@vinaes/succ 1.3.22 → 1.3.31

package/hooks/succ-pre-tool.cjs

@@ -1,19 +1,22 @@
 #!/usr/bin/env node
 /**
- * PreToolUse Hook — Command safety guard + commit context injection
+ * PreToolUse Hook — Command safety guard + commit context + file-linked memories
  *
- * Fires before every Bash tool call. Three features:
+ * Fires before every tool call. Four features:
  *
- * 1. Command safety guard — blocks dangerous git/filesystem/database/docker commands
+ * 1. File-linked memories — intercepts Edit/Write, queries daemon for related memories,
+ *    injects them as additionalContext (~10ms, fail-open)
+ *
+ * 2. Command safety guard — blocks dangerous git/filesystem/database/docker commands
  *    Config: commandSafetyGuard.mode = 'deny' | 'ask' | 'off' (default: 'deny')
  *    Config: commandSafetyGuard.allowlist = string[]
  *    Config: commandSafetyGuard.customPatterns = [{ pattern: "regex", reason: "why" }]
  *
- * 2. Commit guidelines injection — injects co-author format into context
+ * 3. Commit guidelines injection — injects co-author format into context
  *    when Claude is about to run git commit
  *    Config: includeCoAuthoredBy (default: true)
  *
- * 3. Pre-commit diff review reminder — injects reminder to run diff-reviewer
+ * 4. Pre-commit diff review reminder — injects reminder to run diff-reviewer
  *    Config: preCommitReview (default: false)
  */
 
@@ -24,72 +27,182 @@ const path = require('path');
 
 const DANGEROUS_PATTERNS = [
   // ── Git — data loss ──
-  { pattern: /\bgit\s+reset\s+--hard\b/, reason: 'git reset --hard destroys uncommitted changes. Use git stash first.' },
-  { pattern: /\bgit\s+reset\s+--merge\b/, reason: 'git reset --merge can destroy uncommitted changes.' },
-  { pattern: /\bgit\s+checkout\s+--\s/, reason: 'git checkout -- discards file modifications. Use git stash first.' },
-  { pattern: /\bgit\s+checkout\s+\.\s*($|[;&|])/, reason: 'git checkout . discards all modifications. Use git stash first.' },
-  { pattern: /\bgit\s+restore\s+--staged\s+--worktree\b/, reason: 'git restore --staged --worktree discards both staged and unstaged changes.' },
-  { pattern: /\bgit\s+clean\s+-[a-zA-Z]*f/, reason: 'git clean -f permanently deletes untracked files.' },
-  { pattern: /\bgit\s+push\s+.*--force(?!-with-lease)\b/, reason: 'git push --force rewrites remote history. Use --force-with-lease instead.' },
-  { pattern: /\bgit\s+push\s+-f\b/, reason: 'git push -f rewrites remote history. Use --force-with-lease instead.' },
-  { pattern: /\bgit\s+branch\s+-D\b/, reason: 'git branch -D force-deletes without merge verification. Use -d for safe delete.' },
-  { pattern: /\bgit\s+stash\s+drop\b/, reason: 'git stash drop permanently destroys stashed work.' },
+  {
+    pattern: /\bgit\s+reset\s+--hard\b/,
+    reason: 'git reset --hard destroys uncommitted changes. Use git stash first.',
+  },
+  {
+    pattern: /\bgit\s+reset\s+--merge\b/,
+    reason: 'git reset --merge can destroy uncommitted changes.',
+  },
+  {
+    pattern: /\bgit\s+checkout\s+--\s/,
+    reason: 'git checkout -- discards file modifications. Use git stash first.',
+  },
+  {
+    pattern: /\bgit\s+checkout\s+\.\s*($|[;&|])/,
+    reason: 'git checkout . discards all modifications. Use git stash first.',
+  },
+  {
+    pattern: /\bgit\s+restore\s+--staged\s+--worktree\b/,
+    reason: 'git restore --staged --worktree discards both staged and unstaged changes.',
+  },
+  {
+    pattern: /\bgit\s+clean\s+-[a-zA-Z]*f/,
+    reason: 'git clean -f permanently deletes untracked files.',
+  },
+  {
+    pattern: /\bgit\s+push\s+.*--force(?!-with-lease)\b/,
+    reason: 'git push --force rewrites remote history. Use --force-with-lease instead.',
+  },
+  {
+    pattern: /\bgit\s+push\s+-f\b/,
+    reason: 'git push -f rewrites remote history. Use --force-with-lease instead.',
+  },
+  {
+    pattern: /\bgit\s+branch\s+-D\b/,
+    reason: 'git branch -D force-deletes without merge verification. Use -d for safe delete.',
+  },
+  {
+    pattern: /\bgit\s+stash\s+drop\b/,
+    reason: 'git stash drop permanently destroys stashed work.',
+  },
   { pattern: /\bgit\s+stash\s+clear\b/, reason: 'git stash clear destroys ALL stashed work.' },
-  { pattern: /\bgit\s+rebase\s+-i\b/, reason: 'git rebase -i requires interactive terminal (not available in hooks).' },
-  { pattern: /\bgit\s+reflog\s+expire\s+--expire=now\b/, reason: 'git reflog expire --expire=now permanently removes recovery points.' },
+  {
+    pattern: /\bgit\s+rebase\s+-i\b/,
+    reason: 'git rebase -i requires interactive terminal (not available in hooks).',
+  },
+  {
+    pattern: /\bgit\s+reflog\s+expire\s+--expire=now\b/,
+    reason: 'git reflog expire --expire=now permanently removes recovery points.',
+  },
 
