@windyroad/itil 0.35.6-preview.363 → 0.35.7-preview.365

package/.claude-plugin/plugin.json

@@ -484,5 +484,5 @@
     }
   },
   "name": "wr-itil",
-  "version": "0.35.6"
+  "version": "0.35.7"
 }

package/hooks/itil-rfc-trailer-advisory.sh

@@ -48,11 +48,22 @@
 # marker (per-invocation deterministic; mirrors P125 staging-detect.sh
 # and P141 itil-changeset-discipline.sh precedent).
 #
+# Command-shape detection delegates to
+# `lib/command-detect.sh::command_invokes_git_commit`, which strips
+# common prefix shapes (leading whitespace, env-var assignments,
+# `cd <path> &&`) and checks whether the residual leading token pair
+# is literally `git commit`. P274: replaced the prior substring match
+# `*"git commit"*` that misfired on non-commit Bash whose argument
+# vectors merely mentioned the phrase (grep / sed / cat-heredoc /
+# echo / `git log --grep`).
+#
 # References:
 #   ADR-005 — plugin testing strategy (hook bats live under hooks/test/).
 #   ADR-013 Rule 6 — fail-open on missing inputs / parse errors.
 #   ADR-014 — single-commit grain (this hook never auto-fixes via
 #             follow-up commit; advisory-only).
+#   ADR-017 — shared-code sync pattern (command-detect.sh canonical at
+#             packages/shared/hooks/lib/).
 #   ADR-038 — progressive disclosure / advisory band ≤300 bytes.
 #   ADR-045 — hook injection budget; Pattern 1 silent-on-pass.
 #   ADR-051 — load-bearing-from-the-start (drift detection ships at
@@ -63,6 +74,12 @@
 #   P081    — behavioural tests preferred over structural greps.
 #   P125    — sibling per-invocation no-marker hook precedent.
 #   P141    — sibling commit-time gate hook precedent.
+#   P268    — shared `command_invokes_git_commit` helper.
+#   P274    — sibling-hook refactor: substring-match → helper here.
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck source=lib/command-detect.sh
+source "$SCRIPT_DIR/lib/command-detect.sh"
 
 INPUT=$(cat)
 
@@ -89,11 +106,10 @@ except:
     print('')
 " 2>/dev/null || echo "")
 
-# Only fire on `git commit` invocations.
-case "$COMMAND" in
-  *"git commit"*) ;;
-  *) exit 0 ;;
-esac
+# Only fire on actual `git commit` invocations. P274: delegates to the
+# shared `command_invokes_git_commit` helper for leading-executable
+# semantics (was substring match prone to grep/sed/echo false positives).
+command_invokes_git_commit "$COMMAND" || exit 0
 
