claude-dev-env 1.58.0 → 1.60.0

package/hooks/blocking/code_rules_enforcer.py

@@ -30,6 +30,7 @@ if _HOOKS_DIRECTORY not in sys.path:
 
 from code_rules_annotations_length import (  # noqa: E402
     check_function_length,
+    check_known_pytest_fixture_annotations,
     check_parameter_annotations,
     check_return_annotations,
 )
@@ -50,10 +51,20 @@ from code_rules_constants_config import (  # noqa: E402
     check_constants_outside_config_advisory,
     check_file_global_constants_use_count,
 )
+from code_rules_dead_dataclass_field import (  # noqa: E402
+    check_dead_dataclass_fields,
+)
+from code_rules_dead_module_constant import (  # noqa: E402
+    check_dead_module_constants,
+)
 from code_rules_docstrings import (  # noqa: E402
     check_docstring_args_match_signature,
     check_docstring_format,
 )
+from code_rules_duplicate_body import (  # noqa: E402
+    advise_cross_skill_duplicate_helper,
+    check_duplicate_function_body_across_files,
+)
 from code_rules_imports_logging import (  # noqa: E402
     advise_file_line_count,
     check_e2e_test_naming,
@@ -113,6 +124,7 @@ from code_rules_typeddict_stub import (  # noqa: E402
     check_stub_implementations,
     check_thin_wrapper_files,
     check_typed_dict_encode_decode,
+    check_zero_payload_function_alias,
 )
 from code_rules_unused_imports import (  # noqa: E402
     check_unused_module_level_imports,
@@ -122,6 +134,7 @@ from hooks_constants.code_rules_enforcer_constants import (  # noqa: E402
     ALL_CODE_EXTENSIONS,
     ALL_JAVASCRIPT_EXTENSIONS,
     ALL_PYTHON_EXTENSIONS,
+    DENY_REASON_ISSUE_PREVIEW_COUNT,
     PRECHECK_USAGE_EXIT_CODE,
     PRECHECK_USAGE_MESSAGE,
 )
@@ -137,6 +150,7 @@ def validate_content(
     full_file_content: str | None = None,
     prior_full_file_content: str = "",
     defer_scope_to_caller: bool = False,
+    sibling_directory: Path | None = None,
 ) -> list[str]:
     """Run all applicable validators on content.
 
@@ -167,6 +181,12 @@ def validate_content(
             checks return their violations unscoped for the gate to classify.
             PreToolUse new-file or full-file writes leave this False: this
             enforcer is terminal, so it marks every violation in scope.
+        sibling_directory: The absolute directory the cross-file duplicate-body
+            check scans for sibling modules. The commit/push gate passes the
+            resolved file's parent so the on-disk sibling scan stays anchored to
+            the repository regardless of the gate process's working directory.
+            None (the PreToolUse default) derives the directory from
+            ``file_path``'s parent, which is already absolute on that path.
     """
     extension = get_file_extension(file_path)
     all_issues = []
@@ -188,6 +208,15 @@ def validate_content(
         all_issues.extend(check_constants_outside_config(content, file_path))
         all_issues.extend(check_constants_outside_config_advisory(content, file_path))
         all_issues.extend(check_file_global_constants_use_count(content, file_path))
+        all_issues.extend(
+            check_duplicate_function_body_across_files(
+                effective_content,
+                file_path,
+                all_changed_lines,
+                defer_scope_to_caller,
+                sibling_directory,
+            )
+        )
         all_issues.extend(check_type_escape_hatches(effective_content, file_path))
         all_issues.extend(check_banned_identifiers(content, file_path))
         all_issues.extend(
@@ -204,6 +233,7 @@ def validate_content(
         all_issues.extend(check_test_branching_in_production(effective_content, file_path))
         all_issues.extend(check_bare_except(effective_content, file_path))
         all_issues.extend(check_thin_wrapper_files(effective_content, file_path))
+        all_issues.extend(check_zero_payload_function_alias(effective_content, file_path))
         all_issues.extend(check_boundary_types(effective_content, file_path))
         all_issues.extend(check_docstring_format(effective_content, file_path))
         all_issues.extend(check_docstring_args_match_signature(effective_content, file_path))
@@ -242,8 +272,15 @@ def validate_content(
         all_issues.extend(
             check_unused_module_level_imports(content, file_path, full_file_content)
         )
+        all_issues.extend(
+            check_dead_dataclass_fields(content, file_path, full_file_content)
+        )
+        all_issues.extend(
+            check_dead_module_constants(content, file_path, full_file_content)
+        )
         all_issues.extend(check_library_print(content, file_path))
         all_issues.extend(check_parameter_annotations(content, file_path))
+        all_issues.extend(check_known_pytest_fixture_annotations(content, file_path))
         all_issues.extend(check_return_annotations(content, file_path))
         all_issues.extend(
             check_function_length(
@@ -259,6 +296,7 @@ def validate_content(
         all_issues.extend(check_string_literal_magic(content, file_path))
         check_incomplete_mocks(content, file_path)
         check_duplicated_format_patterns(content, file_path)
+        advise_cross_skill_duplicate_helper(effective_content, file_path)
 
