claude-dev-env 1.31.0 → 1.33.0

package/hooks/diagnostic/hook_log_stop_wrapper.py

@@ -1,12 +1,25 @@
 #!/usr/bin/env python3
-"""Stop-hook wrapper for hook_log_extractor that never surfaces a hook failure.
-
-Invokes ``hook_log_extractor.py --incremental`` via ``bws run`` only when
-both ``bws`` is on PATH and ``BWS_ACCESS_TOKEN`` is set; otherwise falls
-through to run the extractor directly. The extractor itself exits 0 when
-``NEON_HOOK_LOGS_DATABASE_URL`` is unset, so the wrapper can rely on that
-offline-graceful path. This wrapper always exits 0 so the Stop hook
-never blocks session end on a missing dependency.
+"""Stop-hook wrapper for hook_log_extractor: debounced, fire-and-forget.
+
+Runs after every assistant turn (Stop hook), so per-turn latency must
+stay near zero. The wrapper:
+
+1. Reads the last-spawn timestamp; if it falls within the debounce
+   window, exits 0 immediately without spawning anything (typical fast
+   path: a small file read, well under 10ms).
+2. Otherwise records the current timestamp, then launches the extractor
+   as a fully detached background process (no stdio, separate process
+   group on POSIX or DETACHED_PROCESS|CREATE_NEW_PROCESS_GROUP on
+   Windows) and returns without waiting for it.
+
+Bitwarden injection: when both ``bws`` is on PATH and
+``BWS_ACCESS_TOKEN`` is set, the extractor is launched via
+``bws run --`` so the Neon URL never hits disk; otherwise it is
+launched directly. The extractor itself exits 0 when
+``NEON_HOOK_LOGS_DATABASE_URL`` is unset, so missing dependencies
+cannot block session shutdown.
+
+This wrapper always exits 0 so the Stop hook never surfaces a failure.
 """
 
 from __future__ import annotations
@@ -15,6 +28,7 @@ import os
 import shutil
 import subprocess
 import sys
+import time
 from pathlib import Path
 
 if str(Path(__file__).resolve().parent.parent) not in sys.path:
@@ -27,7 +41,12 @@ from config.hook_log_extractor_constants import (
     BWS_RUN_SUBCOMMAND,
     EXIT_CODE_SUCCESS,
     FLAG_INCREMENTAL,
+    STOP_WRAPPER_DEBOUNCE_SECONDS,
     STOP_WRAPPER_EXTRACTOR_SCRIPT_NAME,
+    STOP_WRAPPER_LAST_RUN_TIMESTAMP_FILE,
+    WINDOWS_CREATE_NEW_PROCESS_GROUP_FLAG,
+    WINDOWS_DETACHED_PROCESS_FLAG,
+    WINDOWS_OS_NAME,
 )
 
 
@@ -37,14 +56,77 @@ def _extractor_script_path() -> str:
     )
 
 
+def _last_run_timestamp_path() -> Path:
+    return Path(STOP_WRAPPER_LAST_RUN_TIMESTAMP_FILE)
+
+
+def _is_within_debounce_window() -> bool:
+    timestamp_path = _last_run_timestamp_path()
+    if not timestamp_path.exists():
+        return False
+    try:
+        previous_timestamp = float(timestamp_path.read_text().strip())
+    except (OSError, ValueError):
+        return False
+    seconds_since_previous_spawn = time.time() - previous_timestamp
+    if seconds_since_previous_spawn < 0:
+        return False
+    return seconds_since_previous_spawn < STOP_WRAPPER_DEBOUNCE_SECONDS
+
+
+def _record_current_timestamp() -> None:
+    timestamp_path = _last_run_timestamp_path()
+    timestamp_path.parent.mkdir(parents=True, exist_ok=True)
+    timestamp_path.write_text(str(time.time()))
+
+
+def _clear_recorded_timestamp() -> None:
+    """Remove the debounce timestamp regardless of which process wrote it.
+
+    The unlink is unconditional: if process A writes a timestamp, process
+    B observes it and debounces, then A's spawn fails, A's rollback here
+    deletes the timestamp B already saw. The next Stop hook then spawns
+    a fresh extractor instead of debouncing the remainder of the window.
+    Consequence is benign because the extractor's own offset-file lock
+    (LOCK_MAXIMUM_RETRY_COUNT in hook_log_extractor_constants) serializes
+    concurrent extractor runs, so at most one extra extractor briefly
+    waits on the lock. Scoping the rollback to A's own write would
+    require a per-process sentinel and tighter atomicity than the
+    benefit warrants for this Stop-hook fast path.
+    """
+    timestamp_path = _last_run_timestamp_path()
+    timestamp_path.unlink(missing_ok=True)
+
+
 def _can_use_bws() -> bool:
     if not os.environ.get(BWS_ACCESS_TOKEN_ENV_VAR):
         return False
     return shutil.which(BWS_EXECUTABLE_NAME) is not None
 
