claude-code-pilot 3.2.0 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (93) hide show
  1. package/CHANGELOG.md +57 -0
  2. package/README.md +14 -9
  3. package/bin/install.js +113 -15
  4. package/manifest.json +18 -3
  5. package/package.json +3 -2
  6. package/src/agents/django-build-resolver.md +252 -0
  7. package/src/agents/django-reviewer.md +169 -0
  8. package/src/agents/fastapi-reviewer.md +79 -0
  9. package/src/agents/fsharp-reviewer.md +109 -0
  10. package/src/agents/swift-build-resolver.md +170 -0
  11. package/src/agents/swift-reviewer.md +116 -0
  12. package/src/commands/ccp/cost-report.md +107 -0
  13. package/src/commands/ccp/intel.md +3 -3
  14. package/src/commands/ccp/mvp-phase.md +45 -0
  15. package/src/commands/ccp/plan-prd.md +160 -0
  16. package/src/commands/ccp/pr-ecc.md +184 -0
  17. package/src/commands/ccp/security-scan.md +74 -0
  18. package/src/hooks/ccp-bash-hook-dispatcher.js +96 -0
  19. package/src/hooks/ccp-context-monitor.js +23 -0
  20. package/src/hooks/ccp-doc-file-warning.js +93 -0
  21. package/src/hooks/ccp-pre-bash-dispatcher.js +24 -0
  22. package/src/hooks/ccp-write-gateguard.js +868 -0
  23. package/src/lib/project-detect.js +0 -2
  24. package/src/lib/shell-substitution.js +499 -0
  25. package/src/pilot/references/execute-mvp-tdd.md +81 -0
  26. package/src/pilot/references/mvp-concepts.md +49 -0
  27. package/src/pilot/references/planner-graphify-auto-update.md +67 -0
  28. package/src/pilot/references/planner-human-verify-mode.md +57 -0
  29. package/src/pilot/references/planner-mvp-mode.md +53 -0
  30. package/src/pilot/references/skeleton-template.md +48 -0
  31. package/src/pilot/references/spidr-splitting.md +69 -0
  32. package/src/pilot/references/user-story-template.md +58 -0
  33. package/src/pilot/references/verify-mvp-mode.md +85 -0
  34. package/src/pilot/references/worktree-path-safety.md +89 -0
  35. package/src/pilot/workflows/help.md +5 -0
  36. package/src/pilot/workflows/mvp-phase.md +199 -0
  37. package/src/skills/agent-architecture-audit/SKILL.md +256 -0
  38. package/src/skills/agent-harness-design/SKILL.md +73 -0
  39. package/src/skills/angular-developer/SKILL.md +154 -0
  40. package/src/skills/angular-developer/references/angular-animations.md +160 -0
  41. package/src/skills/angular-developer/references/angular-aria.md +410 -0
  42. package/src/skills/angular-developer/references/cli.md +86 -0
  43. package/src/skills/angular-developer/references/component-harnesses.md +59 -0
  44. package/src/skills/angular-developer/references/component-styling.md +91 -0
  45. package/src/skills/angular-developer/references/components.md +117 -0
  46. package/src/skills/angular-developer/references/creating-services.md +97 -0
  47. package/src/skills/angular-developer/references/data-resolvers.md +69 -0
  48. package/src/skills/angular-developer/references/define-routes.md +67 -0
  49. package/src/skills/angular-developer/references/defining-providers.md +72 -0
  50. package/src/skills/angular-developer/references/di-fundamentals.md +120 -0
  51. package/src/skills/angular-developer/references/e2e-testing.md +56 -0
  52. package/src/skills/angular-developer/references/effects.md +83 -0
  53. package/src/skills/angular-developer/references/hierarchical-injectors.md +43 -0
  54. package/src/skills/angular-developer/references/host-elements.md +80 -0
  55. package/src/skills/angular-developer/references/injection-context.md +63 -0
  56. package/src/skills/angular-developer/references/inputs.md +101 -0
  57. package/src/skills/angular-developer/references/linked-signal.md +59 -0
  58. package/src/skills/angular-developer/references/loading-strategies.md +61 -0
  59. package/src/skills/angular-developer/references/mcp.md +108 -0
  60. package/src/skills/angular-developer/references/navigate-to-routes.md +69 -0
  61. package/src/skills/angular-developer/references/outputs.md +86 -0
  62. package/src/skills/angular-developer/references/reactive-forms.md +122 -0
  63. package/src/skills/angular-developer/references/rendering-strategies.md +44 -0
  64. package/src/skills/angular-developer/references/resource.md +77 -0
  65. package/src/skills/angular-developer/references/route-animations.md +56 -0
  66. package/src/skills/angular-developer/references/route-guards.md +52 -0
  67. package/src/skills/angular-developer/references/router-lifecycle.md +45 -0
  68. package/src/skills/angular-developer/references/router-testing.md +87 -0
  69. package/src/skills/angular-developer/references/show-routes-with-outlets.md +68 -0
  70. package/src/skills/angular-developer/references/signal-forms.md +795 -0
  71. package/src/skills/angular-developer/references/signals-overview.md +94 -0
  72. package/src/skills/angular-developer/references/tailwind-css.md +69 -0
