cclaw-cli 0.48.9 → 0.48.10

package/dist/content/opencode-plugin.js

@@ -425,16 +425,16 @@ export default function cclawPlugin(ctx) {
         await refreshBootstrapCache(true);
       }
       if (eventType === "session.compacted") {
-        await runHookScript("pre-compact.sh", eventData ?? {});
+        await runHookScript("pre-compact", eventData ?? {});
       }
       if (eventType === "session.idle") {
-        await runHookScript("stop-checkpoint.sh", { loop_count: 0 });
+        await runHookScript("stop-checkpoint", { loop_count: 0 });
       }
     },
     "tool.execute.before": async (input, output) => {
       const payload = normalizeToolPayload(input, output);
-      const promptOk = await runHookScript("prompt-guard.sh", payload);
-      const workflowOk = await runHookScript("workflow-guard.sh", payload);
+      const promptOk = await runHookScript("prompt-guard", payload);
+      const workflowOk = await runHookScript("workflow-guard", payload);
       if (!promptOk || !workflowOk) {
         throw new Error(
           "cclaw OpenCode guard blocked tool.execute.before (prompt/workflow guard non-zero exit)."
@@ -443,7 +443,7 @@ export default function cclawPlugin(ctx) {
     },
     "tool.execute.after": async (input, output) => {
       const payload = normalizeToolPayload(input, output);
-      await runHookScript("context-monitor.sh", payload);
+      await runHookScript("context-monitor", payload);
       void refreshBootstrapCache(false);
     },
     "experimental.chat.system.transform": (payload) => {

package/dist/content/protocols.js

@@ -101,19 +101,15 @@ Shared closeout sequence applied by every stage skill.
 1. Verify mandatory delegations are completed or explicitly waived.
 2. Persist stage artifact under \`.cclaw/artifacts/\`.
 3. Use the canonical helper:
-   - \`bash .cclaw/hooks/stage-complete.sh <stage>\`
+   - \`node .cclaw/hooks/stage-complete.mjs <stage>\`
    - helper responsibilities: validate mandatory delegations, validate
      current-stage gate evidence/artifact lint, update
      \`stageGateCatalog\` + \`guardEvidence\`, and advance \`currentStage\`.
-4. Legacy fallback (only when helper is unavailable): manually edit
-   \`.cclaw/state/flow-state.json\` to mark passed gates, clear resolved
-   blocked gates, and update \`guardEvidence\`. This path is legacy and
-   intentionally noisy in workflow guards.
-5. Run \`npx cclaw doctor\` and resolve failures.
-6. **Capture through-flow learnings** — see the policy below. Knowledge
+4. Run \`npx cclaw doctor\` and resolve failures.
+5. **Capture through-flow learnings** — see the policy below. Knowledge
    accrues continuously across stages, not just at retro.
-7. Notify user with stage completion and next action (\`/cc-next\`).
-8. Stop; do not auto-run the next stage unless user asks.
+6. Notify user with stage completion and next action (\`/cc-next\`).
+7. Stop; do not auto-run the next stage unless user asks.
 
 ## Through-flow knowledge capture
 

package/dist/content/skills.js

@@ -222,7 +222,7 @@ function completionParametersBlock(schema, track) {
 - \`gates\`: ${gateList}
 - \`artifact\`: \`${RUNTIME_ROOT}/artifacts/${schema.artifactFile}\`
 - \`mandatory delegations\`: ${mandatory}
-- \`completion helper\`: \`bash .cclaw/hooks/stage-complete.sh ${schema.stage}\`
+- \`completion helper\`: \`node .cclaw/hooks/stage-complete.mjs ${schema.stage}\`
 - Fill \`## Learnings\` before closeout: either \`- None this stage.\` or JSON bullets with required keys \`type\`, \`trigger\`, \`action\`, \`confidence\` (knowledge-schema compatible).
 - Record mandatory delegation completion/waiver in \`${RUNTIME_ROOT}/state/delegation-log.json\` with rationale as needed.
 - Use the completion helper instead of raw \`flow-state.json\` edits (legacy direct edits trigger workflow-guard warnings or strict-mode blocks).

package/dist/content/stage-common-guidance.js

@@ -63,7 +63,7 @@ Before closeout, fill the artifact \`## Learnings\` section (do not write
 - \`- None this stage.\` when nothing reusable emerged.
 - Or 1-3 JSON bullets with required keys \`type\`, \`trigger\`, \`action\`,
   \`confidence\` (optional fields may mirror knowledge.jsonl schema keys).
-During \`bash .cclaw/hooks/stage-complete.sh <stage>\`, cclaw validates those
+During \`node .cclaw/hooks/stage-complete.mjs <stage>\`, cclaw validates those
 bullets, appends unique entries to \`.cclaw/knowledge.jsonl\`, and stamps a
 harvest marker in the artifact.
 

