@sdsrs/code-graph 0.72.0 → 0.73.0

package/claude-plugin/.claude-plugin/plugin.json

@@ -4,7 +4,7 @@
   "author": {
     "name": "sdsrs"
   },
-  "version": "0.72.0",
+  "version": "0.73.0",
   "keywords": [
     "code-graph",
     "ast",

package/claude-plugin/scripts/hook-emit.js

@@ -0,0 +1,53 @@
+#!/usr/bin/env node
+'use strict';
+// Shared hook emit envelopes. One place defines the CC hookSpecificOutput JSON
+// schema so the three sibling delivery hooks (pre-read-guide / pre-edit-guide /
+// post-grep-inject) cannot drift apart (feedback_hook_class_bug_sweep — no
+// inline copies of shared logic). DRY mirror of the project-root.js precedent.
+//
+// Why these two shapes:
+//   - PreToolUse plain stdout on exit 0 goes to the DEBUG LOG ONLY — it never
+//     reaches the model (CC docs, code.claude.com/docs/en/hooks.md, v2026-06).
+//     `additionalContext` DOES reach the model, but only alongside a
+//     permissionDecision. For the safe-tool pre hooks (Read fanout hint, Edit
+//     impact summary) the elevation to `allow` is negligible and is what makes
+//     the carried context visible.
+//   - PostToolUse honors `additionalContext` permission-neutrally (no
+//     permissionDecision), so the Bash-side grep answer can be injected without
+//     skipping CC's default permission prompt for the underlying tool call.
+
+/**
+ * PreToolUse allow + additionalContext envelope (string, no trailing newline).
+ * Used by the safe-tool delivery hooks (pre-read-guide / pre-edit-guide) so
+ * their carried hint/impact text reaches the model instead of dying in the
+ * debug log.
+ * @param {string} text
+ * @returns {string} JSON line
+ */
+function emitPreToolAllowContext(text) {
+  return JSON.stringify({
+    hookSpecificOutput: {
+      hookEventName: 'PreToolUse',
+      permissionDecision: 'allow',
+      additionalContext: text,
+    },
+  });
+}
+
+/**
+ * PostToolUse additionalContext envelope (string, no trailing newline).
+ * Permission-neutral: NO permissionDecision, so the underlying Bash tool call's
+ * permission flow is untouched while the answer still reaches the model.
+ * @param {string} text
+ * @returns {string} JSON line
+ */
+function emitPostToolContext(text) {
+  return JSON.stringify({
+    hookSpecificOutput: {
+      hookEventName: 'PostToolUse',
+      additionalContext: text,
+    },
+  });
+}
+
+module.exports = { emitPreToolAllowContext, emitPostToolContext };

package/claude-plugin/scripts/hook-fire.test.js

@@ -17,8 +17,8 @@ const { hookFireWarning, analyzeHookDark } = require('./session-init');
 
 test('verifyHooksFire: all real registered hooks run cleanly (exit 0)', () => {
   const { ok, results } = verifyHooksFire();
-  // 3 PreToolUse + 1 PostToolUse + 1 UserPromptSubmit = 5 settings.json hooks
-  assert.ok(results.length >= 5, `expected >=5 hook probes, got ${results.length}`);
+  // 3 PreToolUse + 2 PostToolUse (incremental-index + compound-grep inject) + 1 UserPromptSubmit = 6 settings.json hooks
+  assert.ok(results.length >= 6, `expected >=6 hook probes, got ${results.length}`);
   for (const r of results) {
     assert.ok(r.ok, `hook ${r.label} (${r.script}) did not fire cleanly: code=${r.code} err=${r.error}`);
   }

package/claude-plugin/scripts/hooks.test.js

@@ -182,8 +182,8 @@ function allRegisteredHookCommands() {
 
 test('every registered hook script exists on disk', () => {
   const commands = allRegisteredHookCommands();
-  // 3 PreToolUse + 1 PostToolUse + 1 UserPromptSubmit + 1 SessionStart = 6
-  assert.ok(commands.length >= 6, `expected >=6 registered hook commands, got ${commands.length}`);
+  // 3 PreToolUse + 2 PostToolUse (incremental-index + compound-grep inject) + 1 UserPromptSubmit + 1 SessionStart = 7
+  assert.ok(commands.length >= 7, `expected >=7 registered hook commands, got ${commands.length}`);
   for (const cmd of commands) {
     const p = resolveHookScript(cmd);
     assert.ok(p, `could not extract a .js path from hook command: ${JSON.stringify(cmd)}`);
@@ -221,8 +221,8 @@ test('buildSettingsHookEntries: matcher surface is exactly the intended set', ()
   const setOf = (event) => (desired[event] || []).map(e => e.matcher).sort();
   assert.deepEqual(setOf('PreToolUse'), ['Bash', 'Edit', 'Read'],
     'PreToolUse matcher set changed — update this gate intentionally (does the new tool need a guide hook?)');
-  assert.deepEqual(setOf('PostToolUse'), ['Write|Edit'],
-    'PostToolUse matcher set changed — incremental-index re-index trigger surface must be deliberate');
+  assert.deepEqual(setOf('PostToolUse'), ['Bash', 'Write|Edit'],
+    'PostToolUse matcher set changed — incremental-index (Write|Edit) + compound-grep inject (Bash) trigger surface must be deliberate');
   assert.deepEqual(setOf('UserPromptSubmit'), [''],
     'UserPromptSubmit matcher set changed unexpectedly');
   assert.deepEqual(Object.keys(desired).sort(), ['PostToolUse', 'PreToolUse', 'UserPromptSubmit'],

package/claude-plugin/scripts/lifecycle.js

@@ -310,6 +310,7 @@ const OUR_HOOK_SCRIPTS = [
   'pre-edit-guide.js',
   'pre-grep-guide.js',   // v0.32.0 — was in plugin-cache only, never fired
   'pre-read-guide.js',   // v0.32.0 — was in plugin-cache only, never fired
+  'post-grep-inject.js', // compound-grep — PostToolUse(Bash) permission-neutral answer inject
 ];
 
