adversarial-review-gate 2.0.0

package/src/core/transcript.js

@@ -0,0 +1,381 @@
+// Transcript parser and skip detection.
+// Ports the Python functions from hooks/guard.py:
+//   - ts_key         -> tsKey
+//   - iter_tool_uses -> iterToolUses (inline)
+//   - completed_tool_ids -> completedToolIds (inline in scanKeys)
+//   - scan_keys      -> scanKeys
+//   - is_subagent    -> isSubagentTranscript
+//   - last_user_text -> lastUserText
+//   - wants_skip     -> wantsSkip
+
+// Sentinels must match guard.py exactly so that review-task detection is
+// consistent between the Python and Node code paths.
+export const GATE_SENTINEL = "adversarial-review-gate";
+export const DEBATE_SENTINEL = "adversarial-debate-gate";
+
+const EDIT_TOOLS = new Set(["Edit", "Write", "MultiEdit", "NotebookEdit"]);
+const REVIEW_TOOLS = new Set(["Task", "Agent"]);
+
+// ---- Escape-hatch detection (ported from guard.py) --------------------------
+// Tight allow-list of fillers between "skip" and the object; Vietnamese variants
+// are included (bỏ qua review, khỏi review, etc.). A negation guard rejects
+// "don't skip the review" etc.  A trailing-NOUN guard rejects "skip the debate
+// club" etc. — only sentence-end, punctuation, newline, or a function-word
+// continuation are accepted.
+// Note: the `g` flag is required so that re.exec() advances lastIndex on each
+// call inside wantsSkip's while loop. Without `g`, exec() returns the same
+// match every time, causing an infinite loop.
+const SKIP_RE = new RegExp(
+  "(?:" +
+    // English: skip[ping] <optional fillers> <object>
+    "\\bskip(?:ping)?\\s+(?:this\\s+|that\\s+|the\\s+|an?\\s+|adversarial\\s+|code\\s+|multi-agent\\s+)*(?:review|debate|panel)" +
+    // Vietnamese: bỏ [qua] <object>  or  khỏi <object>
+    "|\\bb[oỏ]\\s+(?:qua\\s+)?(?:review|debate)" +
+    "|\\bkh[oỏ]i\\s+(?:review|debate)" +
+  ")\\b" +
+  // Boundary: sentence-end / punctuation, OR a function-word / adverb continuation.
+  "(?=\\s*(?:[.,!?;:)\\]\\n]|$)" +
+    "|\\s+(?:please|thanks?|now|today|just|then|so|and|or|since|because" +
+    "|for|this|that|too|also|entirely|altogether|finally|asap|ok(?:ay)?)\\b)",
+  "gi",
+);
+
+const NEG_RE = new RegExp(
+  "\\b(?:not|never|dont|doesnt|didnt|wont|cant|cannot|isnt|arent|aint|nor|without" +
+    "|refrain|avoid|forbid|forbidden|prohibit|prohibited|decline|refuse|refusing" +
+    "|hold\\s+off|rather\\s+not" +
+    "|no\\s+(?:need|reason|way|account|means|event|circumstances)" +
+    "|kh[ôo]ng|đừng|dừng|chớ|chẳng|chưa|chả)\\b",
+  "i",
+);
+
+// Matches individual words (letters only, no digits, no underscore).
+const WORD_RE = /[^\W\d_]+/gu;
+const NEG_WINDOW_WORDS = 8;
+
+// "? no" / "? nope" trailing negation after the skip phrase.
+const TRAILING_NO_RE = /\s*\?\s*(?:absolutely\s+|certainly\s+|definitely\s+)?(?:no|nope|nah|not|never)\b/i;
+
+// Self-disarm defense (layer 2): the gate's own block message contains the phrase
+// "skip the review"; never let the gate's echo be read as a user skip request.
+const HOOK_ECHO_RE =
+  /stop hook feedback|has NOT passed an adversarial review|this gate (?:stands down|recognises)/i;
+
+// ---- parseJsonl -------------------------------------------------------------
+
+/**
+ * Split a JSONL text into an array of parsed objects.
+ * Lines that fail to parse are silently dropped (tolerant mode).
+ *
+ * @param {string} text
+ * @returns {object[]}
+ */
+export function parseJsonl(text) {
+  return String(text)
+    .split(/\r?\n/)
+    .filter(Boolean)
+    .flatMap((line) => {
+      try {
+        return [JSON.parse(line)];
+      } catch {
+        return [];
+      }
+    });
+}
+
+// ---- tsKey ------------------------------------------------------------------
