@soleri/cli 9.4.0 → 9.5.0

package/src/hook-packs/flock-guard/manifest.json

@@ -0,0 +1,36 @@
+{
+  "name": "flock-guard",
+  "version": "1.0.0",
+  "description": "Parallel agent lock guard — prevents lockfile corruption when multiple agents run in worktrees by using atomic mkdir-based locking across PreToolUse/PostToolUse",
+  "hooks": [],
+  "scripts": [
+    {
+      "name": "flock-guard-pre",
+      "file": "flock-guard-pre.sh",
+      "targetDir": "hooks"
+    },
+    {
+      "name": "flock-guard-post",
+      "file": "flock-guard-post.sh",
+      "targetDir": "hooks"
+    }
+  ],
+  "lifecycleHooks": [
+    {
+      "event": "PreToolUse",
+      "matcher": "Bash",
+      "type": "command",
+      "command": "sh ~/.claude/hooks/flock-guard-pre.sh",
+      "timeout": 10,
+      "statusMessage": "Checking lockfile guard..."
+    },
+    {
+      "event": "PostToolUse",
+      "matcher": "Bash",
+      "type": "command",
+      "command": "sh ~/.claude/hooks/flock-guard-post.sh",
+      "timeout": 10,
+      "statusMessage": "Releasing lockfile guard..."
+    }
+  ]
+}

package/src/hook-packs/flock-guard/scripts/flock-guard-post.sh

@@ -0,0 +1,48 @@
+#!/bin/sh
+# Flock Guard — PostToolUse lock release (Soleri Hook Pack: flock-guard)
+# Releases the lock after a lockfile-modifying command completes.
+# Dependencies: jq
+# POSIX sh compatible.
+
+set -eu
+
+INPUT=$(cat)
+
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+if [ -z "$CMD" ]; then
+  exit 0
+fi
+
+# Strip quoted strings (same logic as pre script)
+STRIPPED=$(printf '%s' "$CMD" | sed -e "s/<<'[A-Za-z_]*'.*//g" -e 's/<<[A-Za-z_]*.*//g' 2>/dev/null || printf '%s' "$CMD")
+STRIPPED=$(printf '%s' "$STRIPPED" | sed 's/"[^"]*"//g' 2>/dev/null || printf '%s' "$STRIPPED")
+STRIPPED=$(printf '%s' "$STRIPPED" | sed "s/'[^']*'//g" 2>/dev/null || printf '%s' "$STRIPPED")
+
+# Check if command modifies lockfiles (same patterns as pre)
+IS_LOCKFILE_CMD=false
+printf '%s' "$STRIPPED" | grep -qE '(^|\s|;|&&|\|\|)npm\s+(install|ci)(\s|$|;)' && IS_LOCKFILE_CMD=true
+printf '%s' "$STRIPPED" | grep -qE '(^|\s|;|&&|\|\|)yarn(\s+install)?(\s|$|;)' && IS_LOCKFILE_CMD=true
+printf '%s' "$STRIPPED" | grep -qE '(^|\s|;|&&|\|\|)pnpm\s+install(\s|$|;)' && IS_LOCKFILE_CMD=true
+printf '%s' "$STRIPPED" | grep -qE '(^|\s|;|&&|\|\|)cargo\s+(build|update)(\s|$|;)' && IS_LOCKFILE_CMD=true
+printf '%s' "$STRIPPED" | grep -qE '(^|\s|;|&&|\|\|)pip[3]?\s+install(\s|$|;)' && IS_LOCKFILE_CMD=true
+
+if [ "$IS_LOCKFILE_CMD" = false ]; then
+  exit 0
+fi
+
+# Release lock
+PROJECT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd)
+PROJECT_HASH=$(printf '%s' "$PROJECT_ROOT" | shasum | cut -c1-8)
+LOCK_DIR="${TMPDIR:-${TEMP:-/tmp}}/soleri-guard-${PROJECT_HASH}.lock"
+
+# Only release if we own it
+SESSION_ID="${CLAUDE_SESSION_ID:-$$}"
+if [ -f "$LOCK_DIR/lock.json" ]; then
+  LOCK_AGENT=$(jq -r '.agentId // ""' "$LOCK_DIR/lock.json" 2>/dev/null || echo "")
+  if [ "$LOCK_AGENT" = "$SESSION_ID" ]; then
+    rm -rf "$LOCK_DIR"
+  fi
+fi
+
+# PostToolUse never blocks
+exit 0

