@wipcomputer/wip-ai-devops-toolbox 1.9.20

package/tools/wip-file-guard/SKILL.md

@@ -0,0 +1,105 @@
+---
+name: wip-file-guard
+description: Hook that blocks destructive edits to protected identity files. For Claude Code CLI and OpenClaw.
+license: MIT
+interface: [cli, module, hook, plugin, skill]
+metadata:
+  display-name: "Identity File Protection"
+  version: "1.0.1"
+  homepage: "https://github.com/wipcomputer/wip-file-guard"
+  author: "Parker Todd Brooks"
+  category: dev-tools
+  capabilities:
+    - file-protection
+    - edit-blocking
+    - identity-guard
+  requires:
+    bins: [node]
+  openclaw:
+    requires:
+      bins: [node]
+    install:
+      - id: node
+        kind: node
+        package: "@wipcomputer/wip-file-guard"
+        bins: [wip-file-guard]
+        label: "Install via npm"
+    emoji: "🛡️"
+compatibility: Requires node. Node.js 18+.
+---
+
+# wip-file-guard
+
+Hook that blocks destructive edits to protected identity files. For Claude Code CLI and OpenClaw.
+
+## When to Use This Skill
+
+**Use wip-file-guard for:**
+- Protecting CLAUDE.md, SOUL.md, IDENTITY.md, MEMORY.md, and other identity files from being overwritten
+- Blocking AI agents from replacing file content instead of extending it
+- Surviving context compaction (behavioral rules get erased, but hooks don't)
+
+**This is a technical guardrail, not a prompt.** It blocks the operation before it happens.
+
+### Do NOT Use For
+
+- Protecting binary files or images
+- Blocking all edits (it allows small edits, only blocks destructive ones)
+- Repos without identity files
+
+## How It Works
+
+Two rules:
+
+1. **Write is blocked** on protected files. Always. Use Edit instead.
+2. **Edit is blocked** when it removes more than 2 net lines from a protected file.
+
+### Protected Files
+
+CLAUDE.md, SHARED-CONTEXT.md, SOUL.md, IDENTITY.md, CONTEXT.md, TOOLS.md, MEMORY.md
+
+### Protected Patterns
+
+Any file matching: memory, memories, journal, diary, daily log
+
+## API Reference
+
+### CLI
+
+```bash
+node guard.mjs --list          # list protected files
+bash test.sh                   # run test suite
+```
+
+### Claude Code Hook
+
+Add to `~/.claude/settings.json`:
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node \"/path/to/wip-file-guard/guard.mjs\"",
+            "timeout": 5
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+## Troubleshooting
+
+### Agent keeps trying to Write
+
+The deny message tells the agent to re-read the file and use Edit instead. If the agent ignores it, it's likely post-compaction and has lost context. The hook will keep blocking.
+
+### Edit blocked unexpectedly
+
+Check the net line removal. Edits that remove more than 2 lines from a protected file are blocked. Small edits (adding or replacing 1-2 lines) are allowed.