 // Description markers — primary cleanup discriminator (immune to env/path
@@ -318,6 +319,7 @@ const OUR_HOOK_SCRIPTS = [
 const SETTINGS_HOOK_DESC = {
   preToolUse:       '[code-graph-mcp v0.32+] PreToolUse re-routed via settings.json (cache hooks.json silently ignored for this event by current CC)',
   postToolUseEdit:  '[code-graph-mcp v0.32+] PostToolUse Write|Edit incremental-index update',
+  postToolUseInject:'[code-graph-mcp v0.32+] PostToolUse Bash compound-grep answer inject (permission-neutral additionalContext)',
   userPromptSubmit: '[code-graph-mcp v0.32+] UserPromptSubmit context push',
 };
 
@@ -330,6 +332,7 @@ const OUR_DESCRIPTIONS = [
   // v0.32.0 — new re-route markers
   SETTINGS_HOOK_DESC.preToolUse,
   SETTINGS_HOOK_DESC.postToolUseEdit,
+  SETTINGS_HOOK_DESC.postToolUseInject,
   SETTINGS_HOOK_DESC.userPromptSubmit,
 ];
 
@@ -385,6 +388,7 @@ function buildSettingsHookEntries() {
     ],
     PostToolUse: [
       { description: SETTINGS_HOOK_DESC.postToolUseEdit, matcher: 'Write|Edit', hooks: [scriptCmd('incremental-index.js', 10)] },
+      { description: SETTINGS_HOOK_DESC.postToolUseInject, matcher: 'Bash', hooks: [scriptCmd('post-grep-inject.js', 5)] },
     ],
     UserPromptSubmit: [
       { description: SETTINGS_HOOK_DESC.userPromptSubmit, matcher: '', hooks: [scriptCmd('user-prompt-context.js', 5)] },
@@ -481,7 +485,11 @@ function surveyHookCoverage(settings) {
 function hookFirePayload(matcher) {
   switch (matcher) {
     case 'Bash':
-      return { tool_name: 'Bash', tool_input: { command: 'grep -rn someUniqueSymbol src/' } };
+      // A QUOTED, identifier-like pattern → classifyBlock-positive → the
+      // PreToolUse deny tier emits (the hint-tier dark stdout fallthrough was
+      // removed in the compound-grep change, so a non-foldable pattern would now
+      // produce no output and falsely read as "didn't fire").
+      return { tool_name: 'Bash', tool_input: { command: 'grep -rn "SomeUniqueSymbol" src/' } };
     case 'Read':
       return { tool_name: 'Read', tool_input: { file_path: 'src/example.rs' } };
     case 'Edit':

