claude-git-hooks 2.66.1 → 2.68.0

package/lib/utils/skill-registry/runner.js

@@ -0,0 +1,265 @@
+/**
+ * File: skill-registry/runner.js
+ * Purpose: Run the parsed skill-registry's Verify patterns against a set of
+ *          staged files. Returns structured findings the pre-commit hook
+ *          can surface alongside (or instead of) AI analysis.
+ *
+ * Design:
+ *   - Inputs: array of rules from parser.js + array of staged absolute file paths.
+ *   - For each staged file:
+ *       1. Read its content.
+ *       2. Pick the rules whose scope matches the file's language (backend
+ *          rules for .java, frontend for .jsx/.tsx/.js/.css, SQL rules for
+ *          .sql — eventually; for now we map by scope tag).
+ *       3. For each rule with an extractable regex from its Verify command,
+ *          search the file and emit findings with line numbers.
+ *   - Returns: { totalFindings, byFile: { path → [findings] }, bySeverity: {…} }
+ *
+ * NOT done here:
+ *   - File-level greps (e.g. "files that DON'T contain X" / inverted verifies):
+ *     those need a different model (whole-repo audit, not pre-commit).
+ *   - Cross-file dependencies (verifies that pipe through xargs).
+ *   - The deny-list / allow-list around which rules block vs warn — caller
+ *     decides via the severity field on each rule.
+ */
+
+import { readFileSync } from 'fs';
+import { extname } from 'path';
+import { SCOPE_BY_EXT } from './parser.js';
+
+/**
+ * Run all applicable rules against a set of staged files.
+ * @param {Array<object>} rules - From parser.loadRegistry().rules
+ * @param {Array<string>} stagedAbsPaths - Absolute file paths
+ * @param {object} [options]
+ * @param {string} [options.repoRoot] - For displaying relative paths in output
+ * @returns {{ totalFindings: number, findings: Array, byFile: object, bySeverity: object }}
+ */
+export function runRules(rules, stagedAbsPaths, options = {}) {
+    const repoRoot = options.repoRoot || '';
+    const findings = [];
+
+    // Precompile each rule's matchers once.
+    const compiled = compileRules(rules);
+
+    for (const absPath of stagedAbsPaths) {
+        const ext = extname(absPath).toLowerCase();
+        const scope = SCOPE_BY_EXT[ext];
+        if (!scope) continue;
+
+        // Skip binary / very large files defensively.
+        let content;
+        try {
+            content = readFileSync(absPath, 'utf8');
+            if (content.length > 1_000_000) continue; // 1MB cap
+        } catch {
+            continue;
+        }
+
+        const applicable = compiled.filter((r) => r.scope === scope);
+        if (applicable.length === 0) continue;
+
+        const lines = content.split('\n');
+        for (const rule of applicable) {
+            for (const matcher of rule.matchers) {
+                // Try matching each line; collect line numbers.
+                for (let i = 0; i < lines.length; i++) {
+                    const line = lines[i];
+                    if (matcher.exclude && matcher.exclude.test(line)) continue;
+                    if (matcher.regex.test(line)) {
+                        // Reset lastIndex for global regexes; we only need the first hit per line.
+                        matcher.regex.lastIndex = 0;
+                        findings.push({
+                            ruleId: rule.id,
+                            severity: rule.severity,