 
-def _run_with_bws() -> None:
-    subprocess.run(
+def _detached_spawn_keyword_arguments() -> dict[str, object]:
+    spawn_arguments: dict[str, object] = {
+        "stdin": subprocess.DEVNULL,
+        "stdout": subprocess.DEVNULL,
+        "stderr": subprocess.DEVNULL,
+        "close_fds": True,
+    }
+    if os.name == WINDOWS_OS_NAME:
+        spawn_arguments["creationflags"] = (
+            WINDOWS_DETACHED_PROCESS_FLAG
+            | WINDOWS_CREATE_NEW_PROCESS_GROUP_FLAG
+        )
+        startup_info = subprocess.STARTUPINFO()
+        startup_info.dwFlags |= subprocess.STARTF_USESHOWWINDOW
+        startup_info.wShowWindow = subprocess.SW_HIDE
+        spawn_arguments["startupinfo"] = startup_info
+    else:
+        spawn_arguments["start_new_session"] = True
+    return spawn_arguments
+
+
+def _spawn_with_bws() -> None:
+    subprocess.Popen(
         [
             BWS_EXECUTABLE_NAME,
             BWS_RUN_SUBCOMMAND,
@@ -53,28 +135,34 @@ def _run_with_bws() -> None:
             _extractor_script_path(),
             FLAG_INCREMENTAL,
         ],
-        check=False,
+        **_detached_spawn_keyword_arguments(),
     )
 
 
-def _run_without_bws() -> None:
-    subprocess.run(
+def _spawn_without_bws() -> None:
+    subprocess.Popen(
         [
             sys.executable,
             _extractor_script_path(),
             FLAG_INCREMENTAL,
         ],
-        check=False,
+        **_detached_spawn_keyword_arguments(),
     )
 
 
 def main() -> int:
-    """Invoke the extractor with or without bws; swallow all failures."""
+    """Debounce, then fire-and-forget the extractor; always exit 0."""
     try:
-        if _can_use_bws():
-            _run_with_bws()
-        else:
-            _run_without_bws()
+        if _is_within_debounce_window():
+            return EXIT_CODE_SUCCESS
+        _record_current_timestamp()
+        try:
+            if _can_use_bws():
+                _spawn_with_bws()
+            else:
+                _spawn_without_bws()
+        except Exception:
+            _clear_recorded_timestamp()
     except Exception:
         pass
     return EXIT_CODE_SUCCESS

package/hooks/diagnostic/test_hook_log_stop_wrapper.py

@@ -1,8 +1,11 @@
-"""Tests for hook_log_stop_wrapper — Stop-hook wrapper that never fails."""
+"""Tests for hook_log_stop_wrapper -- debounced, fire-and-forget Stop hook."""
 
 from __future__ import annotations
 
+import os
+import subprocess
 import sys
+import time
 from pathlib import Path
 
 import pytest
@@ -16,26 +19,88 @@ from config.hook_log_extractor_constants import (
     BWS_ACCESS_TOKEN_ENV_VAR,
     BWS_EXECUTABLE_NAME,
     FLAG_INCREMENTAL,
+    STOP_WRAPPER_DEBOUNCE_SECONDS,
 )
 
