claude-dev-env 1.69.1 → 1.69.2

package/hooks/blocking/code_rules_enforcer.py

@@ -108,6 +108,7 @@ from code_rules_paths_syspath import (  # noqa: E402
 from code_rules_shared import (  # noqa: E402
     changed_line_numbers,
     get_file_extension,
+    is_ephemeral_script_path,
     is_hook_infrastructure,
     is_test_file,
 )
@@ -395,6 +396,8 @@ def _is_validated_target(file_path: str) -> bool:
     """
     if not file_path:
         return False
+    if is_ephemeral_script_path(file_path):
+        return False
     if is_hook_infrastructure(file_path):
         return False
     return get_file_extension(file_path) in ALL_CODE_EXTENSIONS
@@ -416,6 +419,8 @@ def _is_hook_infrastructure_python_target(file_path: str) -> bool:
     """
     if not file_path:
         return False
+    if is_ephemeral_script_path(file_path):
+        return False
     if not is_hook_infrastructure(file_path):
         return False
     return get_file_extension(file_path) in ALL_PYTHON_EXTENSIONS

package/hooks/blocking/code_rules_shared.py

@@ -2,6 +2,7 @@
 
 import ast
 import difflib
+import os
 import sys
 from collections.abc import Iterator
 from pathlib import Path
@@ -15,10 +16,16 @@ if _hooks_directory not in sys.path:
 
 from hooks_constants.code_rules_enforcer_constants import (  # noqa: E402
     ALL_DIFF_CHANGED_OPCODE_TAGS,
+    ALL_EPHEMERAL_EXEMPT_DISABLE_TRUTHY_VALUES,
     ALL_HOOK_INFRASTRUCTURE_PATTERNS,
     ALL_MIGRATION_PATH_PATTERNS,
+    ALL_ROOT_ANCHORED_EPHEMERAL_DIRECTORIES,
     ALL_TEST_PATH_PATTERNS,
     ALL_WORKFLOW_REGISTRY_PATTERNS,
+    CLAUDE_JOB_DIR_ENVIRONMENT_VARIABLE_NAME,
+    CLAUDE_JOB_DIR_SCRATCH_SUBDIRECTORY,
+    EPHEMERAL_EXEMPT_DISABLE_ENVIRONMENT_VARIABLE_NAME,
+    LEADING_DRIVE_LETTER_PATTERN,
 )
 from hooks_constants.unused_module_import_constants import (  # noqa: E402
     TYPE_CHECKING_IDENTIFIER,
@@ -201,6 +208,46 @@ def _extract_fstring_literal_parts(
     return "".join(display_segments), "".join(shape_segments)
 
 
+def is_ephemeral_script_path(file_path: str) -> bool:
+    """Return True when the path is rooted at a throwaway scratch directory.
+
+    Checks these sources in order:
+    - ``$CLAUDE_JOB_DIR/tmp`` — only when ``CLAUDE_JOB_DIR`` is set.
+    - Root-anchored ``/tmp`` and ``/temp`` (drive-letter tolerant).
+
+    The shared OS temp directory is deliberately not a source: pytest writes
+    its sandbox fixtures there, so matching it would exempt the suite's own
+    targets. Returns False when ``CLAUDE_CODE_RULES_DISABLE_EPHEMERAL_EXEMPT``
+    is truthy, when ``file_path`` is empty, and when no root matches. Path
+    classification is string-only; the file need not exist.
+
+    Args:
+        file_path: The candidate path to classify.
+
+    Returns:
+        True when the path is rooted at a recognized ephemeral scratch directory.
+    """
+    if not file_path:
+        return False
+    disable_value = os.environ.get(EPHEMERAL_EXEMPT_DISABLE_ENVIRONMENT_VARIABLE_NAME, "").strip().lower()
+    if disable_value in ALL_EPHEMERAL_EXEMPT_DISABLE_TRUTHY_VALUES:
+        return False
+    normalized = LEADING_DRIVE_LETTER_PATTERN.sub("", os.path.abspath(file_path).replace("\\", "/").lower())
+    all_temp_roots: list[str] = []
+    job_dir = os.environ.get(CLAUDE_JOB_DIR_ENVIRONMENT_VARIABLE_NAME)
+    if job_dir:
+        job_dir_scratch = LEADING_DRIVE_LETTER_PATTERN.sub(
+            "", os.path.join(job_dir, CLAUDE_JOB_DIR_SCRATCH_SUBDIRECTORY).replace("\\", "/").lower()
+        )
+        all_temp_roots.append(job_dir_scratch)
+    for each_root in ALL_ROOT_ANCHORED_EPHEMERAL_DIRECTORIES:
+        all_temp_roots.append(each_root)
+    for each_temp_root in all_temp_roots:
+        if normalized == each_temp_root or normalized.startswith(each_temp_root + "/"):
+            return True
+    return False
+
+
 def is_migration_file(file_path: str) -> bool:
     """Check if file is a Django migration (must be self-contained)."""
     path_lower = file_path.lower().replace("\\", "/")

