@rigour-labs/core 3.0.0 → 3.0.1

package/dist/gates/security-patterns-owasp.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/gates/security-patterns-owasp.test.js

@@ -0,0 +1,171 @@
+/**
+ * Tests for OWASP-aligned security patterns added in v3.0.0.
+ * Covers: ReDoS, overly permissive code, unsafe output, missing input validation.
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { SecurityPatternsGate, checkSecurityPatterns } from './security-patterns.js';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+describe('SecurityPatternsGate — OWASP extended patterns', () => {
+    let testDir;
+    beforeEach(() => {
+        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'owasp-test-'));
+    });
+    afterEach(() => {
+        fs.rmSync(testDir, { recursive: true, force: true });
+    });
+    describe('ReDoS detection (OWASP #7)', () => {
+        it('should detect dynamic regex from user input', async () => {
+            const filePath = path.join(testDir, 'search.ts');
+            fs.writeFileSync(filePath, `
+                const pattern = new RegExp(req.query.search);
+                const matches = text.match(pattern);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'redos')).toBe(true);
+        });
+        it('should detect nested quantifiers', async () => {
+            const filePath = path.join(testDir, 'regex.ts');
+            fs.writeFileSync(filePath, `
+                const re = /(?:a+)+b/;
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'redos')).toBe(true);
+        });
+        it('should allow safe regex patterns', async () => {
+            const filePath = path.join(testDir, 'safe-regex.ts');
+            fs.writeFileSync(filePath, `
+                const re = /^[a-z]+$/;
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.filter(v => v.type === 'redos')).toHaveLength(0);
+        });
+    });
+    describe('Overly Permissive Code (OWASP #9)', () => {
+        it('should detect CORS wildcard origin', async () => {
+            const filePath = path.join(testDir, 'server.ts');
+            fs.writeFileSync(filePath, `
+                import cors from 'cors';
+                app.use(cors({ origin: '*' }));
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'overly_permissive')).toBe(true);
+        });
+        it('should detect CORS origin true', async () => {
+            const filePath = path.join(testDir, 'server2.ts');
+            fs.writeFileSync(filePath, `
+                app.use(cors({ origin: true }));
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'overly_permissive')).toBe(true);
+        });
+        it('should detect 0.0.0.0 binding', async () => {
+            const filePath = path.join(testDir, 'listen.ts');
+            fs.writeFileSync(filePath, `
+                app.listen(3000, '0.0.0.0');
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'overly_permissive')).toBe(true);
+        });
+        it('should detect chmod 777', async () => {
+            const filePath = path.join(testDir, 'perms.ts');
+            fs.writeFileSync(filePath, `
+                fs.chmod('/tmp/data', 0o777);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'overly_permissive')).toBe(true);
+        });
+        it('should detect wildcard CORS header', async () => {
+            const filePath = path.join(testDir, 'headers.ts');
+            fs.writeFileSync(filePath, `
+                res.setHeader('Access-Control-Allow-Origin', '*');
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'overly_permissive')).toBe(true);
+        });
+        it('should allow specific CORS origin', async () => {
+            const filePath = path.join(testDir, 'safe-cors.ts');
+            fs.writeFileSync(filePath, `
+                app.use(cors({ origin: 'https://myapp.com' }));
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.filter(v => v.type === 'overly_permissive')).toHaveLength(0);
+        });
+    });
+    describe('Unsafe Output Handling (OWASP #6)', () => {
+        it('should detect response reflecting user input', async () => {
+            const filePath = path.join(testDir, 'handler.ts');
+            fs.writeFileSync(filePath, `
+                app.get('/echo', (req, res) => {
+                    res.send(req.query.msg);
+                });
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'unsafe_output')).toBe(true);
+        });
+        it('should detect eval with user input', async () => {
+            const filePath = path.join(testDir, 'eval.ts');
+            fs.writeFileSync(filePath, `
+                eval(req.body.code);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'unsafe_output')).toBe(true);
+        });
+        it('should allow safe response patterns', async () => {
+            const filePath = path.join(testDir, 'safe-res.ts');
+            fs.writeFileSync(filePath, `
+                res.json({ status: 'ok', data: processedData });
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.filter(v => v.type === 'unsafe_output')).toHaveLength(0);
+        });
+    });
+    describe('Missing Input Validation (OWASP #8)', () => {
+        it('should detect JSON.parse on raw body', async () => {
+            const filePath = path.join(testDir, 'parse.ts');
+            fs.writeFileSync(filePath, `
+                const data = JSON.parse(req.body);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'missing_input_validation')).toBe(true);
+        });
+        it('should detect "as any" type assertion', async () => {
+            const filePath = path.join(testDir, 'assert.ts');
+            fs.writeFileSync(filePath, `
+                const user = payload as any;
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'missing_input_validation')).toBe(true);
+        });
+        it('should allow validated JSON parse', async () => {
+            const filePath = path.join(testDir, 'safe-parse.ts');
+            fs.writeFileSync(filePath, `
+                const data = JSON.parse(rawString);
+                const validated = schema.parse(data);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.filter(v => v.type === 'missing_input_validation')).toHaveLength(0);
+        });
+    });
+    describe('config toggles for new patterns', () => {
+        it('should disable redos when configured', async () => {
+            const gate = new SecurityPatternsGate({ enabled: true, redos: false });
+            const filePath = path.join(testDir, 'regex.ts');
+            fs.writeFileSync(filePath, `
+                const pattern = new RegExp(req.query.search);
+            `);
+            const failures = await gate.run({ cwd: testDir });
+            expect(failures.filter(f => f.title?.includes('ReDoS') || f.title?.includes('regex'))).toHaveLength(0);
+        });
+        it('should disable overly_permissive when configured', async () => {
+            const gate = new SecurityPatternsGate({ enabled: true, overly_permissive: false });
+            const filePath = path.join(testDir, 'cors.ts');
+            fs.writeFileSync(filePath, `
+                app.use(cors({ origin: '*' }));
+            `);
+            const failures = await gate.run({ cwd: testDir });
+            expect(failures.filter(f => f.title?.includes('CORS') || f.title?.includes('permissive'))).toHaveLength(0);
+        });
+    });
+});