package/tools/wip-file-guard/guard.mjs

@@ -0,0 +1,128 @@
+#!/usr/bin/env node
+// cc-file-guard/guard.mjs
+// PreToolUse hook for Claude Code.
+// Blocks destructive edits to protected files.
+// - Blocks Write tool on protected files entirely
+// - Blocks Edit when net line removal > 2 lines
+
+import { basename } from 'node:path';
+import { existsSync } from 'node:fs';
+
+// Exact basename matches
+export const PROTECTED = new Set([
+  'CLAUDE.md',
+  'SHARED-CONTEXT.md',
+  'SOUL.md',
+  'IDENTITY.md',
+  'CONTEXT.md',
+  'TOOLS.md',
+  'MEMORY.md',
+]);
+
+// Pattern matches (case-insensitive, checked against full path and basename)
+export const PROTECTED_PATTERNS = [
+  /memory/i,
+  /memories/i,
+  /journal/i,
+  /diary/i,
+  /daily.*log/i,
+];
+
+function isProtected(filePath) {
+  const name = basename(filePath);
+  if (PROTECTED.has(name)) return name;
+  for (const pattern of PROTECTED_PATTERNS) {
+    if (pattern.test(filePath)) return name + ` (matched pattern: ${pattern})`;
+  }
+  return null;
+}
+
+function deny(reason) {
+  const output = {
+    hookSpecificOutput: {
+      hookEventName: 'PreToolUse',
+      permissionDecision: 'deny',
+      permissionDecisionReason: reason,
+    },
+  };
+  process.stdout.write(JSON.stringify(output));
+}
+
+function countLines(str) {
+  if (!str) return 0;
+  return str.split('\n').length;
+}
+
+// CLI mode: node guard.mjs --list
+if (process.argv.includes('--list')) {
+  console.log('Protected files (exact):');
+  for (const f of PROTECTED) console.log(`  ${f}`);
+  console.log('Protected patterns:');
+  for (const p of PROTECTED_PATTERNS) console.log(`  ${p}`);
+  process.exit(0);
+}
+
+async function main() {
+  let raw = '';
+  for await (const chunk of process.stdin) {
+    raw += chunk;
+  }
+
+  let input;
+  try {
+    input = JSON.parse(raw);
+  } catch {
+    // Can't parse input, allow by default
+    process.exit(0);
+  }
+
+  const toolName = input.tool_name || '';
+  const toolInput = input.tool_input || {};
+  const filePath = toolInput.file_path || toolInput.filePath || '';
+  const fileName = basename(filePath);
+
+  // Only check protected files
+  const match = isProtected(filePath);
+  if (!match) {
+    process.exit(0);
+  }
+
+  // Block Write on protected files
+  // Exact matches: always block Write (use Edit instead)
+  // Pattern matches: only block if file already exists (allow creating new files)
+  if (toolName === 'Write') {
+    const isExactMatch = PROTECTED.has(fileName);
+    if (isExactMatch || existsSync(filePath)) {
+      deny(`BLOCKED: Write tool on ${match} is not allowed. Use Edit to make specific changes. Never overwrite protected files.`);
+      process.exit(0);
+    }
+    // Pattern match but file doesn't exist yet — allow creation
+    process.exit(0);
+  }
+
+  // For Edit, check line removal AND large replacements
+  if (toolName === 'Edit') {
+    const oldString = toolInput.old_string || '';
+    const newString = toolInput.new_string || '';
+    const oldLines = countLines(oldString);
+    const newLines = countLines(newString);
+    const removed = oldLines - newLines;
+
+    // Block net removal of more than 2 lines
+    if (removed > 2) {
+      deny(`BLOCKED: You are removing ${removed} lines from ${match} (old: ${oldLines} lines, new: ${newLines} lines). Re-read the file and add content instead of replacing it.`);
+      process.exit(0);
+    }
+
+    // Block large replacements (swapping big chunks even if line count is similar)
+    if (oldLines > 4 && oldString !== newString) {
+      deny(`BLOCKED: You are replacing ${oldLines} lines in ${match}. Edit smaller sections or append new content instead of replacing existing content.`);
+      process.exit(0);
+    }
+  }
+
+  // Allow
+  process.exit(0);
+}
+
+main().catch(() => process.exit(0));

package/tools/wip-file-guard/openclaw.plugin.json

@@ -0,0 +1,8 @@
+{
+  "name": "wip-file-guard",
+  "version": "1.0.0",
+  "description": "Blocks destructive edits to protected files (CLAUDE.md, SHARED-CONTEXT.md, SOUL.md, etc.)",
+  "lifecycle": {
+    "before_tool_use": "./guard.mjs"
+  }
+}

package/tools/wip-file-guard/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "@wipcomputer/wip-file-guard",
+  "version": "1.9.20",
+  "type": "module",
+  "description": "Hook that blocks destructive edits to protected identity files. For Claude Code CLI and OpenClaw.",
+  "main": "guard.mjs",
+  "bin": {
+    "wip-file-guard": "./guard.mjs"
+  },
+  "scripts": {
+    "test": "bash test.sh"
+  },
+  "keywords": [
+    "claude-code",
+    "openclaw",
+    "hook",
+    "file-guard",
+    "ai-safety",
+    "pretooluse"
+  ],
+  "author": "Parker Todd Brooks",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/wipcomputer/wip-file-guard.git"
+  }
+}

