claude-dev-env 1.38.0 → 1.39.0

package/hooks/blocking/test_code_rules_enforcer_any_imports_and_cast.py

@@ -0,0 +1,92 @@
+"""Tests for `from typing import Any` and `cast()` detection in production.
+
+CODE_RULES.md §6 (no `Any`) and Plan Phase 1a require:
+- `from typing import Any` (and re-export forms) flagged in production
+- `from typing import *` flagged (introduces Any access)
+- `cast()` calls flagged in production
+- Test files exempt; hook infrastructure exempt
+"""
+
+from __future__ import annotations
+
+import importlib.util
+from pathlib import Path
+from types import ModuleType
+
+
+def _load_enforcer_module() -> ModuleType:
+    module_path = Path(__file__).parent / "code_rules_enforcer.py"
+    spec = importlib.util.spec_from_file_location("code_rules_enforcer", module_path)
+    assert spec is not None
+    assert spec.loader is not None
+    module = importlib.util.module_from_spec(spec)
+    spec.loader.exec_module(module)
+    return module
+
+
+code_rules_enforcer = _load_enforcer_module()
+check_type_escape_hatches = code_rules_enforcer.check_type_escape_hatches
+
+PRODUCTION_FILE_PATH = "/project/src/module.py"
+TEST_FILE_PATH = "/project/src/test_module.py"
+
+
+def test_should_flag_from_typing_import_any() -> None:
+    source = "from typing import Any\n"
+    issues = check_type_escape_hatches(source, PRODUCTION_FILE_PATH)
+    assert any(
+        "Any" in each_issue and "import" in each_issue.lower() for each_issue in issues
+    ), f"Expected 'from typing import Any' to be flagged, got: {issues!r}"
+
+
+def test_should_flag_from_typing_import_any_among_others() -> None:
+    source = "from typing import Optional, Any, Dict\n"
+    issues = check_type_escape_hatches(source, PRODUCTION_FILE_PATH)
+    assert any(
+        "Any" in each_issue and "import" in each_issue.lower() for each_issue in issues
+    ), f"Expected 'Any' inside multi-import to be flagged, got: {issues!r}"
+
+
+def test_should_not_flag_from_typing_import_without_any() -> None:
+    source = "from typing import Optional, Dict, List\n"
+    issues = check_type_escape_hatches(source, PRODUCTION_FILE_PATH)
+    assert issues == [], (
+        f"Expected no issues for typing import without Any, got: {issues!r}"
+    )
+
+
+def test_should_flag_from_typing_import_star() -> None:
+    source = "from typing import *\n"
+    issues = check_type_escape_hatches(source, PRODUCTION_FILE_PATH)
+    assert any(
+        "import *" in each_issue or "wildcard" in each_issue.lower()
+        for each_issue in issues
+    ), f"Expected 'from typing import *' to be flagged, got: {issues!r}"
+
+
+def test_should_flag_cast_call_in_production() -> None:
+    source = "from typing import cast\n\nx = cast(str, value)\n"
+    issues = check_type_escape_hatches(source, PRODUCTION_FILE_PATH)
+    assert any("cast" in each_issue for each_issue in issues), (
+        f"Expected cast() call to be flagged, got: {issues!r}"
+    )
+
+
+def test_should_flag_typing_cast_call() -> None:
+    source = "import typing\n\nx = typing.cast(int, value)\n"
+    issues = check_type_escape_hatches(source, PRODUCTION_FILE_PATH)
+    assert any("cast" in each_issue for each_issue in issues), (
+        f"Expected typing.cast() call to be flagged, got: {issues!r}"
+    )
+
+
+def test_should_not_flag_cast_in_test_file() -> None:
+    source = "from typing import cast\nx = cast(str, value)\n"
+    issues = check_type_escape_hatches(source, TEST_FILE_PATH)
+    assert issues == [], f"Test files must be exempt, got: {issues!r}"
+
+
+def test_should_not_flag_typing_import_any_in_test_file() -> None:
+    source = "from typing import Any\nx: Any = 1\n"
+    issues = check_type_escape_hatches(source, TEST_FILE_PATH)
+    assert issues == [], f"Test files must be exempt, got: {issues!r}"

package/hooks/blocking/test_code_rules_enforcer_banned_import_alias.py

@@ -0,0 +1,143 @@
+"""Unit tests for banned-identifier coverage of import aliases.