+
+/**
+ * Convert an ISO-8601 timestamp string to a comparable epoch float (seconds).
+ * Handles the trailing-Z form and any UTC-offset form supported by Date.parse.
+ * Returns 0 for any unparseable or missing value — treated as "oldest".
+ *
+ * Mirrors Python's ts_key() in guard.py (datetime.fromisoformat + .timestamp()).
+ *
+ * @param {unknown} s
+ * @returns {number}
+ */
+export function tsKey(s) {
+  if (typeof s !== "string" || !s) return 0;
+  const t = s.trim();
+  // Date.parse handles ISO-8601 with Z or offsets natively in Node.js / V8.
+  // fromisoformat in Python 3.11+ also handles these forms — equivalent.
+  const ms = Date.parse(t);
+  if (Number.isNaN(ms)) return 0;
+  return ms / 1000; // epoch seconds, matching Python .timestamp()
+}
+
+// ---- scanKeys ---------------------------------------------------------------
+
+/**
+ * Scan JSONL transcript entries and return edit/review ordering keys plus the
+ * set of file paths touched by edit tools.
+ *
+ * Mirrors Python's scan_keys() in guard.py exactly:
+ *   - Edit tools: Edit, Write, MultiEdit, NotebookEdit
+ *   - Review tools: Task, Agent  (counted only when sentinel present AND
+ *     the call ran to completion, i.e. has a matching tool_result)
+ *
+ * @param {object[]} entries  Parsed transcript entries
+ * @returns {{ lastEditKey: number, lastReviewKey: number, lastDebateKey: number, editedPaths: Set<string> }}
+ */
+export function scanKeys(entries) {
+  // Collect tool_use ids that have a corresponding tool_result (completed calls).
+  const completed = new Set();
+  for (const e of entries) {
+    const msg = e?.message;
+    if (!msg || typeof msg !== "object") continue;
+    const content = msg.content;
+    if (!Array.isArray(content)) continue;
+    for (const blk of content) {
+      if (blk && typeof blk === "object" && blk.type === "tool_result") {
+        const tid = blk.tool_use_id;
+        if (tid) completed.add(tid);
+      }
+    }
+  }
+
+  let lastEditKey = 0;
+  let lastReviewKey = 0;
+  let lastDebateKey = 0;
+  const editedPaths = new Set();
+
+  for (const e of entries) {
+    const key = tsKey(e?.timestamp);
+    const msg = e?.message;
+    if (!msg || typeof msg !== "object") continue;
+    const content = msg.content;
+    if (!Array.isArray(content)) continue;
+
+    for (const blk of content) {
+      if (!blk || typeof blk !== "object" || blk.type !== "tool_use") continue;
+      const name = blk.name || "";
+      const inp = blk.input || {};
+      const tid = blk.id || "";
+
+      if (EDIT_TOOLS.has(name)) {
+        if (key > lastEditKey) lastEditKey = key;
+        if (inp && typeof inp === "object") {
+          for (const k of ["file_path", "notebook_path"]) {
+            const p = inp[k];
+            if (typeof p === "string" && p) editedPaths.add(p);
+          }
+        }
+      } else if (REVIEW_TOOLS.has(name) && completed.has(tid)) {
+        // Serialize the input to a lowercase string and check for sentinels.
+        const blob =
+          typeof inp === "object"
+            ? JSON.stringify(inp).toLowerCase()
+            : String(inp).toLowerCase();
+        if (blob.includes(GATE_SENTINEL) && key > lastReviewKey) {
+          lastReviewKey = key;
+        }
+        if (blob.includes(DEBATE_SENTINEL) && key > lastDebateKey) {
+          lastDebateKey = key;
+        }
+      }
+    }
+  }
+
+  return { lastEditKey, lastReviewKey, lastDebateKey, editedPaths };
+}
+
+// ---- collectReviewOutputs ---------------------------------------------------
+
+/**
+ * Extract the plain-text payload of a `tool_result` content block.
+ *
+ * Anthropic transcripts encode tool_result content either as a bare string or