package/dist/gates/security-patterns.d.ts

@@ -33,6 +33,10 @@ export interface SecurityPatternsConfig {
     hardcoded_secrets?: boolean;
     insecure_randomness?: boolean;
     command_injection?: boolean;
+    redos?: boolean;
+    overly_permissive?: boolean;
+    unsafe_output?: boolean;
+    missing_input_validation?: boolean;
     block_on_severity?: 'critical' | 'high' | 'medium' | 'low';
 }
 export declare class SecurityPatternsGate extends Gate {

package/dist/gates/security-patterns.js

@@ -131,6 +131,98 @@ const VULNERABILITY_PATTERNS = [
         cwe: 'CWE-78',
         languages: ['ts', 'js']
     },
+    // ReDoS — Denial of Service via regex (OWASP #7)
+    {
+        type: 'redos',
+        regex: /new RegExp\s*\([^)]*(?:req\.|params|query|body|input|user)/g,
+        severity: 'high',
+        description: 'Dynamic regex from user input — potential ReDoS',
+        cwe: 'CWE-1333',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'redos',
+        regex: /\(\?:[^)]*\+[^)]*\)\+|\([^)]*\*[^)]*\)\+|\(\.\*\)\{/g,
+        severity: 'medium',
+        description: 'Regex with nested quantifiers — potential ReDoS',
+        cwe: 'CWE-1333',
+        languages: ['ts', 'js', 'py']
+    },
+    // Overly Permissive Code (OWASP #9)
+    {
+        type: 'overly_permissive',
+        regex: /cors\s*\(\s*\{[^}]*origin\s*:\s*(?:true|['"`]\*['"`])/g,
+        severity: 'high',
+        description: 'CORS wildcard origin — allows any domain',
+        cwe: 'CWE-942',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'overly_permissive',
+        regex: /(?:listen|bind)\s*\(\s*(?:\d+\s*,\s*)?['"`]0\.0\.0\.0['"`]/g,
+        severity: 'medium',
+        description: 'Binding to 0.0.0.0 exposes service to all interfaces',
+        cwe: 'CWE-668',
+        languages: ['ts', 'js', 'py', 'go']
+    },
+    {
+        type: 'overly_permissive',
+        regex: /chmod\s*\(\s*[^,]*,\s*['"`]?(?:0o?)?777['"`]?\s*\)/g,
+        severity: 'high',
+        description: 'chmod 777 — world-readable/writable permissions',
+        cwe: 'CWE-732',
+        languages: ['ts', 'js', 'py']
+    },
+    {
+        type: 'overly_permissive',
+        regex: /(?:Access-Control-Allow-Origin|x-powered-by)['"`,\s:]+\*/gi,
+        severity: 'high',
+        description: 'Wildcard Access-Control-Allow-Origin header',
+        cwe: 'CWE-942',
+        languages: ['ts', 'js', 'py']
+    },
+    // Unsafe Output Handling (OWASP #6)
+    {
+        type: 'unsafe_output',
+        regex: /res\.(?:send|write|end)\s*\(\s*(?:req\.|params|query|body|input|user)/g,
+        severity: 'high',
+        description: 'Reflecting user input in response without sanitization',
+        cwe: 'CWE-79',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'unsafe_output',
+        regex: /\$\{[^}]*(?:req\.|params|query|body|input|user)[^}]*\}.*(?:html|template|render)/gi,
+        severity: 'high',
+        description: 'User input interpolated into template/HTML output',
+        cwe: 'CWE-79',
+        languages: ['ts', 'js', 'py']
+    },
+    {
+        type: 'unsafe_output',
+        regex: /eval\s*\(\s*(?:req\.|params|query|body|input|user)/g,
+        severity: 'critical',
+        description: 'eval() with user input — code injection',
+        cwe: 'CWE-94',
+        languages: ['ts', 'js', 'py']
+    },
+    // Missing Input Validation (OWASP #8)
+    {
+        type: 'missing_input_validation',
+        regex: /JSON\.parse\s*\(\s*(?:req\.body|request\.body|body|data|input)\s*\)/g,
+        severity: 'medium',
+        description: 'JSON.parse on raw input without schema validation',
+        cwe: 'CWE-20',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'missing_input_validation',
+        regex: /(?:as\s+any|:\s*any)\s*(?:[;,)\]}])/g,
+        severity: 'medium',
+        description: 'Type assertion to "any" bypasses type safety',
+        cwe: 'CWE-20',
+        languages: ['ts']
+    },
 ];
 export class SecurityPatternsGate extends Gate {
     config;
@@ -145,6 +237,10 @@ export class SecurityPatternsGate extends Gate {
             hardcoded_secrets: config.hardcoded_secrets ?? true,
             insecure_randomness: config.insecure_randomness ?? true,
             command_injection: config.command_injection ?? true,
+            redos: config.redos ?? true,
+            overly_permissive: config.overly_permissive ?? true,
+            unsafe_output: config.unsafe_output ?? true,
+            missing_input_validation: config.missing_input_validation ?? true,
             block_on_severity: config.block_on_severity ?? 'high',
         };
     }
@@ -178,6 +274,10 @@ export class SecurityPatternsGate extends Gate {
                 case 'hardcoded_secrets': return this.config.hardcoded_secrets;
                 case 'insecure_randomness': return this.config.insecure_randomness;
                 case 'command_injection': return this.config.command_injection;
+                case 'redos': return this.config.redos;
+                case 'overly_permissive': return this.config.overly_permissive;
+                case 'unsafe_output': return this.config.unsafe_output;
+                case 'missing_input_validation': return this.config.missing_input_validation;
                 default: return true;
             }
         });

