claude-dev-env 1.73.0 → 1.74.0

package/hooks/blocking/test_docstring_rule_gate_count_blocker.py

@@ -0,0 +1,203 @@
+"""Tests for docstring_rule_gate_count_blocker hook."""
+
+import json
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
+
+from docstring_rule_gate_count_blocker import (
+    find_gate_count_drift,
+    is_target_rule_file,
+)
+
+from hooks_constants.docstring_rule_gate_count_blocker_constants import (
+    GATE_COUNT_SYSTEM_MESSAGE,
+    TARGET_RULE_BASENAME,
+)
+
+HOOK_SCRIPT_PATH = os.path.join(os.path.dirname(__file__), "docstring_rule_gate_count_blocker.py")
+
+IN_STEP_RULE_TEXT = (
+    "The gate validator `check_docstring_args_match_signature` covers the Args "
+    "section parameter names. Four more gate validators each cover one "
+    "deterministic slice of the free-form prose. `check_docstring_fallback_branch_coverage` "
+    "covers a fallback. `check_class_docstring_names_public_methods` covers a "
+    "class. `check_docstring_no_consumer_claim` covers a producer. "
+    "`check_docstring_unguarded_malformed_payload_claim` covers a malformed "
+    "payload. The audit lane covers everything outside the five gated slices.\n"
+)
+
+STALE_FREE_FORM_COUNT_RULE_TEXT = (
+    "The gate validator `check_docstring_args_match_signature` covers the Args "
+    "section parameter names. Three more gate validators each cover one "
+    "deterministic slice of the free-form prose. `check_docstring_fallback_branch_coverage` "
+    "covers a fallback. `check_class_docstring_names_public_methods` covers a "
+    "class. `check_docstring_no_consumer_claim` covers a producer. "
+    "`check_docstring_unguarded_malformed_payload_claim` covers a malformed "
+    "payload. The audit lane covers everything outside the four gated slices.\n"
+)
+
+THREE_VALIDATORS_IN_STEP_RULE_TEXT = (
+    "The gate validator `check_docstring_args_match_signature` covers the Args "
+    "section parameter names. Three more gate validators each cover one "
+    "deterministic slice of the free-form prose. `check_docstring_fallback_branch_coverage` "
+    "covers a fallback. `check_class_docstring_names_public_methods` covers a "
+    "class. `check_docstring_no_consumer_claim` covers a producer. The audit lane "
+    "covers everything outside the four gated slices.\n"
+)
+
+FENCED_COUNT_CLAUSE_RULE_TEXT = (
+    "This rule names no live count outside a fence.\n\n"
+    "```\n"
+    "Three more gate validators each cover a slice: "
+    "`check_docstring_fallback_branch_coverage`, "
+    "`check_class_docstring_names_public_methods`. The four gated slices.\n"
+    "```\n"
+)
+
+NO_COUNT_CLAUSE_RULE_TEXT = (
+    "This rule prose names `check_docstring_fallback_branch_coverage` and "
+    "`check_class_docstring_names_public_methods` but states no spelled-out "
+    "gate count or gated-slice total.\n"
+)
+
+OUT_OF_WINDOW_VALIDATOR_RULE_TEXT = (
+    "The gate validator `check_docstring_args_match_signature` covers the Args "
+    "section parameter names. Three more gate validators each cover one "
+    "deterministic slice of the free-form prose. `check_docstring_fallback_branch_coverage` "
+    "covers a fallback. `check_class_docstring_names_public_methods` covers a "
+    "class. `check_docstring_no_consumer_claim` covers a producer. The audit lane "
+    "covers everything outside the four gated slices. The worked example below "
+    "also names `check_docstring_step_enumeration_dispatch_coverage`, which the "
+    "enforcement section discusses but the count clause does not enumerate.\n"
+)
+
+REVERSED_COUNT_CLAUSE_ORDER_RULE_TEXT = (
+    "The audit lane covers everything outside the five gated slices. "
+    "`check_docstring_fallback_branch_coverage` covers a fallback. "
+    "`check_class_docstring_names_public_methods` covers a class. Four more gate "
+    "validators each cover one deterministic slice of the free-form prose.\n"
+)
+
+
+class _RunHook:
+    """Helper to drive the hook via subprocess, mirroring the sibling test style."""
+
