claude-launchpad 1.10.0 → 1.10.1

package/README.md

@@ -70,7 +70,7 @@ The three-file split keeps each concern where it belongs:
 | `TASKS.md` | What we're doing now | Current sprint, session log (empty between sprints) |
 | `BACKLOG.md` | What we're doing later | WP-NNN template, 7 mandatory fields, P0/P1/P2/P3 sections |
 
-Init generates all three plus `.claude/rules/workflow.md` (path-scoped — auto-loads only when editing BACKLOG/TASKS) and a `workflow-check.sh` hook that warns on drift: duplicate WP IDs across files, TASKS.md > 80 lines, `## Current Sprint` > 15 items, `## Session Log` > 3 entries.
+Init generates all three plus `.claude/rules/workflow.md`, a path-scoped rule file Claude auto-loads only when editing BACKLOG.md or TASKS.md. It also installs a `workflow-check.sh` hook that warns on drift: duplicate WP IDs across files, TASKS.md > 80 lines, Current Sprint > 15 items, Session Log > 3 entries.
 
 Doctor flags MEDIUM when workflow.md is missing, LOW when the hook is missing, and MEDIUM on duplicate `## Memory` headings in CLAUDE.md. `--fix` installs or repairs any of them without clobbering existing user content. See the [workflow docs](https://mboss37.github.io/claude-launchpad/docs/workflow) for the full lifecycle.
 

package/dist/{chunk-5KQ2JDZN.js → chunk-3OFOCOXM.js}

@@ -32,15 +32,15 @@ async function readJsonOrNull(path) {
 }
 
 // src/lib/settings.ts
-import { readFile as readFile5, writeFile as writeFile5, mkdir as mkdir4 } from "fs/promises";
-import { join as join7 } from "path";
+import { readFile as readFile6, writeFile as writeFile5, mkdir as mkdir4 } from "fs/promises";
+import { join as join8 } from "path";
 
 // src/lib/output.ts
 import chalk from "chalk";
 
 // src/commands/doctor/fixer.ts
-import { readFile as readFile4, writeFile as writeFile4, mkdir as mkdir3, access as access2 } from "fs/promises";
-import { join as join6 } from "path";
+import { readFile as readFile5, writeFile as writeFile4, mkdir as mkdir3, access as access2 } from "fs/promises";
+import { join as join7 } from "path";
 import { homedir } from "os";
 
 // src/lib/sections.ts
@@ -714,6 +714,18 @@ async function addHookToSettings(root, event, dedupKeyword, entry, successMsg) {
   return true;
 }
 
+// src/lib/hook-input.ts
+function jqField(field, fromVar) {
+  if (fromVar) {
+    return `$(echo "$${fromVar}" | jq -r '.tool_input.${field} // empty' 2>/dev/null)`;
+  }
+  return `$(jq -r '.tool_input.${field} // empty' 2>/dev/null)`;
+}
+var ENV_VAR_PATTERN = /\$\{?TOOL_INPUT_(FILE_PATH|COMMAND|NEW_TEXT|CONTENT)/;
+function hasEnvVarHookPattern(commandString) {
+  return ENV_VAR_PATTERN.test(commandString);
+}
+
 // src/lib/hook-scripts.ts
 import { writeFile, mkdir, chmod } from "fs/promises";
 import { join as join2 } from "path";
@@ -757,7 +769,7 @@ var SPRINT_OPEN_CHECK = `#!/usr/bin/env bash
 # from CLAUDE.md was skipped. Non-blocking (always exits 0).
 
 set -u
-cmd="\${TOOL_INPUT_COMMAND:-}"
+cmd=$(jq -r '.tool_input.command // empty' 2>/dev/null)
 
 # Only act on \`git commit\`, word-boundary match.
 echo "$cmd" | grep -qE '(^|[^a-zA-Z0-9_-])git[[:space:]]+commit([[:space:]]|$)' || exit 0
@@ -797,7 +809,7 @@ var WORKFLOW_CHECK = `#!/usr/bin/env bash
 #   4. \\\`## Session Log\\\` has more than 3 entries.
 
 set -u
-fp="\${TOOL_INPUT_FILE_PATH:-}"
+fp=$(jq -r '.tool_input.file_path // empty' 2>/dev/null)
 