package/dist/hooks/checker.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Lightweight per-file checker for hook integration.
+ *
+ * Runs a fast subset of Rigour gates on individual files,
+ * designed to complete in <200ms for real-time hook feedback.
+ *
+ * Used by all tool-specific hooks (Claude, Cursor, Cline, Windsurf).
+ *
+ * @since v3.0.0
+ */
+import type { HookCheckerResult } from './types.js';
+interface CheckerOptions {
+    cwd: string;
+    files: string[];
+    timeout_ms?: number;
+    block_on_failure?: boolean;
+}
+/**
+ * Run fast gates on a set of files.
+ * Returns structured JSON for hook consumers.
+ */
+export declare function runHookChecker(options: CheckerOptions): Promise<HookCheckerResult>;
+export {};

package/dist/hooks/checker.js

@@ -0,0 +1,222 @@
+/**
+ * Lightweight per-file checker for hook integration.
+ *
+ * Runs a fast subset of Rigour gates on individual files,
+ * designed to complete in <200ms for real-time hook feedback.
+ *
+ * Used by all tool-specific hooks (Claude, Cursor, Cline, Windsurf).
+ *
+ * @since v3.0.0
+ */
+import fs from 'fs-extra';
+import path from 'path';
+import yaml from 'yaml';
+import { ConfigSchema } from '../types/index.js';
+const JS_TS_PATTERN = /\.(ts|tsx|js|jsx|mts|mjs)$/;
+/**
+ * Load rigour config from cwd, falling back to defaults.
+ */
+async function loadConfig(cwd) {
+    const configPath = path.join(cwd, 'rigour.yml');
+    if (await fs.pathExists(configPath)) {
+        const raw = yaml.parse(await fs.readFile(configPath, 'utf-8'));
+        return ConfigSchema.parse(raw);
+    }
+    return ConfigSchema.parse({ version: 1 });
+}
+/**
+ * Resolve a file path to absolute, read its content, and return metadata.
+ */
+async function resolveFile(filePath, cwd) {
+    const absPath = path.isAbsolute(filePath) ? filePath : path.join(cwd, filePath);
+    if (!(await fs.pathExists(absPath))) {
+        return null;
+    }
+    const content = await fs.readFile(absPath, 'utf-8');
+    const relPath = path.relative(cwd, absPath);
+    return { absPath, relPath, content };
+}
+/**
+ * Run all fast gates on a single file's content.
+ */
+function checkFile(content, relPath, cwd, config) {
+    const failures = [];
+    const lines = content.split('\n');
+    // Gate 1: File size
+    const maxLines = config.gates.max_file_lines ?? 500;
+    if (lines.length > maxLines) {
+        failures.push({
+            gate: 'file-size',
+            file: relPath,
+            message: `File has ${lines.length} lines (max: ${maxLines})`,
+            severity: 'medium',
+        });
+    }
+    const isJsTs = JS_TS_PATTERN.test(relPath);
+    // Gate 2: Hallucinated imports (JS/TS only)
+    if (isJsTs) {
+        checkHallucinatedImports(content, relPath, cwd, failures);
+    }
+    // Gate 3: Promise safety (JS/TS only)
+    if (isJsTs) {
+        checkPromiseSafety(lines, relPath, failures);
+    }
+    // Gate 4: Security patterns (all languages)
+    checkSecurityPatterns(lines, relPath, failures);
+    return failures;
+}
+/**
+ * Run fast gates on a set of files.
+ * Returns structured JSON for hook consumers.
+ */
+export async function runHookChecker(options) {
+    const start = Date.now();
+    const { cwd, files, timeout_ms = 5000 } = options;
+    const failures = [];
+    try {
+        const config = await loadConfig(cwd);
+        const deadline = start + timeout_ms;
+        for (const filePath of files) {
+            if (Date.now() > deadline) {
+                break;
+            }
+            const resolved = await resolveFile(filePath, cwd);
+            if (!resolved) {
+                continue;
+            }
+            const fileFailures = checkFile(resolved.content, resolved.relPath, cwd, config);
+            failures.push(...fileFailures);
+        }
+        return {
+            status: failures.length > 0 ? 'fail' : 'pass',
+            failures,
+            duration_ms: Date.now() - start,
+        };
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        return {
+            status: 'error',
+            failures: [{
+                    gate: 'hook-checker',
+                    file: '',
+                    message: `Hook checker error: ${msg}`,
+                    severity: 'medium',
+                }],
+            duration_ms: Date.now() - start,
+        };
+    }
+}
+/**
+ * Check for imports of non-existent relative files.
+ */
+function checkHallucinatedImports(content, relPath, cwd, failures) {
+    const importRegex = /(?:import\s+.*\s+from\s+['"]([^'"]+)['"]|require\s*\(\s*['"]([^'"]+)['"]\s*\))/g;
+    let match;
+    while ((match = importRegex.exec(content)) !== null) {
+        const specifier = match[1] || match[2];
+        if (!specifier || !specifier.startsWith('.')) {
+            continue;
+        }
+        const dir = path.dirname(path.join(cwd, relPath));
+        const resolved = path.resolve(dir, specifier);
+        const extensions = ['', '.ts', '.tsx', '.js', '.jsx', '.mts', '.mjs', '/index.ts', '/index.js'];
+        const exists = extensions.some(ext => {
+            try {
+                return fs.existsSync(resolved + ext);
+            }
+            catch {
+                return false;
+            }
+        });
+        if (!exists) {
+            const lineNum = content.substring(0, match.index).split('\n').length;
+            failures.push({
+                gate: 'hallucinated-imports',
+                file: relPath,
+                message: `Import '${specifier}' does not resolve to an existing file`,
+                severity: 'high',
+                line: lineNum,
+            });
+        }
+    }
+}
+/**
+ * Check for common async/promise safety issues.
+ */
+function checkPromiseSafety(lines, relPath, failures) {
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        checkUnsafeJsonParse(line, lines, i, relPath, failures);
+        checkUnhandledFetch(line, lines, i, relPath, failures);
+    }
+}
+function checkUnsafeJsonParse(line, lines, i, relPath, failures) {
+    if (!/JSON\.parse\s*\(/.test(line)) {
+        return;
+    }
+    const contextStart = Math.max(0, i - 5);
+    const context = lines.slice(contextStart, i + 1).join('\n');
+    if (!/try\s*\{/.test(context)) {
+        failures.push({
+            gate: 'promise-safety',
+            file: relPath,
+            message: 'JSON.parse() without try/catch — crashes on malformed input',
+            severity: 'medium',
+            line: i + 1,
+        });
+    }
+}
+function checkUnhandledFetch(line, lines, i, relPath, failures) {
+    if (!/\bfetch\s*\(/.test(line) || /\.catch\b/.test(line) || /await/.test(line)) {
+        return;
+    }
+    const contextEnd = Math.min(lines.length, i + 3);
+    const afterContext = lines.slice(i, contextEnd).join('\n');
+    const beforeContext = lines.slice(Math.max(0, i - 5), i + 1).join('\n');
+    if (!/\.catch\b/.test(afterContext) && !/try\s*\{/.test(beforeContext)) {
+        failures.push({
+            gate: 'promise-safety',
+            file: relPath,
+            message: 'fetch() without error handling',
+            severity: 'medium',
+            line: i + 1,
+        });
+    }
+}
+/**
+ * Check for critical security patterns.
+ */
+function checkSecurityPatterns(lines, relPath, failures) {
+    const isTestFile = /\.(test|spec|example|mock)\./i.test(relPath);
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        checkHardcodedSecrets(line, i, relPath, isTestFile, failures);
+        checkCommandInjection(line, i, relPath, failures);
+    }
+}
+function checkHardcodedSecrets(line, i, relPath, isTestFile, failures) {
+    if (isTestFile) {
+        return;
+    }
+    if (/(?:api[_-]?key|secret|password|token)\s*[:=]\s*['"][A-Za-z0-9+/=]{20,}['"]/i.test(line)) {
+        failures.push({
+            gate: 'security-patterns',
+            file: relPath,
+            message: 'Possible hardcoded secret or API key',
+            severity: 'critical',
+            line: i + 1,
+        });
+    }
+}
+function checkCommandInjection(line, i, relPath, failures) {
+    if (/(?:exec|spawn|execSync|spawnSync)\s*\(.*\$\{/.test(line)) {
+        failures.push({
+            gate: 'security-patterns',
+            file: relPath,
+            message: 'Potential command injection: user input in shell command',
+            severity: 'critical',
+            line: i + 1,
+        });
+    }
+}

