claude-dev-env 1.36.1 → 1.36.2

package/_shared/pr-loop/scripts/config/claude_permissions_constants.py

@@ -0,0 +1,36 @@
+"""Constants shared by grant_project_claude_permissions and revoke_project_claude_permissions."""
+
+from pathlib import Path
+
+from config.preflight_constants import GIT_DIRECTORY_NAME
+
+__all__ = (
+    "ALL_PERMISSION_ALLOW_TOOLS",
+    "AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE",
+    "CLAUDE_SETTINGS_DIRECTORY_NAME",
+    "CLAUDE_SETTINGS_FILENAME",
+    "GIT_DIRECTORY_NAME",
+    "TEXT_FILE_ENCODING",
+    "UNIQUE_TEMPORARY_SUFFIX_BYTE_LENGTH",
+    "get_claude_user_settings_path",
+)
+
+
+ALL_PERMISSION_ALLOW_TOOLS: tuple[str, ...] = ("Edit", "Write", "Read")
+
+AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE: str = (
+    "Trusted local workspace: {project_path}/.claude/** is the user's "
+    "project Claude Code config tree; edits inside are routine"
+)
+
+CLAUDE_SETTINGS_DIRECTORY_NAME: str = ".claude"
+
+CLAUDE_SETTINGS_FILENAME: str = "settings.json"
+
+TEXT_FILE_ENCODING: str = "utf-8"
+
+UNIQUE_TEMPORARY_SUFFIX_BYTE_LENGTH: int = 8
+
+
+def get_claude_user_settings_path() -> Path:
+    return Path.home() / CLAUDE_SETTINGS_DIRECTORY_NAME / CLAUDE_SETTINGS_FILENAME

package/_shared/pr-loop/scripts/config/claude_settings_keys_constants.py

@@ -0,0 +1,11 @@
+"""JSON key names for ~/.claude/settings.json sections used by grant/revoke."""
+
+CLAUDE_SETTINGS_PERMISSIONS_KEY: str = "permissions"
+
+CLAUDE_SETTINGS_ALLOW_KEY: str = "allow"
+
+CLAUDE_SETTINGS_ADDITIONAL_DIRECTORIES_KEY: str = "additionalDirectories"
+
+CLAUDE_SETTINGS_AUTO_MODE_KEY: str = "autoMode"
+
+CLAUDE_SETTINGS_ENVIRONMENT_KEY: str = "environment"

package/_shared/pr-loop/scripts/config/code_rules_gate_constants.py

@@ -0,0 +1,56 @@
+"""Constants for code_rules_gate.py per CODE_RULES centralized-config rule."""
+
+MAX_VIOLATIONS_PER_CHECK: int = 3
+EXPECTED_TUPLE_PAIR_LENGTH: int = 2
+
+ALL_CODE_FILE_EXTENSIONS: frozenset[str] = frozenset(
+    {".py", ".js", ".ts", ".tsx", ".jsx"}
+)
+
+ALL_LITERAL_KEYWORD_EXEMPTIONS: frozenset[str] = frozenset(
+    {"true", "false", "none", "null"}
+)
+
+CONFIG_PATH_SEGMENT: str = "/config/"
+
+TESTS_PATH_SEGMENT: str = "/tests/"
+
+ALL_TEST_FILENAME_SUFFIXES: tuple[str, ...] = ("_test.py",)
+
+ALL_TEST_FILENAME_GLOB_SUFFIXES: tuple[str, ...] = (
+    ".test.",
+    ".spec.",
+)
+
+TEST_CONFTEST_FILENAME: str = "conftest.py"
+
+TEST_FILENAME_PREFIX: str = "test_"
+
+MINIMUM_COLUMN_NAME_LENGTH_AFTER_FIRST_CHAR: int = 2
+
+COLUMN_KEY_PATTERN_TEMPLATE: str = r"^[a-z][a-z0-9_]{{{minimum_length},}}$"
+
+GIT_NAME_STATUS_ADDED_PREFIX: str = "A"
+
+GIT_NAME_STATUS_RENAMED_PREFIX: str = "R"
+
+EXPECTED_RENAME_COLUMN_COUNT: int = 3
+
+EXPECTED_NON_RENAME_COLUMN_COUNT: int = 2
+
+PYTHON_FILE_EXTENSION: str = ".py"
+
+ALL_GIT_DIFF_CACHED_NAME_ONLY_NULL_TERMINATED_COMMAND: tuple[str, ...] = (
+    "git",
+    "diff",
+    "--cached",
+    "--name-only",
+    "-z",
+)
+
+ALL_GIT_DIFF_NAME_ONLY_NULL_TERMINATED_COMMAND_PREFIX: tuple[str, ...] = (
+    "git",
+    "diff",
+    "--name-only",
+    "-z",
+)