 # Bypass via env var.
 if [ "${BYPASS_RFC_TRAILER_ADVISORY:-}" = "1" ]; then

package/hooks/p057-staging-trap-detect.sh

@@ -10,10 +10,19 @@
 # a recovery path" contract via the mechanical-recovery shape (no
 # skill wrapper required — re-staging a file is a single command).
 #
+# Command-shape detection delegates to
+# `lib/command-detect.sh::command_invokes_git_commit`, which strips
+# common prefix shapes (leading whitespace, env-var assignments,
+# `cd <path> &&`) and checks whether the residual leading token pair
+# is literally `git commit`. P273: replaced the prior substring match
+# `*"git commit"*` that misfired on non-commit Bash whose argument
+# vectors merely mentioned the phrase (grep / sed / cat-heredoc /
+# echo / `git log --grep`).
+#
 # Allow paths (exit 0 without deny):
 #   - tool_name != "Bash"          (only Bash invocations are gated)
-#   - command does not contain     `git commit` substring (non-commit
-#                                  Bash bypasses entirely)
+#   - command is not a `git commit` invocation by leading-executable
+#                                  semantics (helper returns 1)
 #   - working tree clean of trap  (helper returns 0)
 #   - outside a git work tree     (helper fails-open)
 #   - parse failure on stdin      (mirrors create-gate.sh fail-open)
@@ -23,15 +32,23 @@
 #   ADR-009 — gate marker lifecycle (this hook deliberately does NOT
 #             use markers; detection is per-invocation deterministic).
 #   ADR-013 Rule 1 — deny redirects with mechanical recovery.
+#   ADR-017 — shared-code sync pattern (command-detect.sh canonical at
+#             packages/shared/hooks/lib/; synced into per-package
+#             hooks/lib/ via scripts/sync-command-detect.sh).
 #   ADR-038 — progressive disclosure / deny-message terseness budget.
 #   P057    — original staging-trap ticket; this hook is the
 #             enforcement layer the documentation alone didn't provide.
 #   P119    — sibling create-gate hook (PreToolUse:Write + lib/create-gate.sh).
 #   P125    — this hook.
+#   P268    — shared `command_invokes_git_commit` helper landed for
+#             `itil-readme-refresh-discipline.sh`.
+#   P273    — sibling-hook refactor: substring-match → helper here.
 
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 # shellcheck source=lib/staging-detect.sh
 source "$SCRIPT_DIR/lib/staging-detect.sh"
+# shellcheck source=lib/command-detect.sh
+source "$SCRIPT_DIR/lib/command-detect.sh"
 
 INPUT=$(cat)
 
@@ -58,13 +75,12 @@ except:
     print('')
 " 2>/dev/null || echo "")
 
-# Only fire on `git commit` invocations. Substring match catches
-# common shapes (`git commit -m`, `git commit --amend`, leading
-# `cd && git commit`, etc.) without over-matching unrelated bash.
-case "$COMMAND" in
-  *"git commit"*) ;;
-  *) exit 0 ;;
-esac
+# Only fire on actual `git commit` invocations. Delegates to
+# `lib/command-detect.sh::command_invokes_git_commit`, which strips
+# common prefix shapes (leading whitespace, env-var assignments,
+# `cd <path> &&`) and checks whether the residual leading token pair
+# is literally `git commit`. P273: replaces the prior substring match.
+command_invokes_git_commit "$COMMAND" || exit 0
 
 # Run detection. Helper echoes trap'd path on stdout when detected;
 # returns 1 in that case. Returns 0 (allow) on no-trap or fail-open

