axel-setup 0.2.0 → 0.3.0

package/CHANGELOG.md

@@ -9,21 +9,35 @@ Releases are grouped by date and logical scope. npm package releases use semver
 
 ## [Unreleased]
 
+<!-- Nothing pending. -->
+
+---
+
+## [0.3.0] 2026-06-13 security and hooks hardening
+
 ### Added
-- `axel-setup review-upgrades` for target-aware inspection of generated upgrade proposals before manual apply.
-- `core` install profile as the public safe default for reusable Claude Code setup.
-- Release automation now supports npm Trusted Publishing via GitHub Actions OIDC, with an `NPM_TOKEN` provenance fallback for first publish or migration windows.
-- `install.sh` curl wrapper for a macOS one-line install path that delegates to the packaged AXEL release.
-- Fixture-driven hook harness covering PreToolUse model routing, PostToolUse action logging, and Stop session persistence without a live Claude session.
-- `axel-setup metrics [--json]` report for context-budget, usage-monitor, and hook-harness impact signals generated from package assets and public fixtures only.
+- `SECURITY.md` with vulnerability scope, reporting channel (GitHub private security advisories), and response commitment.
+- `CODE_OF_CONDUCT.md` adopting Contributor Covenant v2.1.
+- `.github/dependabot.yml` for weekly GitHub Actions dependency updates.
+- `.editorconfig` with consistent LF, UTF-8, final newline, and 2-space indent across shell, JSON, YAML, JS, and Markdown files.
+- `.shellcheckrc` placeholder committing the project to ShellCheck defaults with a comment explaining the policy.
+- README badges (npm version, CI status, license, Node requirement) added just below the H1.
+- README Security section summarising install footprint, permission profile escalation, and vulnerability reporting.
 
 ### Changed
-- Default installs now use `--profile core`, keeping `personal` and `full` as explicit choices for fuller local automation.
-- Maintainer release notes now document npm verification commands and conservative rollback through fixed patch releases or `latest` dist-tag movement.
+- `install.sh`: default package pinned to `axel-setup@0.3.0` (overridable via `AXEL_SETUP_PACKAGE` env). Prevents unintended upgrades via `@latest` on a curl pipe.
+- `README.md`: `npx axel-setup@0.3.0` is now the primary recommended install path, above the curl wrapper. The curl URL now points to the release tag (`v0.3.0`) instead of `main`.
+- `README.md`: Maintainer Publish Checklist no longer contains a hardcoded personal path; uses `<repo-root>` placeholder.
+- `README.md`: Language/Customization section clarifies that the Spanish default applies only to the generated personal `CLAUDE.md` template, not to the CLI or documentation.
+- `package.json`: version bumped to `0.3.0`.
 
-### Fixed
-- Re-running the bootstrap with only `MEMORY.md` in the memory directory no longer exits early.
-- Portable targets now generate `axel-upgrades/REVIEW.md` and `MANIFEST.md` when local files differ from the package.
+---
+
+## [0.2.1] 2026-06-13 OIDC trusted publishing
+
+### Changed
+- Release workflow now publishes exclusively through npm Trusted Publishing (OIDC); removed the `NPM_TOKEN` fallback now that the package exists on the registry.
+- First release published with build provenance attestation generated from GitHub Actions.
 
 ---
 

package/README.md

@@ -1,5 +1,10 @@
 # AXEL Setup — Claude Code Power Configuration
 
+[![npm version](https://img.shields.io/npm/v/axel-setup.svg)](https://www.npmjs.com/package/axel-setup)
+[![CI](https://github.com/cveralyon/axel-setup/actions/workflows/ci.yml/badge.svg)](https://github.com/cveralyon/axel-setup/actions/workflows/ci.yml)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE)
+[![Node >=18](https://img.shields.io/node/v/axel-setup)](https://www.npmjs.com/package/axel-setup)
+
 **AXEL** = **A**utonomous e**X**celsior **E**ngineering **L**ayer
 
 A complete, production-grade configuration package for [Claude Code](https://docs.anthropic.com/en/docs/claude-code) that transforms it into a proactive engineering partner. Includes session persistence, automatic memory, proactive error resolution, a curated suite of specialized agents and slash commands, and a real-time usage monitor.
@@ -46,18 +51,18 @@ See [AXEL Multi-Runtime Roadmap](docs/roadmap/multi-runtime.md) for the adapter
 
 ## Quick Start
 
-The npm registry install is the primary path:
+The recommended install path is directly through npx:
 
 ```bash
-npx axel-setup --dry-run --user-name "Your Name"
+npx axel-setup@0.3.0 --dry-run --user-name "Your Name"
 ```
 
 By default AXEL uses `--profile core`, a public safe Claude Code install that keeps conservative permissions and skips optional side effects such as plugin installation, usage monitor launchd setup, keybindings, and the external GSD installer. Use `--profile personal` or `--profile full` when you explicitly want the fuller local automation setup.
 
-For a macOS one-line installer, use the curl wrapper. It checks for Claude Code, jq, zsh, and Node before delegating to the packaged npm release:
+Alternatively, for a macOS one-line installer, use the pinned curl wrapper. It checks for Claude Code, jq, zsh, and Node before delegating to the packaged npm release:
 
 ```bash
-curl -fsSL https://raw.githubusercontent.com/cveralyon/axel-setup/main/install.sh | bash -s -- --dry-run --user-name "Your Name"
+curl -fsSL https://raw.githubusercontent.com/cveralyon/axel-setup/v0.3.0/install.sh | bash -s -- --dry-run --user-name "Your Name"
 ```
 
 Before the first npm publish, use the same wrapper against the GitHub package source:
@@ -85,7 +90,7 @@ bash bootstrap.sh --user-name "Your Name"
 Run publish commands from the repository root, where `package.json` lives:
 
 ```bash
-cd /Users/cveralyon/axel-onboarding
+cd <repo-root>
 npm whoami
 npm run check
 npm run publish:dry-run
@@ -95,7 +100,7 @@ npm publish --access public
 From another directory, pass the package path explicitly:
 