+    def __call__(self, tool_name: str, tool_input: dict) -> subprocess.CompletedProcess:
+        payload = json.dumps({"tool_name": tool_name, "tool_input": tool_input})
+        return subprocess.run(
+            [sys.executable, HOOK_SCRIPT_PATH],
+            input=payload,
+            capture_output=True,
+            text=True,
+            check=False,
+        )
+
+
+_run_hook = _RunHook()
+
+
+def _target_rule_path(tmp_path: Path) -> Path:
+    """Return a path inside *tmp_path* named after the guarded rule basename."""
+    return tmp_path / TARGET_RULE_BASENAME
+
+
+def should_flag_target_rule_basename() -> None:
+    assert is_target_rule_file("/somewhere/" + TARGET_RULE_BASENAME) is True
+
+
+def should_ignore_unrelated_markdown_file() -> None:
+    assert is_target_rule_file("/somewhere/other-rule.md") is False
+
+
+def should_report_no_drift_when_counts_match_named_validators() -> None:
+    assert find_gate_count_drift(IN_STEP_RULE_TEXT) == []
+
+
+def should_report_no_drift_for_three_validators_in_step() -> None:
+    assert find_gate_count_drift(THREE_VALIDATORS_IN_STEP_RULE_TEXT) == []
+
+
+def should_flag_stale_free_form_count_after_a_validator_is_added() -> None:
+    issues = find_gate_count_drift(STALE_FREE_FORM_COUNT_RULE_TEXT)
+    assert len(issues) == 2
+    assert any("Three more gate validators" in each_issue for each_issue in issues)
+    assert any("four gated slices" in each_issue for each_issue in issues)
+
+
+def should_ignore_count_clauses_inside_a_code_fence() -> None:
+    assert find_gate_count_drift(FENCED_COUNT_CLAUSE_RULE_TEXT) == []
+
+
+def should_report_no_drift_when_no_count_clause_is_present() -> None:
+    assert find_gate_count_drift(NO_COUNT_CLAUSE_RULE_TEXT) == []
+
+
+def should_exclude_validators_named_outside_the_enumeration_window() -> None:
+    assert find_gate_count_drift(OUT_OF_WINDOW_VALIDATOR_RULE_TEXT) == []
+
+
+def should_report_no_drift_when_count_clauses_appear_out_of_order() -> None:
+    assert find_gate_count_drift(REVERSED_COUNT_CLAUSE_ORDER_RULE_TEXT) == []
+
+
+def should_deny_a_write_with_a_stale_gate_count() -> None:
+    completed = _run_hook(
+        "Write",
+        {
+            "file_path": "/anywhere/" + TARGET_RULE_BASENAME,
+            "content": STALE_FREE_FORM_COUNT_RULE_TEXT,
+        },
+    )
+    parsed_output = json.loads(completed.stdout)
+    hook_specific = parsed_output["hookSpecificOutput"]
+    assert hook_specific["permissionDecision"] == "deny"
+    assert parsed_output["systemMessage"] == GATE_COUNT_SYSTEM_MESSAGE
+
+
+def should_allow_a_write_with_in_step_counts() -> None:
+    completed = _run_hook(
+        "Write",
+        {"file_path": "/anywhere/" + TARGET_RULE_BASENAME, "content": IN_STEP_RULE_TEXT},
+    )
+    assert completed.stdout.strip() == ""
+
+
+def should_allow_a_write_to_an_unrelated_markdown_file() -> None:
+    completed = _run_hook(
+        "Write",
+        {"file_path": "/anywhere/other-rule.md", "content": STALE_FREE_FORM_COUNT_RULE_TEXT},
+    )
+    assert completed.stdout.strip() == ""
+
+
+def should_deny_an_edit_that_makes_the_count_stale(tmp_path: Path) -> None:
+    rule_path = _target_rule_path(tmp_path)
+    rule_path.write_text(IN_STEP_RULE_TEXT, encoding="utf-8")
+    completed = _run_hook(
+        "Edit",
+        {
+            "file_path": str(rule_path),
+            "old_string": "Four more gate validators",
+            "new_string": "Three more gate validators",
+        },
+    )
+    parsed_output = json.loads(completed.stdout)
+    assert parsed_output["hookSpecificOutput"]["permissionDecision"] == "deny"
+
+
+def should_allow_an_edit_that_keeps_the_count_in_step(tmp_path: Path) -> None:
+    rule_path = _target_rule_path(tmp_path)
+    rule_path.write_text(IN_STEP_RULE_TEXT, encoding="utf-8")
+    completed = _run_hook(
+        "Edit",
+        {
+            "file_path": str(rule_path),
+            "old_string": "covers a malformed payload.",
+            "new_string": "covers a malformed payload case.",
+        },
+    )
+    assert completed.stdout.strip() == ""