package/claude-plugin/scripts/post-grep-inject.js

@@ -0,0 +1,184 @@
+#!/usr/bin/env node
+'use strict';
+// PostToolUse(Bash) hook: deliver cg's AST-aware answer for a FOLDABLE grep that
+// rode inside a COMPOUND command and therefore flew past the PreToolUse deny gate
+// (`echo "..." && grep Sym tests/`, `git diff && grep ...`, `for s in …; do grep`).
+//
+// Why PostToolUse, not PreToolUse: the leading-grep deny path (pre-grep-guide)
+// only fires when the command HEAD is grep — a grep buried after a side-effecting
+// sibling has head=echo/git/for and is intentionally left alone there (denying the
+// whole compound command would also block the sibling). Those greps RUN, so the
+// only permission-neutral way to hand the model cg's structural view is a
+// PostToolUse `additionalContext` injection (CC docs v2026-06: PostToolUse honors
+// additionalContext; a PreToolUse `allow` would skip the default permission prompt
+// for the underlying Bash call, which we must not do).
+//
+// Reuses the PreToolUse pure predicates wholesale (feedback_hook_class_bug_sweep —
+// no inline copies of the grep gate): splitTopLevelSegments + classifyBlock pick
+// the foldable segment; pickBlockPattern / translateBreToRg / extractSearchPath +
+// sanitizeSearchPath + runGrepAnswer / runShowAnswer run the exact same answer the
+// deny path would have. Best-effort: any miss (no hits / unavailable / no binary)
+// exits silently with NO injection — an enhancement, never a new failure mode.
+
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+const { cgTmpDir } = require('./tmp-dir');
+const { recordRecommendation } = require('./recommendation-log');
+const { runGrepAnswer, runShowAnswer, sanitizeSearchPath } = require('./cg-answer');
+const { emitPostToolContext } = require('./hook-emit');
+const {
+  splitTopLevelSegments,
+  classifyBlock,
+  pickBlockPattern,
+  translateBreToRg,
+  extractSearchPath,
+  normalizeCommandPaths,
+  rebaseRelativePaths,
+  resolveProjectRoot,
+} = require('./pre-grep-guide');
+
+// The command HEAD is grep/rg/ag (or git grep, or a KEY=VALUE/env prefix). Kept
+// loosely aligned with pre-grep-guide's GREP_VERB; this only gates "is this
+// segment a search command" so the segment splitter doesn't have to.
+const GREP_HEAD = /^\s*(?:env\s+)?(?:[A-Za-z_][A-Za-z0-9_]*=\S*\s+)*(?:git\s+grep|grep|rg|ag)\b/;
+
+// --- Pure logic (testable) ---
+
+/**
+ * Find the FIRST foldable grep segment in a (possibly compound) command.
+ * Splits via splitTopLevelSegments (NOT on a single `|` — that is an output
+ * filter), then returns the first segment whose head is grep AND whose
+ * classifyBlock is non-null (the answerable symbol/show tier).
+ * @returns {{segment: string, block: {mode: string, symbols?: string[]}} | null}
+ */
+function findFoldableGrepSegment(cmd) {
+  if (!cmd || typeof cmd !== 'string') return null;
+  for (const segment of splitTopLevelSegments(cmd)) {
+    if (!GREP_HEAD.test(segment)) continue;
+    const block = classifyBlock(segment);
+    if (block) return { segment, block };
+  }
+  return null;
+}
+
+// Short header so the model recognizes this as cg's parallel structural view of
+// the grep it just ran (the grep already executed; this is additive context).
+const INJECT_HEADER = '[code-graph] AST-aware view of your grep (ran alongside):';
+
+function buildInjectText(answer, mode) {
+  const lines = [INJECT_HEADER, answer.text];
+  if (answer.truncated) {
+    lines.push(mode === 'show'
+      ? '(truncated — re-run the `code-graph-mcp show <symbol>` command above for full source)'
+      : '(truncated — run `code-graph-mcp grep "<pattern>"` yourself for the full list)');
+  }
+  lines.push('Each hit shows its containing fn/module — use these results directly.');
+  return lines.join('\n');
+}
+
+// Kill switch — matches the sibling-hook convention (pre-grep-guide.isSilenced).
+function isSilenced(env = process.env) {
+  return env.CODE_GRAPH_QUIET_HOOKS === '1';
+}
+
+// New per-this-hook opt-out (released-artifact requirement): =1 disables the
+// PostToolUse compound-grep injection entirely, independent of QUIET_HOOKS.
+function isInjectDisabled(env = process.env) {
+  return env.CODE_GRAPH_NO_INJECT === '1';
+}
+
+// Per-command cooldown, mirror of pre-grep-guide's flag pattern but with a
+// DISTINCT prefix so the two hooks never share a flag (a PreToolUse deny and a
+// PostToolUse inject for different commands must not suppress each other).
+function commandHash(cmd) {
+  return crypto.createHash('sha1').update(String(cmd)).digest('hex').slice(0, 12);
+}
+
+function flagPath(cmd) {
+  return path.join(cgTmpDir(), `.code-graph-postinject-${commandHash(cmd)}`);
+}
+
+function isOnCooldown(cmd, now = Date.now(), windowMs = 60000) {
+  try {
+    return now - fs.statSync(flagPath(cmd)).mtimeMs < windowMs;
+  } catch { return false; }
+}
+
+function markCooldown(cmd) {
+  try { fs.writeFileSync(flagPath(cmd), ''); } catch { /* ok */ }
+}
+
+// --- Main execution ---
+
+function runMain() {
+  if (isSilenced() || isInjectDisabled()) return;
+  // Walk up from the persistent shell cwd (subdir-cwd fix — shared resolver).
+  const shellCwd = process.cwd();
+  const root = resolveProjectRoot(shellCwd);
+  if (root === null) return;  // no index anywhere up to $HOME
+
+  let input;
+  try {
+    // fd 0, not '/dev/stdin': the path form fails ENXIO on socketpair stdin.
+    input = JSON.parse(fs.readFileSync(0, 'utf8'));
+  } catch { return; }
+
+  const rawCmd = (input.tool_input && input.tool_input.command) || '';
+  if (!rawCmd) return;
+
+  // Normalize abs paths under the root + rebase subdir-relative tokens, exactly
+  // like the PreToolUse path, so the segment classifier and the answer scope see
+  // root-relative paths. Cooldown stays keyed on the raw command.
+  let cmd = normalizeCommandPaths(rawCmd, root);
+  const relPrefix = path.relative(root, shellCwd);
+  if (relPrefix) cmd = rebaseRelativePaths(cmd, relPrefix, root);
+
+  const found = findFoldableGrepSegment(cmd);
+  if (!found) return;
+
+  if (isOnCooldown(rawCmd)) return;
+  markCooldown(rawCmd);
+
+  const { segment, block } = found;
+  // Run the answer exactly like the deny path.
+  const pattern = translateBreToRg(segment, pickBlockPattern(segment));
+  const searchPath = sanitizeSearchPath(extractSearchPath(segment));
+  let answer = { status: 'unavailable' };
+  let answeredMode = block.mode;
+  if (block.mode === 'show') {
+    answer = runShowAnswer({ cwd: root, symbols: block.symbols });
+    if (answer.status !== 'hits' && pattern) {
+      answeredMode = 'grep';
+      answer = runGrepAnswer({ cwd: root, pattern, searchPath });
+    }
+  } else if (pattern) {
+    answer = runGrepAnswer({ cwd: root, pattern, searchPath });
+  }
+
+  // Only inject on hits — no-hits / unavailable / no-binary stay silent (the grep
+  // already ran and produced its own output; a failed cg answer adds no value and
+  // 0 hits ≠ proof of absence given regex-dialect differences).
+  if (answer.status !== 'hits') return;
+
+  recordRecommendation(root, {
+    hook: 'grep', action: 'inject', answered: true,
+    ...(pattern ? { pattern } : {}),
+    mode: answeredMode,
+  });
+  process.stdout.write(emitPostToolContext(buildInjectText(answer, answeredMode)) + '\n');
+}
+
+if (require.main === module) {
+  runMain();
+}
+
+module.exports = {
+  findFoldableGrepSegment,
+  buildInjectText,
+  isSilenced,
+  isInjectDisabled,
+  commandHash,
+  isOnCooldown,
+  markCooldown,
+};

