claude-dev-env 1.73.0 → 1.75.0

package/hooks/blocking/test_code_verifier_spawn_preflight_gate.py

@@ -8,6 +8,7 @@ test_precommit_code_rules_gate.py lines 1-70.
 """
 
 import json
+import shutil
 import subprocess
 import sys
 from pathlib import Path
@@ -341,6 +342,22 @@ def test_real_code_rules_violation_on_added_line_denies(tmp_path: Path) -> None:
     assert "Line " in reason
 
 
+def test_committed_on_branch_violation_with_clean_working_tree_denies(tmp_path: Path) -> None:
+    repository_root = tmp_path / "repo"
+    repository_root.mkdir()
+    initialize_repository(repository_root)
+    run_git(repository_root, "checkout", "-b", "feature")
+    commit_file(repository_root, "committed.py", VIOLATING_MODULE_SOURCE, "commit violation")
+    status_output = run_git(repository_root, "status", "--porcelain")
+    assert status_output == "", "working tree must be clean so the deny comes from the committed line"
+    payload = write_agent_payload("code-verifier", "verify the change", repository_root)
+    result = run_hook(payload, repository_root)
+    assert not is_allow(result)
+    reason = deny_reason(result)
+    assert "committed.py" in reason
+    assert "Line " in reason
+
+
 def test_preexisting_violation_on_untouched_line_allows(tmp_path: Path) -> None:
     repository_root = tmp_path / "repo"
     repository_root.mkdir()
@@ -454,3 +471,47 @@ def test_conflict_and_violation_single_deny_names_both(tmp_path: Path) -> None:
     assert "shared.py" in reason
     assert "CODE_RULES violations on changed lines:" in reason
     assert "violator.py" in reason
+
+
+def test_hook_imports_real_config_when_parent_holds_shadowing_config(
+    tmp_path: Path,
+) -> None:
+    real_hooks_directory = HOOK_PATH.parent.parent
+    real_package_directory = real_hooks_directory.parent
+
+    staged_package_directory = tmp_path / "claude-dev-env"
+    shutil.copytree(
+        real_hooks_directory,
+        staged_package_directory / "hooks",
+    )
+    shutil.copytree(
+        real_package_directory / "_shared",
+        staged_package_directory / "_shared",
+    )
+
+    shadowing_config_directory = staged_package_directory / "hooks" / "config"
+    shadowing_config_directory.mkdir(parents=True, exist_ok=True)
+    (shadowing_config_directory / "__init__.py").write_text("", encoding="utf-8")
+    (shadowing_config_directory / "unrelated_constants.py").write_text(
+        "UNRELATED_VALUE = 1\n", encoding="utf-8"
+    )
+
+    staged_hook = (
+        staged_package_directory
+        / "hooks"
+        / "blocking"
+        / "code_verifier_spawn_preflight_gate.py"
+    )
+    payload = write_agent_payload("general-purpose", "unrelated work", tmp_path)
+    completed = subprocess.run(
+        [sys.executable, str(staged_hook)],
+        check=False,
+        input=payload,
+        capture_output=True,
+        text=True,
+        cwd=str(tmp_path),
+        timeout=120,
+    )
+
+    assert "ModuleNotFoundError" not in completed.stderr
+    assert completed.returncode == 0

