@rigour-labs/core 3.0.0 → 3.0.2

package/dist/gates/security-patterns.d.ts

@@ -33,6 +33,10 @@ export interface SecurityPatternsConfig {
     hardcoded_secrets?: boolean;
     insecure_randomness?: boolean;
     command_injection?: boolean;
+    redos?: boolean;
+    overly_permissive?: boolean;
+    unsafe_output?: boolean;
+    missing_input_validation?: boolean;
     block_on_severity?: 'critical' | 'high' | 'medium' | 'low';
 }
 export declare class SecurityPatternsGate extends Gate {

package/dist/gates/security-patterns.js

@@ -131,6 +131,98 @@ const VULNERABILITY_PATTERNS = [
         cwe: 'CWE-78',
         languages: ['ts', 'js']
     },
+    // ReDoS — Denial of Service via regex (OWASP #7)
+    {
+        type: 'redos',
+        regex: /new RegExp\s*\([^)]*(?:req\.|params|query|body|input|user)/g,
+        severity: 'high',
+        description: 'Dynamic regex from user input — potential ReDoS',
+        cwe: 'CWE-1333',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'redos',
+        regex: /\(\?:[^)]*\+[^)]*\)\+|\([^)]*\*[^)]*\)\+|\(\.\*\)\{/g,
+        severity: 'medium',
+        description: 'Regex with nested quantifiers — potential ReDoS',
+        cwe: 'CWE-1333',
+        languages: ['ts', 'js', 'py']
+    },
+    // Overly Permissive Code (OWASP #9)
+    {
+        type: 'overly_permissive',
+        regex: /cors\s*\(\s*\{[^}]*origin\s*:\s*(?:true|['"`]\*['"`])/g,
+        severity: 'high',
+        description: 'CORS wildcard origin — allows any domain',
+        cwe: 'CWE-942',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'overly_permissive',
+        regex: /(?:listen|bind)\s*\(\s*(?:\d+\s*,\s*)?['"`]0\.0\.0\.0['"`]/g,
+        severity: 'medium',
+        description: 'Binding to 0.0.0.0 exposes service to all interfaces',
+        cwe: 'CWE-668',
+        languages: ['ts', 'js', 'py', 'go']
+    },
+    {
+        type: 'overly_permissive',
+        regex: /chmod\s*\(\s*[^,]*,\s*['"`]?(?:0o?)?777['"`]?\s*\)/g,
+        severity: 'high',
+        description: 'chmod 777 — world-readable/writable permissions',
+        cwe: 'CWE-732',
+        languages: ['ts', 'js', 'py']
+    },
+    {
+        type: 'overly_permissive',
+        regex: /(?:Access-Control-Allow-Origin|x-powered-by)['"`,\s:]+\*/gi,
+        severity: 'high',
+        description: 'Wildcard Access-Control-Allow-Origin header',
+        cwe: 'CWE-942',
+        languages: ['ts', 'js', 'py']
+    },
+    // Unsafe Output Handling (OWASP #6)
+    {
+        type: 'unsafe_output',
+        regex: /res\.(?:send|write|end)\s*\(\s*(?:req\.|params|query|body|input|user)/g,
+        severity: 'high',
+        description: 'Reflecting user input in response without sanitization',
+        cwe: 'CWE-79',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'unsafe_output',
+        regex: /\$\{[^}]*(?:req\.|params|query|body|input|user)[^}]*\}.*(?:html|template|render)/gi,
+        severity: 'high',
+        description: 'User input interpolated into template/HTML output',
+        cwe: 'CWE-79',
+        languages: ['ts', 'js', 'py']
+    },
+    {
+        type: 'unsafe_output',
+        regex: /eval\s*\(\s*(?:req\.|params|query|body|input|user)/g,
+        severity: 'critical',
+        description: 'eval() with user input — code injection',
+        cwe: 'CWE-94',
+        languages: ['ts', 'js', 'py']
+    },
+    // Missing Input Validation (OWASP #8)
+    {
+        type: 'missing_input_validation',
+        regex: /JSON\.parse\s*\(\s*(?:req\.body|request\.body|body|data|input)\s*\)/g,
+        severity: 'medium',
+        description: 'JSON.parse on raw input without schema validation',
+        cwe: 'CWE-20',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'missing_input_validation',
+        regex: /(?:as\s+any|:\s*any)\s*(?:[;,)\]}])/g,
+        severity: 'medium',
+        description: 'Type assertion to "any" bypasses type safety',
+        cwe: 'CWE-20',
+        languages: ['ts']
+    },
 ];
 export class SecurityPatternsGate extends Gate {
     config;
@@ -145,6 +237,10 @@ export class SecurityPatternsGate extends Gate {
             hardcoded_secrets: config.hardcoded_secrets ?? true,
             insecure_randomness: config.insecure_randomness ?? true,
             command_injection: config.command_injection ?? true,
+            redos: config.redos ?? true,
+            overly_permissive: config.overly_permissive ?? true,
+            unsafe_output: config.unsafe_output ?? true,
+            missing_input_validation: config.missing_input_validation ?? true,
             block_on_severity: config.block_on_severity ?? 'high',
         };
     }
@@ -178,6 +274,10 @@ export class SecurityPatternsGate extends Gate {
                 case 'hardcoded_secrets': return this.config.hardcoded_secrets;
                 case 'insecure_randomness': return this.config.insecure_randomness;
                 case 'command_injection': return this.config.command_injection;
+                case 'redos': return this.config.redos;
+                case 'overly_permissive': return this.config.overly_permissive;
+                case 'unsafe_output': return this.config.unsafe_output;
+                case 'missing_input_validation': return this.config.missing_input_validation;
                 default: return true;
             }
         });