package/hooks/blocking/tdd_enforcer.py

@@ -16,10 +16,15 @@ from pathlib import Path
 
 
 _hooks_root_path_string = str(Path(__file__).resolve().parent.parent)
+_blocking_directory_path_string = str(Path(__file__).resolve().parent)
 if _hooks_root_path_string not in sys.path:
     sys.path.insert(0, _hooks_root_path_string)
+if _blocking_directory_path_string not in sys.path:
+    sys.path.insert(0, _blocking_directory_path_string)
 
-from hooks_constants.messages import USER_FACING_TDD_NOTICE
+from code_rules_shared import is_ephemeral_script_path  # noqa: E402
+
+from hooks_constants.messages import USER_FACING_TDD_NOTICE  # noqa: E402
 
 PRODUCTION_EXTENSIONS = {'.py', '.ts', '.tsx', '.js', '.jsx'}
 SKIP_PATTERNS = {
@@ -581,7 +586,7 @@ def main() -> None:
     if not file_path:
         sys.exit(0)
 
-    if _is_inside_dotclaude_segment(file_path):
+    if _is_inside_dotclaude_segment(file_path) or is_ephemeral_script_path(file_path):
         sys.exit(0)
 
     path = Path(file_path)

package/hooks/blocking/test_code_rules_enforcer_ephemeral.py

@@ -0,0 +1,383 @@
+"""Ephemeral-path exemption tests for code_rules_enforcer and the classifier."""
+
+from __future__ import annotations
+
+import io
+import json
+import os
+import subprocess
+import sys
+import tempfile
+from pathlib import Path
+from types import SimpleNamespace
+
+import pytest
+
+_BLOCKING_DIRECTORY = str(Path(__file__).resolve().parent)
+_HOOKS_DIRECTORY = str(Path(__file__).resolve().parent.parent)
+if _BLOCKING_DIRECTORY not in sys.path:
+    sys.path.insert(0, _BLOCKING_DIRECTORY)
+if _HOOKS_DIRECTORY not in sys.path:
+    sys.path.insert(0, _HOOKS_DIRECTORY)
+
+from code_rules_enforcer import main as enforcer_main  # noqa: E402
+from code_rules_shared import is_ephemeral_script_path  # noqa: E402
+
+_ENFORCER_SCRIPT = Path(__file__).resolve().parent / "code_rules_enforcer.py"
+_TDD_SCRIPT = Path(__file__).resolve().parent / "tdd_enforcer.py"
+
+_VIOLATING_PRODUCTION_SOURCE = "def process_data(payload: str) -> None:\n    print(payload)\n"
+
+code_rules_enforcer_module = SimpleNamespace(main=enforcer_main, sys=sys)
+
+
+def _run_enforcer_cli(
+    all_cli_arguments: list[str],
+    extra_env: dict[str, str],
+) -> subprocess.CompletedProcess[str]:
+    """Drive the enforcer script through its real argv entry point.
+
+    Args:
+        all_cli_arguments: The argument vector appended after the script path.
+        extra_env: Additional environment variables merged into the subprocess env.
+
+    Returns:
+        The completed process carrying stdout, stderr, and the exit code.
+    """
+    subprocess_env = {**os.environ, **extra_env}
+    return subprocess.run(
+        [sys.executable, str(_ENFORCER_SCRIPT), *all_cli_arguments],
+        input="",
+        capture_output=True,
+        text=True,
+        check=False,
+        env=subprocess_env,
+    )
+
+
+def _run_main_with_write_payload(
+    file_path: str,
+    content: str,
+    monkeypatch: pytest.MonkeyPatch,
+    capsys: pytest.CaptureFixture[str],
+) -> tuple[str, int]:
+    """Drive enforcer_main through its stdin entry point for a Write payload.
+
+    Args:
+        file_path: The destination path the Write targets.
+        content: The content of the Write.
+        monkeypatch: The pytest fixture used to redirect sys.stdin.
+        capsys: The pytest fixture used to capture the deny payload on stdout.
+
+    Returns:
+        A tuple of (captured_stdout, exit_code).
+    """
+    write_payload = json.dumps(
+        {
+            "tool_name": "Write",
+            "tool_input": {"file_path": file_path, "content": content},
+        }
+    )
+    monkeypatch.setattr(code_rules_enforcer_module.sys, "stdin", io.StringIO(write_payload))
+    exit_code = 0
+    try:
+        code_rules_enforcer_module.main([])