package/dist/hooks/checker.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/hooks/checker.test.js

@@ -0,0 +1,132 @@
+/**
+ * Tests for the hooks fast-checker module.
+ * Verifies all 4 fast gates: file-size, hallucinated-imports, promise-safety, security-patterns.
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { runHookChecker } from './checker.js';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import yaml from 'yaml';
+describe('runHookChecker', () => {
+    let testDir;
+    beforeEach(() => {
+        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'hook-checker-test-'));
+        // Write minimal rigour.yml
+        fs.writeFileSync(path.join(testDir, 'rigour.yml'), yaml.stringify({
+            version: 1,
+            gates: { max_file_lines: 50 },
+        }));
+        // Write package.json for import resolution
+        fs.writeFileSync(path.join(testDir, 'package.json'), JSON.stringify({
+            name: 'test-proj',
+            dependencies: { express: '^4.0.0' },
+        }));
+    });
+    afterEach(() => {
+        fs.rmSync(testDir, { recursive: true, force: true });
+    });
+    it('should return pass for clean files', async () => {
+        const filePath = path.join(testDir, 'clean.ts');
+        fs.writeFileSync(filePath, 'export const x = 1;\n');
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        expect(result.status).toBe('pass');
+        expect(result.failures).toHaveLength(0);
+        expect(result.duration_ms).toBeGreaterThanOrEqual(0);
+    });
+    it('should detect file size violations', async () => {
+        const filePath = path.join(testDir, 'big.ts');
+        const lines = Array.from({ length: 100 }, (_, i) => `export const v${i} = ${i};`);
+        fs.writeFileSync(filePath, lines.join('\n'));
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        expect(result.status).toBe('fail');
+        expect(result.failures.some(f => f.gate === 'file-size')).toBe(true);
+    });
+    it('should detect hardcoded secrets', async () => {
+        const filePath = path.join(testDir, 'auth.ts');
+        fs.writeFileSync(filePath, `
+            const api_key = "abcdefghijklmnopqrstuvwxyz123456";
+        `);
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        expect(result.status).toBe('fail');
+        expect(result.failures.some(f => f.gate === 'security-patterns')).toBe(true);
+    });
+    it('should detect command injection patterns', async () => {
+        const filePath = path.join(testDir, 'cmd.ts');
+        fs.writeFileSync(filePath, `
+            import { exec } from 'child_process';
+            exec(\`rm -rf \${userInput}\`);
+        `);
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        expect(result.status).toBe('fail');
+        expect(result.failures.some(f => f.gate === 'security-patterns' && f.message.includes('command injection'))).toBe(true);
+    });
+    it('should detect JSON.parse without try/catch', async () => {
+        const filePath = path.join(testDir, 'parse.ts');
+        fs.writeFileSync(filePath, `
+            const data = JSON.parse(input);
+            console.log(data);
+        `);
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        expect(result.status).toBe('fail');
+        expect(result.failures.some(f => f.gate === 'promise-safety')).toBe(true);
+    });
+    it('should skip non-existent files gracefully', async () => {
+        const result = await runHookChecker({
+            cwd: testDir,
+            files: ['/does/not/exist.ts'],
+        });
+        expect(result.status).toBe('pass');
+        expect(result.failures).toHaveLength(0);
+    });
+    it('should handle multiple files', async () => {
+        const cleanFile = path.join(testDir, 'clean.ts');
+        fs.writeFileSync(cleanFile, 'export const x = 1;\n');
+        const badFile = path.join(testDir, 'bad.ts');
+        fs.writeFileSync(badFile, `const password = "supersecretpassword123456";`);
+        const result = await runHookChecker({
+            cwd: testDir,
+            files: [cleanFile, badFile],
+        });
+        expect(result.status).toBe('fail');
+        expect(result.failures.length).toBeGreaterThan(0);
+    });
+    it('should handle missing config gracefully', async () => {
+        // Remove rigour.yml
+        fs.unlinkSync(path.join(testDir, 'rigour.yml'));
+        const filePath = path.join(testDir, 'test.ts');
+        fs.writeFileSync(filePath, 'export const x = 1;\n');
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        expect(result.status).toBe('pass');
+    });
+    it('should complete within timeout', async () => {
+        const filePath = path.join(testDir, 'test.ts');
+        fs.writeFileSync(filePath, 'export const x = 1;\n');
+        const result = await runHookChecker({
+            cwd: testDir,
+            files: [filePath],
+            timeout_ms: 5000,
+        });
+        expect(result.duration_ms).toBeLessThan(5000);
+    });
+    it('should detect hallucinated relative imports', async () => {
+        const filePath = path.join(testDir, 'app.ts');
+        fs.writeFileSync(filePath, `
+            import { helper } from './nonexistent-module';
+        `);
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        expect(result.status).toBe('fail');
+        expect(result.failures.some(f => f.gate === 'hallucinated-imports')).toBe(true);
+    });
+    it('should not flag existing relative imports', async () => {
+        const helperPath = path.join(testDir, 'helper.ts');
+        fs.writeFileSync(helperPath, 'export const help = true;\n');
+        const filePath = path.join(testDir, 'app.ts');
+        fs.writeFileSync(filePath, `
+            import { help } from './helper';
+        `);
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        const importFailures = result.failures.filter(f => f.gate === 'hallucinated-imports');
+        expect(importFailures).toHaveLength(0);
+    });
+});

