claude-dev-env 1.58.0 → 1.59.0

package/hooks/blocking/test_workflow_substitution_slot_blocker.py

@@ -0,0 +1,242 @@
+"""Unit tests for workflow_substitution_slot_blocker PreToolUse hook."""
+
+import importlib.util
+import io
+import json
+import pathlib
+import sys
+from unittest import mock
+
+_HOOK_DIR = pathlib.Path(__file__).parent
+_HOOKS_ROOT = _HOOK_DIR.parent
+for _each_root in (str(_HOOK_DIR), str(_HOOKS_ROOT)):
+    if _each_root not in sys.path:
+        sys.path.insert(0, _each_root)
+
+hook_spec = importlib.util.spec_from_file_location(
+    "workflow_substitution_slot_blocker",
+    _HOOK_DIR / "workflow_substitution_slot_blocker.py",
+)
+assert hook_spec is not None
+assert hook_spec.loader is not None
+hook_module = importlib.util.module_from_spec(hook_spec)
+hook_spec.loader.exec_module(hook_module)
+
+content_has_violation = hook_module.content_has_violation
+find_bare_index_segments = hook_module.find_bare_index_segments
+find_bare_path_segments = hook_module.find_bare_path_segments
+has_iteration_loop = hook_module.has_iteration_loop
+written_content = hook_module.written_content
+
+
+_VIOLATING_TEMPLATE = (
+    "For EACH candidate i, build a bible dir cand_i per the contract.\n"
+    "   & ${PY} -c \"...Path(r'${args.work_dir}\\\\cand_i\\\\plate.svg')...\"\n"
+    "   & ${PY} compose.py --out ${args.work_dir}\\\\cand_i\\\\sample.png "
+    "--glow <candidate glow_hex>\n"
+    'Return: {key: "cand_i", name, sample_png}\n'
+)
+
+_FIXED_TEMPLATE = (
+    "For EACH candidate i, build a bible dir cand_<i> per the contract.\n"
+    "   & ${PY} -c \"...Path(r'${args.work_dir}\\\\cand_<i>\\\\plate.svg')...\"\n"
+    "   & ${PY} compose.py --out ${args.work_dir}\\\\cand_<i>\\\\sample.png "
+    "--glow <candidate glow_hex>\n"
+    'Return: {key: "cand_<i>", name, sample_png}\n'
+)
+
+
+def test_detects_bare_index_in_path_segment() -> None:
+    assert find_bare_index_segments(
+        "render Path(r'${args.work_dir}\\\\cand_i\\\\plate.svg')"
+    ) == {"cand_i"}
+
+
+def test_detects_quoted_key_when_token_also_appears_as_path_segment() -> None:
+    looped_path_and_key = "write ${work}\\\\cand_i\\\\plate.svg\n{key: \"cand_i\", name}"
+    assert "cand_i" in find_bare_index_segments(looped_path_and_key)
+
+
+def test_quoted_key_alone_without_path_segment_is_not_detected() -> None:
+    assert find_bare_index_segments('{key: "metric_i", name}') == set()
+
+
+def test_index_segments_equal_path_segments_for_looped_path_and_key() -> None:
+    looped_path_and_key = "write ${work}\\\\cand_i\\\\plate.svg\n{key: \"cand_i\", name}"
+    assert find_bare_index_segments(looped_path_and_key) == find_bare_path_segments(
+        looped_path_and_key
+    )
+
+
+def test_index_segments_equal_path_segments_for_quoted_only_key() -> None:
+    quoted_only_key = '{key: "metric_i", name}'
+    assert find_bare_index_segments(quoted_only_key) == find_bare_path_segments(
+        quoted_only_key
+    )
+
+
+def test_marked_substitution_slot_is_not_a_bare_segment() -> None:
+    assert (
+        find_bare_index_segments(
+            "render Path(r'${args.work_dir}\\\\cand_<i>\\\\plate.svg')"
+        )
+        == set()
+    )
+
+
+def test_violating_template_is_flagged() -> None:
+    assert content_has_violation(_VIOLATING_TEMPLATE) is True
+
+
+def test_fixed_template_passes() -> None:
+    assert content_has_violation(_FIXED_TEMPLATE) is False
+
+
+def test_template_without_angle_convention_is_not_flagged() -> None:
+    no_convention = (
+        "For EACH candidate i, write to ${work}\\\\cand_i\\\\plate.svg and return.\n"
+    )
+    assert content_has_violation(no_convention) is False
+
+
+def test_template_without_loop_is_not_flagged() -> None:
+    no_loop = "Write the plate to ${work}\\\\cand_i\\\\plate.svg using <glow_hex>.\n"
+    assert content_has_violation(no_loop) is False
+
+
+def test_each_inside_an_ordinary_word_is_not_a_loop() -> None:
+    for each_word in ("reach", "teach", "breach", "bleach", "preach", "impeach"):
+        assert has_iteration_loop(each_word + " the end") is False
+
+
+def test_standalone_lowercase_each_in_prose_is_not_a_loop() -> None:
+    assert has_iteration_loop("use each color once") is False
+
+
+def test_standalone_each_keyword_is_a_loop() -> None:
+    assert has_iteration_loop("For EACH candidate i") is True
+
+
+def test_lowercase_for_each_phrase_is_still_a_loop() -> None:
+    assert has_iteration_loop("for each candidate") is True
+
+
+def test_benign_prose_each_with_fixed_literal_is_not_flagged() -> None:
+    benign_template = (
+        "Render each layer to <layer.svg>.\n"
+        "The protocol field is named 'tier_i' as a permanent identifier.\n"
+    )
+    assert content_has_violation(benign_template) is False
+
+
+def test_quoted_permanent_identifier_key_is_not_flagged() -> None:
+    permanent_identifier_template = (
+        'For EACH candidate, render <plate.svg>.\nReturn {key: "metric_i", value}'
+    )
+    assert content_has_violation(permanent_identifier_template) is False
+
+
+def test_quoted_key_flagged_only_when_token_also_appears_as_path_segment() -> None:
+    looping_path_and_key = (
+        "For EACH candidate, write <plate.svg> to ${work}\\\\cand_i\\\\plate.svg.\n"
+        'Return {key: "cand_i", name}\n'
+    )
+    assert content_has_violation(looping_path_and_key) is True
+
+
+def test_written_content_reads_multiedit_new_strings() -> None:
+    multi_edit_input = {
+        "edits": [
+            {"old_string": "x", "new_string": "first ${work}\\\\cand_i\\\\plate.svg"},
+            {"old_string": "y", "new_string": "second <glow_hex>"},
+        ]
+    }
+    combined = written_content("MultiEdit", multi_edit_input)
+    assert "cand_i" in combined
+    assert "<glow_hex>" in combined
+
+
+def _run_main_with_io(input_text: str) -> str:
+    with mock.patch("sys.stdin", io.StringIO(input_text)):
+        with mock.patch("sys.stdout", new_callable=io.StringIO) as mock_stdout:
+            try:
+                hook_module.main()
+            except SystemExit:
+                pass
+            return mock_stdout.getvalue()
+
+
+def test_main_blocks_violating_workflow_write() -> None:
+    hook_input = {
+        "tool_name": "Write",
+        "tool_input": {
+            "file_path": "/repo/scripts/shared_palette_gate.workflow.js",
+            "content": _VIOLATING_TEMPLATE,
+        },
+    }
+    output_text = _run_main_with_io(json.dumps(hook_input))
+    payload = json.loads(output_text)
+    assert payload["hookSpecificOutput"]["permissionDecision"] == "deny"
+
+
+def test_main_blocks_violating_workflow_edit() -> None:
+    hook_input = {
+        "tool_name": "Edit",
+        "tool_input": {
+            "file_path": "/repo/scripts/shared_palette_gate.workflow.js",
+            "new_string": _VIOLATING_TEMPLATE,
+        },
+    }
+    output_text = _run_main_with_io(json.dumps(hook_input))
+    payload = json.loads(output_text)
+    assert payload["hookSpecificOutput"]["permissionDecision"] == "deny"
+
+
+def test_main_blocks_violating_workflow_multiedit() -> None:
+    hook_input = {
+        "tool_name": "MultiEdit",
+        "tool_input": {
+            "file_path": "/repo/scripts/shared_palette_gate.workflow.js",
+            "edits": [{"old_string": "placeholder", "new_string": _VIOLATING_TEMPLATE}],
+        },
+    }
+    output_text = _run_main_with_io(json.dumps(hook_input))
+    payload = json.loads(output_text)
+    assert payload["hookSpecificOutput"]["permissionDecision"] == "deny"
+
+
+def test_main_passes_fixed_workflow_write() -> None:
+    hook_input = {
+        "tool_name": "Write",
+        "tool_input": {
+            "file_path": "/repo/scripts/shared_palette_gate.workflow.js",
+            "content": _FIXED_TEMPLATE,
+        },
+    }
+    assert _run_main_with_io(json.dumps(hook_input)) == ""
+
+
+def test_main_passes_non_workflow_path() -> None:
+    hook_input = {
+        "tool_name": "Write",
+        "tool_input": {
+            "file_path": "/repo/scripts/helper.js",
+            "content": _VIOLATING_TEMPLATE,
+        },
+    }
+    assert _run_main_with_io(json.dumps(hook_input)) == ""
+
+
+def test_main_passes_wrong_tool_name() -> None:
+    hook_input = {
+        "tool_name": "Bash",
+        "tool_input": {
+            "file_path": "/repo/scripts/x.workflow.js",
+            "command": "echo cand_i",
+        },
+    }
+    assert _run_main_with_io(json.dumps(hook_input)) == ""
+
+
+def test_main_passes_malformed_json() -> None:
+    assert _run_main_with_io("not valid json {{{") == ""