 # Only act on edits to BACKLOG.md or TASKS.md.
 echo "$fp" | grep -qE '(^|/)(BACKLOG|TASKS)\\.md$' || exit 0
@@ -893,7 +905,7 @@ async function addSprintCompleteNudge(root) {
     matcher: "Edit|Write",
     hooks: [{
       type: "command",
-      command: `echo "$TOOL_INPUT_FILE_PATH" | grep -q TASKS.md || exit 0; section=$(sed -n '/^## Current/,/^## /p' TASKS.md 2>/dev/null); [ -z "$section" ] && exit 0; unchecked=$(echo "$section" | grep -cF '- [ ]' || true); checked=$(echo "$section" | grep -cF '- [x]' || true); [ "$unchecked" -eq 0 ] && [ "$checked" -gt 0 ] && echo 'Sprint complete \u2014 all current tasks done. Consider a quick quality check before committing: scan for dead code, debug artifacts, TODO hacks, and convention violations. Run tests if available. Skip if trivial.'; exit 0`
+      command: `fp=${jqField("file_path")}; echo "$fp" | grep -q TASKS.md || exit 0; section=$(sed -n '/^## Current/,/^## /p' TASKS.md 2>/dev/null); [ -z "$section" ] && exit 0; unchecked=$(echo "$section" | grep -cF '- [ ]' || true); checked=$(echo "$section" | grep -cF '- [x]' || true); [ "$unchecked" -eq 0 ] && [ "$checked" -gt 0 ] && echo 'Sprint complete \u2014 all current tasks done. Consider a quick quality check before committing: scan for dead code, debug artifacts, TODO hacks, and convention violations. Run tests if available. Skip if trivial.'; exit 0`
     }]
   }, "Added sprint-complete nudge hook");
 }
@@ -1040,6 +1052,207 @@ A PostToolUse hook fires warnings on these conditions (treat as bugs):
 `;
 }
 