+    except SystemExit as each_exit:
+        exit_code = int(each_exit.code or 0)
+    captured = capsys.readouterr()
+    return captured.out, exit_code
+
+
+def _run_tdd_with_write_payload(
+    file_path: str,
+    content: str,
+) -> subprocess.CompletedProcess[str]:
+    """Drive the TDD enforcer through subprocess with a Write payload.
+
+    Args:
+        file_path: The destination path the Write targets.
+        content: The production-looking content to write.
+
+    Returns:
+        The completed process carrying stdout, stderr, and the exit code.
+    """
+    write_payload = json.dumps(
+        {
+            "tool_name": "Write",
+            "tool_input": {"file_path": file_path, "content": content},
+        }
+    )
+    return subprocess.run(
+        [sys.executable, str(_TDD_SCRIPT)],
+        input=write_payload,
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+
+
+def _decision_from(completed: subprocess.CompletedProcess[str]) -> str | None:
+    """Extract the permissionDecision from a hook's JSON stdout.
+
+    Args:
+        completed: The completed subprocess carrying the hook's stdout.
+
+    Returns:
+        The permissionDecision string, or None when stdout is empty.
+    """
+    if not completed.stdout:
+        return None
+    parsed = json.loads(completed.stdout)
+    hook_output = parsed.get("hookSpecificOutput", {})
+    return hook_output.get("permissionDecision")
+
+
+def test_should_return_true_for_claude_job_dir_tmp_path(
+    tmp_path: Path,
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """B1: classifier returns True for a path under $CLAUDE_JOB_DIR/tmp."""
+    monkeypatch.delenv("CLAUDE_CODE_RULES_DISABLE_EPHEMERAL_EXEMPT", raising=False)
+    monkeypatch.setenv("CLAUDE_JOB_DIR", str(tmp_path))
+    scratch_path = str(tmp_path / "tmp" / "scratch.py")
+    assert is_ephemeral_script_path(scratch_path) is True
+
+
+def test_should_return_false_for_os_tempfile_gettempdir_root(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """B2: the shared OS temp directory is not an ephemeral source.
+
+    pytest sandbox fixtures live under tempfile.gettempdir(); matching it
+    would exempt the suite's own enforcer test targets.
+    """
+    monkeypatch.delenv("CLAUDE_CODE_RULES_DISABLE_EPHEMERAL_EXEMPT", raising=False)
+    monkeypatch.delenv("CLAUDE_JOB_DIR", raising=False)
+    system_temp_root = tempfile.gettempdir()
+    scratch_path = str(Path(system_temp_root) / "scratch_work.py")
+    assert is_ephemeral_script_path(scratch_path) is False
+
+
+@pytest.mark.parametrize("env_name", ["TMPDIR", "TEMP", "TMP"])
+def test_should_return_false_for_tmpdir_temp_tmp_env_roots(
+    env_name: str,
+    tmp_path: Path,
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """B3: $TMPDIR / $TEMP / $TMP are not ephemeral sources.
+
+    A path under one of these env roots that is neither $CLAUDE_JOB_DIR/tmp
+    nor root-anchored /tmp must classify False.
+    """
+    monkeypatch.delenv("CLAUDE_CODE_RULES_DISABLE_EPHEMERAL_EXEMPT", raising=False)
+    monkeypatch.delenv("CLAUDE_JOB_DIR", raising=False)
+    monkeypatch.setenv(env_name, str(tmp_path / "env_root"))
+    scratch_path = str(tmp_path / "env_root" / "scratch.py")
+    assert is_ephemeral_script_path(scratch_path) is False
+
+
+def test_should_return_false_for_pytest_tmp_path_when_job_dir_elsewhere(
+    tmp_path: Path,
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """Regression guard: a pytest tmp_path under %TEMP% returns False.
+
+    This is the exact path class that broke the enforcer suite when the OS
+    temp directory was an ephemeral source: pytest tmp_path fixtures live
+    under tempfile.gettempdir(), so the enforcer's own test targets must not
+    classify as ephemeral. CLAUDE_JOB_DIR points elsewhere (its scratch dir