 ```bash
-npm publish /Users/cveralyon/axel-onboarding --access public
+npm publish <repo-root> --access public
 ```
 
 ### Maintainer Release Automation
@@ -438,7 +443,7 @@ Edit `~/.claude/settings.json` and add entries to the relevant event:
 
 ### Language
 
-Default is Spanish. Change `"language"` in `settings.json` to your preferred language.
+The default language in the generated `CLAUDE.md` personal template is Spanish. This applies only to the template file written during install — the CLI itself, the documentation, and all hook/agent code are in English. Change `"language"` in `settings.json` to your preferred language for hook output (session summaries, memory extraction, etc.).
 
 ### Team CLAUDE.md
 
@@ -450,6 +455,14 @@ The template at `~/CLAUDE.md` (created only if you don't have one) includes:
 
 Customize it with your team's specific repos, conventions, and rules.
 
+## Security
+
+AXEL writes exclusively to `~/.claude` (hooks, agents, commands, skills, settings). All installs are additive: existing files are never silently overwritten, a backup is proposed before any replacement, and `settings.json` is deep-merged rather than replaced.
+
+**Permission profiles:** the default `--profile core` uses `acceptEdits` mode, which requires explicit confirmation before file edits. The `--profile personal` and `--profile full` profiles elevate to `bypassPermissions`, granting the agent broad autonomy. Only use those profiles when you understand and accept the expanded trust boundary.
+
+**Reporting vulnerabilities:** please use [GitHub private security advisories](https://github.com/cveralyon/axel-setup/security/advisories/new) to report security issues. See [`SECURITY.md`](./SECURITY.md) for scope, response commitment, and contact details.
+
 ## Contributing
 
 Contributions are welcome when they improve AXEL as reusable developer tooling. Start with [`CONTRIBUTING.md`](./CONTRIBUTING.md), open a focused issue when the scope is unclear, and keep private company context out of public examples.

package/axel-manifest.json

@@ -2,7 +2,7 @@
   "schemaVersion": 1,
   "package": {
     "name": "axel-setup",
-    "version": "0.2.0"
+    "version": "0.3.0"
   },
   "defaultTarget": "claude",
   "targets": {
@@ -123,7 +123,7 @@
       "id": "gsd",
       "name": "get-shit-done-cc",
       "managedExternally": true,
-      "installCommand": "npx -y get-shit-done-cc@latest"
+      "installCommand": "npx -y get-shit-done-cc@1.42.3"
     }
   ]
 }

package/bin/axel-setup.js

@@ -50,7 +50,7 @@ function parseRuntimeArgs(argv, command) {
     const arg = argv[index];
     if (arg === "--home") {
       requireValue(argv, index, arg);
-      home = argv[index + 1];
+      home = path.resolve(argv[index + 1]);
       index += 1;
     } else if (arg === "--target") {
       requireValue(argv, index, arg);
@@ -58,11 +58,11 @@ function parseRuntimeArgs(argv, command) {
       index += 1;
     } else if (arg === "--codex-home") {
       requireValue(argv, index, arg);
-      codexHome = argv[index + 1];
+      codexHome = path.resolve(argv[index + 1]);
       index += 1;
     } else if (arg === "--output") {
       requireValue(argv, index, arg);
-      output = argv[index + 1];
+      output = path.resolve(argv[index + 1]);
       index += 1;
     } else if (arg === "--apply" && command === "uninstall") {
       apply = true;
@@ -511,8 +511,55 @@ function pruneEmptyParents(startDir, stopDir) {
   }
 }
 
+const DANGEROUS_ROOTS = new Set(["/", "/etc", "/usr", "/bin", "/sbin", "/var", "/tmp"]);
+
+function assertSafeInstallRoot(installRoot, apply) {
+  if (!apply) {
+    return;
+  }
+
+  // Block exact dangerous roots
+  if (DANGEROUS_ROOTS.has(installRoot)) {
+    console.error(`Refusing to uninstall from dangerous root: ${installRoot}`);
+    process.exit(1);
+  }
+
+  // Block exact home directory (subdir is fine: ~/.claude is allowed)
+  if (installRoot === os.homedir()) {
+    console.error(`Refusing to uninstall from home directory directly: ${installRoot}`);
+    process.exit(1);
+  }
+}
+
+function assertManifestValid(manifestPath, installRoot, apply) {
+  if (!apply) {
+    return;
+  }
+
+  if (!fs.existsSync(manifestPath)) {
+    console.error(`Refusing to uninstall: no axel-manifest.json found at ${manifestPath}`);
+    console.error(`This directory does not appear to be an AXEL install root.`);
+    process.exit(1);
+  }
+
+  try {
+    const manifest = readJson(manifestPath);
+    if (!manifest || typeof manifest !== "object" || !manifest.package || !manifest.package.name) {
+      throw new Error("Manifest missing required package.name field");
+    }
+  } catch (err) {
+    console.error(`Refusing to uninstall: axel-manifest.json at ${manifestPath} is invalid: ${err.message}`);
+    process.exit(1);
+  }
+}
+
 function runUninstall(argv) {
   const { apply, installRoot, manifestPath, target } = resolveRuntime(argv, "uninstall");