+// src/commands/init/generators/hooks-rule.ts
+var HOOKS_RULE_VERSION = 1;
+function generateHooksRule() {
+  return `---
+paths: [".claude/settings.json", ".claude/settings.local.json"]
+---
+
+# Claude Code Hook Authoring Rules
+
+<!-- lp-hooks-version: ${HOOKS_RULE_VERSION} -->
+
+Applies to every hook entry in \`.claude/settings.json\` and \`.claude/settings.local.json\`. Hooks are the project's automated safety net. Getting the API wrong silently disables the protection without any error. **A broken hook is worse than no hook because it gives false confidence.**
+
+Reference: https://code.claude.com/docs/en/hooks
+
+## Anatomy of a hook entry
+
+\`\`\`json
+{
+  "hooks": {
+    "<EventName>": [
+      {
+        "matcher": "<ToolMatcher>",
+        "hooks": [
+          { "type": "command", "command": "<shell-string>" }
+        ]
+      }
+    ]
+  }
+}
+\`\`\`
+
+- \`EventName\`: \`SessionStart\`, \`SessionEnd\`, \`PreToolUse\`, \`PostToolUse\`, \`PostCompact\`, \`PreCompact\`, \`UserPromptSubmit\`, \`Stop\`, etc.
+- \`matcher\`: a regex-style string matching tool names (e.g. \`Bash\`, \`Read|Write|Edit\`). Empty string matches all tools for the event. For SessionStart use \`startup\`, \`resume\`, \`clear\`, or \`compact\`.
+- \`hooks\` array: every entry runs in parallel when the matcher fires. Identical command strings are deduplicated automatically.
+
+## Input \u2014 JSON on stdin, NOT env vars
+
+The hook receives a JSON payload on stdin. **There are no \`TOOL_INPUT_*\` environment variables in current Claude Code.** A hook that does \`cmd="$TOOL_INPUT_COMMAND"\` reads an empty string and silently no-ops. This is the single most common authoring bug.
+
+Canonical extraction:
+
+\`\`\`bash
+fp=$(jq -r '.tool_input.file_path // empty' 2>/dev/null)   # PreToolUse Read|Write|Edit
+cmd=$(jq -r '.tool_input.command // empty' 2>/dev/null)    # PreToolUse Bash
+new=$(jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)  # PostToolUse Edit|Write
+\`\`\`
+
+Top-level keys you can read: \`session_id\`, \`transcript_path\`, \`cwd\`, \`permission_mode\`, \`hook_event_name\`, \`tool_name\`, \`tool_input\`, \`tool_use_id\`. \`PostToolUse\` adds \`tool_response\`.
+
+\`jq\` is a project-level requirement. Install via \`brew install jq\` (macOS) or your distro's package manager.
+
+## Exit codes \u2014 2 blocks, 1 does not
+
+| Exit code | Effect |
+|---|---|
+| \`0\` | Allow the action. Hook stdout becomes context (SessionStart) or is informational (PostToolUse). |
+| \`2\` | Block the action. Hook stderr is fed back to Claude as the error reason. |
+| any other non-zero (\`1\`, \`127\`, \u2026) | Treated as a non-blocking hook error. **The action proceeds anyway.** |
+
+\`exit 1\` does NOT block. If the hook is meant to enforce a policy, it must end in \`exit 2\`.
+
+Block reasons go to **stderr** (\`echo '...' >&2\`), not stdout. Stdout is ignored when exit code is 2 unless the hook returns the JSON envelope (see "Richer control" below).
+
+## Output \u2014 stderr for blocks, stdout for warnings
+
+\`\`\`bash
+# Blocking: stderr + exit 2
+echo 'BLOCKED: <reason shown to Claude>' >&2
+exit 2
+
+# Informational warning that does not block: stdout + exit 0
+echo 'WARNING: <message printed to user>'
+exit 0
+\`\`\`
+
+Richer control (only use when the simple form is insufficient):
+
+\`\`\`bash
+jq -n '{
+  hookSpecificOutput: {
+    hookEventName: "PreToolUse",
+    permissionDecision: "deny",
+    permissionDecisionReason: "<reason>"
+  }
+}'
+exit 0
+\`\`\`
+
+## Multi-hook same matcher \u2014 combine into ONE entry
+
+If two top-level entries share the same matcher (e.g. two \`PreToolUse\` entries both with \`matcher: "Bash"\`), behavior is undefined: in practice the second entry can fail to fire. **Always combine commands for the same matcher into a single entry's \`hooks\` array.**