  73. package/src/skills/angular-developer/references/template-driven-forms.md +114 -0
  74. package/src/skills/angular-developer/references/testing-fundamentals.md +65 -0
  75. package/src/skills/error-handling/SKILL.md +376 -0
  76. package/src/skills/fastapi-patterns/SKILL.md +327 -0
  77. package/src/skills/flox-environments/SKILL.md +496 -0
  78. package/src/skills/fsharp-testing/SKILL.md +280 -0
  79. package/src/skills/ios-icon-gen/SKILL.md +157 -0
  80. package/src/skills/ios-icon-gen/scripts/generate_icons.swift +258 -0
  81. package/src/skills/ios-icon-gen/scripts/iconify_gen.sh +235 -0
  82. package/src/skills/make-interfaces-feel-better/SKILL.md +151 -0
  83. package/src/skills/mysql-patterns/SKILL.md +412 -0
  84. package/src/skills/plan-orchestrate/SKILL.md +220 -0
  85. package/src/skills/prisma-patterns/SKILL.md +371 -0
  86. package/src/skills/production-audit/SKILL.md +206 -0
  87. package/src/skills/security-scan/references/agentshield-policy-exception/candidate-playbook.md +49 -0
  88. package/src/skills/security-scan/references/agentshield-policy-exception/report.json +35 -0
  89. package/src/skills/security-scan/references/agentshield-policy-exception/scenario.json +62 -0
  90. package/src/skills/security-scan/references/agentshield-policy-exception/trace.json +45 -0
  91. package/src/skills/security-scan/references/agentshield-policy-exception/verifier-result.json +35 -0
  92. package/src/skills/vite-patterns/SKILL.md +449 -0
  93. package/src/skills/windows-desktop-e2e/SKILL.md +887 -0
@@ -0,0 +1,868 @@
1
+ #!/usr/bin/env node
2
+ /**
3
+ * PreToolUse Hook: GateGuard Fact-Forcing Gate
4
+ *
5
+ * Forces investigation before editing files or running commands. Instead of
6
+ * asking "are you sure?" (which LLMs always answer "yes"), it demands concrete
7
+ * facts: importers, public API, data schemas, rollback plans. The act of
8
+ * investigation creates awareness that self-evaluation never did.
9
+ *
10
+ * Gates:
11
+ * - Edit/Write: list importers, affected API, verify data schemas, quote instruction
12
+ * - Bash (destructive): list targets, rollback plan, quote instruction
13
+ * - Bash (routine): quote current instruction (once per session)
14
+ *
15
+ * OPT-IN (default OFF): GateGuard's DENY-then-retry design is built for
16
+ * interactive use and would stall non-interactive plan-execution runs. It is
17
+ * gated behind the `strict` hook profile via src/lib/hook-flags.js, so it stays
18
+ * inert in standard/yolo runs. Enable it by setting CCP_HOOK_PROFILE=strict.
19
+ * See the `gateguard` skill for usage guidance. Re-authored from ECC 744f4169;
20
+ * carries no plugin-discovery resolver and exits 0 on empty stdin.
21
+ *
22
+ * Exports run(rawInput) for chaining via the pre-bash dispatcher; also runnable
23
+ * directly as a CLI hook (reads stdin, writes stdout/stderr, sets exit code).
24
+ */
25
+
26
+ 'use strict';
27
+
28
+ const crypto = require('crypto');
29
+ const fs = require('fs');
30
+ const path = require('path');
31
+ const {
32
+ extractCommandSubstitutions,
33
+ extractSubshellGroups,
34
+ extractBraceGroups
35
+ } = require('../lib/shell-substitution');
36
+ const { isHookEnabled } = require('../lib/hook-flags');
37
+
38
+ // Hook id used for the Open-Q2 strict-profile gate at the top of run().
39
+ const HOOK_ID = 'write:gateguard-fact-force';
40
+
41
+ // Session state — scoped per session to avoid cross-session races.
42
+ const STATE_DIR = process.env.GATEGUARD_STATE_DIR || path.join(process.env.HOME || process.env.USERPROFILE || '/tmp', '.gateguard');
43
+ let activeStateFile = null;
44
+
45
+ // State expires after 30 minutes of inactivity
46
+ const SESSION_TIMEOUT_MS = 30 * 60 * 1000;
47
+ const READ_HEARTBEAT_MS = 60 * 1000;
48
+
49
+ // Maximum checked entries to prevent unbounded growth
50
+ const MAX_CHECKED_ENTRIES = 500;
51
+ const MAX_SESSION_KEYS = 50;
52
+ const ROUTINE_BASH_SESSION_KEY = '__bash_session__';
53
+ const EDIT_WRITE_HOOK_ID = 'pre:edit-write:gateguard-fact-force';
54
+ const BASH_HOOK_ID = 'pre:bash:gateguard-fact-force';
55
+ const DISABLE_VALUES = new Set(['0', 'false', 'off', 'disabled', 'disable']);
56
+
57
+ // SQL-keyword + dd patterns stay as a single regex — they are stable
58
+ // phrases without shell-flag ordering concerns. Quoted strings are
59
+ // stripped before this regex runs so a commit message mentioning
60
+ // "drop table" no longer triggers a false positive.
61
+ const DESTRUCTIVE_SQL_DD = /\b(drop\s+table|delete\s+from|truncate|dd\s+if=)\b/i;
62
+
63
+ /**
64
+ * Strip the contents of single- and double-quoted strings so phrases
65
+ * mentioned inside a commit message or echoed argument do not trigger
66
+ * the destructive detector. Command substitutions are scanned separately
67
+ * before this runs because they execute even inside double quotes.