+
+  // Hard guards before any destructive operation
+  assertSafeInstallRoot(installRoot, apply);
+  assertManifestValid(manifestPath, installRoot, apply);
+
   const manifest = readInstalledManifest(manifestPath, target);
 
   if (!manifest) {

package/bootstrap.sh

@@ -249,31 +249,53 @@ run() {
   fi
 }
 
+# Escape a value for safe interpolation into the replacement side of a sed
+# `s|...|...|` command. The base template ships safe-by-default; the only place
+# permissions are elevated is settings_for_profile() below, explicitly and
+# visibly. User-supplied values, however, can contain sed metacharacters
+# (`\`, `|`, `&`) that would corrupt the substitution — escape them here.
+sed_escape() {
+  # Order matters: escape backslashes first, then the delimiter and `&`.
+  printf '%s' "$1" | sed -e 's/[\\]/\\\\/g' -e 's/|/\\|/g' -e 's/&/\\&/g'
+}
+
 settings_for_profile() {
   local src="$1"
   local dest="$2"
 
-  if [ "$PROFILE" = "personal" ] || [ "$PROFILE" = "full" ]; then
+  # The base template (templates/settings.json) is SAFE BY DEFAULT:
+  # defaultMode "acceptEdits", no "Bash(*)" in allow, and
+  # skipDangerousModePermissionPrompt false. Most profiles ship it verbatim.
+  if [ "$PROFILE" != "personal" ] && [ "$PROFILE" != "full" ]; then
     cp "$src" "$dest"
     return
   fi
 
+  # personal/full ELEVATE permissions explicitly and visibly: full autonomy
+  # bypass mode, Bash(*) allowance, and the dangerous-mode prompt suppressed.
+  # This keeps the distributed file safe while preserving per-profile behavior.
   jq '
-    .permissions.defaultMode = "acceptEdits" |
-    .permissions.allow = ((.permissions.allow // []) | map(select(. != "Bash(*)"))) |
-    .skipDangerousModePermissionPrompt = false
+    .permissions.defaultMode = "bypassPermissions" |
+    .permissions.allow = ((.permissions.allow // []) + (if ((.permissions.allow // []) | index("Bash(*)")) then [] else ["Bash(*)"] end)) |
+    .skipDangerousModePermissionPrompt = true
   ' "$src" > "$dest"
 }
 
 write_processed_skill() {
   local src="$1"
   local dest="$2"
+  local posthog_context assistant_language user_name user_context
+
+  posthog_context=$(sed_escape "$POSTHOG_PROJECT_CONTEXT")
+  assistant_language=$(sed_escape "$ASSISTANT_LANGUAGE")
+  user_name=$(sed_escape "$USER_NAME")
+  user_context=$(sed_escape "$USER_CONTEXT")
 
   sed \
-    -e "s|{{POSTHOG_PROJECT_CONTEXT}}|$POSTHOG_PROJECT_CONTEXT|g" \
-    -e "s|{{ASSISTANT_LANGUAGE}}|$ASSISTANT_LANGUAGE|g" \
-    -e "s|{{USER_NAME}}|$USER_NAME|g" \
-    -e "s|{{USER_CONTEXT}}|$USER_CONTEXT|g" \
+    -e "s|{{POSTHOG_PROJECT_CONTEXT}}|$posthog_context|g" \
+    -e "s|{{ASSISTANT_LANGUAGE}}|$assistant_language|g" \
+    -e "s|{{USER_NAME}}|$user_name|g" \
+    -e "s|{{USER_CONTEXT}}|$user_context|g" \
     "$src" > "$dest"
 }
 
@@ -343,7 +365,11 @@ add_or_upgrade() {
         cp "$src" "$UPGRADES_DIR/$upgrade_subdir/$(basename "$dest")"
       fi
       upgrade "$label"
-      eval "$upgraded_var=\$((\$$upgraded_var + 1))"
+      # Increment the named counter without eval. printf -v writes to the
+      # variable named in $upgraded_var; ${!upgraded_var} reads its value.
+      # This stays portable to Bash 3.2 (macOS default), where `local -n`
+      # namerefs are unavailable.
+      printf -v "$upgraded_var" '%s' "$(( ${!upgraded_var} + 1 ))"
     fi
     # Same content — nothing to do
   else
@@ -352,7 +378,7 @@ add_or_upgrade() {
     else
       cp "$src" "$dest"
     fi
-    eval "$added_var=\$((\$$added_var + 1))"
+    printf -v "$added_var" '%s' "$(( ${!added_var} + 1 ))"
   fi
 }
 
@@ -630,11 +656,15 @@ for hook_file in "$SCRIPT_DIR/hooks/"*; do
 
   # Hooks need placeholder substitution, so we use a temp file for comparison.
   # Keep the sed list in sync with any new {{PLACEHOLDER}} added to hook files.
+  # User values are escaped so sed metacharacters (\ | &) can't corrupt the sub.
   PROCESSED=$(mktemp)
+  HOOK_USER_NAME=$(sed_escape "$USER_NAME")
+  HOOK_USER_CONTEXT=$(sed_escape "$USER_CONTEXT")
+  HOOK_ASSISTANT_LANGUAGE=$(sed_escape "$ASSISTANT_LANGUAGE")
   sed \
-    -e "s|{{USER_NAME}}|$USER_NAME|g" \
-    -e "s|{{USER_CONTEXT}}|$USER_CONTEXT|g" \
-    -e "s|{{ASSISTANT_LANGUAGE}}|$ASSISTANT_LANGUAGE|g" \
+    -e "s|{{USER_NAME}}|$HOOK_USER_NAME|g" \
+    -e "s|{{USER_CONTEXT}}|$HOOK_USER_CONTEXT|g" \
+    -e "s|{{ASSISTANT_LANGUAGE}}|$HOOK_ASSISTANT_LANGUAGE|g" \
     "$hook_file" > "$PROCESSED"
 
   if [ -f "$DEST" ]; then
@@ -915,9 +945,12 @@ if ! $SKIP_MONITOR && [[ "$OSTYPE" == "darwin"* ]]; then
       info "launchd agent skipped by --no-launchd or profile"
     elif ! $DRY_RUN; then
       mkdir -p "$(dirname "$PLIST_DEST")"
-      sed -e "s|{{USERNAME}}|${USERNAME:-$(whoami)}|g" \
-          -e "s|{{HOME}}|$HOME|g" \
-          -e "s|{{NODE_PATH}}|$NODE_BIN|g" \
+      PLIST_USERNAME=$(sed_escape "${USERNAME:-$(whoami)}")
+      PLIST_HOME=$(sed_escape "$HOME")