package/dist/hooks/checker.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Lightweight per-file checker for hook integration.
+ *
+ * Runs a fast subset of Rigour gates on individual files,
+ * designed to complete in <200ms for real-time hook feedback.
+ *
+ * Used by all tool-specific hooks (Claude, Cursor, Cline, Windsurf).
+ *
+ * @since v3.0.0
+ */
+import type { HookCheckerResult } from './types.js';
+interface CheckerOptions {
+    cwd: string;
+    files: string[];
+    timeout_ms?: number;
+    block_on_failure?: boolean;
+}
+/**
+ * Run fast gates on a set of files.
+ * Returns structured JSON for hook consumers.
+ */
+export declare function runHookChecker(options: CheckerOptions): Promise<HookCheckerResult>;
+export {};

package/dist/hooks/checker.js

@@ -0,0 +1,222 @@
+/**
+ * Lightweight per-file checker for hook integration.
+ *
+ * Runs a fast subset of Rigour gates on individual files,
+ * designed to complete in <200ms for real-time hook feedback.
+ *
+ * Used by all tool-specific hooks (Claude, Cursor, Cline, Windsurf).
+ *
+ * @since v3.0.0
+ */
+import fs from 'fs-extra';
+import path from 'path';
+import yaml from 'yaml';
+import { ConfigSchema } from '../types/index.js';
+const JS_TS_PATTERN = /\.(ts|tsx|js|jsx|mts|mjs)$/;
+/**
+ * Load rigour config from cwd, falling back to defaults.
+ */
+async function loadConfig(cwd) {
+    const configPath = path.join(cwd, 'rigour.yml');
+    if (await fs.pathExists(configPath)) {
+        const raw = yaml.parse(await fs.readFile(configPath, 'utf-8'));
+        return ConfigSchema.parse(raw);
+    }
+    return ConfigSchema.parse({ version: 1 });
+}
+/**
+ * Resolve a file path to absolute, read its content, and return metadata.
+ */
+async function resolveFile(filePath, cwd) {
+    const absPath = path.isAbsolute(filePath) ? filePath : path.join(cwd, filePath);
+    if (!(await fs.pathExists(absPath))) {
+        return null;
+    }
+    const content = await fs.readFile(absPath, 'utf-8');
+    const relPath = path.relative(cwd, absPath);
+    return { absPath, relPath, content };
+}
+/**
+ * Run all fast gates on a single file's content.
+ */
+function checkFile(content, relPath, cwd, config) {
+    const failures = [];
+    const lines = content.split('\n');
+    // Gate 1: File size
+    const maxLines = config.gates.max_file_lines ?? 500;
+    if (lines.length > maxLines) {
+        failures.push({
+            gate: 'file-size',
+            file: relPath,
+            message: `File has ${lines.length} lines (max: ${maxLines})`,
+            severity: 'medium',
+        });
+    }
+    const isJsTs = JS_TS_PATTERN.test(relPath);
+    // Gate 2: Hallucinated imports (JS/TS only)
+    if (isJsTs) {
+        checkHallucinatedImports(content, relPath, cwd, failures);
+    }
+    // Gate 3: Promise safety (JS/TS only)
+    if (isJsTs) {
+        checkPromiseSafety(lines, relPath, failures);
+    }
+    // Gate 4: Security patterns (all languages)
+    checkSecurityPatterns(lines, relPath, failures);
+    return failures;
+}
+/**
+ * Run fast gates on a set of files.
+ * Returns structured JSON for hook consumers.
+ */
+export async function runHookChecker(options) {
+    const start = Date.now();
+    const { cwd, files, timeout_ms = 5000 } = options;
+    const failures = [];
+    try {
+        const config = await loadConfig(cwd);
+        const deadline = start + timeout_ms;
+        for (const filePath of files) {
+            if (Date.now() > deadline) {
+                break;
+            }
+            const resolved = await resolveFile(filePath, cwd);
+            if (!resolved) {
+                continue;
+            }
+            const fileFailures = checkFile(resolved.content, resolved.relPath, cwd, config);
+            failures.push(...fileFailures);
+        }
+        return {
+            status: failures.length > 0 ? 'fail' : 'pass',
+            failures,
+            duration_ms: Date.now() - start,
+        };
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        return {
+            status: 'error',
+            failures: [{
+                    gate: 'hook-checker',
+                    file: '',
+                    message: `Hook checker error: ${msg}`,
