@paulduvall/claude-dev-toolkit 0.0.1-alpha.2 → 0.0.1-alpha.21

package/hooks/check-commit-signing.py

@@ -0,0 +1,127 @@
+#!/usr/bin/env python3
+"""PreToolUse hook: verify GPG/SSH commit signing before git commit.
+
+Reads a PreToolUse JSON event from stdin. If the Bash command is a
+git commit, verifies that commit signing is configured. Blocks with
+remediation instructions if not.
+"""
+
+from __future__ import annotations
+
+import json
+import re
+import subprocess
+import sys
+
+_GIT_COMMIT_RE = re.compile(r"\bgit\s+commit\b")
+
+
+def _is_git_commit(command: str) -> bool:
+    """Return True if command contains a git commit invocation."""
+    return bool(_GIT_COMMIT_RE.search(command))
+
+
+def _git_config(key: str) -> str:
+    """Read a git config value, returning empty string on failure."""
+    try:
+        result = subprocess.run(
+            ["git", "config", "--get", key],
+            capture_output=True, text=True, timeout=5,
+        )
+        return result.stdout.strip()
+    except (subprocess.SubprocessError, OSError):
+        return ""
+
+
+def _check_gpg_signing() -> str | None:
+    """Verify GPG signing config. Return error message or None."""
+    gpg_format = _git_config("gpg.format")
+    if gpg_format == "ssh":
+        return _check_ssh_signing()
+    program = _git_config("gpg.program")
+    if not program:
+        return "gpg.program is not configured"
+    return None
+
+
+def _check_ssh_signing() -> str | None:
+    """Verify SSH signing config. Return error message or None."""
+    allowed = _git_config("gpg.ssh.allowedSignersFile")
+    if not allowed:
+        return "gpg.ssh.allowedSignersFile is not configured"
+    return None
+
+
+_REMEDIATION_TEMPLATE = """\
+Commit signing is not properly configured: {error}
+
+IMPORTANT: Ask the user which option they prefer before proceeding.
+
+**Option 1 -- GPG signing** (traditional, widely supported):
+```
+git config --global commit.gpgsign true
+git config --global gpg.program gpg
+```
+Requires: GPG installed, a GPG key generated (`gpg --gen-key`)
+
+**Option 2 -- SSH signing** (simpler, uses existing SSH keys):
+
+Step 1 -- Generate an SSH key (skip if ~/.ssh/id_ed25519.pub exists):
+```
+ssh-keygen -t ed25519 -C "your_email@example.com"
+```
+
+Step 2 -- Configure git to use SSH signing:
+```
+git config --global commit.gpgsign true
+git config --global gpg.format ssh
+git config --global user.signingkey ~/.ssh/id_ed25519.pub
+```
+
+Step 3 -- Create the allowed signers file:
+```
+echo "$(git config --get user.email) namespaces=\\"git\\" $(cat ~/.ssh/id_ed25519.pub)" > ~/.ssh/allowed_signers
+git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
+```
+
+Step 4 -- Add the key to GitHub as a **signing key**:
+```
+gh ssh-key add ~/.ssh/id_ed25519.pub --type signing
+```
+(Or manually: GitHub -> Settings -> SSH and GPG keys -> New SSH key -> \
+Key type: **Signing Key**)
+
+Ask the user: "Commit signing isn't configured. Would you like me to \
+set it up for you? I can configure GPG or SSH signing -- which do you \
+prefer?" Then run the commands for their chosen option.\
+"""
+
+
+def _build_remediation(error: str) -> str:
+    """Build a user-friendly remediation message."""
+    return _REMEDIATION_TEMPLATE.format(error=error)
+
+
+def main() -> None:
+    """Entry point: check commit signing config before git commit."""
+    try:
+        event = json.load(sys.stdin)
+    except (json.JSONDecodeError, EOFError):
+        sys.exit(0)
+    command = event.get("tool_input", {}).get("command", "")
+    if not _is_git_commit(command):
+        sys.exit(0)
+    gpgsign = _git_config("commit.gpgsign")
+    if gpgsign != "true":
+        reason = _build_remediation("commit.gpgsign is not enabled")
+        print(json.dumps({"decision": "block", "reason": reason}))
+        sys.exit(0)
+    error = _check_gpg_signing()
+    if error:
+        reason = _build_remediation(error)
+        print(json.dumps({"decision": "block", "reason": reason}))
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