     elif extension in ALL_JAVASCRIPT_EXTENSIONS:
         if not is_test_file(file_path):
@@ -334,6 +372,69 @@ def _is_validated_target(file_path: str) -> bool:
     return get_file_extension(file_path) in ALL_CODE_EXTENSIONS
 
 
+def _is_hook_infrastructure_python_target(file_path: str) -> bool:
+    """Return whether the path is a hook-infrastructure Python file.
+
+    The full code-rules suite exempts hook-infrastructure files, but the
+    cross-file duplicate-body check must still guard them: a helper copied
+    across sibling hook modules is the exact violation it targets. This
+    predicate selects the hook ``.py`` files that route to that single check.
+
+    Args:
+        file_path: The destination path of the write, edit, or pre-check target.
+
+    Returns:
+        True when the path names a Python file inside hook infrastructure.
+    """
+    if not file_path:
+        return False
+    if not is_hook_infrastructure(file_path):
+        return False
+    return get_file_extension(file_path) in ALL_PYTHON_EXTENSIONS
+
+
+def _hook_infrastructure_blocking_issues(
+    content: str,
+    file_path: str,
+    full_file_content: str | None = None,
+    prior_full_file_content: str = "",
+) -> list[str]:
+    """Run the checks that still guard a hook Python target.
+
+    The whole code-rules verdict stays off hook-infrastructure files, so this
+    runs the two checks that must still guard them: the cross-file duplicate-body
+    check, span-scoped to the lines an edit touched exactly as ``validate_content``
+    scopes it for production code; and the zero-payload alias check, whose
+    docstring names hook modules as its motivating case, run over the whole
+    post-edit file.
+
+    Args:
+        content: The fragment or whole-file body under validation.
+        file_path: The hook-infrastructure destination path.
+        full_file_content: The reconstructed post-edit file body on an Edit, or
+            None for a whole-file Write.
+        prior_full_file_content: The file content before the edit applied, used to
+            recover the changed lines on an Edit.
+
+    Returns:
+        The in-scope duplicate-body violations and the zero-payload alias
+        violations for the target.
+    """
+    effective_content = content if full_file_content is None else full_file_content
+    all_changed_lines = (
+        changed_line_numbers(prior_full_file_content, full_file_content)
+        if full_file_content is not None
+        else None
+    )
+    all_issues = check_duplicate_function_body_across_files(
+        effective_content,
+        file_path,
+        all_changed_lines,
+    )
+    all_issues.extend(check_zero_payload_function_alias(effective_content, file_path))
+    return all_issues
+
+
 def _without_line_prefix(violation_text: str) -> str:
     """Return the violation message body with its ``Line <n>: `` locator removed.
 