+                            title: rule.title,
+                            scope: rule.scope,
+                            file: repoRoot ? relativizePath(absPath, repoRoot) : absPath,
+                            absPath,
+                            line: i + 1,
+                            lineText: line.trim().slice(0, 200),
+                            // Lightweight pointer back to the registry entry for the UI.
+                            registryRef: `${rule.scope}/improvement-registry.md → ${rule.id}`,
+                        });
+                    } else {
+                        matcher.regex.lastIndex = 0;
+                    }
+                }
+            }
+        }
+    }
+
+    return summarize(findings);
+}
+
+/**
+ * Convert each rule's verify commands into JS RegExp matchers we can run
+ * line-by-line. Rules where the verify can't be extracted are skipped (they
+ * remain in the registry for other features like `lookup`).
+ */
+function compileRules(rules) {
+    const out = [];
+    for (const rule of rules) {
+        const matchers = [];
+        for (const v of rule.verifies) {
+            const m = extractMatcher(v.command);
+            if (m) matchers.push(m);
+        }
+        if (matchers.length > 0) {
+            out.push({
+                id: rule.id,
+                severity: rule.severity,
+                title: rule.title,
+                scope: rule.scope,
+                matchers,
+            });
+        }
+    }
+    return out;
+}
+
+/**
+ * Extract a regex + optional exclude regex from a Verify grep command.
+ *
+ * Supported shapes (covers ~50 of the 95 current registry entries):
+ *   grep -rn "PATTERN" path
+ *   grep -rEn "REGEX" path
+ *   grep -rn "PATTERN" path --include=*.ext
+ *   grep -rn "PATTERN" path | grep -v "EXCLUDE"
+ *   grep -rEn "REGEX1" path | grep -E "REGEX2"          (we treat the pipe as AND)
+ *   rg "PATTERN" path
+ *
+ * Returns { regex, exclude } or null if the command doesn't fit the supported shapes.
+ */
+function extractMatcher(command) {
+    if (!command) return null;
+
+    // Strip quoted strings before checking for shell control characters —
+    // a literal `;` inside the grep regex (e.g. `^import .*\.\*;`) must
+    // not trip our reject heuristic.
+    const outsideQuotes = command
+        .replace(/"[^"]*"/g, '"_"')
+        .replace(/'[^']*'/g, "'_'");
+
+    if (/xargs/.test(outsideQuotes)) return null;
+    // Shell control outside quotes (||, &&, ;, $(), backticks for command sub) → file-level / audit-style.
+    if (/\|\||&&|;|\$\(|`/.test(outsideQuotes)) return null;
+    if (/\s\|\s/.test(outsideQuotes) && !/\|\s+grep/.test(outsideQuotes)) return null;
+
+    // Split on the (optional) `| grep` pipe. We support: first grep matches,
+    // pipe-through grep further filters (positive or `-v` excludes).
+    const segments = command.split(/\s\|\s/).map((s) => s.trim());
+    const primary = segments[0];
+
+    const tokens = tokenizeGrepInvocation(primary);
+    if (!tokens) return null;
+
+    // Reject FILE-LEVEL grep modes (list filenames only) — those are
+    // whole-repo audits, not line-level pre-commit checks.
+    // -l → list matching filenames only
+    // -L → list NON-matching filenames only (inverted file presence)
+    // We accept `-ln`/`-rln`/`-Ln` because `n` is line numbers (still file-level).