   // ── Filesystem — data loss ──
-  { pattern: /\brm\s+.*\.succ\b/, reason: '.succ/ contains your memory, brain vault, and config. This would destroy all succ data.' },
-  { pattern: /\brm\s+-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*\b/, reason: 'rm -rf can permanently delete files. Verify the target path.', checkPath: true },
-  { pattern: /\brm\s+-[a-zA-Z]*f[a-zA-Z]*r[a-zA-Z]*\b/, reason: 'rm -fr can permanently delete files. Verify the target path.', checkPath: true },
+  {
+    pattern: /\brm\s+.*\.succ\b/,
+    reason:
+      '.succ/ contains your memory, brain vault, and config. This would destroy all succ data.',
+  },
+  {
+    pattern: /\brm\s+-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*\b/,
+    reason: 'rm -rf can permanently delete files. Verify the target path.',
+    checkPath: true,
+  },
+  {
+    pattern: /\brm\s+-[a-zA-Z]*f[a-zA-Z]*r[a-zA-Z]*\b/,
+    reason: 'rm -fr can permanently delete files. Verify the target path.',
+    checkPath: true,
+  },
 
   // ── Docker — container/image/volume destruction ──
-  { pattern: /\bdocker\s+system\s+prune\b/, reason: 'docker system prune removes all unused containers, networks, images, and optionally volumes.' },
-  { pattern: /\bdocker\s+volume\s+prune\b/, reason: 'docker volume prune removes all unused volumes (potential data loss).' },
-  { pattern: /\bdocker\s+rm\s+-f\b/, reason: 'docker rm -f force-removes running containers without graceful shutdown.' },
-  { pattern: /\bdocker\s+rmi\s+-f\b/, reason: 'docker rmi -f force-removes images that may be in use.' },
-  { pattern: /\bdocker-compose\s+down\s+-v\b/, reason: 'docker-compose down -v removes named volumes (database data loss).' },
-  { pattern: /\bdocker\s+compose\s+down\s+-v\b/, reason: 'docker compose down -v removes named volumes (database data loss).' },
+  {
+    pattern: /\bdocker\s+system\s+prune\b/,
+    reason:
+      'docker system prune removes all unused containers, networks, images, and optionally volumes.',
+  },
+  {
+    pattern: /\bdocker\s+volume\s+prune\b/,
+    reason: 'docker volume prune removes all unused volumes (potential data loss).',
+  },
+  {
+    pattern: /\bdocker\s+rm\s+-f\b/,
+    reason: 'docker rm -f force-removes running containers without graceful shutdown.',
+  },
+  {
+    pattern: /\bdocker\s+rmi\s+-f\b/,
+    reason: 'docker rmi -f force-removes images that may be in use.',
+  },
+  {
+    pattern: /\bdocker-compose\s+down\s+-v\b/,
+    reason: 'docker-compose down -v removes named volumes (database data loss).',
+  },
+  {
+    pattern: /\bdocker\s+compose\s+down\s+-v\b/,
+    reason: 'docker compose down -v removes named volumes (database data loss).',
+  },
 