package/dist/content/stages/design.js

@@ -43,7 +43,7 @@ export const DESIGN = {
         "If a section has no issues, say 'No issues found' and move on.",
         "Do not skip failure-mode mapping.",
         "For design baseline approval: present the full baseline. **STOP.** Do NOT proceed until user explicitly approves the design.",
-        "**STOP BEFORE ADVANCE.** Mandatory delegation `planner` must be marked completed or explicitly waived in `.cclaw/state/delegation-log.json`. Then close the stage via `bash .cclaw/hooks/stage-complete.sh design` (do not hand-edit `.cclaw/state/flow-state.json`).",
+        "**STOP BEFORE ADVANCE.** Mandatory delegation `planner` must be marked completed or explicitly waived in `.cclaw/state/delegation-log.json`. Then close the stage via `node .cclaw/hooks/stage-complete.mjs design` (do not hand-edit `.cclaw/state/flow-state.json`).",
         "Take a firm position on every recommendation. Do NOT hedge with 'it depends' or 'you could do either'. State your opinion, then justify it.",
         "Use pushback patterns for weak framing: if the user says 'it's just a small change', respond with 'small changes to shared interfaces have outsized blast radius — let's map it'. If 'we'll refactor later', respond with 'later never comes — show me the refactor ticket or do it now'.",
         "When the user's proposed architecture is suboptimal, say so directly. Offer the alternative with concrete trade-offs, do not bury criticism in praise.",

package/dist/content/stages/plan.js

@@ -29,7 +29,7 @@ export const PLAN = {
         "Map scope Locked Decisions — every D-XX from scope is referenced by at least one plan task (or explicitly marked deferred with reason).",
         "Run anti-placeholder + anti-scope-reduction scans — block `TODO/TBD/...` and phrasing like `v1`, `for now`, `later` for locked boundaries.",
         "Define checkpoints — mark points where progress should be validated before continuing.",
-        "WAIT_FOR_CONFIRM — write plan artifact and explicitly pause. **STOP.** Do NOT proceed until user confirms. Then close the stage with `bash .cclaw/hooks/stage-complete.sh plan` and tell user to run `/cc-next`."
+        "WAIT_FOR_CONFIRM — write plan artifact and explicitly pause. **STOP.** Do NOT proceed until user confirms. Then close the stage with `node .cclaw/hooks/stage-complete.mjs plan` and tell user to run `/cc-next`."
     ],
     interactionProtocol: [
         "Plan in read-only mode relative to implementation.",
@@ -39,7 +39,7 @@ export const PLAN = {
         "Preserve locked scope boundaries: no silent scope reduction language in task rows.",
         "Enforce WAIT_FOR_CONFIRM: present the plan summary with options (A) Approve / (B) Revise / (C) Reject.",
         "**STOP.** Do NOT proceed until user explicitly approves.",
-        "**STOP BEFORE ADVANCE.** Mandatory delegation `planner` must be marked completed or explicitly waived in `.cclaw/state/delegation-log.json`. Then close the stage via `bash .cclaw/hooks/stage-complete.sh plan` and tell the user to run `/cc-next`."
+        "**STOP BEFORE ADVANCE.** Mandatory delegation `planner` must be marked completed or explicitly waived in `.cclaw/state/delegation-log.json`. Then close the stage via `node .cclaw/hooks/stage-complete.mjs plan` and tell the user to run `/cc-next`."
     ],
     process: [
         "Build dependency graph and ordered slices.",

package/dist/content/stages/scope.js

@@ -42,7 +42,7 @@ export const SCOPE = {
         "Once the user accepts or rejects a recommendation, commit fully. Do not re-argue.",
         "Produce a clean scope summary after all issues are resolved.",
         "**STOP.** Wait for explicit user approval of scope contract before advancing to design.",
-        "**STOP BEFORE ADVANCE.** Mandatory delegation `planner` must be marked completed or explicitly waived in `.cclaw/state/delegation-log.json`. Then close the stage via `bash .cclaw/hooks/stage-complete.sh scope` (do not hand-edit `.cclaw/state/flow-state.json`)."
+        "**STOP BEFORE ADVANCE.** Mandatory delegation `planner` must be marked completed or explicitly waived in `.cclaw/state/delegation-log.json`. Then close the stage via `node .cclaw/hooks/stage-complete.mjs scope` (do not hand-edit `.cclaw/state/flow-state.json`)."
     ],
     process: [
         "Run premise challenge and existing-solution leverage check.",

