claude-dev-env 1.36.1 → 1.36.2

package/_shared/pr-loop/scripts/grant_project_claude_permissions.py

@@ -0,0 +1,130 @@
+"""Grant Edit/Write/Read permissions on the current directory's .claude tree.
+
+Run from the project root whose .claude/** you want a Claude Code session
+(including spawned subagents) to edit without prompting. Writes idempotent
+entries into the user-scope settings at ~/.claude/settings.json and prints
+the changes applied. No-op when the entries already exist.
+"""
+
+import sys
+from pathlib import Path
+
+sys.modules.pop("config", None)
+if str(Path(__file__).resolve().parent) not in sys.path:
+    sys.path.insert(0, str(Path(__file__).resolve().parent))
+
+from _claude_permissions_common import (  # noqa: E402
+    append_if_missing,
+    build_permission_rules,
+    ensure_dict_section,
+    ensure_list_entry,
+    exit_with_error,
+    get_current_project_path,
+    is_valid_project_root,
+    load_settings,
+    save_settings,
+)
+from config.claude_permissions_constants import (  # noqa: E402
+    ALL_PERMISSION_ALLOW_TOOLS,
+    AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE,
+    get_claude_user_settings_path,
+)
+from config.claude_settings_keys_constants import (  # noqa: E402
+    CLAUDE_SETTINGS_ADDITIONAL_DIRECTORIES_KEY,
+    CLAUDE_SETTINGS_ALLOW_KEY,
+    CLAUDE_SETTINGS_AUTO_MODE_KEY,
+    CLAUDE_SETTINGS_ENVIRONMENT_KEY,
+    CLAUDE_SETTINGS_PERMISSIONS_KEY,
+)
+
+
+def add_rules_to_allow_list(
+    all_settings: dict[str, object], all_rules_to_add: list[str]
+) -> int:
+    permissions_section = ensure_dict_section(
+        all_settings, CLAUDE_SETTINGS_PERMISSIONS_KEY
+    )
+    existing_allow_list = ensure_list_entry(
+        permissions_section, CLAUDE_SETTINGS_ALLOW_KEY
+    )
+    return sum(
+        1
+        for each_rule in all_rules_to_add
+        if append_if_missing(existing_allow_list, each_rule)
+    )
+
+
+def add_directory_to_additional_directories(
+    all_settings: dict[str, object], directory_path: str
+) -> int:
+    permissions_section = ensure_dict_section(
+        all_settings, CLAUDE_SETTINGS_PERMISSIONS_KEY
+    )
+    existing_directories = ensure_list_entry(
+        permissions_section, CLAUDE_SETTINGS_ADDITIONAL_DIRECTORIES_KEY
+    )
+    if append_if_missing(existing_directories, directory_path):
+        return 1
+    return 0
+
+
+def add_auto_mode_environment_entry(
+    all_settings: dict[str, object], entry_text: str
+) -> int:
+    auto_mode_section = ensure_dict_section(
+        all_settings, CLAUDE_SETTINGS_AUTO_MODE_KEY
+    )
+    existing_environment = ensure_list_entry(
+        auto_mode_section, CLAUDE_SETTINGS_ENVIRONMENT_KEY
+    )
+    if append_if_missing(existing_environment, entry_text):
+        return 1
+    return 0
+
+
+def grant_permissions_for_current_directory() -> None:
+    claude_user_settings_path: Path = get_claude_user_settings_path()
+    project_root_path = Path.cwd()
+    if not is_valid_project_root(project_root_path):
+        print(
+            f"ERROR: cwd {project_root_path} is not a project root "
+            f"(no .git or .claude). Run from a project root.",
+            file=sys.stderr,
+        )
+        raise SystemExit(1)
+    project_path = get_current_project_path()
+    all_permission_rules = build_permission_rules(
+        project_path, ALL_PERMISSION_ALLOW_TOOLS
+    )
+    environment_entry = AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE.format(
+        project_path=project_path
+    )
+    settings = load_settings(claude_user_settings_path)
+    rules_added_count = add_rules_to_allow_list(settings, all_permission_rules)
+    directories_added_count = add_directory_to_additional_directories(
+        settings, project_path
+    )
+    environment_entries_added_count = add_auto_mode_environment_entry(
+        settings, environment_entry
+    )
+    total_changes_count = (
+        rules_added_count + directories_added_count + environment_entries_added_count
+    )
+    if total_changes_count == 0:
+        print(f"Project path: {project_path}")
+        print(f"Settings file: {claude_user_settings_path}")
+        print("No changes needed; settings file left untouched.")