package/claude-plugin/scripts/post-grep-inject.test.js

@@ -0,0 +1,260 @@
+'use strict';
+const test = require('node:test');
+const assert = require('node:assert/strict');
+const { spawnSync } = require('child_process');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const { cgTmpDir } = require('./tmp-dir');
+
+const {
+  findFoldableGrepSegment,
+  isSilenced,
+  isInjectDisabled,
+  buildInjectText,
+  commandHash,
+} = require('./post-grep-inject');
+
+// ── Pure logic: findFoldableGrepSegment ─────────────────────────────
+// Reuses splitTopLevelSegments + classifyBlock from pre-grep-guide. The FIRST
+// segment whose head is grep AND whose classifyBlock is non-null is the foldable
+// grep to answer. Leading-grep foldable commands were DENIED in PreToolUse and
+// never ran → never reach PostToolUse, so no dedup is needed here.
+
+test('findFoldableGrepSegment: compound `echo && grep "Sym" tests/` → the grep segment', () => {
+  // classifyBlock requires a QUOTED, identifier-like pattern (the deny gate's
+  // contract); `EmbeddingModel` stands for the spec's illustrative `Sym`.
+  const seg = findFoldableGrepSegment('echo "x" && grep "EmbeddingModel" tests/');
+  assert.ok(seg, 'expected a foldable grep segment');
+  assert.equal(seg.segment, 'grep "EmbeddingModel" tests/');
+  assert.equal(seg.block.mode, 'grep');
+});
+
+test('findFoldableGrepSegment: `git diff && grep "Sym" src/` → the grep segment', () => {
+  const seg = findFoldableGrepSegment('git diff && grep "EmbeddingModel" src/');
+  assert.ok(seg);
+  assert.equal(seg.segment, 'grep "EmbeddingModel" src/');
+});
+
+test('findFoldableGrepSegment: `cargo test | grep FAIL` is an output filter → null', () => {
+  // single pipe is NOT a split → head stays `cargo`, not a foldable grep.
+  assert.equal(findFoldableGrepSegment('cargo test | grep FAIL'), null);
+});
+
+test('findFoldableGrepSegment: a leading non-compound grep is NOT folded here (PreToolUse denies it)', () => {
+  // A bare leading foldable grep is handled by PreToolUse deny; if it somehow
+  // reaches PostToolUse it still classifies, but the typical compound case is the
+  // target. We DO answer a lone classifyBlock-positive segment when present.
+  const seg = findFoldableGrepSegment('grep "EmbeddingModel" src/');
+  assert.ok(seg, 'a classifyBlock-positive grep segment is foldable');
+  assert.equal(seg.block.mode, 'grep');
+});
+
+test('findFoldableGrepSegment: non-foldable hint-tier grep (marker) → null', () => {
+  // bare TODO marker passes shouldHint but classifyBlock is null → not foldable.
+  assert.equal(findFoldableGrepSegment('echo hi && grep "TODO" src/'), null);
+});
+
+test('findFoldableGrepSegment: no grep anywhere → null', () => {
+  assert.equal(findFoldableGrepSegment('cargo build && cargo test'), null);
+});
+
+test('findFoldableGrepSegment: for-loop body grep is isolated and folded', () => {
+  const seg = findFoldableGrepSegment('for s in a b; do grep "EmbeddingModel" src/; done');
+  assert.ok(seg, 'loop-body grep must be foldable');
+  assert.match(seg.segment, /grep "EmbeddingModel" src\//);
+});
+
+test('findFoldableGrepSegment: empty / non-string → null', () => {
+  assert.equal(findFoldableGrepSegment(''), null);
+  assert.equal(findFoldableGrepSegment(null), null);
+});
+
+test('findFoldableGrepSegment: show-mode (decl anchor + context flag) classifies as show', () => {
+  const seg = findFoldableGrepSegment('echo go && grep "fn handle_message" -A 5 src/');
+  assert.ok(seg);
+  assert.equal(seg.block.mode, 'show');
+  assert.deepEqual(seg.block.symbols, ['handle_message']);
+});
+
+// ── buildInjectText ─────────────────────────────────────────────────
+
+test('buildInjectText: carries a header + the answer text', () => {
+  const out = buildInjectText({ text: 'src/foo.rs:7  fn x()', truncated: false }, 'grep');
+  assert.match(out, /AST-aware view of your grep/);
+  assert.match(out, /src\/foo\.rs:7/);
+});
+
+test('buildInjectText: truncation note appended when truncated', () => {
+  const out = buildInjectText({ text: 'hit', truncated: true }, 'grep');
+  assert.match(out, /truncated/);
+});
+
+test('buildInjectText: no truncation note when not truncated', () => {
+  const out = buildInjectText({ text: 'hit', truncated: false }, 'grep');
+  assert.doesNotMatch(out, /truncated/);
+});
+
+// ── opt-out / kill switch ───────────────────────────────────────────
+
+test('isSilenced: CODE_GRAPH_QUIET_HOOKS=1 → silenced; default not', () => {
+  assert.equal(isSilenced({ CODE_GRAPH_QUIET_HOOKS: '1' }), true);
+  assert.equal(isSilenced({}), false);
+});
+
+test('isInjectDisabled: CODE_GRAPH_NO_INJECT=1 → disabled; default not', () => {
+  assert.equal(isInjectDisabled({ CODE_GRAPH_NO_INJECT: '1' }), true);
+  assert.equal(isInjectDisabled({ CODE_GRAPH_NO_INJECT: '0' }), false);
+  assert.equal(isInjectDisabled({}), false);
+});
+
+// ── e2e: real spawn with stub binary (mirrors pre-grep-guide harness) ──
+// PostToolUse-shaped stdin {tool_input:{command:"..."}}; assert on
+// hookSpecificOutput.additionalContext.
+
+function e2eFixture(stubBody) {
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'post-grep-e2e-'));
+  fs.mkdirSync(path.join(dir, '.code-graph'), { recursive: true });
+  fs.writeFileSync(path.join(dir, '.code-graph', 'index.db'), '');
+  const stub = path.join(dir, 'cg-stub.js');