 
-def test_main_returns_zero_when_bws_missing_and_extractor_fails(
+def _redirect_timestamp_path(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path
+) -> Path:
+    timestamp_file = tmp_path / "stop_wrapper_last_run.txt"
+    monkeypatch.setattr(
+        hook_log_stop_wrapper,
+        "_last_run_timestamp_path",
+        lambda: timestamp_file,
+    )
+    return timestamp_file
+
+
+def test_main_returns_zero_when_extractor_spawn_raises(
     monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
 ) -> None:
+    timestamp_file = _redirect_timestamp_path(monkeypatch, tmp_path)
     monkeypatch.delenv(BWS_ACCESS_TOKEN_ENV_VAR, raising=False)
     monkeypatch.setattr(hook_log_stop_wrapper.shutil, "which", lambda _name: None)
 
     def _raise(*_args: object, **_kwargs: object) -> None:
         raise RuntimeError("boom")
 
-    monkeypatch.setattr(hook_log_stop_wrapper.subprocess, "run", _raise)
+    monkeypatch.setattr(hook_log_stop_wrapper.subprocess, "Popen", _raise)
 
     assert hook_log_stop_wrapper.main() == 0
+    assert not timestamp_file.exists()
+
+
+def test_main_writes_timestamp_before_spawn_to_narrow_toctou_window(
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    timestamp_file = _redirect_timestamp_path(monkeypatch, tmp_path)
+    monkeypatch.delenv(BWS_ACCESS_TOKEN_ENV_VAR, raising=False)
+    monkeypatch.setattr(hook_log_stop_wrapper.shutil, "which", lambda _name: None)
+
+    timestamp_file_existed_at_spawn_time: list[bool] = []
+
+    def _capture_timestamp_state(*_args: object, **_kwargs: object) -> object:
+        timestamp_file_existed_at_spawn_time.append(timestamp_file.exists())
+        return object()
+
+    monkeypatch.setattr(
+        hook_log_stop_wrapper.subprocess, "Popen", _capture_timestamp_state
+    )
+
+    hook_log_stop_wrapper.main()
+
+    assert timestamp_file_existed_at_spawn_time == [True]
+
+
+def test_main_removes_timestamp_when_spawn_fails_to_allow_retry(
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    timestamp_file = _redirect_timestamp_path(monkeypatch, tmp_path)
+    timestamp_file.parent.mkdir(parents=True, exist_ok=True)
+    stale_timestamp = time.time() - STOP_WRAPPER_DEBOUNCE_SECONDS - 1
+    timestamp_file.write_text(str(stale_timestamp))
+
+    monkeypatch.delenv(BWS_ACCESS_TOKEN_ENV_VAR, raising=False)
+    monkeypatch.setattr(hook_log_stop_wrapper.shutil, "which", lambda _name: None)
+
+    def _raise(*_args: object, **_kwargs: object) -> None:
+        raise RuntimeError("boom")
+
+    monkeypatch.setattr(hook_log_stop_wrapper.subprocess, "Popen", _raise)
+
+    assert hook_log_stop_wrapper.main() == 0
+    assert not timestamp_file.exists()
 
 
 def test_main_uses_bws_when_token_and_binary_present(
     monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
 ) -> None:
+    _redirect_timestamp_path(monkeypatch, tmp_path)
     monkeypatch.setenv(BWS_ACCESS_TOKEN_ENV_VAR, "secret-value")
     monkeypatch.setattr(
         hook_log_stop_wrapper.shutil,
@@ -45,10 +110,11 @@ def test_main_uses_bws_when_token_and_binary_present(
 
     captured_commands: list[list[str]] = []
 
-    def _fake_run(command_list: list[str], **_kwargs: object) -> None:
+    def _fake_popen(command_list: list[str], **_kwargs: object) -> object:
         captured_commands.append(list(command_list))
+        return object()
 