+    if (tokens.flags.includes('l') || tokens.flags.includes('L')) return null;
+
+    const isExtended = tokens.flags.includes('E');
+    let pattern;
+    try {
+        pattern = isExtended ? tokens.pattern : escapeForRegex(tokens.pattern);
+    } catch {
+        return null;
+    }
+
+    let regex;
+    try {
+        regex = new RegExp(pattern);
+    } catch {
+        return null;
+    }
+
+    // Optional exclude from a `| grep -v "X"` follow-up.
+    let exclude = null;
+    for (const seg of segments.slice(1)) {
+        const t = tokenizeGrepInvocation(seg);
+        if (!t) continue;
+        if (t.flags.includes('v')) {
+            try {
+                const excPat = t.flags.includes('E') ? t.pattern : escapeForRegex(t.pattern);
+                exclude = new RegExp(excPat);
+            } catch {
+                /* leave exclude null */
+            }
+        }
+        // Non-inverted secondary grep == narrowing AND. We could AND it with
+        // primary but in practice the registry uses this for file-list filtering
+        // (e.g. JBE-004 piping into `grep -A 1`), which is whole-file context
+        // not single-line. Conservative: skip.
+    }
+
+    return { regex, exclude };
+}
+
+/**
+ * Tokenize a single `grep ...` invocation into { flags, pattern, paths }.
+ *
+ * The pattern is the FIRST positional argument after the flags.
+ * Patterns may be quoted with " or ' or backticks; flags can be combined or split.
+ *
+ * Returns null if we can't recognise the shape (in which case the rule's
+ * verify just doesn't fire — silently skipped).
+ */
+function tokenizeGrepInvocation(s) {
+    const trimmed = s.trim();
+    // Must start with grep / rg / git grep
+    let rest;
+    if (/^grep\s/.test(trimmed)) rest = trimmed.slice(5).trim();
+    else if (/^rg\s/.test(trimmed)) rest = trimmed.slice(3).trim();
+    else if (/^git\s+grep\s/.test(trimmed)) rest = trimmed.replace(/^git\s+grep\s/, '').trim();
+    else return null;
+
+    const flags = [];
+    while (rest.startsWith('-')) {
+        // Stop at '--' (separator)
+        if (rest.startsWith('-- ')) {
+            rest = rest.slice(3).trim();
+            break;
+        }
+        const m = rest.match(/^-(-?)([A-Za-z]+)(=(\S+))?\s*/);
+        if (!m) break;
+        const isLong = m[1] === '-';
+        if (isLong) {
+            flags.push(m[2]);
+        } else {
+            for (const ch of m[2]) flags.push(ch);
+        }
+        rest = rest.slice(m[0].length);
+    }
+
+    // First positional: the pattern. Strip surrounding quotes if any.
+    const patMatch = rest.match(/^("([^"]*)"|'([^']*)'|(\S+))/);
+    if (!patMatch) return null;
+    const pattern = patMatch[2] ?? patMatch[3] ?? patMatch[4];
+
+    return { flags, pattern };
+}
+
+function escapeForRegex(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+function relativizePath(abs, root) {
+    const r = root.replace(/[\\/]+$/, '');
+    if (abs.startsWith(r)) {
+        return abs.slice(r.length + 1).replace(/\\/g, '/');
+    }
+    return abs.replace(/\\/g, '/');
+}
+
+function summarize(findings) {
+    const byFile = {};
+    const bySeverity = { critical: 0, high: 0, medium: 0, low: 0, unknown: 0 };
+    for (const f of findings) {
+        (byFile[f.file] ||= []).push(f);
+        bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
+    }
+    return { totalFindings: findings.length, findings, byFile, bySeverity };
+}