package/dist/doctor.js

@@ -484,11 +484,11 @@ export async function doctorChecks(projectRoot, options = {}) {
                 : `no deprecated "tddTestGlobs" key detected in ${RUNTIME_ROOT}/config.yaml`
         });
         const expectedMode = parsedConfig.promptGuardMode === "strict" ? "strict" : "advisory";
-        const promptGuardPath = path.join(projectRoot, RUNTIME_ROOT, "hooks", "prompt-guard.sh");
+        const promptGuardPath = path.join(projectRoot, RUNTIME_ROOT, "hooks", "run-hook.mjs");
         let promptGuardModeOk = false;
         if (await exists(promptGuardPath)) {
             const promptGuardContent = await fs.readFile(promptGuardPath, "utf8");
-            promptGuardModeOk = promptGuardContent.includes(`PROMPT_GUARD_MODE="${expectedMode}"`);
+            promptGuardModeOk = promptGuardContent.includes(`const DEFAULT_PROMPT_GUARD_MODE = "${expectedMode}"`);
         }
         checks.push({
             name: "hook:prompt_guard:mode",
@@ -496,13 +496,13 @@ export async function doctorChecks(projectRoot, options = {}) {
             details: `${promptGuardPath} must match promptGuardMode=${expectedMode}`
         });
         if (parsedConfig.gitHookGuards === true) {
-            const runtimePreCommit = path.join(projectRoot, RUNTIME_ROOT, "hooks", "git", "pre-commit.sh");
-            const runtimePrePush = path.join(projectRoot, RUNTIME_ROOT, "hooks", "git", "pre-push.sh");
+            const runtimePreCommit = path.join(projectRoot, RUNTIME_ROOT, "hooks", "git", "pre-commit.mjs");
+            const runtimePrePush = path.join(projectRoot, RUNTIME_ROOT, "hooks", "git", "pre-push.mjs");
             const runtimeScriptsOk = (await exists(runtimePreCommit)) && (await exists(runtimePrePush));
             checks.push({
                 name: "git_hooks:managed:runtime_scripts",
                 ok: runtimeScriptsOk,
-                details: `${RUNTIME_ROOT}/hooks/git/pre-commit.sh and pre-push.sh must exist when gitHookGuards=true`
+                details: `${RUNTIME_ROOT}/hooks/git/pre-commit.mjs and pre-push.mjs must exist when gitHookGuards=true`
             });
             const gitHooksDir = await resolveGitHooksDir(projectRoot);
             if (!gitHooksDir) {
@@ -673,15 +673,9 @@ export async function doctorChecks(projectRoot, options = {}) {
     }
     // Hook scripts
     for (const script of [
-        "_lib.sh",
-        "session-start.sh",
-        "stop-checkpoint.sh",
-        "run-hook.cmd",
-        "stage-complete.sh",
-        "pre-compact.sh",
-        "prompt-guard.sh",
-        "workflow-guard.sh",
-        "context-monitor.sh"
+        "run-hook.mjs",
+        "stage-complete.mjs",
+        "opencode-plugin.mjs"
     ]) {
         const scriptPath = path.join(projectRoot, RUNTIME_ROOT, "hooks", script);
         const scriptExists = await exists(scriptPath);
@@ -699,10 +693,13 @@ export async function doctorChecks(projectRoot, options = {}) {
             catch {
                 executable = false;
             }
+            const executableCheckOk = process.platform === "win32" ? true : executable;
             checks.push({
                 name: `hook:script:${script}:executable`,
-                ok: executable,
-                details: `${scriptPath} must be executable`
+                ok: executableCheckOk,
+                details: process.platform === "win32"
+                    ? `${scriptPath} executable-bit check skipped on Windows`
+                    : `${scriptPath} must be executable`
             });
         }
     }
@@ -776,11 +773,11 @@ export async function doctorChecks(projectRoot, options = {}) {
         const preCommands = collectHookCommands(hooks.PreToolUse);
         const postCommands = collectHookCommands(hooks.PostToolUse);
         const stopCommands = collectHookCommands(hooks.Stop);
-        const wiringOk = sessionCommands.some((cmd) => cmd.includes("session-start.sh")) &&
-            preCommands.some((cmd) => cmd.includes("prompt-guard.sh")) &&
-            preCommands.some((cmd) => cmd.includes("workflow-guard.sh")) &&
-            postCommands.some((cmd) => cmd.includes("context-monitor.sh")) &&
-            stopCommands.some((cmd) => cmd.includes("stop-checkpoint.sh"));
+        const wiringOk = sessionCommands.some((cmd) => cmd.includes("session-start")) &&
+            preCommands.some((cmd) => cmd.includes("prompt-guard")) &&
+            preCommands.some((cmd) => cmd.includes("workflow-guard")) &&
+            postCommands.some((cmd) => cmd.includes("context-monitor")) &&
+            stopCommands.some((cmd) => cmd.includes("stop-checkpoint"));
         checks.push({
             name: "hook:wiring:claude",
             ok: wiringOk,
@@ -809,11 +806,11 @@ export async function doctorChecks(projectRoot, options = {}) {
         const preCommands = collectHookCommands(hooks.preToolUse);
         const postCommands = collectHookCommands(hooks.postToolUse);
         const stopCommands = collectHookCommands(hooks.stop);
-        const wiringOk = sessionCommands.some((cmd) => cmd.includes("session-start.sh")) &&
-            preCommands.some((cmd) => cmd.includes("prompt-guard.sh")) &&
-            preCommands.some((cmd) => cmd.includes("workflow-guard.sh")) &&
-            postCommands.some((cmd) => cmd.includes("context-monitor.sh")) &&
-            stopCommands.some((cmd) => cmd.includes("stop-checkpoint.sh"));
+        const wiringOk = sessionCommands.some((cmd) => cmd.includes("session-start")) &&
+            preCommands.some((cmd) => cmd.includes("prompt-guard")) &&
+            preCommands.some((cmd) => cmd.includes("workflow-guard")) &&
+            postCommands.some((cmd) => cmd.includes("context-monitor")) &&
+            stopCommands.some((cmd) => cmd.includes("stop-checkpoint"));
         checks.push({
             name: "hook:wiring:cursor",
             ok: wiringOk,
@@ -876,14 +873,14 @@ export async function doctorChecks(projectRoot, options = {}) {
         const codexPreCmds = collectHookCommands(codexHooks.PreToolUse);
