claude-dev-env 1.17.1 → 1.17.5

package/hooks/blocking/destructive-command-blocker.py

@@ -1,8 +1,10 @@
 #!/usr/bin/env python3
+import datetime
 import json
 import os
 import re
 import sys
+from pathlib import Path
 
 CLAUDE_DIRECTORY_PATH = os.path.normpath(os.path.expanduser("~/.claude"))
 
@@ -25,10 +27,6 @@ DESTRUCTIVE_BASH_PATTERNS = [
     (re.compile(r'\bDROP\s+TABLE\b', re.IGNORECASE), "DROP TABLE (destroys database table)"),
     (re.compile(r'\bDROP\s+DATABASE\b', re.IGNORECASE), "DROP DATABASE (destroys entire database)"),
     (re.compile(r'\bTRUNCATE\s+TABLE\b', re.IGNORECASE), "TRUNCATE TABLE (removes all table rows)"),
-    (re.compile(r'\bgh\s+api\b.*/(comments|reviews)\b.*-X\s+POST', re.IGNORECASE), "gh api comment/review POST (visible to others)"),
-    (re.compile(r'\bgh\s+pr\s+comment\b', re.IGNORECASE), "gh pr comment (visible to others)"),
-    (re.compile(r'\bgh\s+pr\s+review\b', re.IGNORECASE), "gh pr review (visible to others)"),
-    (re.compile(r'\bgh\s+issue\s+comment\b', re.IGNORECASE), "gh issue comment (visible to others)"),
 ]
 
 def find_destructive_pattern(command: str) -> str | None:
@@ -38,6 +36,51 @@ def find_destructive_pattern(command: str) -> str | None:
     return None
 
 
+def find_redirected_gh_pattern(command: str) -> str | None:
+    redirected_gh_bash_patterns = [
+        (re.compile(r'\bgh\s+api\b.*/(comments|reviews)\b.*-X\s+POST', re.IGNORECASE), "gh api comment/review POST"),
+        (re.compile(r'\bgh\s+pr\s+comment\b', re.IGNORECASE), "gh pr comment"),
+        (re.compile(r'\bgh\s+pr\s+review\b', re.IGNORECASE), "gh pr review"),
+        (re.compile(r'\bgh\s+issue\s+comment\b', re.IGNORECASE), "gh issue comment"),
+    ]
+    for pattern_regex, pattern_description in redirected_gh_bash_patterns:
+        if pattern_regex.search(command):
+            return pattern_description
+    return None
+
+
+def _append_destructive_gate_log_entry(brief_label: str, full_reason: str) -> None:
+    destructive_gate_log_path = Path.home() / ".claude" / "logs" / "destructive-gate.log"
+    try:
+        destructive_gate_log_path.parent.mkdir(parents=True, exist_ok=True)
+        timestamp_iso = datetime.datetime.now().isoformat()
+        log_entry = f"{timestamp_iso}\t{brief_label}\t{full_reason}\n"
+        with destructive_gate_log_path.open("a", encoding="utf-8") as log_handle:
+            log_handle.write(log_entry)
+    except OSError:
+        pass
+
+
+def _build_silent_gh_deny_response(matched_description: str) -> dict:
+    gh_gate_user_facing_prefix = "[gh-gate]"
+    brief_label = f"blocked redirected {matched_description}"
+    full_reason = (
+        f"GH-REDIRECT GATE: {matched_description} already executed by "
+        "gh-wsl-to-windows-redirect.py via PowerShell. Denying the original "
+        "Bash call prevents duplicate execution."
+    )
+    _append_destructive_gate_log_entry(brief_label, full_reason)
+    return {
+        "hookSpecificOutput": {
+            "hookEventName": "PreToolUse",
+            "permissionDecision": "deny",
+            "permissionDecisionReason": full_reason,
+        },
+        "suppressOutput": True,
+        "systemMessage": f"{gh_gate_user_facing_prefix} {brief_label}",
+    }
+
+
 def targets_only_claude_directory(command: str) -> bool:
     """Check if rm command targets only paths under ~/.claude/."""
     all_rm_target_paths = re.findall(
@@ -72,6 +115,12 @@ def main() -> None:
         sys.exit(0)
 