+        return
+    save_settings(claude_user_settings_path, settings)
+    print(f"Project path: {project_path}")
+    print(f"Settings file: {claude_user_settings_path}")
+    print(f"Allow rules added: {rules_added_count} of {len(all_permission_rules)}")
+    print(f"Additional directories added: {directories_added_count}")
+    print(f"Auto-mode environment entries added: {environment_entries_added_count}")
+
+
+if __name__ == "__main__":
+    try:
+        grant_permissions_for_current_directory()
+    except ValueError as path_error:
+        exit_with_error(str(path_error))

package/_shared/pr-loop/scripts/preflight.py

@@ -0,0 +1,227 @@
+import argparse
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+sys.modules.pop("config", None)
+if str(Path(__file__).resolve().parent) not in sys.path:
+    sys.path.insert(0, str(Path(__file__).resolve().parent))
+
+from config.fix_hookspath_constants import HOOKS_PATH_VERIFICATION_SUFFIX
+from config.preflight_constants import (
+    ALL_GIT_CONFIG_GET_CORE_HOOKS_PATH_SUBCOMMAND,
+    ALL_PRE_COMMIT_RUN_ALL_FILES_COMMAND,
+    ALL_TEST_FILE_PATTERNS_FOR_DISCOVERY,
+    ALL_TESTS_DIRECTORY_IGNORE_PARTS,
+    BUGTEAM_PREFLIGHT_SKIP_ENABLED_VALUE,
+    BUGTEAM_PREFLIGHT_SKIP_ENV_VAR_NAME,
+    GIT_DIRECTORY_NAME,
+    PRE_COMMIT_CONFIG_YAML_FILENAME,
+    PYPROJECT_TOML_FILENAME,
+    PYTEST_INI_FILENAME,
+    PYTEST_NO_TESTS_COLLECTED_EXIT_CODE,
+    PYTEST_TOML_TABLE_PREFIX,
+)
+
+
+def verify_git_hooks_path(repository_root: Path | None = None) -> int:
+    """Check that core.hooksPath resolves to the claude-dev-env git-hooks directory.
+
+    When *repository_root* is provided, queries the effective config for that
+    repository (``git -C <root> config --get``), which detects repo-level
+    overrides such as Husky or lefthook. Falls back to the current working
+    directory's effective config when *repository_root* is None.
+
+    Returns zero when the configured path ends with the expected hooks suffix.
+    Returns non-zero and prints a correction message when unset or pointing elsewhere.