package/hooks/blocking/workflow_substitution_slot_blocker.py

@@ -0,0 +1,159 @@
+#!/usr/bin/env python3
+"""PreToolUse hook: block bare per-iteration index tokens in .workflow.js templates.
+
+Root cause: a `.workflow.js` agent-prompt block that loops over an index (for
+example "For EACH candidate i, build a dir cand_i ...") sometimes writes the
+per-iteration directory or output key as a bare token like `cand_i`. A bare
+`_i`-suffixed token reads as a fixed literal rather than a substitution slot, so
+an agent can plausibly create one literal directory named `cand_i` and overwrite
+it across every iteration -- collapsing an N-iteration gate into a single run.
+
+The established convention in these templates marks every per-call substitution
+slot with angle brackets (`<plate.svg>`, `<object.svg>`, `<glow_hex>`). The fix
+is to mark the index the same way: `cand_<i>`.
+
+Detection strategy: act only on Write/Edit to a path ending in `.workflow.js`.
+Within the written content, fire only when ALL of the following hold, so the
+hook catches exactly the bare-literal shape and never a template that does not
+use the substitution convention at all:
+
+  1. the content uses the angle-bracket substitution convention somewhere
+     (a `<...>` slot), proving the author marks per-call values that way;
+  2. the content establishes a per-iteration loop (an "each"/"EACH"/"for i"
+     style phrase, or an explicit `cand_0` enumeration);
+  3. a bare `<word>_<i|j|k>` token appears as a per-iteration path segment
+     (adjacent to a path separator). A quoted structured-output key whose name
+     ends in `_i|_j|_k` (a permanent identifier with no per-iteration path) does
+     not fire on its own; only the per-iteration path shape triggers a block.
+
+Fails OPEN (approves) on malformed input or a non-workflow path; the violation
+shape is narrow enough that a false negative is preferable to blocking
+unrelated edits.
+"""
+
+import json
+import re
+import sys
+from pathlib import Path
+
+_hooks_dir = str(Path(__file__).resolve().parent.parent)
+if _hooks_dir not in sys.path:
+    sys.path.insert(0, _hooks_dir)
+
+from hooks_constants.workflow_substitution_slot_blocker_constants import (  # noqa: E402
+    CORRECTIVE_MESSAGE,
+    EDIT_TOOL_NAME,
+    MULTI_EDIT_TOOL_NAME,
+    WORKFLOW_FILE_SUFFIX,
+    WRITE_TOOL_NAME,
+)
+
+def multi_edit_new_strings(all_tool_input: dict[str, object]) -> str:
+    all_edits = all_tool_input.get("edits", [])
+    if not isinstance(all_edits, list):
+        return ""
+    all_new_strings = [
+        each_edit["new_string"]
+        for each_edit in all_edits
+        if isinstance(each_edit, dict) and isinstance(each_edit.get("new_string"), str)
+    ]
+    return "\n".join(all_new_strings)
+
+
+def written_content(tool_name: str, all_tool_input: dict[str, object]) -> str:
+    if tool_name == WRITE_TOOL_NAME:
+        content = all_tool_input.get("content", "")