package/src/hook-packs/flock-guard/scripts/flock-guard-pre.sh

@@ -0,0 +1,85 @@
+#!/bin/sh
+# Flock Guard — PreToolUse lock acquisition (Soleri Hook Pack: flock-guard)
+# Acquires atomic mkdir-based lock before lockfile-modifying commands.
+# Dependencies: jq
+# POSIX sh compatible.
+
+set -eu
+
+INPUT=$(cat)
+
+# Extract command from stdin JSON
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+if [ -z "$CMD" ]; then
+  exit 0
+fi
+
+# Strip quoted strings to avoid false positives (same as anti-deletion.sh)
+STRIPPED=$(printf '%s' "$CMD" | sed -e "s/<<'[A-Za-z_]*'.*//g" -e 's/<<[A-Za-z_]*.*//g' 2>/dev/null || printf '%s' "$CMD")
+STRIPPED=$(printf '%s' "$STRIPPED" | sed 's/"[^"]*"//g' 2>/dev/null || printf '%s' "$STRIPPED")
+STRIPPED=$(printf '%s' "$STRIPPED" | sed "s/'[^']*'//g" 2>/dev/null || printf '%s' "$STRIPPED")
+
+# Check if command modifies lockfiles
+IS_LOCKFILE_CMD=false
+# npm install (but not npm run, npm test, etc.)
+printf '%s' "$STRIPPED" | grep -qE '(^|\s|;|&&|\|\|)npm\s+install(\s|$|;)' && IS_LOCKFILE_CMD=true
+printf '%s' "$STRIPPED" | grep -qE '(^|\s|;|&&|\|\|)npm\s+ci(\s|$|;)' && IS_LOCKFILE_CMD=true
+# yarn (bare yarn or yarn install)
+printf '%s' "$STRIPPED" | grep -qE '(^|\s|;|&&|\|\|)yarn(\s+install)?(\s|$|;)' && IS_LOCKFILE_CMD=true
+# pnpm install
+printf '%s' "$STRIPPED" | grep -qE '(^|\s|;|&&|\|\|)pnpm\s+install(\s|$|;)' && IS_LOCKFILE_CMD=true
+# cargo build / cargo update
+printf '%s' "$STRIPPED" | grep -qE '(^|\s|;|&&|\|\|)cargo\s+(build|update)(\s|$|;)' && IS_LOCKFILE_CMD=true
+# pip install
+printf '%s' "$STRIPPED" | grep -qE '(^|\s|;|&&|\|\|)pip[3]?\s+install(\s|$|;)' && IS_LOCKFILE_CMD=true
+
+if [ "$IS_LOCKFILE_CMD" = false ]; then
+  exit 0
+fi
+
+# Compute project-specific lock path
+PROJECT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd)
+PROJECT_HASH=$(printf '%s' "$PROJECT_ROOT" | shasum | cut -c1-8)
+LOCK_DIR="${TMPDIR:-${TEMP:-/tmp}}/soleri-guard-${PROJECT_HASH}.lock"
+LOCK_JSON="$LOCK_DIR/lock.json"
+STALE_TIMEOUT=30
+SESSION_ID="${CLAUDE_SESSION_ID:-$$}"
+
+# Try to acquire lock (mkdir is atomic on POSIX)
+if mkdir "$LOCK_DIR" 2>/dev/null; then
+  # Lock acquired — write state
+  printf '{"agentId":"%s","timestamp":%d,"command":"%s"}' "$SESSION_ID" "$(date +%s)" "$CMD" > "$LOCK_JSON"
+  exit 0
+fi
+
+# Lock held — check staleness
+if [ -f "$LOCK_JSON" ]; then
+  LOCK_TIME=$(jq -r '.timestamp // 0' "$LOCK_JSON" 2>/dev/null || echo 0)
+  NOW=$(date +%s)
+  AGE=$((NOW - LOCK_TIME))
+
+  LOCK_AGENT=$(jq -r '.agentId // "unknown"' "$LOCK_JSON" 2>/dev/null || echo "unknown")
+
+  # Same agent — allow reentry
+  if [ "$LOCK_AGENT" = "$SESSION_ID" ]; then
+    # Refresh timestamp
+    printf '{"agentId":"%s","timestamp":%d,"command":"%s"}' "$SESSION_ID" "$NOW" "$CMD" > "$LOCK_JSON"
+    exit 0
+  fi
+
+  # Stale lock — clean and retry
+  if [ "$AGE" -gt "$STALE_TIMEOUT" ]; then
+    rm -rf "$LOCK_DIR"
+    if mkdir "$LOCK_DIR" 2>/dev/null; then
+      printf '{"agentId":"%s","timestamp":%d,"command":"%s"}' "$SESSION_ID" "$NOW" "$CMD" > "$LOCK_JSON"
+      exit 0
+    fi
+  fi
+fi
+
+# Lock held by another active agent — block
+LOCK_AGENT=$(jq -r '.agentId // "another agent"' "$LOCK_JSON" 2>/dev/null || echo "another agent")
+jq -n --arg agent "$LOCK_AGENT" '{
+  continue: false,
+  stopReason: ("BLOCKED: Another agent (" + $agent + ") is modifying lockfiles. Wait for it to finish, then retry. Lock auto-expires after 30s if the agent crashes.")
+}'