     command = tool_input.get("command", "")
+
+    redirected_gh_description = find_redirected_gh_pattern(command)
+    if redirected_gh_description is not None:
+        print(json.dumps(_build_silent_gh_deny_response(redirected_gh_description)))
+        sys.exit(0)
+
     matched_description = find_destructive_pattern(command)
 
     if matched_description is not None and targets_only_claude_directory(command):

package/hooks/blocking/prompt_workflow_validate.py

@@ -0,0 +1,218 @@
+#!/usr/bin/env python3
+"""Shared prompt-workflow validator callable from tests, CLI, and the Stop hook.
+
+Public API
+----------
+validate_prompt_workflow(assistant_message, user_context="")
+    Returns a ``ValidationResult`` with allowed/blocked status and reasons.
+
+CLI
+---
+    python prompt_workflow_validate.py path/to/draft.md
+    cat draft.md | python prompt_workflow_validate.py
+
+Exit codes match hook conventions: 0 allowed, 2 blocked.
+"""
+
+from __future__ import annotations
+
+import sys
+from dataclasses import dataclass, field
+from pathlib import Path
+
+from prompt_workflow_gate_core import (
+    find_ambiguous_scope_terms,
+    find_negative_keywords_in_fenced_xml,
+    has_checklist_container,
+    has_debug_intent,
+    has_internal_object_leak,
+    is_prompt_workflow_response,
+    missing_checklist_rows,
+    missing_context_control_signals,
+    missing_required_xml_sections,
+    missing_scope_anchors,
+)
+
+@dataclass(frozen=True)
+class ValidationReason:
+    code: str
+    message: str
+
+
+@dataclass(frozen=True)
+class ValidationResult:
+    allowed: bool
+    reasons: tuple[ValidationReason, ...] = field(default_factory=tuple)
+
+    @property
+    def reason_messages(self) -> list[str]:
+        return [each_reason.message for each_reason in self.reasons]
+
+    @property
+    def reason_codes(self) -> list[str]:
+        return [each_reason.code for each_reason in self.reasons]
+
+
+def _blocked(code: str, message: str) -> ValidationResult:
+    return ValidationResult(
+        allowed=False,
+        reasons=(ValidationReason(code=code, message=message),),
+    )
+
+
+def _check_internal_leak(
+    assistant_message: str,
+    debug_requested: bool,
+) -> ValidationResult | None:
+    if not has_internal_object_leak(assistant_message) or debug_requested:
+        return None
+    return _blocked(
+        code="internal_object_leak",
+        message=(
+            "Raw internal refinement object leakage detected. "
+            "Return sanitized user-facing output unless explicit debug intent is present."
+        ),
+    )
+
+
+def _check_required_sections(assistant_message: str) -> ValidationResult | None:
+    missing_sections = missing_required_xml_sections(assistant_message)
+    if not missing_sections:
+        return None
+    return _blocked(
+        code="missing_xml_sections",
+        message=(
+            "Fenced XML artifact missing required sections: "
+            + ", ".join(missing_sections)
+        ),
+    )
+
+
+def _check_checklist_rows(assistant_message: str) -> ValidationResult | None:
+    if not has_checklist_container(assistant_message):
+        return None
+    missing_rows = missing_checklist_rows(assistant_message)
+    if not missing_rows:
+        return None
+    return _blocked(
+        code="missing_checklist_rows",
+        message=("Deterministic checklist rows missing: " + ", ".join(missing_rows)),
+    )
+
+
+def _check_scope_anchors(assistant_message: str) -> ValidationResult | None:
+    missing_anchors = missing_scope_anchors(assistant_message)
+    if not missing_anchors:
+        return None
+    return _blocked(
+        code="missing_scope_anchors",