+    """
+    expected_hooks_path_suffix = HOOKS_PATH_VERIFICATION_SUFFIX
+    enforcement_absent_message = (
+        "Git-side CODE_RULES enforcement is not active on this host.\n"
+        "Run: npx claude-dev-env .\n"
+        "Or set core.hooksPath at any scope, e.g.:\n"
+        "  git config --global core.hooksPath ~/.claude/hooks/git-hooks"
+    )
+    git_command: list[str] = ["git"]
+    if repository_root is not None:
+        git_command.extend(["-C", str(repository_root)])
+    git_command.extend(list(ALL_GIT_CONFIG_GET_CORE_HOOKS_PATH_SUBCOMMAND))
+    try:
+        query_result = subprocess.run(
+            git_command,
+            capture_output=True,
+            text=True,
+            encoding="utf-8",
+            errors="replace",
+            check=False,
+        )
+    except FileNotFoundError:
+        print(
+            "bugteam_preflight: git is not installed or not available on PATH.\n"
+            f"{enforcement_absent_message}",
+            file=sys.stderr,
+        )
+        return 1
+    except OSError as os_error:
+        print(
+            f"bugteam_preflight: failed to run git: {os_error}\n"
+            f"{enforcement_absent_message}",
+            file=sys.stderr,
+        )
+        return 1
+    if query_result.returncode != 0:
+        print(
+            f"bugteam_preflight: {enforcement_absent_message}",
+            file=sys.stderr,
+        )
+        return 1
+    configured_path = query_result.stdout.strip().replace("\\", "/").rstrip("/")
+    if not configured_path.endswith(expected_hooks_path_suffix):
+        print(
+            f"bugteam_preflight: core.hooksPath is '{configured_path}' — "
+            f"expected path ending in '{expected_hooks_path_suffix}'.\n"
+            f"{enforcement_absent_message}",
+            file=sys.stderr,
+        )
+        return 1
+    return 0
+
+
+def find_repository_root(start: Path) -> Path:
+    resolved = start.resolve()
+    all_candidates = [resolved, *resolved.parents]
+    for each_candidate in all_candidates:
+        git_marker = each_candidate / GIT_DIRECTORY_NAME
+        if git_marker.is_dir() or git_marker.is_file():
+            return each_candidate
+    for each_candidate in all_candidates:
+        if (each_candidate / PYTEST_INI_FILENAME).is_file():
+            return each_candidate
+    return resolved
+
+
+def has_pytest_configuration(root: Path) -> bool:
+    if (root / PYTEST_INI_FILENAME).is_file():
+        return True
+    pyproject = root / PYPROJECT_TOML_FILENAME
+    if not pyproject.is_file():
+        return False
+    text = pyproject.read_text(encoding="utf-8", errors="replace")
+    return PYTEST_TOML_TABLE_PREFIX in text
+
+
+def has_discoverable_tests(root: Path) -> bool:
+    all_ignored_parts = ALL_TESTS_DIRECTORY_IGNORE_PARTS
+    test_filename_glob, test_suffix_glob = ALL_TEST_FILE_PATTERNS_FOR_DISCOVERY
+    for each_path in root.rglob(test_filename_glob):
+        if any(each_part in all_ignored_parts for each_part in each_path.parts):
+            continue
+        return True
+    for each_path in root.rglob(test_suffix_glob):
+        if any(each_part in all_ignored_parts for each_part in each_path.parts):
+            continue
+        return True
+    return False
+
+
+def _pytest_exit_code_no_tests_collected() -> int:
+    pytest_no_tests_collected_exit_code = PYTEST_NO_TESTS_COLLECTED_EXIT_CODE
+    return pytest_no_tests_collected_exit_code
+
+
+def run_pytest(repository_root: Path, verbose: bool) -> int:
+    command = [sys.executable, "-m", "pytest"]
+    if not verbose:
+        command.append("-q")
+    completed = subprocess.run(
+        command,
+        cwd=str(repository_root),
+        check=False,
+    )
+    if completed.returncode == _pytest_exit_code_no_tests_collected():
+        return 0
+    return completed.returncode
+
+
+def run_pre_commit(repository_root: Path) -> int:
+    completed = subprocess.run(
+        list(ALL_PRE_COMMIT_RUN_ALL_FILES_COMMAND),
+        cwd=str(repository_root),
+        check=False,
+    )
+    return completed.returncode
+
+
+def parse_arguments(all_arguments: list[str]) -> argparse.Namespace:
+    parser = argparse.ArgumentParser(
+        description="Run local checks before /bugteam (pytest, optional pre-commit).",