+      PLIST_NODE_BIN=$(sed_escape "$NODE_BIN")
+      sed -e "s|{{USERNAME}}|$PLIST_USERNAME|g" \
+          -e "s|{{HOME}}|$PLIST_HOME|g" \
+          -e "s|{{NODE_PATH}}|$PLIST_NODE_BIN|g" \
           "$PLIST_SRC" > "$PLIST_DEST"
       launchctl load "$PLIST_DEST" 2>/dev/null && \
         log "  Usage monitor started at http://localhost:9119" || \

package/hooks/gsd-context-monitor.js

@@ -12,10 +12,10 @@
 //    as additionalContext, which the agent sees in its conversation
 //
 // Thresholds:
-//   WARNING  (remaining <= 35%): Agent should wrap up current task
-//   CRITICAL (remaining <= 25%): Agent should stop immediately and save state
+//   WARNING  (remaining <= 15%): Agent should wrap up current task
+//   CRITICAL (remaining <=  8%): Agent should stop immediately and save state
 //
-// Debounce: 5 tool uses between warnings to avoid spam
+// Debounce: 10 tool uses between warnings to avoid spam
 // Severity escalation bypasses debounce (WARNING -> CRITICAL fires immediately)
 
 const fs = require('fs');

package/hooks/linear-lifecycle-sync.sh

@@ -27,35 +27,41 @@ case "$TICKET_PATTERN" in "{{"*"}}"|"") TICKET_PATTERN="[A-Z]+-[0-9]+" ;; esac
 LINEAR_TEAM="{{LINEAR_TEAM}}"
 case "$LINEAR_TEAM" in "{{"*"}}"|"") LINEAR_TEAM="your team" ;; esac
 
+# Name of the Linear state for "PR opened, awaiting review". Some teams call it
+# "In Review", others "PR In Review". Bootstrap substitutes the placeholder; the
+# case fallback keeps the script working when run without bootstrap.
+PR_REVIEW_STATE="{{PR_REVIEW_STATE}}"
+case "$PR_REVIEW_STATE" in "{{"*"}}"|"") PR_REVIEW_STATE="In Review" ;; esac
+
 # Guard against recursive invocation (this script spawns claude -p)
 if [ -n "$CLAUDE_LINEAR_SYNC" ]; then exit 0; fi
 
 INPUT=$(cat)
-COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
-CWD=$(echo "$INPUT" | jq -r '.cwd // empty' 2>/dev/null)
+COMMAND=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CWD=$(printf '%s' "$INPUT" | jq -r '.cwd // empty' 2>/dev/null)
 
 # Only run in configured repos (skip if filter is empty — runs everywhere)
-if [ -n "$REPO_PATH_FILTER" ] && ! echo "$CWD" | grep -qE "$REPO_PATH_FILTER"; then exit 0; fi
+if [ -n "$REPO_PATH_FILTER" ] && ! printf '%s' "$CWD" | grep -qE "$REPO_PATH_FILTER"; then exit 0; fi
 
 # --- Detect action type ---
 ACTION=""
 TICKETS=""
 
-if echo "$COMMAND" | grep -qE '(^|[[:space:]&;|(])git[[:space:]]+commit([[:space:]]|$)'; then
+if printf '%s' "$COMMAND" | grep -qE '(^|[[:space:]&;|(])git[[:space:]]+commit([[:space:]]|$)'; then
   ACTION="in_progress"
-  TICKETS=$(echo "$COMMAND" | grep -oE "$TICKET_PATTERN" | sort -u | tr '\n' ' ' | sed 's/ $//')
+  TICKETS=$(printf '%s' "$COMMAND" | grep -oE "$TICKET_PATTERN" | sort -u | tr '\n' ' ' | sed 's/ $//')
 
-elif echo "$COMMAND" | grep -qE '(^|[[:space:]&;|(])gh[[:space:]]+pr[[:space:]]+create'; then
+elif printf '%s' "$COMMAND" | grep -qE '(^|[[:space:]&;|(])gh[[:space:]]+pr[[:space:]]+create'; then
   ACTION="in_review"
-  TICKETS=$(echo "$COMMAND" | grep -oE "$TICKET_PATTERN" | sort -u | tr '\n' ' ' | sed 's/ $//')
+  TICKETS=$(printf '%s' "$COMMAND" | grep -oE "$TICKET_PATTERN" | sort -u | tr '\n' ' ' | sed 's/ $//')
   if [ -z "$TICKETS" ]; then
     TICKETS=$(git -C "$CWD" log --not --remotes --pretty=format:"%s %b" 2>/dev/null \
       | grep -oE "$TICKET_PATTERN" | sort -u | tr '\n' ' ' | sed 's/ $//')
   fi
 
-elif echo "$COMMAND" | grep -qE '(^|[[:space:]&;|(])gh[[:space:]]+pr[[:space:]]+merge'; then
+elif printf '%s' "$COMMAND" | grep -qE '(^|[[:space:]&;|(])gh[[:space:]]+pr[[:space:]]+merge'; then
   ACTION="done"
-  TICKETS=$(echo "$COMMAND" | grep -oE "$TICKET_PATTERN" | sort -u | tr '\n' ' ' | sed 's/ $//')
+  TICKETS=$(printf '%s' "$COMMAND" | grep -oE "$TICKET_PATTERN" | sort -u | tr '\n' ' ' | sed 's/ $//')
   if [ -z "$TICKETS" ]; then
     TICKETS=$(git -C "$CWD" log --not --remotes --pretty=format:"%s %b" 2>/dev/null \
       | grep -oE "$TICKET_PATTERN" | sort -u | tr '\n' ' ' | sed 's/ $//')
@@ -77,7 +83,7 @@ touch "$RATE_FILE"
 # --- Determine target state label ---
 case "$ACTION" in
   in_progress) TARGET="In Progress" ;;
-  in_review)   TARGET="In Review" ;;
+  in_review)   TARGET="$PR_REVIEW_STATE" ;;
   done)        TARGET="Done" ;;
   *) exit 0 ;;
 esac
@@ -92,8 +98,8 @@ Instructions:
 1. Call list_issue_statuses to find the state ID for '$TARGET' in the $LINEAR_TEAM team.
 2. For each ticket, call get_issue to check its current state name.
 3. Skip rules:
-   - If target is 'In Progress' and current state is already In Progress, In Review, or Done → skip.
-   - If target is 'In Review' and current state is already In Review or Done → skip.
+   - If target is 'In Progress' and current state is already In Progress, $PR_REVIEW_STATE, or Done → skip.
+   - If target is '$PR_REVIEW_STATE' and current state is already $PR_REVIEW_STATE or Done → skip.
    - If target is 'Done' and current state is already Done → skip.