+        message=("Required scope anchors missing: " + ", ".join(missing_anchors)),
+    )
+
+
+def _check_context_signals(assistant_message: str) -> ValidationResult | None:
+    missing_signals = missing_context_control_signals(assistant_message)
+    if not missing_signals:
+        return None
+    return _blocked(
+        code="missing_context_signals",
+        message=(
+            "Runtime context-control preamble missing. "
+            "Include the two required lines from prompt-workflow-context-controls "
+            "(minimal instruction layer and on-demand skill loading)."
+        ),
+    )
+
+
+def _check_ambiguous_scope(assistant_message: str) -> ValidationResult | None:
+    ambiguous_terms = find_ambiguous_scope_terms(assistant_message)
+    if not ambiguous_terms:
+        return None
+    return _blocked(
+        code="ambiguous_scope",
+        message=("Ambiguous scope phrasing detected: " + ", ".join(ambiguous_terms)),
+    )
+
+
+def _check_negative_keywords(assistant_message: str) -> ValidationResult | None:
+    violations = find_negative_keywords_in_fenced_xml(assistant_message)
+    if not violations:
+        return None
+    violation_descriptions = [
+        f"  line {each_violation['line_number']}: "
+        f'"{each_violation["keyword"]}" in: {each_violation["line_text"]}'
+        for each_violation in violations
+    ]
+    return _blocked(
+        code="negative_keywords_in_artifact",
+        message=(
+            "Banned negative keywords found inside fenced XML artifact. "
+            "Rephrase as positive directives (what TO do, not what to avoid):\n"
+            + "\n".join(violation_descriptions)
+        ),
+    )
+
+
+def validate_prompt_workflow(
+    assistant_message: str,
+    user_context: str = "",
+) -> ValidationResult:
+    """Run all prompt-workflow gates on *assistant_message*.
+
+    Returns ``ValidationResult.allowed == True`` when every gate passes.
+    The first failing gate short-circuits and its reason is returned.
+    """
+    allowed_result = ValidationResult(allowed=True)
+
+    if not assistant_message.strip():
+        return allowed_result
+
+    debug_requested = has_debug_intent(user_context)
+
+    leak_result = _check_internal_leak(assistant_message, debug_requested)
+    if leak_result is not None:
+        return leak_result
+
+    if not is_prompt_workflow_response(assistant_message):
+        return allowed_result
+
+    workflow_checks = (
+        _check_required_sections,
+        _check_checklist_rows,
+        _check_scope_anchors,
+        _check_context_signals,
+        _check_ambiguous_scope,
+        _check_negative_keywords,
+    )
+    for each_check in workflow_checks:
+        gate_result = each_check(assistant_message)
+        if gate_result is not None:
+            return gate_result
+
+    return allowed_result
+
+
+def main() -> None:
+    blocked_exit_code: int = 2
+    allowed_exit_code: int = 0
+
+    if len(sys.argv) > 1:
+        file_path = Path(sys.argv[1])
+        assistant_text = file_path.read_text(encoding="utf-8")
+    elif not sys.stdin.isatty():
+        assistant_text = sys.stdin.read()
+    else:
+        sys.stderr.write("Usage: prompt_workflow_validate.py [path/to/draft.md]\n")
+        sys.stderr.write("       cat draft.md | prompt_workflow_validate.py\n")
+        sys.exit(blocked_exit_code)
+
+    validation_result = validate_prompt_workflow(assistant_text)
+    if validation_result.allowed:
+        sys.exit(allowed_exit_code)
+    for each_reason in validation_result.reasons:
+        sys.stderr.write(f"[{each_reason.code}] {each_reason.message}\n")
+    sys.exit(blocked_exit_code)
+
+
+if __name__ == "__main__":
+    main()