package/hooks/blocking/test_hook_block_logger_coverage.py

@@ -0,0 +1,53 @@
+"""Meta-test: every blocking hook must call log_hook_block at its block site.
+
+Discovers every .py under hooks/ whose source contains a block-emit pattern
+(``"permissionDecision": "deny"`` or ``"decision": "block"``), excludes test
+files and the logger module itself, then asserts each one imports and calls
+``log_hook_block(``.
+"""
+
+from __future__ import annotations
+
+import re
+from pathlib import Path
+
+_HOOKS_ROOT = Path(__file__).resolve().parent.parent
+
+_DENY_PATTERN = re.compile(r'"permissionDecision":\s*"deny"')
+_BLOCK_PATTERN = re.compile(r'"decision":\s*"block"')
+_LOG_CALL_PATTERN = re.compile(r"\blog_hook_block\(")
+
+_LOGGER_MODULE_NAME = "hook_block_logger.py"
+
+
+def _is_test_file(path: Path) -> bool:
+    return path.name.startswith("test_") or path.name.endswith("_test.py")
+
+
+def _discover_blocking_hook_paths() -> list[Path]:
+    all_blocking_hook_paths: list[Path] = []
+    for each_py_file in _HOOKS_ROOT.rglob("*.py"):
+        if _is_test_file(each_py_file):
+            continue
+        if each_py_file.name == _LOGGER_MODULE_NAME:
+            continue
+        source = each_py_file.read_text(encoding="utf-8", errors="replace")
+        if _DENY_PATTERN.search(source) or _BLOCK_PATTERN.search(source):
+            all_blocking_hook_paths.append(each_py_file)
+    return sorted(all_blocking_hook_paths)
+
+
+def test_every_blocking_hook_calls_log_hook_block() -> None:
+    all_blocking_hooks = _discover_blocking_hook_paths()
+    assert all_blocking_hooks, "No blocking hooks discovered — check _HOOKS_ROOT path"
+
+    all_uninstrumented_hooks: list[str] = []
+    for each_hook_path in all_blocking_hooks:
+        source = each_hook_path.read_text(encoding="utf-8", errors="replace")
+        if not _LOG_CALL_PATTERN.search(source):
+            all_uninstrumented_hooks.append(str(each_hook_path.relative_to(_HOOKS_ROOT)))
+
+    assert not all_uninstrumented_hooks, (
+        f"{len(all_uninstrumented_hooks)} blocking hook(s) missing log_hook_block call:\n"
+        + "\n".join(f"  - {each_path}" for each_path in all_uninstrumented_hooks)
+    )

