chief-clancy 0.8.22 → 0.9.0

package/hooks/clancy-branch-guard.js

@@ -1,128 +0,0 @@
-#!/usr/bin/env node
-// Clancy Branch Guard — PreToolUse hook.
-// Blocks dangerous git operations: force push, push to protected branches,
-// hard reset, clean, bulk discard, and force branch deletion.
-// Best-effort — never blocks on error (fail-open).
-
-'use strict';
-
-// Protected branch names — pushes to these are blocked.
-// CLANCY_BASE_BRANCH is added dynamically if set and not already in the list.
-const PROTECTED_BRANCHES = ['main', 'master', 'develop'];
-if (process.env.CLANCY_BASE_BRANCH && !PROTECTED_BRANCHES.includes(process.env.CLANCY_BASE_BRANCH)) {
-  PROTECTED_BRANCHES.push(process.env.CLANCY_BASE_BRANCH);
-}
-
-/**
- * Check whether a command string contains a dangerous git operation.
- * Returns a reason string if blocked, or null if allowed.
- */
-function checkCommand(cmd) {
-  if (!cmd || typeof cmd !== 'string') return null;
-
-  // --- git push --force / -f (without --force-with-lease) ---
-  // Match any occurrence of "git push" with --force or -f flag
-  if (/\bgit\s+push\b/.test(cmd)) {
-    const hasForceFlag = /\s--force\b/.test(cmd) || /\s-f\b/.test(cmd);
-    const hasForceWithLease = /--force-with-lease\b/.test(cmd);
-    if (hasForceFlag && !hasForceWithLease) {
-      return 'Blocked: git push --force destroys remote history. Use --force-with-lease instead.';
-    }
-
-    // --- git push to protected branches ---
-    // Pattern: git push [flags...] <remote> <protected-branch>
-    // Skip any flags (tokens starting with -) to find the remote and branch.
-    // The branch must be a standalone token — not a prefix of a longer name.
-    for (const branch of PROTECTED_BRANCHES) {
-      // Matches: git push origin main, git push -u origin main, git push --set-upstream origin main:main
-      // Does NOT match: git push origin main-feature
-      // Escape regex metacharacters in branch name (e.g. release/1.0 → release\/1\.0)
-      const escaped = branch.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-      const pattern = new RegExp(`\\bgit\\s+push\\s+(?:-\\S+\\s+)*\\S+\\s+${escaped}(?:\\s|$|:)`);
-      if (pattern.test(cmd)) {
-        return `Blocked: direct push to protected branch '${branch}'. Create a PR instead.`;
-      }
-    }
-  }
-
-  // --- git reset --hard ---
-  if (/\bgit\s+reset\s+--hard\b/.test(cmd)) {
-    return 'Blocked: git reset --hard destroys uncommitted work. Use --soft or --mixed instead.';
-  }
-
-  // --- git clean -f (any variant with -f but not just -n) ---
-  // Block git clean with -f flag (e.g. -f, -fd, -fdx, -xfd, etc.) but allow -n (dry run)
-  if (/\bgit\s+clean\b/.test(cmd)) {
-    // Check for -f flag in the clean arguments
-    // Match short flags like -f, -fd, -fdx, -xf, etc.