package/hooks/blocking/test_content_search_to_zoekt_redirector_integration.py

@@ -0,0 +1,54 @@
+"""Subprocess integration tests for content-search-to-zoekt-redirector PreToolUse hook."""
+
+import json
+import pathlib
+import subprocess
+import sys
+import unittest
+from typing import Any
+
+
+class ContentSearchHookIntegrationTests(unittest.TestCase):
+    def test_bash_grep_command_emits_stdout_json_deny(self) -> None:
+        hook_directory = pathlib.Path(__file__).resolve().parent
+        if str(hook_directory) not in sys.path:
+            sys.path.insert(0, str(hook_directory))
+        from content_search_zoekt_redirect_guidance import get_zoekt_redirect_guidance
+
+        hook_path = hook_directory / "content-search-to-zoekt-redirector.py"
+        destructive_gate_label_prefix = "[destructive-gate]"
+        destructive_gate_label_prefix_value = f"{destructive_gate_label_prefix} "
+        expected_decision = "deny"
+        hook_stdin_payload = json.dumps(
+            {"tool_name": "Bash", "tool_input": {"command": "grep foo bar"}},
+        )
+
+        completed = subprocess.run(
+            [sys.executable, str(hook_path)],
+            input=hook_stdin_payload,
+            capture_output=True,
+            text=True,
+            cwd=str(hook_directory),
+        )
+        self.assertEqual(completed.returncode, 0)
+        self.assertEqual(completed.stderr, "")
+        payload: dict[str, Any] = json.loads(completed.stdout)
+        self.assertTrue(
+            payload["systemMessage"].startswith(destructive_gate_label_prefix_value),
+        )
+        self.assertEqual(
+            payload["hookSpecificOutput"]["permissionDecisionReason"],
+            get_zoekt_redirect_guidance(),
+        )
+        self.assertEqual(
+            payload["hookSpecificOutput"]["permissionDecision"],
+            expected_decision,
+        )
+        self.assertEqual(
+            payload["hookSpecificOutput"]["hookEventName"],
+            "PreToolUse",
+        )
+
+
+if __name__ == "__main__":
+    unittest.main()

package/hooks/blocking/test_content_search_to_zoekt_redirector_unit.py

@@ -0,0 +1,51 @@
+"""Unit tests for Zoekt redirector PreToolUse deny payload (build_block_payload)."""
+
+import json
+import pathlib
+import sys
+import unittest
+from typing import Any
+
+HOOK_DIRECTORY = pathlib.Path(__file__).resolve().parent
+if str(HOOK_DIRECTORY) not in sys.path:
+    sys.path.insert(0, str(HOOK_DIRECTORY))
+
+from content_search_zoekt_block_payload import build_block_payload
+from content_search_zoekt_redirect_guidance import get_zoekt_redirect_guidance
+
+
+class BuildBlockPayloadTests(unittest.TestCase):
+    def test_payload_matches_pretooluse_contract(self) -> None:
+        destructive_gate_label_prefix = "[destructive-gate]"
+        payload: dict[str, Any] = build_block_payload("demo", "body")
+        prefix_with_space = f"{destructive_gate_label_prefix} "
+        self.assertTrue(payload["systemMessage"].startswith(prefix_with_space))
+        self.assertEqual(
+            payload["hookSpecificOutput"]["permissionDecisionReason"],
+            "body",
+        )
+        self.assertEqual(payload["hookSpecificOutput"]["permissionDecision"], "deny")
+        self.assertEqual(
+            payload["hookSpecificOutput"]["hookEventName"],
+            "PreToolUse",
+        )
+        self.assertEqual(payload["suppressOutput"], True)
+        self.assertNotIn("decision", payload)
+        self.assertNotIn("reason", payload)
+
+    def test_serialized_payload_under_documented_context_cap(self) -> None:
+        cap_characters = 10_000
+        payload = build_block_payload(
+            brief_label="blocked Bash(grep); use Zoekt MCP",
+            permission_decision_reason=get_zoekt_redirect_guidance(),
+        )
+        serialized = json.dumps(payload)
+        self.assertLessEqual(
+            len(serialized),
+            cap_characters,
+            msg="Hooks doc caps additionalContext/systemMessage/plain stdout injection at 10,000 characters",
+        )
+
+
+if __name__ == "__main__":
+    unittest.main()