   // ── SQLite — database destruction ──
-  { pattern: /\bsqlite3?\b.*\bDROP\s+TABLE\b/i, reason: 'DROP TABLE permanently deletes a SQLite table and all its data.' },
-  { pattern: /\bsqlite3?\b.*\bDROP\s+DATABASE\b/i, reason: 'DROP DATABASE permanently deletes the entire SQLite database.' },
-  { pattern: /\bsqlite3?\b.*\bDELETE\s+FROM\s+\w+\s*;/i, reason: 'DELETE FROM without WHERE deletes all rows in a SQLite table.' },
-  { pattern: /\bsqlite3?\b.*\bTRUNCATE\b/i, reason: 'TRUNCATE removes all data from a SQLite table.' },
+  {
+    pattern: /\bsqlite3?\b.*\bDROP\s+TABLE\b/i,
+    reason: 'DROP TABLE permanently deletes a SQLite table and all its data.',
+  },
+  {
+    pattern: /\bsqlite3?\b.*\bDROP\s+DATABASE\b/i,
+    reason: 'DROP DATABASE permanently deletes the entire SQLite database.',
+  },
+  {
+    pattern: /\bsqlite3?\b.*\bDELETE\s+FROM\s+\w+\s*;/i,
+    reason: 'DELETE FROM without WHERE deletes all rows in a SQLite table.',
+  },
+  {
+    pattern: /\bsqlite3?\b.*\bTRUNCATE\b/i,
+    reason: 'TRUNCATE removes all data from a SQLite table.',
+  },
 
   // ── PostgreSQL — database destruction ──
-  { pattern: /\bpsql\b.*\bDROP\s+TABLE\b/i, reason: 'DROP TABLE permanently deletes a PostgreSQL table and all its data.' },
-  { pattern: /\bpsql\b.*\bDROP\s+DATABASE\b/i, reason: 'DROP DATABASE permanently deletes the entire PostgreSQL database.' },
-  { pattern: /\bpsql\b.*\bDELETE\s+FROM\s+\w+\s*;/i, reason: 'DELETE FROM without WHERE deletes all rows in a PostgreSQL table.' },
-  { pattern: /\bpsql\b.*\bTRUNCATE\b/i, reason: 'TRUNCATE removes all data from a PostgreSQL table.' },
+  {
+    pattern: /\bpsql\b.*\bDROP\s+TABLE\b/i,
+    reason: 'DROP TABLE permanently deletes a PostgreSQL table and all its data.',
+  },
+  {
+    pattern: /\bpsql\b.*\bDROP\s+DATABASE\b/i,
+    reason: 'DROP DATABASE permanently deletes the entire PostgreSQL database.',
+  },
+  {
+    pattern: /\bpsql\b.*\bDELETE\s+FROM\s+\w+\s*;/i,
+    reason: 'DELETE FROM without WHERE deletes all rows in a PostgreSQL table.',
+  },
+  {
+    pattern: /\bpsql\b.*\bTRUNCATE\b/i,
+    reason: 'TRUNCATE removes all data from a PostgreSQL table.',
+  },
   { pattern: /\bdropdb\b/, reason: 'dropdb permanently deletes a PostgreSQL database.' },
   { pattern: /\bdropuser\b/, reason: 'dropuser permanently deletes a PostgreSQL user/role.' },
 