-    const cleanMatch = cmd.match(/\bgit\s+clean\s+(.*)/);
-    if (cleanMatch) {
-      const args = cleanMatch[1];
-      // Check for -f in combined short flags or standalone
-      if (/(?:^|\s)-[a-zA-Z]*f/.test(args) && !/(?:^|\s)-n\b/.test(args)) {
-        return 'Blocked: git clean -f deletes untracked files permanently. Use -n for a dry run first.';
-      }
-    }
-  }
-
-  // --- git checkout -- . (discard all changes) ---
-  if (/\bgit\s+checkout\s+--\s+\./.test(cmd)) {
-    return 'Blocked: git checkout -- . discards all uncommitted changes.';
-  }
-
-  // --- git restore . (discard all changes) ---
-  // Only block bare "git restore ." (all files), not "git restore ./specific-file"
-  if (/\bgit\s+restore\s+\.(?:\s*$|\s*[;&|])/.test(cmd)) {
-    return 'Blocked: git restore . discards all uncommitted changes.';
-  }
-
-  // --- git branch -D (force delete) ---
-  // Block uppercase -D only, not lowercase -d
-  if (/\bgit\s+branch\s+.*-D\b/.test(cmd)) {
-    return 'Blocked: git branch -D force-deletes a branch irrecoverably. Use -d for safe deletion.';
-  }
-
-  return null;
-}
-
-// Read hook input — Claude Code passes PreToolUse data as a JSON argument.
-// Fall back to stdin for forward compatibility with potential API changes.
-function readInput() {
-  if (process.argv[2]) return process.argv[2];
-  try { return require('fs').readFileSync('/dev/stdin', 'utf8'); } catch { return '{}'; }
-}
-
-try {
-  // Check if guard is disabled
-  if (process.env.CLANCY_BRANCH_GUARD === 'false') {
-    console.log(JSON.stringify({ decision: 'approve' }));
-    process.exit(0);
-  }
-
-  const input = JSON.parse(readInput());
-  const toolName = input.tool_name || '';
-  const toolInput = input.tool_input || {};
-
-  // Only check Bash tool calls
-  if (toolName !== 'Bash') {
-    console.log(JSON.stringify({ decision: 'approve' }));
-    process.exit(0);
-  }
-
-  const cmd = (toolInput.command || '').trim();
-  const reason = checkCommand(cmd);
-
-  if (reason) {
-    console.log(JSON.stringify({ decision: 'block', reason }));
-  } else {
-    console.log(JSON.stringify({ decision: 'approve' }));
-  }
-} catch {
-  // Best-effort — never block on error
-  console.log(JSON.stringify({ decision: 'approve' }));
-}
-
-// Export for testing
-if (typeof module !== 'undefined') {
-  module.exports = { checkCommand };
-}

package/hooks/clancy-check-update.js

@@ -1,114 +0,0 @@
-#!/usr/bin/env node
-// SessionStart hook: check for Clancy updates in the background.
-// Spawns a detached child process to hit npm, writes result to cache.
-// Claude reads the cache via CLAUDE.md instruction — no output from this script.
-
-'use strict';
-
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const { spawn } = require('child_process');
-
-const homeDir = os.homedir();
-const cwd = process.cwd();
-
-// Resolve the Clancy install dir (local takes priority over global).
-function findInstallDir() {
-  const localVersion = path.join(cwd, '.claude', 'commands', 'clancy', 'VERSION');
-  const globalVersion = path.join(homeDir, '.claude', 'commands', 'clancy', 'VERSION');
-  if (fs.existsSync(localVersion)) return path.dirname(localVersion);
-  if (fs.existsSync(globalVersion)) return path.dirname(globalVersion);
-  return null;
-}
-
-const installDir = findInstallDir();
-if (!installDir) process.exit(0); // Clancy not installed — nothing to check
-
-const cacheDir = path.join(homeDir, '.claude', 'cache');
-const cacheFile = path.join(cacheDir, 'clancy-update-check.json');
-const versionFile = path.join(installDir, 'VERSION');
-
-if (!fs.existsSync(cacheDir)) {
-  try { fs.mkdirSync(cacheDir, { recursive: true }); } catch { process.exit(0); }
-}
-
-// Spawn a detached background process to do the actual npm check.
-// This script returns immediately so it never delays session start.