+    )
+    parser.add_argument(
+        "--repo-root",
+        type=Path,
+        default=None,
+        help="Repository root (default: discover from cwd).",
+    )
+    parser.add_argument(
+        "--no-pytest",
+        action="store_true",
+        help="Skip pytest.",
+    )
+    parser.add_argument(
+        "--pre-commit",
+        action="store_true",
+        help=f"Run pre-commit when {PRE_COMMIT_CONFIG_YAML_FILENAME} exists.",
+    )
+    parser.add_argument(
+        "-v",
+        "--verbose",
+        action="store_true",
+        help="Verbose pytest output.",
+    )
+    return parser.parse_args(all_arguments)
+
+
+def main(all_arguments: list[str]) -> int:
+    arguments = parse_arguments(all_arguments)
+    skip_env_var_name = BUGTEAM_PREFLIGHT_SKIP_ENV_VAR_NAME
+    skip_enabled_value = BUGTEAM_PREFLIGHT_SKIP_ENABLED_VALUE
+    if os.environ.get(skip_env_var_name, "").strip() == skip_enabled_value:
+        print(
+            f"bugteam_preflight: skipped ({skip_env_var_name}={skip_enabled_value}).",
+            file=sys.stderr,
+        )
+        return 0
+    start = Path.cwd()
+    repository_root = (
+        arguments.repo_root.resolve()
+        if arguments.repo_root is not None
+        else find_repository_root(start)
+    )
+    hooks_path_exit_code = verify_git_hooks_path(repository_root)
+    if hooks_path_exit_code != 0:
+        return hooks_path_exit_code
+    if not arguments.no_pytest and has_pytest_configuration(repository_root):
+        if not has_discoverable_tests(repository_root):
+            print(
+                "bugteam_preflight: pytest configured but no tests found; skipping pytest.",
+                file=sys.stderr,
+            )
+        else:
+            exit_code = run_pytest(repository_root, arguments.verbose)
+            if exit_code != 0:
+                return exit_code
+    elif not arguments.no_pytest:
+        print(
+            "bugteam_preflight: no pytest configuration found; skipping pytest.",
+            file=sys.stderr,
+        )
+    if arguments.pre_commit and (repository_root / PRE_COMMIT_CONFIG_YAML_FILENAME).is_file():
+        exit_code = run_pre_commit(repository_root)
+        if exit_code != 0:
+            return exit_code
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main(sys.argv[1:]))

package/_shared/pr-loop/scripts/revoke_project_claude_permissions.py

@@ -0,0 +1,156 @@
+"""Revoke the permissions previously granted by grant_project_claude_permissions.
+
+Run from the same project root you previously granted. Removes the matching
+allow rules, the additionalDirectories entry, and the autoMode environment
+entry from ~/.claude/settings.json. Safe to run when no prior grant exists.
+After removals, prunes any newly empty lists and their parent permissions or
+autoMode sections so repeated grant/revoke cycles leave no dead structure.
+"""
+
+import sys
+from pathlib import Path
+
+sys.modules.pop("config", None)
+if str(Path(__file__).resolve().parent) not in sys.path:
+    sys.path.insert(0, str(Path(__file__).resolve().parent))
+
+from _claude_permissions_common import (  # noqa: E402
+    build_permission_rules,
+    exit_with_error,
+    get_current_project_path,
+    is_valid_project_root,
+    load_settings,
+    prune_empty_list_then_empty_section,
+    save_settings,
+)
+from config.claude_permissions_constants import (  # noqa: E402
+    ALL_PERMISSION_ALLOW_TOOLS,
+    AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE,
+    get_claude_user_settings_path,
+)
+from config.claude_settings_keys_constants import (  # noqa: E402
+    CLAUDE_SETTINGS_ADDITIONAL_DIRECTORIES_KEY,
+    CLAUDE_SETTINGS_ALLOW_KEY,
+    CLAUDE_SETTINGS_AUTO_MODE_KEY,
+    CLAUDE_SETTINGS_ENVIRONMENT_KEY,
+    CLAUDE_SETTINGS_PERMISSIONS_KEY,
+)
+
+
+def remove_values_from_list(
+    all_target_list: list[object], all_values_to_remove: set[str]
+) -> int:
+    original_length = len(all_target_list)
+    all_target_list[:] = [
+        each_value
+        for each_value in all_target_list
+        if not (isinstance(each_value, str) and each_value in all_values_to_remove)
+    ]
+    return original_length - len(all_target_list)
+
+
+def remove_rules_from_allow_list(