package/_shared/pr-loop/scripts/config/fix_hookspath_constants.py

@@ -0,0 +1,25 @@
+"""Configuration constants for fix_hookspath auto-remediation script."""
+
+ALL_CANONICAL_HOOKS_DIRECTORY_COMPONENTS: tuple[str, str, str] = (
+    ".claude",
+    "hooks",
+    "git-hooks",
+)
+
+HOOKS_PATH_SUFFIX: str = "/".join(ALL_CANONICAL_HOOKS_DIRECTORY_COMPONENTS)
+
+HOOKS_PATH_VERIFICATION_SUFFIX: str = "/".join(ALL_CANONICAL_HOOKS_DIRECTORY_COMPONENTS[-2:])
+
+ALL_HOME_ENV_VAR_NAMES: tuple[str, str] = ("HOME", "USERPROFILE")
+
+PREFLIGHT_NO_PYTEST_FLAG: str = "--no-pytest"
+
+PREFLIGHT_REPO_ROOT_FLAG: str = "--repo-root"
+
+ALL_GIT_GLOBAL_GET_CORE_HOOKS_PATH_COMMAND: tuple[str, ...] = (
+    "git",
+    "config",
+    "--global",
+    "--get",
+    "core.hooksPath",
+)

package/_shared/pr-loop/scripts/config/gh_util_constants.py

@@ -0,0 +1,31 @@
+"""Constants for gh_util.py per CODE_RULES centralized-config rule."""
+
+DEFAULT_TIMEOUT_SECONDS: int = 30
+DEFAULT_RETRIES: int = 2
+DEFAULT_BACKOFF_SECONDS: float = 1.0
+EXPONENTIAL_BACKOFF_BASE: int = 2
+GH_TIMEOUT_RETURN_CODE: int = 124
+INLINE_REVIEW_COMMENTS_PATH_TEMPLATE: str = (
+    "/repos/{owner}/{repo}/pulls/{pull_number}/comments"
+)
+
+ALL_TRANSIENT_ERROR_MARKERS: tuple[str, ...] = (
+    "connection reset",
+    "connection refused",
+    "timeout",
+    "timed out",
+    "temporarily unavailable",
+    "502",
+    "503",
+    "504",
+    "rate limit",
+)
+
+ALL_AUTH_ERROR_MARKERS: tuple[str, ...] = (
+    "gh auth login",
+    "authentication failed",
+    "http 401",
+    "http 403",
+    "forbidden",
+    "resource not accessible",
+)