+ * as an array of blocks (commonly `{ type: "text", text: "..." }`). We
+ * concatenate all text-bearing parts so a verdict block embedded anywhere in
+ * the subagent's final output can be parsed.
+ *
+ * @param {unknown} content
+ * @returns {string}
+ */
+function toolResultText(content) {
+  if (typeof content === "string") return content;
+  if (Array.isArray(content)) {
+    const parts = [];
+    for (const blk of content) {
+      if (typeof blk === "string") {
+        parts.push(blk);
+      } else if (blk && typeof blk === "object") {
+        if (typeof blk.text === "string") parts.push(blk.text);
+        else if (typeof blk.content === "string") parts.push(blk.content);
+      }
+    }
+    return parts.join("\n");
+  }
+  return "";
+}
+
+/**
+ * Collect the final OUTPUT text of every review Task/Agent tool-use that
+ * COMPLETED (has a matching tool_result) strictly after `afterKey`.
+ *
+ * Unlike `scanKeys`, this does NOT gate on a sentinel substring — acceptance is
+ * decided by the caller via `parseVerdict`. A sentinel may still be used by the
+ * caller as a cheap pre-filter, but it must never be the basis for acceptance.
+ *
+ * Ordering: the review's timestamp (when its tool_use was issued) must be
+ * strictly greater than `afterKey` (the last edit). This mirrors the
+ * "completed after the last edit" requirement so a stale, pre-edit review can
+ * never satisfy the current change.
+ *
+ * @param {object[]} entries  Parsed transcript entries
+ * @param {number} afterKey   Epoch-seconds lower bound (typically lastEditKey)
+ * @returns {string[]} output text strings, in transcript order
+ */
+export function collectReviewOutputs(entries, afterKey = 0) {
+  // Map tool_use_id -> concatenated tool_result output text (completed calls).
+  const outputs = new Map();
+  for (const e of entries) {
+    const msg = e?.message;
+    if (!msg || typeof msg !== "object") continue;
+    const content = msg.content;
+    if (!Array.isArray(content)) continue;
+    for (const blk of content) {
+      if (blk && typeof blk === "object" && blk.type === "tool_result") {
+        const tid = blk.tool_use_id;
+        if (tid) outputs.set(tid, toolResultText(blk.content));
+      }
+    }
+  }
+
+  const results = [];
+  for (const e of entries) {
+    const key = tsKey(e?.timestamp);
+    const msg = e?.message;
+    if (!msg || typeof msg !== "object") continue;
+    const content = msg.content;
+    if (!Array.isArray(content)) continue;
+    for (const blk of content) {
+      if (!blk || typeof blk !== "object" || blk.type !== "tool_use") continue;
+      const name = blk.name || "";
+      const tid = blk.id || "";
+      if (!REVIEW_TOOLS.has(name)) continue;
+      if (!outputs.has(tid)) continue; // not completed
+      if (key <= afterKey) continue; // not strictly after the last edit
+      results.push(outputs.get(tid));
+    }
+  }
+  return results;
+}
+
+// ---- isSubagentTranscript ---------------------------------------------------
+
+/**
+ * Return true when the transcript belongs to a workflow-spawned subagent that
+ * should NOT be gated (to avoid serializing parallel pipelines).
+ *
+ * Mirrors the Python check in guard.py main():
+ *   session_id.startswith("g-")  OR
+ *   "/subagents/" in tp          OR
+ *   basename(tp).startswith("agent-")
+ *
+ * Works on Windows paths (backslashes are normalised first).
+ *
+ * @param {string} transcriptPath
+ * @param {string} [sessionId=""]
+ * @returns {boolean}
+ */
+export function isSubagentTranscript(transcriptPath, sessionId = "") {
+  const normalized = String(transcriptPath || "").replace(/\\/g, "/");
+  const base = normalized.split("/").at(-1) || "";
+  return (
+    String(sessionId).startsWith("g-") ||