package/dist/hooks/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Hooks module — multi-tool hook integration for Rigour.
+ *
+ * @since v3.0.0
+ */
+export { runHookChecker } from './checker.js';
+export { generateHookFiles } from './templates.js';
+export type { HookTool, HookConfig, HookCheckerResult } from './types.js';
+export { DEFAULT_HOOK_CONFIG, FAST_GATE_IDS } from './types.js';

package/dist/hooks/index.js

@@ -0,0 +1,8 @@
+/**
+ * Hooks module — multi-tool hook integration for Rigour.
+ *
+ * @since v3.0.0
+ */
+export { runHookChecker } from './checker.js';
+export { generateHookFiles } from './templates.js';
+export { DEFAULT_HOOK_CONFIG, FAST_GATE_IDS } from './types.js';

package/dist/hooks/standalone-checker.d.ts

@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+/**
+ * Standalone hook checker entry point.
+ *
+ * Can be invoked two ways:
+ *   1. CLI args:  node rigour-hook-checker.js --files path/to/file.ts
+ *   2. Stdin:     echo '{"file_path":"x.ts"}' | node rigour-hook-checker.js --stdin
+ *
+ * Exit codes:
+ *   0 = pass (or warn-only mode)
+ *   2 = block (fail + block_on_failure enabled)
+ *
+ * @since v3.0.0
+ */
+export {};

package/dist/hooks/standalone-checker.js

@@ -0,0 +1,106 @@
+#!/usr/bin/env node
+/**
+ * Standalone hook checker entry point.
+ *
+ * Can be invoked two ways:
+ *   1. CLI args:  node rigour-hook-checker.js --files path/to/file.ts
+ *   2. Stdin:     echo '{"file_path":"x.ts"}' | node rigour-hook-checker.js --stdin
+ *
+ * Exit codes:
+ *   0 = pass (or warn-only mode)
+ *   2 = block (fail + block_on_failure enabled)
+ *
+ * @since v3.0.0
+ */
+import { runHookChecker } from './checker.js';
+const EMPTY_RESULT = JSON.stringify({ status: 'pass', failures: [], duration_ms: 0 });
+/**
+ * Read all of stdin as a string.
+ */
+async function readStdin() {
+    const chunks = [];
+    for await (const chunk of process.stdin) {
+        chunks.push(chunk);
+    }
+    return Buffer.concat(chunks).toString('utf-8').trim();
+}
+/**
+ * Parse file paths from stdin JSON payload.
+ *
+ * Supports multiple formats from different tools:
+ *   Cursor:   { file_path, old_content, new_content }
+ *   Windsurf: { file_path, content }
+ *   Cline:    { toolName, toolInput: { path } }
+ *   Array:    { files: ["a.ts", "b.ts"] }
+ */
+function parseStdinFiles(input) {
+    if (!input) {
+        return [];
+    }
+    try {
+        const payload = JSON.parse(input);
+        // Array format
+        if (Array.isArray(payload.files)) {
+            return payload.files;
+        }
+        // Direct file_path (Cursor/Windsurf)
+        if (payload.file_path) {
+            return [payload.file_path];
+        }
+        // Cline format: { toolInput: { path } }
+        if (payload.toolInput?.path) {
+            return [payload.toolInput.path];
+        }
+        if (payload.toolInput?.file_path) {
+            return [payload.toolInput.file_path];
+        }
+        return [];
+    }
+    catch {
+        // Not JSON — treat each line as a file path
+        return input.split('\n').map(l => l.trim()).filter(Boolean);
+    }
+}
+/**
+ * Parse file paths from CLI --files argument.
+ */
+function parseCliFiles(args) {
+    const filesIdx = args.indexOf('--files');
+    if (filesIdx === -1 || !args[filesIdx + 1]) {
+        return [];
+    }
+    return args[filesIdx + 1].split(',').map(f => f.trim()).filter(Boolean);
+}
+/**
+ * Log failures to stderr in human-readable format.
+ */
+function logFailures(failures) {
+    for (const f of failures) {
+        const loc = f.line ? `:${f.line}` : '';
+        process.stderr.write(`[rigour/${f.gate}] ${f.file}${loc}: ${f.message}\n`);
+    }
+}
+async function main() {
+    const args = process.argv.slice(2);
+    const cwd = process.cwd();
+    const files = args.includes('--stdin')
+        ? parseStdinFiles(await readStdin())
+        : parseCliFiles(args);
+    if (files.length === 0) {
+        process.stdout.write(EMPTY_RESULT);
+        return;
+    }
+    const result = await runHookChecker({ cwd, files });
+    process.stdout.write(JSON.stringify(result));
+    if (result.status === 'fail') {
+        logFailures(result.failures);
+    }
+    // Exit 2 = block signal for tools that respect it
+    if (result.status === 'fail' && args.includes('--block')) {
+        process.exit(2);
+    }
+}
+main().catch((err) => {
+    process.stderr.write(`Rigour hook checker fatal error: ${err.message}\n`);
+    process.exit(1);
+});