         const codexPostCmds = collectHookCommands(codexHooks.PostToolUse);
         const codexStopCmds = collectHookCommands(codexHooks.Stop);
-        const codexWiringOk = codexSessionCmds.some((cmd) => cmd.includes("session-start.sh")) &&
-            codexUserPromptCmds.some((cmd) => cmd.includes("prompt-guard.sh")) &&
-            codexUserPromptCmds.some((cmd) => cmd.includes("workflow-guard.sh")) &&
+        const codexWiringOk = codexSessionCmds.some((cmd) => cmd.includes("session-start")) &&
+            codexUserPromptCmds.some((cmd) => cmd.includes("prompt-guard")) &&
+            codexUserPromptCmds.some((cmd) => cmd.includes("workflow-guard")) &&
             codexUserPromptCmds.some((cmd) => cmd.includes("verify-current-state")) &&
-            codexPreCmds.some((cmd) => cmd.includes("prompt-guard.sh")) &&
-            codexPreCmds.some((cmd) => cmd.includes("workflow-guard.sh")) &&
-            codexPostCmds.some((cmd) => cmd.includes("context-monitor.sh")) &&
-            codexStopCmds.some((cmd) => cmd.includes("stop-checkpoint.sh"));
+            codexPreCmds.some((cmd) => cmd.includes("prompt-guard")) &&
+            codexPreCmds.some((cmd) => cmd.includes("workflow-guard")) &&
+            codexPostCmds.some((cmd) => cmd.includes("context-monitor")) &&
+            codexStopCmds.some((cmd) => cmd.includes("stop-checkpoint"));
         checks.push({
             name: "hook:wiring:codex",
             ok: codexWiringOk,
@@ -963,10 +960,10 @@ export async function doctorChecks(projectRoot, options = {}) {
                 content.includes("event: async") &&
                     content.includes('"tool.execute.before"') &&
                     content.includes('"tool.execute.after"') &&
-                    content.includes("prompt-guard.sh") &&
-                    content.includes("workflow-guard.sh") &&
-                    content.includes("context-monitor.sh") &&
-                    content.includes("pre-compact.sh") &&
+                    content.includes("prompt-guard") &&
+                    content.includes("workflow-guard") &&
+                    content.includes("context-monitor") &&
+                    content.includes("pre-compact") &&
                     content.includes('"session.created"') &&
                     content.includes('"session.idle"') &&
                     content.includes('"session.resumed"') &&
@@ -981,7 +978,7 @@ export async function doctorChecks(projectRoot, options = {}) {
                     content.includes('"tool.execute.after": async');
             precompactHookOk =
                 content.includes('eventType === "session.compacted"') &&
-                    content.includes('runHookScript("pre-compact.sh"');
+                    content.includes('runHookScript("pre-compact"');
         }
         checks.push({
             name: "lifecycle:opencode:rehydration_events",
@@ -996,7 +993,7 @@ export async function doctorChecks(projectRoot, options = {}) {
         checks.push({
             name: "hook:opencode:precompact_digest",
             ok: precompactHookOk,
-            details: `${file} must run pre-compact.sh on session.compacted before bootstrap refresh.`
+            details: `${file} must run pre-compact on session.compacted before bootstrap refresh.`
         });
         const runtimeShape = await opencodePluginRuntimeShapeCheck(projectRoot);
         checks.push({
@@ -1011,34 +1008,48 @@ export async function doctorChecks(projectRoot, options = {}) {
             details: registration.details
         });
     }
-    const hasBash = await commandAvailable("bash");
     const hasNode = await commandAvailable("node");
     const hasPython = await commandAvailable("python3");
     const hasJq = await commandAvailable("jq");
-    checks.push({
-        name: "capability:required:bash",
-        ok: hasBash,
-        details: "bash is required to execute cclaw hook scripts"
-    });
     checks.push({
         name: "capability:required:node",
         ok: hasNode,
         details: "node is required for cclaw runtime scripts and CLI wiring"
     });
-    checks.push({
-        name: "capability:runtime:json_parser",
-        ok: hasPython || hasJq,
-        details: "at least one of python3 or jq must be available for hook JSON parsing fallbacks"
-    });
     checks.push({
         name: "warning:capability:jq",
         ok: true,
-        details: hasJq ? "jq available" : "warning: jq not found, python/node fallbacks will be used"
+        details: hasJq
+            ? "jq available (optional)"
+            : "warning: jq not found; Node hook runtime no longer depends on jq"
     });
     checks.push({
         name: "warning:capability:python3",
         ok: true,
-        details: hasPython ? "python3 available" : "warning: python3 not found, jq/node paths must stay healthy"
+        details: hasPython
+            ? "python3 available (optional)"
+            : "warning: python3 not found; Node hook runtime no longer depends on python3"
+    });
+    const windowsHookConfigCandidates = [
+        path.join(projectRoot, ".claude/hooks/hooks.json"),
+        path.join(projectRoot, ".cursor/hooks.json"),
+        path.join(projectRoot, ".codex/hooks.json")
+    ];
+    const legacyDispatchFiles = [];
+    for (const candidate of windowsHookConfigCandidates) {
+        if (!(await exists(candidate)))
+            continue;
+        const content = await fs.readFile(candidate, "utf8");
+        if (/run-hook\.cmd|bash\s+\.cclaw\/hooks\//u.test(content)) {
+            legacyDispatchFiles.push(path.relative(projectRoot, candidate));
+        }
+    }
+    checks.push({
+        name: "warning:windows:hook_dispatch_node_only",
+        ok: legacyDispatchFiles.length === 0,
+        details: legacyDispatchFiles.length === 0
+            ? "hook configs use node-dispatched .cclaw/hooks/run-hook.mjs commands"
+            : `warning: legacy shell hook dispatch remains in ${legacyDispatchFiles.join(", ")}`
     });
     // Knowledge store exists (canonical JSONL, no markdown mirror)
     checks.push({