package/hooks/blocking/test_docstring_rule_gate_count_blocker.py

@@ -0,0 +1,203 @@
+"""Tests for docstring_rule_gate_count_blocker hook."""
+
+import json
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
+
+from docstring_rule_gate_count_blocker import (
+    find_gate_count_drift,
+    is_target_rule_file,
+)
+
+from hooks_constants.docstring_rule_gate_count_blocker_constants import (
+    GATE_COUNT_SYSTEM_MESSAGE,
+    TARGET_RULE_BASENAME,
+)
+
+HOOK_SCRIPT_PATH = os.path.join(os.path.dirname(__file__), "docstring_rule_gate_count_blocker.py")
+
+IN_STEP_RULE_TEXT = (
+    "The gate validator `check_docstring_args_match_signature` covers the Args "
+    "section parameter names. Four more gate validators each cover one "
+    "deterministic slice of the free-form prose. `check_docstring_fallback_branch_coverage` "
+    "covers a fallback. `check_class_docstring_names_public_methods` covers a "
+    "class. `check_docstring_no_consumer_claim` covers a producer. "
+    "`check_docstring_unguarded_malformed_payload_claim` covers a malformed "
+    "payload. The audit lane covers everything outside the five gated slices.\n"
+)
+
+STALE_FREE_FORM_COUNT_RULE_TEXT = (
+    "The gate validator `check_docstring_args_match_signature` covers the Args "
+    "section parameter names. Three more gate validators each cover one "
+    "deterministic slice of the free-form prose. `check_docstring_fallback_branch_coverage` "
+    "covers a fallback. `check_class_docstring_names_public_methods` covers a "
+    "class. `check_docstring_no_consumer_claim` covers a producer. "
+    "`check_docstring_unguarded_malformed_payload_claim` covers a malformed "
+    "payload. The audit lane covers everything outside the four gated slices.\n"
+)
+
+THREE_VALIDATORS_IN_STEP_RULE_TEXT = (
+    "The gate validator `check_docstring_args_match_signature` covers the Args "
+    "section parameter names. Three more gate validators each cover one "
+    "deterministic slice of the free-form prose. `check_docstring_fallback_branch_coverage` "
+    "covers a fallback. `check_class_docstring_names_public_methods` covers a "
+    "class. `check_docstring_no_consumer_claim` covers a producer. The audit lane "
+    "covers everything outside the four gated slices.\n"
+)
+
+FENCED_COUNT_CLAUSE_RULE_TEXT = (
+    "This rule names no live count outside a fence.\n\n"
+    "```\n"
+    "Three more gate validators each cover a slice: "
+    "`check_docstring_fallback_branch_coverage`, "
+    "`check_class_docstring_names_public_methods`. The four gated slices.\n"
+    "```\n"
+)
+
+NO_COUNT_CLAUSE_RULE_TEXT = (
+    "This rule prose names `check_docstring_fallback_branch_coverage` and "
+    "`check_class_docstring_names_public_methods` but states no spelled-out "
+    "gate count or gated-slice total.\n"
+)
+
+OUT_OF_WINDOW_VALIDATOR_RULE_TEXT = (
+    "The gate validator `check_docstring_args_match_signature` covers the Args "
+    "section parameter names. Three more gate validators each cover one "
+    "deterministic slice of the free-form prose. `check_docstring_fallback_branch_coverage` "
+    "covers a fallback. `check_class_docstring_names_public_methods` covers a "
+    "class. `check_docstring_no_consumer_claim` covers a producer. The audit lane "
+    "covers everything outside the four gated slices. The worked example below "
+    "also names `check_docstring_step_enumeration_dispatch_coverage`, which the "
+    "enforcement section discusses but the count clause does not enumerate.\n"
+)
+
+REVERSED_COUNT_CLAUSE_ORDER_RULE_TEXT = (
+    "The audit lane covers everything outside the five gated slices. "
+    "`check_docstring_fallback_branch_coverage` covers a fallback. "
+    "`check_class_docstring_names_public_methods` covers a class. Four more gate "
+    "validators each cover one deterministic slice of the free-form prose.\n"
+)
+
+
+class _RunHook:
+    """Helper to drive the hook via subprocess, mirroring the sibling test style."""
+
+    def __call__(self, tool_name: str, tool_input: dict) -> subprocess.CompletedProcess:
+        payload = json.dumps({"tool_name": tool_name, "tool_input": tool_input})
+        return subprocess.run(
+            [sys.executable, HOOK_SCRIPT_PATH],
+            input=payload,
+            capture_output=True,
+            text=True,
+            check=False,
+        )
+
+
+_run_hook = _RunHook()
+
+
+def _target_rule_path(tmp_path: Path) -> Path:
+    """Return a path inside *tmp_path* named after the guarded rule basename."""
+    return tmp_path / TARGET_RULE_BASENAME
+
+
+def should_flag_target_rule_basename() -> None:
+    assert is_target_rule_file("/somewhere/" + TARGET_RULE_BASENAME) is True
+
+
+def should_ignore_unrelated_markdown_file() -> None:
+    assert is_target_rule_file("/somewhere/other-rule.md") is False
+
+
+def should_report_no_drift_when_counts_match_named_validators() -> None:
+    assert find_gate_count_drift(IN_STEP_RULE_TEXT) == []
+
+
+def should_report_no_drift_for_three_validators_in_step() -> None:
+    assert find_gate_count_drift(THREE_VALIDATORS_IN_STEP_RULE_TEXT) == []
+
+
+def should_flag_stale_free_form_count_after_a_validator_is_added() -> None:
+    issues = find_gate_count_drift(STALE_FREE_FORM_COUNT_RULE_TEXT)
+    assert len(issues) == 2
+    assert any("Three more gate validators" in each_issue for each_issue in issues)
+    assert any("four gated slices" in each_issue for each_issue in issues)
+
+
+def should_ignore_count_clauses_inside_a_code_fence() -> None:
+    assert find_gate_count_drift(FENCED_COUNT_CLAUSE_RULE_TEXT) == []
+
+
+def should_report_no_drift_when_no_count_clause_is_present() -> None:
+    assert find_gate_count_drift(NO_COUNT_CLAUSE_RULE_TEXT) == []
+
+
+def should_exclude_validators_named_outside_the_enumeration_window() -> None:
+    assert find_gate_count_drift(OUT_OF_WINDOW_VALIDATOR_RULE_TEXT) == []
+
+
+def should_report_no_drift_when_count_clauses_appear_out_of_order() -> None:
+    assert find_gate_count_drift(REVERSED_COUNT_CLAUSE_ORDER_RULE_TEXT) == []
+
+
+def should_deny_a_write_with_a_stale_gate_count() -> None:
+    completed = _run_hook(
+        "Write",
+        {
+            "file_path": "/anywhere/" + TARGET_RULE_BASENAME,
+            "content": STALE_FREE_FORM_COUNT_RULE_TEXT,
+        },
+    )
+    parsed_output = json.loads(completed.stdout)
+    hook_specific = parsed_output["hookSpecificOutput"]
+    assert hook_specific["permissionDecision"] == "deny"
+    assert parsed_output["systemMessage"] == GATE_COUNT_SYSTEM_MESSAGE
+
+
+def should_allow_a_write_with_in_step_counts() -> None:
+    completed = _run_hook(
+        "Write",
+        {"file_path": "/anywhere/" + TARGET_RULE_BASENAME, "content": IN_STEP_RULE_TEXT},
+    )
+    assert completed.stdout.strip() == ""
+
+
+def should_allow_a_write_to_an_unrelated_markdown_file() -> None:
+    completed = _run_hook(
+        "Write",
+        {"file_path": "/anywhere/other-rule.md", "content": STALE_FREE_FORM_COUNT_RULE_TEXT},
+    )
+    assert completed.stdout.strip() == ""
+
+
+def should_deny_an_edit_that_makes_the_count_stale(tmp_path: Path) -> None:
+    rule_path = _target_rule_path(tmp_path)
+    rule_path.write_text(IN_STEP_RULE_TEXT, encoding="utf-8")
+    completed = _run_hook(
+        "Edit",
+        {
+            "file_path": str(rule_path),
+            "old_string": "Four more gate validators",
+            "new_string": "Three more gate validators",
+        },
+    )
+    parsed_output = json.loads(completed.stdout)
+    assert parsed_output["hookSpecificOutput"]["permissionDecision"] == "deny"
+
+
+def should_allow_an_edit_that_keeps_the_count_in_step(tmp_path: Path) -> None:
+    rule_path = _target_rule_path(tmp_path)
+    rule_path.write_text(IN_STEP_RULE_TEXT, encoding="utf-8")
+    completed = _run_hook(
+        "Edit",
+        {
+            "file_path": str(rule_path),
+            "old_string": "covers a malformed payload.",
+            "new_string": "covers a malformed payload case.",
+        },
+    )
+    assert completed.stdout.strip() == ""