package/dist/hooks/templates.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Hook configuration templates for each AI coding tool.
+ *
+ * Each template generates the tool-native config format:
+ * - Claude Code: .claude/settings.json (PostToolUse matcher)
+ * - Cursor: .cursor/hooks.json (afterFileEdit event)
+ * - Cline: .clinerules/hooks/PostToolUse (executable script)
+ * - Windsurf: .windsurf/hooks.json (post_write_code event)
+ *
+ * @since v3.0.0
+ */
+import type { HookTool } from './types.js';
+export interface GeneratedHookFile {
+    path: string;
+    content: string;
+    executable?: boolean;
+    description: string;
+}
+/**
+ * Generate hook config files for a specific tool.
+ */
+export declare function generateHookFiles(tool: HookTool, checkerPath: string): GeneratedHookFile[];

package/dist/hooks/templates.js

@@ -0,0 +1,232 @@
+/**
+ * Hook configuration templates for each AI coding tool.
+ *
+ * Each template generates the tool-native config format:
+ * - Claude Code: .claude/settings.json (PostToolUse matcher)
+ * - Cursor: .cursor/hooks.json (afterFileEdit event)
+ * - Cline: .clinerules/hooks/PostToolUse (executable script)
+ * - Windsurf: .windsurf/hooks.json (post_write_code event)
+ *
+ * @since v3.0.0
+ */
+/**
+ * Generate hook config files for a specific tool.
+ */
+export function generateHookFiles(tool, checkerPath) {
+    switch (tool) {
+        case 'claude':
+            return generateClaudeHooks(checkerPath);
+        case 'cursor':
+            return generateCursorHooks(checkerPath);
+        case 'cline':
+            return generateClineHooks(checkerPath);
+        case 'windsurf':
+            return generateWindsurfHooks(checkerPath);
+        default:
+            return [];
+    }
+}
+function generateClaudeHooks(checkerPath) {
+    const settings = {
+        hooks: {
+            PostToolUse: [
+                {
+                    matcher: "Write|Edit|MultiEdit",
+                    hooks: [
+                        {
+                            type: "command",
+                            command: `node ${checkerPath} --files "$TOOL_INPUT_file_path"`,
+                        }
+                    ]
+                }
+            ]
+        }
+    };
+    return [
+        {
+            path: '.claude/settings.json',
+            content: JSON.stringify(settings, null, 4),
+            description: 'Claude Code PostToolUse hook — runs Rigour fast-check after every Write/Edit',
+        },
+    ];
+}
+function generateCursorHooks(checkerPath) {
+    const hooks = {
+        version: 1,
+        hooks: {
+            afterFileEdit: [
+                {
+                    command: `node ${checkerPath} --stdin`,
+                }
+            ]
+        }
+    };
+    const wrapper = `#!/usr/bin/env node
+/**
+ * Cursor afterFileEdit hook wrapper for Rigour.
+ * Receives { file_path, old_content, new_content } on stdin.
+ * Runs Rigour fast-check on the edited file.
+ */
+const { runHookChecker } = require('./node_modules/@rigour-labs/core/dist/hooks/checker.js');
+
+let data = '';
+process.stdin.on('data', chunk => { data += chunk; });
+process.stdin.on('end', async () => {
+    try {
+        const payload = JSON.parse(data);
+        const result = await runHookChecker({
+            cwd: process.cwd(),
+            files: [payload.file_path],
+        });
+
+        // Write result to stdout for Cursor to consume
+        process.stdout.write(JSON.stringify({ status: 'ok' }));
+
+        // Log failures to stderr (visible in Cursor Hooks panel)
+        if (result.status === 'fail') {
+            for (const f of result.failures) {
+                const loc = f.line ? \`:\${f.line}\` : '';
+                process.stderr.write(\`[rigour/\${f.gate}] \${f.file}\${loc}: \${f.message}\\n\`);
+            }
+        }
+    } catch (err) {
+        process.stderr.write(\`Rigour hook error: \${err.message}\\n\`);
+        process.stdout.write(JSON.stringify({ status: 'ok' }));
+    }
+});
+`;
+    return [
+        {
+            path: '.cursor/hooks.json',
+            content: JSON.stringify(hooks, null, 4),
+            description: 'Cursor afterFileEdit hook config',
+        },
+        {
+            path: '.cursor/rigour-hook.js',
+            content: wrapper,
+            executable: true,
+            description: 'Cursor hook wrapper that reads stdin and runs Rigour checker',
+        },
+    ];
+}
+function generateClineHooks(checkerPath) {
+    const script = `#!/usr/bin/env node
+/**
+ * Cline PostToolUse hook for Rigour.
+ * Receives JSON on stdin with { toolName, toolInput, toolOutput }.
+ * Only triggers on write_to_file and replace_in_file tools.
+ */
+const { runHookChecker } = require('./node_modules/@rigour-labs/core/dist/hooks/checker.js');
+
+const WRITE_TOOLS = ['write_to_file', 'replace_in_file'];
+
+let data = '';
+process.stdin.on('data', chunk => { data += chunk; });
+process.stdin.on('end', async () => {
+    try {
+        const payload = JSON.parse(data);
+
+        if (!WRITE_TOOLS.includes(payload.toolName)) {
+            // Not a write tool, pass through
+            process.stdout.write(JSON.stringify({}));
+            process.exit(0);
+            return;
+        }
+
+        const filePath = payload.toolInput?.path || payload.toolInput?.file_path;
+        if (!filePath) {
+            process.stdout.write(JSON.stringify({}));
+            process.exit(0);
+            return;
+        }
+
+        const result = await runHookChecker({
+            cwd: process.cwd(),
+            files: [filePath],
+        });
+
+        if (result.status === 'fail') {
+            const messages = result.failures
+                .map(f => {
+                    const loc = f.line ? \`:\${f.line}\` : '';
+                    return \`[rigour/\${f.gate}] \${f.file}\${loc}: \${f.message}\`;
+                })
+                .join('\\n');
+
+            process.stdout.write(JSON.stringify({
+                contextModification: \`\\n[Rigour Quality Gate] Found \${result.failures.length} issue(s):\\n\${messages}\\nPlease fix before continuing.\`,
+            }));
+        } else {
+            process.stdout.write(JSON.stringify({}));
+        }
+    } catch (err) {
+        process.stderr.write(\`Rigour hook error: \${err.message}\\n\`);
+        process.stdout.write(JSON.stringify({}));
+    }
+});
+`;
+    return [
+        {
+            path: '.clinerules/hooks/PostToolUse',
+            content: script,
+            executable: true,
+            description: 'Cline PostToolUse hook — runs Rigour fast-check after file writes',
+        },
+    ];
+}
+function generateWindsurfHooks(checkerPath) {
+    const hooks = {
+        version: 1,
+        hooks: {
+            post_write_code: [
+                {
+                    command: `node ${checkerPath} --stdin`,
+                }
+            ]
+        }
+    };
+    const wrapper = `#!/usr/bin/env node
+/**
+ * Windsurf post_write_code hook wrapper for Rigour.
+ * Receives { file_path, content } on stdin from Cascade agent.
+ * Runs Rigour fast-check on the written file.
+ */
+const { runHookChecker } = require('./node_modules/@rigour-labs/core/dist/hooks/checker.js');
+
+let data = '';
+process.stdin.on('data', chunk => { data += chunk; });
+process.stdin.on('end', async () => {
+    try {
+        const payload = JSON.parse(data);
+        const result = await runHookChecker({
+            cwd: process.cwd(),
+            files: [payload.file_path],
+        });
+
+        if (result.status === 'fail') {
+            for (const f of result.failures) {
+                const loc = f.line ? \`:\${f.line}\` : '';
+                process.stderr.write(\`[rigour/\${f.gate}] \${f.file}\${loc}: \${f.message}\\n\`);
+            }
+            // Exit 2 = block (if configured), exit 0 = warn only
+            process.exit(0);
+        }
+    } catch (err) {
+        process.stderr.write(\`Rigour hook error: \${err.message}\\n\`);
+    }
+});
+`;
+    return [
+        {
+            path: '.windsurf/hooks.json',
+            content: JSON.stringify(hooks, null, 4),
+            description: 'Windsurf post_write_code hook config',
+        },
+        {
+            path: '.windsurf/rigour-hook.js',
+            content: wrapper,
+            executable: true,
+            description: 'Windsurf hook wrapper that reads stdin and runs Rigour checker',
+        },
+    ];
+}