package/hooks/blocking/test_package_inventory_stale_blocker.py

@@ -0,0 +1,329 @@
+"""Tests for package_inventory_stale_blocker hook."""
+
+import json
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
+
+from package_inventory_stale_blocker import (
+    find_stale_inventory,
+    inventory_named_basenames,
+    is_inventoried_production_file,
+)
+
+from hooks_constants.package_inventory_stale_blocker_constants import (
+    STALE_INVENTORY_SYSTEM_MESSAGE,
+)
+
+HOOK_SCRIPT_PATH = os.path.join(os.path.dirname(__file__), "package_inventory_stale_blocker.py")
+
+README_LISTING_TWO_FILES = (
+    "# Pipeline\n\n"
+    "| Path | Role |\n"
+    "|---|---|\n"
+    "| `pipeline/dialer_compose.py` | Composes a dialer strip. |\n"
+    "| `compose_dialer_cli.py` | CLI for the dialer strip. |\n"
+)
+
+CLAUDE_MD_BULLET_LIST = (
+    "# package\n\n"
+    "## Key files\n\n"
+    "- `compose_dialer_cli.py` — composes one dialer strip.\n"
+    "- `compose_aod_cli.py` — composes the AOD image.\n"
+)
+
+README_LISTING_ONE_FILE = "# package\n\nSome prose mentioning `single_module.py` once.\n"
+
+README_LISTING_ONLY_GLOB_TOKENS = (
+    "# package\n\n"
+    "This directory holds files matching `*.py` and `*.mjs`.\n"
+)
+
+README_LISTING_ONLY_FENCED_FILENAMES = (
+    "# package\n\n"
+    "Example inventory table:\n\n"
+    "```\n"
+    "| Path | Role |\n"
+    "|---|---|\n"
+    "| `example_alpha.py` | Sample row. |\n"
+    "| `example_beta.py` | Sample row. |\n"
+    "```\n"
+)
+
+README_LISTING_ONLY_COMMAND_EXAMPLES = (
+    "# package\n\n"
+    "Run `parent:node_modules package.json` to find the manifest, then "
+    "`python <file>.py` and `psql $DATABASE_URL -f <query>.sql`. Import via "
+    "`from git_hooks_constants import VALUE`.\n"
+)
+
+README_PROSE_NAMES_NON_SIBLING_FILES = (
+    "# package\n\n"
+    "This directory works alongside `install.mjs` and is documented in "
+    "`source-material-section-types.md`.\n"
+)
+
+
+class _RunHook:
+    """Helper to test the hook via subprocess, mirroring the sibling test style."""
+
+    def __call__(self, tool_name: str, tool_input: dict) -> subprocess.CompletedProcess:
+        payload = json.dumps({"tool_name": tool_name, "tool_input": tool_input})
+        return subprocess.run(
+            [sys.executable, HOOK_SCRIPT_PATH],
+            input=payload,
+            capture_output=True,
+            text=True,
+            check=False,
+        )
+
+
+_run_hook = _RunHook()
+
+
+def _package_directory_with_readme(tmp_path: Path, readme_content: str) -> Path:
+    """Return a fresh package directory holding a README.md with the given content."""
+    package_directory = tmp_path / "package_directory"
+    package_directory.mkdir()
+    (package_directory / "README.md").write_text(readme_content, encoding="utf-8")
+    return package_directory
+
+
+def _write_sibling_files(package_directory: Path, all_basenames: list[str]) -> None:
+    """Create each named file on disk inside *package_directory*."""
+    for each_basename in all_basenames:
+        (package_directory / each_basename).write_text("x = 1\n", encoding="utf-8")
+
+
+def test_inventory_named_basenames_strips_path_to_basename():
+    named_basenames = inventory_named_basenames(README_LISTING_TWO_FILES)
+    assert named_basenames == {"dialer_compose.py", "compose_dialer_cli.py"}
+
+
+def test_inventory_named_basenames_reads_bullet_list():
+    named_basenames = inventory_named_basenames(CLAUDE_MD_BULLET_LIST)
+    assert named_basenames == {"compose_dialer_cli.py", "compose_aod_cli.py"}
+
+
+def test_inventory_named_basenames_rejects_glob_tokens():
+    named_basenames = inventory_named_basenames(README_LISTING_ONLY_GLOB_TOKENS)
+    assert named_basenames == set()
+
+
+def test_inventory_named_basenames_skips_fenced_code_block():
+    named_basenames = inventory_named_basenames(README_LISTING_ONLY_FENCED_FILENAMES)
+    assert named_basenames == set()
+
+
+def test_inventory_named_basenames_rejects_command_example_spans():
+    named_basenames = inventory_named_basenames(README_LISTING_ONLY_COMMAND_EXAMPLES)
+    assert named_basenames == set()
+
+
+def test_blocks_new_production_file_absent_from_readme(tmp_path: Path):