+  fs.writeFileSync(stub, '#!/usr/bin/env node\n' + stubBody);
+  fs.chmodSync(stub, 0o755);
+  return { dir, stub };
+}
+
+function runHook(cmd, fixture, extraEnv = {}, cwdOverride) {
+  return spawnSync(process.execPath, [path.join(__dirname, 'post-grep-inject.js')], {
+    cwd: cwdOverride || fixture.dir,
+    input: JSON.stringify({ tool_input: { command: cmd } }),
+    encoding: 'utf8',
+    env: {
+      ...process.env,
+      _CG_ANSWER_BINARY: fixture.stub,
+      CODE_GRAPH_QUIET_HOOKS: '0',
+      CODE_GRAPH_NO_INJECT: '0',
+      ...extraEnv,
+    },
+  });
+}
+
+function cleanupFixture(fixture, cmd) {
+  fs.rmSync(fixture.dir, { recursive: true, force: true });
+  try {
+    fs.unlinkSync(path.join(cgTmpDir(), `.code-graph-postinject-${commandHash(cmd)}`));
+  } catch { /* ok */ }
+}
+
+test('e2e: `echo "x" && grep Sym tests/` → injects additionalContext with the stub hits + records inject', () => {
+  const uniq = `PostHit${Date.now()}`;
+  const fixture = e2eFixture(
+    `process.stdout.write('tests/foo.rs:7  fn ' + process.argv[3] + '()\\n');`);
+  const cmd = `echo "x" && grep "${uniq}" tests/`;
+  try {
+    const res = runHook(cmd, fixture);
+    assert.equal(res.status, 0);
+    const out = JSON.parse(res.stdout);
+    assert.equal(out.hookSpecificOutput.hookEventName, 'PostToolUse');
+    assert.equal(out.hookSpecificOutput.permissionDecision, undefined,
+      'PostToolUse inject must be permission-neutral (no permissionDecision)');
+    assert.match(out.hookSpecificOutput.additionalContext, new RegExp(uniq));
+    assert.match(out.hookSpecificOutput.additionalContext, /tests\/foo\.rs:7/);
+    const recs = fs.readFileSync(
+      path.join(fixture.dir, '.code-graph', 'recommendations.jsonl'), 'utf8');
+    const rec = JSON.parse(recs.trim().split('\n').pop());
+    assert.equal(rec.action, 'inject');
+    assert.equal(rec.answered, true);
+    assert.equal(rec.hook, 'grep');
+    assert.equal(rec.pattern, uniq);
+  } finally {
+    cleanupFixture(fixture, cmd);
+  }
+});
+
+test('e2e: `git diff && grep Sym src/` → inject', () => {
+  const uniq = `GitDiffHit${Date.now()}`;
+  const fixture = e2eFixture(
+    `process.stdout.write('src/foo.rs:9  fn ' + process.argv[3] + '()\\n');`);
+  const cmd = `git diff && grep "${uniq}" src/`;
+  try {
+    const res = runHook(cmd, fixture);
+    assert.equal(res.status, 0);
+    const out = JSON.parse(res.stdout);
+    assert.match(out.hookSpecificOutput.additionalContext, new RegExp(uniq));
+  } finally {
+    cleanupFixture(fixture, cmd);
+  }
+});
+
+test('e2e: `cargo test | grep FAIL` → no inject (output filter)', () => {
+  const fixture = e2eFixture(`process.stdout.write('should not run\\n');`);
+  const cmd = `cargo test | grep FAIL`;
+  try {
+    const res = runHook(cmd, fixture);
+    assert.equal(res.status, 0);
+    assert.equal(res.stdout.trim(), '', 'an output-filter pipe must not inject');
+  } finally {
+    cleanupFixture(fixture, cmd);
+  }
+});
+
+test('e2e: stub reports no hits → silent (no inject)', () => {
+  const uniq = `PostMiss${Date.now()}`;
+  const fixture = e2eFixture(
+    `process.stdout.write('[code-graph] No matches\\n');`);
+  const cmd = `echo go && grep "${uniq}" src/`;
+  try {
+    const res = runHook(cmd, fixture);
+    assert.equal(res.status, 0);
+    assert.equal(res.stdout.trim(), '', 'no-hits must inject nothing');
+  } finally {
+    cleanupFixture(fixture, cmd);
+  }
+});
+
+test('e2e: CODE_GRAPH_NO_INJECT=1 silences the hook', () => {
+  const uniq = `PostOptout${Date.now()}`;
+  const fixture = e2eFixture(`process.stdout.write('src/foo.rs:7  hit\\n');`);
+  const cmd = `echo go && grep "${uniq}" src/`;
+  try {
+    const res = runHook(cmd, fixture, { CODE_GRAPH_NO_INJECT: '1' });
+    assert.equal(res.status, 0);
+    assert.equal(res.stdout.trim(), '', 'opt-out must silence the inject');
+  } finally {
+    cleanupFixture(fixture, cmd);
+  }
+});
+
+test('e2e: per-command cooldown — verbatim re-run within window injects only once', () => {
+  const uniq = `PostCool${Date.now()}`;
+  const fixture = e2eFixture(`process.stdout.write('src/foo.rs:7  hit\\n');`);
+  const cmd = `echo go && grep "${uniq}" src/`;
+  try {
+    const r1 = runHook(cmd, fixture);
+    assert.notEqual(r1.stdout.trim(), '', 'first run injects');
+    const r2 = runHook(cmd, fixture);
+    assert.equal(r2.stdout.trim(), '', 'second run within cooldown is silent');
+  } finally {
+    cleanupFixture(fixture, cmd);
+  }
+});
+
+test('e2e: no index up to $HOME → silent exit 0', () => {
+  // A cwd with no .code-graph anywhere up the tree resolves to null root → exit.
+  const bare = fs.mkdtempSync(path.join(os.tmpdir(), 'post-grep-noidx-'));
+  const stub = path.join(bare, 'cg-stub.js');
+  fs.writeFileSync(stub, '#!/usr/bin/env node\nprocess.stdout.write("hit\\n");');
+  fs.chmodSync(stub, 0o755);
+  const cmd = `echo go && grep "FooBar" src/`;
+  try {
+    const res = spawnSync(process.execPath, [path.join(__dirname, 'post-grep-inject.js')], {
+      cwd: bare,
+      input: JSON.stringify({ tool_input: { command: cmd } }),
+      encoding: 'utf8',
+      env: { ...process.env, _CG_ANSWER_BINARY: stub, HOME: bare, CODE_GRAPH_QUIET_HOOKS: '0' },
+    });
+    assert.equal(res.status, 0);
+    assert.equal(res.stdout.trim(), '');
+  } finally {
+    fs.rmSync(bare, { recursive: true, force: true });
+  }
+});