-    monkeypatch.setattr(hook_log_stop_wrapper.subprocess, "run", _fake_run)
+    monkeypatch.setattr(hook_log_stop_wrapper.subprocess, "Popen", _fake_popen)
 
     exit_code = hook_log_stop_wrapper.main()
 
@@ -58,7 +124,11 @@ def test_main_uses_bws_when_token_and_binary_present(
     assert FLAG_INCREMENTAL in captured_commands[0]
 
 
-def test_main_skips_bws_when_token_missing(monkeypatch: pytest.MonkeyPatch) -> None:
+def test_main_skips_bws_when_token_missing(
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    _redirect_timestamp_path(monkeypatch, tmp_path)
     monkeypatch.delenv(BWS_ACCESS_TOKEN_ENV_VAR, raising=False)
     monkeypatch.setattr(
         hook_log_stop_wrapper.shutil,
@@ -68,10 +138,11 @@ def test_main_skips_bws_when_token_missing(monkeypatch: pytest.MonkeyPatch) -> N
 
     captured_commands: list[list[str]] = []
 
-    def _fake_run(command_list: list[str], **_kwargs: object) -> None:
+    def _fake_popen(command_list: list[str], **_kwargs: object) -> object:
         captured_commands.append(list(command_list))
+        return object()
 
-    monkeypatch.setattr(hook_log_stop_wrapper.subprocess, "run", _fake_run)
+    monkeypatch.setattr(hook_log_stop_wrapper.subprocess, "Popen", _fake_popen)
 
     exit_code = hook_log_stop_wrapper.main()
 
@@ -80,19 +151,195 @@ def test_main_skips_bws_when_token_missing(monkeypatch: pytest.MonkeyPatch) -> N
     assert BWS_EXECUTABLE_NAME not in captured_commands[0]
 
 
-def test_main_skips_bws_when_binary_missing(monkeypatch: pytest.MonkeyPatch) -> None:
+def test_main_skips_bws_when_binary_missing(
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    _redirect_timestamp_path(monkeypatch, tmp_path)
     monkeypatch.setenv(BWS_ACCESS_TOKEN_ENV_VAR, "secret-value")
     monkeypatch.setattr(hook_log_stop_wrapper.shutil, "which", lambda _name: None)
 
     captured_commands: list[list[str]] = []
 
-    def _fake_run(command_list: list[str], **_kwargs: object) -> None:
+    def _fake_popen(command_list: list[str], **_kwargs: object) -> object:
         captured_commands.append(list(command_list))
+        return object()
 
-    monkeypatch.setattr(hook_log_stop_wrapper.subprocess, "run", _fake_run)
+    monkeypatch.setattr(hook_log_stop_wrapper.subprocess, "Popen", _fake_popen)
 
     exit_code = hook_log_stop_wrapper.main()
 