+    normalized.includes("/subagents/") ||
+    base.startsWith("agent-")
+  );
+}
+
+// ---- lastUserText -----------------------------------------------------------
+
+/**
+ * Return the text of the most recent GENUINE human prompt from the transcript.
+ *
+ * Excludes:
+ *  - assistant turns
+ *  - isMeta / synthetic injections (skill notices, system reminders, hook feedback)
+ *  - entries whose content consists entirely of tool_result blocks
+ *
+ * This is layer 1 of the self-disarm defense; HOOK_ECHO_RE is layer 2.
+ *
+ * Mirrors Python's last_user_text() in guard.py.
+ *
+ * @param {object[]} entries
+ * @returns {string}
+ */
+export function lastUserText(entries) {
+  for (let i = entries.length - 1; i >= 0; i--) {
+    const e = entries[i];
+    if (e?.type !== "user" || e?.isMeta) continue;
+    const msg = e?.message;
+    if (!msg || typeof msg !== "object") continue;
+    const content = msg.content;
+    if (typeof content === "string") {
+      if (content.trim()) return content;
+      continue;
+    }
+    if (Array.isArray(content)) {
+      // Skip entries that are purely tool_result blocks (no genuine user text).
+      if (content.some((b) => b && typeof b === "object" && b.type === "tool_result")) {
+        continue;
+      }
+      const texts = content
+        .filter((b) => b && typeof b === "object" && b.type === "text")
+        .map((b) => b.text || "");
+      const joined = texts.filter(Boolean).join(" ").trim();
+      if (joined) return joined;
+    }
+  }
+  return "";
+}
+
+// ---- wantsSkip --------------------------------------------------------------
+
+/**
+ * Return true only if the text is a GENUINE request to skip the review.
+ *
+ * A skip phrase preceded (within NEG_WINDOW_WORDS words) by a negation cue
+ * does NOT count. A trailing-noun that extends the object phrase does NOT count.
+ * The gate's own echoed block reason does NOT count (HOOK_ECHO_RE defense).
+ *
+ * Errs toward review when ambiguous: a false-negative costs only an extra review,
+ * whereas a wrong match would silently disarm a safety gate.
+ *
+ * Mirrors Python's wants_skip() in guard.py.
+ *
+ * @param {string} text
+ * @returns {boolean}
+ */
+export function wantsSkip(text) {
+  if (!text || HOOK_ECHO_RE.test(text)) return false; // layer-2 self-disarm defense
+
+  // Normalize BOTH curly apostrophes (U+2018 left, U+2019 right) to a straight
+  // apostrophe. Mirrors Python: text.replace("‘","’").replace("’","’").
+  // The original regex had all three chars as U+2019 (a no-op); this is the fix.
+  const norm = text.replace(/[‘’]/g, "'");
+
+  // Create a fresh regex instance so that lastIndex starts at 0 and we can
+  // iterate over all matches. (SKIP_RE has the `g` flag, so exec() advances
+  // lastIndex; using a fresh instance avoids cross-call state leakage.)
+  const re = new RegExp(SKIP_RE.source, SKIP_RE.flags);
+  let match;
+  while ((match = re.exec(norm)) !== null) {
+    // Check for trailing negation ("? no", "? never", etc.)
+    if (TRAILING_NO_RE.test(norm.slice(match.index + match[0].length))) continue;
+
+    // Extract the window of words before the match for negation detection.
+    // Strip STRAIGHT apostrophe (U+0027) so contractions collapse:
+    // "don’t" → "dont", which NEG_RE matches. The curly apostrophes were
+    // already normalized to straight on line 276, so this single replace
+    // covers all variants. Mirrors Python: pre.replace("’", "").
+    const pre = norm.slice(0, match.index).replace(/'/g, "");
+    const words = [...pre.toLowerCase().matchAll(WORD_RE)].map((m) => m[0]);
+    const window = words.slice(-NEG_WINDOW_WORDS).join(" ");
+    if (!NEG_RE.test(window)) return true;
+  }
+  return false;
+}