package/hooks/blocking/test_content_search_zoekt_indexed_roots_config.py

@@ -0,0 +1,102 @@
+"""Tests for Zoekt indexed root resolution (env, file, empty built-in fallback, WSL variants)."""
+
+import json
+import os
+import pathlib
+import sys
+import tempfile
+import unittest
+from unittest.mock import patch
+
+HOOK_DIRECTORY = pathlib.Path(__file__).resolve().parent
+if str(HOOK_DIRECTORY) not in sys.path:
+    sys.path.insert(0, str(HOOK_DIRECTORY))
+
+from content_search_zoekt_indexed_paths import is_in_indexed_repo
+from content_search_zoekt_indexed_roots_config import (
+    clear_indexed_root_prefixes_cache,
+    indexed_root_prefixes,
+)
+
+
+class IndexedRootsConfigTests(unittest.TestCase):
+    def tearDown(self) -> None:
+        clear_indexed_root_prefixes_cache()
+
+    def test_environment_json_array_defines_prefixes(self) -> None:
+        roots_json = json.dumps(["Y:/OnlyOne/Indexed/"])
+        with patch.dict(os.environ, {"ZOEKT_REDIRECT_INDEXED_ROOTS": roots_json}, clear=False):
+            clear_indexed_root_prefixes_cache()
+            prefixes = indexed_root_prefixes()
+        self.assertIn("y:/onlyone/indexed/", prefixes)
+        self.assertIn("/mnt/y/onlyone/indexed/", prefixes)
+
+    def test_empty_environment_array_yields_no_prefixes(self) -> None:
+        with patch.dict(os.environ, {"ZOEKT_REDIRECT_INDEXED_ROOTS": "[]"}, clear=False):
+            clear_indexed_root_prefixes_cache()
+            prefixes = indexed_root_prefixes()
+        self.assertEqual(prefixes, ())
+
+    def test_json_file_used_when_env_missing(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp_str:
+            home = pathlib.Path(tmp_str)
+            config_dir = home / ".claude"
+            config_dir.mkdir(parents=True)
+            roots_payload = {"roots": ["Y:/FromFile/Project/"]}
+            (config_dir / "zoekt-indexed-roots.json").write_text(
+                json.dumps(roots_payload),
+                encoding="utf-8",
+            )
+            with patch("pathlib.Path.home", return_value=home):
+                saved = os.environ.pop("ZOEKT_REDIRECT_INDEXED_ROOTS", None)
+                try:
+                    clear_indexed_root_prefixes_cache()
+                    prefixes = indexed_root_prefixes()
+                finally:
+                    if saved is not None:
+                        os.environ["ZOEKT_REDIRECT_INDEXED_ROOTS"] = saved
+        self.assertIn("y:/fromfile/project/", prefixes)
+
+    def test_environment_overrides_file(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp_str:
+            home = pathlib.Path(tmp_str)
+            config_dir = home / ".claude"
+            config_dir.mkdir(parents=True)
+            (config_dir / "zoekt-indexed-roots.json").write_text(
+                json.dumps({"roots": ["Y:/FromFile/"]}),
+                encoding="utf-8",
+            )
+            with patch("pathlib.Path.home", return_value=home):
+                with patch.dict(
+                    os.environ,
+                    {"ZOEKT_REDIRECT_INDEXED_ROOTS": json.dumps(["Y:/FromEnv/"])},
+                    clear=False,
+                ):
+                    clear_indexed_root_prefixes_cache()
+                    prefixes = indexed_root_prefixes()
+        self.assertIn("y:/fromenv/", prefixes)
+        self.assertNotIn("y:/fromfile/", prefixes)
+
+    def test_longer_prefix_matches_before_shorter_parent(self) -> None:
+        roots_json = json.dumps(["Y:/parent/", "Y:/parent/child/"])
+        with patch.dict(os.environ, {"ZOEKT_REDIRECT_INDEXED_ROOTS": roots_json}, clear=False):
+            clear_indexed_root_prefixes_cache()
+            self.assertTrue(is_in_indexed_repo("Y:/parent/child/file.py"))
+
+    def test_invalid_environment_json_falls_through_to_empty_builtin(self) -> None:
+        with patch(
+            "content_search_zoekt_indexed_roots_config._roots_from_json_file",
+            return_value=None,
+        ):
+            with patch.dict(
+                os.environ,
+                {"ZOEKT_REDIRECT_INDEXED_ROOTS": "not-json"},
+                clear=False,
+            ):
+                clear_indexed_root_prefixes_cache()
+                prefixes = indexed_root_prefixes()
+        self.assertEqual(prefixes, ())
+
+
+if __name__ == "__main__":
+    unittest.main()

