@windyroad/voice-tone 0.5.11 → 0.5.13

package/.claude-plugin/plugin.json

@@ -123,5 +123,5 @@
     }
   },
   "name": "wr-voice-tone",
-  "version": "0.5.11"
+  "version": "0.5.13"
 }

package/hooks/external-comms-gate.sh

@@ -185,28 +185,59 @@ except Exception:
         DRAFT=$(printf '%s' "$COMMAND" | python3 -c "
 import sys, re
 cmd = sys.stdin.read()
-# (pattern, flags) — first match wins.
+# P364: bash double-quote unescape. The double-quoted body capture groups
+# carry RAW shell-escaped command text — an orchestrator must backslash-escape
+# backticks (and \$, \", \\) inside \"...\" to survive bash parsing, e.g.
+# --body \"Fixed in \\\`code\\\` ...\". The PostToolUse mark hook hashes the
+# LOGICAL <draft> body (plain backticks), so the gate must undo those escapes
+# or the two marker keys diverge → permanent deny-after-PASS. Inside double
+# quotes a backslash is special ONLY before \$ \` \" \\ or a newline (line
+# continuation); single-quoted and <<'EOF' forms are literal and need none.
+# Single left-to-right pass so an escaped backslash adjacent to another escape
+# (\\\\\` -> backslash + backtick) is NOT mis-collapsed. chr() literals keep
+# this source free of the very metacharacters the surrounding shell double
+# quotes would otherwise eat.
+def unescape_dq(s):
+    out = []
+    i = 0
+    n = len(s)
+    special = set([chr(36), chr(96), chr(34), chr(92), chr(10)])
+    while i < n:
+        if s[i] == chr(92) and i + 1 < n and s[i + 1] in special:
+            if s[i + 1] != chr(10):
+                out.append(s[i + 1])
+            i += 2
+        else:
+            out.append(s[i])
+            i += 1
+    return ''.join(out)
+# (pattern, flags, unescape) — first match wins. unescape=True for the
+# double-quoted forms only (P364).
 patterns = [
     # HEREDOC body — matches a here-doc with EOF delimiter (quoted or
     # unquoted). The literal '<<' is written as the char-class pair
     # [<][<] so bash's command-substitution parser does NOT mis-parse
     # this regex as a real here-doc operator (P082 implementation note).
-    # DOTALL so the body can span newlines.
-    (r\"[<][<]\s*['\\\"]?EOF['\\\"]?\s*\n(.*?)\nEOF\", re.DOTALL),
+    # DOTALL so the body can span newlines. Left literal: the AI-canonical
+    # form is the quoted <<'EOF' heredoc, whose body bash does not unescape.
+    (r\"[<][<]\s*['\\\"]?EOF['\\\"]?\s*\n(.*?)\nEOF\", re.DOTALL, False),
     # gh issue/pr + npm publish --body 'TEXT' / --body \"TEXT\" (existing).
-    (r\"--body[= ]'([^']*)'\", 0),
-    (r'--body[= ]\"([^\"]*)\"', 0),
+    (r\"--body[= ]'([^']*)'\", 0, False),
+    (r'--body[= ]\"([^\"]*)\"', 0, True),
     # gh api --field summary='TEXT' / --field summary=\"TEXT\" (existing).
-    (r\"--field [a-zA-Z_]+='([^']*)'\", 0),
-    (r'--field [a-zA-Z_]+=\"([^\"]*)\"', 0),
+    (r\"--field [a-zA-Z_]+='([^']*)'\", 0, False),
+    (r'--field [a-zA-Z_]+=\"([^\"]*)\"', 0, True),
     # git commit -m / --message single-line literal forms (P082 Phase 1).
-    (r\"(?:-m|--message)[= ]'([^']*)'\", 0),
-    (r'(?:-m|--message)[= ]\"([^\"]*)\"', 0),
+    (r\"(?:-m|--message)[= ]'([^']*)'\", 0, False),
+    (r'(?:-m|--message)[= ]\"([^\"]*)\"', 0, True),
 ]
-for pat, flags in patterns:
+for pat, flags, unescape in patterns:
     m = re.search(pat, cmd, flags)
     if m:
-        print(m.group(1))
+        body = m.group(1)
+        if unescape:
+            body = unescape_dq(body)
+        print(body)
         break
 " 2>/dev/null || echo "")
         ;;
@@ -287,6 +318,28 @@ if [ "$EXTERNAL_COMMS_LEAK_PREFILTER" = "yes" ]; then
     fi
 fi
 