+    all_settings: dict[str, object], all_rules_to_remove: list[str]
+) -> int:
+    permissions_section = all_settings.get(CLAUDE_SETTINGS_PERMISSIONS_KEY)
+    if not isinstance(permissions_section, dict):
+        return 0
+    existing_allow_list = permissions_section.get(CLAUDE_SETTINGS_ALLOW_KEY)
+    if not isinstance(existing_allow_list, list):
+        return 0
+    return remove_values_from_list(existing_allow_list, set(all_rules_to_remove))
+
+
+def remove_directory_from_additional_directories(
+    all_settings: dict[str, object], directory_path: str
+) -> int:
+    permissions_section = all_settings.get(CLAUDE_SETTINGS_PERMISSIONS_KEY)
+    if not isinstance(permissions_section, dict):
+        return 0
+    existing_directories = permissions_section.get(
+        CLAUDE_SETTINGS_ADDITIONAL_DIRECTORIES_KEY
+    )
+    if not isinstance(existing_directories, list):
+        return 0
+    return remove_values_from_list(existing_directories, {directory_path})
+
+
+def remove_auto_mode_environment_entry(
+    all_settings: dict[str, object], entry_text: str
+) -> int:
+    auto_mode_section = all_settings.get(CLAUDE_SETTINGS_AUTO_MODE_KEY)
+    if not isinstance(auto_mode_section, dict):
+        return 0
+    existing_environment = auto_mode_section.get(CLAUDE_SETTINGS_ENVIRONMENT_KEY)
+    if not isinstance(existing_environment, list):
+        return 0
+    return remove_values_from_list(existing_environment, {entry_text})
+
+
+def prune_settings_after_revoke(all_settings: dict[str, object]) -> None:
+    prune_empty_list_then_empty_section(
+        all_settings,
+        CLAUDE_SETTINGS_PERMISSIONS_KEY,
+        CLAUDE_SETTINGS_ALLOW_KEY,
+    )
+    prune_empty_list_then_empty_section(
+        all_settings,
+        CLAUDE_SETTINGS_PERMISSIONS_KEY,
+        CLAUDE_SETTINGS_ADDITIONAL_DIRECTORIES_KEY,
+    )
+    prune_empty_list_then_empty_section(
+        all_settings,
+        CLAUDE_SETTINGS_AUTO_MODE_KEY,
+        CLAUDE_SETTINGS_ENVIRONMENT_KEY,
+    )
+
+
+def revoke_permissions_for_current_directory() -> None:
+    claude_user_settings_path: Path = get_claude_user_settings_path()
+    project_root_path = Path.cwd()
+    if not is_valid_project_root(project_root_path):
+        print(
+            f"ERROR: cwd {project_root_path} is not a project root "
+            f"(no .git or .claude). Run from a project root.",
+            file=sys.stderr,
+        )
+        raise SystemExit(1)
+    project_path = get_current_project_path()
+    permission_rules = build_permission_rules(project_path, ALL_PERMISSION_ALLOW_TOOLS)
+    environment_entry = AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE.format(
+        project_path=project_path
+    )
+    settings = load_settings(claude_user_settings_path)
+    rules_removed_count = remove_rules_from_allow_list(settings, permission_rules)
+    directories_removed_count = remove_directory_from_additional_directories(
+        settings, project_path
+    )
+    environment_entries_removed_count = remove_auto_mode_environment_entry(
+        settings, environment_entry
+    )
+    total_changes_count = (
+        rules_removed_count
+        + directories_removed_count
+        + environment_entries_removed_count
+    )
+    if total_changes_count == 0:
+        print(f"Project path: {project_path}")
+        print(f"Settings file: {claude_user_settings_path}")
+        print("No changes to revoke; settings file left untouched.")
+        return
+    prune_settings_after_revoke(settings)
+    save_settings(claude_user_settings_path, settings)
+    print(f"Project path: {project_path}")
+    print(f"Settings file: {claude_user_settings_path}")
+    print(f"Allow rules removed: {rules_removed_count} of {len(permission_rules)}")
+    print(f"Additional directories removed: {directories_removed_count}")
+    print(
+        f"Auto-mode environment entries removed: {environment_entries_removed_count}"
+    )
+
+
+if __name__ == "__main__":
+    try:
+        revoke_permissions_for_current_directory()
+    except ValueError as path_error:
+        exit_with_error(str(path_error))

package/_shared/pr-loop/scripts/tests/conftest.py

@@ -0,0 +1,51 @@
+"""Test fixtures for _shared/pr-loop/scripts/.