     assert exit_code == 0
     assert len(captured_commands) == 1
     assert BWS_EXECUTABLE_NAME not in captured_commands[0]
+
+
+def test_main_skips_spawn_when_recent_timestamp_within_debounce_window(
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    timestamp_file = _redirect_timestamp_path(monkeypatch, tmp_path)
+    timestamp_file.parent.mkdir(parents=True, exist_ok=True)
+    timestamp_file.write_text(str(time.time()))
+
+    captured_commands: list[list[str]] = []
+
+    def _fake_popen(command_list: list[str], **_kwargs: object) -> object:
+        captured_commands.append(list(command_list))
+        return object()
+
+    monkeypatch.setattr(hook_log_stop_wrapper.subprocess, "Popen", _fake_popen)
+
+    exit_code = hook_log_stop_wrapper.main()
+
+    assert exit_code == 0
+    assert len(captured_commands) == 0
+
+
+def test_main_spawns_when_timestamp_older_than_debounce_window(
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    timestamp_file = _redirect_timestamp_path(monkeypatch, tmp_path)
+    timestamp_file.parent.mkdir(parents=True, exist_ok=True)
+    stale_timestamp = time.time() - STOP_WRAPPER_DEBOUNCE_SECONDS - 1
+    timestamp_file.write_text(str(stale_timestamp))
+
+    monkeypatch.delenv(BWS_ACCESS_TOKEN_ENV_VAR, raising=False)
+    monkeypatch.setattr(hook_log_stop_wrapper.shutil, "which", lambda _name: None)
+
+    captured_commands: list[list[str]] = []
+
+    def _fake_popen(command_list: list[str], **_kwargs: object) -> object:
+        captured_commands.append(list(command_list))
+        return object()
+
+    monkeypatch.setattr(hook_log_stop_wrapper.subprocess, "Popen", _fake_popen)
+
+    exit_code = hook_log_stop_wrapper.main()
+
+    assert exit_code == 0
+    assert len(captured_commands) == 1
+
+
+def test_main_writes_current_timestamp_to_file(
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    timestamp_file = _redirect_timestamp_path(monkeypatch, tmp_path)
+    monkeypatch.delenv(BWS_ACCESS_TOKEN_ENV_VAR, raising=False)
+    monkeypatch.setattr(hook_log_stop_wrapper.shutil, "which", lambda _name: None)
+    monkeypatch.setattr(
+        hook_log_stop_wrapper.subprocess,
+        "Popen",
+        lambda *_args, **_kwargs: object(),
+    )
+
+    timestamp_before_call = time.time()
+    hook_log_stop_wrapper.main()
+    timestamp_after_call = time.time()
+
+    assert timestamp_file.exists()
+    written_timestamp = float(timestamp_file.read_text().strip())
+    assert timestamp_before_call <= written_timestamp <= timestamp_after_call
+
+
+def test_main_passes_devnull_streams_to_detached_spawn(
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    _redirect_timestamp_path(monkeypatch, tmp_path)
+    monkeypatch.delenv(BWS_ACCESS_TOKEN_ENV_VAR, raising=False)
+    monkeypatch.setattr(hook_log_stop_wrapper.shutil, "which", lambda _name: None)
+
+    captured_kwargs: dict[str, object] = {}
+
+    def _fake_popen(command_list: list[str], **kwargs: object) -> object:
+        captured_kwargs.update(kwargs)
+        return object()
+
+    monkeypatch.setattr(hook_log_stop_wrapper.subprocess, "Popen", _fake_popen)
+
+    hook_log_stop_wrapper.main()
+
+    assert captured_kwargs.get("stdin") is hook_log_stop_wrapper.subprocess.DEVNULL
+    assert captured_kwargs.get("stdout") is hook_log_stop_wrapper.subprocess.DEVNULL
+    assert captured_kwargs.get("stderr") is hook_log_stop_wrapper.subprocess.DEVNULL
+
+
+def test_main_recovers_when_timestamp_file_is_corrupted(
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    timestamp_file = _redirect_timestamp_path(monkeypatch, tmp_path)
+    timestamp_file.parent.mkdir(parents=True, exist_ok=True)
+    timestamp_file.write_text("not-a-float")
+
+    monkeypatch.delenv(BWS_ACCESS_TOKEN_ENV_VAR, raising=False)
+    monkeypatch.setattr(hook_log_stop_wrapper.shutil, "which", lambda _name: None)
+
+    captured_commands: list[list[str]] = []
+
+    def _fake_popen(command_list: list[str], **_kwargs: object) -> object:
+        captured_commands.append(list(command_list))
+        return object()
+
+    monkeypatch.setattr(hook_log_stop_wrapper.subprocess, "Popen", _fake_popen)
+
+    exit_code = hook_log_stop_wrapper.main()
+
+    assert exit_code == 0
+    assert len(captured_commands) == 1
+
+
+def test_main_treats_future_timestamp_as_not_debounced(
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    timestamp_file = _redirect_timestamp_path(monkeypatch, tmp_path)
+    timestamp_file.parent.mkdir(parents=True, exist_ok=True)
+    far_future_timestamp = time.time() + 3600
+    timestamp_file.write_text(str(far_future_timestamp))
+
+    monkeypatch.delenv(BWS_ACCESS_TOKEN_ENV_VAR, raising=False)
+    monkeypatch.setattr(hook_log_stop_wrapper.shutil, "which", lambda _name: None)
+
+    captured_commands: list[list[str]] = []
+
+    def _fake_popen(command_list: list[str], **_kwargs: object) -> object:
+        captured_commands.append(list(command_list))
+        return object()
+
+    monkeypatch.setattr(hook_log_stop_wrapper.subprocess, "Popen", _fake_popen)
+
+    exit_code = hook_log_stop_wrapper.main()
+
+    assert exit_code == 0
+    assert len(captured_commands) == 1
+
+
+def test_main_passes_hidden_startupinfo_on_windows(
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    _redirect_timestamp_path(monkeypatch, tmp_path)
+    monkeypatch.delenv(BWS_ACCESS_TOKEN_ENV_VAR, raising=False)
+    monkeypatch.setattr(hook_log_stop_wrapper.shutil, "which", lambda _name: None)
+
+    captured_kwargs: dict[str, object] = {}
+
+    def _fake_popen(command_list: list[str], **kwargs: object) -> object:
+        captured_kwargs.update(kwargs)
+        return object()
+
+    monkeypatch.setattr(hook_log_stop_wrapper.subprocess, "Popen", _fake_popen)
+
+    hook_log_stop_wrapper.main()
+
+    if os.name == "nt":
+        startup_info = captured_kwargs.get("startupinfo")
+        assert startup_info is not None
+        assert startup_info.dwFlags & subprocess.STARTF_USESHOWWINDOW
+        assert startup_info.wShowWindow == subprocess.SW_HIDE
+    else:
+        assert captured_kwargs.get("start_new_session") is True