+    lives under .claude-ev/jobs, not %TEMP%).
+    """
+    monkeypatch.delenv("CLAUDE_CODE_RULES_DISABLE_EPHEMERAL_EXEMPT", raising=False)
+    monkeypatch.setenv("CLAUDE_JOB_DIR", str(tmp_path / "elsewhere"))
+    pytest_sandbox_target = str(tmp_path / "candidate.py")
+    assert is_ephemeral_script_path(pytest_sandbox_target) is False
+
+
+@pytest.mark.parametrize(
+    "raw_path",
+    [
+        "/tmp/scratch.py",
+        "/temp/scratch.py",
+        "C:/Temp/scratch.py",
+        "c:/tmp/scratch.py",
+    ],
+)
+def test_should_return_true_for_root_anchored_tmp_and_temp(
+    raw_path: str,
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """B4: classifier returns True for root-anchored /tmp and /temp paths."""
+    monkeypatch.delenv("CLAUDE_CODE_RULES_DISABLE_EPHEMERAL_EXEMPT", raising=False)
+    assert is_ephemeral_script_path(raw_path) is True
+
+
+@pytest.mark.parametrize(
+    "lookalike_path",
+    [
+        "/repo/tmp_helper.py",
+        "/repo/temp/foo.py",
+        "/repo/src/temperature.py",
+        "/repo/contemporary/x.py",
+    ],
+)
+def test_should_return_false_for_lookalike_tmp_temp_paths(
+    lookalike_path: str,
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """B5: classifier returns False for paths that merely contain tmp/temp substrings."""
+    monkeypatch.delenv("CLAUDE_CODE_RULES_DISABLE_EPHEMERAL_EXEMPT", raising=False)
+    assert is_ephemeral_script_path(lookalike_path) is False
+
+
+def test_should_resolve_relative_path_before_classifying(
+    tmp_path: Path,
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """B6: a relative path resolving under $CLAUDE_JOB_DIR/tmp returns True."""
+    monkeypatch.delenv("CLAUDE_CODE_RULES_DISABLE_EPHEMERAL_EXEMPT", raising=False)
+    monkeypatch.setenv("CLAUDE_JOB_DIR", str(tmp_path))
+    (tmp_path / "tmp").mkdir(parents=True, exist_ok=True)
+    monkeypatch.chdir(tmp_path / "tmp")
+    assert is_ephemeral_script_path("scratch.py") is True
+
+
+def test_should_return_false_when_job_dir_unset(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """B7: with CLAUDE_JOB_DIR unset, a non-temp path returns False."""
+    monkeypatch.delenv("CLAUDE_JOB_DIR", raising=False)
+    monkeypatch.delenv("CLAUDE_CODE_RULES_DISABLE_EPHEMERAL_EXEMPT", raising=False)
+    assert is_ephemeral_script_path("/repo/src/orders.py") is False
+
+
+@pytest.mark.parametrize("truthy_value", ["1", "true", "yes", "on"])
+def test_should_return_false_when_disable_override_truthy(
+    truthy_value: str,
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """B8: override set to each truthy value returns False even for a temp path."""
+    monkeypatch.setenv("CLAUDE_CODE_RULES_DISABLE_EPHEMERAL_EXEMPT", truthy_value)
+    assert is_ephemeral_script_path("/tmp/scratch.py") is False
+
+
+def test_should_classify_nonexistent_path_without_error(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """B9: a path that does not exist is classified by string, with no exception."""
+    monkeypatch.delenv("CLAUDE_CODE_RULES_DISABLE_EPHEMERAL_EXEMPT", raising=False)
+    classification_result = is_ephemeral_script_path("/tmp/does_not_exist.py")
+    assert isinstance(classification_result, bool)
+    assert classification_result is True
+
+
+def test_should_return_false_for_empty_path() -> None:
+    """B10: an empty string returns False."""
+    assert is_ephemeral_script_path("") is False
+
+
+def test_should_exit_zero_for_ephemeral_pretooluse_target(
+    tmp_path: Path,
+    monkeypatch: pytest.MonkeyPatch,
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    """B11: enforcer main exits 0 with no deny payload for an ephemeral file_path."""
+    monkeypatch.setenv("CLAUDE_JOB_DIR", str(tmp_path))
+    ephemeral_path = str(tmp_path / "tmp" / "scratch.py")