+
+Wrong:
+
+\`\`\`jsonc
+"PreToolUse": [
+  { "matcher": "Bash", "hooks": [{ "type": "command", "command": "<destructive-guard>" }] },
+  { "matcher": "Bash", "hooks": [{ "type": "command", "command": "<sprint-open-check>" }] }
+]
+\`\`\`
+
+Right:
+
+\`\`\`jsonc
+"PreToolUse": [
+  {
+    "matcher": "Bash",
+    "hooks": [
+      { "type": "command", "command": "<destructive-guard>" },
+      { "type": "command", "command": "<sprint-open-check>" }
+    ]
+  }
+]
+\`\`\`
+
+## Hot-reload \u2014 there is none
+
+Edits to \`.claude/settings.json\` or \`.claude/settings.local.json\` only take effect after a Claude Code session restart. Mid-session edits parse fine and persist to disk, but the running session keeps the hooks it loaded at start.
+
+When fixing or adding a hook:
+
+1. Edit settings.json
+2. Test the hook command in isolation (see "Testing" below)
+3. Restart Claude Code
+4. Verify the hook fires by triggering the conditions it watches
+
+Skipping step 3 means the new hook does not exist yet, no matter what the file says.
+
+## Testing a hook command in isolation
+
+Before installing or restarting, verify the command works by piping a fake JSON payload to it:
+
+\`\`\`bash
+HOOK=$(jq -r '.hooks.PreToolUse[<index>].hooks[<index>].command' .claude/settings.json)
+echo '{"tool_input":{"command":"git push --force"}}' | bash -c "$HOOK"
+echo "exit=$?"
+\`\`\`
+
+Expected for a correctly-blocking hook: stderr contains the BLOCKED reason, \`exit=2\`. If you see \`exit=0\` here, the hook will not block in production either.
+
+For PostToolUse hooks that read file paths or content, build the JSON to mirror the tool you're matching:
+
+\`\`\`bash
+echo '{"tool_input":{"file_path":"docs/architecture.md","new_string":"..."}}' | bash -c "$HOOK"
+\`\`\`
+
+## Canonical templates
+
+### PreToolUse Bash gate (block on regex match)
+
+\`\`\`bash
+cmd=$(jq -r '.tool_input.command // empty' 2>/dev/null); echo "$cmd" | grep -qE '<your-pattern>' || exit 0; echo 'BLOCKED: <reason>' >&2; exit 2
+\`\`\`
+
+**Do not anchor the pattern with \`^[[:space:]]*\`** when you want to catch chained commands. The hook receives the entire shell command string verbatim, so an anchored pattern silently misses commands like \`git status && git push\`. Use \`(^|[^[:alnum:]])<token>([[:space:]]|$)\` to match the token at start-of-line OR after a non-alphanumeric separator.
+
+### PreToolUse Read|Write|Edit gate (block on file-path match)
+
+\`\`\`bash
+fp=$(jq -r '.tool_input.file_path // empty' 2>/dev/null); echo "$fp" | grep -qE '<your-pattern>' || exit 0; echo 'BLOCKED: <reason>' >&2; exit 2
+\`\`\`
+
+### PostToolUse informational warner (never blocks; just prints)
+
+\`\`\`bash
+fp=$(jq -r '.tool_input.file_path // empty' 2>/dev/null); echo "$fp" | grep -qE '<your-pattern>' || exit 0; echo '<warning text>'; exit 0
+\`\`\`
+
+PostToolUse blocking (exit 2) is supported but rare. By the time PostToolUse fires, the file write has already happened. Almost always you want exit 0 with a stdout message.
+
+### SessionStart context injection
+
+\`\`\`bash
+cat <some-file> 2>/dev/null; exit 0
+\`\`\`
+
+Output goes into the session's context. Always exit 0; SessionStart blocking is not a thing.
+
+## Adding a new hook \u2014 checklist
+
+- [ ] Identify the event and matcher you actually need (\`PreToolUse\` for blocking before, \`PostToolUse\` for after-the-fact warnings).
+- [ ] Read the input via stdin JSON with \`jq\`, **not env vars**.
+- [ ] If it blocks: send reason to stderr, end with \`exit 2\`. If it warns: stdout, end with \`exit 0\`.
+- [ ] If a hook for the same matcher already exists, add your command to its existing \`hooks\` array \u2014 do NOT create a second entry with the same matcher.
