 # Read JSON input from Claude Code
 INPUT=$(cat)
 
 # Extract tool info
-TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // ""')
-COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // ""')
+TOOL_NAME=$(printf '%s' "$INPUT" | jq -r '.tool_name // ""')
+COMMAND=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // ""')
 
 # Only check Bash tool
 if [[ "$TOOL_NAME" != "Bash" ]] || [[ -z "$COMMAND" ]]; then
   exit 0
 fi
 
-# Dangerous command patterns
+# --- Try Python classifier first (preferred) ---
+CLASSIFIER="$SCRIPT_DIR/classify_command.py"
+if [[ -f "$CLASSIFIER" ]] && command -v python3 >/dev/null 2>&1; then
+  REPO_ROOT="${CLAUDE_PROJECT_DIR:-.}"
+  CLASSIFIER_STDERR=$(mktemp)
+  RESULT=$(printf '%s' "$COMMAND" | python3 "$CLASSIFIER" \
+    --repo-root "$REPO_ROOT" \
+    --home "$HOME" \
+    --cwd "$(pwd)" 2>"$CLASSIFIER_STDERR") || {
+    DIAG=$(head -c 200 "$CLASSIFIER_STDERR" 2>/dev/null || true)
+    rm -f "$CLASSIFIER_STDERR"
+    RESULT="{\"decision\":\"ask\",\"reason\":\"command classifier failed: ${DIAG:-unknown error}\"}"
+  }
+  rm -f "$CLASSIFIER_STDERR"
+
+  DECISION=$(printf '%s' "$RESULT" | jq -r '.decision // "ask"')
+  REASON=$(printf '%s' "$RESULT" | jq -r '.reason // "unknown"')
+
+  case "$DECISION" in
+    allow)
+      exit 0
+      ;;
+    deny)
+      echo "BLOCKED: $REASON" >&2
+      echo "Command was: $COMMAND" >&2
+      exit 2
+      ;;
+    ask)
+      echo "WARNING: $REASON" >&2
+      echo "Command was: $COMMAND" >&2
+      exit 1
+      ;;
+  esac
+fi
+
+# --- Fallback: bash pattern matching (less precise, no heredoc/quote awareness) ---
+
 DANGEROUS_PATTERNS=(
   # Destructive file operations
   'rm -rf /'
@@ -96,7 +143,6 @@ for pattern in "${DANGEROUS_PATTERNS[@]}"; do
     # Allow git rebase/cherry-pick only when no worktrees are active
     if [[ "$pattern" == *"git rebase"* ]] || [[ "$pattern" == *"git cherry-pick"* ]]; then
       PROJECT_DIR="${CLAUDE_PROJECT_DIR:-.}"
-      # Resolve to main repo root if we're in a worktree
       if command -v git >/dev/null 2>&1; then
         GIT_COMMON=$(cd "$PROJECT_DIR" && git rev-parse --git-common-dir 2>/dev/null || echo "")
         if [[ -n "$GIT_COMMON" ]] && [[ "$GIT_COMMON" != ".git" ]]; then
@@ -116,7 +162,6 @@ for pattern in "${DANGEROUS_PATTERNS[@]}"; do
           } catch(e) { console.log(0); }
         " 2>/dev/null || echo "0")
         if [[ "$ACTIVE_COUNT" -gt 0 ]]; then
-          # Extract the specific git subcommand for the message
           GIT_SUBCMD="git operation"
           [[ "$pattern" == *"git rebase"* ]] && GIT_SUBCMD="git rebase"
           [[ "$pattern" == *"git cherry-pick"* ]] && GIT_SUBCMD="git cherry-pick"
@@ -126,7 +171,6 @@ for pattern in "${DANGEROUS_PATTERNS[@]}"; do
           exit 2
         fi
       fi
-      # No active worktrees — allow
       continue
     fi
 
@@ -142,11 +186,8 @@ for pattern in "${DANGEROUS_PATTERNS[@]}"; do
       fi
     fi
 
-    # Output to stderr for Claude to see
     echo "BLOCKED: Command matches dangerous pattern: $pattern" >&2
     echo "Command was: $COMMAND" >&2
-
-    # Exit code 2 blocks the tool and shows stderr to Claude
     exit 2
   fi
 done