+        return content if isinstance(content, str) else ""
+    if tool_name == EDIT_TOOL_NAME:
+        new_string = all_tool_input.get("new_string", "")
+        return new_string if isinstance(new_string, str) else ""
+    if tool_name == MULTI_EDIT_TOOL_NAME:
+        return multi_edit_new_strings(all_tool_input)
+    return ""
+
+
+def target_path(all_tool_input: dict[str, object]) -> str:
+    file_path = all_tool_input.get("file_path", "")
+    return file_path if isinstance(file_path, str) else ""
+
+
+def uses_angle_slot_convention(content: str) -> bool:
+    angle_slot_pattern = re.compile(r"<[^<>\n]+>")
+    return bool(angle_slot_pattern.search(content))
+
+
+def has_iteration_loop(content: str) -> bool:
+    loop_phrase_pattern = re.compile(
+        r"\b(?:for\s+each|each\s+candidate|for\s+[ijk]\b|candidate\s+[ijk]\b|cand_0)\b",
+        re.IGNORECASE,
+    )
+    uppercase_each_keyword_pattern = re.compile(r"\bEACH\b")
+    return bool(
+        loop_phrase_pattern.search(content)
+        or uppercase_each_keyword_pattern.search(content)
+    )
+
+
+def find_bare_path_segments(content: str) -> set[str]:
+    loop_letters = "ijk"
+    path_context = re.compile(
+        r"(?:[\\/]\s*([A-Za-z][\w]*?_[" + loop_letters + r"])(?![\w>])"
+        r"|([A-Za-z][\w]*?_[" + loop_letters + r"])(?![\w>])\s*[\\/])"
+    )
+    all_path_segments: set[str] = set()
+    for each_match in path_context.finditer(content):
+        each_token = next(
+            (each_group for each_group in each_match.groups() if each_group),
+            "",
+        )
+        if each_token:
+            all_path_segments.add(each_token)
+    return all_path_segments
+
+
+def find_bare_index_segments(content: str) -> set[str]:
+    return find_bare_path_segments(content)
+
+
+def content_has_violation(content: str) -> bool:
+    if not uses_angle_slot_convention(content):
+        return False
+    if not has_iteration_loop(content):
+        return False
+    return bool(find_bare_index_segments(content))
+
+
+def main() -> None:
+    try:
+        hook_input = json.load(sys.stdin)
+    except json.JSONDecodeError:
+        sys.exit(0)
+
+    tool_name = hook_input.get("tool_name", "")
+    if tool_name not in (WRITE_TOOL_NAME, EDIT_TOOL_NAME, MULTI_EDIT_TOOL_NAME):
+        sys.exit(0)
+
+    all_tool_input = hook_input.get("tool_input", {})
+    if not isinstance(all_tool_input, dict):
+        sys.exit(0)
+
+    if not target_path(all_tool_input).endswith(WORKFLOW_FILE_SUFFIX):
+        sys.exit(0)
+
+    if not content_has_violation(written_content(tool_name, all_tool_input)):
+        sys.exit(0)
+
+    deny_payload = {
+        "hookSpecificOutput": {
+            "hookEventName": "PreToolUse",
+            "permissionDecision": "deny",
+            "permissionDecisionReason": CORRECTIVE_MESSAGE,
+        }
+    }
+    print(json.dumps(deny_payload))
+    sys.stdout.flush()
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