+
+Covers the gap surfaced during PR #419: ``from config import rebase_constants as rc``
+slipped past both the Write/Edit hook and the commit-time gate because the
+banned-identifier check inspected only assignment targets, never import-alias
+binding targets. Also covers the expanded abbreviation list (rc, cfg, ctx,
+cnt, btn, idx, tmp, msg, elem, val) added per CODE_RULES.md §5.
+"""
+
+import importlib.util
+import pathlib
+import sys
+
+_HOOK_DIR = pathlib.Path(__file__).parent
+if str(_HOOK_DIR) not in sys.path:
+    sys.path.insert(0, str(_HOOK_DIR))
+
+hook_spec = importlib.util.spec_from_file_location(
+    "code_rules_enforcer",
+    _HOOK_DIR / "code_rules_enforcer.py",
+)
+assert hook_spec is not None
+assert hook_spec.loader is not None
+hook_module = importlib.util.module_from_spec(hook_spec)
+hook_spec.loader.exec_module(hook_module)
+check_banned_identifiers = hook_module.check_banned_identifiers
+
+PRODUCTION_FILE_PATH = "packages/app/services/loader.py"
+TEST_FILE_PATH = "packages/app/services/test_loader.py"
+
+
+def test_should_flag_from_import_alias_rc() -> None:
+    content = "from config import rebase_constants as rc\n"
+    issues = check_banned_identifiers(content, PRODUCTION_FILE_PATH)
+    assert any("'rc'" in each_issue for each_issue in issues), (
+        f"Expected 'rc' import alias flagged, got: {issues}"
+    )
+
+
+def test_should_flag_import_alias_rc() -> None:
+    content = "import rebase_constants as rc\n"
+    issues = check_banned_identifiers(content, PRODUCTION_FILE_PATH)
+    assert any("'rc'" in each_issue for each_issue in issues), (
+        f"Expected 'rc' bare-import alias flagged, got: {issues}"
+    )
+
+
+def test_should_flag_from_import_alias_cfg() -> None:
+    content = "from app import configuration as cfg\n"
+    issues = check_banned_identifiers(content, PRODUCTION_FILE_PATH)
+    assert any("'cfg'" in each_issue for each_issue in issues), (
+        f"Expected 'cfg' import alias flagged, got: {issues}"
+    )
+
+
+def test_should_flag_from_import_alias_ctx() -> None:
+    content = "from app import context as ctx\n"
+    issues = check_banned_identifiers(content, PRODUCTION_FILE_PATH)
+    assert any("'ctx'" in each_issue for each_issue in issues), (
+        f"Expected 'ctx' import alias flagged, got: {issues}"
+    )
+
+
+def test_should_flag_idx_assignment() -> None:
+    content = "def pick(items):\n    idx = 0\n    return items[idx]\n"
+    issues = check_banned_identifiers(content, PRODUCTION_FILE_PATH)
+    assert any("'idx'" in each_issue for each_issue in issues), (
+        f"Expected 'idx' assignment flagged — use index, got: {issues}"
+    )
+
+
+def test_should_flag_tmp_assignment() -> None:
+    content = "def swap(a, b):\n    tmp = a\n    return tmp\n"
+    issues = check_banned_identifiers(content, PRODUCTION_FILE_PATH)
+    assert any("'tmp'" in each_issue for each_issue in issues), (
+        f"Expected 'tmp' assignment flagged — use temporary_value, got: {issues}"
+    )
+
+
+def test_should_flag_msg_assignment() -> None:
+    content = "def notify():\n    msg = build_message()\n    return msg\n"
+    issues = check_banned_identifiers(content, PRODUCTION_FILE_PATH)
+    assert any("'msg'" in each_issue for each_issue in issues), (
+        f"Expected 'msg' assignment flagged — use message, got: {issues}"
+    )
+
+
+def test_should_flag_elem_assignment() -> None:
+    content = "def first(items):\n    elem = items[0]\n    return elem\n"
+    issues = check_banned_identifiers(content, PRODUCTION_FILE_PATH)
+    assert any("'elem'" in each_issue for each_issue in issues), (
+        f"Expected 'elem' assignment flagged — use element, got: {issues}"
+    )
+
+
+def test_should_flag_val_assignment() -> None:
+    content = "def read():\n    val = compute()\n    return val\n"
+    issues = check_banned_identifiers(content, PRODUCTION_FILE_PATH)
+    assert any("'val'" in each_issue for each_issue in issues), (
+        f"Expected 'val' assignment flagged — use value, got: {issues}"
+    )
+
+
+def test_should_flag_cnt_assignment() -> None:
+    content = "def tally(items):\n    cnt = len(items)\n    return cnt\n"
+    issues = check_banned_identifiers(content, PRODUCTION_FILE_PATH)
+    assert any("'cnt'" in each_issue for each_issue in issues), (
+        f"Expected 'cnt' assignment flagged — use count, got: {issues}"
+    )
+
+
+def test_should_flag_btn_assignment() -> None:
+    content = "def click_handler():\n    btn = locate_button()\n    return btn\n"
+    issues = check_banned_identifiers(content, PRODUCTION_FILE_PATH)
+    assert any("'btn'" in each_issue for each_issue in issues), (
+        f"Expected 'btn' assignment flagged — use button, got: {issues}"
+    )
+
+
+def test_should_not_flag_import_alias_in_test_file() -> None:
+    content = "from config import rebase_constants as rc\n"
+    issues = check_banned_identifiers(content, TEST_FILE_PATH)
+    assert issues == [], (
+        f"Test files are exempt from banned-identifier checks, got: {issues}"
+    )
+
+
+def test_should_not_flag_import_alias_with_descriptive_name() -> None:
+    content = (
+        "from config import rebase_constants\n"
+        "import json as json_module\n"
+        "from typing import Optional as OptionalType\n"
+    )
+    issues = check_banned_identifiers(content, PRODUCTION_FILE_PATH)
+    assert issues == [], f"Descriptive import aliases must not flag, got: {issues}"
+
+
+def test_should_include_line_number_for_import_alias() -> None:
+    content = "import json\nfrom config import rebase_constants as rc\n"
+    issues = check_banned_identifiers(content, PRODUCTION_FILE_PATH)
+    assert len(issues) >= 1
+    assert "Line 2" in issues[0]
+    assert "'rc'" in issues[0]

package/hooks/blocking/test_code_rules_enforcer_banned_prefixes.py

@@ -0,0 +1,152 @@
+"""Tests for check_banned_prefixes — flags function names with generic prefixes.
+
+CODE_RULES.md §5 / AGENTS.md "Naming → Function names use specific verbs:
+parse_invoice, dispatch_event, migrate_schema. Generic prefixes to replace:
+handle_, process_, manage_, do_."
+
+The check fires on def / async def names (functions and methods) in
+production code, exempting test files and hook infrastructure.
+"""
+
+from __future__ import annotations
+
+import importlib.util
+from pathlib import Path
+from types import ModuleType
+
+
+def _load_enforcer_module() -> ModuleType:
+    module_path = Path(__file__).parent / "code_rules_enforcer.py"
+    spec = importlib.util.spec_from_file_location("code_rules_enforcer", module_path)
+    assert spec is not None
+    assert spec.loader is not None
+    module = importlib.util.module_from_spec(spec)
+    spec.loader.exec_module(module)
+    return module
+
+
+code_rules_enforcer = _load_enforcer_module()
+
+PRODUCTION_FILE_PATH = "src/example_production.py"
+TEST_FILE_PATH = "src/test_example.py"
+HOOK_INFRASTRUCTURE_FILE_PATH = "/home/user/.claude/hooks/blocking/example_hook.py"
+
+
+def test_should_flag_handle_prefixed_function() -> None:
+    content = "def handle_request(payload):\n    return payload\n"
+    issues = code_rules_enforcer.check_banned_prefixes(content, PRODUCTION_FILE_PATH)
+    assert any("handle_request" in each_issue for each_issue in issues), (
+        f"Expected 'handle_request' to be flagged, got: {issues!r}"
+    )
+
+
+def test_should_flag_process_prefixed_function() -> None:
+    content = "def process_data(items):\n    return items\n"
+    issues = code_rules_enforcer.check_banned_prefixes(content, PRODUCTION_FILE_PATH)
+    assert any("process_data" in each_issue for each_issue in issues), (
+        f"Expected 'process_data' to be flagged, got: {issues!r}"
+    )
+
+
+def test_should_flag_manage_prefixed_function() -> None:
+    content = "def manage_session(session_id):\n    return session_id\n"
+    issues = code_rules_enforcer.check_banned_prefixes(content, PRODUCTION_FILE_PATH)
+    assert any("manage_session" in each_issue for each_issue in issues), (
+        f"Expected 'manage_session' to be flagged, got: {issues!r}"
+    )
+
+
+def test_should_flag_do_prefixed_function() -> None:
+    content = "def do_thing(argument):\n    return argument\n"