 4. For tickets that need updating, call save_issue with the new stateId.
 5. Output format (one line per ticket):
@@ -103,7 +109,7 @@ Instructions:
 HOOK_TMP=$(mktemp -d 2>/dev/null)
 REAL_TMP=$(cd "$HOOK_TMP" 2>/dev/null && pwd -P)
 RESULT=$(cd "$HOOK_TMP" 2>/dev/null && printf '%s' "$PROMPT" | CLAUDE_LINEAR_SYNC=1 claude -p --model haiku 2>/dev/null)
-GHOST_SLUG=$(echo "$REAL_TMP" | sed 's|[^a-zA-Z0-9]|-|g')
+GHOST_SLUG=$(printf '%s' "$REAL_TMP" | sed 's|[^a-zA-Z0-9]|-|g')
 rm -rf "$HOOK_TMP" "$HOME/.claude/projects/${GHOST_SLUG}" 2>/dev/null
 
 mkdir -p "$HOME/.claude/logs"

package/hooks/post-commit-verify.sh

@@ -1,17 +1,23 @@
-#!/bin/zsh
-# PostToolUse hook: After a git commit, outputs a reminder for AXEL to
+#!/bin/bash
+# PostToolUse hook (Bash): after a git commit, outputs a reminder for AXEL to
 # launch excelsior-verifier on the committed files.
 # This is a lightweight trigger — the actual verification runs as a subagent.
+#
+# Contract: the hook payload arrives as JSON on stdin. PostToolUse does NOT
+# include an exit code, so commit success is inferred from the tool output
+# (absence of common git failure signals).
+
+INPUT=$(cat)
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+OUT=$(printf '%s' "$INPUT" | jq -r '.tool_response.text // .tool_response // empty' 2>/dev/null)
 
 # Only trigger on Bash tool calls that contain 'git commit'
-TOOL_INPUT="${TOOL_INPUT:-}"
-if [[ "$TOOL_INPUT" != *"git commit"* ]]; then
+if [[ "$CMD" != *"git commit"* ]]; then
   exit 0
 fi
 
-# Check if the commit actually succeeded (exit code 0 from the tool)
-TOOL_IS_ERROR="${TOOL_RESULT_IS_ERROR:-0}"
-if [[ "$TOOL_IS_ERROR" == "1" ]] || [[ "$TOOL_IS_ERROR" == "true" ]]; then
+# Infer failure from the tool output: if git refused the commit, bail out.
+if printf '%s' "$OUT" | grep -qiE "nothing to commit|no changes added|error:|fatal:|hook declined|rejected"; then
   exit 0
 fi
 
@@ -21,7 +27,7 @@ if [ -z "$CHANGED_FILES" ]; then
   exit 0
 fi
 
-FILE_COUNT=$(echo "$CHANGED_FILES" | wc -l | tr -d ' ')
+FILE_COUNT=$(printf '%s' "$CHANGED_FILES" | wc -l | tr -d ' ')
 COMMIT_MSG=$(git log --oneline -1 2>/dev/null)
 
 # Only trigger for non-trivial commits (2+ files or test/feature commits)
@@ -32,7 +38,7 @@ fi
 # Output advisory to AXEL to launch verifier
 cat << EOF
 Post-commit verification advisory: Commit "$COMMIT_MSG" modified $FILE_COUNT files:
-$(echo "$CHANGED_FILES" | sed 's/^/  - /')
+$(printf '%s' "$CHANGED_FILES" | sed 's/^/  - /')
 
 Consider launching excelsior-verifier as a background agent to verify this commit.
 Command: Agent({ subagent_type: "excelsior-verifier", run_in_background: true, prompt: "Verify commit: $COMMIT_MSG. Files: $CHANGED_FILES" })

package/hooks/post-edit-lint.sh

@@ -1,15 +1,9 @@
 #!/bin/zsh
-# PostToolUse hook: Auto-lint/fix files after Edit or Write.
-# Uses HOOK_TOOL_INPUT (JSON stdin) for richer context when available,
-# falls back to TOOL_INPUT_FILE_PATH env var.
+# PostToolUse hook (Edit|Write): auto-lint/fix files after Edit or Write.
+# Reads the hook payload as JSON from stdin and extracts .tool_input.file_path.
 
-# Try to extract file path from JSON stdin first, then env var
-FILE=""
-if [ -n "$TOOL_INPUT_FILE_PATH" ]; then
-  FILE="$TOOL_INPUT_FILE_PATH"
-elif [ -n "$HOOK_TOOL_INPUT" ]; then
-  FILE=$(echo "$HOOK_TOOL_INPUT" | python3 -c "import sys,json; print(json.loads(sys.stdin.read()).get('file_path',''))" 2>/dev/null)
-fi
+INPUT=$(cat)
+FILE=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 
 if [ -z "$FILE" ] || [ ! -f "$FILE" ]; then
   exit 0

package/hooks/proactive-resolver.sh

@@ -3,19 +3,30 @@
 # Philosophy: ANY failure that can be auto-resolved SHOULD be auto-resolved.
 # This hook handles the fast, known patterns. For everything else,
 # the CLAUDE.md Excelsior principle tells the model to investigate and resolve.
-
-TOOL_OUTPUT="${TOOL_OUTPUT:-}"
-EXIT_CODE="${TOOL_EXIT_CODE:-0}"
-
-# Only act on failures
-[ "$EXIT_CODE" = "0" ] && exit 0
+#
+# Contract: the hook payload arrives as JSON on stdin. PostToolUse does NOT
+# include an exit code, so instead of gating on a status code we act whenever
+# the tool output text contains a known error signal.
+
+INPUT=$(cat)
+TOOL_OUTPUT=$(printf '%s' "$INPUT" | jq -r '.tool_response.text // .tool_response // empty' 2>/dev/null)
+
+# Nothing to inspect → nothing to do.
+[ -z "$TOOL_OUTPUT" ] && exit 0
+
+# Cheap early-out: only proceed if the output looks like it contains an error.
+# This keeps the hook a no-op on successful commands without relying on an
+# exit code (which the PostToolUse contract does not provide).
+if ! printf '%s' "$TOOL_OUTPUT" | grep -qiE "error|refused|not connect|cannot connect|cannot find|no module|not found|does not exist|already in use|pending|failed|denied"; then
+  exit 0
+fi
 
 RESOLVED=""
 