package/lib/utils/version-manager.js

@@ -247,15 +247,21 @@ export function discoverVersionFiles(options = {}) {
             for (const fileType of fileTypes) {
                 const registry = VERSION_FILE_TYPES[fileType];
                 if (registry && entry.name === registry.filename) {
-                    const version = registry.readVersion(fullPath);
-                    const isSemver = version !== null && validateVersionFormat(version);
+                    const rawVersion = registry.readVersion(fullPath);
+                    const version = rawVersion !== null && validateVersionFormat(rawVersion) ? rawVersion : null;
+                    if (rawVersion !== null && version === null) {
+                        logger.debug('version-manager - discoverVersionFiles', 'Non-semver version skipped', {
+                            relativePath: path.relative(repoRoot, fullPath),
+                            rawVersion
+                        });
+                    }
                     const descriptor = {
                         path: fullPath,
                         relativePath: path.relative(repoRoot, fullPath),
                         type: fileType,
                         projectLabel: registry.projectLabel,
                         version,
-                        selected: isSemver
+                        selected: version !== null
                     };
                     discoveredFiles.push(descriptor);
                     logger.debug('version-manager - discoverVersionFiles', 'Found version file', {

package/package.json

@@ -1,85 +1,84 @@
-{
-    "name": "claude-git-hooks",
-    "version": "2.66.1",
-    "description": "Git hooks with Claude CLI for code analysis and automatic commit messages",
-    "type": "module",
-    "bin": {
-        "claude-hooks": "./bin/claude-hooks"
-    },
-    "scripts": {
-        "test": "npm run test:all",
-        "test:all": "npm run lint && npm run test:smoke && npm run test:unit && npm run test:integration",
-        "test:smoke": "node --experimental-vm-modules node_modules/jest/bin/jest.js test/smoke --maxWorkers=1",
-        "test:unit": "node --experimental-vm-modules node_modules/jest/bin/jest.js test/unit --forceExit",
-        "test:integration": "node --experimental-vm-modules node_modules/jest/bin/jest.js test/integration --maxWorkers=1 --testTimeout=30000 --forceExit",
-        "test:integration:ci": "node --experimental-vm-modules node_modules/jest/bin/jest.js test/integration/ci-safe.test.js --maxWorkers=1 --testTimeout=30000 --forceExit",
-        "test:changed": "node --experimental-vm-modules node_modules/jest/bin/jest.js test/unit --changedSince=main --forceExit",
-        "test:watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --watch",
-        "test:coverage": "node --experimental-vm-modules node_modules/jest/bin/jest.js --coverage",
-        "test:e2e": "bash test/manual/sdlc-stability-check.sh",
-        "test:full": "npm run test:all && npm run test:e2e",
-        "lint": "eslint lib/ bin/claude-hooks .library/librarian/",
-        "lint:fix": "eslint lib/ bin/claude-hooks .library/librarian/ --fix",
-        "format": "prettier --write \"lib/**/*.js\" \"bin/**\" \"test/**/*.js\"",
-        "precommit": "npm run lint && npm run test:smoke",
-        "prepublishOnly": "npm run test:all",
-        "library:check": "node .library/bin/library check",
-        "library:regenerate": "node .library/bin/library regenerate",
-        "library:extract": "node .library/bin/library extract",
-        "library:tokens": "node .library/bin/library tokens",
-        "library:graph": "node .library/bin/library graph",
-        "library:inject": "node .library/bin/library inject",
-        "library:validate": "node .library/bin/library validate",
-        "library:report": "node .library/bin/library report"
-    },
-    "keywords": [
-        "git",
-        "hooks",
-        "claude",
-        "ai",
-        "code-review",
-        "commit-messages",
-        "pre-commit",
-        "automation"
-    ],
-    "author": "Pablo Rovito",
-    "license": "MIT",
-    "repository": {
-        "type": "git",
-        "url": "https://github.com/mscope-S-L/git-hooks.git"