+    package_directory = _package_directory_with_readme(tmp_path, README_LISTING_TWO_FILES)
+    _write_sibling_files(package_directory, ["dialer_compose.py", "compose_dialer_cli.py"])
+    new_file_path = package_directory / "check_dialer_seam_cli.py"
+    result = _run_hook(
+        "Write",
+        {"file_path": str(new_file_path), "content": "x = 1\n"},
+    )
+    assert result.returncode == 0
+    payload = json.loads(result.stdout)
+    assert payload["hookSpecificOutput"]["permissionDecision"] == "deny"
+    assert "check_dialer_seam_cli.py" in payload["hookSpecificOutput"]["permissionDecisionReason"]
+    assert payload["systemMessage"] == STALE_INVENTORY_SYSTEM_MESSAGE
+
+
+def test_blocks_new_file_absent_from_claude_md_bullet_list(tmp_path: Path):
+    package_directory = tmp_path / "package_directory"
+    package_directory.mkdir()
+    (package_directory / "CLAUDE.md").write_text(CLAUDE_MD_BULLET_LIST, encoding="utf-8")
+    _write_sibling_files(package_directory, ["compose_dialer_cli.py", "compose_aod_cli.py"])
+    new_file_path = package_directory / "build_dialer_aod_roster_cli.py"
+    result = _run_hook(
+        "Write",
+        {"file_path": str(new_file_path), "content": "x = 1\n"},
+    )
+    assert result.returncode == 0
+    payload = json.loads(result.stdout)
+    assert payload["hookSpecificOutput"]["permissionDecision"] == "deny"
+
+
+def test_allows_new_file_already_named_in_readme(tmp_path: Path):
+    package_directory = _package_directory_with_readme(tmp_path, README_LISTING_TWO_FILES)
+    new_file_path = package_directory / "compose_dialer_cli.py"
+    result = _run_hook(
+        "Write",
+        {"file_path": str(new_file_path), "content": "x = 1\n"},
+    )
+    assert result.returncode == 0
+    assert result.stdout.strip() == ""
+
+
+def test_allows_new_file_named_by_path_form_in_readme(tmp_path: Path):
+    package_directory = _package_directory_with_readme(tmp_path, README_LISTING_TWO_FILES)
+    pipeline_directory = package_directory / "pipeline"
+    pipeline_directory.mkdir()
+    new_file_path = package_directory / "dialer_compose.py"
+    result = _run_hook(
+        "Write",
+        {"file_path": str(new_file_path), "content": "x = 1\n"},
+    )
+    assert result.returncode == 0
+    assert result.stdout.strip() == ""
+
+
+def test_allows_directory_with_no_inventory(tmp_path: Path):
+    package_directory = tmp_path / "package_directory"
+    package_directory.mkdir()
+    new_file_path = package_directory / "lonely_module.py"
+    result = _run_hook(
+        "Write",
+        {"file_path": str(new_file_path), "content": "x = 1\n"},
+    )
+    assert result.returncode == 0
+    assert result.stdout.strip() == ""
+
+
+def test_allows_directory_whose_readme_names_too_few_files(tmp_path: Path):
+    package_directory = _package_directory_with_readme(tmp_path, README_LISTING_ONE_FILE)
+    new_file_path = package_directory / "another_module.py"
+    result = _run_hook(
+        "Write",
+        {"file_path": str(new_file_path), "content": "x = 1\n"},
+    )
+    assert result.returncode == 0
+    assert result.stdout.strip() == ""
+
+
+def test_allows_new_file_when_inventory_holds_only_glob_tokens(tmp_path: Path):
+    package_directory = _package_directory_with_readme(
+        tmp_path, README_LISTING_ONLY_GLOB_TOKENS
+    )
+    new_file_path = package_directory / "new_sibling_module.py"
+    result = _run_hook(
+        "Write",
+        {"file_path": str(new_file_path), "content": "x = 1\n"},
+    )
+    assert result.returncode == 0
+    assert result.stdout.strip() == ""
+
+
+def test_allows_new_file_when_inventory_filenames_live_in_code_fence(tmp_path: Path):
+    package_directory = _package_directory_with_readme(
+        tmp_path, README_LISTING_ONLY_FENCED_FILENAMES
+    )
+    new_file_path = package_directory / "new_sibling_module.py"
+    result = _run_hook(
+        "Write",
+        {"file_path": str(new_file_path), "content": "x = 1\n"},
+    )
+    assert result.returncode == 0
+    assert result.stdout.strip() == ""
+
+
+def test_allows_new_file_when_inventory_names_only_non_sibling_files(tmp_path: Path):
+    package_directory = _package_directory_with_readme(