+- [ ] Test the command in isolation by piping a fake JSON payload (see "Testing" above) \u2014 verify the exit code matches your intent.
+- [ ] Restart Claude Code.
+- [ ] Verify the hook fires under the conditions it watches and does not fire under benign conditions.
+
+## Do not
+
+- Don't reference \`$TOOL_INPUT_COMMAND\`, \`$TOOL_INPUT_FILE_PATH\`, \`$TOOL_INPUT_NEW_TEXT\`, or any other \`TOOL_INPUT_*\` env var. They do not exist; the hook silently no-ops.
+- Don't \`exit 1\` to block. It is silently non-blocking. Use \`exit 2\`.
+- Don't echo the block reason to stdout when exiting 2. Stdout is ignored in that case; only stderr reaches Claude.
+- Don't create a second top-level entry with a matcher that already has an entry. Combine commands in the existing entry's \`hooks\` array.
+- Don't expect mid-session settings.json edits to take effect. Restart is required.
+- Don't ship a hook without isolation-testing the command first. A silent no-op is worse than no hook.
+- Don't put long debug logging into a production hook. If you need diagnostics during development, write to \`/tmp/<name>.log\` and remove the line before commit.
+`;
+}
+
 // src/commands/doctor/fixer-quality.ts
 async function createWorkflowRule(root) {
   const rulesDir = join4(root, ".claude", "rules");
@@ -1050,6 +1263,15 @@ async function createWorkflowRule(root) {
   log.success("Created .claude/rules/workflow.md (path-scoped BACKLOG/TASKS workflow rules)");
   return true;
 }
+async function createHooksRule(root) {
+  const rulesDir = join4(root, ".claude", "rules");
+  const hooksPath = join4(rulesDir, "hooks.md");
+  if (await fileExists(hooksPath)) return false;
+  await mkdir2(rulesDir, { recursive: true });
+  await writeFile3(hooksPath, generateHooksRule());
+  log.success("Created .claude/rules/hooks.md (path-scoped hook authoring rules)");
+  return true;
+}
 function isMemoryHeading(line) {
   return /^## Memory( \(agentic-memory\))?\s*$/.test(line);
 }
@@ -1118,7 +1340,7 @@ async function addEnvProtectionHook(root) {
     matcher: "Read|Write|Edit",
     hooks: [{
       type: "command",
-      command: `echo "$TOOL_INPUT_FILE_PATH" | grep -qE '\\.(env|env\\..*)$' && ! echo "$TOOL_INPUT_FILE_PATH" | grep -q '.env.example' && echo 'BLOCKED: .env files contain secrets' && exit 1; exit 0`
+      command: `fp=${jqField("file_path")}; echo "$fp" | grep -qE '\\.(env|env\\..*)$' && ! echo "$fp" | grep -q '.env.example' && { echo 'BLOCKED: .env files contain secrets' >&2; exit 2; }; exit 0`
     }]
   }, "Added .env file protection hook (PreToolUse)");
 }
@@ -1131,7 +1353,7 @@ async function addAutoFormatHook(root, detected) {
     matcher: "Write|Edit",
     hooks: [{
       type: "command",
-      command: `ext=\${TOOL_INPUT_FILE_PATH##*.}; (${extChecks}) && ${config.command} "$TOOL_INPUT_FILE_PATH" 2>/dev/null; exit 0`
+      command: `fp=${jqField("file_path")}; ext="\${fp##*.}"; (${extChecks}) && ${config.command} "$fp" 2>/dev/null; exit 0`
     }]
   }, `Added auto-format hook (PostToolUse \u2192 ${config.command})`);
 }
@@ -1140,7 +1362,7 @@ async function addForcePushProtection(root) {
     matcher: "Bash",
     hooks: [{
       type: "command",
-      command: `echo "$TOOL_INPUT_COMMAND" | grep -qE 'push.*--force|push.*-f' && echo 'WARNING: Force push detected \u2014 this can destroy remote history' && exit 1; exit 0`
+      command: `cmd=${jqField("command")}; echo "$cmd" | grep -qE 'push.*--force|push.*-f' && { echo 'WARNING: Force push detected \u2014 this can destroy remote history' >&2; exit 2; }; exit 0`
     }]
   }, "Added force-push protection hook (PreToolUse \u2192 Bash)");
 }
@@ -1157,9 +1379,90 @@ async function addSessionStartHook(root) {
   }, "Added SessionStart hook (injects TASKS.md at startup)");
 }
 