package/hooks/hooks.json

@@ -44,12 +44,27 @@
             "type": "command",
             "command": "python3 ${CLAUDE_PLUGIN_ROOT}/hooks/blocking/state_description_blocker.py",
             "timeout": 10
+          },
+          {
+            "type": "command",
+            "command": "python3 ${CLAUDE_PLUGIN_ROOT}/hooks/blocking/subprocess_budget_completeness.py",
+            "timeout": 10
+          },
+          {
+            "type": "command",
+            "command": "python3 ${CLAUDE_PLUGIN_ROOT}/hooks/blocking/hook_prose_detector_consistency.py",
+            "timeout": 10
           }
         ]
       },
       {
         "matcher": "Write|Edit|MultiEdit",
         "hooks": [
+          {
+            "type": "command",
+            "command": "python3 ${CLAUDE_PLUGIN_ROOT}/hooks/blocking/workflow_substitution_slot_blocker.py",
+            "timeout": 10
+          },
           {
             "type": "command",
             "command": "python3 ${CLAUDE_PLUGIN_ROOT}/hooks/blocking/open_questions_in_plans_blocker.py",

package/hooks/hooks_constants/code_rules_enforcer_constants.py

@@ -24,6 +24,8 @@ ALL_MIGRATION_PATH_PATTERNS = {"/migrations/", "\\migrations\\"}
 ADVISORY_LINE_THRESHOLD_SOFT = 400
 ADVISORY_LINE_THRESHOLD_HARD = 1000
 
+DENY_REASON_ISSUE_PREVIEW_COUNT = 10
+
 ALL_BOOLEAN_NAME_PREFIXES: tuple[str, ...] = ("is_", "has_", "should_", "can_", "was_", "did_")
 UPPER_SNAKE_CONSTANT_PATTERN = re.compile(r"^[A-Z][A-Z0-9_]*$")
 
@@ -108,6 +110,20 @@ ALL_BUILTIN_DICT_METHOD_NAMES: frozenset[str] = frozenset({
 })
 ALL_UNION_TYPING_NAMES: frozenset[str] = frozenset({"Optional", "Union"})
 ALL_SELF_AND_CLS_PARAMETER_NAMES: frozenset[str] = frozenset({"self", "cls"})
+ANNOTATION_BY_PYTEST_FIXTURE: dict[str, str] = {
+    "tmp_path": "Path",
+    "tmp_path_factory": "pytest.TempPathFactory",
+    "monkeypatch": "pytest.MonkeyPatch",
+    "capsys": "pytest.CaptureFixture[str]",
+    "capfd": "pytest.CaptureFixture[str]",
+    "caplog": "pytest.LogCaptureFixture",
+    "request": "pytest.FixtureRequest",
+}
+KNOWN_PYTEST_FIXTURE_ANNOTATION_MESSAGE_SUFFIX: str = (
+    "known pytest fixture parameter must carry its single documented type "
+    "(CODE_RULES §6; pytest builtin fixture reference "
+    "https://docs.pytest.org/en/stable/reference/fixtures.html)"
+)
 ALL_LOOP_INDEX_LETTER_EXEMPTIONS: frozenset[str] = frozenset({"i", "j", "k", "_"})
 EACH_PREFIX = "each_"
 BARE_EACH_TOKEN = "each"