   // ── Qdrant — vector database destruction ──
-  { pattern: /\bcurl\b.*\bqdrant\b.*\bDELETE\b/i, reason: 'DELETE on Qdrant API can remove collections or points permanently.' },
-  { pattern: /\bcurl\b.*\b:6333\b.*\bDELETE\b/i, reason: 'DELETE on Qdrant port 6333 can remove collections or points permanently.' },
-  { pattern: /\bcurl\b.*\b:6334\b.*\bDELETE\b/i, reason: 'DELETE on Qdrant gRPC port can remove data permanently.' },
+  {
+    pattern: /\bcurl\b.*\bqdrant\b.*\bDELETE\b/i,
+    reason: 'DELETE on Qdrant API can remove collections or points permanently.',
+  },
+  {
+    pattern: /\bcurl\b.*\b:6333\b.*\bDELETE\b/i,
+    reason: 'DELETE on Qdrant port 6333 can remove collections or points permanently.',
+  },
+  {
+    pattern: /\bcurl\b.*\b:6334\b.*\bDELETE\b/i,
+    reason: 'DELETE on Qdrant gRPC port can remove data permanently.',
+  },
 ];
 
 // Paths where rm -rf is considered safe (normalized, lowercase)
 const SAFE_RM_PATHS = [
-  '/tmp', '/var/tmp',
-  'node_modules', 'dist', 'build', '.cache',
-  '__pycache__', '.pytest_cache', '.tox',
-  'target/debug', 'target/release',
-  '.next', '.nuxt', '.turbo', 'coverage',
+  '/tmp',
+  '/var/tmp',
+  'node_modules',
+  'dist',
+  'build',
+  '.cache',
+  '__pycache__',
+  '.pytest_cache',
+  '.tox',
+  'target/debug',
+  'target/release',
+  '.next',
+  '.nuxt',
+  '.turbo',
+  'coverage',
 ];
 
 // Prefixes that indicate the command is data, not execution
 const DATA_PREFIXES = [
-  /^\s*(?:#|\/\/)/,           // comments
-  /^\s*echo\b/,              // echo
-  /^\s*printf\b/,            // printf
-  /^\s*cat\s*<</,            // heredoc (cat <<)
-  /^\s*grep\b/,              // grep
-  /^\s*rg\b/,                // ripgrep
-  /^\s*ag\b/,                // silver searcher
-  /^\s*(?:"|').*(?:"|')\s*$/,// quoted string
+  /^\s*(?:#|\/\/)/, // comments
+  /^\s*echo\b/, // echo
+  /^\s*printf\b/, // printf
+  /^\s*cat\s*<</, // heredoc (cat <<)
+  /^\s*grep\b/, // grep
+  /^\s*rg\b/, // ripgrep
+  /^\s*ag\b/, // silver searcher
+  /^\s*(?:"|').*(?:"|')\s*$/, // quoted string
 ];
 
 // ─── Helpers ─────────────────────────────────────────────────────────
@@ -143,7 +256,7 @@ function loadConfig(projectDir) {
 
 function isDataContext(command) {
   const trimmed = command.trim();
-  return DATA_PREFIXES.some(prefix => prefix.test(trimmed));
+  return DATA_PREFIXES.some((prefix) => prefix.test(trimmed));
 }
 
 function isRmPathSafe(command) {
@@ -153,7 +266,7 @@ function isRmPathSafe(command) {
   const target = match[1].trim().replace(/["']/g, '');
   const normalized = target.toLowerCase().replace(/\\/g, '/');
 
-  return SAFE_RM_PATHS.some(safe => {
+  return SAFE_RM_PATHS.some((safe) => {
     if (normalized === safe || normalized.endsWith('/' + safe)) return true;
     if (safe === '/tmp' && normalized.startsWith('/tmp/')) return true;
     if (safe === '/var/tmp' && normalized.startsWith('/var/tmp/')) return true;
@@ -236,6 +349,58 @@ MEDIUM and below — commit is OK, mention findings in summary.
   return parts.join('\n');
 }
 