package/hooks/test/itil-rfc-trailer-advisory.bats

@@ -271,3 +271,105 @@ Refs: RFC-002"
   # Permit per-line overhead; the advisory should remain readable.
   [ "${#output}" -le 600 ]
 }
+
+# ── P274 / P268 leading-executable regression cases ─────────────────────────
+#
+# The hook must fire on ACTUAL `git commit` invocations, NOT on Bash that
+# merely MENTIONS the phrase "git commit" in argument vectors or heredoc
+# bodies. Mirrors the P268 regression fixtures in command-detect.bats and
+# the P272 sibling fixtures in itil-changeset-discipline.bats.
+#
+# Setup constructs a drift state (RFC + stale problem) — the hook would
+# emit an advisory on any `git commit` after `Refs: RFC-001` lands in HEAD.
+# These tests confirm non-commit Bash that mentions "git commit" does NOT
+# emit the advisory.
+
+@test "P274 allow: grep with literal 'git commit' pattern in drift state → silent" {
+  write_rfc "001" "foo" "accepted"
+  write_problem_without_rfcs_section "168"
+  echo "x" > stub.txt
+  git add stub.txt
+  git -c commit.gpgsign=false commit --quiet -m "feat: stub" -m "" -m "Refs: RFC-001"
+  run run_post_bash_hook "grep -r 'git commit' ."
+  [ "$status" -eq 0 ]
+  [ -z "$output" ]
+}
+
+@test "P274 allow: sed pattern containing 'git commit' in drift state → silent" {
+  write_rfc "001" "foo" "accepted"
+  write_problem_without_rfcs_section "168"
+  echo "x" > stub.txt
+  git add stub.txt
+  git -c commit.gpgsign=false commit --quiet -m "feat: stub" -m "" -m "Refs: RFC-001"
+  run run_post_bash_hook "sed -n 's/git commit/X/p' stub.txt"
+  [ "$status" -eq 0 ]
+  [ -z "$output" ]
+}
+
+@test "P274 allow: echo with literal 'git commit' string in drift state → silent" {
+  write_rfc "001" "foo" "accepted"
+  write_problem_without_rfcs_section "168"
+  echo "x" > stub.txt
+  git add stub.txt
+  git -c commit.gpgsign=false commit --quiet -m "feat: stub" -m "" -m "Refs: RFC-001"
+  run run_post_bash_hook "echo 'run git commit -m foo'"
+  [ "$status" -eq 0 ]
+  [ -z "$output" ]
+}
+
+@test "P274 allow: git log --grep with 'git commit' search term in drift state → silent" {
+  write_rfc "001" "foo" "accepted"
+  write_problem_without_rfcs_section "168"
+  echo "x" > stub.txt
+  git add stub.txt
+  git -c commit.gpgsign=false commit --quiet -m "feat: stub" -m "" -m "Refs: RFC-001"
+  run run_post_bash_hook "git log --grep='git commit'"
+  [ "$status" -eq 0 ]
+  [ -z "$output" ]
+}
+
+@test "P274 allow: git commit-tree plumbing in drift state → silent (boundary)" {
+  write_rfc "001" "foo" "accepted"
+  write_problem_without_rfcs_section "168"
+  echo "x" > stub.txt
+  git add stub.txt
+  git -c commit.gpgsign=false commit --quiet -m "feat: stub" -m "" -m "Refs: RFC-001"
+  run run_post_bash_hook "git commit-tree HEAD^{tree} -m 'msg'"
+  [ "$status" -eq 0 ]
+  [ -z "$output" ]
+}
+
+# ── P274 positive leading-executable cases still emit advisory ──────────────
+
+@test "P274 advisory: env-var-prefixed git commit in drift state still emits advisory" {
+  write_rfc "001" "foo" "accepted"
+  write_problem_without_rfcs_section "168"
+  echo "x" > stub.txt
+  git add stub.txt
+  git -c commit.gpgsign=false commit --quiet -m "feat: stub" -m "" -m "Refs: RFC-001"
+  run run_post_bash_hook "GIT_AUTHOR_NAME=foo git commit -m foo"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"RFC-001"* ]]
+}
+
+@test "P274 advisory: cd-prefixed git commit in drift state still emits advisory" {
+  write_rfc "001" "foo" "accepted"
+  write_problem_without_rfcs_section "168"
+  echo "x" > stub.txt
+  git add stub.txt
+  git -c commit.gpgsign=false commit --quiet -m "feat: stub" -m "" -m "Refs: RFC-001"
+  run run_post_bash_hook "cd . && git commit -m foo"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"RFC-001"* ]]
+}
+
+@test "P274 advisory: leading-whitespace git commit in drift state still emits advisory" {
+  write_rfc "001" "foo" "accepted"
+  write_problem_without_rfcs_section "168"
+  echo "x" > stub.txt
+  git add stub.txt
+  git -c commit.gpgsign=false commit --quiet -m "feat: stub" -m "" -m "Refs: RFC-001"
+  run run_post_bash_hook "   git commit -m foo"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"RFC-001"* ]]
+}