68
+ *
69
+ * @param {string} input
70
+ * @returns {string}
71
+ */
72
+ function stripQuotedStrings(input) {
73
+ return input
74
+ .replace(/'(?:[^'\\]|\\.)*'/g, "''")
75
+ .replace(/"(?:[^"\\]|\\.)*"/g, '""');
76
+ }
77
+
78
+ /**
79
+ * Promote subshell delimiters to top-level segment separators so the
80
+ * destructive check applies inside `$(...)` and backtick subshells.
81
+ * Run iteratively to handle a layer of nesting.
82
+ *
83
+ * @param {string} input
84
+ * @returns {string}
85
+ */
86
+ function explodeSubshells(input) {
87
+ let out = input;
88
+ for (let i = 0; i < 4; i += 1) {
89
+ const before = out;
90
+ out = out.replace(/\$\(([^()`]*)\)/g, ';$1;');
91
+ out = out.replace(/`([^`]*)`/g, ';$1;');
92
+ if (out === before) break;
93
+ }
94
+ return out;
95
+ }
96
+
97
+ /**
98
+ * Split a command line into top-level segments at unquoted shell
99
+ * separators (`;`, `|`, `&`, `&&`, `||`) and across subshells
100
+ * (`$(...)` / backticks). Quoted strings are stripped first so
101
+ * separators inside quotes are not split on. Per-segment comments
102
+ * are also stripped.
103
+ *
104
+ * @param {string} input
105
+ * @returns {string[]}
106
+ */
107
+ function splitCommandSegments(input) {
108
+ const stripped = explodeSubshells(stripQuotedStrings(input));
109
+ return stripped
110
+ .split(/[;|&]+/)
111
+ .map(segment => segment.replace(/(^|\s)#.*/, '$1').trim())
112
+ .filter(Boolean);
113
+ }
114
+
115
+ /**
116
+ * Tokenize a single command segment by whitespace. Quoted strings
117
+ * are already collapsed to empty quotes by `stripQuotedStrings`, so
118
+ * naive whitespace splitting is sufficient.
119
+ *
120
+ * @param {string} segment
121
+ * @returns {string[]}
122
+ */
123
+ function tokenize(segment) {
124
+ return segment.split(/\s+/).filter(Boolean);
125
+ }
126
+
127
+ /**
128
+ * Strip a leading path and trailing `.exe` from a command token so
129
+ * `/usr/bin/git`, `git.exe`, and `GIT` all normalize to `git`.
130
+ *
131
+ * @param {string} token
132
+ * @returns {string}
133
+ */
134
+ function commandBasename(token) {
135
+ if (!token) return '';
136
+ return token.replace(/^.*[\\/]/, '').replace(/\.exe$/i, '').toLowerCase();
137
+ }
138
+
139
+ /**
140
+ * Detect `rm` invocations that recursively force-delete files. Handles
141
+ * combined (`-rf`, `-fr`, `-Rf`) and split (`-r -f`) flag forms.
142
+ *
143
+ * @param {string[]} tokens
144
+ * @returns {boolean}
145
+ */
146
+ function isDestructiveRm(tokens) {
147
+ if (tokens.length === 0 || commandBasename(tokens[0]) !== 'rm') return false;
148
+ let hasR = false;
149
+ let hasF = false;
150
+ for (const t of tokens.slice(1)) {
151
+ if (t === '--recursive') {
152
+ hasR = true;
153
+ continue;
154
+ }
155
+ if (t === '--force') {
156
+ hasF = true;
157
+ continue;
158
+ }
159
+ if (!t.startsWith('-') || t.startsWith('--')) continue;
160
+ const body = t.slice(1);
161
+ if (/[rR]/.test(body)) hasR = true;
162
+ if (/f/.test(body)) hasF = true;
163
+ }
164
+ return hasR && hasF;
165
+ }
166
+
167
+ /**
168
+ * Locate the git subcommand within a token list, skipping over git's
169
+ * global options like `-c key=value`, `-C <path>`, `--git-dir=...`,
170
+ * `--work-tree=...`, `--namespace=...`, `--super-prefix=...`.
171
+ *
172
+ * @param {string[]} tokens
173
+ * @returns {{ command: string, rest: string[] } | null}
174
+ */
175
+ function findGitSubcommand(tokens) {
176
+ if (tokens.length === 0 || commandBasename(tokens[0]) !== 'git') return null;
177
+ const valueConsumingShort = new Set(['-c', '-C']);
178
+ const valueConsumingLong = new Set(['--git-dir', '--work-tree', '--namespace', '--super-prefix']);
179
+ let i = 1;
180
+ while (i < tokens.length) {
181
+ const t = tokens[i];
182
+ if (valueConsumingShort.has(t) || valueConsumingLong.has(t)) {
183
+ i += 2;
184
+ continue;
185
+ }
186
+ if (t.startsWith('--git-dir=') || t.startsWith('--work-tree=') || t.startsWith('--namespace=') || t.startsWith('--super-prefix=')) {
187
+ i += 1;
188
+ continue;
189
+ }
190
+ if (t.startsWith('-')) {
191
+ // Unknown global option — skip without consuming a value.