package/_shared/pr-loop/scripts/config/preflight_constants.py

@@ -0,0 +1,47 @@
+"""Configuration constants for the bugteam preflight script."""
+
+BUGTEAM_PREFLIGHT_SKIP_ENV_VAR_NAME: str = "BUGTEAM_PREFLIGHT_SKIP"
+
+BUGTEAM_PREFLIGHT_SKIP_ENABLED_VALUE: str = "1"
+
+GIT_DIRECTORY_NAME: str = ".git"
+
+CLAUDE_DIRECTORY_NAME: str = ".claude"
+
+VENV_DIRECTORY_NAME: str = ".venv"
+
+PYTEST_INI_FILENAME: str = "pytest.ini"
+
+PYPROJECT_TOML_FILENAME: str = "pyproject.toml"
+
+PRE_COMMIT_CONFIG_YAML_FILENAME: str = ".pre-commit-config.yaml"
+
+PYTEST_TOML_TABLE_PREFIX: str = "[tool.pytest"
+
+ALL_TEST_FILE_PATTERNS_FOR_DISCOVERY: tuple[str, str] = (
+    "test_*.py",
+    "*_test.py",
+)
+
+ALL_TESTS_DIRECTORY_IGNORE_PARTS: frozenset[str] = frozenset(
+    {"site-packages", VENV_DIRECTORY_NAME, "venv", "node_modules"}
+)
+
+ALL_REPOSITORY_ROOT_MARKER_FILENAMES: tuple[str, str] = (
+    GIT_DIRECTORY_NAME,
+    PYTEST_INI_FILENAME,
+)
+
+ALL_GIT_CONFIG_GET_CORE_HOOKS_PATH_SUBCOMMAND: tuple[str, str, str] = (
+    "config",
+    "--get",
+    "core.hooksPath",
+)
+
+ALL_PRE_COMMIT_RUN_ALL_FILES_COMMAND: tuple[str, str, str] = (
+    "pre-commit",
+    "run",
+    "--all-files",
+)
+
+PYTEST_NO_TESTS_COLLECTED_EXIT_CODE: int = 5