package/claude-plugin/scripts/pre-edit-guide.js

@@ -14,6 +14,7 @@ const { cgTmpDir } = require('./tmp-dir');
 const { resolveProjectRoot } = require('./project-root');
 const { recordRecommendation } = require('./recommendation-log');
 const { formatCoveringTests } = require('./covering-tests');
+const { emitPreToolAllowContext } = require('./hook-emit');
 
 // v0.49 — walk up from the shell cwd (subdir-cwd fix). The per-cwd index.db
 // gate kept this hook dark for entire sessions after `cd backend/` — daagu
@@ -211,4 +212,10 @@ summary += formatCoveringTests(jsonResult.test_callers, editedFile);
 // fire with the count alone — the verdict must stay coherent either way.
 summary += `  → Before this edit: confirm each caller of ${symbol}() still holds with your change, or note why it is unaffected.\n`;
 
-process.stdout.write(summary);
+// Compound-grep sibling sweep: deliver via the PreToolUse allow+additionalContext
+// envelope (shared hook-emit.js). Bare stdout on a PreToolUse exit-0 lands in the
+// debug log only and never reaches the model (CC docs v2026-06); additionalContext
+// is what actually surfaces the impact summary. Impact must stay PRE-edit (so the
+// reconciliation happens before the change), hence allow + additionalContext, not
+// a PostToolUse inject.
+process.stdout.write(emitPreToolAllowContext(summary) + '\n');

package/claude-plugin/scripts/pre-edit-guide.test.js

@@ -197,3 +197,22 @@ test('covering-tests: edit injection records test_targets for the forward funnel
   const source = fs.readFileSync(path.join(__dirname, 'pre-edit-guide.js'), 'utf8');
   assert.match(source, /test_targets:/);
 });
+
+// ── Compound-grep sibling sweep: impact summary → additionalContext ──
+// Bare `process.stdout.write(summary)` on a PreToolUse exit-0 lands in the debug
+// log only and never reaches the model (CC docs v2026-06). The impact summary
+// must ride the shared PreToolUse allow+additionalContext envelope instead.
+// Source-grep, same convention as the salience/pattern-sync guards (hook exits
+// on require: reads stdin, resolves the index).
+
+test('emit: impact summary is delivered via the PreToolUse allow+additionalContext envelope', () => {
+  const fs = require('node:fs');
+  const path = require('node:path');
+  const source = fs.readFileSync(path.join(__dirname, 'pre-edit-guide.js'), 'utf8');
+  assert.match(source, /require\(['"]\.\/hook-emit['"]\)/,
+    'pre-edit-guide must use the shared hook-emit module (no inline envelope copy)');
+  assert.match(source, /emitPreToolAllowContext\(summary\)/,
+    'the impact summary must be carried inside additionalContext, not bare stdout');
+  assert.doesNotMatch(source, /process\.stdout\.write\(summary\)\s*;/,
+    'the bare stdout summary emission (debug-log-only) must be removed');
+});

package/claude-plugin/scripts/pre-grep-guide.js

@@ -382,6 +382,74 @@ function pickBlockPattern(cmd) {
   return extractPatterns(cmd).find(p => IDENTIFIER_LIKE.test(p));
 }
 
+// Compound-grep PostToolUse splitter. Split a command into top-level segments on
+// `&&`, `||`, `;`, newline, and shell `for … in` / `do` / `done` control-word
+// boundaries — but NOT on a single `|`: a `cargo test | grep X` is an OUTPUT
+// FILTER (its head stays `cargo`, so it is excluded from folding), exactly as
+// PIPE_INTO_GREP treats it in the PreToolUse path. Quote-aware: separators
+// inside single/double quotes are literal command text, never split points.
+// Returns trimmed, non-empty segments. Shared by post-grep-inject so the
+// PostToolUse path reuses this splitter instead of copying it.
+function splitTopLevelSegments(cmd) {
+  if (!cmd || typeof cmd !== 'string') return [];
+  const segs = [];
+  let cur = '';
+  let quote = null;
+  for (let i = 0; i < cmd.length; i++) {
+    const c = cmd[i];
+    if (quote) {
+      cur += c;
+      // Inside DOUBLE quotes a backslash escapes the next char, so `\"` does NOT
+      // close the quote (POSIX). Single quotes do no escaping — `\` is literal
+      // and `'` always closes — so this only applies to `"`. Without it,
+      // `echo "x\" && grep \"Y\" src/"` (one literal echo arg) mis-closes at
+      // `\"`, splits on `&&`, and yields a phantom foldable grep segment.
+      if (quote === '"' && c === '\\' && i + 1 < cmd.length) {
+        cur += cmd[i + 1];
+        i++;
+        continue;
+      }
+      if (c === quote) quote = null;
+      continue;
+    }
+    if (c === '"' || c === "'") { quote = c; cur += c; continue; }
+    // `&&` and `||` (a single `&`/`|` is NOT a split — `|` is an output-filter
+    // pipe, lone `&` is background and rare in tool calls).
+    if ((c === '&' && cmd[i + 1] === '&') || (c === '|' && cmd[i + 1] === '|')) {
+      segs.push(cur); cur = ''; i++; continue;
+    }
+    if (c === ';' || c === '\n') { segs.push(cur); cur = ''; continue; }
+    cur += c;
+  }
+  segs.push(cur);
+  // Split out `for … in` / `do` / `done` control words as their own boundaries
+  // so a loop body grep is isolated (the head of `for s in …; do grep …` is the
+  // `for` keyword, which would otherwise mask the grep). Quote-safety already
+  // handled above — these run per already-split segment on whitespace-delimited
+  // control words only.
+  const out = [];
+  const CTRL = /(?:^|\s)(for\s+\S+\s+in\b|do\b|done\b|then\b|fi\b)(?=\s|$)/g;
+  for (const raw of segs) {
+    let last = 0;
+    let m;
+    CTRL.lastIndex = 0;
+    let pushed = false;
+    while ((m = CTRL.exec(raw)) !== null) {
+      const before = raw.slice(last, m.index);
+      if (before.trim()) out.push(before);
+      last = CTRL.lastIndex;
+      pushed = true;
+    }
+    if (pushed) {
+      const tail = raw.slice(last);
+      if (tail.trim()) out.push(tail);
+    } else {
+      out.push(raw);
+    }
+  }
+  return out.map(s => s.trim()).filter(Boolean);
+}
+
 function commandHash(cmd) {
   return crypto.createHash('sha1').update(cmd).digest('hex').slice(0, 12);
 }
@@ -664,8 +732,14 @@ function runMain() {
     return;
   }
 