+        tmp_path, README_PROSE_NAMES_NON_SIBLING_FILES
+    )
+    new_file_path = package_directory / "new_helper.py"
+    result = _run_hook(
+        "Write",
+        {"file_path": str(new_file_path), "content": "x = 1\n"},
+    )
+    assert result.returncode == 0
+    assert result.stdout.strip() == ""
+
+
+def test_blocks_new_file_when_inventory_names_sibling_files_on_disk(tmp_path: Path):
+    package_directory = _package_directory_with_readme(tmp_path, README_LISTING_TWO_FILES)
+    (package_directory / "dialer_compose.py").write_text("x = 1\n", encoding="utf-8")
+    (package_directory / "compose_dialer_cli.py").write_text("x = 1\n", encoding="utf-8")
+    new_file_path = package_directory / "check_dialer_seam_cli.py"
+    result = _run_hook(
+        "Write",
+        {"file_path": str(new_file_path), "content": "x = 1\n"},
+    )
+    assert result.returncode == 0
+    payload = json.loads(result.stdout)
+    assert payload["hookSpecificOutput"]["permissionDecision"] == "deny"
+    assert "check_dialer_seam_cli.py" in payload["hookSpecificOutput"]["permissionDecisionReason"]
+
+
+def test_allows_test_file_absent_from_inventory(tmp_path: Path):
+    package_directory = _package_directory_with_readme(tmp_path, README_LISTING_TWO_FILES)
+    new_file_path = package_directory / "test_check_dialer_seam_cli.py"
+    result = _run_hook(
+        "Write",
+        {"file_path": str(new_file_path), "content": "x = 1\n"},
+    )
+    assert result.returncode == 0
+    assert result.stdout.strip() == ""
+
+
+def test_allows_init_file_absent_from_inventory(tmp_path: Path):
+    package_directory = _package_directory_with_readme(tmp_path, README_LISTING_TWO_FILES)
+    new_file_path = package_directory / "__init__.py"
+    result = _run_hook(
+        "Write",
+        {"file_path": str(new_file_path), "content": "x = 1\n"},
+    )
+    assert result.returncode == 0
+    assert result.stdout.strip() == ""
+
+
+def test_allows_non_code_file_absent_from_inventory(tmp_path: Path):
+    package_directory = _package_directory_with_readme(tmp_path, README_LISTING_TWO_FILES)
+    new_file_path = package_directory / "notes.txt"
+    result = _run_hook(
+        "Write",
+        {"file_path": str(new_file_path), "content": "x = 1\n"},
+    )
+    assert result.returncode == 0
+    assert result.stdout.strip() == ""
+
+
+def test_allows_edit_of_existing_file(tmp_path: Path):
+    package_directory = _package_directory_with_readme(tmp_path, README_LISTING_TWO_FILES)
+    existing_file_path = package_directory / "seam_continuity.py"
+    existing_file_path.write_text("x = 1\n", encoding="utf-8")
+    result = _run_hook(
+        "Write",
+        {"file_path": str(existing_file_path), "content": "x = 2\n"},
+    )
+    assert result.returncode == 0
+    assert result.stdout.strip() == ""
+
+
+def test_is_inventoried_production_file_rejects_config_directory(tmp_path: Path):
+    config_directory = tmp_path / "config"
+    config_directory.mkdir()
+    config_file_path = config_directory / "constants.py"
+    assert is_inventoried_production_file(str(config_file_path)) is False
+
+
+def test_is_inventoried_production_file_accepts_production_file(tmp_path: Path):
+    production_file_path = tmp_path / "dialer_compose.py"
+    assert is_inventoried_production_file(str(production_file_path)) is True
+
+
+def test_find_stale_inventory_returns_survey_for_omission(tmp_path: Path):
+    package_directory = _package_directory_with_readme(tmp_path, README_LISTING_TWO_FILES)
+    _write_sibling_files(package_directory, ["dialer_compose.py", "compose_dialer_cli.py"])
+    new_file_path = package_directory / "seam_continuity.py"
+    survey = find_stale_inventory(str(new_file_path))
+    assert survey is not None
+    assert survey.present_inventory_names == ["README.md"]
+    assert survey.named_basenames == {"dialer_compose.py", "compose_dialer_cli.py"}
+
+
+def test_find_stale_inventory_skips_prose_only_directory():
+    audit_rubrics_directory = (
+        Path(__file__).resolve().parent.parent.parent / "audit-rubrics"
+    )
+    new_file_path = audit_rubrics_directory / "new_helper.py"
+    assert find_stale_inventory(str(new_file_path)) is None