package/_shared/pr-loop/scripts/fix_hookspath.py

@@ -0,0 +1,260 @@
+import argparse
+import subprocess
+import sys
+from pathlib import Path
+
+sys.modules.pop("config", None)
+if str(Path(__file__).resolve().parent) not in sys.path:
+    sys.path.insert(0, str(Path(__file__).resolve().parent))
+
+from config.fix_hookspath_constants import (
+    ALL_CANONICAL_HOOKS_DIRECTORY_COMPONENTS,
+    ALL_GIT_GLOBAL_GET_CORE_HOOKS_PATH_COMMAND,
+    ALL_HOME_ENV_VAR_NAMES,
+    HOOKS_PATH_SUFFIX,
+    PREFLIGHT_NO_PYTEST_FLAG,
+    PREFLIGHT_REPO_ROOT_FLAG,
+)
+from config.preflight_constants import GIT_DIRECTORY_NAME
+
+
+def resolve_canonical_hooks_directory(
+    all_environment_overrides: dict[str, str] | None,
+) -> Path:
+    if all_environment_overrides is not None:
+        for each_env_var_name in ALL_HOME_ENV_VAR_NAMES:
+            home_value = all_environment_overrides.get(each_env_var_name)
+            if home_value:
+                return Path(home_value).joinpath(*ALL_CANONICAL_HOOKS_DIRECTORY_COMPONENTS)
+    return Path.home().joinpath(*ALL_CANONICAL_HOOKS_DIRECTORY_COMPONENTS)
+
+
+def list_local_core_hooks_path_values(
+    repository_root: Path,
+    all_environment_overrides: dict[str, str] | None,
+) -> list[str]:
+    git_command = [
+        "git",
+        "-C",
+        str(repository_root),
+        "config",
+        "--local",
+        "--get-all",
+        "core.hooksPath",
+    ]
+    completed_process = subprocess.run(
+        git_command,
+        capture_output=True,
+        text=True,
+        encoding="utf-8",
+        errors="replace",
+        check=False,
+        env=all_environment_overrides,
+    )
+    if completed_process.returncode != 0:
+        diagnostic_stderr = completed_process.stderr.strip()
+        if diagnostic_stderr:
+            print(
+                "fix_hookspath: git read of local core.hooksPath on "
+                f"{repository_root} exited {completed_process.returncode}: "
+                f"{diagnostic_stderr}",
+                file=sys.stderr,
+            )
+        return []
+    return [
+        each_line.strip()
+        for each_line in completed_process.stdout.splitlines()
+        if each_line.strip()
+    ]
+
+
+def read_global_core_hooks_path(
+    all_environment_overrides: dict[str, str] | None,
+) -> str:
+    git_command = list(ALL_GIT_GLOBAL_GET_CORE_HOOKS_PATH_COMMAND)
+    completed_process = subprocess.run(
+        git_command,
+        capture_output=True,
+        text=True,
+        encoding="utf-8",
+        errors="replace",
+        check=False,
+        env=all_environment_overrides,
+    )
+    if completed_process.returncode != 0:
+        diagnostic_stderr = completed_process.stderr.strip()
+        if diagnostic_stderr:
+            print(
+                "fix_hookspath: git read of global core.hooksPath exited "
+                f"{completed_process.returncode}: {diagnostic_stderr}",
+                file=sys.stderr,
+            )
+        return ""
+    return completed_process.stdout.strip()
+
+
+def unset_local_core_hooks_path(
+    repository_root: Path,
+    all_environment_overrides: dict[str, str] | None,
+) -> int:
+    git_command = [
+        "git",
+        "-C",
+        str(repository_root),
+        "config",
+        "--local",
+        "--unset-all",
+        "core.hooksPath",
+    ]
+    completed_process = subprocess.run(
+        git_command,
+        capture_output=True,
+        text=True,
+        check=False,
+        env=all_environment_overrides,
+    )
+    return completed_process.returncode
+
+
+def set_global_core_hooks_path(
+    target_value: str,
+    all_environment_overrides: dict[str, str] | None,
+) -> int:
+    git_command = ["git", "config", "--global", "core.hooksPath", target_value]
+    completed_process = subprocess.run(
+        git_command,
+        capture_output=True,
+        text=True,
+        check=False,
+        env=all_environment_overrides,
+    )
+    return completed_process.returncode
+
+
+def normalize_hooks_path(raw_value: str) -> str:
+    return raw_value.replace("\\", "/").rstrip("/")
+
+
+def is_canonical_hooks_path(raw_value: str) -> bool:
+    if not raw_value:
+        return False
+    return normalize_hooks_path(raw_value).endswith(HOOKS_PATH_SUFFIX)
+
+