-  recordRecommendation(root, { hook: 'grep', action: 'hint' });
-  process.stdout.write(buildHint() + '\n');
+  // Compound-grep change: the dark-stdout HINT fallthrough was DELETED. A grep
+  // that passes shouldHint but NOT classifyBlock used to record action:'hint'
+  // and write buildHint() to stdout — but PreToolUse exit-0 plain stdout goes to
+  // the DEBUG LOG ONLY and never reaches the model (CC docs v2026-06). It was
+  // pure noise. These hint-tier greps (unanswerable-flag / marker / multi-path)
+  // are exactly the cases cg cannot fold, so silence is correct: the model's own
+  // grep runs unimpeded. classifyBlock-positive compound greps are now picked up
+  // permission-neutrally by the PostToolUse post-grep-inject hook.
 }
 
 if (require.main === module) {
@@ -676,6 +750,7 @@ module.exports = {
   shouldHint,
   shouldBlock,
   classifyBlock,         // v0.49 — intent-aware block tiers
+  splitTopLevelSegments, // compound-grep — quote-aware top-level segment splitter (PostToolUse reuse)
   extractDeclSymbols,    // v0.49 — show-mode symbol extraction
   translateBreToRg,      // v0.49 — BRE→rust-regex dialect bridge
   buildShowDenyReason,   // v0.49 — show-mode deny copy

package/claude-plugin/scripts/pre-grep-guide.test.js

@@ -5,6 +5,7 @@ const {
   shouldHint,
   shouldBlock,
   classifyBlock,
+  splitTopLevelSegments,
   countNamedPaths,
   extractDeclSymbols,
   translateBreToRg,
@@ -1529,3 +1530,93 @@ test('extractSedReadTargets: pipeline sed after grep still extracted', () => {
     extractSedReadTargets('grep -n "x" src/a.py | sed -n 1,5p src/b.py'),
     ['src/b.py']);
 });
+
+// ── splitTopLevelSegments (compound-grep PostToolUse §1) ─────────────
+// Quote-aware top-level splitter shared by post-grep-inject. Splits on &&, ||,
+// ;, newline, and for…in / do / done boundaries — NOT on a single `|` (so a
+// pipe-into-grep keeps head=cargo and is recognized as an output filter).
+
+test('splitTopLevelSegments: && joins two commands → two segments', () => {
+  assert.deepEqual(
+    splitTopLevelSegments('echo "x" && grep Sym tests/'),
+    ['echo "x"', 'grep Sym tests/']);
+});
+
+test('splitTopLevelSegments: ; and || are top-level separators', () => {
+  assert.deepEqual(
+    splitTopLevelSegments('git diff; grep Sym src/ || echo none'),
+    ['git diff', 'grep Sym src/', 'echo none']);
+});
+
+test('splitTopLevelSegments: a single pipe is NOT a separator (output filter)', () => {
+  // cargo test | grep X must keep head=cargo so it reads as an output filter,
+  // NOT a foldable grep segment.
+  assert.deepEqual(
+    splitTopLevelSegments('cargo test | grep FAIL'),
+    ['cargo test | grep FAIL']);
+});
+
+test('splitTopLevelSegments: for … in / do / done are segment boundaries', () => {
+  const segs = splitTopLevelSegments('for s in a b; do grep "$s" src/; done');
+  // the grep body is isolated as its own segment
+  assert.ok(segs.some(seg => /grep "\$s" src\//.test(seg)),
+    `grep body not isolated: ${JSON.stringify(segs)}`);
+  // the for-header / do / done keywords are not glued onto the grep
+  assert.ok(!segs.some(seg => /for s in/.test(seg) && /grep/.test(seg)),
+    `for-header glued to grep: ${JSON.stringify(segs)}`);
+});
+
+test('splitTopLevelSegments: separators inside quotes are literal, not splits', () => {
+  assert.deepEqual(
+    splitTopLevelSegments('grep "a && b; c" src/'),
+    ['grep "a && b; c" src/']);
+  assert.deepEqual(
+    splitTopLevelSegments("grep 'x || y' src/"),
+    ["grep 'x || y' src/"]);
+});
+
+test('splitTopLevelSegments: backslash-escaped quote inside double quotes does NOT close (no phantom segment)', () => {
+  // One literal echo arg — the \" must not close the quote, so && stays inside
+  // the string and no foldable `grep` segment is split out. (review L1)
+  assert.deepEqual(
+    splitTopLevelSegments('echo "x\\" && grep \\"Y\\" src/ rest"'),
+    ['echo "x\\" && grep \\"Y\\" src/ rest"']);
+  // Single quotes do NOT process backslashes (POSIX): a real separator after a
+  // closed single-quoted string still splits.
+  assert.deepEqual(
+    splitTopLevelSegments("echo 'a\\' && grep Sym src/"),
+    ["echo 'a\\'", 'grep Sym src/']);
+});
+
+test('splitTopLevelSegments: newline is a separator', () => {
+  assert.deepEqual(
+    splitTopLevelSegments('echo hi\ngrep Sym src/'),
+    ['echo hi', 'grep Sym src/']);
+});
+
+test('splitTopLevelSegments: empty / non-string → empty array', () => {
+  assert.deepEqual(splitTopLevelSegments(''), []);
+  assert.deepEqual(splitTopLevelSegments(null), []);
+  assert.deepEqual(splitTopLevelSegments(undefined), []);
+});
+
+test('splitTopLevelSegments: trims and drops empty segments', () => {
+  assert.deepEqual(
+    splitTopLevelSegments('  echo a  ;;  grep Sym src/  '),
+    ['echo a', 'grep Sym src/']);
+});
+
+// The dark-hint fallthrough (action:'hint' + stdout buildHint) was DELETED in
+// the compound-grep change: a grep that passes shouldHint but not classifyBlock
+// now exits silently from PreToolUse (PostToolUse handles only classifyBlock
+// non-null cases). buildHint stays exported (referenced above) but is never
+// emitted by the runMain hint tier.
+test('source-text: PreToolUse no longer emits the dark stdout hint fallthrough', () => {
+  const fs = require('node:fs');
+  const path = require('node:path');
+  const src = fs.readFileSync(path.join(__dirname, 'pre-grep-guide.js'), 'utf8');
+  assert.doesNotMatch(src, /process\.stdout\.write\(buildHint\(\)/,
+    'the dark hint stdout emission must be removed (PreToolUse exit-0 stdout is debug-log-only)');
+  assert.doesNotMatch(src, /action:\s*'hint'\s*\}\);\s*\n\s*process\.stdout\.write\(buildHint/,
+    'the hint-tier recordRecommendation + buildHint pair must be removed');
+});