package/src/core/verdict.js

@@ -0,0 +1,67 @@
+const START = "<<<ADVERSARIAL-REVIEW-VERDICT>>>";
+const END = "<<<END>>>";
+const MAX_OUTPUT_BYTES = 1024 * 1024;
+
+export function parseVerdict(output, job, options = {}) {
+  // FIX 3: compute text once to avoid TOCTOU gap with non-idempotent toString objects
+  const text = String(output);
+
+  if (Buffer.byteLength(text, "utf8") > (options.maxBytes || MAX_OUTPUT_BYTES)) {
+    return { ok: false, error: "verdict_output_too_large" };
+  }
+
+  const start = text.indexOf(START);
+  if (start < 0) return { ok: false, error: "missing_verdict_start" };
+
+  // FIX 1: reject inputs that contain more than one verdict block (prompt-injection defence)
+  if (text.indexOf(START) !== text.lastIndexOf(START)) {
+    return { ok: false, error: "multiple_verdict_blocks" };
+  }
+
+  const end = text.indexOf(END, start + START.length);
+  if (end < 0) return { ok: false, error: "missing_verdict_end" };
+  const trailing = text.slice(end + END.length).trim();
+  if (trailing) return { ok: false, error: "trailing_output_after_verdict" };
+  const body = text.slice(start + START.length, end).trim();
+
+  // FIX 1 (defense-in-depth): reject nested sentinel tokens inside the extracted body
+  if (body.includes(START) || body.includes(END)) {
+    return { ok: false, error: "nested_verdict_block" };
+  }
+
+  let parsed;
+  try {
+    parsed = JSON.parse(body);
+  } catch {
+    return { ok: false, error: "invalid_verdict_json" };
+  }
+  return validateVerdict(parsed, job);
+}
+
+export function validateVerdict(parsed, job) {
+  if (!parsed || typeof parsed !== "object") return { ok: false, error: "verdict_not_object" };
+  if (parsed.job_id !== job.jobId) return { ok: false, error: "job_id_mismatch" };
+  if (parsed.diff_hash !== job.diffHash) return { ok: false, error: "diff_hash_mismatch" };
+  if (parsed.reviewer !== job.reviewer) return { ok: false, error: "reviewer_mismatch" };
+  if (parsed.level !== job.level) return { ok: false, error: "level_mismatch" };
+  if (!["pass", "fail"].includes(parsed.verdict)) return { ok: false, error: "invalid_verdict_value" };
+  if (!Array.isArray(parsed.findings)) parsed.findings = [];
+  if (!parsed.coverage || typeof parsed.coverage !== "object") {
+    return { ok: false, error: "missing_coverage" };
+  }
+  const required = job.requiredDimensions || [];
+  const dimensions = parsed.dimensions || {};
+  for (const dimension of required) {
+    if (!(dimension in dimensions)) return { ok: false, error: `missing_dimension:${dimension}` };
+  }
+  // FIX 2: require severity to be a string so array/object/number values cannot
+  // bypass the forced-fail by accidentally matching via type coercion
+  const forcedFail = parsed.findings.some(
+    (finding) =>
+      finding &&
+      typeof finding.severity === "string" &&
+      ["Critical", "Important"].includes(finding.severity)
+  );
+  const verdict = forcedFail ? "fail" : parsed.verdict;
+  return { ok: true, verdict: { ...parsed, verdict } };
+}

package/src/hosts/claude-code.js

@@ -0,0 +1,77 @@
+// Claude Code native host integration module.
+//
+// Returns the planned writes needed to enable the Claude Code SessionStart and
+// Stop hooks. Exposes a planning function rather than writing files directly so
+// the `install` command can operate in dry-run mode without touching the disk.
+//
+// Hook target: bin/adversarial-review.js hook --host claude-code --event <event>
+//
+// Claude Code hooks.json location (per-project): <cwd>/.claude/settings.json
+// (hooks are embedded in the settings file as a "hooks" key) or a standalone
+// <cwd>/.claude/hooks.json depending on the Claude Code version. We write the
+// settings.json variant as that is the current standard and supported by
+// Task 12; Task 12 will refine the exact template.
+
+import path from "node:path";
+
+/**
+ * Build the hook configuration object for Claude Code.
+ *
+ * @param {object} options
+ * @param {string} options.binPath  - absolute path to the adversarial-review binary
+ * @returns {object}  hook config JSON object
+ */
+function buildHookConfig(binPath) {
+  const bin = binPath || "npx adversarial-review";
+  return {
+    hooks: {
+      SessionStart: [
+        {
+          hooks: [
+            {
+              type: "command",
+              command: `${bin} hook --host claude-code --event session-start`,
+            },
+          ],
+        },
+      ],
+      Stop: [
+        {
+          hooks: [
+            {
+              type: "command",
+              command: `${bin} hook --host claude-code --event stop`,
+            },
+          ],
+        },
+      ],
+    },
+  };
+}
+
+/**
+ * Return the list of planned writes to enable the Claude Code native hooks.
+ *
+ * Each entry describes a file that the installer would write:
+ *   { path: <absolute path>, content: <JSON string>, note: <human note> }
+ *
+ * This function never writes anything — it is intentionally pure so callers
+ * (including dry-run mode) can inspect planned writes before committing.
+ *
+ * @param {object} options
+ * @param {string} options.cwd      - project root (where .claude/ lives)
+ * @param {string} [options.binPath] - resolved path to adversarial-review binary
+ * @returns {Array<{path: string, content: string, note: string}>}
+ */
+export function plannedClaudeCodeWrites({ cwd, binPath }) {
+  const hookConfig = buildHookConfig(binPath);
+  const settingsPath = path.join(cwd, ".claude", "settings.json");
+
+  return [
+    {
+      path: settingsPath,
+      content: JSON.stringify(hookConfig, null, 2),
+      note: "Claude Code native hooks (SessionStart + Stop) — native-enforced",
+    },
+  ];
+}