-const child = spawn(process.execPath, ['-e', `
-  const fs = require('fs');
-  const { execFileSync } = require('child_process');
-
-  const cacheFile = ${JSON.stringify(cacheFile)};
-  const versionFile = ${JSON.stringify(versionFile)};
-
-  let installed = '0.0.0';
-  try { installed = fs.readFileSync(versionFile, 'utf8').trim(); } catch {}
-
-  let latest = null;
-  try {
-    latest = execFileSync('npm', ['view', 'chief-clancy', 'version'], {
-      encoding: 'utf8',
-      timeout: 10000,
-      windowsHide: true,
-    }).trim();
-  } catch {}
-
-  const result = {
-    update_available: Boolean(latest && installed !== latest),
-    installed,
-    latest: latest || 'unknown',
-    checked: Math.floor(Date.now() / 1000),
-  };
-
-  try { fs.writeFileSync(cacheFile, JSON.stringify(result)); } catch {}
-`], {
-  stdio: 'ignore',
-  windowsHide: true,
-  detached: true,
-});
-
-child.unref();
-
-// --- Stale brief detection ---
-// Best-effort: detect unapproved briefs older than 7 days, write count to cache file.
-try {
-  const briefsDir = path.join(cwd, '.clancy', 'briefs');
-  const staleFile = path.join(cwd, '.clancy', '.brief-stale-count');
-
-  if (!fs.existsSync(briefsDir)) {
-    // No briefs dir — clear any stale cache so old counts don't linger
-    try { fs.unlinkSync(staleFile); } catch { /* may not exist */ }
-  } else {
-    const files = fs.readdirSync(briefsDir);
-    // Only count brief files (YYYY-MM-DD-slug.md), exclude .feedback.md and .approved markers
-    const mdFiles = files.filter(f =>
-      f.endsWith('.md') &&
-      !f.endsWith('.md.approved') &&
-      !f.endsWith('.feedback.md')
-    );
-    const now = Date.now();
-    const sevenDays = 7 * 24 * 60 * 60 * 1000;
-    let staleCount = 0;
-
-    for (const file of mdFiles) {
-      // Check there is no corresponding .approved marker
-      if (files.includes(file + '.approved')) continue;
-
-      // Parse date from filename prefix: YYYY-MM-DD-slug.md
-      const match = file.match(/^(\d{4}-\d{2}-\d{2})-/);
-      if (!match) continue;
-
-      const fileDate = new Date(match[1] + 'T00:00:00Z');
-      if (isNaN(fileDate.getTime())) continue;
-
-      if (now - fileDate.getTime() > sevenDays) {
-        staleCount++;
-      }
-    }
-
-    fs.writeFileSync(staleFile, String(staleCount));
-  }
-} catch {
-  // Best-effort — never crash the hook
-}

package/hooks/clancy-context-monitor.js

@@ -1,189 +0,0 @@
-#!/usr/bin/env node
-// Clancy Context Monitor — PostToolUse hook.
-// Reads context metrics from the bridge file written by clancy-statusline.js
-// and injects warnings into Claude's conversation when context runs low.
-//
-// Context thresholds:
-//   WARNING  (remaining <= 35%): wrap up analysis, move to implementation
-//   CRITICAL (remaining <= 25%): commit current work, log to .clancy/progress.txt, stop
-//
-// Time guard:
-//   Reads .clancy/lock.json for startedAt timestamp.
-//   WARNING  (elapsed >= 80% of CLANCY_TIME_LIMIT): wrap up implementation
-//   CRITICAL (elapsed >= 100% of CLANCY_TIME_LIMIT): stop and deliver
-//
-// Debounce: 5 tool uses between warnings; severity escalation bypasses debounce.
-// Context and time guards use independent debounce counters.