+    issues = code_rules_enforcer.check_banned_prefixes(content, PRODUCTION_FILE_PATH)
+    assert any("do_thing" in each_issue for each_issue in issues), (
+        f"Expected 'do_thing' to be flagged, got: {issues!r}"
+    )
+
+
+def test_should_flag_async_function_with_banned_prefix() -> None:
+    content = "async def handle_event(event):\n    return event\n"
+    issues = code_rules_enforcer.check_banned_prefixes(content, PRODUCTION_FILE_PATH)
+    assert any("handle_event" in each_issue for each_issue in issues), (
+        f"Expected async 'handle_event' to be flagged, got: {issues!r}"
+    )
+
+
+def test_should_flag_method_with_banned_prefix() -> None:
+    content = (
+        "class OrderService:\n"
+        "    def process_order(self, order):\n"
+        "        return order\n"
+    )
+    issues = code_rules_enforcer.check_banned_prefixes(content, PRODUCTION_FILE_PATH)
+    assert any("process_order" in each_issue for each_issue in issues), (
+        f"Expected method 'process_order' to be flagged, got: {issues!r}"
+    )
+
+
+def test_should_not_flag_function_without_banned_prefix() -> None:
+    content = "def parse_invoice(payload):\n    return payload\n"
+    issues = code_rules_enforcer.check_banned_prefixes(content, PRODUCTION_FILE_PATH)
+    assert issues == [], f"Expected no issues for 'parse_invoice', got: {issues!r}"
+
+
+def test_should_not_flag_function_with_handle_substring_but_no_underscore() -> None:
+    content = "def handler(payload):\n    return payload\n"
+    issues = code_rules_enforcer.check_banned_prefixes(content, PRODUCTION_FILE_PATH)
+    assert issues == [], (
+        f"'handler' is a noun, not a banned 'handle_' prefix; got: {issues!r}"
+    )
+
+
+def test_should_not_flag_function_with_doctor_prefix() -> None:
+    content = "def doctor_visit(patient):\n    return patient\n"
+    issues = code_rules_enforcer.check_banned_prefixes(content, PRODUCTION_FILE_PATH)
+    assert issues == [], (
+        f"'doctor_visit' starts with 'do' but not 'do_'; got: {issues!r}"
+    )
+
+
+def test_should_skip_test_file() -> None:
+    content = "def handle_request(payload):\n    return payload\n"
+    issues = code_rules_enforcer.check_banned_prefixes(content, TEST_FILE_PATH)
+    assert issues == [], f"Test files must be exempt, got: {issues!r}"
+
+
+def test_should_skip_hook_infrastructure() -> None:
+    content = "def handle_request(payload):\n    return payload\n"
+    issues = code_rules_enforcer.check_banned_prefixes(
+        content, HOOK_INFRASTRUCTURE_FILE_PATH
+    )
+    assert issues == [], f"Hook infrastructure must be exempt, got: {issues!r}"
+
+
+def test_should_handle_syntax_error_gracefully() -> None:
+    content = "def handle_request(\n"
+    issues = code_rules_enforcer.check_banned_prefixes(content, PRODUCTION_FILE_PATH)
+    assert issues == [], f"Syntax errors must yield no issues, got: {issues!r}"
+
+
+def test_should_include_line_number_and_function_name() -> None:
+    content = "x = 1\n\ndef handle_event(event):\n    return event\n"
+    issues = code_rules_enforcer.check_banned_prefixes(content, PRODUCTION_FILE_PATH)
+    assert len(issues) == 1, f"Expected exactly one issue, got: {issues!r}"
+    assert "Line 3" in issues[0], (
+        f"Issue must include the line number, got: {issues[0]!r}"
+    )
+    assert "handle_event" in issues[0], (
+        f"Issue must include the function name, got: {issues[0]!r}"
+    )
+
+
+def test_should_cap_at_three_issues() -> None:
+    content = (
+        "def handle_one():\n    pass\n"
+        "def handle_two():\n    pass\n"
+        "def handle_three():\n    pass\n"
+        "def handle_four():\n    pass\n"
+        "def handle_five():\n    pass\n"
+    )
+    issues = code_rules_enforcer.check_banned_prefixes(content, PRODUCTION_FILE_PATH)
+    assert len(issues) <= 3, (
+        f"Issue count must be capped at 3, got {len(issues)}: {issues!r}"
+    )

package/hooks/blocking/test_code_rules_enforcer_bare_except.py

@@ -0,0 +1,120 @@
+"""Tests for check_bare_except — flags except: / except Exception: / except BaseException:.