package/hooks/hooks.json

@@ -39,6 +39,11 @@
             "type": "command",
             "command": "python3 ${CLAUDE_PLUGIN_ROOT}/hooks/blocking/tdd_enforcer.py",
             "timeout": 10
+          },
+          {
+            "type": "command",
+            "command": "python3 ${CLAUDE_PLUGIN_ROOT}/hooks/blocking/windows_rmtree_blocker.py",
+            "timeout": 10
           }
         ]
       },
@@ -89,6 +94,11 @@
             "type": "command",
             "command": "python3 ${CLAUDE_PLUGIN_ROOT}/hooks/blocking/content_search_to_zoekt_redirector.py",
             "timeout": 10
+          },
+          {
+            "type": "command",
+            "command": "python3 ${CLAUDE_PLUGIN_ROOT}/hooks/blocking/windows_rmtree_blocker.py",
+            "timeout": 10
           }
         ]
       },
@@ -112,6 +122,11 @@
             "command": "python3 ${CLAUDE_PLUGIN_ROOT}/hooks/session/plugin_data_dir_cleanup.py",
             "timeout": 10
           },
+          {
+            "type": "command",
+            "command": "python3 ${CLAUDE_PLUGIN_ROOT}/hooks/session/session_env_cleanup.py",
+            "timeout": 10
+          },
           {
             "type": "command",
             "command": "python3 ${CLAUDE_PLUGIN_ROOT}/hooks/session/untracked_repo_detector.py",