+// ─── Daemon helpers ──────────────────────────────────────────────────
+
+function getDaemonPort(projectDir) {
+  const portFile = path.join(projectDir, '.succ', '.tmp', 'daemon.port');
+  if (!fs.existsSync(portFile)) return null;
+  const port = parseInt(fs.readFileSync(portFile, 'utf8').trim(), 10);
+  return port && !isNaN(port) ? port : null;
+}
+
+async function recallFileMemories(projectDir, fileName) {
+  const port = getDaemonPort(projectDir);
+  if (!port) return [];
+
+  try {
+    const res = await fetch(`http://127.0.0.1:${port}/api/recall-by-tag`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ tag: `file:${fileName}`, limit: 5 }),
+      signal: AbortSignal.timeout(2000),
+    });
+    if (!res.ok) return [];
+    const data = await res.json();
+    return data.results || [];
+  } catch {
+    return []; // fail-open
+  }
+}
+
+async function fetchHookRules(projectDir, toolName, toolInput) {
+  const port = getDaemonPort(projectDir);
+  if (!port) return [];
+
+  try {
+    const res = await fetch(`http://127.0.0.1:${port}/api/hook-rules`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ tool_name: toolName, tool_input: toolInput || {} }),
+      signal: AbortSignal.timeout(2000),
+    });
+    if (!res.ok) return [];
+    const data = await res.json();
+    return data.rules || [];
+  } catch {
+    return []; // fail-open
+  }
+}
+
+function formatFileContext(memories, fileName) {
+  const lines = memories.map((m) => `- [${m.type || 'observation'}] ${m.content.slice(0, 200)}`);
+  return `<file-context file="${fileName}">\nRelated memories:\n${lines.join('\n')}\n</file-context>`;
+}
+
 // ─── Main ────────────────────────────────────────────────────────────
 
 let input = '';
@@ -247,7 +412,7 @@ process.stdin.on('readable', () => {
   }
 });
 
-process.stdin.on('end', () => {
+process.stdin.on('end', async () => {
   try {
     const hookInput = JSON.parse(input);
     let projectDir = hookInput.cwd || process.cwd();
@@ -267,43 +432,106 @@ process.stdin.on('end', () => {
       process.exit(0);
     }
 
-    const command = hookInput.tool_input?.command || '';
-    if (!command) {
-      process.exit(0);
+    const toolName = hookInput.tool_name || '';
+    const toolInput = hookInput.tool_input || {};
+    const filePath = toolInput.file_path || '';
+    const command = toolInput.command || '';
+    const contextParts = [];
+    let askReason = null;
+
+    // 1. Dynamic hook rules from memory (ALL tools)
+    // Note: deny/ask exit immediately — any accumulated contextParts are intentionally
+    // discarded because the tool call is being blocked or requires confirmation.
+    const rules = await fetchHookRules(projectDir, toolName, toolInput);
+    for (const rule of rules) {
+      if (rule.action === 'deny') {
+        const output = {
+          hookSpecificOutput: {
+            hookEventName: 'PreToolUse',
+            permissionDecision: 'deny',
+            permissionDecisionReason: `[succ rule] ${rule.content}`,
+          },
+        };
+        console.log(JSON.stringify(output));
+        process.exit(0);
+      }
+      if (rule.action === 'ask' && !askReason) {
+        askReason = rule.content;
+      }
+      if (rule.action === 'inject') {
+        contextParts.push(`<hook-rule>${rule.content}</hook-rule>`);
+      }
     }
 
-    const config = loadConfig(projectDir);
-
-    // 1. Command safety guard
-    const dangerousResult = checkDangerous(command, config);
-    if (dangerousResult) {
-      const output = {
-        hookSpecificOutput: {
-          hookEventName: 'PreToolUse',
-          permissionDecision: dangerousResult.mode === 'ask' ? 'ask' : 'deny',
-          permissionDecisionReason: `[succ guard] ${dangerousResult.reason}`,
-        },
-      };
-      console.log(JSON.stringify(output));
-      process.exit(0);
+    // 2. File-linked memories (Edit/Write only — Read is too frequent, wastes context)
+    if ((toolName === 'Edit' || toolName === 'Write') && filePath) {
+      const fileName = path.basename(filePath);
+      const memories = await recallFileMemories(projectDir, fileName);
+      if (memories.length > 0) {
+        contextParts.push(formatFileContext(memories, fileName));
+      }
     }
 