+                    severity: 'medium',
+                }],
+            duration_ms: Date.now() - start,
+        };
+    }
+}
+/**
+ * Check for imports of non-existent relative files.
+ */
+function checkHallucinatedImports(content, relPath, cwd, failures) {
+    const importRegex = /(?:import\s+.*\s+from\s+['"]([^'"]+)['"]|require\s*\(\s*['"]([^'"]+)['"]\s*\))/g;
+    let match;
+    while ((match = importRegex.exec(content)) !== null) {
+        const specifier = match[1] || match[2];
+        if (!specifier || !specifier.startsWith('.')) {
+            continue;
+        }
+        const dir = path.dirname(path.join(cwd, relPath));
+        const resolved = path.resolve(dir, specifier);
+        const extensions = ['', '.ts', '.tsx', '.js', '.jsx', '.mts', '.mjs', '/index.ts', '/index.js'];
+        const exists = extensions.some(ext => {
+            try {
+                return fs.existsSync(resolved + ext);
+            }
+            catch {
+                return false;
+            }
+        });
+        if (!exists) {
+            const lineNum = content.substring(0, match.index).split('\n').length;
+            failures.push({
+                gate: 'hallucinated-imports',
+                file: relPath,
+                message: `Import '${specifier}' does not resolve to an existing file`,
+                severity: 'high',
+                line: lineNum,
+            });
+        }
+    }
+}
+/**
+ * Check for common async/promise safety issues.
+ */
+function checkPromiseSafety(lines, relPath, failures) {
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        checkUnsafeJsonParse(line, lines, i, relPath, failures);
+        checkUnhandledFetch(line, lines, i, relPath, failures);
+    }
+}
+function checkUnsafeJsonParse(line, lines, i, relPath, failures) {
+    if (!/JSON\.parse\s*\(/.test(line)) {
+        return;
+    }
+    const contextStart = Math.max(0, i - 5);
+    const context = lines.slice(contextStart, i + 1).join('\n');
+    if (!/try\s*\{/.test(context)) {
+        failures.push({
+            gate: 'promise-safety',
+            file: relPath,
+            message: 'JSON.parse() without try/catch — crashes on malformed input',
+            severity: 'medium',
+            line: i + 1,
+        });
+    }
+}
+function checkUnhandledFetch(line, lines, i, relPath, failures) {
+    if (!/\bfetch\s*\(/.test(line) || /\.catch\b/.test(line) || /await/.test(line)) {
+        return;
+    }
+    const contextEnd = Math.min(lines.length, i + 3);
+    const afterContext = lines.slice(i, contextEnd).join('\n');
+    const beforeContext = lines.slice(Math.max(0, i - 5), i + 1).join('\n');
+    if (!/\.catch\b/.test(afterContext) && !/try\s*\{/.test(beforeContext)) {
+        failures.push({
+            gate: 'promise-safety',
+            file: relPath,
+            message: 'fetch() without error handling',
+            severity: 'medium',
+            line: i + 1,
+        });
+    }
+}
+/**
+ * Check for critical security patterns.
+ */
+function checkSecurityPatterns(lines, relPath, failures) {
+    const isTestFile = /\.(test|spec|example|mock)\./i.test(relPath);
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        checkHardcodedSecrets(line, i, relPath, isTestFile, failures);
+        checkCommandInjection(line, i, relPath, failures);
+    }
+}
+function checkHardcodedSecrets(line, i, relPath, isTestFile, failures) {
+    if (isTestFile) {
+        return;
+    }
+    if (/(?:api[_-]?key|secret|password|token)\s*[:=]\s*['"][A-Za-z0-9+/=]{20,}['"]/i.test(line)) {
+        failures.push({
+            gate: 'security-patterns',
+            file: relPath,
+            message: 'Possible hardcoded secret or API key',
+            severity: 'critical',
+            line: i + 1,
+        });
+    }
+}
+function checkCommandInjection(line, i, relPath, failures) {
+    if (/(?:exec|spawn|execSync|spawnSync)\s*\(.*\$\{/.test(line)) {
+        failures.push({
+            gate: 'security-patterns',
+            file: relPath,
+            message: 'Potential command injection: user input in shell command',
+            severity: 'critical',
+            line: i + 1,
+        });
+    }
+}