+
+Per Plan 1c.bare_except_detector / Phase B4: bare exceptions swallow every
+error including KeyboardInterrupt and SystemExit. They hide bugs and make
+debugging impossible. Production code names the specific exception class
+it intends to catch.
+"""
+
+from __future__ import annotations
+
+import importlib.util
+from pathlib import Path
+from types import ModuleType
+
+
+def _load_enforcer_module() -> ModuleType:
+    module_path = Path(__file__).parent / "code_rules_enforcer.py"
+    spec = importlib.util.spec_from_file_location("code_rules_enforcer", module_path)
+    assert spec is not None
+    assert spec.loader is not None
+    module = importlib.util.module_from_spec(spec)
+    spec.loader.exec_module(module)
+    return module
+
+
+code_rules_enforcer = _load_enforcer_module()
+
+
+def check_bare_except(content: str, file_path: str) -> list[str]:
+    return code_rules_enforcer.check_bare_except(content, file_path)
+
+
+PRODUCTION_FILE_PATH = "/project/src/services.py"
+TEST_FILE_PATH = "/project/src/test_services.py"
+HOOK_INFRASTRUCTURE_PATH = "/home/user/.claude/hooks/blocking/example.py"
+
+
+def test_should_flag_bare_except() -> None:
+    source = "def fetch():\n    try:\n        do_thing()\n    except:\n        pass\n"
+    issues = check_bare_except(source, PRODUCTION_FILE_PATH)
+    assert any("bare except" in each.lower() for each in issues), (
+        f"Expected bare except: flagged, got: {issues!r}"
+    )
+
+
+def test_should_flag_except_exception() -> None:
+    source = (
+        "def fetch():\n"
+        "    try:\n"
+        "        do_thing()\n"
+        "    except Exception:\n"
+        "        pass\n"
+    )
+    issues = check_bare_except(source, PRODUCTION_FILE_PATH)
+    assert any("Exception" in each for each in issues), (
+        f"Expected 'except Exception:' flagged, got: {issues!r}"
+    )
+
+
+def test_should_flag_except_base_exception() -> None:
+    source = (
+        "def fetch():\n"
+        "    try:\n"
+        "        do_thing()\n"
+        "    except BaseException:\n"
+        "        pass\n"
+    )
+    issues = check_bare_except(source, PRODUCTION_FILE_PATH)
+    assert any("BaseException" in each for each in issues), (
+        f"Expected 'except BaseException:' flagged, got: {issues!r}"
+    )
+
+
+def test_should_not_flag_specific_exception() -> None:
+    source = (
+        "def fetch():\n"
+        "    try:\n"
+        "        do_thing()\n"
+        "    except ValueError:\n"
+        "        pass\n"
+    )
+    issues = check_bare_except(source, PRODUCTION_FILE_PATH)
+    assert issues == [], f"Specific exception must not be flagged, got: {issues!r}"
+
+
+def test_should_not_flag_tuple_of_exceptions() -> None:
+    source = (
+        "def fetch():\n"
+        "    try:\n"
+        "        do_thing()\n"
+        "    except (ValueError, KeyError):\n"
+        "        pass\n"
+    )
+    issues = check_bare_except(source, PRODUCTION_FILE_PATH)
+    assert issues == [], f"Tuple of exceptions must not be flagged, got: {issues!r}"
+
+
+def test_should_skip_test_file() -> None:
+    source = "try:\n    do_thing()\nexcept:\n    pass\n"
+    issues = check_bare_except(source, TEST_FILE_PATH)
+    assert issues == [], f"Test files exempt, got: {issues!r}"
+
+
+def test_should_skip_hook_infrastructure() -> None:
+    source = "try:\n    do_thing()\nexcept:\n    pass\n"
+    issues = check_bare_except(source, HOOK_INFRASTRUCTURE_PATH)
+    assert issues == [], f"Hook infrastructure exempt, got: {issues!r}"
+
+
+def test_should_handle_syntax_error_gracefully() -> None:
+    source = "try:\n  do(\n"
+    issues = check_bare_except(source, PRODUCTION_FILE_PATH)
+    assert issues == [], f"Syntax error must yield no issues, got: {issues!r}"
+
+
+def test_should_include_line_number() -> None:
+    source = "def fetch():\n    try:\n        do_thing()\n    except:\n        pass\n"
+    issues = check_bare_except(source, PRODUCTION_FILE_PATH)
+    assert len(issues) >= 1
+    assert "Line 4" in issues[0], f"Issue must include line number, got: {issues[0]!r}"

package/hooks/blocking/test_code_rules_enforcer_boundary_types.py

@@ -0,0 +1,175 @@
+"""Tests for check_boundary_types — flags Any at module boundaries.