package/dist/install.js

@@ -24,8 +24,7 @@ import { rewindCommandContract, rewindCommandSkillMarkdown } from "./content/rew
 import { subagentDrivenDevSkill, parallelAgentsSkill } from "./content/subagents.js";
 import { sessionHooksSkillMarkdown } from "./content/session-hooks.js";
 import { ironLawRuntimeDocument, ironLawsSkillMarkdown } from "./content/iron-laws.js";
-import { hookLibScript, sessionStartScript, stopCheckpointScript, runHookDispatcherScript, stageCompleteScript, preCompactScript, opencodePluginJs, claudeHooksJson, codexHooksJson, cursorHooksJson } from "./content/hooks.js";
-import { contextMonitorScript, promptGuardScript, workflowGuardScript } from "./content/observe.js";
+import { stageCompleteScript, opencodePluginJs, claudeHooksJson, codexHooksJson, cursorHooksJson } from "./content/hooks.js";
 import { nodeHookRuntimeScript } from "./content/node-hooks.js";
 import { META_SKILL_NAME, usingCclawSkillMarkdown } from "./content/meta-skill.js";
 import { decisionProtocolMarkdown, completionProtocolMarkdown, ethosProtocolMarkdown } from "./content/protocols.js";
@@ -73,32 +72,121 @@ async function resolveGitHooksDir(projectRoot) {
     }
 }
 function managedGitRuntimeScript(hookName) {
-    const rangeExpression = hookName === "pre-commit"
-        ? 'git diff --cached --name-only'
-        : 'git diff --name-only @{upstream}...HEAD || git diff --name-only HEAD~1...HEAD';
-    return `#!/usr/bin/env bash
-# ${GIT_HOOK_MANAGED_MARKER}: runtime ${hookName}
-set -euo pipefail
+    return `#!/usr/bin/env node
+// ${GIT_HOOK_MANAGED_MARKER}: runtime ${hookName}
+import fs from "node:fs";
+import path from "node:path";
+import process from "node:process";
+import { spawnSync } from "node:child_process";
+
+const HOOK_NAME = ${JSON.stringify(hookName)};
+const RUNTIME_ROOT = ${JSON.stringify(RUNTIME_ROOT)};
+
+function runGit(args, cwd) {
+  const result = spawnSync("git", args, {
+    cwd,
+    encoding: "utf8",
+    stdio: ["ignore", "pipe", "ignore"]
+  });
+  return {
+    status: typeof result.status === "number" ? result.status : 1,
+    stdout: typeof result.stdout === "string" ? result.stdout : ""
+  };
+}
+
+function resolveRepoRoot() {
+  const result = runGit(["rev-parse", "--show-toplevel"], process.cwd());
+  if (result.status === 0) {
+    const root = result.stdout.trim();
+    if (root.length > 0) return root;
+  }
+  return process.cwd();
+}
 
-ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd)
-GUARD_SCRIPT="$ROOT/${RUNTIME_ROOT}/hooks/prompt-guard.sh"
-[ -x "$GUARD_SCRIPT" ] || exit 0
+function resolveChangedFiles(root) {
+  if (HOOK_NAME === "pre-commit") {
+    const result = runGit(["diff", "--cached", "--name-only"], root);
+    return result.status === 0 ? result.stdout : "";
+  }
+  const upstreamResult = runGit(["diff", "--name-only", "@{upstream}...HEAD"], root);
+  if (upstreamResult.status === 0) {
+    return upstreamResult.stdout;
+  }
+  const fallback = runGit(["diff", "--name-only", "HEAD~1...HEAD"], root);
+  return fallback.status === 0 ? fallback.stdout : "";
+}
+
+const root = resolveRepoRoot();
+const runtimeHook = path.join(root, RUNTIME_ROOT, "hooks", "run-hook.mjs");
+if (!fs.existsSync(runtimeHook)) {
+  process.exit(0);
+}
+
+const changedFiles = resolveChangedFiles(root)
+  .split(/\\r?\\n/gu)
+  .map((line) => line.trim())
+  .filter((line) => line.length > 0);
+if (changedFiles.length === 0) {
+  process.exit(0);
+}
 