package/dist/hooks/checker.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/hooks/checker.test.js

@@ -0,0 +1,132 @@
+/**
+ * Tests for the hooks fast-checker module.
+ * Verifies all 4 fast gates: file-size, hallucinated-imports, promise-safety, security-patterns.
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { runHookChecker } from './checker.js';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import yaml from 'yaml';
+describe('runHookChecker', () => {
+    let testDir;
+    beforeEach(() => {
+        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'hook-checker-test-'));
+        // Write minimal rigour.yml
+        fs.writeFileSync(path.join(testDir, 'rigour.yml'), yaml.stringify({
+            version: 1,
+            gates: { max_file_lines: 50 },
+        }));
+        // Write package.json for import resolution
+        fs.writeFileSync(path.join(testDir, 'package.json'), JSON.stringify({
+            name: 'test-proj',
+            dependencies: { express: '^4.0.0' },
+        }));
+    });
+    afterEach(() => {
+        fs.rmSync(testDir, { recursive: true, force: true });
+    });
+    it('should return pass for clean files', async () => {
+        const filePath = path.join(testDir, 'clean.ts');
+        fs.writeFileSync(filePath, 'export const x = 1;\n');
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        expect(result.status).toBe('pass');
+        expect(result.failures).toHaveLength(0);
+        expect(result.duration_ms).toBeGreaterThanOrEqual(0);
+    });
+    it('should detect file size violations', async () => {
+        const filePath = path.join(testDir, 'big.ts');
+        const lines = Array.from({ length: 100 }, (_, i) => `export const v${i} = ${i};`);
+        fs.writeFileSync(filePath, lines.join('\n'));
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        expect(result.status).toBe('fail');
+        expect(result.failures.some(f => f.gate === 'file-size')).toBe(true);
+    });
+    it('should detect hardcoded secrets', async () => {
+        const filePath = path.join(testDir, 'auth.ts');
+        fs.writeFileSync(filePath, `
+            const api_key = "abcdefghijklmnopqrstuvwxyz123456";
+        `);
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        expect(result.status).toBe('fail');
+        expect(result.failures.some(f => f.gate === 'security-patterns')).toBe(true);
+    });
+    it('should detect command injection patterns', async () => {
+        const filePath = path.join(testDir, 'cmd.ts');
+        fs.writeFileSync(filePath, `
+            import { exec } from 'child_process';
+            exec(\`rm -rf \${userInput}\`);
+        `);
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        expect(result.status).toBe('fail');
+        expect(result.failures.some(f => f.gate === 'security-patterns' && f.message.includes('command injection'))).toBe(true);
+    });
+    it('should detect JSON.parse without try/catch', async () => {
+        const filePath = path.join(testDir, 'parse.ts');
+        fs.writeFileSync(filePath, `
+            const data = JSON.parse(input);
+            console.log(data);
+        `);
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        expect(result.status).toBe('fail');
+        expect(result.failures.some(f => f.gate === 'promise-safety')).toBe(true);
+    });
+    it('should skip non-existent files gracefully', async () => {
+        const result = await runHookChecker({
+            cwd: testDir,
+            files: ['/does/not/exist.ts'],
+        });
+        expect(result.status).toBe('pass');