@@ -441,15 +542,22 @@ def _run_precheck(
         Exit code 1 when any violation exists or the candidate cannot be read,
         and 0 when the candidate is clean or the target is exempt.
     """
-    if not _is_validated_target(target_path):
+    runs_full_verdict = _is_validated_target(target_path)
+    runs_hook_duplicate_body = _is_hook_infrastructure_python_target(target_path)
+    if not runs_full_verdict and not runs_hook_duplicate_body:
         return 0
     candidate_content = _read_existing_file_content(candidate_path)
     if candidate_content is None:
         error_stream.write(f"error: cannot read candidate file: {candidate_path}\n")
         return 1
     candidate_content = candidate_content.lstrip(UTF8_BYTE_ORDER_MARK)
-    old_content = _read_existing_file_content(target_path) or ""
-    all_issues = validate_content(candidate_content, target_path, old_content)
+    if runs_full_verdict:
+        old_content = _read_existing_file_content(target_path) or ""
+        all_issues = validate_content(candidate_content, target_path, old_content)
+    else:
+        all_issues = _hook_infrastructure_blocking_issues(
+            candidate_content, target_path
+        )
     for each_issue in all_issues:
         violation_stream.write(f"{each_issue}\n")
     return 1 if all_issues else 0
@@ -576,7 +684,7 @@ def _deny_reason_for_issues(
     Returns:
         The complete ``permissionDecisionReason`` text.
     """
-    issue_list = "; ".join(all_blocking_issues[:10])
+    issue_list = "; ".join(all_blocking_issues[:DENY_REASON_ISSUE_PREVIEW_COUNT])
     deny_reason = (
         f"BLOCKED: [CODE_RULES] {len(all_blocking_issues)} violation(s): {issue_list}"
     )
@@ -593,7 +701,7 @@ def _deny_reason_for_issues(
             all_blocking_issues=all_blocking_issues,
         )
         if forecast_issues:
-            forecast_list = "; ".join(forecast_issues[:10])
+            forecast_list = "; ".join(forecast_issues[:DENY_REASON_ISSUE_PREVIEW_COUNT])
             deny_reason += (
                 f"; FULL-FILE FORECAST — {len(forecast_issues)} additional "
                 "violation(s) elsewhere in this file will block future edits "
@@ -602,6 +710,24 @@ def _deny_reason_for_issues(
     return deny_reason + _precheck_hint()
 
 
+def _write_deny_payload(deny_reason: str, deny_stream: TextIO) -> None:
+    """Write a PreToolUse deny payload carrying the given reason.
+
+    Args:
+        deny_reason: The composed ``permissionDecisionReason`` text.
+        deny_stream: The stream the JSON deny payload is written to.
+    """
+    deny_payload = {
+        "hookSpecificOutput": {
+            "hookEventName": "PreToolUse",
+            "permissionDecision": "deny",
+            "permissionDecisionReason": deny_reason,
+        }
+    }
+    deny_stream.write(json.dumps(deny_payload) + "\n")
+    deny_stream.flush()
+
+
 def _report_blocking_violations(
     content: str,
     tool_name: str,
@@ -632,21 +758,53 @@ def _report_blocking_violations(
     )
     if not all_blocking_issues:
         return
-    deny_payload = {
-        "hookSpecificOutput": {
-            "hookEventName": "PreToolUse",
-            "permissionDecision": "deny",
-            "permissionDecisionReason": _deny_reason_for_issues(
-                all_blocking_issues,
-                tool_name,
-                file_path,
-                full_file_content_after_edit,
-                prior_full_file_content,
-            ),
-        }
-    }
-    deny_stream.write(json.dumps(deny_payload) + "\n")
-    deny_stream.flush()
+    _write_deny_payload(
+        _deny_reason_for_issues(
+            all_blocking_issues,
+            tool_name,
+            file_path,
+            full_file_content_after_edit,
+            prior_full_file_content,
+        ),
+        deny_stream,
+    )
+
+
+def _report_hook_blocking_issues(
+    content: str,
+    file_path: str,
+    full_file_content_after_edit: str | None,
+    prior_full_file_content: str,
+    deny_stream: TextIO,
+) -> None:
+    """Write a deny payload when a hook target trips a check that still guards it.
+
+    The full code-rules verdict stays off hook-infrastructure files; this runs the
+    two checks that must still guard them — the cross-file duplicate-body check and
+    the zero-payload alias check — and emits the deny payload when either fires.
+
+    Args:
+        content: The fragment or whole-file body under validation.
+        file_path: The hook-infrastructure destination path.
+        full_file_content_after_edit: The reconstructed post-edit file body,
+            or None when the payload is not an Edit.
+        prior_full_file_content: The on-disk content before the edit.
+        deny_stream: The stream the JSON deny payload is written to.
+    """
+    all_blocking_issues = _hook_infrastructure_blocking_issues(
+        content,
+        file_path,
+        full_file_content_after_edit,
+        prior_full_file_content,
+    )
+    if not all_blocking_issues:
+        return
+    issue_list = "; ".join(all_blocking_issues[:DENY_REASON_ISSUE_PREVIEW_COUNT])
+    deny_reason = (
+        f"BLOCKED: [CODE_RULES] {len(all_blocking_issues)} violation(s): {issue_list}"
+        + _precheck_hint()
+    )
+    _write_deny_payload(deny_reason, deny_stream)
 
 
 def main(all_arguments: list[str]) -> None:
@@ -671,7 +829,8 @@ def main(all_arguments: list[str]) -> None:
     tool_input = pretooluse_payload.get("tool_input", {})
     file_path = tool_input.get("file_path", "")
 