package/src/hook-packs/full/manifest.json

@@ -12,5 +12,12 @@
     "ux-touch-targets",
     "no-ai-attribution"
   ],
-  "composedFrom": ["typescript-safety", "a11y", "css-discipline", "clean-commits", "yolo-safety"]
+  "composedFrom": [
+    "typescript-safety",
+    "a11y",
+    "css-discipline",
+    "clean-commits",
+    "safety",
+    "yolo-safety"
+  ]
 }

package/src/hook-packs/graduation.ts

@@ -0,0 +1,65 @@
+/**
+ * Hook pack graduation — promote/demote action levels.
+ * remind → warn → block (promote)
+ * block → warn → remind (demote)
+ */
+import { writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { getPack } from './registry.js';
+import type { HookPackManifest } from './registry.js';
+
+const LEVELS = ['remind', 'warn', 'block'] as const;
+type ActionLevel = (typeof LEVELS)[number];
+
+export interface GraduationResult {
+  packName: string;
+  previousLevel: ActionLevel;
+  newLevel: ActionLevel;
+  manifestPath: string;
+}
+
+function getCurrentLevel(manifest: HookPackManifest): ActionLevel {
+  const level = manifest.actionLevel;
+  if (level && (LEVELS as readonly string[]).includes(level)) return level as ActionLevel;
+  return 'remind'; // default
+}
+
+export function promotePack(packName: string): GraduationResult {
+  const pack = getPack(packName);
+  if (!pack) throw new Error(`Unknown hook pack: "${packName}"`);
+
+  const manifestPath = join(pack.dir, 'manifest.json');
+  const manifest = pack.manifest;
+  const current = getCurrentLevel(manifest);
+  const currentIndex = LEVELS.indexOf(current);
+
+  if (currentIndex >= LEVELS.length - 1) {
+    throw new Error(`Pack "${packName}" is already at maximum level: ${current}`);
+  }
+
+  const newLevel = LEVELS[currentIndex + 1];
+  manifest.actionLevel = newLevel;
+  writeFileSync(manifestPath, JSON.stringify(manifest, null, 2) + '\n', 'utf-8');
+
+  return { packName, previousLevel: current, newLevel, manifestPath };
+}
+
+export function demotePack(packName: string): GraduationResult {
+  const pack = getPack(packName);
+  if (!pack) throw new Error(`Unknown hook pack: "${packName}"`);
+
+  const manifestPath = join(pack.dir, 'manifest.json');
+  const manifest = pack.manifest;
+  const current = getCurrentLevel(manifest);
+  const currentIndex = LEVELS.indexOf(current);
+
+  if (currentIndex <= 0) {
+    throw new Error(`Pack "${packName}" is already at minimum level: ${current}`);
+  }
+
+  const newLevel = LEVELS[currentIndex - 1];
+  manifest.actionLevel = newLevel;
+  writeFileSync(manifestPath, JSON.stringify(manifest, null, 2) + '\n', 'utf-8');
+
+  return { packName, previousLevel: current, newLevel, manifestPath };
+}

package/src/hook-packs/installer.ts

@@ -195,7 +195,9 @@ export function installPack(
     mkdirSync(destDir, { recursive: true });
     const destPath = join(destDir, file);
     copyFileSync(sourcePath, destPath);
-    chmodSync(destPath, 0o755);
+    if (process.platform !== 'win32') {
+      chmodSync(destPath, 0o755);
+    }
     installedScripts.push(`${targetDir}/${file}`);
   }
   const lcHooks = resolveLifecycleHooks(packName);