package/hooks/test/p057-staging-trap-detect.bats

@@ -139,3 +139,93 @@ run_bash_hook() {
   [ "$status" -eq 0 ]
   [ "${#output}" -lt 400 ]
 }
+
+# --- P273 / P268: leading-executable command detection regression cases ---
+#
+# The hook must fire on ACTUAL `git commit` invocations, NOT on Bash that
+# merely MENTIONS the phrase "git commit" in argument vectors or heredoc
+# bodies. Mirrors the P268 regression fixtures landed in
+# command-detect.bats and the P272 sibling fixtures in
+# itil-changeset-discipline.bats.
+
+@test "allow: grep with literal 'git commit' pattern in trap state does NOT deny" {
+  # Trap shape IS present in the working tree, but the Bash is a grep
+  # invocation whose pattern argument MENTIONS "git commit" — the hook
+  # must not fire (leading executable is `grep`, not `git`).
+  git mv foo.md bar.md
+  echo "modified" > bar.md
+  run run_bash_hook "grep -r 'git commit' ."
+  [ "$status" -eq 0 ]
+  [[ "$output" != *"\"permissionDecision\": \"deny\""* ]]
+}
+
+@test "allow: sed pattern containing 'git commit' in trap state does NOT deny" {
+  git mv foo.md bar.md
+  echo "modified" > bar.md
+  run run_bash_hook "sed -n 's/git commit/X/p' bar.md"
+  [ "$status" -eq 0 ]
+  [[ "$output" != *"\"permissionDecision\": \"deny\""* ]]
+}
+
+@test "allow: echo with literal 'git commit' string in trap state does NOT deny" {
+  git mv foo.md bar.md
+  echo "modified" > bar.md
+  run run_bash_hook "echo 'run git commit -m foo'"
+  [ "$status" -eq 0 ]
+  [[ "$output" != *"\"permissionDecision\": \"deny\""* ]]
+}
+
+@test "allow: cat heredoc body containing 'git commit' in trap state does NOT deny" {
+  git mv foo.md bar.md
+  echo "modified" > bar.md
+  run run_bash_hook "cat <<EOF
+prose mentioning git commit invocations
+EOF"
+  [ "$status" -eq 0 ]
+  [[ "$output" != *"\"permissionDecision\": \"deny\""* ]]
+}
+
+@test "allow: git log --grep with 'git commit' search term does NOT deny" {
+  git mv foo.md bar.md
+  echo "modified" > bar.md
+  run run_bash_hook "git log --grep='git commit'"
+  [ "$status" -eq 0 ]
+  [[ "$output" != *"\"permissionDecision\": \"deny\""* ]]
+}
+
+@test "allow: git commit-tree plumbing in trap state does NOT deny (boundary)" {
+  # `git commit-tree` is a different git subcommand — the helper must
+  # not match it on the `commit-*` boundary.
+  git mv foo.md bar.md
+  echo "modified" > bar.md
+  run run_bash_hook "git commit-tree HEAD^{tree} -m 'msg'"
+  [ "$status" -eq 0 ]
+  [[ "$output" != *"\"permissionDecision\": \"deny\""* ]]
+}
+
+# --- P273 / P268: positive leading-executable cases still deny ---
+
+@test "deny: env-var-prefixed git commit in trap state still triggers deny" {
+  git mv foo.md bar.md
+  echo "modified" > bar.md
+  run run_bash_hook "GIT_AUTHOR_NAME=foo git commit -m 'test'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"\"permissionDecision\": \"deny\""* ]]
+  [[ "$output" == *"P057"* ]]
+}
+
+@test "deny: cd-prefixed git commit in trap state still triggers deny" {
+  git mv foo.md bar.md
+  echo "modified" > bar.md
+  run run_bash_hook "cd . && git commit -m 'test'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"\"permissionDecision\": \"deny\""* ]]
+}
+
+@test "deny: leading-whitespace git commit in trap state still triggers deny" {
+  git mv foo.md bar.md
+  echo "modified" > bar.md
+  run run_bash_hook "   git commit -m 'test'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"\"permissionDecision\": \"deny\""* ]]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/itil",
-  "version": "0.35.6-preview.363",
+  "version": "0.35.7-preview.365",
   "description": "ITIL-aligned IT service management for Claude Code (problem, and future incident/change skills)",
   "bin": {
     "windyroad-itil": "./bin/install.mjs"