-    if not _is_validated_target(file_path):
+    runs_full_verdict = _is_validated_target(file_path)
+    if not runs_full_verdict and not _is_hook_infrastructure_python_target(file_path):
         sys.exit(0)
 
     validation_contents = _contents_for_validation(
@@ -690,6 +849,16 @@ def main(all_arguments: list[str]) -> None:
     if not content:
         sys.exit(0)
 
+    if not runs_full_verdict:
+        _report_hook_blocking_issues(
+            content,
+            file_path,
+            full_file_content_after_edit,
+            prior_full_file_content,
+            sys.stdout,
+        )
+        sys.exit(0)
+
     _report_blocking_violations(
         content,
         tool_name,

package/hooks/blocking/code_rules_magic_values.py

@@ -54,6 +54,101 @@ def _mask_string_literals_preserving_length(source_line: str) -> str:
     return string_literal_pattern.sub(_replace_string_literal, source_line)
 
 
+def _carries_top_level_slice_colon(bracket_body: str) -> bool:
+    """Return True when ``bracket_body`` holds a slice colon at its own level.
+
+    The body is the text between one ``[...]`` pair. A slice colon is a ``:``
+    that sits at the body's top level — not nested inside any ``(``, ``[``,
+    or ``{`` opened within the body — and is not the ``:=`` walrus operator.
+    A slice writes ``[:N]`` or ``[1:N]``; a plain subscript (``[K]``), a
+    walrus subscript (``[(n := M)]``), and a lambda subscript
+    (``[(lambda: V)()]``) carry no such colon.
+    """
+    nesting_depth = 0
+    for each_position, each_character in enumerate(bracket_body):
+        if each_character in "([{":
+            nesting_depth += 1
+            continue
+        if each_character in ")]}":
+            nesting_depth -= 1
+            continue
+        if each_character == ":" and nesting_depth == 0:
+            next_position = each_position + 1
+            character_after_colon = bracket_body[next_position : next_position + 1]
+            follows_walrus = character_after_colon == "="
+            if not follows_walrus:
+                return True
+    return False
+
+
+def _innermost_bracket_body_around(masked_line: str, occurrence_position: int) -> str | None:
+    """Return the body of the innermost ``[...]`` pair enclosing a position.
+
+    Walks the line tracking open-bracket positions on a stack. The bracket
+    pair directly enclosing ``occurrence_position`` is the one whose ``[``
+    is on top of the stack when that position is reached; its body runs from
+    just after that ``[`` to its matching ``]``. Returns ``None`` when the
+    position lies outside every ``[...]`` pair.
+    """
+    open_bracket_positions: list[int] = []
+    enclosing_open_position = -1
+    for each_position, each_character in enumerate(masked_line):
+        if each_position == occurrence_position:
+            enclosing_open_position = open_bracket_positions[-1] if open_bracket_positions else -1
+        if each_character == "[":
+            open_bracket_positions.append(each_position)
+            continue
+        if each_character == "]" and open_bracket_positions:
+            open_bracket_positions.pop()
+
+    if enclosing_open_position == -1:
+        return None
+
+    closing_position = _matching_close_bracket_position(masked_line, enclosing_open_position)
+    if closing_position == -1:
+        return None
+    return masked_line[enclosing_open_position + 1 : closing_position]
+
+
+def _matching_close_bracket_position(masked_line: str, open_position: int) -> int:
+    """Return the index of the ``]`` that closes the ``[`` at ``open_position``.
+
+    Returns ``-1`` when the opening bracket has no matching close on the line.
+    """
+    depth = 0
+    for each_position in range(open_position, len(masked_line)):
+        each_character = masked_line[each_position]
+        if each_character == "[":
+            depth += 1
+            continue
+        if each_character == "]":
+            depth -= 1
+            if depth == 0:
+                return each_position
+    return -1
+
+
+def _is_magic_number_inside_slice_bound(masked_line: str, number_text: str) -> bool:
+    """Return True when ``number_text`` appears as a slice bound on the line.
+
+    For each standalone-token occurrence of ``number_text``, the innermost
+    ``[...]`` pair directly enclosing it is located. The number is a slice
+    bound only when that innermost pair carries a top-level slice colon
+    (``sha[:N]``, ``ts[1:N]``). A plain subscript index (``items[K]``), the
+    inner index of a nested subscript (``a[b[I]:N]`` — the inner index sits
+    inside the plain inner pair), a walrus subscript (``arr[(n := M)]``), and
+    a lambda subscript (``seq[(lambda: V)()]``) are not slice bounds.
+    """
+    token_boundary_pattern = r"(?<![.\w])" + re.escape(number_text) + r"(?![.\w])"
+    for each_match in re.finditer(token_boundary_pattern, masked_line):
+        bracket_body = _innermost_bracket_body_around(masked_line, each_match.start())
+        if bracket_body is None:
+            continue
+        if _carries_top_level_slice_colon(bracket_body):
+            return True
+    return False
+
+
 def check_magic_values(content: str, file_path: str) -> list[str]:
     """Check for magic values in function bodies."""
     if is_config_file(file_path) or is_test_file(file_path):
@@ -93,6 +188,9 @@ def check_magic_values(content: str, file_path: str) -> list[str]:
                 if each_number not in allowed_numbers:
                     if "range(" in stripped_without_string_literals or "enumerate(" in stripped_without_string_literals:
                         continue
+                    if _is_magic_number_inside_slice_bound(stripped_without_string_literals, each_number):
+                        issues.append(f"Line {each_line_number}: Magic value {each_number} - extract to named constant")
+                        break
                     if "[" in stripped_without_string_literals and "]" in stripped_without_string_literals:
                         continue
                     issues.append(f"Line {each_line_number}: Magic value {each_number} - extract to named constant")