+
+Two unrelated Python packages live under the name ``config`` in this repo:
+  - ``_shared/pr-loop/scripts/config/`` (constants for grant/revoke/gate/preflight scripts)
+  - ``hooks/config/`` (constants for the code-rules enforcer and other hooks)
+
+When tests under this directory exercise the gate (which loads
+``hooks/blocking/code_rules_enforcer.py``) and also load the grant/revoke
+scripts in the same pytest process, ``sys.modules['config']`` and
+``sys.modules['config.<submodule>']`` cache entries from one package leak
+into the other. The next ``from config.<submodule> import ...`` then fails
+with ``ModuleNotFoundError`` because the cached parent package does not
+expose that submodule.
+
+Independently, several scripts in this folder do
+``Path(__file__).resolve()`` then prepend the resulting directory to
+``sys.path``. On Windows when the working tree lives under a mapped drive
+backed by a UNC share (``Y:`` -> ``\\\\server\\share\\...``), ``.resolve()``
+returns the UNC form, and Python's import machinery on this host cannot
+locate ``config`` packages from a UNC ``sys.path`` entry. The Y:-form entry
+gets pushed to a later index by subsequent inserts, making ``from
+config.<submodule> import ...`` fail.
+
+This autouse fixture restores both invariants before each test:
+  1. evict every ``config`` and ``config.*`` entry from ``sys.modules``
+  2. prepend the drive-letter (``.absolute()``) form of the scripts
+     directory to ``sys.path`` so package resolution always has a
+     non-UNC path to search first
+"""
+
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+
+import pytest
+
+SCRIPTS_DIRECTORY_DRIVE_LETTER_FORM = str(Path(__file__).absolute().parent.parent)
+
+
+@pytest.fixture(autouse=True)
+def _evict_config_namespace_between_tests() -> None:
+    for each_module_name in [
+        each_key
+        for each_key in list(sys.modules)
+        if each_key == "config" or each_key.startswith("config.")
+    ]:
+        sys.modules.pop(each_module_name, None)
+    if SCRIPTS_DIRECTORY_DRIVE_LETTER_FORM in sys.path:
+        sys.path.remove(SCRIPTS_DIRECTORY_DRIVE_LETTER_FORM)
+    sys.path.insert(0, SCRIPTS_DIRECTORY_DRIVE_LETTER_FORM)

package/_shared/pr-loop/scripts/tests/test__claude_permissions_common.py

@@ -0,0 +1,135 @@
+"""Regression tests for the leading-underscore _claude_permissions_common module.
+
+The companion test_claude_permissions_common.py covers the public-name
+matched suite. This file holds tests the TDD enforcer pairs to the
+leading-underscore production filename.
+"""
+
+import importlib.util
+import json
+import sys
+from pathlib import Path
+from types import ModuleType
+
+import pytest
+
+
+def _load_common_module() -> ModuleType:
+    module_path = Path(__file__).parent.parent / "_claude_permissions_common.py"
+    parent_directory = str(module_path.parent.resolve())
+    if parent_directory not in sys.path:
+        sys.path.insert(0, parent_directory)
+    spec = importlib.util.spec_from_file_location(
+        "_claude_permissions_common", module_path
+    )
+    assert spec is not None
+    assert spec.loader is not None
+    module = importlib.util.module_from_spec(spec)
+    spec.loader.exec_module(module)
+    return module
+
+
+common = _load_common_module()
+
+
+def test_save_settings_chmods_after_replace_to_defeat_umask(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch
+) -> None:
+    """Regression: POSIX umask masks the mode passed to os.open, so the
+    "preserve mode" intent is silently defeated unless save_settings
+    chmods the final file after os.replace.
