all-for-claudecode 2.0.0 → 2.2.0

package/scripts/afc-blast-radius.sh

@@ -0,0 +1,418 @@
+#!/bin/bash
+set -euo pipefail
+
+# Blast Radius Analyzer: Traces source/dependency fan-out for planned changes
+# Detects circular source chains and generates an impact report.
+#
+# Usage: afc-blast-radius.sh <plan_file_or_dir> [project_root]
+#   - plan file: parses File Change Map table to extract planned file changes
+#   - directory:  scans all .sh files for dependency analysis
+#
+# Exit 0: analysis complete (no cycles)
+# Exit 1: cycle detected or error
+
+TMPDIR_WORK=""
+
+# shellcheck disable=SC2329
+cleanup() {
+  if [ -n "$TMPDIR_WORK" ] && [ -d "$TMPDIR_WORK" ]; then
+    rm -rf "$TMPDIR_WORK"
+  fi
+}
+trap cleanup EXIT
+
+# ── Args ──────────────────────────────────────────────────
+
+INPUT_PATH="${1:-}"
+PROJECT_ROOT="${2:-${CLAUDE_PROJECT_DIR:-$(pwd)}}"
+
+if [ -z "$INPUT_PATH" ]; then
+  printf '[afc:blast-radius] Usage: %s <plan_file_or_dir> [project_root]\n' "$0" >&2
+  exit 1
+fi
+
+if [ ! -e "$INPUT_PATH" ]; then
+  printf '[afc:blast-radius] Error: path not found: %s\n' "$INPUT_PATH" >&2
+  exit 1
+fi
+
+TMPDIR_WORK="$(mktemp -d)"
+
+PLANNED_FILES="$TMPDIR_WORK/planned.txt"
+ALL_DEPS="$TMPDIR_WORK/deps.txt"
+DIRECT_DEPENDENTS="$TMPDIR_WORK/dependents.txt"
+HOOKS_REFS="$TMPDIR_WORK/hooks_refs.txt"
+FAN_OUT="$TMPDIR_WORK/fan_out.txt"
+CYCLE_RESULT="$TMPDIR_WORK/cycle.txt"
+: > "$PLANNED_FILES"
+: > "$ALL_DEPS"
+: > "$DIRECT_DEPENDENTS"
+: > "$HOOKS_REFS"
+: > "$FAN_OUT"
+: > "$CYCLE_RESULT"
+
+# ── Parse planned files ──────────────────────────────────
+
+if [ -f "$INPUT_PATH" ]; then
+  # Parse plan.md: extract file paths from File Change Map table
+  # Format: | `path/to/file` | Action | description | ~N |
+  while IFS= read -r line || [ -n "$line" ]; do
+    # Match lines with backtick-delimited paths in table cells
+    # shellcheck disable=SC2016
+    if printf '%s\n' "$line" | grep -qE '^\|.*`[^`]+`.*\|'; then
+      file_path=""
+      # shellcheck disable=SC2016
+      file_path=$(printf '%s\n' "$line" | sed -n 's/^|[[:space:]]*`\([^`]*\)`.*/\1/p')
+      if [ -n "$file_path" ]; then
+        printf '%s\n' "$file_path" >> "$PLANNED_FILES"
+      fi
+    fi
+  done < "$INPUT_PATH"
+elif [ -d "$INPUT_PATH" ]; then
+  # Directory mode: scan all .sh files
+  find "$INPUT_PATH" -name '*.sh' -type f 2>/dev/null | while IFS= read -r f; do
+    # Make path relative to project root if possible
+    rel_path="${f#"$PROJECT_ROOT"/}"
+    printf '%s\n' "$rel_path" >> "$PLANNED_FILES"
+  done
+fi
+
+PLANNED_COUNT=$(wc -l < "$PLANNED_FILES" | tr -d ' ')
+
+if [ "$PLANNED_COUNT" -eq 0 ]; then
+  printf 'Impact Analysis:\n'
+  printf '  Planned changes: 0 files\n'
+  printf '  Direct dependents: 0 files\n'
+  printf '  High fan-out (>5 dependents): none\n'
+  printf '  Cross-references: none\n'
+  printf '  Circular dependencies: none\n'
+  printf '  Total blast radius: 0 files\n'
+  exit 0
+fi
+
+# ── Build source dependency map ──────────────────────────
+# Scan all .sh files in the project for `source` and `. ` directives
+
+SCRIPTS_DIR="$PROJECT_ROOT/scripts"
+ALL_SH_FILES="$TMPDIR_WORK/all_sh.txt"
+: > "$ALL_SH_FILES"
+
+# Collect all shell scripts in the project
+if [ -d "$SCRIPTS_DIR" ]; then
+  find "$SCRIPTS_DIR" -name '*.sh' -type f 2>/dev/null >> "$ALL_SH_FILES"
+fi
+# Also check spec/ directory for test files that may source scripts
+if [ -d "$PROJECT_ROOT/spec" ]; then
+  find "$PROJECT_ROOT/spec" -name '*.sh' -type f 2>/dev/null >> "$ALL_SH_FILES"
+fi
+
+# For each shell file, extract what it sources
+# Format: sourcer<TAB>sourced_basename
+while IFS= read -r sh_file || [ -n "$sh_file" ]; do
+  [ -z "$sh_file" ] && continue
+  [ ! -f "$sh_file" ] && continue