package/src/hook-packs/marketing-research/README.md

@@ -0,0 +1,37 @@
+# Marketing Research Hook Pack
+
+Example hook demonstrating the skill-to-hook conversion workflow. Automatically reminds you to check brand guidelines and A/B testing data when editing marketing files.
+
+## Conversion Score
+
+| Dimension         | Score | Rationale                                                   |
+| ----------------- | ----- | ----------------------------------------------------------- |
+| Frequency         | HIGH  | 4+ manual checks per session when editing marketing content |
+| Event Correlation | HIGH  | Always triggers on Write/Edit to marketing files            |
+| Determinism       | HIGH  | Lookups and context injection, not creative guidance        |
+| Autonomy          | HIGH  | No interactive decisions needed                             |
+
+**Score: 4/4 — Strong candidate**
+
+## Install
+
+```bash
+soleri hooks add-pack marketing-research
+```
+
+## What It Does
+
+Fires on `Write` and `Edit` tool calls when the target file matches marketing patterns:
+
+- `**/marketing/**`
+- `**/*marketing*`
+- `**/campaign*/**`
+
+Injects a reminder with brand guidelines context. Does not block — action level is `remind`.
+
+## Graduation
+
+```bash
+soleri hooks promote marketing-research   # remind → warn
+soleri hooks promote marketing-research   # warn → block
+```

package/src/hook-packs/marketing-research/manifest.json

@@ -0,0 +1,24 @@
+{
+  "name": "marketing-research",
+  "version": "1.0.0",
+  "description": "Auto-research hook for marketing files — reminds to check brand guidelines, A/B testing data, and audience segmentation before editing marketing content",
+  "hooks": [],
+  "scripts": [
+    {
+      "name": "marketing-research",
+      "file": "marketing-research.sh",
+      "targetDir": "hooks"
+    }
+  ],
+  "lifecycleHooks": [
+    {
+      "event": "PreToolUse",
+      "matcher": "Write|Edit",
+      "type": "command",
+      "command": "sh ~/.claude/hooks/marketing-research.sh",
+      "timeout": 10,
+      "statusMessage": "Checking marketing context..."
+    }
+  ],
+  "actionLevel": "remind"
+}

package/src/hook-packs/marketing-research/scripts/marketing-research.sh

@@ -0,0 +1,70 @@
+#!/bin/sh
+# Marketing Research Hook for Claude Code (Soleri Hook Pack: marketing-research)
+# PreToolUse -> Write|Edit: reminds to check brand guidelines, A/B testing data,
+# and audience segmentation before editing marketing content.
+#
+# Matched file patterns:
+#   - **/marketing/**
+#   - **/*marketing*
+#   - **/campaign*/**
+#
+# Dependencies: jq (required)
+# POSIX sh compatible — no bash-specific features.
+
+set -eu
+
+INPUT=$(cat)
+
+# Extract tool name
+TOOL_NAME=$(printf '%s' "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Only act on Write or Edit
+case "$TOOL_NAME" in
+  Write|Edit) ;;
+  *) exit 0 ;;
+esac
+
+# Extract file_path from tool_input
+FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+# No file path — let it through
+if [ -z "$FILE_PATH" ]; then
+  exit 0
+fi
+
+# Check if file matches marketing patterns
+IS_MARKETING=false
+
+# Pattern: **/marketing/** — file is inside a marketing directory
+case "$FILE_PATH" in
+  */marketing/*) IS_MARKETING=true ;;
+esac
+
+# Pattern: **/*marketing* — filename or path component contains "marketing"
+if [ "$IS_MARKETING" = false ]; then
+  BASENAME=$(basename "$FILE_PATH")
+  case "$BASENAME" in
+    *marketing*) IS_MARKETING=true ;;
+  esac
+fi
+
+# Pattern: **/campaign*/** — file is inside a campaign* directory
+if [ "$IS_MARKETING" = false ]; then
+  # Check if any path component starts with "campaign"
+  if printf '%s' "$FILE_PATH" | grep -qE '/(campaign[^/]*)/'; then
+    IS_MARKETING=true
+  fi
+fi
+
+# Not a marketing file — let it through
+if [ "$IS_MARKETING" = false ]; then
+  exit 0
+fi
+
+# Output remind JSON
+jq -n \
+  --arg file "$FILE_PATH" \
+  '{
+    continue: true,
+    message: ("Marketing file detected: " + $file + "\n\nBefore editing, consider checking:\n- Brand guidelines — tone, voice, approved terminology\n- A/B testing data — what messaging has performed well\n- Audience segmentation — who is the target for this content\n- Campaign calendar — timing and coordination with other assets")
+  }'