+    captured_stdout, exit_code = _run_main_with_write_payload(
+        ephemeral_path,
+        _VIOLATING_PRODUCTION_SOURCE,
+        monkeypatch,
+        capsys,
+    )
+    assert exit_code == 0
+    assert "deny" not in captured_stdout.lower()
+
+
+def test_should_exit_zero_for_ephemeral_path_with_hooks_substring(
+    tmp_path: Path,
+    monkeypatch: pytest.MonkeyPatch,
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    """B12: an ephemeral path carrying /hooks/ exits 0 (hook-infra route short-circuited)."""
+    monkeypatch.setenv("CLAUDE_JOB_DIR", str(tmp_path))
+    ephemeral_hooks_path = str(tmp_path / "tmp" / "hooks" / "scratch.py")
+    captured_stdout, exit_code = _run_main_with_write_payload(
+        ephemeral_hooks_path,
+        _VIOLATING_PRODUCTION_SOURCE,
+        monkeypatch,
+        capsys,
+    )
+    assert exit_code == 0
+    assert "deny" not in captured_stdout.lower()
+
+
+def test_should_return_zero_from_precheck_for_ephemeral_target(
+    tmp_path: Path,
+) -> None:
+    """B13: enforcer CLI returns 0 for an ephemeral root-anchored /tmp --as target."""
+    candidate_file = tmp_path / "candidate.py"
+    candidate_file.write_text(_VIOLATING_PRODUCTION_SOURCE, encoding="utf-8")
+    ephemeral_target = "/tmp/target.py"
+    completed = _run_enforcer_cli(["--check", str(candidate_file), "--as", ephemeral_target], extra_env={})
+    assert completed.returncode == 0
+
+
+def test_should_run_full_suite_for_non_ephemeral_target(
+    tmp_path: Path,
+) -> None:
+    """B14: a non-ephemeral violating path still produces a deny payload."""
+    candidate_file = tmp_path / "candidate.py"
+    candidate_file.write_text(_VIOLATING_PRODUCTION_SOURCE, encoding="utf-8")
+    non_ephemeral_target = "/repo/src/orders.py"
+    completed = _run_enforcer_cli(
+        ["--check", str(candidate_file), "--as", non_ephemeral_target],
+        extra_env={},
+    )
+    assert completed.returncode == 1
+
+
+def test_should_run_full_suite_when_override_truthy(
+    tmp_path: Path,
+) -> None:
+    """B15: with override set, an ephemeral violating path produces a deny."""
+    candidate_file = tmp_path / "candidate.py"
+    candidate_file.write_text(_VIOLATING_PRODUCTION_SOURCE, encoding="utf-8")
+    ephemeral_target = "/tmp/scratch.py"
+    completed = _run_enforcer_cli(
+        ["--check", str(candidate_file), "--as", ephemeral_target],
+        extra_env={"CLAUDE_CODE_RULES_DISABLE_EPHEMERAL_EXEMPT": "1"},
+    )
+    assert completed.returncode == 1
+
+
+def test_should_exempt_same_path_set_on_both_gates(
+    tmp_path: Path,
+    monkeypatch: pytest.MonkeyPatch,
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    """B21: every ephemeral path exits 0 on both enforcer main and TDD enforcer main."""
+    monkeypatch.setenv("CLAUDE_JOB_DIR", str(tmp_path))
+    all_ephemeral_paths = [
+        str(tmp_path / "tmp" / "scratch.py"),
+        "/tmp/scratch.py",
+        "/temp/scratch.py",
+    ]
+    for each_ephemeral_path in all_ephemeral_paths:
+        captured_stdout, exit_code = _run_main_with_write_payload(
+            each_ephemeral_path,
+            _VIOLATING_PRODUCTION_SOURCE,
+            monkeypatch,
+            capsys,
+        )
+        assert exit_code == 0, (
+            f"enforcer must exit 0 for ephemeral path {each_ephemeral_path!r}, "
+            f"got exit_code={exit_code}, stdout={captured_stdout!r}"
+        )
+        assert "deny" not in captured_stdout.lower(), (
+            f"enforcer must not deny ephemeral path {each_ephemeral_path!r}"
+        )
+        completed = _run_tdd_with_write_payload(each_ephemeral_path, _VIOLATING_PRODUCTION_SOURCE)
+        assert _decision_from(completed) != "deny", (
+            f"TDD enforcer must not deny ephemeral path {each_ephemeral_path!r}"
+        )