package/hooks/blocking/test_duplicate_rmtree_helper_blocker.py

@@ -0,0 +1,328 @@
+"""Unit tests for duplicate_rmtree_helper_blocker PreToolUse hook."""
+
+import importlib.util
+import io
+import json
+import pathlib
+import sys
+from contextlib import redirect_stderr, redirect_stdout
+
+_HOOK_DIR = pathlib.Path(__file__).parent
+if str(_HOOK_DIR) not in sys.path:
+    sys.path.insert(0, str(_HOOK_DIR))
+_HOOKS_ROOT = _HOOK_DIR.parent
+if str(_HOOKS_ROOT) not in sys.path:
+    sys.path.insert(0, str(_HOOKS_ROOT))
+
+hook_spec = importlib.util.spec_from_file_location(
+    "duplicate_rmtree_helper_blocker",
+    _HOOK_DIR / "duplicate_rmtree_helper_blocker.py",
+)
+assert hook_spec is not None
+assert hook_spec.loader is not None
+hook_module = importlib.util.module_from_spec(hook_spec)
+hook_spec.loader.exec_module(hook_module)
+
+payload_defines_sanctioned_helper = hook_module.payload_defines_sanctioned_helper
+path_is_exempt = hook_module.path_is_exempt
+extract_payload_text = hook_module.extract_payload_text
+
+COPIED_TRIO = (
+    "def _strip_read_only_and_retry(removal_function, target_path, *_exc_info):\n"
+    "    try:\n"
+    "        os.chmod(target_path, stat.S_IWRITE)\n"
+    "        removal_function(target_path)\n"
+    "    except OSError:\n"
+    "        pass\n\n\n"
+    "_rmtree_supports_onexc = 'onexc' in inspect.signature(shutil.rmtree).parameters\n\n\n"
+    "def _force_remove_tree(target_path):\n"
+    "    if _rmtree_supports_onexc:\n"
+    "        shutil.rmtree(target_path, onexc=_strip_read_only_and_retry)\n"
+)
+
+
+def test_detects_strip_read_only_definition() -> None:
+    assert payload_defines_sanctioned_helper(
+        "def _strip_read_only_and_retry(removal_function, target_path, *_exc_info):\n    pass"
+    )
+
+
+def test_detects_force_remove_tree_definition() -> None:
+    assert payload_defines_sanctioned_helper(
+        "def _force_remove_tree(target_path: Path) -> None:\n    pass"
+    )
+
+
+def test_detects_force_rmtree_definition() -> None:
+    assert payload_defines_sanctioned_helper(
+        "def force_rmtree(target_path: str) -> None:\n    pass"
+    )
+
+
+def test_detects_indented_method_definition() -> None:
+    assert payload_defines_sanctioned_helper(
+        "class FileTools:\n    def _strip_read_only_and_retry(self, fn, path):\n        pass"
+    )
+
+
+def test_detects_copied_trio_block() -> None:
+    assert payload_defines_sanctioned_helper(COPIED_TRIO)
+
+
+def test_allows_import_of_shared_helper() -> None:
+    assert not payload_defines_sanctioned_helper(
+        "from shared_utils.web_automation.utils.windows_filesystem import force_rmtree"
+    )
+
+
+def test_allows_call_site_without_definition() -> None:
+    assert not payload_defines_sanctioned_helper("force_rmtree(staging_directory)")
+
+
+def test_allows_helper_name_inside_string_literal() -> None:
+    corrective_message = (
+        '    "    def _strip_read_only_and_retry(removal_function, target_path):\\n"'
+    )
+    assert not payload_defines_sanctioned_helper(corrective_message)
+
+
+def test_allows_helper_definition_inside_triple_quoted_string() -> None:
+    documentation_snippet = (
+        'EXAMPLE = """\\\n'
+        'def _strip_read_only_and_retry(removal_function, target_path, *_exc_info):\n'
+        '    pass\n'
+        '"""\n'
+    )
+    assert not payload_defines_sanctioned_helper(documentation_snippet)
+
+
+def test_allows_force_rmtree_definition_inside_triple_quoted_string() -> None:
+    documentation_snippet = (
+        "snippet = '''\n"
+        "def force_rmtree(target_path: str) -> None:\n"
+        "    pass\n"
+        "'''\n"
+    )
+    assert not payload_defines_sanctioned_helper(documentation_snippet)
+
+
+def test_detects_real_definition_following_triple_quoted_docstring() -> None:
+    module_text = (
+        '"""Module docstring."""\n'
+        'def force_rmtree(target_path: str) -> None:\n'
+        '    pass\n'
+    )
+    assert payload_defines_sanctioned_helper(module_text)
+
+
+def test_detects_real_definition_between_two_triple_quoted_strings() -> None:
+    module_text = (
+        '"""Leading docstring."""\n'
+        'def _force_remove_tree(target_path: str) -> None:\n'
+        '    pass\n'
+        '"""Trailing docstring."""\n'
+    )
+    assert payload_defines_sanctioned_helper(module_text)
+
+
+def test_allows_unrelated_definition() -> None:
+    assert not payload_defines_sanctioned_helper("def categorize_and_move(theme_folder):\n    pass")
+
+
+def test_path_exempts_blocker_source() -> None:
+    assert path_is_exempt("packages/x/hooks/blocking/windows_rmtree_blocker.py")
+    assert path_is_exempt("packages/x/hooks/blocking/duplicate_rmtree_helper_blocker.py")
+
+
+def test_path_exempts_shared_helper_module() -> None:
+    assert path_is_exempt("shared_utils/web_automation/utils/windows_filesystem.py")
+
+
+def test_path_exempts_existing_session_env_cleanup_definition_site() -> None:
+    assert path_is_exempt("packages/claude-dev-env/hooks/session/session_env_cleanup.py")
+
+
+def test_path_exempts_existing_md_to_html_test_support_definition_site() -> None:
+    assert path_is_exempt(
+        "packages/claude-dev-env/hooks/blocking/_md_to_html_blocker_test_support.py"
+    )
+
+
+def test_path_exempts_existing_teardown_worktrees_definition_site() -> None:
+    assert path_is_exempt(
+        "packages/claude-dev-env/skills/_shared/pr-loop/scripts/teardown_worktrees.py"
+    )
+
+
+def test_main_allows_full_file_write_of_existing_definition_site() -> None:
+    stdout_text, exit_code = _run_hook(
+        {
+            "tool_name": "Write",
+            "tool_input": {
+                "file_path": "packages/claude-dev-env/hooks/session/session_env_cleanup.py",
+                "content": COPIED_TRIO,
+            },
+        }
+    )
+    assert exit_code == 0
+    assert stdout_text == ""
+
+
+def test_path_exempts_test_file_prefix() -> None:
+    assert path_is_exempt("hooks/blocking/test_duplicate_rmtree_helper_blocker.py")
+
+
+def test_path_exempts_test_file_suffix() -> None:
+    assert path_is_exempt("shared_utils/something_test.py")
+
+
+def test_path_does_not_exempt_production_module() -> None:
+    assert not path_is_exempt(
+        "shared_utils/samsung_utils/cert_failure_processor/failure_categorizer.py"
+    )
+
+
+def test_path_does_not_exempt_filename_containing_exempt_fragment() -> None:
+    assert not path_is_exempt("packages/x/not_windows_filesystem.py")
+    assert not path_is_exempt("packages/x/my_windows_filesystem.py")
+
+
+def test_path_does_not_exempt_backslash_path_with_containing_fragment() -> None:
+    assert not path_is_exempt("packages\\x\\not_windows_filesystem.py")
+
+
+def test_extract_payload_text_reads_write_content() -> None:
+    extracted = extract_payload_text("Write", {"file_path": "foo.py", "content": "abc"})
+    assert extracted == ("foo.py", "abc")
+
+
+def test_extract_payload_text_reads_edit_new_string() -> None:
+    extracted = extract_payload_text("Edit", {"file_path": "foo.py", "new_string": "abc"})
+    assert extracted == ("foo.py", "abc")
+
+
+def test_extract_payload_text_returns_empty_for_non_python_file() -> None:
+    extracted = extract_payload_text("Write", {"file_path": "notes.md", "content": COPIED_TRIO})
+    assert extracted == ("notes.md", "")
+
+
+def test_extract_payload_text_returns_empty_for_unknown_tool() -> None:
+    extracted = extract_payload_text("Read", {"file_path": "foo.py"})
+    assert extracted == ("", "")
+
+
+def _run_hook_with_stdin_text(stdin_text: str) -> tuple[str, str, int]:
+    captured_stdout = io.StringIO()
+    captured_stderr = io.StringIO()
+    exit_code = 0
+    sys.stdin = io.StringIO(stdin_text)
+    try:
+        with redirect_stdout(captured_stdout), redirect_stderr(captured_stderr):
+            try:
+                hook_module.main()
+            except SystemExit as exit_signal:
+                raw_exit_code = exit_signal.code
+                exit_code = raw_exit_code if isinstance(raw_exit_code, int) else 0
+    finally:
+        sys.stdin = sys.__stdin__
+    return captured_stdout.getvalue(), captured_stderr.getvalue(), exit_code
+
+
+def _run_hook(hook_input: dict) -> tuple[str, int]:
+    stdout_text, _stderr_text, exit_code = _run_hook_with_stdin_text(json.dumps(hook_input))
+    return stdout_text, exit_code
+
+
+def test_main_blocks_local_trio_copy_in_production_module() -> None:
+    stdout_text, exit_code = _run_hook(
+        {
+            "tool_name": "Write",
+            "tool_input": {
+                "file_path": (
+                    "shared_utils/samsung_utils/cert_failure_processor/failure_categorizer.py"
+                ),
+                "content": COPIED_TRIO,
+            },
+        }
+    )
+    assert exit_code == 0
+    response_payload = json.loads(stdout_text)
+    decision_block = response_payload["hookSpecificOutput"]
+    assert decision_block["permissionDecision"] == "deny"
+    assert "duplicate-rmtree-helper" in decision_block["permissionDecisionReason"]
+
+
+def test_main_allows_import_of_shared_helper() -> None:
+    stdout_text, exit_code = _run_hook(
+        {
+            "tool_name": "Write",
+            "tool_input": {
+                "file_path": "shared_utils/samsung_utils/cleanup.py",
+                "content": (
+                    "from shared_utils.web_automation.utils.windows_filesystem import "
+                    "force_rmtree\n\nforce_rmtree(path)\n"
+                ),
+            },
+        }
+    )
+    assert exit_code == 0
+    assert stdout_text == ""
+
+
+def test_main_allows_definition_in_shared_helper_module() -> None:
+    stdout_text, exit_code = _run_hook(
+        {
+            "tool_name": "Write",
+            "tool_input": {
+                "file_path": "shared_utils/web_automation/utils/windows_filesystem.py",
+                "content": COPIED_TRIO,
+            },
+        }
+    )
+    assert exit_code == 0
+    assert stdout_text == ""
+
+
+def test_main_allows_definition_in_test_file() -> None:
+    stdout_text, exit_code = _run_hook(
+        {
+            "tool_name": "Write",
+            "tool_input": {
+                "file_path": "shared_utils/test_windows_filesystem.py",
+                "content": COPIED_TRIO,
+            },
+        }
+    )
+    assert exit_code == 0
+    assert stdout_text == ""
+
+
+def test_main_passes_through_non_python_file() -> None:
+    stdout_text, exit_code = _run_hook(
+        {
+            "tool_name": "Write",
+            "tool_input": {"file_path": "docs/cleanup.md", "content": COPIED_TRIO},
+        }
+    )
+    assert exit_code == 0
+    assert stdout_text == ""
+
+
+def test_main_passes_through_unrelated_tool() -> None:
+    stdout_text, exit_code = _run_hook({"tool_name": "Read", "tool_input": {"file_path": "foo.py"}})
+    assert exit_code == 0
+    assert stdout_text == ""
+
+
+def test_main_with_empty_stdin_exits_silently() -> None:
+    stdout_text, stderr_text, exit_code = _run_hook_with_stdin_text("")
+    assert exit_code == 0
+    assert stdout_text == ""
+    assert stderr_text == ""
+
+
+def test_main_with_invalid_json_stdin_exits_silently() -> None:
+    stdout_text, stderr_text, exit_code = _run_hook_with_stdin_text("{broken")
+    assert exit_code == 0
+    assert stdout_text == ""
+    assert stderr_text == ""