+        expect(result.failures).toHaveLength(0);
+    });
+    it('should handle multiple files', async () => {
+        const cleanFile = path.join(testDir, 'clean.ts');
+        fs.writeFileSync(cleanFile, 'export const x = 1;\n');
+        const badFile = path.join(testDir, 'bad.ts');
+        fs.writeFileSync(badFile, `const password = "supersecretpassword123456";`);
+        const result = await runHookChecker({
+            cwd: testDir,
+            files: [cleanFile, badFile],
+        });
+        expect(result.status).toBe('fail');
+        expect(result.failures.length).toBeGreaterThan(0);
+    });
+    it('should handle missing config gracefully', async () => {
+        // Remove rigour.yml
+        fs.unlinkSync(path.join(testDir, 'rigour.yml'));
+        const filePath = path.join(testDir, 'test.ts');
+        fs.writeFileSync(filePath, 'export const x = 1;\n');
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        expect(result.status).toBe('pass');
+    });
+    it('should complete within timeout', async () => {
+        const filePath = path.join(testDir, 'test.ts');
+        fs.writeFileSync(filePath, 'export const x = 1;\n');
+        const result = await runHookChecker({
+            cwd: testDir,
+            files: [filePath],
+            timeout_ms: 5000,
+        });
+        expect(result.duration_ms).toBeLessThan(5000);
+    });
+    it('should detect hallucinated relative imports', async () => {
+        const filePath = path.join(testDir, 'app.ts');
+        fs.writeFileSync(filePath, `
+            import { helper } from './nonexistent-module';
+        `);
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        expect(result.status).toBe('fail');
+        expect(result.failures.some(f => f.gate === 'hallucinated-imports')).toBe(true);
+    });
+    it('should not flag existing relative imports', async () => {
+        const helperPath = path.join(testDir, 'helper.ts');
+        fs.writeFileSync(helperPath, 'export const help = true;\n');
+        const filePath = path.join(testDir, 'app.ts');
+        fs.writeFileSync(filePath, `
+            import { help } from './helper';
+        `);
+        const result = await runHookChecker({ cwd: testDir, files: [filePath] });
+        const importFailures = result.failures.filter(f => f.gate === 'hallucinated-imports');
+        expect(importFailures).toHaveLength(0);
+    });
+});

package/dist/hooks/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Hooks module — multi-tool hook integration for Rigour.
+ *
+ * @since v3.0.0
+ */
+export { runHookChecker } from './checker.js';
+export { generateHookFiles } from './templates.js';
+export type { HookTool, HookConfig, HookCheckerResult } from './types.js';
+export { DEFAULT_HOOK_CONFIG, FAST_GATE_IDS } from './types.js';

package/dist/hooks/index.js

@@ -0,0 +1,8 @@
+/**
+ * Hooks module — multi-tool hook integration for Rigour.
+ *
+ * @since v3.0.0
+ */
+export { runHookChecker } from './checker.js';
+export { generateHookFiles } from './templates.js';
+export { DEFAULT_HOOK_CONFIG, FAST_GATE_IDS } from './types.js';

package/dist/hooks/standalone-checker.d.ts

@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+/**
+ * Standalone hook checker entry point.
+ *
+ * Can be invoked two ways:
+ *   1. CLI args:  node rigour-hook-checker.js --files path/to/file.ts
+ *   2. Stdin:     echo '{"file_path":"x.ts"}' | node rigour-hook-checker.js --stdin
+ *
+ * Exit codes:
+ *   0 = pass (or warn-only mode)
+ *   2 = block (fail + block_on_failure enabled)
+ *
+ * @since v3.0.0
+ */
+export {};