+
+  sourcer_rel="${sh_file#"$PROJECT_ROOT"/}"
+
+  # Match: source "path" or . "path" (with various quoting)
+  # Lines like: . "$(dirname "$0")/afc-state.sh" have nested quotes,
+  # so we extract the .sh basename directly from the line.
+  while IFS= read -r src_line || [ -n "$src_line" ]; do
+    [ -z "$src_line" ] && continue
+
+    # Extract the last .sh filename from the source line
+    sourced_base=""
+    sourced_base=$(printf '%s\n' "$src_line" | grep -oE '[a-zA-Z0-9_.-]+\.sh' | tail -1 || true)
+    [ -z "$sourced_base" ] && continue
+
+    # Find the actual file path that matches this basename
+    sourced_rel=""
+    if [ -d "$SCRIPTS_DIR" ]; then
+      sourced_match=$(find "$SCRIPTS_DIR" -name "$sourced_base" -type f 2>/dev/null | head -1 || true)
+      if [ -n "$sourced_match" ]; then
+        sourced_rel="${sourced_match#"$PROJECT_ROOT"/}"
+      fi
+    fi
+    if [ -z "$sourced_rel" ]; then
+      # Try spec/ or other dirs
+      sourced_match=$(find "$PROJECT_ROOT" -name "$sourced_base" -type f -not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/vendor/*" 2>/dev/null | head -1 || true)
+      if [ -n "$sourced_match" ]; then
+        sourced_rel="${sourced_match#"$PROJECT_ROOT"/}"
+      else
+        sourced_rel="scripts/$sourced_base"
+      fi
+    fi
+
+    # Record: sourcer sources sourced_rel
+    printf '%s\t%s\n' "$sourcer_rel" "$sourced_rel" >> "$ALL_DEPS"
+  done < <(grep -nE '^\s*(\.|source)\s+' "$sh_file" 2>/dev/null || true)
+done < "$ALL_SH_FILES"
+
+# ── Find direct dependents of planned files ──────────────
+
+while IFS= read -r planned || [ -n "$planned" ]; do
+  [ -z "$planned" ] && continue
+  planned_base="$(basename "$planned")"
+
+  # Find scripts that source this planned file
+  # shellcheck disable=SC2002
+  while IFS=$'\t' read -r sourcer sourced || [ -n "$sourcer" ]; do
+    sourced_base="$(basename "$sourced" 2>/dev/null || true)"
+    if [ "$sourced_base" = "$planned_base" ] || [ "$sourced" = "$planned" ]; then
+      printf '%s\n' "$sourcer" >> "$DIRECT_DEPENDENTS"
+    fi
+  done < "$ALL_DEPS"
+done < "$PLANNED_FILES"
+
+# Deduplicate dependents, exclude files already in planned list
+if [ -s "$DIRECT_DEPENDENTS" ]; then
+  sort -u "$DIRECT_DEPENDENTS" > "$TMPDIR_WORK/dependents_unique.txt"
+  # Remove planned files from dependents (they are not "additional" impact)
+  comm -23 "$TMPDIR_WORK/dependents_unique.txt" <(sort "$PLANNED_FILES") > "$DIRECT_DEPENDENTS" 2>/dev/null || \
+    mv "$TMPDIR_WORK/dependents_unique.txt" "$DIRECT_DEPENDENTS"
+fi
+
+DEPENDENT_COUNT=$(wc -l < "$DIRECT_DEPENDENTS" | tr -d ' ')
+
+# ── Compute fan-out per planned file ─────────────────────
+
+while IFS= read -r planned || [ -n "$planned" ]; do
+  [ -z "$planned" ] && continue
+  planned_base="$(basename "$planned")"
+
+  count=0
+  while IFS=$'\t' read -r _sourcer sourced || [ -n "$_sourcer" ]; do
+    sourced_base="$(basename "$sourced" 2>/dev/null || true)"
+    if [ "$sourced_base" = "$planned_base" ] || [ "$sourced" = "$planned" ]; then
+      count=$((count + 1))
+    fi
+  done < "$ALL_DEPS"
+
+  if [ "$count" -gt 0 ]; then
+    printf '%d\t%s\n' "$count" "$planned" >> "$FAN_OUT"
+  fi
+done < "$PLANNED_FILES"
+
+# ── Check hooks.json cross-references ────────────────────
+
+HOOKS_FILE="$PROJECT_ROOT/hooks/hooks.json"
+if [ -f "$HOOKS_FILE" ]; then
+  while IFS= read -r planned || [ -n "$planned" ]; do
+    [ -z "$planned" ] && continue
+    planned_base="$(basename "$planned")"
+
+    if grep -q "$planned_base" "$HOOKS_FILE" 2>/dev/null; then
+      printf '%s\n' "$planned_base" >> "$HOOKS_REFS"
+    fi
+  done < "$PLANNED_FILES"
+fi
+
+# Deduplicate hooks refs
+if [ -s "$HOOKS_REFS" ]; then
