@torus-engineering/tas-kit 1.9.0 → 1.10.0

package/lib/install.js

@@ -31,16 +31,21 @@ async function removeDeletedFiles(target, deletedFiles) {
   return { removed, skipped };
 }
 
-async function confirm(question) {
+async function ask(question, defaultValue = '') {
   const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
   return new Promise((resolve) => {
-    rl.question(`${question} [y/N] `, (answer) => {
+    rl.question(question, (answer) => {
       rl.close();
-      resolve(answer.toLowerCase() === 'y' || answer.toLowerCase() === 'yes');
+      resolve((answer || '').trim() || defaultValue);
     });
   });
 }
 
+async function confirm(question) {
+  const answer = await ask(`${question} [y/N] `);
+  return answer.toLowerCase() === 'y' || answer.toLowerCase() === 'yes';
+}
+
 async function exists(p) {
   return fs.access(p).then(() => true).catch(() => false);
 }
@@ -49,10 +54,131 @@ async function copyDir(src, dest) {
   await fs.cp(src, dest, { recursive: true });
 }
 
-export async function update({ directory, yes }) {
+// ─── Security hook wiring ────────────────────────────────────────────────────
+
+async function chooseSecurityHookMode({ target, yes, forced }) {
+  if (forced) return forced;
+  if (yes) return 'native';
+
+  const hasPackageJson = await exists(path.join(target, 'package.json'));
+  const hint = hasPackageJson
+    ? '  Detected package.json — husky mode is available.'
+    : '  No package.json — husky mode will add one or fall back to native.';
+
+  console.log('\n  Pre-commit security hook wiring:');
+  console.log(hint);
+  console.log('    [1] husky     — shared via git, requires Node project');
+  console.log('    [2] native    — plain .git/hooks/pre-commit, any stack');
+  console.log('    [3] skip      — wire it later with "tas-kit install --security-hook=..."');
+  const answer = await ask('  Choose [1/2/3] (default: 2): ', '2');
+  if (answer === '1') return 'husky';
+  if (answer === '3') return 'none';
+  return 'native';
+}
+
+async function installSecurityHookNative({ target }) {
+  const gitDir = path.join(target, '.git');
+  if (!(await exists(gitDir))) {
+    console.warn('  [skip] Security hook (native): .git/ not found — run `git init` first, then re-run installer with --security-hook=native');
+    return false;
+  }
+
+  const hooksDir = path.join(gitDir, 'hooks');
+  await fs.mkdir(hooksDir, { recursive: true });
+
+  const src = path.join(PACKAGE_DIR, '.tas', 'hooks', 'pre-commit');
+  const dest = path.join(hooksDir, 'pre-commit');
+
+  if (await exists(dest)) {
+    const existing = await fs.readFile(dest, 'utf8').catch(() => '');
+    if (!existing.includes('TAS Kit')) {
+      const backup = dest + '.backup';
+      await fs.copyFile(dest, backup);
+      console.log('  [ok] .git/hooks/pre-commit.backup (preserved existing hook)');
+    }
+  }
+
+  await fs.copyFile(src, dest);
+  if (process.platform !== 'win32') {
+    await fs.chmod(dest, 0o755);
+  }
+  console.log('  [ok] .git/hooks/pre-commit (security scan wired — native)');
+  return true;
+}
+
+async function installSecurityHookHusky({ target }) {
+  const pkgPath = path.join(target, 'package.json');
+  const hasPackageJson = await exists(pkgPath);
+
+  if (!hasPackageJson) {
+    console.warn('  [warn] Security hook (husky): no package.json — falling back to native mode');
+    return await installSecurityHookNative({ target });
+  }
+
+  // Read + update package.json (add prepare script + husky devDep)
+  let pkg;
+  try {
+    pkg = JSON.parse(await fs.readFile(pkgPath, 'utf8'));
+  } catch (err) {
+    console.warn(`  [warn] Security hook (husky): package.json unreadable (${err.message}) — falling back to native`);
+    return await installSecurityHookNative({ target });
+  }
+
+  pkg.scripts = pkg.scripts || {};
+  if (!pkg.scripts.prepare) {
+    pkg.scripts.prepare = 'husky';
+  } else if (!/husky/.test(pkg.scripts.prepare)) {
+    pkg.scripts.prepare = `${pkg.scripts.prepare} && husky`;
+  }
+
+  pkg.devDependencies = pkg.devDependencies || {};
+  if (!pkg.devDependencies.husky) {
+    pkg.devDependencies.husky = '^9.1.0';
+  }
+
+  await fs.writeFile(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
+  console.log('  [ok] package.json (husky devDep + prepare script)');
+
+  // Write .husky/pre-commit
+  const huskyDir = path.join(target, '.husky');
+  await fs.mkdir(huskyDir, { recursive: true });
+
+  const huskyHook = path.join(huskyDir, 'pre-commit');
+  const content = [
+    '# TAS Kit — husky pre-commit (delegates to .tas/hooks/pre-commit)',
+    '. "$(dirname -- "$0")/../.tas/hooks/pre-commit"',
+    '',
+  ].join('\n');
+  await fs.writeFile(huskyHook, content);
+  if (process.platform !== 'win32') {
+    await fs.chmod(huskyHook, 0o755);
+  }
+  console.log('  [ok] .husky/pre-commit (delegates to .tas/hooks/pre-commit)');
+  console.log('  [--] Run `npm install` in the project to activate husky');
+  return true;
+}
+
+async function installSecurityHook({ target, mode }) {
+  if (mode === 'none' || !mode) {
+    console.log('  [skip] Security hook (you can enable later: tas-kit install --security-hook=native|husky)');
+    return;
+  }
+  if (mode === 'husky') {
+    await installSecurityHookHusky({ target });
+    return;
+  }
+  if (mode === 'native') {
+    await installSecurityHookNative({ target });
+    return;
+  }
+  console.warn(`  [warn] Unknown security hook mode: "${mode}" — skipping`);
+}
+
+// ─── Update ──────────────────────────────────────────────────────────────────
+
+export async function update({ directory, yes, securityHook }) {
   const target = path.resolve(directory);
 