+
+Per Plan 1c.boundary_type_check / Phase B6: a function signature or class
+attribute typed with `Any` (directly or nested inside a generic) makes
+no type promise to callers. Production code at boundaries should name
+the concrete shape it accepts and returns. Local variables are exempt
+(they are private to the function); `if TYPE_CHECKING:` blocks are
+exempt (those imports never reach runtime); `protocols.py` and
+`types.py` are exempt (interface declaration files).
+"""
+
+from __future__ import annotations
+
+import importlib.util
+from pathlib import Path
+from types import ModuleType
+
+
+def _load_enforcer_module() -> ModuleType:
+    module_path = Path(__file__).parent / "code_rules_enforcer.py"
+    spec = importlib.util.spec_from_file_location("code_rules_enforcer", module_path)
+    assert spec is not None
+    assert spec.loader is not None
+    module = importlib.util.module_from_spec(spec)
+    spec.loader.exec_module(module)
+    return module
+
+
+code_rules_enforcer = _load_enforcer_module()
+
+
+def check_boundary_types(content: str, file_path: str) -> list[str]:
+    return code_rules_enforcer.check_boundary_types(content, file_path)
+
+
+PRODUCTION_FILE_PATH = "/project/src/services.py"
+PROTOCOLS_FILE_PATH = "/project/src/protocols.py"
+TYPES_FILE_PATH = "/project/src/types.py"
+TEST_FILE_PATH = "/project/src/test_services.py"
+HOOK_INFRASTRUCTURE_PATH = "/home/user/.claude/hooks/blocking/example.py"
+
+
+def test_should_flag_any_as_direct_param_annotation() -> None:
+    source = (
+        "from typing import Any\n\ndef fetch(payload: Any) -> None:\n    return None\n"
+    )
+    issues = check_boundary_types(source, PRODUCTION_FILE_PATH)
+    assert any("Any" in each for each in issues), (
+        f"Expected Any-in-signature flag, got: {issues!r}"
+    )
+
+
+def test_should_flag_any_in_dict_param() -> None:
+    source = (
+        "from typing import Any\n"
+        "\n"
+        "def fetch(payload: dict[str, Any]) -> None:\n"
+        "    return None\n"
+    )
+    issues = check_boundary_types(source, PRODUCTION_FILE_PATH)
+    assert any("Any" in each for each in issues), (
+        f"Expected dict[str, Any] flagged, got: {issues!r}"
+    )
+
+
+def test_should_flag_any_as_return_type() -> None:
+    source = (
+        "from typing import Any, List\n\ndef fetch() -> List[Any]:\n    return []\n"
+    )
+    issues = check_boundary_types(source, PRODUCTION_FILE_PATH)
+    assert any("Any" in each for each in issues), (
+        f"Expected List[Any] return flagged, got: {issues!r}"
+    )
+
+
+def test_should_flag_any_nested_two_levels() -> None:
+    source = (
+        "from typing import Any\n"
+        "\n"
+        "def fetch(payload: dict[str, list[Any]]) -> None:\n"
+        "    return None\n"
+    )
+    issues = check_boundary_types(source, PRODUCTION_FILE_PATH)
+    assert any("Any" in each for each in issues), (
+        f"Expected nested Any flagged, got: {issues!r}"
+    )
+
+
+def test_should_flag_callable_returning_any() -> None:
+    source = (
+        "from typing import Any, Callable\n"
+        "\n"
+        "def fetch() -> Callable[..., Any]:\n"
+        "    return lambda: 1\n"
+    )
+    issues = check_boundary_types(source, PRODUCTION_FILE_PATH)
+    assert any("Any" in each for each in issues), (
