@paulduvall/claude-dev-toolkit 0.0.1-alpha.19 → 0.0.1-alpha.21

package/hooks/.smellrc.example.json

@@ -0,0 +1,19 @@
+{
+  "thresholds": {
+    "max_complexity": 10,
+    "max_function_lines": 20,
+    "max_nesting_depth": 3,
+    "max_parameters": 4,
+    "max_file_lines": 300,
+    "duplicate_min_lines": 4
+  },
+  "security": {
+    "enabled": true,
+    "trojan_enabled": true
+  },
+  "suppress_files": [
+    "tests/**",
+    "*_test.py",
+    "*.generated.*"
+  ]
+}

package/hooks/check-commit-signing.py

@@ -0,0 +1,127 @@
+#!/usr/bin/env python3
+"""PreToolUse hook: verify GPG/SSH commit signing before git commit.
+
+Reads a PreToolUse JSON event from stdin. If the Bash command is a
+git commit, verifies that commit signing is configured. Blocks with
+remediation instructions if not.
+"""
+
+from __future__ import annotations
+
+import json
+import re
+import subprocess
+import sys
+
+_GIT_COMMIT_RE = re.compile(r"\bgit\s+commit\b")
+
+
+def _is_git_commit(command: str) -> bool:
+    """Return True if command contains a git commit invocation."""
+    return bool(_GIT_COMMIT_RE.search(command))
+
+
+def _git_config(key: str) -> str:
+    """Read a git config value, returning empty string on failure."""
+    try:
+        result = subprocess.run(
+            ["git", "config", "--get", key],
+            capture_output=True, text=True, timeout=5,
+        )
+        return result.stdout.strip()
+    except (subprocess.SubprocessError, OSError):
+        return ""
+
+
+def _check_gpg_signing() -> str | None:
+    """Verify GPG signing config. Return error message or None."""
+    gpg_format = _git_config("gpg.format")
+    if gpg_format == "ssh":
+        return _check_ssh_signing()
+    program = _git_config("gpg.program")
+    if not program:
+        return "gpg.program is not configured"
+    return None
+
+
+def _check_ssh_signing() -> str | None:
+    """Verify SSH signing config. Return error message or None."""
+    allowed = _git_config("gpg.ssh.allowedSignersFile")
+    if not allowed:
+        return "gpg.ssh.allowedSignersFile is not configured"
+    return None
+
+
+_REMEDIATION_TEMPLATE = """\
+Commit signing is not properly configured: {error}
+
+IMPORTANT: Ask the user which option they prefer before proceeding.
+
+**Option 1 -- GPG signing** (traditional, widely supported):
+```
+git config --global commit.gpgsign true
+git config --global gpg.program gpg
+```
+Requires: GPG installed, a GPG key generated (`gpg --gen-key`)
+
+**Option 2 -- SSH signing** (simpler, uses existing SSH keys):
+
+Step 1 -- Generate an SSH key (skip if ~/.ssh/id_ed25519.pub exists):
+```
+ssh-keygen -t ed25519 -C "your_email@example.com"
+```
+
+Step 2 -- Configure git to use SSH signing:
+```
+git config --global commit.gpgsign true
+git config --global gpg.format ssh
+git config --global user.signingkey ~/.ssh/id_ed25519.pub
+```
+
+Step 3 -- Create the allowed signers file:
+```
+echo "$(git config --get user.email) namespaces=\\"git\\" $(cat ~/.ssh/id_ed25519.pub)" > ~/.ssh/allowed_signers
+git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
+```
+
+Step 4 -- Add the key to GitHub as a **signing key**:
+```
+gh ssh-key add ~/.ssh/id_ed25519.pub --type signing
+```
+(Or manually: GitHub -> Settings -> SSH and GPG keys -> New SSH key -> \
+Key type: **Signing Key**)
+
+Ask the user: "Commit signing isn't configured. Would you like me to \
+set it up for you? I can configure GPG or SSH signing -- which do you \
+prefer?" Then run the commands for their chosen option.\
+"""
+
+
+def _build_remediation(error: str) -> str:
+    """Build a user-friendly remediation message."""
+    return _REMEDIATION_TEMPLATE.format(error=error)
+
+
+def main() -> None:
+    """Entry point: check commit signing config before git commit."""
+    try:
+        event = json.load(sys.stdin)
+    except (json.JSONDecodeError, EOFError):
+        sys.exit(0)
+    command = event.get("tool_input", {}).get("command", "")
+    if not _is_git_commit(command):
+        sys.exit(0)
+    gpgsign = _git_config("commit.gpgsign")
+    if gpgsign != "true":
+        reason = _build_remediation("commit.gpgsign is not enabled")
+        print(json.dumps({"decision": "block", "reason": reason}))
+        sys.exit(0)
+    error = _check_gpg_signing()
+    if error:
+        reason = _build_remediation(error)
+        print(json.dumps({"decision": "block", "reason": reason}))
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