-
-'use strict';
-
-const fs = require('fs');
-const os = require('os');
-const path = require('path');
-
-const WARNING_THRESHOLD  = 35;
-const CRITICAL_THRESHOLD = 25;
-const STALE_SECONDS      = 60;
-const DEBOUNCE_CALLS     = 5;
-const DEFAULT_TIME_LIMIT = 30; // minutes
-
-let input = '';
-const stdinTimeout = setTimeout(() => process.exit(0), 3000);
-process.stdin.setEncoding('utf8');
-process.stdin.on('data', chunk => { input += chunk; });
-process.stdin.on('end', () => {
-  clearTimeout(stdinTimeout);
-  try {
-    const data = JSON.parse(input);
-    const session = data.session_id;
-    if (!session) process.exit(0);
-
-    const messages = [];
-
-    // ── Warn file (shared by context + time debounce) ───────────
-    const warnPath = path.join(os.tmpdir(), `clancy-ctx-${session}-warned.json`);
-    let warnData = {
-      callsSinceWarn: 0,
-      lastLevel: null,
-      timeCallsSinceWarn: 0,
-      timeLastLevel: null,
-    };
-    let firstContextWarn = true;
-    let firstTimeWarn = true;
-
-    if (fs.existsSync(warnPath)) {
-      try {
-        const existing = JSON.parse(fs.readFileSync(warnPath, 'utf8'));
-        warnData = { ...warnData, ...existing };
-        firstContextWarn = !existing.lastLevel;
-        firstTimeWarn = !existing.timeLastLevel;
-      } catch {}
-    }
-
-    // ── Context guard ───────────────────────────────────────────
-    const bridgePath = path.join(os.tmpdir(), `clancy-ctx-${session}.json`);
-    let contextFired = false;
-
-    if (fs.existsSync(bridgePath)) {
-      const metrics = JSON.parse(fs.readFileSync(bridgePath, 'utf8'));
-      const now = Math.floor(Date.now() / 1000);
-
-      const isStale = metrics.timestamp && (now - metrics.timestamp) > STALE_SECONDS;
-      if (!isStale) {
-        const remaining = metrics.remaining_percentage;
-        const usedPct   = metrics.used_pct;
-
-        if (remaining <= WARNING_THRESHOLD) {
-          warnData.callsSinceWarn = (warnData.callsSinceWarn || 0) + 1;
-
-          const isCritical      = remaining <= CRITICAL_THRESHOLD;
-          const currentLevel    = isCritical ? 'critical' : 'warning';
-          const severityEscalated = currentLevel === 'critical' && warnData.lastLevel === 'warning';
-
-          const shouldFire = firstContextWarn ||
-            warnData.callsSinceWarn >= DEBOUNCE_CALLS ||
-            severityEscalated;
-
-          if (shouldFire) {
-            warnData.callsSinceWarn = 0;
-            warnData.lastLevel = currentLevel;
-            contextFired = true;
-
-            if (isCritical) {
-              messages.push(
-                `CONTEXT CRITICAL: Usage at ${usedPct}%. Remaining: ${remaining}%. ` +
-                'Context is nearly exhausted. Stop reading files and wrap up immediately:\n' +
-                '1. Commit whatever work is staged on the current feature branch\n' +
-                '2. Append a WIP entry to .clancy/progress.txt: ' +
-                'YYYY-MM-DD HH:MM | TICKET-KEY | Summary | WIP — context exhausted\n' +
-                '3. Inform the user what was completed and what remains.\n' +
-                'Do NOT start any new work.'
-              );
-            } else {
-              messages.push(
-                `CONTEXT WARNING: Usage at ${usedPct}%. Remaining: ${remaining}%. ` +
-                'Context is getting limited. Stop exploring and move to implementation. ' +
-                'Avoid reading additional files unless strictly necessary. ' +
-                'Commit completed work as soon as it is ready.'