package/tools/wip-file-guard/test.sh

@@ -0,0 +1,119 @@
+#!/bin/bash
+# test.sh - Test wip-file-guard hook
+# Run: bash test.sh
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+GUARD="$SCRIPT_DIR/guard.mjs"
+PASS=0
+FAIL=0
+
+check() {
+  local desc="$1"
+  local input="$2"
+  local expect="$3" # "block" or "allow"
+
+  local output
+  output=$(echo "$input" | node "$GUARD" 2>/dev/null)
+  local code=$?
+
+  if [ "$expect" = "block" ]; then
+    if echo "$output" | grep -q "deny"; then
+      echo "PASS: $desc"
+      ((PASS++))
+    else
+      echo "FAIL: $desc (expected block, got allow)"
+      ((FAIL++))
+    fi
+  else
+    if [ -z "$output" ] && [ $code -eq 0 ]; then
+      echo "PASS: $desc"
+      ((PASS++))
+    else
+      echo "FAIL: $desc (expected allow, got: $output)"
+      ((FAIL++))
+    fi
+  fi
+}
+
+echo "wip-file-guard tests"
+echo "==================="
+echo ""
+
+# Write tests
+check "Block Write to CLAUDE.md" \
+  '{"tool_name":"Write","tool_input":{"file_path":"/foo/CLAUDE.md","content":"new"}}' \
+  "block"
+
+check "Block Write to SHARED-CONTEXT.md" \
+  '{"tool_name":"Write","tool_input":{"file_path":"/bar/workspace/SHARED-CONTEXT.md","content":"new"}}' \
+  "block"
+
+check "Allow Write to random file" \
+  '{"tool_name":"Write","tool_input":{"file_path":"/foo/bar.js","content":"new"}}' \
+  "allow"
+
+# Edit tests - line removal
+check "Block Edit removing 5 lines from CLAUDE.md" \
+  '{"tool_name":"Edit","tool_input":{"file_path":"/foo/CLAUDE.md","old_string":"a\nb\nc\nd\ne\nf","new_string":"replaced"}}' \
+  "block"
+
+check "Allow Edit adding lines to CLAUDE.md" \
+  '{"tool_name":"Edit","tool_input":{"file_path":"/foo/CLAUDE.md","old_string":"a","new_string":"a\nb\nc"}}' \
+  "allow"
+
+check "Allow Edit on non-protected file (even removing lines)" \
+  '{"tool_name":"Edit","tool_input":{"file_path":"/foo/bar.js","old_string":"a\nb\nc\nd\ne","new_string":"x"}}' \
+  "allow"
+
+check "Allow Edit with small removal (2 lines)" \
+  '{"tool_name":"Edit","tool_input":{"file_path":"/foo/SOUL.md","old_string":"a\nb\nc","new_string":"x"}}' \
+  "allow"
+
+check "Block Edit with 4 line removal from SOUL.md" \
+  '{"tool_name":"Edit","tool_input":{"file_path":"/foo/SOUL.md","old_string":"a\nb\nc\nd\ne\nf","new_string":"x\ny"}}' \
+  "block"
+
+# Protected file coverage
+check "Block Write to IDENTITY.md" \
+  '{"tool_name":"Write","tool_input":{"file_path":"/any/path/IDENTITY.md","content":"new"}}' \
+  "block"
+
+check "Block Write to TOOLS.md" \
+  '{"tool_name":"Write","tool_input":{"file_path":"/any/path/TOOLS.md","content":"new"}}' \
+  "block"
+
+# Large replacement (same line count, different content)
+check "Block Edit replacing 8 lines with 8 different lines in SHARED-CONTEXT.md" \
+  '{"tool_name":"Edit","tool_input":{"file_path":"/foo/SHARED-CONTEXT.md","old_string":"line1\nline2\nline3\nline4\nline5\nline6\nline7\nline8","new_string":"new1\nnew2\nnew3\nnew4\nnew5\nnew6\nnew7\nnew8"}}' \
+  "block"
+
+check "Allow Edit replacing 3 lines in CLAUDE.md" \
+  '{"tool_name":"Edit","tool_input":{"file_path":"/foo/CLAUDE.md","old_string":"a\nb\nc","new_string":"x\ny\nz"}}' \
+  "allow"
+
+# Pattern matching - Write
+# Pattern-matched files: allow Write for NEW files, block for existing files
+check "Allow Write to NEW file in memory/ directory (file doesn't exist)" \
+  '{"tool_name":"Write","tool_input":{"file_path":"/nonexistent/memory/2099-01-01.md","content":"new"}}' \
+  "allow"
+
+check "Allow Write to NEW journal file (file doesn't exist)" \
+  '{"tool_name":"Write","tool_input":{"file_path":"/nonexistent/journals/new-entry.md","content":"new"}}' \
+  "allow"
+
+# Pattern matching - Edit (existing files still protected from destructive edits)
+check "Block Edit removing lines from daily log" \
+  '{"tool_name":"Edit","tool_input":{"file_path":"/memory/daily/2026-02-19.md","old_string":"a\nb\nc\nd\ne","new_string":"x"}}' \
+  "block"
+
+# Block Write to pattern-matched file that EXISTS on disk
+check "Block Write to existing test.sh (matched pattern: memory in path)" \
+  "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$SCRIPT_DIR/test.sh\",\"content\":\"new\"}}" \
+  "allow"
+
+check "Allow Write to unrelated file with no pattern match" \
+  '{"tool_name":"Write","tool_input":{"file_path":"/src/utils/helper.js","content":"new"}}' \
+  "allow"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed"