package/hooks/blocking/test_tdd_enforcer.py

@@ -1,6 +1,7 @@
 """Tests for tdd-enforcer hook (blocking behavior)."""
 
 import importlib.util
+import io
 import json
 import os
 import subprocess
@@ -8,6 +9,7 @@ import sys
 import time
 from pathlib import Path
 
+import pytest
 
 SCRIPT_PATH = Path(__file__).parent / "tdd_enforcer.py"
 
@@ -25,13 +27,18 @@ FRESHNESS_SECONDS = _PRODUCTION_MODULE._freshness_seconds()
 STALE_MTIME_OFFSET_SECONDS = FRESHNESS_SECONDS + 60
 
 
-def _run_hook_with_payload(payload: dict) -> subprocess.CompletedProcess[str]:
+def _run_hook_with_payload(
+    payload: dict,
+    extra_env: dict[str, str] | None = None,
+) -> subprocess.CompletedProcess[str]:
+    subprocess_env = {**os.environ, **(extra_env or {})}
     return subprocess.run(
         [sys.executable, str(SCRIPT_PATH)],
         input=json.dumps(payload),
         text=True,
         capture_output=True,
         check=False,
+        env=subprocess_env,
     )
 
 
@@ -810,6 +817,104 @@ def test_should_deny_edit_that_swaps_an_import_target(tmp_path: Path) -> None:
     assert _decision_from(completed) == "deny"
 
 
+def _run_hook_with_payload_and_env(
+    payload: dict,
+    extra_env: dict[str, str],
+) -> subprocess.CompletedProcess[str]:
+    return subprocess.run(
+        [sys.executable, str(SCRIPT_PATH)],
+        input=json.dumps(payload),
+        text=True,
+        capture_output=True,
+        check=False,
+        env={**os.environ, **extra_env},
+    )
+
+
+_BEHAVIOR_BEARING_CONTENT = "def fulfill_order(order: str) -> str:\n    return order\n"
+
+
+def test_should_exit_zero_for_ephemeral_scratch_python() -> None:
+    """B16: behavior-bearing scratch .py under root-anchored /tmp exits 0 with no deny."""
+    ephemeral_path = "/tmp/scratch_work.py"
+    payload = _make_write_payload(Path(ephemeral_path), _BEHAVIOR_BEARING_CONTENT)
+    completed = _run_hook_with_payload(payload)
+    assert _decision_from(completed) != "deny", (
+        f"TDD enforcer must not deny ephemeral Python path, got: {completed.stdout!r}"
+    )
+
+
+def test_should_exit_zero_for_ephemeral_scratch_typescript() -> None:
+    """B17: ephemeral .ts scratch file under root-anchored /tmp exits 0 with no deny."""
+    ephemeral_path = "/tmp/scratch_work.ts"
+    payload = {
+        "tool_name": "Write",
+        "tool_input": {
+            "file_path": ephemeral_path,
+            "content": "export function fulfillOrder(order: string): string { return order; }\n",
+        },
+    }
+    completed = _run_hook_with_payload(payload)
+    assert _decision_from(completed) != "deny", (
+        f"TDD enforcer must not deny ephemeral TypeScript path, got: {completed.stdout!r}"
+    )
+
+
+def test_should_still_deny_non_ephemeral_python_without_test() -> None:
+    """B18: a non-ephemeral .py file with no matching test still receives a deny."""
+    non_ephemeral_path = "/repo/src/orders.py"
+    payload = _make_write_payload(Path(non_ephemeral_path), _BEHAVIOR_BEARING_CONTENT)
+    completed = _run_hook_with_payload(payload)
+    assert _decision_from(completed) == "deny", (
+        f"TDD enforcer must deny non-ephemeral production file, got: {completed.stdout!r}"
+    )
+
+
+def test_should_deny_ephemeral_scratch_when_override_truthy() -> None:
+    """B19: with override set, an ephemeral scratch .py with no test still receives a deny."""
+    ephemeral_path = "/tmp/scratch_work.py"
+    payload = _make_write_payload(Path(ephemeral_path), _BEHAVIOR_BEARING_CONTENT)
+    completed = _run_hook_with_payload_and_env(
+        payload,
+        extra_env={"CLAUDE_CODE_RULES_DISABLE_EPHEMERAL_EXEMPT": "1"},
+    )
+    assert _decision_from(completed) == "deny", (
+        f"TDD enforcer must deny ephemeral path when override is set, got: {completed.stdout!r}"
+    )
+
+
+def test_should_exit_before_fresh_test_lookup_for_ephemeral(
+    tmp_path: Path,
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """B20: the ephemeral exit precedes the fresh-test candidate search.
+
+    Spies on candidate_test_paths_for and asserts it is never reached for a
+    scratch .py under $CLAUDE_JOB_DIR/tmp, proving the early exit short-circuits
+    before any test-file lookup runs.
+    """
+    monkeypatch.delenv("CLAUDE_CODE_RULES_DISABLE_EPHEMERAL_EXEMPT", raising=False)
+    monkeypatch.setenv("CLAUDE_JOB_DIR", str(tmp_path))
+    candidate_search_call_count = {"count": 0}
+
+    def _spy_candidate_test_paths_for(production_path: Path) -> list[Path]:
+        candidate_search_call_count["count"] += 1
+        return []
+
+    monkeypatch.setattr(
+        _PRODUCTION_MODULE, "candidate_test_paths_for", _spy_candidate_test_paths_for
+    )
+    scratch_path = str(tmp_path / "tmp" / "scratch_work.py")
+    payload = _make_write_payload(Path(scratch_path), _BEHAVIOR_BEARING_CONTENT)
+    monkeypatch.setattr(_PRODUCTION_MODULE.sys, "stdin", io.StringIO(json.dumps(payload)))
+    with pytest.raises(SystemExit) as raised_exit:
+        _PRODUCTION_MODULE.main()
+    assert int(raised_exit.value.code or 0) == 0
+    assert candidate_search_call_count["count"] == 0, (
+        "candidate_test_paths_for must not run for an ephemeral scratch path"
+    )
+
+
 def test_should_allow_edit_that_removes_an_import_statement(tmp_path: Path) -> None:
     sandbox = _sandbox(tmp_path)
     production_module = sandbox / "orders.py"