-              );
-            }
-          }
-        }
-      }
-    }
-
-    // ── Time guard ──────────────────────────────────────────────
-    const timeLimitEnv = process.env.CLANCY_TIME_LIMIT;
-    const timeLimit = timeLimitEnv !== undefined ? Number(timeLimitEnv) : DEFAULT_TIME_LIMIT;
-
-    if (timeLimit > 0) {
-      // Look for lock.json in the working directory's .clancy/
-      const cwd = data.cwd || process.cwd();
-      const lockPath = path.join(cwd, '.clancy', 'lock.json');
-
-      if (fs.existsSync(lockPath)) {
-        try {
-          const lock = JSON.parse(fs.readFileSync(lockPath, 'utf8'));
-          const startedAt = new Date(lock.startedAt);
-
-          if (!isNaN(startedAt.getTime())) {
-            const elapsedMs = Date.now() - startedAt.getTime();
-            const elapsedMin = Math.floor(elapsedMs / 60000);
-            const limitMs = timeLimit * 60000;
-            const pct = Math.floor((elapsedMs / limitMs) * 100);
-
-            if (pct >= 80) {
-              warnData.timeCallsSinceWarn = (warnData.timeCallsSinceWarn || 0) + 1;
-
-              const isTimeCritical = pct >= 100;
-              const currentTimeLevel = isTimeCritical ? 'critical' : 'warning';
-              const timeSeverityEscalated =
-                currentTimeLevel === 'critical' && warnData.timeLastLevel === 'warning';
-
-              const shouldFireTime = firstTimeWarn ||
-                warnData.timeCallsSinceWarn >= DEBOUNCE_CALLS ||
-                timeSeverityEscalated;
-
-              if (shouldFireTime) {
-                warnData.timeCallsSinceWarn = 0;
-                warnData.timeLastLevel = currentTimeLevel;
-
-                if (isTimeCritical) {
-                  messages.push(
-                    `TIME CRITICAL: Time limit reached (${elapsedMin}min of ${timeLimit}min).\n` +
-                    'STOP implementation immediately. Commit current work, push the branch,\n' +
-                    'and create the PR with whatever is ready. Log a WIP entry if incomplete.'
-                  );
-                } else {
-                  messages.push(
-                    `TIME WARNING: Ticket implementation at ${elapsedMin}min of ${timeLimit}min limit (${pct}%).\n` +
-                    'Wrap up implementation and prepare for delivery. Avoid starting new approaches.'
-                  );
-                }
-              }
-            }
-          }
-        } catch {}
-      }
-    }
-
-    // ── Persist debounce state (only when a threshold was reached) ──
-    if (messages.length > 0 || contextFired || warnData.callsSinceWarn > 0 || warnData.timeCallsSinceWarn > 0) {
-      fs.writeFileSync(warnPath, JSON.stringify(warnData));
-    }
-
-    // ── Output ──────────────────────────────────────────────────
-    if (messages.length === 0) process.exit(0);
-
-    const output = {
-      hookSpecificOutput: {
-        hookEventName: 'PostToolUse',
-        additionalContext: messages.join('\n'),
-      },
-    };
-
-    process.stdout.write(JSON.stringify(output));
-  } catch {
-    process.exit(0);
-  }
-});

package/hooks/clancy-credential-guard.js

@@ -1,120 +0,0 @@
-#!/usr/bin/env node
-// Clancy Credential Guard — PreToolUse hook.
-// Scans file content being written or edited for credential patterns
-// (API keys, tokens, passwords, private keys) and blocks the operation
-// if a match is found. Best-effort — never fails the tool call on error.