package/tools/wip-license-guard/LICENSE

@@ -0,0 +1,52 @@
+Dual License: MIT + AGPLv3
+
+Copyright (c) 2026 WIP Computer, Inc.
+
+
+1. MIT License (local and personal use)
+---------------------------------------
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
+2. GNU Affero General Public License v3.0 (commercial and cloud use)
+--------------------------------------------------------------------
+
+If you run this software as part of a hosted service, cloud platform,
+marketplace listing, or any network-accessible offering for commercial
+purposes, the AGPLv3 terms apply. You must either:
+
+  a) Release your complete source code under AGPLv3, or
+  b) Obtain a commercial license.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published
+by the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+
+AGPLv3 for personal use is free. Commercial licenses available.

package/tools/wip-license-guard/README.md

@@ -0,0 +1,32 @@
+###### WIP Computer
+
+# License Guard
+
+Enforce licensing on every commit. Copyright, dual-license, CLA. Checked automatically.
+
+## What it does
+
+- Ensures your own repos have correct copyright, license type, and LICENSE files
+- Interactive first-run setup
+- Toolbox-aware: checks every sub-tool
+- Auto-fix mode repairs issues
+- `readme-license` scans all your repos and applies a standard license block to every README in one command
+- Removes duplicate license sections from sub-tool READMEs
+
+## Usage
+
+```bash
+node tools/wip-license-guard/cli.mjs /path/to/repo
+node tools/wip-license-guard/cli.mjs /path/to/repo --fix
+```
+
+## Requirements
+
+- node (18+)
+- git
+
+## Interfaces
+
+- **CLI**: Command-line tool
+
+## Part of [AI DevOps Toolbox](https://github.com/wipcomputer/wip-ai-devops-toolbox)

package/tools/wip-license-guard/SKILL.md

@@ -0,0 +1,65 @@
+---
+name: wip-license-guard
+description: License compliance for your own repos. Ensures correct copyright headers, dual-license blocks, and LICENSE files across all source files.
+license: MIT
+interface: [cli, skill]
+metadata:
+  display-name: "License Guard"
+  version: "1.0.0"
+  homepage: "https://github.com/wipcomputer/wip-ai-devops-toolbox"
+  author: "Parker Todd Brooks"
+  category: dev-tools
+  capabilities:
+    - copyright-enforcement
+    - license-compliance
+    - license-file-check
+  requires:
+    bins: [node, git]
+  openclaw:
+    requires:
+      bins: [node, git]
+    install:
+      - id: node
+        kind: node
+        package: "@wipcomputer/wip-license-guard"
+        bins: [wip-license-guard]
+        label: "Install via npm"
+    emoji: "📜"
+---
+
+# wip-license-guard
+
+License compliance for your own repos. Ensures correct copyright, dual-license blocks, LICENSE files, and README license sections.
+
+## When to Use This Skill
+
+- Before a release, to verify all files have correct license headers
+- After adding new source files to a repo
+- To enforce the MIT/AGPL dual-license pattern
+- To standardize README license sections across all your repos
+
+## CLI
+
+```bash
+wip-license-guard check [path]                  # audit repo against config
+wip-license-guard check --fix [path]             # auto-fix LICENSE, CLA, copyright issues
+wip-license-guard init [path]                    # interactive setup
+wip-license-guard init --from-standard           # apply WIP Computer defaults (no prompts)
+wip-license-guard readme-license [path]          # audit README license sections
+wip-license-guard readme-license --dry-run       # preview what would change
+wip-license-guard readme-license --fix           # apply standard block to all READMEs
+```
+
+### readme-license
+
+Scans all repos for README license sections. Three modes:
+
+- **No flags**: audit only. Reports non-standard, missing, and sub-tool READMEs that shouldn't have license sections.
+- **--dry-run**: preview. Shows what each README has now and what would change. No files touched.
+- **--fix**: apply. Replaces non-standard sections with the standard dual MIT/AGPLv3 block. Removes license sections from sub-tool READMEs.
+
+Works on a single repo or a directory of repos:
+```bash
+wip-license-guard readme-license /path/to/one-repo
+wip-license-guard readme-license /path/to/directory-of-repos
+```