+# ---------- Repo-visibility precondition: git-commit-message surface (P365) ----------
+# A commit message only becomes external-facing prose when it lands in a PUBLIC
+# GitHub repo (git log / PR commits tab / release-page auto-notes / CHANGELOG).
+# In private or internal repos the marker-review delegation deny below is a pure
+# false-positive (P365 — user direction 2026-06-11: "this MUST NOT fire for
+# private repos"). Confirm visibility authoritatively via gh and silent-pass the
+# marker gate on any non-PUBLIC result. Any INDETERMINATE result (gh absent,
+# unauthenticated, no remote, API error → empty $REPO_VISIBILITY) is treated as
+# non-public: a commit message is only demonstrably external when the repo is
+# confirmably PUBLIC, so the conservative direction for THIS surface is to not
+# fire. This is a fail-open on the voice/tone-and-prose review ONLY — the
+# leak-pattern pre-filter above (credentials / prod-URLs) has already run for
+# every surface in every repo, so the high-stakes secrecy net is unaffected.
+# Scoped to git-commit-message only; the gh-issue/pr/api, npm-publish, and
+# changeset-author surfaces are inherently external and stay gated regardless.
+if [ "$SURFACE" = "git-commit-message" ]; then
+    REPO_VISIBILITY=$(gh repo view --json visibility -q .visibility 2>/dev/null || echo "")
+    if [ "$REPO_VISIBILITY" != "PUBLIC" ]; then
+        exit 0
+    fi
+fi
+
 # ---------- Marker-based gate (per-evaluator marker per ADR-028 amended 2026-05-14) ----------
 SESSION_DIR="${TMPDIR:-/tmp}/claude-risk-${SESSION_ID}"
 mkdir -p "$SESSION_DIR"

package/hooks/test/external-comms-gate.bats

@@ -61,9 +61,23 @@ print(json.dumps({
 " "$file_path" "$content"
 }
 
+# Mock `gh repo view --json visibility` for the git-commit-message surface
+# repo-visibility precondition (P365). vis ∈ {PUBLIC,PRIVATE,INTERNAL}; pass the
+# literal "FAIL" to simulate gh absent / unauthenticated (non-zero exit).
+mock_gh_visibility() {
+  local vis="$1"
+  mkdir -p "$TEST_PROJECT_DIR/mockbin"
+  if [ "$vis" = "FAIL" ]; then
+    printf '#!/usr/bin/env bash\nexit 1\n' > "$TEST_PROJECT_DIR/mockbin/gh"
+  else
+    printf '#!/usr/bin/env bash\necho %s\n' "$vis" > "$TEST_PROJECT_DIR/mockbin/gh"
+  fi
+  chmod +x "$TEST_PROJECT_DIR/mockbin/gh"
+}
+
 run_hook() {
   local input="$1"
-  run bash -c "cd '$TEST_PROJECT_DIR' && printf '%s' \"\$1\" | '$HOOK'" _ "$input"
+  run bash -c "cd '$TEST_PROJECT_DIR' && export PATH='$TEST_PROJECT_DIR/mockbin':\$PATH && printf '%s' \"\$1\" | '$HOOK'" _ "$input"
 }
 
 # ---------- Tests ----------
@@ -242,6 +256,7 @@ run_hook() {
 # ---------------------------------------------------------------------------
 
 @test "P082: git commit -m with literal -m body denies and delegates to voice-tone evaluator" {
+  mock_gh_visibility PUBLIC
   INPUT=$(build_bash_input "git commit -m \"I've implemented the feature\"")
   run_hook "$INPUT"
   [ "$status" -eq 0 ]
@@ -251,6 +266,7 @@ run_hook() {
 }
 
 @test "P082: git commit --message with literal body denies and delegates" {
+  mock_gh_visibility PUBLIC
   INPUT=$(build_bash_input "git commit --message \"happy to help further with this fix\"")
   run_hook "$INPUT"
   [ "$status" -eq 0 ]
@@ -259,6 +275,7 @@ run_hook() {
 }
 
 @test "P082: git commit --amend -m is intercepted (P082 SC2)" {
+  mock_gh_visibility PUBLIC
   INPUT=$(build_bash_input "git commit --amend -m \"rewritten subject\"")
   run_hook "$INPUT"
   [ "$status" -eq 0 ]
@@ -270,6 +287,7 @@ run_hook() {
   # Build a HEREDOC-shaped command. The hook regex pulls the body BETWEEN
   # the <<'EOF' opener and the closing EOF marker — the extracted DRAFT is
   # the inner text, NOT the literal `$(cat <<'EOF' ... EOF)` wrapper.
+  mock_gh_visibility PUBLIC
   BODY=$'feat(foo): add bar\n\nWe observed a build failure on Node 20.'
   CMD=$'git commit -m "$(cat <<\'EOF\'\n'"$BODY"$'\nEOF\n)"'
   INPUT=$(build_bash_input "$CMD")
@@ -312,6 +330,7 @@ run_hook() {
 }
 