+  sort -u "$HOOKS_REFS" > "$TMPDIR_WORK/hooks_unique.txt"
+  mv "$TMPDIR_WORK/hooks_unique.txt" "$HOOKS_REFS"
+fi
+
+# ── Cycle detection (DFS) ────────────────────────────────
+# Build adjacency: sourced -> sourcer (if sourced changes, sourcer is affected)
+# But for cycles we care about: A sources B, B sources A
+# So we detect cycles in the "sources" graph: edge from sourcer to sourced
+
+CYCLE_FOUND=0
+NODES_FILE="$TMPDIR_WORK/nodes.txt"
+: > "$NODES_FILE"
+
+# Collect all unique nodes from deps
+if [ -s "$ALL_DEPS" ]; then
+  cut -f1 "$ALL_DEPS" >> "$NODES_FILE"
+  cut -f2 "$ALL_DEPS" >> "$NODES_FILE"
+  sort -u "$NODES_FILE" > "$TMPDIR_WORK/nodes_unique.txt"
+  mv "$TMPDIR_WORK/nodes_unique.txt" "$NODES_FILE"
+fi
+
+NODE_COUNT=$(wc -l < "$NODES_FILE" | tr -d ' ')
+
+if [ "$NODE_COUNT" -gt 0 ]; then
+  COLOR_DIR="$TMPDIR_WORK/colors"
+  mkdir -p "$COLOR_DIR"
+
+  # Initialize all nodes as WHITE (0)
+  while IFS= read -r node || [ -n "$node" ]; do
+    [ -z "$node" ] && continue
+    # Use md5/hash for safe filenames (paths contain /)
+    node_hash=$(printf '%s' "$node" | md5sum 2>/dev/null | cut -d' ' -f1 || printf '%s' "$node" | md5 2>/dev/null || printf '%s' "$node" | tr '/' '_')
+    printf '0' > "$COLOR_DIR/$node_hash"
+    # Map hash back to name
+    printf '%s\t%s\n' "$node_hash" "$node" >> "$TMPDIR_WORK/hash_map.txt"
+  done < "$NODES_FILE"
+
+  # DFS from each white node
+  dfs_visit() {
+    local start_hash="$1"
+    local stack_file="$TMPDIR_WORK/dfs_stack.txt"
+    local path_file="$TMPDIR_WORK/dfs_path.txt"
+    printf '%s\n' "$start_hash" > "$stack_file"
+    : > "$path_file"
+
+    while [ -s "$stack_file" ]; do
+      current_hash="$(tail -1 "$stack_file")"
+
+      color_file="$COLOR_DIR/$current_hash"
+      if [ ! -f "$color_file" ]; then
+        # Remove from stack
+        sed -i '' '$d' "$stack_file" 2>/dev/null || sed -i '$d' "$stack_file"
+        continue
+      fi
+
+      color="$(cat "$color_file")"
+
+      if [ "$color" = "0" ]; then
+        # Mark GRAY (in progress)
+        printf '1' > "$color_file"
+        printf '%s\n' "$current_hash" >> "$path_file"
+
+        # Get current node name
+        current_name=$(grep -E "^${current_hash}\t" "$TMPDIR_WORK/hash_map.txt" 2>/dev/null | cut -f2 | head -1 || true)
+        [ -z "$current_name" ] && { sed -i '' '$d' "$stack_file" 2>/dev/null || sed -i '$d' "$stack_file"; continue; }
+
+        # Find neighbors (files this script sources)
+        has_neighbor=0
+        while IFS=$'\t' read -r src dst || [ -n "$src" ]; do
+          if [ "$src" = "$current_name" ]; then
+            dst_hash=$(printf '%s' "$dst" | md5sum 2>/dev/null | cut -d' ' -f1 || printf '%s' "$dst" | md5 2>/dev/null || printf '%s' "$dst" | tr '/' '_')
+            dst_color_file="$COLOR_DIR/$dst_hash"
+            [ ! -f "$dst_color_file" ] && continue
+
+            dst_color="$(cat "$dst_color_file")"
+            if [ "$dst_color" = "1" ]; then
+              # Back edge found -> cycle
+              CYCLE_FOUND=1
+              # Reconstruct cycle path
+              dst_name=$(grep -E "^${dst_hash}\t" "$TMPDIR_WORK/hash_map.txt" 2>/dev/null | cut -f2 | head -1 || true)
+              cycle_str="CYCLE:"
+              in_cycle=0
+              while IFS= read -r ph || [ -n "$ph" ]; do
+                if [ "$ph" = "$dst_hash" ]; then
+                  in_cycle=1
+                fi
+                if [ "$in_cycle" -eq 1 ]; then
+                  pname=$(grep -E "^${ph}\t" "$TMPDIR_WORK/hash_map.txt" 2>/dev/null | cut -f2 | head -1 || true)
+                  if [ -n "$pname" ]; then
+                    cycle_str="${cycle_str} ${pname} ->"
+                  fi
+                fi
+              done < "$path_file"