-
-'use strict';
-
-const CREDENTIAL_PATTERNS = [
-  // Generic API keys and tokens
-  { name: 'Generic API key', pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*["']?[A-Za-z0-9\-_.]{20,}["']?/i },
-  { name: 'Generic secret', pattern: /(?:secret|private[_-]?key)\s*[:=]\s*["']?[A-Za-z0-9\-_.]{20,}["']?/i },
-  { name: 'Generic token', pattern: /(?:auth[_-]?token|access[_-]?token|bearer)\s*[:=]\s*["']?[A-Za-z0-9\-_.]{20,}["']?/i },
-  { name: 'Generic password', pattern: /(?:password|passwd|pwd)\s*[:=]\s*["']?[^\s"']{8,}["']?/i },
-
-  // AWS
-  { name: 'AWS Access Key', pattern: /AKIA[0-9A-Z]{16}/ },
-  { name: 'AWS Secret Key', pattern: /(?:aws_secret_access_key|aws_secret)\s*[:=]\s*["']?[A-Za-z0-9/+=]{40}["']?/i },
-
-  // GitHub
-  { name: 'GitHub PAT (classic)', pattern: /ghp_[A-Za-z0-9]{36}/ },
-  { name: 'GitHub PAT (fine-grained)', pattern: /github_pat_[A-Za-z0-9_]{82}/ },
-  { name: 'GitHub OAuth token', pattern: /gho_[A-Za-z0-9]{36}/ },
-
-  // Slack
-  { name: 'Slack token', pattern: /xox[bpors]-[0-9]{10,}-[A-Za-z0-9-]+/ },
-
-  // Stripe
-  { name: 'Stripe key', pattern: /(?:sk|pk)_(?:live|test)_[A-Za-z0-9]{24,}/ },
-
-  // Private keys
-  { name: 'Private key', pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/ },
-
-  // Jira/Atlassian API tokens (base64-like, 24+ chars after the prefix)
-  { name: 'Atlassian API token', pattern: /(?:jira_api_token|atlassian[_-]?token)\s*[:=]\s*["']?[A-Za-z0-9+/=]{24,}["']?/i },
-
-  // Linear API key
-  { name: 'Linear API key', pattern: /lin_api_[A-Za-z0-9]{40,}/ },
-
-  // Generic connection strings
-  { name: 'Database connection string', pattern: /(?:mongodb|postgres|mysql|redis):\/\/[^\s"']+:[^\s"']+@/i },
-];
-
-// Files that are expected to contain credentials — skip them
-const ALLOWED_PATHS = [
-  '.clancy/.env',
-  '.env.local',
-  '.env.example',
-  '.env.development',
-  '.env.test',
-];
-
-function isAllowedPath(filePath) {
-  if (!filePath) return false;
-  return ALLOWED_PATHS.some(allowed => filePath.endsWith(allowed));
-}
-
-function scanForCredentials(content) {
-  if (!content || typeof content !== 'string') return [];
-  const matches = [];
-  for (const { name, pattern } of CREDENTIAL_PATTERNS) {
-    if (pattern.test(content)) {
-      matches.push(name);
-    }
-  }
-  return matches;
-}
-
-// Read hook input — Claude Code passes PreToolUse data as a JSON argument.
-// Fall back to stdin for forward compatibility with potential API changes.
-function readInput() {
-  if (process.argv[2]) return process.argv[2];
-  try { return require('fs').readFileSync('/dev/stdin', 'utf8'); } catch { return '{}'; }
-}
-
-try {
-  const input = JSON.parse(readInput());
-  const toolName = input.tool_name || '';
-  const toolInput = input.tool_input || {};
-
-  // Only check file-writing tools
-  if (!['Write', 'Edit', 'MultiEdit'].includes(toolName)) {
-    // Pass through — not a file write
-    console.log(JSON.stringify({ decision: 'approve' }));
-    process.exit(0);
-  }
-
-  const filePath = toolInput.file_path || '';
-
-  // Skip files that are expected to contain credentials
-  if (isAllowedPath(filePath)) {
-    console.log(JSON.stringify({ decision: 'approve' }));
-    process.exit(0);
-  }
-
-  // Collect content to scan based on tool type
-  let contentToScan = '';
-  if (toolName === 'Write') {
-    contentToScan = toolInput.content || '';
-  } else if (toolName === 'Edit') {
-    contentToScan = toolInput.new_string || '';
-  } else if (toolName === 'MultiEdit') {
-    const edits = toolInput.edits || [];
-    contentToScan = edits.map(e => e.new_string || '').join('\n');
-  }
-
-  const found = scanForCredentials(contentToScan);
-
-  if (found.length > 0) {
-    console.log(JSON.stringify({
-      decision: 'block',
-      reason: `Credential guard: blocked writing to ${filePath}. Detected: ${found.join(', ')}. Move credentials to .clancy/.env instead.`,
-    }));
-  } else {
-    console.log(JSON.stringify({ decision: 'approve' }));
-  }
-} catch {
-  // Best-effort — never block on error
-  console.log(JSON.stringify({ decision: 'approve' }));
-}

package/hooks/clancy-drift-detector.js

@@ -1,96 +0,0 @@
-#!/usr/bin/env node
-// Clancy Drift Detector — PostToolUse hook (debounced, once per session).