-FILES=$(${rangeExpression} 2>/dev/null || true)
-[ -n "$FILES" ] || exit 0
+const payload = JSON.stringify({
+  tool_name: "Write",
+  tool_input: {
+    path: changedFiles.join("\\n"),
+    paths: changedFiles
+  }
+});
 
-printf '%s\n' "$FILES" | bash "$GUARD_SCRIPT"
+  const result = spawnSync(process.execPath, [runtimeHook, "prompt-guard"], {
+  cwd: root,
+  env: process.env,
+  input: payload,
+  encoding: "utf8",
+  stdio: ["pipe", "ignore", "inherit"]
+});
+process.exit(typeof result.status === "number" ? result.status : 1);
 `;
 }
 function managedGitRelayHook(hookName) {
-    return `#!/usr/bin/env bash
-# ${GIT_HOOK_MANAGED_MARKER}: relay ${hookName}
-set -euo pipefail
+    return `#!/usr/bin/env node
+// ${GIT_HOOK_MANAGED_MARKER}: relay ${hookName}
+import fs from "node:fs";
+import path from "node:path";
+import process from "node:process";
+import { spawn, spawnSync } from "node:child_process";
+
+const RUNTIME_REL_DIR = ${JSON.stringify(GIT_HOOK_RUNTIME_REL_DIR)};
+const HOOK_NAME = ${JSON.stringify(hookName)};
+
+function resolveRepoRoot() {
+  const result = spawnSync("git", ["rev-parse", "--show-toplevel"], {
+    cwd: process.cwd(),
+    encoding: "utf8",
+    stdio: ["ignore", "pipe", "ignore"]
+  });
+  if (typeof result.status === "number" && result.status === 0) {
+    const root = (result.stdout || "").trim();
+    if (root.length > 0) return root;
+  }
+  return process.cwd();
+}
+
+const root = resolveRepoRoot();
+const runtimeHook = path.join(root, RUNTIME_REL_DIR, HOOK_NAME + ".mjs");
+if (!fs.existsSync(runtimeHook)) {
+  process.exit(0);
+}
 
-ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd)
-RUNTIME_HOOK="$ROOT/${GIT_HOOK_RUNTIME_REL_DIR}/${hookName}.sh"
-[ -x "$RUNTIME_HOOK" ] || exit 0
-exec bash "$RUNTIME_HOOK" "$@"
+const child = spawn(process.execPath, [runtimeHook, ...process.argv.slice(2)], {
+  cwd: root,
+  env: process.env,
+  stdio: "inherit"
+});
+child.on("error", () => process.exit(1));
+child.on("close", (code, signal) => {
+  process.exit(signal ? 1 : typeof code === "number" ? code : 1);
+});
 `;
 }
 async function removeManagedGitHookRelays(projectRoot) {
@@ -141,7 +229,7 @@ async function syncManagedGitHooks(projectRoot, config) {
     const runtimeGitHooksDir = path.join(projectRoot, GIT_HOOK_RUNTIME_REL_DIR);
     await ensureDir(runtimeGitHooksDir);
     for (const hookName of ["pre-commit", "pre-push"]) {
-        const runtimePathForHook = path.join(runtimeGitHooksDir, `${hookName}.sh`);
+        const runtimePathForHook = path.join(runtimeGitHooksDir, `${hookName}.mjs`);
         await writeFileSafe(runtimePathForHook, managedGitRuntimeScript(hookName));
         try {
             await fs.chmod(runtimePathForHook, 0o755);
@@ -631,22 +719,7 @@ async function writeHooks(projectRoot, config) {
         mode: config.ironLaws?.mode,
         strictLaws: config.ironLaws?.strictLaws
     }), null, 2)}\n`);
-    await writeFileSafe(path.join(hooksDir, "_lib.sh"), hookLibScript());
-    await writeFileSafe(path.join(hooksDir, "session-start.sh"), sessionStartScript());
-    await writeFileSafe(path.join(hooksDir, "stop-checkpoint.sh"), stopCheckpointScript());
-    await writeFileSafe(path.join(hooksDir, "run-hook.cmd"), runHookDispatcherScript());
-    await writeFileSafe(path.join(hooksDir, "stage-complete.sh"), stageCompleteScript());
-    await writeFileSafe(path.join(hooksDir, "pre-compact.sh"), preCompactScript());
-    await writeFileSafe(path.join(hooksDir, "prompt-guard.sh"), promptGuardScript({
-        strictMode: config.promptGuardMode === "strict"
-    }));
-    await writeFileSafe(path.join(hooksDir, "workflow-guard.sh"), workflowGuardScript({
-        workflowGuardMode: config.strictness ?? "advisory",
-        tddEnforcementMode: config.tddEnforcement ?? "advisory",
-        tddTestPathPatterns: config.tdd?.testPathPatterns ?? config.tddTestGlobs,
-        tddProductionPathPatterns: config.tdd?.productionPathPatterns
-    }));
-    await writeFileSafe(path.join(hooksDir, "context-monitor.sh"), contextMonitorScript());
+    await writeFileSafe(path.join(hooksDir, "stage-complete.mjs"), stageCompleteScript());
     await writeFileSafe(path.join(hooksDir, "run-hook.mjs"), nodeHookRuntimeScript({
         promptGuardMode: config.promptGuardMode ?? config.strictness ?? "advisory",
         workflowGuardMode: config.strictness ?? "advisory",
@@ -658,15 +731,7 @@ async function writeHooks(projectRoot, config) {
     await writeFileSafe(path.join(hooksDir, "opencode-plugin.mjs"), opencodePluginSource);
     try {
         for (const script of [
-            "_lib.sh",
-            "session-start.sh",
-            "stop-checkpoint.sh",
-            "run-hook.cmd",
-            "stage-complete.sh",
-            "pre-compact.sh",
-            "prompt-guard.sh",
-            "workflow-guard.sh",
-            "context-monitor.sh",
+            "stage-complete.mjs",
             "run-hook.mjs",
             "opencode-plugin.mjs"
         ]) {
@@ -1151,7 +1216,16 @@ async function cleanLegacyArtifacts(projectRoot) {
         runtimePath(projectRoot, "observations.jsonl"),
         runtimePath(projectRoot, "hooks", "observe.sh"),
         runtimePath(projectRoot, "hooks", "summarize-observations.sh"),
-        runtimePath(projectRoot, "hooks", "summarize-observations.mjs")
+        runtimePath(projectRoot, "hooks", "summarize-observations.mjs"),
+        runtimePath(projectRoot, "hooks", "_lib.sh"),
+        runtimePath(projectRoot, "hooks", "session-start.sh"),
+        runtimePath(projectRoot, "hooks", "stop-checkpoint.sh"),
+        runtimePath(projectRoot, "hooks", "run-hook.cmd"),
+        runtimePath(projectRoot, "hooks", "stage-complete.sh"),
+        runtimePath(projectRoot, "hooks", "pre-compact.sh"),
+        runtimePath(projectRoot, "hooks", "prompt-guard.sh"),
+        runtimePath(projectRoot, "hooks", "workflow-guard.sh"),
+        runtimePath(projectRoot, "hooks", "context-monitor.sh")
     ]) {
         try {
             await fs.rm(legacyRuntimeFile, { force: true });
@@ -1355,13 +1429,10 @@ function stripManagedHookCommands(value) {
 }
 function isManagedRuntimeHookCommand(command) {
     const normalized = command.trim().replace(/\s+/gu, " ");
-    if (/(^|\s)(?:bash\s+)?(?:\.\/)?\.cclaw\/hooks\/(?:session-start|stop-checkpoint|pre-compact|prompt-guard|workflow-guard|context-monitor)\.sh(?:\s|$)/u.test(normalized) ||
-        /(^|\s)(?:bash\s+)?(?:\.\/)?\.cclaw\/hooks\/run-hook\.cmd\s+(?:session-start|stop-checkpoint|pre-compact|prompt-guard|workflow-guard|context-monitor)(?:\.sh)?(?:\s|$)/u.test(normalized) ||
-        /(^|\s)(?:node\s+)?(?:"|')?(?:\.\/)?\.cclaw\/hooks\/run-hook\.mjs(?:"|')?\s+(?:session-start|stop-checkpoint|pre-compact|prompt-guard|workflow-guard|context-monitor|verify-current-state)(?:\.sh)?(?:\s|$)/u.test(normalized)) {
+    if (/(^|\s)(?:node\s+)?(?:"|')?(?:\.\/)?\.cclaw\/hooks\/run-hook\.mjs(?:"|')?\s+(?:session-start|stop-checkpoint|pre-compact|prompt-guard|workflow-guard|context-monitor|verify-current-state)(?:\s|$)/u.test(normalized)) {
         return true;
     }
-    // Codex UserPromptSubmit non-blocking state nudge:
-    // legacy shell and newer Node wrappers call this internal command.
+    // Codex UserPromptSubmit non-blocking state nudge.
     return /internal verify-current-state(?:\s|$)/u.test(normalized);
 }
 async function removeManagedHookEntries(hookFilePath) {