package/hooks/check-complexity.py

@@ -0,0 +1,38 @@
+#!/usr/bin/env python3
+"""PostToolUse hook: detect common code smells in modified files.
+
+Delegates all analysis to smell_checks module. Reads the PostToolUse
+JSON event from stdin, checks the written file, and emits a blocking
+result when violations are found.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import sys
+
+# Allow importing sibling module from the same directory.
+sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
+
+from smell_checks import check_file, format_violations  # noqa: E402
+
+
+def main() -> None:
+    """Entry point: read PostToolUse event, check file, emit result."""
+    try:
+        event = json.load(sys.stdin)
+    except (json.JSONDecodeError, EOFError):
+        sys.exit(0)
+    file_path = event.get("tool_input", {}).get("file_path", "")
+    if not file_path or not os.path.isfile(file_path):
+        sys.exit(0)
+    smells = check_file(file_path)
+    if smells:
+        reason = format_violations(file_path, smells)
+        print(json.dumps({"decision": "block", "reason": reason}))
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

package/hooks/check-security.py

@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+"""PostToolUse hook: detect security violations in modified files.
+
+Delegates analysis to security_checks module. Reads the PostToolUse
+JSON event from stdin, checks the written file, and emits a blocking
+result when violations are found.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import sys
+
+sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
+
+from security_checks import check_security, format_security_violations  # noqa: E402
+
+
+def main() -> None:
+    """Entry point: read PostToolUse event, check file, emit result."""
+    try:
+        event = json.load(sys.stdin)
+    except (json.JSONDecodeError, EOFError):
+        sys.exit(0)
+    file_path = event.get("tool_input", {}).get("file_path", "")
+    if not file_path or not os.path.isfile(file_path):
+        sys.exit(0)
+    smells = check_security(file_path)
+    if smells:
+        reason = format_security_violations(file_path, smells)
+        print(json.dumps({"decision": "block", "reason": reason}))
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

package/hooks/claude-wrapper.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# claude-wrapper.sh - Shell wrapper for claude that manages iTerm2 tab colors
+#
+# Source this file in ~/.zshrc:
+#   source ~/Code/claude-code/hooks/claude-wrapper.sh
+#
+# Sets gray tab color on launch, red on non-zero exit, then resets.
+# Mid-session colors (blue=working, green=done) are handled by Claude Code hooks.
+# See ~/.claude/settings.json and tab-color.sh
+
+CCDK_HOOKS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" && pwd)"
+
+claude() {
+  # Set initial tab color to gray (idle, no prompt running yet)
+  "$CCDK_HOOKS_DIR/tab-color.sh" gray < /dev/null
+
+  # Pass all args through to the real claude binary
+  command claude "$@"
+  local exit_code=$?
+
+  if [ $exit_code -ne 0 ]; then
+    "$CCDK_HOOKS_DIR/tab-color.sh" red < /dev/null
+  fi
+
+  # Reset tab color to default
+  "$CCDK_HOOKS_DIR/tab-color.sh" reset < /dev/null
+
+  return $exit_code
+}