package/hooks/hooks_constants/code_rules_enforcer_constants.py

@@ -17,6 +17,12 @@ ALL_JAVASCRIPT_EXTENSIONS = {".js", ".ts", ".tsx", ".jsx"}
 ALL_CODE_EXTENSIONS = ALL_PYTHON_EXTENSIONS | ALL_JAVASCRIPT_EXTENSIONS
 
 ALL_TEST_PATH_PATTERNS = {"test_", "_test.", ".test.", ".spec.", "/tests/", "\\tests\\", "/tests.py", "\\tests.py"}
+ALL_ROOT_ANCHORED_EPHEMERAL_DIRECTORIES: tuple[str, str] = ("/tmp", "/temp")
+CLAUDE_JOB_DIR_ENVIRONMENT_VARIABLE_NAME: str = "CLAUDE_JOB_DIR"
+CLAUDE_JOB_DIR_SCRATCH_SUBDIRECTORY: str = "tmp"
+EPHEMERAL_EXEMPT_DISABLE_ENVIRONMENT_VARIABLE_NAME: str = "CLAUDE_CODE_RULES_DISABLE_EPHEMERAL_EXEMPT"
+ALL_EPHEMERAL_EXEMPT_DISABLE_TRUTHY_VALUES: frozenset[str] = frozenset({"1", "true", "yes", "on"})
+LEADING_DRIVE_LETTER_PATTERN: re.Pattern[str] = re.compile(r"^[a-z]:")
 ALL_HOOK_INFRASTRUCTURE_PATTERNS = {"/.claude/hooks/", "\\.claude\\hooks\\", "\\.claude/hooks/", "/packages/claude-dev-env/hooks/", "\\packages\\claude-dev-env\\hooks\\"}
 ALL_WORKFLOW_REGISTRY_PATTERNS = {"/workflow/", "\\workflow\\", "_tab.py", "/states.py", "\\states.py", "/modules.py", "\\modules.py"}
 ALL_MIGRATION_PATH_PATTERNS = {"/migrations/", "\\migrations\\"}

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "claude-dev-env",
-    "version": "1.69.1",
+    "version": "1.69.2",
     "description": "Claude Code development standards — rules, hooks, agents, commands, and skills",
     "type": "module",
     "bin": {