package/dist/policy.js

@@ -180,19 +180,19 @@ export async function policyChecks(projectRoot, options = {}) {
         { file: runtimeFile("contexts/execution.md"), needle: "Context Mode: execution", name: "context_mode:execution" },
         { file: runtimeFile("contexts/review.md"), needle: "Context Mode: review", name: "context_mode:review" },
         { file: runtimeFile("contexts/incident.md"), needle: "Context Mode: incident", name: "context_mode:incident" },
-        { file: runtimeFile("hooks/session-start.sh"), needle: "ACTIVE_RUN=", name: "hooks:session_start:active_run" },
-        { file: runtimeFile("hooks/session-start.sh"), needle: "checkpoint.json", name: "hooks:session_start:checkpoint_ref" },
-        { file: runtimeFile("hooks/session-start.sh"), needle: "stage-activity.jsonl", name: "hooks:session_start:activity_ref" },
-        { file: runtimeFile("hooks/session-start.sh"), needle: "suggestion-memory.json", name: "hooks:session_start:suggestion_memory" },
-        { file: runtimeFile("hooks/session-start.sh"), needle: "context-warnings.jsonl", name: "hooks:session_start:context_warning_ref" },
-        { file: runtimeFile("hooks/stop-checkpoint.sh"), needle: "checkpoint.json", name: "hooks:stop:checkpoint_write" },
-        { file: runtimeFile("hooks/prompt-guard.sh"), needle: "write_to_cclaw_runtime", name: "hooks:guard:risky_write_advisory" },
-        { file: runtimeFile("hooks/workflow-guard.sh"), needle: "stage_invocation_without_recent_flow_read", name: "hooks:workflow_guard:flow_read_reason" },
-        { file: runtimeFile("hooks/workflow-guard.sh"), needle: "stage_jump_", name: "hooks:workflow_guard:stage_jump_reason" },
-        { file: runtimeFile("hooks/workflow-guard.sh"), needle: "tdd_write_without_open_red", name: "hooks:workflow_guard:tdd_red_first" },
-        { file: runtimeFile("hooks/context-monitor.sh"), needle: "remaining is", name: "hooks:context:threshold_warning" },
+        { file: runtimeFile("hooks/run-hook.mjs"), needle: "activeRunId", name: "hooks:session_start:active_run" },
+        { file: runtimeFile("hooks/run-hook.mjs"), needle: "checkpoint.json", name: "hooks:session_start:checkpoint_ref" },
+        { file: runtimeFile("hooks/run-hook.mjs"), needle: "stage-activity.jsonl", name: "hooks:session_start:activity_ref" },
+        { file: runtimeFile("hooks/run-hook.mjs"), needle: "suggestion-memory.json", name: "hooks:session_start:suggestion_memory" },
+        { file: runtimeFile("hooks/run-hook.mjs"), needle: "context-warnings.jsonl", name: "hooks:session_start:context_warning_ref" },
+        { file: runtimeFile("hooks/run-hook.mjs"), needle: "checkpoint.json", name: "hooks:stop:checkpoint_write" },
+        { file: runtimeFile("hooks/run-hook.mjs"), needle: "write_to_cclaw_runtime", name: "hooks:guard:risky_write_advisory" },
+        { file: runtimeFile("hooks/run-hook.mjs"), needle: "stage_invocation_without_recent_flow_read", name: "hooks:workflow_guard:flow_read_reason" },
+        { file: runtimeFile("hooks/run-hook.mjs"), needle: "stage_jump_", name: "hooks:workflow_guard:stage_jump_reason" },
+        { file: runtimeFile("hooks/run-hook.mjs"), needle: "tdd_write_without_open_red", name: "hooks:workflow_guard:tdd_red_first" },
+        { file: runtimeFile("hooks/run-hook.mjs"), needle: "context remaining is", name: "hooks:context:threshold_warning" },
         { file: runtimeFile("hooks/opencode-plugin.mjs"), needle: "activeRunId", name: "hooks:opencode:active_run" },
-        { file: runtimeFile("hooks/session-start.sh"), needle: "Knowledge digest", name: "hooks:session_start:knowledge_digest" },
+        { file: runtimeFile("hooks/run-hook.mjs"), needle: "Knowledge digest", name: "hooks:session_start:knowledge_digest" },
         { file: runtimeFile("hooks/opencode-plugin.mjs"), needle: "Knowledge digest", name: "hooks:opencode:knowledge_digest" }
     ];
     if (activeHarnesses.has("opencode")) {
@@ -203,7 +203,7 @@ export async function policyChecks(projectRoot, options = {}) {
         });
         utilitySkillChecks.push({
             file: ".opencode/plugins/cclaw-plugin.mjs",
-            needle: "workflow-guard.sh",
+            needle: "workflow-guard",
             name: "hooks:opencode:deployed_workflow_guard"
         });
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cclaw-cli",
-  "version": "0.48.9",
+  "version": "0.48.10",
   "description": "Installer-first flow toolkit for coding agents",
   "type": "module",
   "bin": {
@@ -23,10 +23,9 @@
     "test:coverage": "vitest run --coverage",
     "test:mutation": "stryker run",
     "smoke:runtime": "npm run build && node scripts/smoke-init.mjs",
-    "lint:hooks": "npm run build && node scripts/lint-generated-hooks.mjs",
     "build:harness-docs": "npm run build && node scripts/build-harness-docs.mjs",
     "build:plugin-manifests": "npm run build && node scripts/build-plugin-manifests.mjs",
-    "release:check": "npm run build && node scripts/verify-bin-executable.mjs && npm run test && node scripts/lint-generated-hooks.mjs && node scripts/build-plugin-manifests.mjs && npm pack --dry-run && node scripts/smoke-init.mjs",
+    "release:check": "npm run build && node scripts/verify-bin-executable.mjs && npm run test && node scripts/build-plugin-manifests.mjs && npm pack --dry-run && node scripts/smoke-init.mjs",
     "release:bundle": "npm run release:check && npm pack"
   },
   "keywords": [