 # === SERVICE DETECTION & AUTO-START ===
 
 # Docker (any Docker-related error)
-if echo "$TOOL_OUTPUT" | grep -qiE "docker daemon|Cannot connect to the Docker|docker\.sock|Is the docker daemon running|docker:.*command not found"; then
+if printf '%s' "$TOOL_OUTPUT" | grep -qiE "docker daemon|Cannot connect to the Docker|docker\.sock|Is the docker daemon running|docker:.*command not found"; then
   if [ "$(uname)" = "Darwin" ] && ! docker info >/dev/null 2>&1; then
     open -a "Docker" 2>/dev/null
     for i in $(seq 1 15); do docker info >/dev/null 2>&1 && break; sleep 1; done
@@ -28,7 +39,7 @@ if echo "$TOOL_OUTPUT" | grep -qiE "docker daemon|Cannot connect to the Docker|d
 fi
 
 # PostgreSQL (any PG connection error)
-if echo "$TOOL_OUTPUT" | grep -qiE "PG::|postgresql.*refused|could not connect.*5432\|could not connect.*5433\|connection to server.*failed.*postgres"; then
+if printf '%s' "$TOOL_OUTPUT" | grep -qiE "PG::|postgresql.*refused|could not connect.*5432|could not connect.*5433|connection to server.*failed.*postgres"; then
   if [ "$(uname)" = "Darwin" ]; then
     brew services start postgresql@16 2>/dev/null || brew services start postgresql 2>/dev/null
     STOPPED_PG=$(docker ps -a --filter "ancestor=postgres" --filter "status=exited" --format "{{.Names}}" 2>/dev/null | head -1)
@@ -38,19 +49,19 @@ if echo "$TOOL_OUTPUT" | grep -qiE "PG::|postgresql.*refused|could not connect.*
 fi
 
 # Redis
-if echo "$TOOL_OUTPUT" | grep -qiE "Redis.*refused|ECONNREFUSED.*6379|Redis::CannotConnectError|redis.*not connect"; then
+if printf '%s' "$TOOL_OUTPUT" | grep -qiE "Redis.*refused|ECONNREFUSED.*6379|Redis::CannotConnectError|redis.*not connect"; then
   brew services start redis 2>/dev/null && RESOLVED="Redis started via Homebrew."
 fi
 
 # MySQL
-if echo "$TOOL_OUTPUT" | grep -qiE "mysql.*refused|ECONNREFUSED.*3306|Access denied for user.*mysql"; then
+if printf '%s' "$TOOL_OUTPUT" | grep -qiE "mysql.*refused|ECONNREFUSED.*3306|Access denied for user.*mysql"; then
   brew services start mysql 2>/dev/null && RESOLVED="MySQL started via Homebrew."
 fi
 
 # === DEPENDENCY RESOLUTION ===
 
 # Node modules missing
-if echo "$TOOL_OUTPUT" | grep -qiE "Cannot find module|MODULE_NOT_FOUND|ERR_MODULE_NOT_FOUND" && [ -f "package.json" ]; then
+if printf '%s' "$TOOL_OUTPUT" | grep -qiE "Cannot find module|MODULE_NOT_FOUND|ERR_MODULE_NOT_FOUND" && [ -f "package.json" ]; then
   if [ -f "pnpm-lock.yaml" ]; then
     RESOLVED="HINT: Run 'pnpm install' — missing node_modules detected."
   elif [ -f "yarn.lock" ]; then
@@ -61,12 +72,12 @@ if echo "$TOOL_OUTPUT" | grep -qiE "Cannot find module|MODULE_NOT_FOUND|ERR_MODU
 fi
 
 # Ruby gems missing
-if echo "$TOOL_OUTPUT" | grep -qiE "Could not find gem|Bundler::GemNotFound|bundle install|Gem::MissingSpecError"; then
+if printf '%s' "$TOOL_OUTPUT" | grep -qiE "Could not find gem|Bundler::GemNotFound|bundle install|Gem::MissingSpecError"; then
   RESOLVED="HINT: Run 'bundle install' — missing gems detected."
 fi
 
 # Python deps missing
-if echo "$TOOL_OUTPUT" | grep -qiE "ModuleNotFoundError|No module named|ImportError.*No module"; then
+if printf '%s' "$TOOL_OUTPUT" | grep -qiE "ModuleNotFoundError|No module named|ImportError.*No module"; then
   if [ -f "requirements.txt" ]; then
     RESOLVED="HINT: Run 'pip install -r requirements.txt' — missing Python module."
   elif [ -f "pyproject.toml" ]; then
@@ -77,21 +88,21 @@ fi
 # === ENVIRONMENT ISSUES ===
 
 # Port in use — identify the blocker
-if echo "$TOOL_OUTPUT" | grep -qiE "EADDRINUSE|Address already in use|port.*already.*use|bind.*address already"; then
-  PORT=$(echo "$TOOL_OUTPUT" | grep -oE "[0-9]{4,5}" | head -1)
+if printf '%s' "$TOOL_OUTPUT" | grep -qiE "EADDRINUSE|Address already in use|port.*already.*use|bind.*address already"; then
+  PORT=$(printf '%s' "$TOOL_OUTPUT" | grep -oE "[0-9]{4,5}" | head -1)
   [ -n "$PORT" ] && PID=$(lsof -ti ":$PORT" 2>/dev/null | head -1)
   [ -n "$PID" ] && PROC=$(ps -p "$PID" -o comm= 2>/dev/null)
   [ -n "$PROC" ] && RESOLVED="HINT: Port $PORT blocked by $PROC (PID $PID). Kill with: kill $PID"
 fi
 
 # Database not created
-if echo "$TOOL_OUTPUT" | grep -qiE "database.*does not exist|Unknown database|FATAL.*database.*not exist"; then
-  DB=$(echo "$TOOL_OUTPUT" | grep -oE '"[^"]*"' | head -1 | tr -d '"')
+if printf '%s' "$TOOL_OUTPUT" | grep -qiE "database.*does not exist|Unknown database|FATAL.*database.*not exist"; then
+  DB=$(printf '%s' "$TOOL_OUTPUT" | grep -oE '"[^"]*"' | head -1 | tr -d '"')
   RESOLVED="HINT: Database '$DB' doesn't exist. Create it: rails db:create or createdb $DB"
 fi
 
 # Migrations pending
-if echo "$TOOL_OUTPUT" | grep -qiE "Migrations are pending|pending migration|migrate.*first"; then
+if printf '%s' "$TOOL_OUTPUT" | grep -qiE "Migrations are pending|pending migration|migrate.*first"; then
   RESOLVED="HINT: Pending migrations. Run: rails db:migrate RAILS_ENV=test"
 fi
 

package/hooks/session-log-action.sh

@@ -1,29 +1,32 @@
 #!/bin/bash