package/hooks/blocking/code_rules_shared.py

@@ -115,6 +115,47 @@ def _collect_annotated_arguments(function_node: ast.FunctionDef | ast.AsyncFunct
     return all_annotated_arguments
 
 
+def _collect_fixture_injection_arguments(
+    function_node: ast.FunctionDef | ast.AsyncFunctionDef,
+) -> list[ast.arg]:
+    """Return only the named parameters pytest fills by fixture injection.
+
+    Pytest passes fixtures by keyword (``testfunction(**testargs)``), so a
+    parameter can receive a fixture only when both conditions hold: it is
+    reachable by keyword, and pytest is responsible for supplying its value.
+    Positional-only parameters are NOT injection slots — a keyword-passed
+    fixture can never bind to one, and ``def test_x(tmp_path, /)`` raises a
+    missing-argument ``TypeError`` under pytest. A ``*args`` star-argument or
+    ``**kwargs`` double-star-argument never names a single fixture either.
+    A parameter carrying a default is NOT injected — pytest leaves its default
+    in place rather than supplying the fixture. So this collector keeps only the
+    positional-or-keyword and keyword-only parameters that have no default, and
+    omits ``args.posonlyargs``, ``args.vararg``, and ``args.kwarg``.
+
+    Args:
+        function_node: The function definition AST node to inspect.
+
+    Returns:
+        The undefaulted positional-or-keyword and keyword-only argument nodes,
+        in declaration order.
+    """
+    arguments = function_node.args
+    defaulted_positional_count = len(arguments.defaults)
+    undefaulted_positional_arguments = (
+        arguments.args[:-defaulted_positional_count]
+        if defaulted_positional_count
+        else arguments.args
+    )
+    undefaulted_keyword_only_arguments = [
+        each_keyword_argument
+        for each_keyword_argument, each_default in zip(
+            arguments.kwonlyargs, arguments.kw_defaults
+        )
+        if each_default is None
+    ]
+    return [*undefaulted_positional_arguments, *undefaulted_keyword_only_arguments]
+
+
 def _collect_target_names(target: ast.expr) -> list[ast.Name]:
     """Return every ast.Name reachable through tuple/list/starred unpacking targets."""
     if isinstance(target, ast.Name):