package/hooks/hooks_constants/dead_dataclass_field_constants.py

@@ -0,0 +1,25 @@
+"""Constants for the dead dataclass-field detector in ``code_rules_enforcer``.
+
+Lives under the hooks-tree ``hooks_constants`` package so module-level
+UPPER_SNAKE constants satisfy the CODE_RULES "constants live in config"
+requirement and share a home with the other hook-tree configuration.
+"""
+
+ALL_DATACLASS_DECORATOR_NAMES: frozenset[str] = frozenset({"dataclass", "dataclasses"})
+ATTRGETTER_FUNCTION_NAME: str = "attrgetter"
+CLASSVAR_ANNOTATION_NAME: str = "ClassVar"
+GETATTR_FUNCTION_NAME: str = "getattr"
+GETATTR_NAME_ARGUMENT_MINIMUM: int = 2
+ALL_REFLECTIVE_FIELD_CONSUMER_NAMES: frozenset[str] = frozenset(
+    {"asdict", "astuple", "fields", "replace", "vars"}
+)
+WHOLE_INSTANCE_DICT_ATTRIBUTE_NAME: str = "__dict__"
+ALL_WHOLE_INSTANCE_STRINGIFY_NAMES: frozenset[str] = frozenset(
+    {"str", "repr", "format"}
+)
+MAX_DEAD_DATACLASS_FIELD_ISSUES: int = 25
+DEAD_DATACLASS_FIELD_GUIDANCE: str = (
+    "field is assigned but never read in this file - remove the field and the code"
+    " that only exists to populate it, or read it where the value is needed"
+    " (CODE_RULES §9.8)"
+)

package/hooks/hooks_constants/destructive_command_segment_constants.py

@@ -0,0 +1,178 @@
+"""Segment-splitting and command-name constants for the destructive command blocker compound rm guard."""
+
+ALL_SHELL_CONTROL_OPERATOR_TOKENS: frozenset[str] = frozenset({"&&", "||", ";", "|&", "|", "&", "\n", "\r"})
+ALL_COMMAND_LAUNCHER_WRAPPER_COMMANDS: frozenset[str] = frozenset(
+    {
+        "timeout",
+        "nohup",
+        "nice",
+        "ionice",
+        "stdbuf",
+        "time",
+        "setsid",
+        "chrt",
+        "taskset",
+    }
+)
+ALL_LAUNCHERS_REQUIRING_A_POSITIONAL_VALUE: frozenset[str] = frozenset(
+    {
+        "timeout",
+        "chrt",
+        "taskset",
+    }
+)
+ALL_INTERPRETER_AND_WRAPPER_COMMANDS: frozenset[str] = frozenset(
+    {
+        "sh",
+        "bash",
+        "zsh",
+        "dash",
+        "ksh",
+        "tcsh",
+        "csh",
+        "fish",
+        "pwsh",
+        "powershell",
+        "cmd",
+        "eval",
+        "exec",
+        "source",
+        "sudo",
+        "su",
+        "env",
+        "xargs",
+        "awk",
+        "gawk",
+        "mawk",
+        "nawk",
+        "make",
+        "tclsh",
+        "expect",
+        "lua",
+    }
+)
+ALL_REMOTE_AND_PROGRAM_STRING_EXECUTORS: frozenset[str] = frozenset(
+    {
+        "ssh",
+        "python",
+        "python2",
+        "python3",
+        "perl",
+        "ruby",
+        "node",
+        "deno",
+        "bun",
+        "php",
+    }
+)
+ALL_STRING_ARGUMENT_EXECUTION_FLAGS: frozenset[str] = frozenset({"-c", "-e"})
+ALL_BENIGN_COMPOUND_SEGMENT_COMMANDS: frozenset[str] = frozenset(
+    {
+        "echo",
+        "printf",
+        "gh",
+        "head",
+        "tail",
+        "cat",
+        "ls",
+        "grep",
+        "wc",
+        "sort",
+        "uniq",
+        "true",
+        "git",
+    }
+)
+OUTPUT_REDIRECTION_OPERATOR_PATTERN: str = r"(?:\d+|&)?>>?\|?(?!&[\d-])"
+ALL_FILE_WRITING_OUTPUT_FLAGS_BY_BENIGN_PROGRAM: dict[str, frozenset[str]] = {
+    "sort": frozenset({"-o", "--output"}),
+}
+ALL_GIT_CONFIG_READ_ONLY_FLAGS: frozenset[str] = frozenset(