package/hooks/blocking/test_destructive_command_blocker.py

@@ -0,0 +1,108 @@
+"""Tests for destructive-command-blocker hook."""
+
+import json
+import subprocess
+import sys
+from pathlib import Path
+
+
+SCRIPT_PATH = Path(__file__).parent / "destructive-command-blocker.py"
+GH_GATE_USER_FACING_PREFIX = "[gh-gate]"
+
+
+def _run_hook(payload: dict) -> subprocess.CompletedProcess[str]:
+    return subprocess.run(
+        [sys.executable, str(SCRIPT_PATH)],
+        input=json.dumps(payload),
+        text=True,
+        capture_output=True,
+        check=False,
+    )
+
+
+def _make_bash_payload(command: str) -> dict:
+    return {
+        "tool_name": "Bash",
+        "tool_input": {"command": command},
+    }
+
+
+def test_denies_gh_issue_comment_as_redirect_duplicate_guard() -> None:
+    payload = _make_bash_payload(
+        'gh issue comment 83 --repo jl-cmd/claude-code-config --body "hello"'
+    )
+    result = _run_hook(payload)
+    response = json.loads(result.stdout)
+    assert response["hookSpecificOutput"]["permissionDecision"] == "deny"
+    assert (
+        "gh issue comment" in response["hookSpecificOutput"]["permissionDecisionReason"]
+    )
+    assert (
+        "duplicate execution"
+        in response["hookSpecificOutput"]["permissionDecisionReason"]
+    )
+
+
+def test_denies_gh_pr_comment_as_redirect_duplicate_guard() -> None:
+    payload = _make_bash_payload('gh pr comment 42 --body "ok"')
+    result = _run_hook(payload)
+    response = json.loads(result.stdout)
+    assert response["hookSpecificOutput"]["permissionDecision"] == "deny"
+    assert "gh pr comment" in response["hookSpecificOutput"]["permissionDecisionReason"]
+
+
+def test_denies_gh_pr_review_as_redirect_duplicate_guard() -> None:
+    payload = _make_bash_payload("gh pr review 42 --approve")
+    result = _run_hook(payload)
+    response = json.loads(result.stdout)
+    assert response["hookSpecificOutput"]["permissionDecision"] == "deny"
+    assert "gh pr review" in response["hookSpecificOutput"]["permissionDecisionReason"]
+
+
+def test_denies_gh_api_post_comment_as_redirect_duplicate_guard() -> None:
+    payload = _make_bash_payload(
+        "gh api /repos/owner/name/issues/1/comments -X POST -f body=hello"
+    )
+    result = _run_hook(payload)
+    response = json.loads(result.stdout)
+    assert response["hookSpecificOutput"]["permissionDecision"] == "deny"
+
+
+def test_suppresses_output_on_gh_redirect_deny() -> None:
+    payload = _make_bash_payload('gh issue comment 1 --body "x"')
+    result = _run_hook(payload)
+    response = json.loads(result.stdout)
+    assert response["suppressOutput"] is True
+    assert response["systemMessage"].startswith(GH_GATE_USER_FACING_PREFIX)
+
+
+def test_asks_on_rm_rf_still_works() -> None:
+    payload = _make_bash_payload("rm -rf /tmp/somewhere")
+    result = _run_hook(payload)
+    response = json.loads(result.stdout)
+    assert response["hookSpecificOutput"]["permissionDecision"] == "ask"
+    assert "rm -rf" in response["hookSpecificOutput"]["permissionDecisionReason"]
+
+
+def test_asks_on_git_push_force_still_works() -> None:
+    payload = _make_bash_payload("git push --force origin main")
+    result = _run_hook(payload)
+    response = json.loads(result.stdout)
+    assert response["hookSpecificOutput"]["permissionDecision"] == "ask"
+    assert (
+        "git push --force" in response["hookSpecificOutput"]["permissionDecisionReason"]
+    )
+
+
+def test_allows_plain_command_without_destructive_pattern() -> None:
+    payload = _make_bash_payload("ls -la")
+    result = _run_hook(payload)
+    assert result.stdout.strip() == ""
+    assert result.returncode == 0
+
+
+def test_ignores_non_bash_tool() -> None:
+    payload = {"tool_name": "Read", "tool_input": {"file_path": "/tmp/x"}}
+    result = _run_hook(payload)
+    assert result.stdout.strip() == ""
+    assert result.returncode == 0