-// src/commands/doctor/fixer-memory.ts
+// src/commands/doctor/fixer-hook-input.ts
 import { readFile as readFile3 } from "fs/promises";
 import { join as join5 } from "path";
+function rewriteEnvVarHookCommand(cmd) {
+  if (!hasEnvVarHookPattern(cmd)) return null;
+  if (cmd.includes("BLOCKED: .env files contain secrets")) {
+    return `fp=${jqField("file_path")}; echo "$fp" | grep -qE '\\.(env|env\\..*)$' && ! echo "$fp" | grep -q '.env.example' && { echo 'BLOCKED: .env files contain secrets' >&2; exit 2; }; exit 0`;
+  }
+  if (cmd.includes("BLOCKED: Destructive command detected")) {
+    return `cmd=${jqField("command")}; echo "$cmd" | grep -qE 'rm\\s+-rf\\s+/|DROP\\s+TABLE|DROP\\s+DATABASE|push.*--force|push.*-f' && { echo 'BLOCKED: Destructive command detected' >&2; exit 2; }; exit 0`;
+  }
+  if (cmd.includes("WARNING: Force push detected") || cmd.includes("Force push detected")) {
+    return `cmd=${jqField("command")}; echo "$cmd" | grep -qE 'push.*--force|push.*-f' && { echo 'WARNING: Force push detected \u2014 this can destroy remote history' >&2; exit 2; }; exit 0`;
+  }
+  if (cmd.includes("Sprint complete") && cmd.includes("TASKS.md")) {
+    return `fp=${jqField("file_path")}; echo "$fp" | grep -q TASKS.md || exit 0; section=$(sed -n '/^## Current/,/^## /p' TASKS.md 2>/dev/null); [ -z "$section" ] && exit 0; unchecked=$(echo "$section" | grep -cF '- [ ]' || true); checked=$(echo "$section" | grep -cF '- [x]' || true); [ "$unchecked" -eq 0 ] && [ "$checked" -gt 0 ] && echo 'Sprint complete \u2014 all current tasks done. Consider a quick quality check before committing: scan for dead code, debug artifacts, TODO hacks, and convention violations. Run tests if available. Skip if trivial.'; exit 0`;
+  }
+  const formatMatch = cmd.match(/ext=\$\{TOOL_INPUT_FILE_PATH##\*\.\};\s*\((.+?)\)\s*&&\s*(.+?)\s*"\$TOOL_INPUT_FILE_PATH"/);
+  if (formatMatch) {
+    const extChecks = formatMatch[1].trim();
+    const formatter = formatMatch[2].trim();
+    return `fp=${jqField("file_path")}; ext="\${fp##*.}"; (${extChecks}) && ${formatter} "$fp" 2>/dev/null; exit 0`;
+  }
+  return null;
+}
+function rewriteSettingsHooks(settings) {
+  const hooks = settings.hooks;
+  if (!hooks) return { settings, changed: false };
+  let changed = false;
+  const next = {};
+  for (const [event, groups] of Object.entries(hooks)) {
+    next[event] = groups.map((group) => ({
+      ...group,
+      hooks: group.hooks.map((hook) => {
+        if (hook.type !== "command") return hook;
+        if (!hasEnvVarHookPattern(hook.command)) return hook;
+        const rewritten = rewriteEnvVarHookCommand(hook.command);
+        if (rewritten === null) return hook;
+        changed = true;
+        return { ...hook, command: rewritten };
+      })
+    }));
+  }
+  if (!changed) return { settings, changed: false };
+  return { settings: { ...settings, hooks: next }, changed: true };
+}
+async function rewriteWrapperScript(scriptPath, rewriter) {
+  let content;
+  try {
+    content = await readFile3(scriptPath, "utf-8");
+  } catch {
+    return false;
+  }
+  if (!hasEnvVarHookPattern(content)) return false;
+  await rewriter();
+  return true;
+}
+async function rewriteEnvVarHooks(root) {
+  let didFix = false;
+  const settings = await readSettingsJson(root);
+  if (settings !== null) {
+    const outcome = rewriteSettingsHooks(settings);
+    if (outcome.changed) {
+      await writeSettingsJson(root, outcome.settings);
+      log.success("Rewrote inert $TOOL_INPUT_* hooks in settings.json to canonical jq+stdin form");
+      didFix = true;
+    }
+  }
+  const workflowCheckPath = join5(root, ".claude", "hooks", "workflow-check.sh");
+  if (await rewriteWrapperScript(workflowCheckPath, () => writeWorkflowCheckScript(root))) {
+    log.success("Rewrote .claude/hooks/workflow-check.sh to canonical jq+stdin form");
+    didFix = true;
+  }
+  const sprintOpenPath = join5(root, ".claude", "hooks", "sprint-open-check.sh");
+  if (await rewriteWrapperScript(sprintOpenPath, () => writeSprintHygieneScripts(root))) {
+    log.success("Rewrote .claude/hooks/sprint-open-check.sh to canonical jq+stdin form");
+    didFix = true;
+  }
+  return didFix;
+}
+
+// src/commands/doctor/fixer-memory.ts
+import { readFile as readFile4 } from "fs/promises";
+import { join as join6 } from "path";
 async function addPlacementHook(root, placement, event, dedupKeyword, entry, prepend, successMsg) {
   const read = placement === "local" ? readSettingsLocalJson : readSettingsJson;
   const write = placement === "local" ? writeSettingsLocalJson : writeSettingsJson;
@@ -1313,9 +1616,9 @@ async function addAllowedMcpServers(root, placement) {
   if (settingsServers && typeof settingsServers === "object") {
     for (const name of Object.keys(settingsServers)) serverNames.add(name);