192
+ i += 1;
193
+ continue;
194
+ }
195
+ return { command: t.toLowerCase(), rest: tokens.slice(i + 1) };
196
+ }
197
+ return null;
198
+ }
199
+
200
+ /**
201
+ * Detect destructive `git` invocations: `reset --hard`, `checkout --`,
202
+ * `clean -f...`, `push --force` (but not `--force-with-lease`),
203
+ * `commit --amend`, `rm -rf`, destructive `switch`.
204
+ *
205
+ * @param {string[]} tokens
206
+ * @returns {boolean}
207
+ */
208
+ function isDestructiveGit(tokens) {
209
+ const sub = findGitSubcommand(tokens);
210
+ if (!sub) return false;
211
+ const { command, rest } = sub;
212
+
213
+ if (command === 'reset') {
214
+ return rest.includes('--hard');
215
+ }
216
+
217
+ if (command === 'checkout') {
218
+ return rest.includes('--');
219
+ }
220
+
221
+ if (command === 'clean') {
222
+ // `git clean -f`, `-fd`, `-fdx`, `-df`, `--force`
223
+ return rest.some(t => {
224
+ if (t === '--force') return true;
225
+ if (!t.startsWith('-') || t.startsWith('--')) return false;
226
+ return t.slice(1).includes('f');
227
+ });
228
+ }
229
+
230
+ if (command === 'push') {
231
+ // Only `--force-with-lease` qualifies as a safety-checked force.
232
+ // A `+` refspec prefix also forces a non-fast-forward update of that
233
+ // ref and is destructive on its own.
234
+ let withLease = false;
235
+ let bareForce = false;
236
+ let plusRefspecForce = false;
237
+ for (const t of rest) {
238
+ if (t === '--force-with-lease' || t.startsWith('--force-with-lease=')) {
239
+ withLease = true;
240
+ continue;
241
+ }
242
+ if (t === '--force' || t.startsWith('--force=')) {
243
+ bareForce = true;
244
+ continue;
245
+ }
246
+ if (t.startsWith('-') && !t.startsWith('--') && t.slice(1).includes('f')) {
247
+ bareForce = true;
248
+ continue;
249
+ }
250
+ if (t.startsWith('+') && t.length > 1 && /^\+(?:[a-zA-Z_/.:]|HEAD)/.test(t)) {
251
+ plusRefspecForce = true;
252
+ }
253
+ }
254
+ return bareForce || (plusRefspecForce && !withLease);
255
+ }
256
+
257
+ if (command === 'commit') {
258
+ return rest.includes('--amend');
259
+ }
260
+
261
+ if (command === 'rm') {
262
+ let hasR = false;
263
+ for (const t of rest) {
264
+ if (!t.startsWith('-') || t.startsWith('--')) continue;
265
+ if (/[rR]/.test(t.slice(1))) hasR = true;
266
+ }
267
+ return hasR;
268
+ }
269
+
270
+ if (command === 'switch') {
271
+ // `git switch` can discard local working-tree changes via
272
+ // --discard-changes, --force/-f, or -C <branch> (force-create).
273
+ return rest.some(t => {
274
+ if (t === '--discard-changes' || t === '--force') return true;
275
+ if (!t.startsWith('-') || t.startsWith('--')) return false;
276
+ const body = t.slice(1);
277
+ return /[fC]/.test(body);
278
+ });
279
+ }
280
+
281
+ return false;
282
+ }
283
+
284
+ /**
285
+ * Walk every executable body reachable from a raw command line and
286
+ * return them as a flat list. Bodies that bash will execute live in
287
+ * three syntactic constructs, each handled by a sibling extractor in
288
+ * src/lib/shell-substitution.js. The BFS here adds cross-syntax
289
+ * discovery by feeding every harvested body back through all three
290
+ * extractors. A `seen` set bounds the cost to O(unique bodies).
291
+ *
292
+ * @param {string} raw
293
+ * @returns {string[]}
294
+ */
295
+ function collectExecutableBodies(raw) {
296
+ const bodies = [raw];
297
+ const queue = [raw];
298
+ const seen = new Set();
299
+
300
+ while (queue.length) {
301
+ const current = queue.shift();
302
+ if (seen.has(current)) continue;
303
+ seen.add(current);
304
+
305
+ for (const body of extractCommandSubstitutions(current)) {
306
+ if (seen.has(body)) continue;
307
+ bodies.push(body);
308
+ queue.push(body);
309
+ }
310
+ for (const body of extractSubshellGroups(current)) {
311
+ if (seen.has(body)) continue;
312
+ bodies.push(body);
313
+ queue.push(body);
314
+ }
315
+ for (const body of extractBraceGroups(current)) {
316
+ if (seen.has(body)) continue;
317
+ bodies.push(body);
318
+ queue.push(body);
319
+ }
320
+ }
321
+
322
+ return bodies;
323
+ }
324
+
325
+ function isDestructiveBash(command) {
326
+ const raw = String(command || '');
327
+ const flattened = explodeSubshells(stripQuotedStrings(raw));
328
+ if (DESTRUCTIVE_SQL_DD.test(flattened)) return true;
329
+
330
+ const segments = collectExecutableBodies(raw).flatMap(splitCommandSegments);
331
+ for (const segment of segments) {
332
+ if (DESTRUCTIVE_SQL_DD.test(stripQuotedStrings(segment))) return true;
333
+ const tokens = tokenize(segment);
334
+ if (isDestructiveRm(tokens)) return true;
335
+ if (isDestructiveGit(tokens)) return true;
336
+ }
337
+ return false;
338
+ }
339
+
340