package/dist/hooks/standalone-checker.js

@@ -0,0 +1,106 @@
+#!/usr/bin/env node
+/**
+ * Standalone hook checker entry point.
+ *
+ * Can be invoked two ways:
+ *   1. CLI args:  node rigour-hook-checker.js --files path/to/file.ts
+ *   2. Stdin:     echo '{"file_path":"x.ts"}' | node rigour-hook-checker.js --stdin
+ *
+ * Exit codes:
+ *   0 = pass (or warn-only mode)
+ *   2 = block (fail + block_on_failure enabled)
+ *
+ * @since v3.0.0
+ */
+import { runHookChecker } from './checker.js';
+const EMPTY_RESULT = JSON.stringify({ status: 'pass', failures: [], duration_ms: 0 });
+/**
+ * Read all of stdin as a string.
+ */
+async function readStdin() {
+    const chunks = [];
+    for await (const chunk of process.stdin) {
+        chunks.push(chunk);
+    }
+    return Buffer.concat(chunks).toString('utf-8').trim();
+}
+/**
+ * Parse file paths from stdin JSON payload.
+ *
+ * Supports multiple formats from different tools:
+ *   Cursor:   { file_path, old_content, new_content }
+ *   Windsurf: { file_path, content }
+ *   Cline:    { toolName, toolInput: { path } }
+ *   Array:    { files: ["a.ts", "b.ts"] }
+ */
+function parseStdinFiles(input) {
+    if (!input) {
+        return [];
+    }
+    try {
+        const payload = JSON.parse(input);
+        // Array format
+        if (Array.isArray(payload.files)) {
+            return payload.files;
+        }
+        // Direct file_path (Cursor/Windsurf)
+        if (payload.file_path) {
+            return [payload.file_path];
+        }
+        // Cline format: { toolInput: { path } }
+        if (payload.toolInput?.path) {
+            return [payload.toolInput.path];
+        }
+        if (payload.toolInput?.file_path) {
+            return [payload.toolInput.file_path];
+        }
+        return [];
+    }
+    catch {
+        // Not JSON — treat each line as a file path
+        return input.split('\n').map(l => l.trim()).filter(Boolean);
+    }
+}
+/**
+ * Parse file paths from CLI --files argument.
+ */
+function parseCliFiles(args) {
+    const filesIdx = args.indexOf('--files');
+    if (filesIdx === -1 || !args[filesIdx + 1]) {
+        return [];
+    }
+    return args[filesIdx + 1].split(',').map(f => f.trim()).filter(Boolean);
+}
+/**
+ * Log failures to stderr in human-readable format.
+ */
+function logFailures(failures) {
+    for (const f of failures) {
+        const loc = f.line ? `:${f.line}` : '';
+        process.stderr.write(`[rigour/${f.gate}] ${f.file}${loc}: ${f.message}\n`);
+    }
+}
+async function main() {
+    const args = process.argv.slice(2);
+    const cwd = process.cwd();
+    const files = args.includes('--stdin')
+        ? parseStdinFiles(await readStdin())
+        : parseCliFiles(args);
+    if (files.length === 0) {
+        process.stdout.write(EMPTY_RESULT);
+        return;
+    }
+    const result = await runHookChecker({ cwd, files });
+    process.stdout.write(JSON.stringify(result));
+    if (result.status === 'fail') {
+        logFailures(result.failures);
+    }
+    // Exit 2 = block signal for tools that respect it
+    if (result.status === 'fail' && args.includes('--block')) {
+        process.exit(2);
+    }
+}
+main().catch((err) => {
+    process.stderr.write(`Rigour hook checker fatal error: ${err.message}\n`);
+    process.exit(1);
+});

package/dist/hooks/templates.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Hook configuration templates for each AI coding tool.
+ *
+ * Each template generates the tool-native config format:
+ * - Claude Code: .claude/settings.json (PostToolUse matcher)
+ * - Cursor: .cursor/hooks.json (afterFileEdit event)
+ * - Cline: .clinerules/hooks/PostToolUse (executable script)
+ * - Windsurf: .windsurf/hooks.json (post_write_code event)
+ *
+ * @since v3.0.0
+ */
+import type { HookTool } from './types.js';
+export interface GeneratedHookFile {
+    path: string;
+    content: string;
+    executable?: boolean;
+    description: string;
+}
+/**
+ * Generate hook config files for a specific tool.
+ */
+export declare function generateHookFiles(tool: HookTool, checkerPath: string): GeneratedHookFile[];