-  // Must already have .claude/ or .tas/ — otherwise suggest install
   const claudeExists = await exists(path.join(target, '.claude'));
   const tasExists = await exists(path.join(target, '.tas'));
   if (!claudeExists && !tasExists) {
@@ -74,21 +200,12 @@ export async function update({ directory, yes }) {
     console.log();
   }
 
-  // Overwrite .claude/
-  await copyDir(
-    path.join(PACKAGE_DIR, '.claude'),
-    path.join(target, '.claude')
-  );
+  await copyDir(path.join(PACKAGE_DIR, '.claude'), path.join(target, '.claude'));
   console.log('  [ok] .claude/ (updated)');
 
-  // Overwrite .tas/
-  await copyDir(
-    path.join(PACKAGE_DIR, '.tas'),
-    path.join(target, '.tas')
-  );
+  await copyDir(path.join(PACKAGE_DIR, '.tas'), path.join(target, '.tas'));
   console.log('  [ok] .tas/ (updated)');
 
-  // Remove files deleted from the kit in previous versions
   const deletedFiles = await getDeletedFiles();
   if (deletedFiles.length > 0) {
     const { removed } = await removeDeletedFiles(target, deletedFiles);
@@ -99,12 +216,20 @@ export async function update({ directory, yes }) {
     }
   }
 
-  // Set executable bit on tas-ado.py (Unix/macOS)
   if (process.platform !== 'win32') {
     const adoPy = path.join(target, '.tas', 'tools', 'tas-ado.py');
     if (await exists(adoPy)) {
       await fs.chmod(adoPy, 0o755);
     }
+    const preCommit = path.join(target, '.tas', 'hooks', 'pre-commit');
+    if (await exists(preCommit)) {
+      await fs.chmod(preCommit, 0o755);
+    }
+  }
+
+  // Re-wire hook only if user explicitly asked via flag
+  if (securityHook) {
+    await installSecurityHook({ target, mode: securityHook });
   }
 
   console.log(`  [--] CLAUDE.md, tas.yaml, .env.example — not touched`);
@@ -117,15 +242,15 @@ and manually merge changes into your CLAUDE.md and tas.yaml if needed.
   `);
 }
 
-export async function install({ directory, yes }) {
+// ─── Install ─────────────────────────────────────────────────────────────────
+
+export async function install({ directory, yes, securityHook }) {
   const target = path.resolve(directory);
 