package/dist/hooks/types.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Hook system types for multi-tool integration.
+ *
+ * Each AI coding tool (Claude Code, Cursor, Cline, Windsurf)
+ * has its own hook format. These types unify the config generation.
+ *
+ * @since v3.0.0
+ */
+export type HookTool = 'claude' | 'cursor' | 'cline' | 'windsurf';
+export interface HookConfig {
+    /** Which tools to generate hooks for */
+    tools: HookTool[];
+    /** Gates to run in the hook checker (fast subset) */
+    fast_gates: string[];
+    /** Max execution time in ms before the checker aborts */
+    timeout_ms: number;
+    /** Whether to block the tool on failure (exit 2) or just warn */
+    block_on_failure: boolean;
+}
+/** The fast gates that can run per-file in <200ms */
+export declare const FAST_GATE_IDS: readonly ["hallucinated-imports", "promise-safety", "security-patterns", "file-size"];
+export declare const DEFAULT_HOOK_CONFIG: HookConfig;
+export type FastGateId = typeof FAST_GATE_IDS[number];
+export interface HookCheckerResult {
+    status: 'pass' | 'fail' | 'error';
+    failures: Array<{
+        gate: string;
+        file: string;
+        message: string;
+        severity: string;
+        line?: number;
+    }>;
+    duration_ms: number;
+}

package/dist/hooks/types.js

@@ -0,0 +1,21 @@
+/**
+ * Hook system types for multi-tool integration.
+ *
+ * Each AI coding tool (Claude Code, Cursor, Cline, Windsurf)
+ * has its own hook format. These types unify the config generation.
+ *
+ * @since v3.0.0
+ */
+/** The fast gates that can run per-file in <200ms */
+export const FAST_GATE_IDS = [
+    'hallucinated-imports',
+    'promise-safety',
+    'security-patterns',
+    'file-size',
+];
+export const DEFAULT_HOOK_CONFIG = {
+    tools: ['claude'],
+    fast_gates: [...FAST_GATE_IDS],
+    timeout_ms: 5000,
+    block_on_failure: false,
+};

package/dist/index.d.ts

@@ -8,3 +8,4 @@ export { Gate, GateContext } from './gates/base.js';
 export { RetryLoopBreakerGate } from './gates/retry-loop-breaker.js';
 export * from './utils/logger.js';
 export * from './services/score-history.js';
+export * from './hooks/index.js';

package/dist/index.js

@@ -8,6 +8,7 @@ export { Gate } from './gates/base.js';
 export { RetryLoopBreakerGate } from './gates/retry-loop-breaker.js';
 export * from './utils/logger.js';
 export * from './services/score-history.js';
+export * from './hooks/index.js';
 // Pattern Index is intentionally NOT exported here to prevent
 // native dependency issues (sharp/transformers) from leaking into 
 // non-AI parts of the system. 