package/hooks/config.py

@@ -0,0 +1,110 @@
+"""Per-project configuration loader for code smell and security hooks.
+
+Searches for .smellrc.json walking up from the target file's directory.
+Falls back to defaults matching the hardcoded thresholds in smell_types.
+"""
+
+from __future__ import annotations
+
+import fnmatch
+import json
+import os
+from dataclasses import dataclass, field
+from functools import lru_cache
+
+
+@dataclass(frozen=True)
+class Config:
+    """Immutable configuration for all hooks."""
+
+    max_complexity: int = 10
+    max_function_lines: int = 20
+    max_nesting_depth: int = 3
+    max_parameters: int = 4
+    max_file_lines: int = 300
+    duplicate_min_lines: int = 4
+    security_enabled: bool = True
+    trojan_enabled: bool = True
+    suppress_files: tuple[str, ...] = ()
+
+
+DEFAULT_CONFIG = Config()
+
+
+def _find_config_file(start_dir: str) -> str | None:
+    """Walk up from start_dir looking for .smellrc.json."""
+    current = os.path.abspath(start_dir)
+    root = os.path.dirname(current)
+    while current != root:
+        candidate = os.path.join(current, ".smellrc.json")
+        if os.path.isfile(candidate):
+            return candidate
+        root = current
+        current = os.path.dirname(current)
+    return None
+
+
+def _parse_config(path: str) -> Config:
+    """Parse a .smellrc.json file into a Config object."""
+    with open(path, "r", encoding="utf-8") as fh:
+        raw = json.load(fh)
+    thresholds = raw.get("thresholds", {})
+    security = raw.get("security", {})
+    suppress = raw.get("suppress_files", [])
+    return Config(
+        max_complexity=thresholds.get("max_complexity", DEFAULT_CONFIG.max_complexity),
+        max_function_lines=thresholds.get("max_function_lines", DEFAULT_CONFIG.max_function_lines),
+        max_nesting_depth=thresholds.get("max_nesting_depth", DEFAULT_CONFIG.max_nesting_depth),
+        max_parameters=thresholds.get("max_parameters", DEFAULT_CONFIG.max_parameters),
+        max_file_lines=thresholds.get("max_file_lines", DEFAULT_CONFIG.max_file_lines),
+        duplicate_min_lines=thresholds.get("duplicate_min_lines", DEFAULT_CONFIG.duplicate_min_lines),
+        security_enabled=security.get("enabled", DEFAULT_CONFIG.security_enabled),
+        trojan_enabled=security.get("trojan_enabled", DEFAULT_CONFIG.trojan_enabled),
+        suppress_files=tuple(suppress),
+    )
+
+
+@lru_cache(maxsize=32)
+def _cached_load(config_path: str) -> Config:
+    """Load and cache a config file by its resolved path."""
+    return _parse_config(config_path)
+
+
+def load_config(file_path: str) -> Config:
+    """Load config for a given source file.
+
+    Args:
+        file_path: Path to the source file being checked.
+
+    Returns:
+        Config from nearest .smellrc.json, or DEFAULT_CONFIG.
+    """
+    start = os.path.dirname(os.path.abspath(file_path))
+    config_path = _find_config_file(start)
+    if config_path is None:
+        return DEFAULT_CONFIG
+    try:
+        return _cached_load(config_path)
+    except (json.JSONDecodeError, OSError, KeyError, TypeError):
+        return DEFAULT_CONFIG
+
+
+def is_file_suppressed(file_path: str, config: Config) -> bool:
+    """Check if a file matches any suppress_files glob patterns.
+
+    Args:
+        file_path: Path to check against suppression globs.
+        config: Config with suppress_files patterns.
+
+    Returns:
+        True if the file should be skipped.
+    """
+    if not config.suppress_files:
+        return False
+    basename = os.path.basename(file_path)
+    for pattern in config.suppress_files:
+        if fnmatch.fnmatch(basename, pattern):
+            return True
+        if fnmatch.fnmatch(file_path, pattern):
+            return True
+    return False