-    },
-    "engines": {
-        "node": ">=16.9.0"
-    },
-    "engineStrict": false,
-    "os": [
-        "darwin",
-        "linux",
-        "win32"
-    ],
-    "preferGlobal": true,
-    "files": [
-        "bin/",
-        "lib/",
-        "templates/",
-        "README.md",
-        "CHANGELOG.md",
-        "CLAUDE.md",
-        "LICENSE"
-    ],
-    "dependencies": {
-        "@anthropic-ai/sdk": "^0.91.0",
-        "@octokit/rest": "^21.0.0",
-        "langfuse": "^3.38.20"
-    },
-    "devDependencies": {
-        "@types/jest": "^29.5.0",
-        "eslint": "^8.57.1",
-        "jest": "^29.7.0",
-        "js-tiktoken": "^1.0.18",
-        "madge": "^8.0.0",
-        "prettier": "^3.2.0",
-        "tree-sitter-wasms": "^0.1.13",
-        "web-tree-sitter": "^0.24.7"
-    }
-}
+{
+    "name": "claude-git-hooks",
+    "version": "2.68.0",
+    "description": "Git hooks with Claude CLI for code analysis and automatic commit messages",
+    "type": "module",
+    "bin": {
+        "claude-hooks": "./bin/claude-hooks"
+    },
+    "scripts": {
+        "test": "npm run test:all",
+        "test:all": "npm run lint && npm run test:smoke && npm run test:unit && npm run test:integration",
+        "test:smoke": "node --experimental-vm-modules node_modules/jest/bin/jest.js test/smoke --maxWorkers=1",
+        "test:unit": "node --experimental-vm-modules node_modules/jest/bin/jest.js test/unit --forceExit",
+        "test:integration": "node --experimental-vm-modules node_modules/jest/bin/jest.js test/integration --maxWorkers=1 --testTimeout=30000 --forceExit",
+        "test:integration:ci": "node --experimental-vm-modules node_modules/jest/bin/jest.js test/integration/ci-safe.test.js --maxWorkers=1 --testTimeout=30000 --forceExit",
+        "test:changed": "node --experimental-vm-modules node_modules/jest/bin/jest.js test/unit --changedSince=main --forceExit",
+        "test:watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --watch",
+        "test:coverage": "node --experimental-vm-modules node_modules/jest/bin/jest.js --coverage",
+        "test:e2e": "bash test/manual/sdlc-stability-check.sh",
+        "lint": "eslint lib/ bin/claude-hooks .library/librarian/",
+        "lint:fix": "eslint lib/ bin/claude-hooks .library/librarian/ --fix",
+        "format": "prettier --write \"lib/**/*.js\" \"bin/**\" \"test/**/*.js\"",
+        "precommit": "npm run lint && npm run test:smoke",
+        "prepublishOnly": "npm run test:all",
+        "library:check": "node .library/bin/library check",
+        "library:regenerate": "node .library/bin/library regenerate",
+        "library:extract": "node .library/bin/library extract",
+        "library:tokens": "node .library/bin/library tokens",
+        "library:graph": "node .library/bin/library graph",
+        "library:inject": "node .library/bin/library inject",
+        "library:validate": "node .library/bin/library validate",
+        "library:report": "node .library/bin/library report"
+    },
+    "keywords": [
+        "git",
+        "hooks",
+        "claude",
+        "ai",
+        "code-review",
+        "commit-messages",
+        "pre-commit",
+        "automation"
+    ],
+    "author": "Pablo Rovito",
+    "license": "MIT",
+    "repository": {
+        "type": "git",
+        "url": "https://github.com/mscope-S-L/git-hooks.git"
+    },
+    "engines": {
+        "node": ">=16.9.0"
+    },
+    "engineStrict": false,
+    "os": [
+        "darwin",
+        "linux",
+        "win32"
+    ],
+    "preferGlobal": true,
+    "files": [
+        "bin/",
+        "lib/",
+        "templates/",
+        "README.md",
+        "CHANGELOG.md",
+        "CLAUDE.md",
+        "LICENSE"
+    ],
+    "dependencies": {
+        "@anthropic-ai/sdk": "^0.91.0",
+        "@octokit/rest": "^21.0.0",
+        "langfuse": "^3.38.20"
+    },
+    "devDependencies": {
+        "@types/jest": "^29.5.0",
+        "eslint": "^8.57.1",
+        "jest": "^29.7.0",
+        "js-tiktoken": "^1.0.18",
+        "madge": "^8.0.0",
+        "prettier": "^3.2.0",
+        "tree-sitter-wasms": "^0.1.13",
+        "web-tree-sitter": "^0.24.7"
+    }
+}