-# Log significant tool actions during session for context persistence
-# Captures: file edits, bash commands, agent launches — the "what was done"
+# PostToolUse hook: log significant tool actions during the session for context
+# persistence. Captures file edits, bash commands, and agent launches — the
+# "what was done". Reads the hook payload as JSON from stdin.
+
+INPUT=$(cat)
 
 PROJECT_NAME=$(basename "$(pwd)")
 SESSION_LOG="/tmp/claude-session-log-${PROJECT_NAME}.md"
 TIMESTAMP=$(date +%H:%M)
 
-TOOL_NAME_VAR="${TOOL_NAME:-unknown}"
+TOOL_NAME_VAR=$(printf '%s' "$INPUT" | jq -r '.tool_name // "unknown"' 2>/dev/null)
 
 # Parse tool input for meaningful context
 case "$TOOL_NAME_VAR" in
   Edit|Write)
-    FILE_PATH=$(echo "$TOOL_INPUT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('file_path',''))" 2>/dev/null)
+    FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
     if [ -n "$FILE_PATH" ]; then
       echo "- [$TIMESTAMP] **$TOOL_NAME_VAR**: \`$(basename "$FILE_PATH")\`" >> "$SESSION_LOG"
     fi
     ;;
   Bash)
-    CMD=$(echo "$TOOL_INPUT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('command','')[:120])" 2>/dev/null)
+    CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null | head -c 120)
     if [ -n "$CMD" ]; then
       echo "- [$TIMESTAMP] **Bash**: \`$CMD\`" >> "$SESSION_LOG"
     fi
     ;;
   Agent)
-    DESC=$(echo "$TOOL_INPUT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('description',''))" 2>/dev/null)
+    DESC=$(printf '%s' "$INPUT" | jq -r '.tool_input.description // empty' 2>/dev/null)
     if [ -n "$DESC" ]; then
       echo "- [$TIMESTAMP] **Agent**: $DESC" >> "$SESSION_LOG"
     fi

package/hooks/session-log-prompt.sh

@@ -1,23 +1,20 @@
 #!/bin/bash
-# Log each user prompt during the session for context persistence
-# Appends to a temp file that session-save.sh reads at the end
+# UserPromptSubmit hook: log each user prompt during the session for context
+# persistence. Appends to a temp file that session-save.sh reads at the end.
+# Reads the hook payload as JSON from stdin and extracts .prompt.
+
+INPUT=$(cat)
 
 PROJECT_NAME=$(basename "$(pwd)")
 SESSION_LOG="/tmp/claude-session-log-${PROJECT_NAME}.md"
 
-# Read user prompt from stdin (Claude Code passes it as JSON via $PROMPT)
-USER_TEXT="$PROMPT"
-
-if [ -z "$USER_TEXT" ]; then
-  # Try reading from hook input
-  USER_TEXT=$(echo "$TOOL_INPUT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('prompt',''))" 2>/dev/null)
-fi
+USER_TEXT=$(printf '%s' "$INPUT" | jq -r '.prompt // empty' 2>/dev/null)
 
 if [ -n "$USER_TEXT" ]; then
   TIMESTAMP=$(date +%H:%M)
-  # Truncate long prompts to keep log manageable
-  TRUNCATED=$(echo "$USER_TEXT" | head -c 500)
-  echo "### [$TIMESTAMP] Usuario" >> "$SESSION_LOG"
+  # Truncate long prompts to keep the log manageable
+  TRUNCATED=$(printf '%s' "$USER_TEXT" | head -c 500)
+  echo "### [$TIMESTAMP] User" >> "$SESSION_LOG"
   echo "$TRUNCATED" >> "$SESSION_LOG"
   echo "" >> "$SESSION_LOG"
 fi

package/hooks/session-restore.sh

@@ -13,7 +13,7 @@ if [ -z "$SESSIONS" ]; then
   exit 0
 fi
 
-LATEST=$(echo "$SESSIONS" | head -1)
+LATEST=$(printf '%s' "$SESSIONS" | head -1)
 SESSION_DATE=$(grep "^date:" "$LATEST" 2>/dev/null | cut -d' ' -f2)
 SESSION_TIME=$(grep "^time:" "$LATEST" 2>/dev/null | cut -d' ' -f2)
 
@@ -27,14 +27,19 @@ sed -n '/^---$/,/^---$/!p' "$LATEST" | head -80
 echo ""
 
 # Show previous sessions as one-liners
-OTHERS=$(echo "$SESSIONS" | tail -n +2)
+OTHERS=$(printf '%s' "$SESSIONS" | tail -n +2)
 if [ -n "$OTHERS" ]; then
   echo "### Sesiones anteriores:"
   for f in $OTHERS; do
     DATE=$(grep "^date:" "$f" 2>/dev/null | cut -d' ' -f2)
     TIME=$(grep "^time:" "$f" 2>/dev/null | cut -d' ' -f2)
-    # Extract first user prompt as summary
-    SUMMARY=$(grep -A1 "Usuario" "$f" 2>/dev/null | grep -v "Usuario" | grep -v "^--$" | head -1 | head -c 100)
+    # Language-agnostic summary: take the body after the frontmatter, drop the
+    # leading H1 title and any markdown headings/blank lines, then keep the
+    # first real content line. Works regardless of the summary language.
+    SUMMARY=$(sed -n '/^---$/,/^---$/!p' "$f" 2>/dev/null \
+      | grep -vE '^[[:space:]]*$|^#' \
+      | head -1 \
+      | head -c 100)
     echo "- **$DATE $TIME**: $SUMMARY"
   done
 fi

package/hooks/validate-commit-format.sh

@@ -1,38 +1,40 @@
 #!/bin/bash
-# Validates commit message format: tipo (Modelo/Archivo): Mensaje
-# Reads $TOOL_INPUT as JSON, extracts the command, then validates the commit message
+# PreToolUse hook (Bash): validates commit message format before the command runs.
+# Reads the hook payload as JSON from stdin, extracts .tool_input.command,
+# then validates the commit message.
 # Valid types: feat|fix|chore|refactor|test|docs|style|perf|ci|build|revert
+# Exit codes: 0 = allow, 2 = block (stderr shown to the model).
 
-TOOL_JSON="$TOOL_INPUT"
+INPUT=$(cat)