package/hooks/security_bandit.py

@@ -0,0 +1,177 @@
+"""Python AST-based security checks inspired by Bandit.
+
+Detects common security anti-patterns without external dependencies:
+B101 (assert), B102 (exec/eval), B105/B106 (hardcoded passwords),
+B110 (try-except-pass), B301 (pickle), B602 (subprocess shell=True).
+"""
+
+from __future__ import annotations
+
+import ast
+import os
+
+from smell_types import FIXES, Smell
+
+# ---------------------------------------------------------------------------
+# Individual check functions
+# ---------------------------------------------------------------------------
+
+_PASSWORD_NAMES = frozenset((
+    "password", "passwd", "pwd", "secret", "token", "api_key",
+))
+
+
+def _is_test_file(file_path: str) -> bool:
+    """Return True if file looks like a test file."""
+    base = os.path.basename(file_path)
+    return base.startswith("test_") or base.endswith("_test.py")
+
+
+def _check_assert(node: ast.Assert, file_path: str) -> Smell | None:
+    """B101: assert used outside test files."""
+    if _is_test_file(file_path):
+        return None
+    return Smell(
+        "B101", "assert", node.lineno,
+        "assert used in non-test code",
+        FIXES["B101"],
+    )
+
+
+def _check_exec_eval(node: ast.Call) -> Smell | None:
+    """B102: exec() or eval() call detected."""
+    func = node.func
+    if isinstance(func, ast.Name) and func.id in ("exec", "eval"):
+        return Smell(
+            "B102", func.id, node.lineno,
+            f"{func.id}() call detected",
+            FIXES["B102"],
+        )
+    return None
+
+
+def _check_hardcoded_password(node: ast.Assign) -> Smell | None:
+    """B105/B106: hardcoded string assigned to password-like variable."""
+    if not isinstance(node.value, ast.Constant):
+        return None
+    if not isinstance(node.value.value, str):
+        return None
+    if not node.value.value or len(node.value.value) < 2:
+        return None
+    for target in node.targets:
+        name = _extract_name(target)
+        if name and name.lower() in _PASSWORD_NAMES:
+            return Smell(
+                "B105", name, node.lineno,
+                f"hardcoded value assigned to '{name}'",
+                FIXES["B105"],
+            )
+    return None
+
+
+def _extract_name(node: ast.AST) -> str | None:
+    """Extract variable name from an assignment target."""
+    if isinstance(node, ast.Name):
+        return node.id
+    if isinstance(node, ast.Attribute):
+        return node.attr
+    return None
+
+
+def _check_except_pass(node: ast.ExceptHandler) -> Smell | None:
+    """B110: except block that only contains pass."""
+    if len(node.body) == 1 and isinstance(node.body[0], ast.Pass):
+        return Smell(
+            "B110", "except-pass", node.lineno,
+            "except block silently passes",
+            FIXES["B110"],
+        )
+    return None
+
+
+def _check_pickle(node: ast.Call) -> Smell | None:
+    """B301: pickle.loads/load call detected."""
+    func = node.func
+    if not isinstance(func, ast.Attribute):
+        return None
+    if func.attr not in ("load", "loads"):
+        return None
+    if isinstance(func.value, ast.Name) and func.value.id == "pickle":
+        return Smell(
+            "B301", "pickle", node.lineno,
+            f"pickle.{func.attr}() used on potentially untrusted data",
+            FIXES["B301"],
+        )
+    return None
+
+
+def _check_subprocess_shell(node: ast.Call) -> Smell | None:
+    """B602: subprocess call with shell=True."""
+    func = node.func
+    if not isinstance(func, ast.Attribute):
+        return None
+    if func.attr not in ("call", "run", "Popen", "check_output"):
+        return None
+    if not (isinstance(func.value, ast.Name) and func.value.id == "subprocess"):
+        return None
+    for kw in node.keywords:
+        if kw.arg == "shell" and _is_true_constant(kw.value):
+            return Smell(
+                "B602", f"subprocess.{func.attr}", node.lineno,
+                "subprocess call with shell=True",
+                FIXES["B602"],
+            )
+    return None
+
+
+def _is_true_constant(node: ast.AST) -> bool:
+    """Return True if the node is the constant True."""
+    return isinstance(node, ast.Constant) and node.value is True
+
+
+# ---------------------------------------------------------------------------
+# Public API
+# ---------------------------------------------------------------------------
+
+def check_bandit(file_path: str, source: str) -> list[Smell]:
+    """Run AST-based security checks on Python source.
+
+    Args:
+        file_path: Path for context (test file detection).
+        source: Python source code string.
+
+    Returns:
+        List of detected security violations.
+    """
+    try:
+        tree = ast.parse(source, filename=file_path)
+    except SyntaxError:
+        return []
+    smells: list[Smell] = []
+    for node in ast.walk(tree):
+        smell = _dispatch_check(node, file_path)
+        if smell is not None:
+            smells.append(smell)
+    return smells
+
+
+def _dispatch_check(node: ast.AST, file_path: str) -> Smell | None:
+    """Route an AST node to the appropriate security check."""
+    if isinstance(node, ast.Assert):
+        return _check_assert(node, file_path)
+    if isinstance(node, ast.Call):
+        return _check_call(node)
+    if isinstance(node, ast.Assign):
+        return _check_hardcoded_password(node)
+    if isinstance(node, ast.ExceptHandler):
+        return _check_except_pass(node)
+    return None
+
+
+def _check_call(node: ast.Call) -> Smell | None:
+    """Run all Call-node security checks, return first match."""
+    for checker in (_check_exec_eval, _check_pickle, _check_subprocess_shell):
+        result = checker(node)
+        if result is not None:
+            return result
+    return None