   }
-  const mcpJsonPath = join5(root, ".mcp.json");
+  const mcpJsonPath = join6(root, ".mcp.json");
   try {
-    const mcpJson = JSON.parse(await readFile3(mcpJsonPath, "utf-8"));
+    const mcpJson = JSON.parse(await readFile4(mcpJsonPath, "utf-8"));
     const mcpServers = mcpJson.mcpServers;
     if (mcpServers && typeof mcpServers === "object") {
       for (const name of Object.keys(mcpServers)) serverNames.add(name);
@@ -1351,6 +1654,7 @@ async function applyFixes(issues, projectRoot) {
   return { fixed, skipped };
 }
 var FIX_TABLE = [
+  { analyzer: "Hooks", match: "$TOOL_INPUT_* env var", fix: (root) => rewriteEnvVarHooks(root) },
   { analyzer: "Hooks", match: "No hooks configured", fix: async (root, detected) => {
     const a = await addEnvProtectionHook(root);
     const b = await addAutoFormatHook(root, detected);
@@ -1380,6 +1684,7 @@ var FIX_TABLE = [
   { analyzer: "Rules", match: "No BACKLOG.md", fix: (root) => createBacklogMd(root) },
   { analyzer: "Rules", match: "No .claudeignore", fix: (root, detected) => createClaudeignore(root, detected) },
   { analyzer: "Rules", match: "No .claude/rules/workflow.md", fix: (root) => createWorkflowRule(root) },
+  { analyzer: "Rules", match: "No .claude/rules/hooks.md", fix: (root) => createHooksRule(root) },
   { analyzer: "Rules", match: "No .claude/rules/", fix: (root) => createStarterRules(root) },
   { analyzer: "Hooks", match: "PostCompact", fix: (root) => addPostCompactHook(root) },
   { analyzer: "Permissions", match: "force-push", fix: (root) => addForcePushProtection(root) },
@@ -1407,7 +1712,7 @@ var FIX_TABLE = [
   { analyzer: "Memory", match: "SessionEnd push hook is not nohup-wrapped", fix: (root) => upgradeStaleSessionEndPushHook(root) },
   { analyzer: "Memory", match: "CLAUDE.md missing memory guidance", fix: (root, _det, placement) => {
     const content = "Use agentic-memory to persist knowledge across sessions:\n- Memories are automatically injected at session start\n- STORE IMMEDIATELY when: a dependency strategy changes, an architecture decision is made, a convention is established, a bug pattern is discovered, or a feature is killed/added\n- Use memory_search before memory_store to check for duplicates\n- NEVER store credentials, API keys, tokens, or secrets in memories";
-    const target = placement === "local" ? join6(root, ".claude", "CLAUDE.md") : void 0;
+    const target = placement === "local" ? join7(root, ".claude", "CLAUDE.md") : void 0;
     return addClaudeMdSection(root, "## Memory", wrapStub(content), target);
   } }
 ];
@@ -1464,10 +1769,10 @@ async function removeSandboxSettings(root) {
   return true;
 }
 async function addEnvToClaudeignore(root) {
-  const ignorePath = join6(root, ".claudeignore");
+  const ignorePath = join7(root, ".claudeignore");
   let content;
   try {
-    content = await readFile4(ignorePath, "utf-8");
+    content = await readFile5(ignorePath, "utf-8");
   } catch {
     return false;
   }
@@ -1478,13 +1783,13 @@ async function addEnvToClaudeignore(root) {
   return true;
 }
 async function addClaudeMdSection(root, heading, content, targetPath) {
-  const claudeMdPath = targetPath ?? join6(root, "CLAUDE.md");
+  const claudeMdPath = targetPath ?? join7(root, "CLAUDE.md");
   let existing;
   try {
-    existing = await readFile4(claudeMdPath, "utf-8");
+    existing = await readFile5(claudeMdPath, "utf-8");
   } catch {
     if (!targetPath) return false;
-    await mkdir3(join6(root, ".claude"), { recursive: true });
+    await mkdir3(join7(root, ".claude"), { recursive: true });
     existing = "# Local Claude Config\n";
   }
   if (existing.includes(heading)) return false;
@@ -1502,7 +1807,7 @@ ${content}
   return true;
 }
 async function createBacklogMd(root) {
-  const backlogPath = join6(root, "BACKLOG.md");
+  const backlogPath = join7(root, "BACKLOG.md");
   try {
     await access2(backlogPath);
     return false;
@@ -1514,7 +1819,7 @@ async function createBacklogMd(root) {
   return true;
 }
 async function createClaudeignore(root, detected) {
-  const ignorePath = join6(root, ".claudeignore");
+  const ignorePath = join7(root, ".claudeignore");
   try {
     await access2(ignorePath);
     return false;
@@ -1531,7 +1836,7 @@ var SKILL_AUTHORING_SECTION = `
 ${SKILL_AUTHORING_CONTENT}
 `;
 async function createStarterRules(root) {
-  const rulesDir = join6(root, ".claude", "rules");
+  const rulesDir = join7(root, ".claude", "rules");
   try {
     await access2(rulesDir);
     return false;
@@ -1539,7 +1844,7 @@ async function createStarterRules(root) {
   }
   await mkdir3(rulesDir, { recursive: true });
   await writeFile4(
-    join6(rulesDir, "conventions.md"),
+    join7(rulesDir, "conventions.md"),
     `# Project Conventions
 