+def find_repository_root(start: Path) -> Path:
+    resolved_start = start.resolve()
+    candidate_paths = [resolved_start, *resolved_start.parents]
+    for each_candidate in candidate_paths:
+        marker = each_candidate / GIT_DIRECTORY_NAME
+        if marker.is_dir() or marker.is_file():
+            return each_candidate
+    return resolved_start
+
+
+def rerun_preflight(
+    repository_root: Path,
+    all_environment_overrides: dict[str, str] | None,
+) -> int:
+    preflight_script_path = Path(__file__).resolve().parent / "preflight.py"
+    rerun_command = [
+        sys.executable,
+        str(preflight_script_path),
+        PREFLIGHT_NO_PYTEST_FLAG,
+        PREFLIGHT_REPO_ROOT_FLAG,
+        str(repository_root),
+    ]
+    completed_process = subprocess.run(
+        rerun_command,
+        check=False,
+        env=all_environment_overrides,
+    )
+    return completed_process.returncode
+
+
+def parse_arguments(all_arguments: list[str] | None) -> argparse.Namespace:
+    parser = argparse.ArgumentParser(
+        description=(
+            "Auto-fix core.hooksPath when bugteam preflight detects a stale override. "
+            "Removes a local-scope override and ensures global core.hooksPath points "
+            "at the canonical claude-dev-env git-hooks directory."
+        ),
+    )
+    parser.add_argument(
+        "--repo-root",
+        type=Path,
+        default=None,
+        help="Repository root (default: discover from cwd).",
+    )
+    return parser.parse_args(all_arguments)
+
+
+def main(
+    all_arguments: list[str],
+    all_environment_overrides: dict[str, str] | None,
+) -> int:
+    arguments = parse_arguments(all_arguments)
+    start_directory = Path.cwd()
+    repository_root = (
+        arguments.repo_root.resolve()
+        if arguments.repo_root is not None
+        else find_repository_root(start_directory)
+    )
+    canonical_hooks_directory = resolve_canonical_hooks_directory(all_environment_overrides)
+    expected_suffix = HOOKS_PATH_SUFFIX
+    if not canonical_hooks_directory.is_dir():
+        print(
+            "fix_hookspath: canonical hooks directory does not exist: "
+            f"{canonical_hooks_directory}\n"
+            "Run: npx claude-dev-env .\n"
+            "Then re-run /bugteam. The directory must end in "
+            f"'{expected_suffix}' and contain the claude-dev-env git hook shims.",
+            file=sys.stderr,
+        )
+        return 1
+    local_hooks_path_values = list_local_core_hooks_path_values(
+        repository_root,
+        all_environment_overrides,
+    )
+    has_non_canonical_local_override = any(
+        not is_canonical_hooks_path(each_value)
+        for each_value in local_hooks_path_values
+    )
+    if has_non_canonical_local_override:
+        unset_local_returncode = unset_local_core_hooks_path(
+            repository_root, all_environment_overrides
+        )
+        if unset_local_returncode != 0:
+            print(
+                "fix_hookspath: failed to unset local core.hooksPath on "
+                f"{repository_root} (git exit {unset_local_returncode}).",
+                file=sys.stderr,
+            )
+            return 1
+        print(
+            "fix_hookspath: removed stale local core.hooksPath override on "
+            f"{repository_root}",
+            file=sys.stderr,
+        )
+    current_global_value = read_global_core_hooks_path(all_environment_overrides)
+    if not is_canonical_hooks_path(current_global_value):
+        canonical_target_value = str(canonical_hooks_directory).replace("\\", "/")
+        global_set_exit_code = set_global_core_hooks_path(
+            canonical_target_value,
+            all_environment_overrides,
+        )
+        if global_set_exit_code != 0:
+            print(
+                "fix_hookspath: failed to set global core.hooksPath to "
+                f"{canonical_target_value} (git exit {global_set_exit_code}).",
+                file=sys.stderr,
+            )
+            return 1
+        print(
+            f"fix_hookspath: set global core.hooksPath to {canonical_target_value}",
+            file=sys.stderr,
+        )
+    return rerun_preflight(repository_root, all_environment_overrides)
+
+
+if __name__ == "__main__":
+    raise SystemExit(main(sys.argv[1:], None))