package/hooks/security_checks.py

@@ -0,0 +1,97 @@
+"""Security check orchestrator -- runs secrets, bandit, and trojan checks.
+
+Reads a source file, runs applicable security checks, and returns
+Smell objects for any violations. Respects per-project config.
+"""
+
+from __future__ import annotations
+
+import os
+
+from config import Config, load_config, is_file_suppressed
+from security_bandit import check_bandit
+from security_secrets import check_secrets
+from security_trojan import check_trojan
+from smell_types import Smell
+from suppression import filter_suppressed
+
+PYTHON_EXTS = frozenset((".py",))
+ALL_EXTS = frozenset((
+    ".py", ".js", ".jsx", ".ts", ".tsx", ".java", ".go",
+    ".rs", ".c", ".cpp", ".cs", ".rb", ".sh", ".yaml", ".yml",
+    ".json", ".toml", ".env", ".cfg", ".ini", ".conf",
+))
+SKIP_DIRS = frozenset((
+    "node_modules", "__pycache__", ".git", "dist", "build", ".next",
+))
+
+
+def _should_skip(file_path: str) -> bool:
+    """Return True for paths in ignored directories."""
+    parts = set(file_path.replace("\\", "/").split("/"))
+    return bool(SKIP_DIRS & parts)
+
+
+def _read_source(file_path: str) -> str | None:
+    """Read file contents, returning None on failure."""
+    try:
+        with open(file_path, "r", encoding="utf-8", errors="replace") as fh:
+            return fh.read()
+    except OSError:
+        return None
+
+
+def _run_checks(file_path: str, source: str, config: Config) -> list[Smell]:
+    """Run applicable security checks on file contents."""
+    lines = source.splitlines()
+    smells = _collect_violations(file_path, source, lines, config)
+    return filter_suppressed(smells, lines, "security")
+
+
+def _collect_violations(
+    file_path: str, source: str, lines: list[str], config: Config,
+) -> list[Smell]:
+    """Gather raw violations before suppression filtering."""
+    smells: list[Smell] = []
+    if config.security_enabled:
+        smells.extend(check_secrets(lines))
+    ext = os.path.splitext(file_path)[1]
+    if ext in PYTHON_EXTS and config.security_enabled:
+        smells.extend(check_bandit(file_path, source))
+    if config.trojan_enabled:
+        smells.extend(check_trojan(lines))
+    return smells
+
+
+def _is_excluded(file_path: str, ext: str, config: Config) -> bool:
+    """Return True if file should be excluded from security checks."""
+    if ext not in ALL_EXTS or _should_skip(file_path):
+        return True
+    return is_file_suppressed(file_path, config)
+
+
+def check_security(file_path: str, config: Config | None = None) -> list[Smell]:
+    """Run all security checks on a single file."""
+    if config is None:
+        config = load_config(file_path)
+    ext = os.path.splitext(file_path)[1]
+    if _is_excluded(file_path, ext, config):
+        return []
+    source = _read_source(file_path)
+    if source is None:
+        return []
+    return _run_checks(file_path, source, config)
+
+
+def format_security_violations(file_path: str, smells: list[Smell]) -> str:
+    """Build the feedback message for security violations."""
+    header = f"\nSECURITY VIOLATIONS in {file_path}:"
+    details = []
+    for s in smells:
+        tag = s.kind.upper().replace("_", " ")
+        details.append(f"  [{tag}] {s.name} line {s.line}: {s.detail}")
+    fixes = ["\nFix these security issues before moving on:"]
+    for fix in dict.fromkeys(s.fix for s in smells):
+        fixes.append(f"  - {fix}")
+    fixes.append("Then notify the user what you fixed and why.")
+    return "\n".join([header, *details, *fixes])