package/src/hosts/index.js

@@ -0,0 +1,60 @@
+// Host capability registry.
+//
+// Each entry describes how a host integrates with the gate:
+//   enforcement:          "native-enforced"  - the host has a native Stop hook
+//                                              that the gate can attach to;
+//                         "wrapper-enforced" - the gate is invoked via a
+//                                              wrapper command (npx adversarial-
+//                                              review run --host <h> -- <cmd>).
+//   supportsBaseline:     true when the host exposes SessionStart / session-
+//                         open lifecycle hooks where we can capture a baseline.
+//   supportsSelfReview:   true when the host's own agent can act as reviewer
+//                         (native self-review).
+//   supportsNativeBlock:  true when the gate can hard-block the host from
+//                         completing an action via a native protocol return
+//                         (e.g. Claude Code Stop hook {"decision":"block"}).
+//   supportsExternalReview: true when an external reviewer process (codex,
+//                           opencode, custom) can be used for this host.
+
+export const HOSTS = {
+  "claude-code": {
+    id: "claude-code",
+    enforcement: "native-enforced",
+    supportsBaseline: false,
+    supportsSelfReview: true,
+    supportsNativeBlock: true,
+    supportsExternalReview: true,
+  },
+  "codex": {
+    id: "codex",
+    enforcement: "wrapper-enforced",
+    supportsBaseline: true,
+    supportsSelfReview: true,
+    supportsNativeBlock: false,
+    supportsExternalReview: true,
+  },
+  "opencode": {
+    id: "opencode",
+    enforcement: "wrapper-enforced",
+    supportsBaseline: true,
+    supportsSelfReview: true,
+    supportsNativeBlock: false,
+    supportsExternalReview: true,
+  },
+  "github-copilot-cli": {
+    id: "github-copilot-cli",
+    enforcement: "wrapper-enforced",
+    supportsBaseline: true,
+    supportsSelfReview: false,
+    supportsNativeBlock: false,
+    supportsExternalReview: false,
+  },
+  "antigravity": {
+    id: "antigravity",
+    enforcement: "wrapper-enforced",
+    supportsBaseline: true,
+    supportsSelfReview: false,
+    supportsNativeBlock: false,
+    supportsExternalReview: false,
+  },
+};

package/src/hosts/wrapper.js

@@ -0,0 +1,37 @@
+// Wrapper host integration module.
+//
+// Wrapper-enforced hosts cannot install native hooks; enforcement depends on
+// the user invoking the tool via an `adversarial-review run` wrapper command.
+// This module returns printable instructions (no file writes) that the
+// installer presents to the user.
+
+/**
+ * Return the wrapper invocation string and residual-risk note for a host.
+ *
+ * No file writes occur — wrapper hosts require the user to change their own
+ * launch command.  The returned object is printable by the installer.
+ *
+ * @param {object} options
+ * @param {string} options.host        - host id (e.g. "codex", "opencode")
+ * @param {string} [options.reviewer]  - reviewer id (may be "none")
+ * @param {string} [options.binPath]   - resolved path to adversarial-review binary
+ * @returns {{ host: string, wrapperCommand: string, enforcement: string, residualRisk: string }}
+ */
+export function wrapperInstructions({ host, reviewer, binPath }) {
+  const bin = binPath || "npx adversarial-review";
+  const reviewerNote = reviewer && reviewer !== "none" ? ` (reviewer: ${reviewer})` : "";
+
+  // Build a representative wrapper command.  The user substitutes their actual
+  // subcommand in place of the placeholder.
+  const wrapperCommand = `${bin} run --host ${host} -- ${host} <your-command>`;
+
+  return {
+    host,
+    wrapperCommand,
+    enforcement: "wrapper-enforced",
+    residualRisk:
+      `Wrapper enforcement depends on the user always invoking ${host} through ` +
+      `adversarial-review run. Bypassing the wrapper skips the review gate entirely. ` +
+      `Native enforcement is not available for this host${reviewerNote}.`,
+  };
+}

package/src/integrations/claude-code/hooks.json

@@ -0,0 +1,28 @@
+{
+  "hooks": {
+    "SessionStart": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node \"${CLAUDE_PLUGIN_ROOT}/bin/adversarial-review.js\" hook --host claude-code --event session-start",
+            "statusMessage": "Adversarial review baseline",
+            "timeout": 60
+          }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node \"${CLAUDE_PLUGIN_ROOT}/bin/adversarial-review.js\" hook --host claude-code --event stop",
+            "statusMessage": "Adversarial review gate",
+            "timeout": 300
+          }
+        ]
+      }
+    ]
+  }
+}