package/hooks/blocking/test_plain_language_blocker.py

@@ -12,6 +12,7 @@ import os
 import subprocess
 import sys
 from pathlib import Path
+from unittest.mock import patch
 
 HOOK_SCRIPT_PATH = Path(__file__).parent / "plain_language_blocker.py"
 _HOOKS_DIR = str(Path(__file__).resolve().parent)
@@ -37,6 +38,8 @@ find_banned_terms = hook_module.find_banned_terms
 strip_non_prose_regions = hook_module.strip_non_prose_regions
 build_block_reason = hook_module.build_block_reason
 
+from pre_tool_use_dispatcher import NativeHook, run_native_hook  # noqa: E402
+
 
 def _run_hook_with_payload(payload: dict) -> subprocess.CompletedProcess[str]:
     return subprocess.run(
@@ -245,3 +248,36 @@ def test_prose_slash_token_is_not_stripped_as_path() -> None:
 
 def test_real_file_path_is_still_stripped() -> None:
     assert "initiate" not in strip_non_prose_regions("Edit src/initiate.py to wire it.")
+
+
+def test_native_dispatch_path_logs_the_block(tmp_path: Path) -> None:
+    """A deny routed through the dispatcher's native path logs one record.
+
+    On the Write|Edit|MultiEdit surface this hook runs only through
+    pre_tool_use_dispatcher's native path, which calls evaluate() and
+    build_deny_payload() — never _emit_deny() or main(). The block must still
+    land in the hook-blocks log, so the log call lives on build_deny_payload,
+    the function the native path executes.
+    """
+    deny_payload = {
+        "tool_name": "Edit",
+        "tool_input": {
+            "file_path": str(tmp_path / "notes.md"),
+            "new_string": "This guide explains how to utilize the new cache layer.",
+        },
+    }
+    native_hook = NativeHook(
+        evaluate=hook_module.evaluate,
+        build_deny_payload=hook_module.build_deny_payload,
+    )
+
+    with patch.object(Path, "home", return_value=tmp_path):
+        hosted_result = run_native_hook(native_hook, deny_payload, is_blocking=True)
+
+    assert hosted_result.captured_stdout
+    log_path = tmp_path / ".claude" / "logs" / "hook-blocks.log"
+    all_records = log_path.read_text(encoding="utf-8").strip().splitlines()
+    assert len(all_records) == 1
+    logged_record = json.loads(all_records[0])
+    assert logged_record["hook"] == "plain_language_blocker.py"
+    assert logged_record["event"] == "PreToolUse"

package/hooks/blocking/test_pre_tool_use_dispatcher.py

@@ -585,24 +585,24 @@ def test_dispatcher_write_applies_both_groups() -> None:
     assert "blocking/plain_language_blocker.py" in all_write_script_paths, (
         "plain_language_blocker (Group B) must be in Write applicable set"
     )
-    assert len(all_write_entries) == 15, (
-        f"Write tool must apply to all 15 hosted hooks, got {len(all_write_entries)}"
+    assert len(all_write_entries) == 17, (
+        f"Write tool must apply to all 17 hosted hooks, got {len(all_write_entries)}"
     )
 
 
 def test_dispatcher_edit_applies_both_groups() -> None:
     """Edit tool triggers both Group A and Group B hooks through the dispatcher."""
     all_edit_entries = _applicable_entries_for_tool(EDIT_TOOL_NAME)
-    assert len(all_edit_entries) == 15, (
-        f"Edit tool must apply to all 15 hosted hooks, got {len(all_edit_entries)}"
+    assert len(all_edit_entries) == 17, (
+        f"Edit tool must apply to all 17 hosted hooks, got {len(all_edit_entries)}"
     )
 
 
 def test_dispatcher_multi_edit_applies_only_group_b() -> None:
-    """MultiEdit tool triggers only Group B (5 hooks), not Group A."""
+    """MultiEdit tool triggers only Group B (7 hooks), not Group A."""
     all_multi_edit_entries = _applicable_entries_for_tool(MULTI_EDIT_TOOL_NAME)
-    assert len(all_multi_edit_entries) == 5, (
-        f"MultiEdit tool must apply to exactly 5 Group-B hooks, got {len(all_multi_edit_entries)}"
+    assert len(all_multi_edit_entries) == 7, (
+        f"MultiEdit tool must apply to exactly 7 Group-B hooks, got {len(all_multi_edit_entries)}"
     )
 
 
@@ -613,7 +613,7 @@ def test_proceed_after_run_all_validators_removal_allows() -> None:
     it was never a PreToolUse hook and never hosted by the PreToolUse dispatcher.
     A Python Write payload that run_all_validators would have flagged (mypy errors, for
     instance) still produces ALLOW from the PreToolUse dispatcher because the PreToolUse
-    dispatcher covers only its 15 hosted blocking hooks — none of which includes the
+    dispatcher covers only its 17 hosted blocking hooks — none of which includes the
     validators runner.
     """
     python_content_with_type_error = (