package/templates/CLAUDE_ANALYSIS_PROMPT.md

@@ -30,7 +30,7 @@ OUTPUT_SCHEMA:
     "line":int,
     "method":"name",
     "message":"desc",
-    "rule":"optional"
+    "rule":"JBE-NNN|UIK-NNN|STR-NNN|...|empty"
   }],
   "blockingIssues":[{
     "description":"text",
@@ -53,5 +53,6 @@ RULES:
 - ratings:A(0issues),B(1-2minor),C(1major|3-5minor),D(2+major|1critical),E(1+blocker|2+critical)
 - IMPORTANT: @Autowired usage in Spring is NOT a BLOCKER/CRITICAL issue (max severity: MAJOR)
 - Spring dependency injection patterns (@Autowired) should NOT block commits
+- RULE CATALOGUE: if a `=== PLATFORM ANTIPATTERN CATALOGUE ===` section is present in this prompt, classify each finding against it. When a finding matches a catalogue entry, populate `details[].rule` with the rule ID exactly (e.g. "JBE-001", "UIK-002"). The catalogue's severity is the MINIMUM to assign — don't downgrade. Findings that don't match any catalogue entry leave `rule` empty (those become candidate skill-gaps for the team to review separately).
 
 ANALYZE_BELOW:

package/templates/config.advanced.example.json

@@ -33,6 +33,12 @@
             "model": "opus"
         },
 
+        "skillRegistry": {
+            "enabled": true,
+            "blockOn": "never",
+            "resumeOnCreatePr": true
+        },
+
         "prAnalysis": {
             "model": "sonnet",
             "timeout": 300000,
@@ -55,6 +61,11 @@
             "failOnError": true,
             "failOnWarning": false,
             "timeout": 30000
+        },
+
+        "autoUpdate": {
+            "enabled": true,
+            "intervalHours": 24
         }
     },
 
@@ -90,6 +101,25 @@
             "use_case": "Override the default sonnet model for judge passes"
         },
 
+        "skillRegistry.enabled": {
+            "description": "Enable/disable the mscope automation-skills integration: deterministic rule checks in pre-commit, antipattern catalogue injection into the analysis prompt, and the skill-gap writer. NOTE the cross-repo side effect: when the sibling automation-skills repo is found, unclassified AI findings are appended as [skill-gap] candidates to that repo's skill-feedback.md (reviewed via `automation-skills retro`; never auto-merged into the registry).",
+            "default": "true",
+            "use_case": "Set to false to fully disable the skill-registry integration (it auto-skips anyway when the skill repo isn't found)"
+        },
+
+        "skillRegistry.blockOn": {
+            "description": "Severity threshold at which deterministic skill-registry findings block the commit",
+            "default": "never",
+            "examples": ["never", "critical", "high", "medium", "low"],
+            "use_case": "Set to 'critical' or 'high' once the team is ready to enforce the mscope rule catalogue"
+        },
+
+        "skillRegistry.resumeOnCreatePr": {
+            "description": "Run `automation-skills resume` (interactive lessons-learned capture to the skill repo's implementation-history.md) during create-pr, before tags are pushed. Skipped automatically in headless mode or when the automation-skills CLI is not installed.",
+            "default": "true",
+            "use_case": "Set to false if your team captures lessons through another channel"
+        },
+
         "prAnalysis.model": {
             "description": "Claude model for PR analysis",
             "default": "sonnet",
@@ -143,6 +173,18 @@
             "description": "Timeout in milliseconds for each linter execution",
             "default": "30000",
             "use_case": "Increase for large projects where linters take longer"
+        },
+
+        "autoUpdate.enabled": {
+            "description": "Enable the silent, throttled pre-command auto-update check. When a newer published version is detected before running a command, claude-git-hooks updates itself globally, reinstalls hooks (--force), and asks you to re-run your command. Excludes update/install/uninstall/help/version/migrate-config, and is skipped in --headless mode. The manual `claude-hooks update` command runs verbosely regardless of this setting.",
+            "default": "true",
+            "use_case": "Set to false to disable automatic background updates and rely only on `claude-hooks update`"
+        },
+
+        "autoUpdate.intervalHours": {
+            "description": "Minimum hours between pre-command auto-update checks. Throttle state is stored in .claude/.last-update-check (gitignored).",
+            "default": "24",
+            "use_case": "Lower it for faster propagation of releases, or raise it to reduce network checks"
         }
     },