+ // --- State management (per-session, atomic writes, bounded) ---
341
+
342
+ function normalizeEnvValue(value) {
343
+ return String(value || '').trim().toLowerCase();
344
+ }
345
+
346
+ function isGateGuardDisabled() {
347
+ if (normalizeEnvValue(process.env.GATEGUARD_DISABLED) === '1') {
348
+ return true;
349
+ }
350
+
351
+ return DISABLE_VALUES.has(normalizeEnvValue(process.env.CCP_GATEGUARD));
352
+ }
353
+
354
+ function sanitizeSessionKey(value) {
355
+ const raw = String(value || '').trim();
356
+ if (!raw) {
357
+ return '';
358
+ }
359
+
360
+ const sanitized = raw.replace(/[^a-zA-Z0-9_-]/g, '_');
361
+ if (sanitized && sanitized.length <= 64) {
362
+ return sanitized;
363
+ }
364
+
365
+ return hashSessionKey('sid', raw);
366
+ }
367
+
368
+ function hashSessionKey(prefix, value) {
369
+ return `${prefix}-${crypto.createHash('sha256').update(String(value)).digest('hex').slice(0, 24)}`;
370
+ }
371
+
372
+ function resolveSessionKey(data) {
373
+ const directCandidates = [
374
+ data && data.session_id,
375
+ data && data.sessionId,
376
+ data && data.session && data.session.id,
377
+ process.env.CLAUDE_SESSION_ID,
378
+ process.env.CCP_SESSION_ID
379
+ ];
380
+
381
+ for (const candidate of directCandidates) {
382
+ const sanitized = sanitizeSessionKey(candidate);
383
+ if (sanitized) {
384
+ return sanitized;
385
+ }
386
+ }
387
+
388
+ const transcriptPath = (data && (data.transcript_path || data.transcriptPath)) || process.env.CLAUDE_TRANSCRIPT_PATH;
389
+ if (transcriptPath && String(transcriptPath).trim()) {
390
+ return hashSessionKey('tx', path.resolve(String(transcriptPath).trim()));
391
+ }
392
+
393
+ const projectFingerprint = process.env.CLAUDE_PROJECT_DIR || process.cwd();
394
+ return hashSessionKey('proj', path.resolve(projectFingerprint));
395
+ }
396
+
397
+ function getStateFile(data) {
398
+ if (!activeStateFile) {
399
+ const sessionKey = resolveSessionKey(data);
400
+ activeStateFile = path.join(STATE_DIR, `state-${sessionKey}.json`);
401
+ }
402
+ return activeStateFile;
403
+ }
404
+
405
+ function loadState() {
406
+ const stateFile = getStateFile();
407
+ try {
408
+ if (fs.existsSync(stateFile)) {
409
+ const state = JSON.parse(fs.readFileSync(stateFile, 'utf8'));
410
+ const lastActive = state.last_active || 0;
411
+ if (Date.now() - lastActive > SESSION_TIMEOUT_MS) {
412
+ try {
413
+ fs.unlinkSync(stateFile);
414
+ } catch (_) {
415
+ /* ignore */
416
+ }
417
+ return { checked: [], last_active: Date.now() };
418
+ }
419
+ return state;
420
+ }
421
+ } catch (_) {
422
+ /* ignore */
423
+ }
424
+ return { checked: [], last_active: Date.now() };
425
+ }
426
+
427
+ function pruneCheckedEntries(checked) {
428
+ if (checked.length <= MAX_CHECKED_ENTRIES) {
429
+ return checked;
430
+ }
431
+
432
+ const preserved = checked.includes(ROUTINE_BASH_SESSION_KEY) ? [ROUTINE_BASH_SESSION_KEY] : [];
433
+ const sessionKeys = checked.filter(k => k.startsWith('__') && k !== ROUTINE_BASH_SESSION_KEY);
434
+ const fileKeys = checked.filter(k => !k.startsWith('__'));
435
+ const remainingSessionSlots = Math.max(MAX_SESSION_KEYS - preserved.length, 0);
436
+ const cappedSession = sessionKeys.slice(-remainingSessionSlots);
437
+ const remainingFileSlots = Math.max(MAX_CHECKED_ENTRIES - preserved.length - cappedSession.length, 0);
438
+ const cappedFiles = fileKeys.slice(-remainingFileSlots);
439
+ return [...preserved, ...cappedSession, ...cappedFiles];
440
+ }
441
+
442
+ function saveState(state) {
443
+ const stateFile = getStateFile();
444
+ let tmpFile = null;
445
+ try {
446
+ fs.mkdirSync(STATE_DIR, { recursive: true });
447
+
448
+ let mergedChecked = Array.isArray(state.checked) ? state.checked : [];
449
+ let mergedLastActive = typeof state.last_active === 'number' ? state.last_active : 0;
450
+
451
+ try {
452
+ if (fs.existsSync(stateFile)) {
453
+ const diskState = JSON.parse(fs.readFileSync(stateFile, 'utf8'));
454
+ if (Array.isArray(diskState.checked)) {
455
+ mergedChecked = Array.from(new Set([...diskState.checked, ...mergedChecked]));
456
+ }
457
+ if (typeof diskState.last_active === 'number') {
458
+ mergedLastActive = Math.max(mergedLastActive, diskState.last_active);
459
+ }
460
+ }
461
+ } catch (_) {
462
+ /* ignore malformed or transient disk state */
463
+ }
464
+
465
+ const finalState = {
466
+ checked: pruneCheckedEntries(mergedChecked),
467
+ last_active: Math.max(mergedLastActive, Date.now())
468
+ };
469
+
470
+ // Atomic write: temp file + rename prevents partial reads
471
+ tmpFile = `${stateFile}.tmp.${process.pid}.${crypto.randomBytes(4).toString('hex')}`;
472
+ fs.writeFileSync(tmpFile, JSON.stringify(finalState, null, 2), 'utf8');
473
+ try {
474
+ fs.renameSync(tmpFile, stateFile);