package/dist/templates/index.js

@@ -482,6 +482,13 @@ export const UNIVERSAL_CONFIG = {
             ignore_patterns: [],
         },
     },
+    hooks: {
+        enabled: false,
+        tools: [],
+        fast_gates: ['hallucinated-imports', 'promise-safety', 'security-patterns', 'file-size'],
+        timeout_ms: 5000,
+        block_on_failure: false,
+    },
     output: {
         report_path: 'rigour-report.json',
     },

package/dist/types/index.d.ts

@@ -568,6 +568,25 @@ export declare const CommandsSchema: z.ZodObject<{
     typecheck?: string | undefined;
     test?: string | undefined;
 }>;
+export declare const HooksSchema: z.ZodDefault<z.ZodOptional<z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    tools: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodEnum<["claude", "cursor", "cline", "windsurf"]>, "many">>>;
+    fast_gates: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+    timeout_ms: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    block_on_failure: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+}, "strip", z.ZodTypeAny, {
+    enabled: boolean;
+    tools: ("claude" | "cursor" | "cline" | "windsurf")[];
+    fast_gates: string[];
+    timeout_ms: number;
+    block_on_failure: boolean;
+}, {
+    enabled?: boolean | undefined;
+    tools?: ("claude" | "cursor" | "cline" | "windsurf")[] | undefined;
+    fast_gates?: string[] | undefined;
+    timeout_ms?: number | undefined;
+    block_on_failure?: boolean | undefined;
+}>>>;
 export declare const ConfigSchema: z.ZodObject<{
     version: z.ZodDefault<z.ZodNumber>;
     preset: z.ZodOptional<z.ZodString>;
@@ -1141,6 +1160,25 @@ export declare const ConfigSchema: z.ZodObject<{
             check_unsafe_fetch?: boolean | undefined;
         } | undefined;
     }>>>;
+    hooks: z.ZodDefault<z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+        tools: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodEnum<["claude", "cursor", "cline", "windsurf"]>, "many">>>;
+        fast_gates: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+        timeout_ms: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+        block_on_failure: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    }, "strip", z.ZodTypeAny, {
+        enabled: boolean;
+        tools: ("claude" | "cursor" | "cline" | "windsurf")[];
+        fast_gates: string[];
+        timeout_ms: number;
+        block_on_failure: boolean;
+    }, {
+        enabled?: boolean | undefined;
+        tools?: ("claude" | "cursor" | "cline" | "windsurf")[] | undefined;
+        fast_gates?: string[] | undefined;
+        timeout_ms?: number | undefined;
+        block_on_failure?: boolean | undefined;
+    }>>>;
     output: z.ZodDefault<z.ZodOptional<z.ZodObject<{
         report_path: z.ZodDefault<z.ZodString>;
     }, "strip", z.ZodTypeAny, {
@@ -1278,6 +1316,13 @@ export declare const ConfigSchema: z.ZodObject<{
             check_unsafe_fetch: boolean;
         };
     };
+    hooks: {
+        enabled: boolean;
+        tools: ("claude" | "cursor" | "cline" | "windsurf")[];
+        fast_gates: string[];
+        timeout_ms: number;
+        block_on_failure: boolean;
+    };
     output: {
         report_path: string;
     };
@@ -1414,6 +1459,13 @@ export declare const ConfigSchema: z.ZodObject<{
             check_unsafe_fetch?: boolean | undefined;
         } | undefined;
     } | undefined;
+    hooks?: {
+        enabled?: boolean | undefined;
+        tools?: ("claude" | "cursor" | "cline" | "windsurf")[] | undefined;
+        fast_gates?: string[] | undefined;
+        timeout_ms?: number | undefined;
+        block_on_failure?: boolean | undefined;
+    } | undefined;
     output?: {
         report_path?: string | undefined;
     } | undefined;
@@ -1421,9 +1473,11 @@ export declare const ConfigSchema: z.ZodObject<{
 }>;
 export type Gates = z.infer<typeof GatesSchema>;
 export type Commands = z.infer<typeof CommandsSchema>;
+export type Hooks = z.infer<typeof HooksSchema>;
 export type Config = z.infer<typeof ConfigSchema>;
 export type RawGates = z.input<typeof GatesSchema>;
 export type RawCommands = z.input<typeof CommandsSchema>;
+export type RawHooks = z.input<typeof HooksSchema>;
 export type RawConfig = z.input<typeof ConfigSchema>;
 export declare const StatusSchema: z.ZodEnum<["PASS", "FAIL", "SKIP", "ERROR"]>;
 export type Status = z.infer<typeof StatusSchema>;

package/dist/types/index.js

@@ -144,12 +144,25 @@ export const CommandsSchema = z.object({
     typecheck: z.string().optional(),
     test: z.string().optional(),
 });
+export const HooksSchema = z.object({
+    enabled: z.boolean().optional().default(false),
+    tools: z.array(z.enum(['claude', 'cursor', 'cline', 'windsurf'])).optional().default([]),
+    fast_gates: z.array(z.string()).optional().default([
+        'hallucinated-imports',
+        'promise-safety',
+        'security-patterns',
+        'file-size',
+    ]),
+    timeout_ms: z.number().optional().default(5000),
+    block_on_failure: z.boolean().optional().default(false),
+}).optional().default({});
 export const ConfigSchema = z.object({
     version: z.number().default(1),
     preset: z.string().optional(),
     paradigm: z.string().optional(),
     commands: CommandsSchema.optional().default({}),
     gates: GatesSchema.optional().default({}),
+    hooks: HooksSchema,
     output: z.object({
         report_path: z.string().default('rigour-report.json'),
     }).optional().default({}),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigour-labs/core",
-  "version": "3.0.0",
+  "version": "3.0.1",
   "description": "Deterministic quality gate engine for AI-generated code. AST analysis, drift detection, and Fix Packet generation across TypeScript, JavaScript, Python, Go, Ruby, and C#.",
   "license": "MIT",
   "homepage": "https://rigour.run",