-// Compares .clancy/version.json against the installed chief-clancy package
-// version. If mismatched, warns that Clancy files are outdated.
-//
-// Debounce: writes a session flag to os.tmpdir() (same pattern as context-monitor).
-// Best-effort — never crashes, exit 0 on any error.
-
-'use strict';
-
-const fs = require('fs');
-const os = require('os');
-const path = require('path');
-
-/**
- * Compare two semver-like version strings.
- * Returns true if they differ.
- */
-function versionsDiffer(a, b) {
-  if (!a || !b) return false;
-  return a.trim() !== b.trim();
-}
-
-let input = '';
-const stdinTimeout = setTimeout(() => process.exit(0), 3000);
-process.stdin.setEncoding('utf8');
-process.stdin.on('data', chunk => { input += chunk; });
-process.stdin.on('end', () => {
-  clearTimeout(stdinTimeout);
-  try {
-    const data = JSON.parse(input);
-    const session = data.session_id;
-    if (!session) process.exit(0);
-
-    // Debounce — only check once per session
-    const safeSession = String(session).replace(/[^a-zA-Z0-9_-]/g, '');
-    const flagPath = path.join(os.tmpdir(), `clancy-drift-${safeSession}`);
-    if (fs.existsSync(flagPath)) process.exit(0);
-
-    // Write the flag immediately to prevent future checks this session
-    try { fs.writeFileSync(flagPath, '1'); } catch { /* best-effort */ }
-
-    const cwd = data.cwd || process.cwd();
-
-    // Read .clancy/version.json (written by installer)
-    const versionJsonPath = path.join(cwd, '.clancy', 'version.json');
-    if (!fs.existsSync(versionJsonPath)) process.exit(0);
-
-    let versionData;
-    try {
-      versionData = JSON.parse(fs.readFileSync(versionJsonPath, 'utf8'));
-    } catch {
-      process.exit(0);
-    }
-
-    const installedVersion = versionData.version;
-    if (!installedVersion) process.exit(0);
-
-    // Read the package version from the installed commands' VERSION file
-    // Check local then global
-    const localVersion = path.join(cwd, '.claude', 'commands', 'clancy', 'VERSION');
-    const homeDir = os.homedir();
-    const globalVersion = path.join(homeDir, '.claude', 'commands', 'clancy', 'VERSION');
-
-    let packageVersion = null;
-    for (const vPath of [localVersion, globalVersion]) {
-      if (fs.existsSync(vPath)) {
-        try {
-          packageVersion = fs.readFileSync(vPath, 'utf8').trim();
-          break;
-        } catch { /* try next */ }
-      }
-    }
-
-    if (!packageVersion) process.exit(0);
-
-    if (versionsDiffer(installedVersion, packageVersion)) {
-      const output = {
-        hookSpecificOutput: {
-          hookEventName: 'PostToolUse',
-          additionalContext:
-            `DRIFT WARNING: Clancy runtime files are outdated (runtime: ${installedVersion}, commands: ${packageVersion}). ` +
-            'Run /clancy:update to sync your installation.',
-        },
-      };
-      process.stdout.write(JSON.stringify(output));
-    }
-  } catch {
-    process.exit(0);
-  }
-});
-
-// Export for testing
-if (typeof module !== 'undefined') {
-  module.exports = { versionsDiffer };
-}