package/hooks/check-complexity.py

@@ -0,0 +1,38 @@
+#!/usr/bin/env python3
+"""PostToolUse hook: detect common code smells in modified files.
+
+Delegates all analysis to smell_checks module. Reads the PostToolUse
+JSON event from stdin, checks the written file, and emits a blocking
+result when violations are found.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import sys
+
+# Allow importing sibling module from the same directory.
+sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
+
+from smell_checks import check_file, format_violations  # noqa: E402
+
+
+def main() -> None:
+    """Entry point: read PostToolUse event, check file, emit result."""
+    try:
+        event = json.load(sys.stdin)
+    except (json.JSONDecodeError, EOFError):
+        sys.exit(0)
+    file_path = event.get("tool_input", {}).get("file_path", "")
+    if not file_path or not os.path.isfile(file_path):
+        sys.exit(0)
+    smells = check_file(file_path)
+    if smells:
+        reason = format_violations(file_path, smells)
+        print(json.dumps({"decision": "block", "reason": reason}))
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

package/hooks/check-security.py

@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+"""PostToolUse hook: detect security violations in modified files.
+
+Delegates analysis to security_checks module. Reads the PostToolUse
+JSON event from stdin, checks the written file, and emits a blocking
+result when violations are found.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import sys
+
+sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
+
+from security_checks import check_security, format_security_violations  # noqa: E402
+
+
+def main() -> None:
+    """Entry point: read PostToolUse event, check file, emit result."""
+    try:
+        event = json.load(sys.stdin)
+    except (json.JSONDecodeError, EOFError):
+        sys.exit(0)
+    file_path = event.get("tool_input", {}).get("file_path", "")
+    if not file_path or not os.path.isfile(file_path):
+        sys.exit(0)
+    smells = check_security(file_path)
+    if smells:
+        reason = format_security_violations(file_path, smells)
+        print(json.dumps({"decision": "block", "reason": reason}))
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

package/hooks/claude-wrapper.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# claude-wrapper.sh - Shell wrapper for claude that manages iTerm2 tab colors
+#
+# Source this file in ~/.zshrc:
+#   source ~/Code/claude-code/hooks/claude-wrapper.sh
+#
+# Sets gray tab color on launch, red on non-zero exit, then resets.
+# Mid-session colors (blue=working, green=done) are handled by Claude Code hooks.
+# See ~/.claude/settings.json and tab-color.sh
+
+CCDK_HOOKS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" && pwd)"
+
+claude() {
+  # Set initial tab color to gray (idle, no prompt running yet)
+  "$CCDK_HOOKS_DIR/tab-color.sh" gray < /dev/null
+
+  # Pass all args through to the real claude binary
+  command claude "$@"
+  local exit_code=$?
+
+  if [ $exit_code -ne 0 ]; then
+    "$CCDK_HOOKS_DIR/tab-color.sh" red < /dev/null
+  fi
+
+  # Reset tab color to default
+  "$CCDK_HOOKS_DIR/tab-color.sh" reset < /dev/null
+
+  return $exit_code
+}

package/hooks/config.py

@@ -0,0 +1,110 @@
+"""Per-project configuration loader for code smell and security hooks.
+
+Searches for .smellrc.json walking up from the target file's directory.
+Falls back to defaults matching the hardcoded thresholds in smell_types.
+"""
+
+from __future__ import annotations
+
+import fnmatch
+import json
+import os
+from dataclasses import dataclass, field
+from functools import lru_cache
+
+
+@dataclass(frozen=True)
+class Config:
+    """Immutable configuration for all hooks."""
+
+    max_complexity: int = 10
+    max_function_lines: int = 20
+    max_nesting_depth: int = 3
+    max_parameters: int = 4
+    max_file_lines: int = 300
+    duplicate_min_lines: int = 4
+    security_enabled: bool = True
+    trojan_enabled: bool = True
+    suppress_files: tuple[str, ...] = ()
+
+
+DEFAULT_CONFIG = Config()
+
+
+def _find_config_file(start_dir: str) -> str | None:
+    """Walk up from start_dir looking for .smellrc.json."""
+    current = os.path.abspath(start_dir)
+    root = os.path.dirname(current)
+    while current != root:
+        candidate = os.path.join(current, ".smellrc.json")
+        if os.path.isfile(candidate):
+            return candidate
+        root = current
+        current = os.path.dirname(current)
+    return None
+
+
+def _parse_config(path: str) -> Config:
+    """Parse a .smellrc.json file into a Config object."""
+    with open(path, "r", encoding="utf-8") as fh:
+        raw = json.load(fh)
+    thresholds = raw.get("thresholds", {})
+    security = raw.get("security", {})
+    suppress = raw.get("suppress_files", [])
+    return Config(
+        max_complexity=thresholds.get("max_complexity", DEFAULT_CONFIG.max_complexity),
+        max_function_lines=thresholds.get("max_function_lines", DEFAULT_CONFIG.max_function_lines),
+        max_nesting_depth=thresholds.get("max_nesting_depth", DEFAULT_CONFIG.max_nesting_depth),
+        max_parameters=thresholds.get("max_parameters", DEFAULT_CONFIG.max_parameters),
+        max_file_lines=thresholds.get("max_file_lines", DEFAULT_CONFIG.max_file_lines),
+        duplicate_min_lines=thresholds.get("duplicate_min_lines", DEFAULT_CONFIG.duplicate_min_lines),
+        security_enabled=security.get("enabled", DEFAULT_CONFIG.security_enabled),
+        trojan_enabled=security.get("trojan_enabled", DEFAULT_CONFIG.trojan_enabled),
+        suppress_files=tuple(suppress),
+    )
+
+
+@lru_cache(maxsize=32)
+def _cached_load(config_path: str) -> Config:
+    """Load and cache a config file by its resolved path."""
+    return _parse_config(config_path)
+
+
+def load_config(file_path: str) -> Config:
+    """Load config for a given source file.
+
+    Args:
+        file_path: Path to the source file being checked.
+
+    Returns:
+        Config from nearest .smellrc.json, or DEFAULT_CONFIG.
+    """
+    start = os.path.dirname(os.path.abspath(file_path))
+    config_path = _find_config_file(start)
+    if config_path is None:
+        return DEFAULT_CONFIG
+    try:
+        return _cached_load(config_path)
+    except (json.JSONDecodeError, OSError, KeyError, TypeError):
+        return DEFAULT_CONFIG
+
+
+def is_file_suppressed(file_path: str, config: Config) -> bool:
+    """Check if a file matches any suppress_files glob patterns.
+
+    Args:
+        file_path: Path to check against suppression globs.
+        config: Config with suppress_files patterns.
+
+    Returns:
+        True if the file should be skipped.
+    """
+    if not config.suppress_files:
+        return False
+    basename = os.path.basename(file_path)
+    for pattern in config.suppress_files:
+        if fnmatch.fnmatch(basename, pattern):
+            return True
+        if fnmatch.fnmatch(file_path, pattern):
+            return True
+    return False