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 
-# Extract the command field from the Bash tool JSON input
-CMD=$(echo "$TOOL_JSON" | jq -r '.command // empty' 2>/dev/null)
-[ -z "$CMD" ] && CMD="$TOOL_JSON"
+# Fallback: if stdin was not JSON, treat the whole payload as the command.
+[ -z "$CMD" ] && CMD="$INPUT"
 
 # Only check git commit commands
-echo "$CMD" | grep -qE 'git commit' || exit 0
+printf '%s' "$CMD" | grep -qE 'git commit' || exit 0
 
 # Extract commit message from -m flag
 # Handles: -m "msg", -m 'msg', -m "$(cat <<'EOF'\nmsg\nEOF\n)"
-MSG=$(echo "$CMD" | sed -n 's/.*-m[[:space:]]*["'\'']\{0,1\}\(.*\)/\1/p' | sed 's/["'\'']\{0,1\}[[:space:]]*$//' | head -1)
+MSG=$(printf '%s' "$CMD" | sed -n 's/.*-m[[:space:]]*["'\'']\{0,1\}\(.*\)/\1/p' | sed 's/["'\'']\{0,1\}[[:space:]]*$//' | head -1)
 
 # For heredoc pattern: extract the first content line
-if echo "$MSG" | grep -q '<<'; then
-  MSG=$(echo "$CMD" | tr '\n' '|' | sed 's/.*<<[^|]*|//' | sed 's/|.*//' | sed 's/^[[:space:]]*//')
+if printf '%s' "$MSG" | grep -q '<<'; then
+  MSG=$(printf '%s' "$CMD" | tr '\n' '|' | sed 's/.*<<[^|]*|//' | sed 's/|.*//' | sed 's/^[[:space:]]*//')
 fi
 
 # If we couldn't extract a message, skip validation (might be --amend or interactive)
 [ -z "$MSG" ] && exit 0
 
 # Validate format: tipo (Scope): message
-if ! echo "$MSG" | grep -qE '^(feat|fix|chore|refactor|test|docs|style|perf|ci|build|revert)\s*\('; then
+if ! printf '%s' "$MSG" | grep -qE '^(feat|fix|chore|refactor|test|docs|style|perf|ci|build|revert)\s*\('; then
   echo "BLOCKED: Commit format is incorrect." >&2
   echo "Required: type (Scope): Descriptive message" >&2
   echo "Canonical example: feat (AuthController): add OAuth2 login flow" >&2
   echo "Valid types: feat|fix|chore|refactor|test|docs|style|perf|ci|build|revert" >&2
   echo "Do not use --no-verify to bypass this check. Fix the message instead." >&2
   echo "Got: $MSG" >&2
-  exit 1
+  exit 2
 fi
 
 exit 0

package/install.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env sh
 set -eu
 
-AXEL_PACKAGE="${AXEL_SETUP_PACKAGE:-axel-setup@latest}"
+AXEL_PACKAGE="${AXEL_SETUP_PACKAGE:-axel-setup@0.3.0}"
 AXEL_NPX="${AXEL_SETUP_NPX:-npx}"
 
 die() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "axel-setup",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Claude Code-first team configuration package with hooks, agents, commands, skills, plugins, and repeatable bootstrap tooling.",
   "license": "MIT",
   "author": {

package/templates/merge-settings.jq

@@ -23,11 +23,14 @@
     ($event): (
       ($existing_hooks[$event] // []) as $existing_entries |
       ($axel_hooks[$event] // []) as $axel_entries |
-      ($existing_entries | map(.hooks[0].command // "") | map(select(. != ""))) as $existing_cmds |
+      # Identify each entry by the FULL ordered list of its hook commands, not
+      # just the first one. This keeps dedup correct for multi-command entries
+      # (two entries that share a first command but differ later are distinct).
+      ($existing_entries | map((.hooks // []) | map(.command // ""))) as $existing_cmds |
       ($axel_entries | map(
         select(
-          (.hooks[0].command // "") as $cmd |
-          ($existing_cmds | map(. == $cmd) | any | not)
+          ((.hooks // []) | map(.command // "")) as $cmds |
+          ($existing_cmds | map(. == $cmds) | any | not)
         )
       )) as $new_entries |
       $existing_entries + $new_entries

package/templates/settings.json

@@ -7,7 +7,6 @@
   },
   "permissions": {
     "allow": [
-      "Bash(*)",
       "Read(*)",
       "Edit(*)",
       "Write(*)",
@@ -20,7 +19,7 @@
       "Bash(rm -rf *)",
       "Bash(dd *)"
     ],
-    "defaultMode": "bypassPermissions"
+    "defaultMode": "acceptEdits"
   },
   "hooks": {
     "PreToolUse": [
@@ -29,7 +28,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "echo \"$TOOL_INPUT\" | grep -qE '\\-\\-no-verify' && echo 'BLOCKED: --no-verify is prohibited' >&2 && exit 2 || exit 0"
+            "command": "CMD=$(jq -r '.tool_input.command // empty'); printf '%s' \"$CMD\" | grep -qE '\\-\\-no-verify' && echo 'BLOCKED: --no-verify is prohibited' >&2 && exit 2 || exit 0"
           }
         ]
       },
@@ -47,7 +46,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "echo \"$TOOL_INPUT\" | grep -qE 'RAILS_ENV=staging' && echo 'WARNING: staging = PRODUCTION. Confirm with the user.' >&2 && exit 1 || exit 0"
+            "command": "CMD=$(jq -r '.tool_input.command // empty'); printf '%s' \"$CMD\" | grep -qE 'RAILS_ENV=staging' && echo 'BLOCKED: staging = PRODUCTION. Confirm with the user before running.' >&2 && exit 2 || exit 0"
           }
         ]
       },
@@ -251,5 +250,5 @@
   "autoMemoryDirectory": "~/.claude/memory",
   "autoDreamEnabled": true,
   "showThinkingSummaries": true,
-  "skipDangerousModePermissionPrompt": true
+  "skipDangerousModePermissionPrompt": false
 }