package/hooks/session/session_env_cleanup.py

@@ -0,0 +1,130 @@
+#!/usr/bin/env python3
+"""SessionStart hook — clean the Claude Code session-env directory on Windows.
+
+Claude Code's Bash tool sets up a per-session sandbox at
+``~/.claude/session-env/<session_id>/``. The mkdir call appears non-recursive,
+so once the directory exists, later Bash invocations in the same session can
+throw ``EEXIST`` and abort. PowerShell tool calls are unaffected.
+
+This hook removes the current session's pre-existing directory at start and
+prunes sibling entries whose mtime is older than the stale-age threshold so
+the parent directory does not grow without bound.
+
+Tracking: https://github.com/anthropics/claude-code/issues — Windows-only
+mkdir bug separate from the EEXIST fixes in v2.1.70-v2.1.72.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import shutil
+import stat
+import sys
+import time
+from pathlib import Path
+from typing import Callable
+
+
+def _insert_hooks_tree_for_imports() -> None:
+    hooks_tree = Path(__file__).resolve().parent.parent
+    hooks_tree_string = str(hooks_tree)
+    if hooks_tree_string not in sys.path:
+        sys.path.insert(0, hooks_tree_string)
+
+
+_insert_hooks_tree_for_imports()
+
+from config.session_env_cleanup_constants import (
+    ALL_RMTREE_ONEXC_PYTHON_VERSION_PARTS,
+    SESSION_ENV_DIRECTORY,
+    SESSION_ID_PATTERN,
+    SESSION_ID_PAYLOAD_KEY,
+    STALE_AGE_SECONDS,
+    WINDOWS_PLATFORM_TAG,
+)
+
+
+def _strip_read_only_and_retry(
+    removal_function: Callable[[str], None],
+    target_path: str,
+    *_unused_exception_info: object,
+) -> None:
+    try:
+        os.chmod(target_path, stat.S_IWRITE)
+        removal_function(target_path)
+    except OSError:
+        pass
+
+
+def _force_rmtree(target_path: str) -> None:
+    rmtree_onexc_python_version = ALL_RMTREE_ONEXC_PYTHON_VERSION_PARTS
+    try:
+        if sys.version_info >= rmtree_onexc_python_version:
+            shutil.rmtree(target_path, onexc=_strip_read_only_and_retry)
+        else:
+            shutil.rmtree(target_path, onerror=_strip_read_only_and_retry)
+    except OSError:
+        pass
+
+
+def prune_session_env(
+    session_env_directory: str,
+    session_id: str,
+    stale_age_seconds: float,
+) -> None:
+    """Remove the current session's directory and prune stale siblings."""
+    if session_id:
+        current_session_path = os.path.join(session_env_directory, session_id)
+        if os.path.isdir(current_session_path):
+            _force_rmtree(current_session_path)
+    if not os.path.isdir(session_env_directory):
+        return
+    stale_cutoff_seconds = time.time() - stale_age_seconds
+    try:
+        all_entry_names = os.listdir(session_env_directory)
+    except OSError:
+        return
+    for each_entry_name in all_entry_names:
+        entry_path = os.path.join(session_env_directory, each_entry_name)
+        try:
+            entry_mtime_seconds = os.path.getmtime(entry_path)
+        except OSError:
+            continue
+        if entry_mtime_seconds >= stale_cutoff_seconds:
+            continue
+        _force_rmtree(entry_path)
+
+
+def _read_session_id_from_stdin() -> str:
+    session_id_pattern = SESSION_ID_PATTERN
+    try:
+        payload = json.load(sys.stdin)
+    except (json.JSONDecodeError, ValueError):
+        return ""
+    if not isinstance(payload, dict):
+        return ""
+    raw_session_id = payload.get(SESSION_ID_PAYLOAD_KEY)
+    if not isinstance(raw_session_id, str):
+        return ""
+    if not session_id_pattern.fullmatch(raw_session_id):
+        return ""
+    return raw_session_id
+
+
+def main() -> None:
+    windows_platform_tag = WINDOWS_PLATFORM_TAG
+    if sys.platform != windows_platform_tag:
+        return
+    session_env_directory = SESSION_ENV_DIRECTORY
+    stale_age_seconds = STALE_AGE_SECONDS
+    session_id = _read_session_id_from_stdin()
+    prune_session_env(
+        session_env_directory=session_env_directory,
+        session_id=session_id,
+        stale_age_seconds=stale_age_seconds,
+    )
+
+
+if __name__ == "__main__":
+    main()