package/claude-plugin/scripts/pre-read-guide.js

@@ -29,6 +29,7 @@ const { cgTmpDir } = require('./tmp-dir');
 const { recordRecommendation } = require('./recommendation-log');
 const { resolveProjectRoot } = require('./project-root');
 const { runOverviewAnswer } = require('./cg-answer');
+const { emitPreToolAllowContext } = require('./hook-emit');
 
 // --- Configuration ---
 
@@ -185,7 +186,13 @@ function trackReadAndMaybeHint(root, rel, now = Date.now()) {
     // so the read-fanout funnel can tell a dark flagship apart from no result.
     ...(answered ? {} : { reason: answer.status }),
   });
-  process.stdout.write((answered ? buildHintWithAnswer(dir, answer) : buildHint(dir)) + '\n');
+  // Compound-grep sibling sweep: emit via the PreToolUse allow+additionalContext
+  // envelope (shared hook-emit.js). Bare stdout on a PreToolUse exit-0 lands in
+  // the debug log only and never reaches the model (CC docs v2026-06); the
+  // additionalContext channel is what actually surfaces the fanout hint. Read is
+  // a safe tool, so the allow elevation is negligible.
+  const hintText = answered ? buildHintWithAnswer(dir, answer) : buildHint(dir);
+  process.stdout.write(emitPreToolAllowContext(hintText) + '\n');
   return true;
 }
 

package/claude-plugin/scripts/pre-read-guide.test.js

@@ -279,7 +279,15 @@ test('trackReadAndMaybeHint: fires on 5th read with stubbed overview answer', ()
       fired = trackReadAndMaybeHint(root, 'src/storage/file' + i + '.rs');
     }
     assert.equal(fired, true, '5th same-dir read must fire');
-    assert.match(written.join(''), /Module overview stub/, 'hint must EMBED the overview answer');
+    // Compound-grep sibling sweep: the fanout hint is now emitted as a
+    // PreToolUse allow+additionalContext envelope (was bare stdout, which CC
+    // routes to the debug log only and never shows the model). The overview
+    // answer must ride inside additionalContext.
+    const emitted = JSON.parse(written.join(''));
+    assert.equal(emitted.hookSpecificOutput.hookEventName, 'PreToolUse');
+    assert.equal(emitted.hookSpecificOutput.permissionDecision, 'allow');
+    assert.match(emitted.hookSpecificOutput.additionalContext, /Module overview stub/,
+      'hint must EMBED the overview answer in additionalContext');
     const recs = fs.readFileSync(path.join(root, '.code-graph', 'recommendations.jsonl'), 'utf8');
     assert.match(recs, /"hook":"read"/);
     assert.match(recs, /"answered":true/);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sdsrs/code-graph",
-  "version": "0.72.0",
+  "version": "0.73.0",
   "description": "MCP server that indexes codebases into an AST knowledge graph with semantic search, call graph traversal, and HTTP route tracing",
   "license": "MIT",
   "repository": {
@@ -35,10 +35,10 @@
     "node": ">=16"
   },
   "optionalDependencies": {
-    "@sdsrs/code-graph-linux-x64": "0.72.0",
-    "@sdsrs/code-graph-linux-arm64": "0.72.0",
-    "@sdsrs/code-graph-darwin-x64": "0.72.0",
-    "@sdsrs/code-graph-darwin-arm64": "0.72.0",
-    "@sdsrs/code-graph-win32-x64": "0.72.0"
+    "@sdsrs/code-graph-linux-x64": "0.73.0",
+    "@sdsrs/code-graph-linux-arm64": "0.73.0",
+    "@sdsrs/code-graph-darwin-x64": "0.73.0",
+    "@sdsrs/code-graph-darwin-arm64": "0.73.0",
+    "@sdsrs/code-graph-win32-x64": "0.73.0"
   }
 }