-    // 2. Git commit — inject guidelines + diff review reminder
-    if (/\bgit\s+commit\b/.test(command)) {
-      const additionalContext = buildCommitContext(config);
-      if (additionalContext) {
+    // 3. Command safety guard (Bash only)
+    if (command) {
+      const config = loadConfig(projectDir);
+      const dangerousResult = checkDangerous(command, config);
+      if (dangerousResult) {
+        const output = {
+          hookSpecificOutput: {
+            hookEventName: 'PreToolUse',
+            permissionDecision: dangerousResult.mode === 'ask' ? 'ask' : 'deny',
+            permissionDecisionReason: `[succ guard] ${dangerousResult.reason}`,
+          },
+        };
+        console.log(JSON.stringify(output));
+        process.exit(0);
+      }
+
+      // 4. Hook rule ask (after safety guard, so deny takes priority)
+      if (askReason) {
         const output = {
           hookSpecificOutput: {
             hookEventName: 'PreToolUse',
-            additionalContext,
+            permissionDecision: 'ask',
+            permissionDecisionReason: `[succ rule] ${askReason}`,
           },
         };
         console.log(JSON.stringify(output));
         process.exit(0);
       }
+
+      // 5. Git commit — inject guidelines + diff review reminder
+      if (/\bgit\s+commit\b/.test(command)) {
+        const commitContext = buildCommitContext(config);
+        if (commitContext) {
+          contextParts.push(commitContext);
+        }
+      }
+    } else if (askReason) {
+      // Non-Bash ask rule
+      const output = {
+        hookSpecificOutput: {
+          hookEventName: 'PreToolUse',
+          permissionDecision: 'ask',
+          permissionDecisionReason: `[succ rule] ${askReason}`,
+        },
+      };
+      console.log(JSON.stringify(output));
+      process.exit(0);
+    }
+
+    // 6. Emit combined context
+    if (contextParts.length > 0) {
+      const output = {
+        hookSpecificOutput: {
+          hookEventName: 'PreToolUse',
+          additionalContext: contextParts.join('\n'),
+        },
+      };
+      console.log(JSON.stringify(output));
     }
 
-    // No action needed
     process.exit(0);
   } catch {
     // Fail-open: don't block on hook errors

package/hooks/succ-session-start.cjs

@@ -63,13 +63,15 @@ process.stdin.on('end', async () => {
       process.exit(0);
     }
 
-    // Load config settings
+    // Load config settings (project config overrides global, but both are checked)
     let includeCoAuthoredBy = true;   // default: true
     let communicationAutoAdapt = true; // default: true
     let communicationTrackHistory = false; // default: false
+    let hasOpenRouterKey = !!process.env.OPENROUTER_API_KEY;
     const configPaths = [
-      path.join(succDir, 'config.json'),
+      // Global first, then project overrides
       path.join(require('os').homedir(), '.succ', 'config.json'),
+      path.join(succDir, 'config.json'),
     ];
     for (const configPath of configPaths) {
       if (fs.existsSync(configPath)) {
@@ -84,7 +86,14 @@ process.stdin.on('end', async () => {
           if (config.communicationTrackHistory === true) {
             communicationTrackHistory = true;
           }
-          break;
+          // Check for OpenRouter API key: llm.api_key, llm.embeddings.api_key, or web_search.api_key
+          if (!hasOpenRouterKey) {
+            const keys = [config.llm?.api_key, config.llm?.embeddings?.api_key, config.web_search?.api_key];
+            if (keys.some(k => typeof k === 'string' && k.startsWith('sk-or-'))) {
+              hasOpenRouterKey = true;
+            }
+          }
+          // No break — merge both configs (global defaults, project overrides)
         } catch {
           // Ignore parse errors
         }
@@ -156,6 +165,28 @@ Without it, succ works in global-only mode and can't access project data.
 → Record failed approach (boosted in recall to prevent retrying)
 </memory>
 