 - Use conventional commits (feat:, fix:, docs:, refactor:, test:, chore:)
@@ -1552,10 +1857,10 @@ ${SKILL_AUTHORING_SECTION}`
   return true;
 }
 async function addSkillAuthoringConventions(root) {
-  const conventionsPath = join6(root, ".claude", "rules", "conventions.md");
+  const conventionsPath = join7(root, ".claude", "rules", "conventions.md");
   let content;
   try {
-    content = await readFile4(conventionsPath, "utf-8");
+    content = await readFile5(conventionsPath, "utf-8");
   } catch {
     return false;
   }
@@ -1565,11 +1870,11 @@ async function addSkillAuthoringConventions(root) {
   return true;
 }
 async function createEnhanceSkill(root) {
-  const skillDir = join6(root, ".claude", "skills", "lp-enhance");
-  const skillPath = join6(skillDir, "SKILL.md");
-  const globalPath = join6(homedir(), ".claude", "skills", "lp-enhance", "SKILL.md");
-  const legacyProject = join6(root, ".claude", "commands", "lp-enhance.md");
-  const legacyGlobal = join6(homedir(), ".claude", "commands", "lp-enhance.md");
+  const skillDir = join7(root, ".claude", "skills", "lp-enhance");
+  const skillPath = join7(skillDir, "SKILL.md");
+  const globalPath = join7(homedir(), ".claude", "skills", "lp-enhance", "SKILL.md");
+  const legacyProject = join7(root, ".claude", "commands", "lp-enhance.md");
+  const legacyGlobal = join7(homedir(), ".claude", "commands", "lp-enhance.md");
   if (await fileExists(skillPath) || await fileExists(globalPath) || await fileExists(legacyProject) || await fileExists(legacyGlobal)) return false;
   await mkdir3(skillDir, { recursive: true });
   await writeFile4(skillPath, generateEnhanceSkill());
@@ -1577,8 +1882,8 @@ async function createEnhanceSkill(root) {
   return true;
 }
 async function updateEnhanceSkill(root) {
-  const projectPath = join6(root, ".claude", "skills", "lp-enhance", "SKILL.md");
-  const globalPath = join6(homedir(), ".claude", "skills", "lp-enhance", "SKILL.md");
+  const projectPath = join7(root, ".claude", "skills", "lp-enhance", "SKILL.md");
+  const globalPath = join7(homedir(), ".claude", "skills", "lp-enhance", "SKILL.md");
   const targetPath = await fileExists(projectPath) ? projectPath : await fileExists(globalPath) ? globalPath : null;
   if (!targetPath) return false;
   await writeFile4(targetPath, generateEnhanceSkill());
@@ -1692,7 +1997,7 @@ function renderDoctorReport(results, options) {
 async function readJsonFile(path) {
   let raw;
   try {
-    raw = await readFile5(path, "utf-8");
+    raw = await readFile6(path, "utf-8");
   } catch (err) {
     const code = err.code;
     if (code === "ENOENT") return {};
@@ -1707,20 +2012,20 @@ async function readJsonFile(path) {
   }
 }
 async function readSettingsJson(root) {
-  return readJsonFile(join7(root, ".claude", "settings.json"));
+  return readJsonFile(join8(root, ".claude", "settings.json"));
 }
 async function writeSettingsJson(root, settings) {
-  const dir = join7(root, ".claude");
+  const dir = join8(root, ".claude");
   await mkdir4(dir, { recursive: true });
-  await writeFile5(join7(dir, "settings.json"), JSON.stringify(settings, null, 2) + "\n");
+  await writeFile5(join8(dir, "settings.json"), JSON.stringify(settings, null, 2) + "\n");
 }
 async function readSettingsLocalJson(root) {
-  return readJsonFile(join7(root, ".claude", "settings.local.json"));
+  return readJsonFile(join8(root, ".claude", "settings.local.json"));
 }
 async function writeSettingsLocalJson(root, settings) {
-  const dir = join7(root, ".claude");
+  const dir = join8(root, ".claude");
   await mkdir4(dir, { recursive: true });
-  await writeFile5(join7(dir, "settings.local.json"), JSON.stringify(settings, null, 2) + "\n");
+  await writeFile5(join8(dir, "settings.local.json"), JSON.stringify(settings, null, 2) + "\n");
 }
 
 export {
@@ -1744,13 +2049,16 @@ export {
   getMemoryPlacement,
   LP_STUB_OPEN,
   addOrUpdateHook,
+  jqField,
+  hasEnvVarHookPattern,
   writeSprintHygieneScripts,
   writeWorkflowCheckScript,
   generateWorkflowRule,
+  generateHooksRule,
   applyFixes,
   log,
   printBanner,
   printScoreCard,
   renderDoctorReport
 };
-//# sourceMappingURL=chunk-5KQ2JDZN.js.map
+//# sourceMappingURL=chunk-3OFOCOXM.js.map