package/hooks/file-logger.sh

@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Claude Code Hook: File Logger
+# 
+# Purpose: Simple demonstration of hook functionality
+# Trigger: PreToolUse for Edit, Write, MultiEdit tools
+# Blocking: No - just logs activity
+#
+# This hook demonstrates basic hook functionality by logging file operations
+
+
+##################################
+# Configuration
+##################################
+HOOK_NAME="file-logger"
+LOG_FILE="$HOME/.claude/logs/file-logger.log"
+
+# Ensure log directory exists with secure permissions
+mkdir -p "$(dirname "$LOG_FILE")"
+chmod 700 "$(dirname "$LOG_FILE")"
+
+# Create log file with restrictive permissions if it doesn't exist
+touch "$LOG_FILE"
+chmod 600 "$LOG_FILE"
+
+##################################
+# Logging Functions
+##################################
+log() {
+    echo "[$(date +'%Y-%m-%d %H:%M:%S')] [$HOOK_NAME] $*" | tee -a "$LOG_FILE"
+}
+
+##################################
+# Dependency Validation
+##################################
+validate_hook_dependencies() {
+    local deps=("wc" "file")
+    local missing=()
+    
+    for dep in "${deps[@]}"; do
+        if ! command -v "$dep" &> /dev/null; then
+            missing+=("$dep")
+        fi
+    done
+    
+    if [[ ${#missing[@]} -gt 0 ]]; then
+        log "ERROR: Missing required dependencies: ${missing[*]}"
+        echo "Install missing tools and retry"
+        exit 1
+    fi
+}
+
+##################################
+# Main Hook Logic
+##################################
+main() {
+    # Validate dependencies first
+    validate_hook_dependencies
+    local tool_name="${CLAUDE_TOOL:-unknown}"
+    local file_path="${CLAUDE_FILE:-unknown}"
+    
+    log "Hook triggered!"
+    log "Tool: $tool_name"
+    log "File: $file_path"
+    
+    # Only process file modification tools
+    case "$tool_name" in
+        "Edit"|"Write"|"MultiEdit")
+            log "Processing file modification tool: $tool_name"
+            ;;
+        *)
+            log "Skipping non-file tool: $tool_name"
+            exit 0
+            ;;
+    esac
+    
+    # Get basic file info if file exists
+    if [[ -n "$file_path" ]] && [[ "$file_path" != "unknown" ]] && [[ -f "$file_path" ]]; then
+        local file_size
+        file_size=$(wc -c < "$file_path" 2>/dev/null || echo "0")
+        local file_lines
+        file_lines=$(wc -l < "$file_path" 2>/dev/null || echo "0")
+        
+        log "File size: $file_size bytes"
+        log "File lines: $file_lines"
+        log "File type: $(file -b "$file_path" 2>/dev/null || echo "unknown")"
+    else
+        log "File does not exist yet or path unknown"
+    fi
+    
+    # Always allow the operation to proceed
+    log "Operation allowed - no blocking behavior"
+    exit 0
+}
+
+##################################
+# Execute Main Function
+##################################
+main "$@"