-  // Ensure target directory exists
   await fs.mkdir(target, { recursive: true });
 
   console.log(`\nInstalling TAS Kit into: ${target}\n`);
 
-  // Warn if .claude/ or .tas/ already exist
   const claudeExists = await exists(path.join(target, '.claude'));
   const tasExists = await exists(path.join(target, '.tas'));
 
@@ -141,64 +266,51 @@ export async function install({ directory, yes }) {
     console.log();
   }
 
-  // Copy .claude/
-  await copyDir(
-    path.join(PACKAGE_DIR, '.claude'),
-    path.join(target, '.claude')
-  );
+  await copyDir(path.join(PACKAGE_DIR, '.claude'), path.join(target, '.claude'));
   console.log('  [ok] .claude/');
 
-  // Copy .tas/
-  await copyDir(
-    path.join(PACKAGE_DIR, '.tas'),
-    path.join(target, '.tas')
-  );
+  await copyDir(path.join(PACKAGE_DIR, '.tas'), path.join(target, '.tas'));
   console.log('  [ok] .tas/');
 
-  // Copy CLAUDE-Example.md as CLAUDE.md (only if absent)
   const claudeMdTarget = path.join(target, 'CLAUDE.md');
   if (!(await exists(claudeMdTarget))) {
-    await fs.copyFile(
-      path.join(PACKAGE_DIR, 'CLAUDE-Example.md'),
-      claudeMdTarget
-    );
+    await fs.copyFile(path.join(PACKAGE_DIR, 'CLAUDE-Example.md'), claudeMdTarget);
     console.log('  [ok] CLAUDE.md (from CLAUDE-Example.md)');
   } else {
     console.log('  [--] CLAUDE.md already exists, skipped');
   }
 
-  // Copy .env.example (only if absent)
   const envExampleTarget = path.join(target, '.env.example');
   if (!(await exists(envExampleTarget))) {
-    await fs.copyFile(
-      path.join(PACKAGE_DIR, '.env.example'),
-      envExampleTarget
-    );
+    await fs.copyFile(path.join(PACKAGE_DIR, '.env.example'), envExampleTarget);
     console.log('  [ok] .env.example');
   } else {
     console.log('  [--] .env.example already exists, skipped');
   }
 
-  // Copy tas-example.yaml as tas.yaml (only if absent)
   const tasYamlTarget = path.join(target, 'tas.yaml');
   if (!(await exists(tasYamlTarget))) {
-    await fs.copyFile(
-      path.join(PACKAGE_DIR, '.tas', 'tas-example.yaml'),
-      tasYamlTarget
-    );
+    await fs.copyFile(path.join(PACKAGE_DIR, '.tas', 'tas-example.yaml'), tasYamlTarget);
     console.log('  [ok] tas.yaml (from .tas/tas-example.yaml)');
   } else {
     console.log('  [--] tas.yaml already exists, skipped');
   }
 
-  // Set executable bit on tas-ado.py (Unix/macOS)
   if (process.platform !== 'win32') {
     const adoPy = path.join(target, '.tas', 'tools', 'tas-ado.py');
     if (await exists(adoPy)) {
       await fs.chmod(adoPy, 0o755);
     }
+    const preCommit = path.join(target, '.tas', 'hooks', 'pre-commit');
+    if (await exists(preCommit)) {
+      await fs.chmod(preCommit, 0o755);
+    }
   }
 
+  // ─── Wire security pre-commit hook ─────────────────────────────────────────
+  const mode = await chooseSecurityHookMode({ target, yes, forced: securityHook });
+  await installSecurityHook({ target, mode });
+
   console.log(`
 TAS Kit installed successfully!
 
@@ -208,6 +320,8 @@ Next steps:
   3. Create .env        — add AZURE_DEVOPS_PAT (see .env.example)
   4. Open Claude Code   — run /tas-init to initialize your project
 
-Docs: .tas/README.md
+Docs:
+  .tas/README.md           — kit overview
+  .tas/hooks/README.md     — pre-commit security hook details
   `);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@torus-engineering/tas-kit",
-  "version": "1.9.0",
+  "version": "1.10.0",
   "description": "Torus Agentic SDLC Kit — Collection of commands, skills, rules, hooks, agents and workflows for modern AI-First SDLC",
   "type": "module",
   "bin": {