package/src/hook-packs/registry.ts

@@ -30,6 +30,7 @@ export interface HookPackManifest {
   scripts?: HookPackScript[];
   lifecycleHooks?: HookPackLifecycleHook[];
   source?: 'built-in' | 'local';
+  actionLevel?: 'remind' | 'warn' | 'block';
 }
 
 const __filename = fileURLToPath(import.meta.url);
@@ -97,7 +98,9 @@ export function getPack(name: string): { manifest: HookPackManifest; dir: string
 export function getInstalledPacks(): string[] {
   const claudeDir = join(homedir(), '.claude');
   const packs = listPacks();
-  const installed: string[] = [];
+  const installed = new Set<string>();
+
+  // First pass: detect directly installed packs (hooks or scripts)
   for (const pack of packs) {
     if (pack.hooks.length === 0) {
       if (pack.scripts && pack.scripts.length > 0) {
@@ -105,7 +108,7 @@ export function getInstalledPacks(): string[] {
           existsSync(join(claudeDir, script.targetDir, script.file)),
         );
         if (allScripts) {
-          installed.push(pack.name);
+          installed.add(pack.name);
         }
       }
       continue;
@@ -114,8 +117,19 @@ export function getInstalledPacks(): string[] {
       existsSync(join(claudeDir, `hookify.${hook}.local.md`)),
     );
     if (allPresent) {
-      installed.push(pack.name);
+      installed.add(pack.name);
     }
   }
-  return installed;
+
+  // Second pass: composed packs are installed if all sub-packs are installed
+  for (const pack of packs) {
+    if (pack.composedFrom && pack.composedFrom.length > 0 && !installed.has(pack.name)) {
+      const allSubsInstalled = pack.composedFrom.every((sub) => installed.has(sub));
+      if (allSubsInstalled) {
+        installed.add(pack.name);
+      }
+    }
+  }
+
+  return Array.from(installed);
 }

package/src/hook-packs/safety/README.md

@@ -0,0 +1,50 @@
+# Safety Hook Pack
+
+Anti-deletion safety net for Claude Code. Intercepts destructive commands, stages files before deletion, and blocks dangerous operations.
+
+## Install
+
+```bash
+soleri hooks add-pack safety
+```
+
+## What It Intercepts
+
+| Command                    | Action                                       |
+| -------------------------- | -------------------------------------------- |
+| `rm` / `rmdir`             | Copies files to staging, then blocks         |
+| `git push --force`         | Blocks (use `--force-with-lease` instead)    |
+| `git reset --hard`         | Blocks (use `git stash` first)               |
+| `git clean`                | Blocks (use `git stash --include-untracked`) |
+| `git checkout -- .`        | Blocks                                       |
+| `git restore .`            | Blocks                                       |
+| `mv ~/projects/...`        | Blocks                                       |
+| `DROP TABLE`               | Blocks                                       |
+| `docker rm` / `docker rmi` | Blocks                                       |
+
+## Where Backups Go
+
+Staged files are saved to `~/.soleri/staging/<timestamp>/` with directory structure preserved.
+
+Backups use rsync (excludes `node_modules`, `dist`, `.git`) when available, falls back to `cp -R`.
+
+## Restore
+
+```bash
+soleri staging list       # see available backups
+soleri staging restore    # restore from a backup
+soleri staging clean      # manually clean old backups
+```
+
+## Auto-Cleanup
+
+Backups older than 7 days are automatically deleted on each hook invocation. No manual cleanup needed for normal usage.
+
+## Dependencies
+
+- `jq` (required for JSON parsing)
+- POSIX sh compatible — works on macOS and Linux
+
+## False Positive Prevention
+
+The hook strips here-documents and quoted strings before pattern matching. Commands like `gh issue comment --body "rm -rf explanation"` will not trigger a false positive.

package/src/hook-packs/safety/manifest.json

@@ -0,0 +1,23 @@
+{
+  "name": "safety",
+  "version": "1.0.0",
+  "description": "Anti-deletion safety net — intercepts destructive commands (rm, git push --force, git reset --hard, git clean, drop table, docker rm), stages files before deletion, blocks everything else",
+  "hooks": [],
+  "scripts": [
+    {
+      "name": "anti-deletion",
+      "file": "anti-deletion.sh",
+      "targetDir": "hooks"
+    }
+  ],
+  "lifecycleHooks": [
+    {
+      "event": "PreToolUse",
+      "matcher": "Bash",
+      "type": "command",
+      "command": "sh ~/.claude/hooks/anti-deletion.sh",
+      "timeout": 10,
+      "statusMessage": "Checking for destructive commands..."
+    }
+  ]
+}