+    """
+    settings_path = tmp_path / "settings.json"
+    settings_path.write_text(json.dumps({}), encoding="utf-8")
+    captured_mode_to_preserve = 0o600
+    monkeypatch.setattr(
+        common, "get_mode_to_preserve", lambda _path: captured_mode_to_preserve
+    )
+
+    ordered_calls: list[tuple[str, str, int | None]] = []
+    real_replace = common.os.replace
+    real_chmod = common.os.chmod
+
+    def recording_replace(source_path: str, destination_path: str) -> None:
+        ordered_calls.append(("replace", str(destination_path), None))
+        real_replace(source_path, destination_path)
+
+    def recording_chmod(target_path: str, file_mode: int) -> None:
+        ordered_calls.append(("chmod", str(target_path), file_mode))
+        real_chmod(target_path, file_mode)
+
+    monkeypatch.setattr(common.os, "replace", recording_replace)
+    monkeypatch.setattr(common.os, "chmod", recording_chmod)
+
+    common.save_settings(settings_path, {"writer": "only"})
+
+    final_replace_index = next(
+        each_index
+        for each_index, each_call in enumerate(ordered_calls)
+        if each_call[0] == "replace" and each_call[1] == str(settings_path)
+    )
+    final_chmod_index = next(
+        (
+            each_index
+            for each_index, each_call in enumerate(ordered_calls)
+            if each_call[0] == "chmod"
+            and each_call[1] == str(settings_path)
+            and each_call[2] == captured_mode_to_preserve
+        ),
+        None,
+    )
+    assert final_chmod_index is not None
+    assert final_replace_index < final_chmod_index
+
+
+def test_path_contains_glob_metacharacters_rejects_true_metacharacters() -> None:
+    assert common.path_contains_glob_metacharacters("C:/some/path/*.py") is True
+    assert common.path_contains_glob_metacharacters("C:/some/path/[abc].py") is True
+    assert common.path_contains_glob_metacharacters("C:/some/{a,b}/file") is True
+
+
+
+
+def test_write_atomically_with_mode_closes_descriptor_when_fdopen_raises(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch
+) -> None:
+    """Regression: if os.fdopen fails, the raw descriptor from os.open must close.
+
+    Cursor Bugbot: without a failure path, the descriptor
+    leaks when fdopen raises before the file object assumes ownership.
+    """
+    closed_descriptors: list[int] = []
+    sentinel_descriptor = 91
+
+    def fake_open(_path: str, _flags: int, _mode: int = 0o777) -> int:
+        return sentinel_descriptor
+
+    def fake_fdopen(_file_descriptor: int, *_args: object, **_kwargs: object) -> object:
+        raise OSError("simulated fdopen failure")
+
+    def recording_close(file_descriptor: int) -> None:
+        closed_descriptors.append(file_descriptor)
+
+    monkeypatch.setattr(common.os, "open", fake_open)
+    monkeypatch.setattr(common.os, "fdopen", fake_fdopen)
+    monkeypatch.setattr(common.os, "close", recording_close)
+
+    temporary_path = tmp_path / "tempfile.tmp"
+    with pytest.raises(OSError, match="simulated fdopen failure"):
+        common.write_atomically_with_mode(temporary_path, "{}", 0o600)
+
+    assert closed_descriptors == [sentinel_descriptor]
+
+
+def test_path_contains_glob_metacharacters_accepts_windows_paths_with_parens() -> None:
+    """Regression: Windows paths like C:/Program Files (x86)/ must not raise ValueError.
+
+    `(`, `)`, and `,` are not glob metacharacters in Claude Code's permission
+    rule matching. Including them in the metacharacter set causes
+    get_current_project_path to raise ValueError for any user whose home
+    directory contains parentheses (e.g. `C:/Users/Jon (Admin)/...`).
+    """
+    assert common.path_contains_glob_metacharacters("C:/Program Files (x86)/app") is False
+    assert common.path_contains_glob_metacharacters("C:/Users/Jon (Admin)/project") is False
+    assert common.path_contains_glob_metacharacters("C:/Projects/a,b/file.py") is False
+