+    {"--get", "--get-all", "--get-regexp", "--list", "-l", "--get-urlmatch"}
+)
+ALL_GIT_REMOTE_READ_ONLY_VERBS: frozenset[str] = frozenset({"show", "get-url"})
+ALL_GIT_FETCH_FORCE_FLAGS: frozenset[str] = frozenset({"-f", "--force"})
+ALL_GH_HTTP_WRITE_METHOD_FLAGS: frozenset[str] = frozenset({"-X", "--method"})
+ALL_GH_HTTP_WRITE_METHODS: frozenset[str] = frozenset({"POST", "PUT", "PATCH", "DELETE"})
+GH_HTTP_READ_ONLY_METHOD: str = "GET"
+GH_SHORT_METHOD_FLAG_PREFIX: str = "-X"
+GH_LONG_METHOD_FLAG_EQUALS_PREFIX: str = "--method="
+ALL_GH_API_REQUEST_BODY_FIELD_FLAGS: frozenset[str] = frozenset(
+    {"-f", "--raw-field", "-F", "--field", "--input"}
+)
+ALL_GH_API_GLUED_REQUEST_BODY_FIELD_FLAG_PREFIXES: tuple[str, ...] = (
+    "-f",
+    "-F",
+    "--raw-field=",
+    "--field=",
+    "--input=",
+)
+ALL_READ_ONLY_GIT_SUBCOMMANDS: frozenset[str] = frozenset(
+    {
+        "status",
+        "log",
+        "show",
+        "diff",
+        "rev-parse",
+        "rev-list",
+        "describe",
+        "config",
+        "remote",
+        "fetch",
+        "ls-files",
+        "ls-remote",
+        "ls-tree",
+        "cat-file",
+        "blame",
+        "shortlog",
+        "name-rev",
+        "for-each-ref",
+        "symbolic-ref",
+        "merge-base",
+        "count-objects",
+        "version",
+        "help",
+    }
+)
+ALL_READ_ONLY_GH_SUBCOMMANDS: frozenset[str] = frozenset(
+    {
+        "view",
+        "list",
+        "status",
+        "checks",
+        "diff",
+        "search",
+        "browse",
+        "api",
+    }
+)
+ALL_READ_ONLY_SUBCOMMANDS_BY_DISPATCHING_PROGRAM: dict[str, frozenset[str]] = {
+    "git": ALL_READ_ONLY_GIT_SUBCOMMANDS,
+    "gh": ALL_READ_ONLY_GH_SUBCOMMANDS,
+}
+ALL_READ_ONLY_SUBCOMMAND_POSITION_DEPTHS_BY_DISPATCHING_PROGRAM: dict[str, int] = {
+    "git": 1,
+    "gh": 2,
+}
+LAUNCHER_POSITIONAL_VALUE_SHAPE_PATTERN: str = (
+    r"^(?:0x[0-9A-Fa-f]+"
+    r"|[0-9]+(?:[.,][0-9]+)?[smhd]?"
+    r"|[0-9]+(?:-[0-9]+)?(?:,[0-9]+(?:-[0-9]+)?)*)$"
+)
+ALL_LAUNCHER_OPTIONS_TAKING_SEPARATE_VALUE: frozenset[str] = frozenset(
+    {
+        "-s",
+        "--signal",
+        "-k",
+        "--kill-after",
+        "-n",
+        "-o",
+        "--output",
+        "-e",
+        "--error",
+        "-i",
+        "--input",
+        "--classdata",
+    }
+)
+ALL_SUBSHELL_GROUPING_CHARACTERS: str = "({"

package/hooks/hooks_constants/duplicate_function_body_constants.py

@@ -0,0 +1,17 @@
+"""Constants for the cross-file duplicate-function-body scan in ``code_rules_enforcer``.
+
+The scan flags a top-level function whose body is structurally identical to a
+top-level function already defined in a sibling ``.py`` module in the same
+directory. This catches the Reuse-before-create / DRY violation where a helper
+is copy-pasted across several modules instead of imported from one shared home.
+"""
+
+MINIMUM_DUPLICATE_BODY_STATEMENTS: int = 3
+MAX_DUPLICATE_BODY_ISSUES: int = 25
+DUNDER_INIT_FILENAME: str = "__init__.py"
+PYTHON_SOURCE_SUFFIX: str = ".py"
+DUPLICATE_BODY_GUIDANCE: str = (
+    "this function body is identical to one in a sibling module; "
+    "extract a single shared helper (for example in hooks_constants/) and "
+    "import it from both modules instead of copying it (Reuse before create / DRY)"
+)