package/_shared/pr-loop/scripts/gh_util.py

@@ -0,0 +1,193 @@
+"""Shared helpers for invoking GitHub CLI with basic resiliency."""
+
+import json
+import subprocess
+import sys
+import time
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Sequence
+
+sys.modules.pop("config", None)
+if str(Path(__file__).resolve().parent) not in sys.path:
+    sys.path.insert(0, str(Path(__file__).resolve().parent))
+
+from config.gh_util_constants import (
+    ALL_AUTH_ERROR_MARKERS,
+    ALL_TRANSIENT_ERROR_MARKERS,
+    DEFAULT_BACKOFF_SECONDS,
+    DEFAULT_RETRIES,
+    DEFAULT_TIMEOUT_SECONDS,
+    EXPONENTIAL_BACKOFF_BASE,
+    GH_TIMEOUT_RETURN_CODE,
+    INLINE_REVIEW_COMMENTS_PATH_TEMPLATE,
+)
+
+
+@dataclass(frozen=True)
+class GhResult:
+    returncode: int
+    stdout: str
+    stderr: str
+    is_timed_out: bool = False
+
+
+def _is_transient_error(message: str) -> bool:
+    lowered = message.lower()
+    return any(each_marker in lowered for each_marker in ALL_TRANSIENT_ERROR_MARKERS)
+
+
+def _is_auth_error(message: str) -> bool:
+    lowered = message.lower()
+    return any(each_marker in lowered for each_marker in ALL_AUTH_ERROR_MARKERS)
+
+
+def _ensure_text(text_or_bytes: str | bytes | None) -> str:
+    if text_or_bytes is None:
+        return ""
+    if isinstance(text_or_bytes, bytes):
+        return text_or_bytes.decode(errors="replace")
+    return text_or_bytes
+
+
+def run_gh(
+    all_command: Sequence[str],
+    *,
+    timeout_seconds: int = DEFAULT_TIMEOUT_SECONDS,
+) -> GhResult:
+    """Run a gh command with timeout + transient retry handling.
+
+    Retries are attempted only for transient failures (network/server/rate-limit style
+    messages). Auth/scope failures are returned immediately to fail closed.
+    """
+    if timeout_seconds <= 0:
+        raise ValueError("timeout_seconds must be positive")
+    max_attempts = DEFAULT_RETRIES + 1
+    each_attempt = 0
+    while True:
+        try:
+            gh_completion = subprocess.run(
+                all_command,
+                check=False,
+                capture_output=True,
+                text=True,
+                timeout=timeout_seconds,
+            )
+        except subprocess.TimeoutExpired as error:
+            error_stderr = _ensure_text(error.stderr)
+            error_stdout = _ensure_text(error.stdout)
+            message = (
+                error_stderr or error_stdout or ""
+            ).strip() or "gh command timed out"
+            last_result = GhResult(
+                returncode=GH_TIMEOUT_RETURN_CODE,
+                stdout="",
+                stderr=message,
+                is_timed_out=True,
+            )
+            if each_attempt < max_attempts - 1:
+                time.sleep(
+                    DEFAULT_BACKOFF_SECONDS
+                    * (EXPONENTIAL_BACKOFF_BASE**each_attempt)
+                )
+                each_attempt += 1
+                continue
+            return last_result
+
+        gh_result = GhResult(
+            returncode=gh_completion.returncode,
+            stdout=gh_completion.stdout,
+            stderr=gh_completion.stderr,
+        )
+        if gh_result.returncode == 0:
+            return gh_result
+
+        combined = f"{gh_result.stderr}\n{gh_result.stdout}".strip()
+        if _is_auth_error(combined):
+            return gh_result
+        if each_attempt < max_attempts - 1 and _is_transient_error(combined):
+            time.sleep(
+                DEFAULT_BACKOFF_SECONDS * (EXPONENTIAL_BACKOFF_BASE**each_attempt)
+            )
+            each_attempt += 1
+            continue
+        return gh_result
+
+
+def fetch_inline_review_comments(
+    owner: str,
+    repo: str,
+    pull_number: int,
+    timeout_seconds: int = DEFAULT_TIMEOUT_SECONDS,
+) -> list[dict[str, object]] | None:
+    """Fetch inline review comments for a pull request from the GitHub API.
+
+    Returns the parsed list of comment objects on success, or None when the
+    gh call fails or returns invalid/unexpected JSON. This preserves the
+    distinction between "no inline comments" and "unable to determine
+    inline comments".
+    """
+    api_path = INLINE_REVIEW_COMMENTS_PATH_TEMPLATE.format(
+        owner=owner, repo=repo, pull_number=pull_number
+    )
+    fetch_result = run_gh(
+        [
+            "gh",
+            "-R",
+            f"{owner}/{repo}",
+            "api",
+            api_path,
+            "--paginate",
+        ],
+        timeout_seconds=timeout_seconds,
+    )
+    if fetch_result.returncode != 0:
+        return None
+    parsed = _parse_paginated_json_array_documents(fetch_result.stdout)
+    if parsed is None:
+        return None
+    if not all(isinstance(each_item, dict) for each_item in parsed):
+        return None
+    return parsed
+
+
+def _parse_paginated_json_array_documents(
+    raw_output: str,
+) -> list[dict[str, object]] | None:
+    """Parse gh --paginate output that emits one JSON array per page.
+
+    Concatenated array documents (`[...][...]`) are decoded one at a time
+    using json.JSONDecoder.raw_decode and merged into a single flat list.
+    Returns None when any decoded document is not a JSON array.
+    """
+    decoder = json.JSONDecoder()
+    cursor_index = 0
+    output_length = len(raw_output)
+    flattened: list[dict[str, object]] = []
+    while cursor_index < output_length:
+        while cursor_index < output_length and raw_output[cursor_index].isspace():
+            cursor_index += 1
+        if cursor_index >= output_length:
+            break
+        try:
+            decoded_document, end_index = decoder.raw_decode(
+                raw_output, cursor_index
+            )
+        except json.JSONDecodeError:
+            return None
+        if not isinstance(decoded_document, list):
+            return None
+        flattened.extend(decoded_document)
+        cursor_index = end_index
+    return flattened
+
+
+def parse_owner_repo(repository: str) -> tuple[str, str]:
+    if "/" not in repository:
+        raise ValueError("repository must be owner/repo with exactly one slash")
+    owner, name = repository.split("/", maxsplit=1)
+    if not owner or not name:
+        raise ValueError("repository must be owner/repo with exactly one slash")
+    if "/" in name:
+        raise ValueError("repository must be owner/repo with exactly one slash")
+    return owner, name