+        f"Expected Callable[..., Any] flagged, got: {issues!r}"
+    )
+
+
+def test_should_flag_any_in_class_attribute_annotation() -> None:
+    source = "from typing import Any\n\nclass Cache:\n    storage: dict[str, Any]\n"
+    issues = check_boundary_types(source, PRODUCTION_FILE_PATH)
+    assert any("Any" in each for each in issues), (
+        f"Expected class-attribute Any flagged, got: {issues!r}"
+    )
+
+
+def test_should_not_flag_specific_dict_value_type() -> None:
+    source = "def fetch(payload: dict[str, int]) -> dict[str, str]:\n    return {}\n"
+    issues = check_boundary_types(source, PRODUCTION_FILE_PATH)
+    assert issues == [], f"Specific types must not be flagged, got: {issues!r}"
+
+
+def test_should_not_flag_local_variable_annotation() -> None:
+    source = (
+        "from typing import Any\n"
+        "\n"
+        "def fetch() -> None:\n"
+        "    cache: dict[str, Any] = {}\n"
+        "    return None\n"
+    )
+    issues = check_boundary_types(source, PRODUCTION_FILE_PATH)
+    assert issues == [], f"Local var annotations must not be flagged, got: {issues!r}"
+
+
+def test_should_skip_protocols_file() -> None:
+    source = (
+        "from typing import Any, Protocol\n"
+        "\n"
+        "class Storage(Protocol):\n"
+        "    def get(self, key: str) -> Any: ...\n"
+    )
+    issues = check_boundary_types(source, PROTOCOLS_FILE_PATH)
+    assert issues == [], f"protocols.py exempt, got: {issues!r}"
+
+
+def test_should_skip_types_file() -> None:
+    source = (
+        "from typing import Any\n\ndef coerce(value: Any) -> Any:\n    return value\n"
+    )
+    issues = check_boundary_types(source, TYPES_FILE_PATH)
+    assert issues == [], f"types.py exempt, got: {issues!r}"
+
+
+def test_should_skip_test_file() -> None:
+    source = (
+        "from typing import Any\n\ndef fetch(payload: Any) -> None:\n    return None\n"
+    )
+    issues = check_boundary_types(source, TEST_FILE_PATH)
+    assert issues == [], f"Test files exempt, got: {issues!r}"
+
+
+def test_should_skip_hook_infrastructure() -> None:
+    source = (
+        "from typing import Any\n\ndef fetch(payload: Any) -> None:\n    return None\n"
+    )
+    issues = check_boundary_types(source, HOOK_INFRASTRUCTURE_PATH)
+    assert issues == [], f"Hook infrastructure exempt, got: {issues!r}"
+
+
+def test_should_handle_syntax_error_gracefully() -> None:
+    source = "def fetch(\n"
+    issues = check_boundary_types(source, PRODUCTION_FILE_PATH)
+    assert issues == [], f"Syntax error must yield no issues, got: {issues!r}"
+
+
+def test_should_include_line_number() -> None:
+    source = (
+        "from typing import Any\n\ndef fetch(payload: Any) -> None:\n    return None\n"
+    )
+    issues = check_boundary_types(source, PRODUCTION_FILE_PATH)
+    assert len(issues) >= 1
+    assert "Line 3" in issues[0], f"Issue must include line number, got: {issues[0]!r}"

package/hooks/blocking/test_code_rules_enforcer_cap_meta.py

@@ -67,7 +67,6 @@ KNOWN_UNCAPPED_CHECKS_PENDING_REVIEW: frozenset[str] = frozenset(
         "check_return_annotations",
         "check_skip_decorators_in_tests",
         "check_string_literal_magic",
-        "check_type_escape_hatches",
         "check_unused_optional_parameters",
         "check_windows_api_none",
     }