475
+ } catch (error) {
476
+ if (error && (error.code === 'EEXIST' || error.code === 'EPERM')) {
477
+ try {
478
+ fs.unlinkSync(stateFile);
479
+ } catch (_) {
480
+ /* ignore */
481
+ }
482
+ fs.renameSync(tmpFile, stateFile);
483
+ } else {
484
+ throw error;
485
+ }
486
+ }
487
+ tmpFile = null;
488
+ return true;
489
+ } catch (_) {
490
+ if (tmpFile) {
491
+ try {
492
+ fs.unlinkSync(tmpFile);
493
+ } catch (_) {
494
+ /* ignore */
495
+ }
496
+ }
497
+ return false;
498
+ }
499
+ }
500
+
501
+ function markChecked(key) {
502
+ const state = loadState();
503
+ if (!state.checked.includes(key)) {
504
+ state.checked.push(key);
505
+ return saveState(state);
506
+ }
507
+ return true;
508
+ }
509
+
510
+ function isChecked(key) {
511
+ const state = loadState();
512
+ const found = state.checked.includes(key);
513
+ if (found && Date.now() - (state.last_active || 0) > READ_HEARTBEAT_MS) {
514
+ saveState(state);
515
+ }
516
+ return found;
517
+ }
518
+
519
+ // Prune stale session files older than 1 hour. Only runs when GateGuard is
520
+ // actually enabled (called from run()) so default/inert runs touch no disk.
521
+ function pruneStaleFiles() {
522
+ try {
523
+ const files = fs.readdirSync(STATE_DIR);
524
+ const now = Date.now();
525
+ for (const f of files) {
526
+ const isStateFile = f.startsWith('state-') && (f.endsWith('.json') || f.includes('.json.tmp.'));
527
+ if (!isStateFile) continue;
528
+ const fp = path.join(STATE_DIR, f);
529
+ try {
530
+ const stat = fs.statSync(fp);
531
+ if (now - stat.mtimeMs > SESSION_TIMEOUT_MS * 2) {
532
+ fs.unlinkSync(fp);
533
+ }
534
+ } catch (_) {
535
+ // Ignore files that disappear between readdir/stat/unlink.
536
+ }
537
+ }
538
+ } catch (_) {
539
+ /* ignore */
540
+ }
541
+ }
542
+
543
+ // --- Sanitize file path against injection ---
544
+
545
+ function sanitizePath(filePath) {
546
+ // Strip control chars (including null), bidi overrides, and newlines
547
+ let sanitized = '';
548
+ for (const char of String(filePath || '')) {
549
+ const code = char.codePointAt(0);
550
+ const isAsciiControl = code <= 0x1f || code === 0x7f;
551
+ const isBidiOverride = (code >= 0x200e && code <= 0x200f) || (code >= 0x202a && code <= 0x202e) || (code >= 0x2066 && code <= 0x2069);
552
+ sanitized += isAsciiControl || isBidiOverride ? ' ' : char;
553
+ }
554
+ return sanitized.trim().slice(0, 500);
555
+ }
556
+
557
+ function normalizeForMatch(value) {
558
+ return String(value || '')
559
+ .replace(/\\/g, '/')
560
+ .toLowerCase();
561
+ }
562
+
563
+ function isClaudeSettingsPath(filePath) {
564
+ const normalized = normalizeForMatch(filePath);
565
+ return /(^|\/)\.claude\/settings(?:\.[^/]+)?\.json$/.test(normalized);
566
+ }
567
+
568
+ function isReadOnlyGitIntrospection(command) {
569
+ const trimmed = String(command || '').trim();
570
+ if (!trimmed || /[\r\n;&|><`$()]/.test(trimmed)) {
571
+ return false;
572
+ }
573
+
574
+ const tokens = trimmed.split(/\s+/);
575
+ if (tokens[0] !== 'git' || tokens.length < 2) {
576
+ return false;
577
+ }
578
+
579
+ const subcommand = tokens[1].toLowerCase();
580
+ const args = tokens.slice(2);
581
+
582
+ if (subcommand === 'status') {
583
+ return args.every(arg => ['--porcelain', '--short', '--branch'].includes(arg));
584
+ }
585
+
586
+ if (subcommand === 'diff') {
587
+ return args.length <= 1 && args.every(arg => ['--name-only', '--name-status'].includes(arg));
588
+ }
589
+
590
+ if (subcommand === 'log') {
591
+ return args.every(arg => arg === '--oneline' || /^--max-count=\d+$/.test(arg));
592
+ }
593
+
594
+ if (subcommand === 'show') {
595
+ return args.length === 1 && !args[0].startsWith('--') && /^[a-zA-Z0-9._:/-]+$/.test(args[0]);
596
+ }
597
+
598
+ if (subcommand === 'branch') {
599
+ return args.length === 1 && args[0] === '--show-current';
600
+ }
601
+
602
+ if (subcommand === 'rev-parse') {
603
+ return args.length === 2 && args[0] === '--abbrev-ref' && /^head$/i.test(args[1]);
604
+ }
605
+
606
+ return false;
607
+ }
608
+
609
+ // --- Gate messages ---
610
+
611
+ function editGateMsg(filePath) {
612
+ const safe = sanitizePath(filePath);
613
+ return [
614
+ '[Fact-Forcing Gate]',
615
+ '',
616
+ `Before editing ${safe}, present these facts:`,
617
+ '',
618
+ '1. List ALL files that import/require this file (use Grep)',
619
+ '2. List the public functions/classes affected by this change',
620
+ '3. If this file reads/writes data files, show field names, structure, and date format (use redacted or synthetic values, not raw production data)',
621
+ "4. Quote the user's current instruction verbatim",
622
+ '',
623
+ 'Present the facts, then retry the same operation.'