 @test "P082: per-evaluator marker keyed on (body, git-commit-message) permits the call" {
+  mock_gh_visibility PUBLIC
   BODY="docs(retro): close iter 3 ask-hygiene trail"
   SURFACE="git-commit-message"
   KEY=$(printf '%s\n%s' "$BODY" "$SURFACE" | shasum -a 256 | cut -d' ' -f1)
@@ -322,3 +341,90 @@ run_hook() {
   [ "$status" -eq 0 ]
   [ -z "$output" ]
 }
+
+# ---------------------------------------------------------------------------
+# P365 — repo-visibility precondition on the git-commit-message surface.
+# Shared canonical hook (ADR-017 sync), so the precondition applies to the
+# voice-tone evaluator too: a commit message is external-facing prose ONLY in
+# a PUBLIC repo. In private/internal repos — or any indeterminate gh result —
+# the marker-review deny is a pure false-positive (user direction 2026-06-11:
+# "this MUST NOT fire for private repos"). Scoped to the git-commit-message
+# surface only; the gh-issue/pr/npm/changeset surfaces are inherently external
+# and stay gated regardless of repo visibility.
+# ---------------------------------------------------------------------------
+
+@test "P365: git commit -m in a PRIVATE repo silent-passes (no external-comms deny)" {
+  mock_gh_visibility PRIVATE
+  INPUT=$(build_bash_input "git commit -m \"I've implemented the feature\"")
+  run_hook "$INPUT"
+  [ "$status" -eq 0 ]
+  [ -z "$output" ]
+}
+
+@test "P365: git commit -m in an INTERNAL repo silent-passes" {
+  mock_gh_visibility INTERNAL
+  INPUT=$(build_bash_input "git commit -m \"I've implemented the feature\"")
+  run_hook "$INPUT"
+  [ "$status" -eq 0 ]
+  [ -z "$output" ]
+}
+
+@test "P365: git commit -m when gh is unavailable/indeterminate silent-passes (fail-non-public)" {
+  mock_gh_visibility FAIL
+  INPUT=$(build_bash_input "git commit -m \"I've implemented the feature\"")
+  run_hook "$INPUT"
+  [ "$status" -eq 0 ]
+  [ -z "$output" ]
+}
+
+@test "P365: git commit -m in a PUBLIC repo still denies+delegates (gate intact, precondition surface-scoped)" {
+  mock_gh_visibility PUBLIC
+  INPUT=$(build_bash_input "git commit -m \"I've implemented the feature\"")
+  run_hook "$INPUT"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"deny"* ]]
+  [[ "$output" == *"git-commit-message"* ]]
+}
+
+@test "P365: PRIVATE visibility does NOT short-circuit the gh-issue surface (still denies+delegates)" {
+  mock_gh_visibility PRIVATE
+  INPUT=$(build_bash_input "gh issue create --title x --body 'a clean issue body'")
+  run_hook "$INPUT"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"deny"* ]]
+  [[ "$output" == *"gh-issue-create"* ]]
+}
+
+# ---------------------------------------------------------------------------
+# P364 — backtick-bearing double-quoted --body marker-key mismatch.
+# The voice-tone gate shares the byte-identical canonical external-comms-gate.sh
+# (ADR-017 sync), so the P364 shell-unescape fix applies here too: a body with
+# backslash-escaped backticks in --body "..." must unescape to the logical
+# <draft> body the PostToolUse mark hook hashes, or the PASS marker never
+# permits. DISTINCT from P276 / P010 (whitespace / frontmatter).
+# ---------------------------------------------------------------------------
+
+@test "P364: backtick-bearing double-quoted --body permits when marker keyed on the unescaped logical body" {
+  LOGICAL='Tidied the wording in `external-comms-gate` for the patch.'
+  SURFACE="gh-issue-comment"
+  KEY=$(printf '%s\n%s' "$LOGICAL" "$SURFACE" | shasum -a 256 | cut -d' ' -f1)
+  touch "${RDIR}/external-comms-voice-tone-reviewed-${KEY}"
+
+  CMD='gh issue comment 42 --body "Tidied the wording in \`external-comms-gate\` for the patch."'
+  INPUT=$(build_bash_input "$CMD")
+  run_hook "$INPUT"
+  [ "$status" -eq 0 ]
+  [ -z "$output" ]
+}
+
+@test "P364: single-quoted --body with literal backticks stays literal (no unescaping applied)" {
+  LOGICAL='Tidied the wording in `plain_span` here.'
+  SURFACE="gh-issue-comment"
+  KEY=$(printf '%s\n%s' "$LOGICAL" "$SURFACE" | shasum -a 256 | cut -d' ' -f1)
+  touch "${RDIR}/external-comms-voice-tone-reviewed-${KEY}"
+
+  INPUT=$(build_bash_input "gh issue comment 42 --body 'Tidied the wording in \`plain_span\` here.'")
+  run_hook "$INPUT"
+  [ "$status" -eq 0 ]
+  [ -z "$output" ]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/voice-tone",
-  "version": "0.5.11",
+  "version": "0.5.13",
   "description": "Voice and tone enforcement for user-facing copy",
   "bin": {
     "windyroad-voice-tone": "./bin/install.mjs"