package/hooks/blocking/test_hedging_language_blocker.py

@@ -17,6 +17,12 @@ if _HOOKS_ROOT not in sys.path:
     sys.path.insert(0, _HOOKS_ROOT)
 import hedging_language_blocker
 from hooks_constants.messages import USER_FACING_NOTICE
+from hooks_constants.text_stripping import strip_code_and_quotes
+
+
+def test_blocker_uses_shared_strip_code_and_quotes() -> None:
+    assert hedging_language_blocker.strip_code_and_quotes is strip_code_and_quotes
+
 
 RESEARCH_MODE_SKILL_BODY_MARKER = "Three anti-hallucination constraints are ALWAYS active."
 HEDGING_MESSAGE = "This is likely correct."

package/hooks/blocking/test_hook_block_logger_coverage.py

@@ -0,0 +1,53 @@
+"""Meta-test: every blocking hook must call log_hook_block at its block site.
+
+Discovers every .py under hooks/ whose source contains a block-emit pattern
+(``"permissionDecision": "deny"`` or ``"decision": "block"``), excludes test
+files and the logger module itself, then asserts each one imports and calls
+``log_hook_block(``.
+"""
+
+from __future__ import annotations
+
+import re
+from pathlib import Path
+
+_HOOKS_ROOT = Path(__file__).resolve().parent.parent
+
+_DENY_PATTERN = re.compile(r'"permissionDecision":\s*"deny"')
+_BLOCK_PATTERN = re.compile(r'"decision":\s*"block"')
+_LOG_CALL_PATTERN = re.compile(r"\blog_hook_block\(")
+
+_LOGGER_MODULE_NAME = "hook_block_logger.py"
+
+
+def _is_test_file(path: Path) -> bool:
+    return path.name.startswith("test_") or path.name.endswith("_test.py")
+
+
+def _discover_blocking_hook_paths() -> list[Path]:
+    all_blocking_hook_paths: list[Path] = []
+    for each_py_file in _HOOKS_ROOT.rglob("*.py"):
+        if _is_test_file(each_py_file):
+            continue
+        if each_py_file.name == _LOGGER_MODULE_NAME:
+            continue
+        source = each_py_file.read_text(encoding="utf-8", errors="replace")
+        if _DENY_PATTERN.search(source) or _BLOCK_PATTERN.search(source):
+            all_blocking_hook_paths.append(each_py_file)
+    return sorted(all_blocking_hook_paths)
+
+
+def test_every_blocking_hook_calls_log_hook_block() -> None:
+    all_blocking_hooks = _discover_blocking_hook_paths()
+    assert all_blocking_hooks, "No blocking hooks discovered — check _HOOKS_ROOT path"
+
+    all_uninstrumented_hooks: list[str] = []
+    for each_hook_path in all_blocking_hooks:
+        source = each_hook_path.read_text(encoding="utf-8", errors="replace")
+        if not _LOG_CALL_PATTERN.search(source):
+            all_uninstrumented_hooks.append(str(each_hook_path.relative_to(_HOOKS_ROOT)))
+
+    assert not all_uninstrumented_hooks, (
+        f"{len(all_uninstrumented_hooks)} blocking hook(s) missing log_hook_block call:\n"
+        + "\n".join(f"  - {each_path}" for each_path in all_uninstrumented_hooks)
+    )

package/hooks/blocking/test_intent_only_ending_blocker.py

@@ -16,6 +16,11 @@ if _HOOKS_ROOT not in sys.path:
     sys.path.insert(0, _HOOKS_ROOT)
 import intent_only_ending_blocker
 from hooks_constants.messages import USER_FACING_INTENT_ENDING_NOTICE
+from hooks_constants.text_stripping import strip_code_and_quotes
+
+def test_blocker_uses_shared_strip_code_and_quotes() -> None:
+    assert intent_only_ending_blocker.strip_code_and_quotes is strip_code_and_quotes
+
 
 INTENT_ENDING_MESSAGE = "I'll now run the test suite and fix any failures that come up."
 NEXT_STEPS_MESSAGE = "Next steps:"