624
+ ].join('\n');
625
+ }
626
+
627
+ function writeGateMsg(filePath) {
628
+ const safe = sanitizePath(filePath);
629
+ return [
630
+ '[Fact-Forcing Gate]',
631
+ '',
632
+ `Before creating ${safe}, present these facts:`,
633
+ '',
634
+ '1. Name the file(s) and line(s) that will call this new file',
635
+ '2. Confirm no existing file serves the same purpose (use Glob)',
636
+ '3. If this file reads/writes data files, show field names, structure, and date format (use redacted or synthetic values, not raw production data)',
637
+ "4. Quote the user's current instruction verbatim",
638
+ '',
639
+ 'Present the facts, then retry the same operation.'
640
+ ].join('\n');
641
+ }
642
+
643
+ function destructiveBashMsg() {
644
+ return [
645
+ '[Fact-Forcing Gate]',
646
+ '',
647
+ 'Destructive command detected. Before running, present:',
648
+ '',
649
+ '1. List all files/data this command will modify or delete',
650
+ '2. Write a one-line rollback procedure',
651
+ "3. Quote the user's current instruction verbatim",
652
+ '',
653
+ 'Present the facts, then retry the same operation.'
654
+ ].join('\n');
655
+ }
656
+
657
+ function routineBashMsg() {
658
+ return [
659
+ '[Fact-Forcing Gate]',
660
+ '',
661
+ 'Before the first Bash command this session, present these facts:',
662
+ '',
663
+ '1. The current user request in one sentence',
664
+ '2. What this specific command verifies or produces',
665
+ '',
666
+ 'Present the facts, then retry the same operation.'
667
+ ].join('\n');
668
+ }
669
+
670
+ function withRecoveryHint(message, hookIds = [EDIT_WRITE_HOOK_ID]) {
671
+ const disableTargets = hookIds.map(hookId => `\`${hookId}\``).join(' or ');
672
+ return [
673
+ message,
674
+ '',
675
+ `Recovery: if GateGuard is blocking setup or repair work, run this session with \`CCP_GATEGUARD=off\` or add ${disableTargets} to \`CCP_DISABLED_HOOKS\`.`
676
+ ].join('\n');
677
+ }
678
+
679
+ function isSubagentInvocation(data) {
680
+ if (!data || typeof data !== 'object') {
681
+ return false;
682
+ }
683
+
684
+ const candidates = [
685
+ data.agent_id,
686
+ data.agentId,
687
+ data.parent_tool_use_id,
688
+ data.parentToolUseId
689
+ ];
690
+
691
+ return candidates.some(candidate => typeof candidate === 'string' && candidate.trim());
692
+ }
693
+
694
+ // --- Deny helper ---
695
+
696
+ function denyResult(reason, options = {}) {
697
+ const includeRecoveryHint = options.includeRecoveryHint !== false;
698
+ const hookIds = Array.isArray(options.hookIds) && options.hookIds.length > 0 ? options.hookIds : [EDIT_WRITE_HOOK_ID];
699
+ return {
700
+ stdout: JSON.stringify({
701
+ hookSpecificOutput: {
702
+ hookEventName: 'PreToolUse',
703
+ permissionDecision: 'deny',
704
+ permissionDecisionReason: includeRecoveryHint ? withRecoveryHint(reason, hookIds) : reason
705
+ }
706
+ }),
707
+ exitCode: 0
708
+ };
709
+ }
710
+
711
+ function allowWithStateWarning() {
712
+ return {
713
+ stderr: '[Fact-Forcing Gate] GateGuard state could not be persisted; allowing this operation to avoid a permanent retry loop. Check GATEGUARD_STATE_DIR or filesystem permissions.',
714
+ exitCode: 0
715
+ };
716
+ }
717
+
718
+ // --- Core logic (exported for the pre-bash dispatcher / run-with-flags) ---
719
+
720
+ function run(rawInput) {
721
+ // Open-Q2 gate: GateGuard is opt-in (profile `strict` only). In standard/yolo
722
+ // runs it is inert and returns the rawInput passthrough (allow). Enable with
723
+ // CCP_HOOK_PROFILE=strict. This runs BEFORE any parsing/state I/O so default
724
+ // runs touch no disk.