+<hook-rules hint="Dynamic pre-tool rules from memory. Saved rules auto-fire before matching tool calls.">
+When user asks to remember a rule about tool behavior (e.g., "before deploy run tests",
+"always review before commit", "block rm -rf"), save with hook-rule convention:
+
+**succ_remember** content="..." tags=["hook-rule", "tool:{ToolName}", "match:{regex}"] type="decision|error|pattern"
+
+Tags:
+- **hook-rule** — required, marks memory as a pre-tool rule
+- **tool:{Name}** — optional, filter by tool (Bash, Edit, Write, Read, Skill, Task). Omit = all tools
+- **match:{regex}** — optional, regex tested against tool input (command, skill name, file basename, prompt)
+
+Action via type:
+- **decision/observation/learning** → inject as additionalContext (guide the agent)
+- **error** → deny the tool call (block it)
+- **pattern** → ask user for confirmation before proceeding
+
+Examples:
+\`succ_remember content="Run diff-reviewer before deploying" tags=["hook-rule","tool:Skill","match:deploy"] type="decision"\`
+\`succ_remember content="Never force-push to main" tags=["hook-rule","tool:Bash","match:push.*--force.*main"] type="error"\`
+\`succ_remember content="Editing test files — run tests after" tags=["hook-rule","tool:Edit","match:\\\\.test\\\\."] type="decision"\`
+</hook-rules>
+
 <ops>
 **succ_index_file** file="doc.md" [force=true] — index doc for succ_search
 **succ_index_code_file** file="src/auth.ts" [force=true] — index code for succ_search_code
@@ -179,12 +210,12 @@ Without it, succ works in global-only mode and can't access project data.
 **succ_prd_export** [prd_id="prd_xxx"] — Obsidian Mermaid export
 </prd>
 
-<web-search hint="Perplexity Sonar via OpenRouter. Requires OPENROUTER_API_KEY.">
+${hasOpenRouterKey ? `<web-search hint="Perplexity Sonar via OpenRouter.">
 **succ_quick_search** query="..." — cheap & fast, simple facts
 **succ_web_search** query="..." [model="perplexity/sonar-pro"] — quality search, complex queries
 **succ_deep_research** query="..." — multi-step research (30-120s, 30+ sources)
 **succ_web_search_history** [tool_name="..."] [limit=20] — past searches and costs
-</web-search>
+</web-search>` : ''}
 
 <debug hint="Structured debugging with hypothesis testing. Sessions in .succ/debugs/.">
 **succ_debug** action="create|hypothesis|instrument|result|resolve|abandon|status|list|log|show_log|detect_lang|gen_log"
@@ -203,8 +234,8 @@ Without it, succ works in global-only mode and can't access project data.
 | Multi-step tasks, research | succ-general | general-purpose agent |
 | Code review | succ-code-reviewer | built-in review |
 | Pre-commit review | succ-diff-reviewer | manual diff reading |
-| Web page fetch | succ_fetch | WebFetch |
-| Web search | succ_quick_search / succ_web_search | WebSearch / Brave |
+| Web page fetch | succ_fetch | WebFetch |${hasOpenRouterKey ? `
+| Web search | succ_quick_search / succ_web_search | WebSearch / Brave |` : ''}
 
 Direct file reads (Read/Grep) are fine when you know the exact path — for discovery, always succ agents.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vinaes/succ",
-  "version": "1.3.22",
+  "version": "1.3.31",
   "description": "Semantic Understanding for Code Contexts — persistent memory for AI coding assistants (Claude Code, Cursor, Windsurf, Continue.dev)",
   "type": "module",
   "publishConfig": {
@@ -27,7 +27,8 @@
     "succ-mcp": "./dist/mcp-server.js"
   },
   "scripts": {
-    "build": "tsc",
+    "build": "prettier --check src/ && eslint src/ && tsc",
+    "build:compile": "tsc",
     "dev": "tsx src/cli.ts",
     "test": "vitest",
     "test:storage": "vitest --run src/lib/storage/",
@@ -42,7 +43,7 @@
     "lint:fix": "eslint src/ --fix",
     "format": "prettier --write src/",
     "format:check": "prettier --check src/",
-    "prepare": "npm run build",
+    "prepare": "npm run build:compile",
     "prepublishOnly": "npm run build && npm run lint"
   },
   "keywords": [