+              cycle_str="${cycle_str} ${dst_name}"
+              printf '%s\n' "$cycle_str" > "$CYCLE_RESULT"
+              return
+            elif [ "$dst_color" = "0" ]; then
+              printf '%s\n' "$dst_hash" >> "$stack_file"
+              has_neighbor=1
+            fi
+          fi
+        done < "$ALL_DEPS"
+
+        if [ "$has_neighbor" -eq 0 ]; then
+          # Leaf node, mark BLACK
+          printf '2' > "$color_file"
+          sed -i '' '$d' "$stack_file" 2>/dev/null || sed -i '$d' "$stack_file"
+          sed -i '' '$d' "$path_file" 2>/dev/null || sed -i '$d' "$path_file"
+        fi
+      elif [ "$color" = "1" ]; then
+        # Returning from recursion, mark BLACK
+        printf '2' > "$color_file"
+        sed -i '' '$d' "$stack_file" 2>/dev/null || sed -i '$d' "$stack_file"
+        sed -i '' '$d' "$path_file" 2>/dev/null || sed -i '$d' "$path_file"
+      else
+        # Already BLACK, skip
+        sed -i '' '$d' "$stack_file" 2>/dev/null || sed -i '$d' "$stack_file"
+      fi
+    done
+  }
+
+  while IFS= read -r node || [ -n "$node" ]; do
+    [ -z "$node" ] && continue
+    node_hash=$(printf '%s' "$node" | md5sum 2>/dev/null | cut -d' ' -f1 || printf '%s' "$node" | md5 2>/dev/null || printf '%s' "$node" | tr '/' '_')
+    color_file="$COLOR_DIR/$node_hash"
+    [ ! -f "$color_file" ] && continue
+    color="$(cat "$color_file")"
+    if [ "$color" = "0" ]; then
+      dfs_visit "$node_hash"
+      if [ "$CYCLE_FOUND" -eq 1 ]; then
+        break
+      fi
+    fi
+  done < "$NODES_FILE"
+fi
+
+# ── Generate Report ──────────────────────────────────────
+
+# Collect all impacted files (planned + dependents + hooks-referenced scripts)
+ALL_IMPACTED="$TMPDIR_WORK/all_impacted.txt"
+cat "$PLANNED_FILES" > "$ALL_IMPACTED"
+if [ -s "$DIRECT_DEPENDENTS" ]; then
+  cat "$DIRECT_DEPENDENTS" >> "$ALL_IMPACTED"
+fi
+# hooks.json itself is impacted if any planned script is referenced
+if [ -s "$HOOKS_REFS" ]; then
+  printf 'hooks/hooks.json\n' >> "$ALL_IMPACTED"
+fi
+sort -u "$ALL_IMPACTED" > "$TMPDIR_WORK/all_impacted_unique.txt"
+mv "$TMPDIR_WORK/all_impacted_unique.txt" "$ALL_IMPACTED"
+
+TOTAL_RADIUS=$(wc -l < "$ALL_IMPACTED" | tr -d ' ')
+
+printf 'Impact Analysis:\n'
+printf '  Planned changes: %d files\n' "$PLANNED_COUNT"
+printf '  Direct dependents: %d files\n' "$DEPENDENT_COUNT"
+
+# High fan-out section
+HIGH_FANOUT_PRINTED=0
+if [ -s "$FAN_OUT" ]; then
+  while IFS=$'\t' read -r count file || [ -n "$count" ]; do
+    [ -z "$count" ] && continue
+    if [ "$count" -gt 5 ]; then
+      if [ "$HIGH_FANOUT_PRINTED" -eq 0 ]; then
+        printf '  High fan-out (>5 dependents):\n'
+        HIGH_FANOUT_PRINTED=1
+      fi
+      printf '    - %s (sourced by %d scripts)\n' "$file" "$count"
+    fi
+  done < <(sort -rn "$FAN_OUT")
+fi
+if [ "$HIGH_FANOUT_PRINTED" -eq 0 ]; then
+  printf '  High fan-out (>5 dependents): none\n'
+fi
+
+# Cross-references section
+if [ -s "$HOOKS_REFS" ]; then
+  refs_list=""
+  while IFS= read -r ref || [ -n "$ref" ]; do
+    if [ -z "$refs_list" ]; then
+      refs_list="$ref"
+    else
+      refs_list="$refs_list, $ref"
+    fi
+  done < "$HOOKS_REFS"
+  printf '  Cross-references:\n'
+  printf '    - hooks.json references: %s\n' "$refs_list"
+else
+  printf '  Cross-references: none\n'
+fi
+
+# Circular dependencies section
+if [ "$CYCLE_FOUND" -eq 1 ] && [ -s "$CYCLE_RESULT" ]; then
+  cycle_path=$(cat "$CYCLE_RESULT")
+  printf '  Circular dependencies: %s\n' "$cycle_path"
+else
+  printf '  Circular dependencies: none\n'
+fi
+
+printf '  Total blast radius: %d files\n' "$TOTAL_RADIUS"
+
+# Exit code: 1 if cycles found
+if [ "$CYCLE_FOUND" -eq 1 ]; then
+  exit 1
+fi
+
+exit 0