725
+ if (!isHookEnabled(HOOK_ID, { profiles: 'strict' })) {
726
+ return rawInput;
727
+ }
728
+
729
+ let data;
730
+ try {
731
+ data = typeof rawInput === 'string' ? JSON.parse(rawInput) : rawInput;
732
+ } catch (_) {
733
+ return rawInput; // allow on parse error
734
+ }
735
+
736
+ if (isGateGuardDisabled()) {
737
+ return rawInput;
738
+ }
739
+
740
+ pruneStaleFiles();
741
+
742
+ activeStateFile = null;
743
+ getStateFile(data);
744
+
745
+ const rawToolName = data.tool_name || '';
746
+ const toolInput = data.tool_input || {};
747
+ // Normalize: case-insensitive matching via lookup map
748
+ const TOOL_MAP = { edit: 'Edit', write: 'Write', multiedit: 'MultiEdit', bash: 'Bash' };
749
+ const toolName = TOOL_MAP[rawToolName.toLowerCase()] || rawToolName;
750
+ const inSubagent = isSubagentInvocation(data);
751
+
752
+ if (toolName === 'Edit' || toolName === 'Write') {
753
+ const filePath = toolInput.file_path || '';
754
+ if (!filePath || isClaudeSettingsPath(filePath)) {
755
+ return rawInput; // allow
756
+ }
757
+
758
+ if (inSubagent) {
759
+ return rawInput; // parent session already passed the first-touch file gate
760
+ }
761
+
762
+ if (!isChecked(filePath)) {
763
+ if (!markChecked(filePath)) {
764
+ return allowWithStateWarning();
765
+ }
766
+ return denyResult(toolName === 'Edit' ? editGateMsg(filePath) : writeGateMsg(filePath));
767
+ }
768
+
769
+ return rawInput; // allow
770
+ }
771
+
772
+ if (toolName === 'MultiEdit') {
773
+ if (inSubagent) {
774
+ return rawInput; // parent session already passed the first-touch file gate
775
+ }
776
+
777
+ const edits = toolInput.edits || [];
778
+ for (const edit of edits) {
779
+ const filePath = edit.file_path || '';
780
+ if (filePath && !isClaudeSettingsPath(filePath) && !isChecked(filePath)) {
781
+ if (!markChecked(filePath)) {
782
+ return allowWithStateWarning();
783
+ }
784
+ return denyResult(editGateMsg(filePath));
785
+ }
786
+ }
787
+ return rawInput; // allow
788
+ }
789
+
790
+ if (toolName === 'Bash') {
791
+ const command = toolInput.command || '';
792
+ if (isReadOnlyGitIntrospection(command)) {
793
+ return rawInput;
794
+ }
795
+
796
+ if (isDestructiveBash(command)) {
797
+ // Gate destructive commands on first attempt; allow retry after facts presented
798
+ const key = '__destructive__' + crypto.createHash('sha256').update(command).digest('hex').slice(0, 16);
799
+ if (!isChecked(key)) {
800
+ if (!markChecked(key)) {
801
+ return allowWithStateWarning();
802
+ }
803
+ return denyResult(destructiveBashMsg(), { includeRecoveryHint: false });
804
+ }
805
+ return rawInput; // allow retry after facts presented
806
+ }
807
+
808
+ if (!isChecked(ROUTINE_BASH_SESSION_KEY)) {
809
+ if (!markChecked(ROUTINE_BASH_SESSION_KEY)) {
810
+ return allowWithStateWarning();
811
+ }
812
+ return denyResult(routineBashMsg(), { hookIds: [BASH_HOOK_ID] });
813
+ }
814
+
815
+ return rawInput; // allow
816
+ }
817
+
818
+ return rawInput; // allow
819
+ }
820
+
821
+ module.exports = { run };
822
+
823
+ // --- CLI entrypoint ---
824
+ // Reads JSON on stdin, runs the gate, and emits the result. Empty stdin and
825
+ // parse errors fall through run()'s passthrough contract, so this exits 0.
826
+ if (require.main === module) {
827
+ const MAX_STDIN = 1024 * 1024;
828
+ let raw = '';
829
+ let truncated = false;
830
+
831
+ process.stdin.setEncoding('utf8');
832
+ process.stdin.on('data', chunk => {
833
+ if (truncated) return;
834
+ raw += chunk;
835
+ if (raw.length > MAX_STDIN) {
836
+ raw = raw.slice(0, MAX_STDIN);
837
+ truncated = true;
838
+ }
839
+ });
840
+ process.stdin.on('end', () => {
841
+ let result;
842
+ try {
843
+ result = run(raw);
844
+ } catch (_) {
845
+ // Never block tool execution on an internal error.
846
+ process.exit(0);
847
+ }
848
+
849
+ if (typeof result === 'string' || Buffer.isBuffer(result)) {
850
+ // Passthrough (allow) — emit nothing, exit 0.
851
+ process.exit(0);
852
+ }
853
+
854
+ if (result && typeof result === 'object') {
855
+ if (typeof result.stderr === 'string' && result.stderr) {
856
+ process.stderr.write(result.stderr);
857
+ }
858
+ if (typeof result.stdout === 'string' && result.stdout) {
859
+ process.stdout.write(result.stdout);
860
+ }
861
+ process.exitCode = Number.isInteger(result.exitCode) ? result.exitCode : 0;
862
+ return;
863
+ }
864
+
865
+ process.exit(0);
866
+ });
867
+ process.stdin.on('error', () => process.exit(0));
868
+ }