package/scripts/afc-config-change.sh

@@ -3,26 +3,28 @@ set -euo pipefail
 # ConfigChange Hook: Audit and block config changes while pipeline is active
 # policy_settings changes are logged only; other changes are blocked (exit 2)
 
+# shellcheck source=afc-state.sh
+. "$(dirname "$0")/afc-state.sh"
+
 # trap: Preserve exit code on abnormal termination + stderr message
 # shellcheck disable=SC2329
 cleanup() {
   local exit_code=$?
   if [ "$exit_code" -ne 0 ] && [ "$exit_code" -ne 2 ]; then
-    echo "AFC CONFIG: Abnormal exit (exit code: $exit_code)" >&2
+    echo "[afc:config] Abnormal exit (code: $exit_code)" >&2
   fi
   exit "$exit_code"
 }
 trap cleanup EXIT
 
 PROJECT_DIR="${CLAUDE_PROJECT_DIR:-$(pwd)}"
-PIPELINE_FLAG="${PROJECT_DIR}/.claude/.afc-active"
 AUDIT_LOG="${PROJECT_DIR}/.claude/.afc-config-audit.log"
 
 # Read hook data from stdin
 INPUT=$(cat)
 
 # Exit silently if pipeline is inactive
-if [ ! -f "$PIPELINE_FLAG" ]; then
+if ! afc_state_is_active; then
   exit 0
 fi
 
@@ -54,5 +56,5 @@ fi
 
 # Other changes: Write audit log + block
 printf '[%s] source=%s path=%s\n' "$TIMESTAMP" "$SOURCE" "$FILE_PATH" >> "$AUDIT_LOG"
-echo "AFC CONFIG: Config change detected while pipeline is active. source=${SOURCE} path=${FILE_PATH}" >&2
+echo "[afc:config] Config change detected while pipeline active. source=${SOURCE} path=${FILE_PATH}" >&2
 exit 2