claude-smith 3.0.0 → 3.2.0

package/lib/event-log.mjs

@@ -0,0 +1,96 @@
+#!/usr/bin/env node
+
+/**
+ * Event Log Library
+ * Appends structured events to .smith/events/YYYY-MM-DD.jsonl
+ * Provides project-level audit trail of hook activity
+ */
+
+import { appendFileSync, readFileSync, mkdirSync, existsSync, readdirSync, lstatSync } from 'fs';
+import { join } from 'path';
+
+/**
+ * Append an event to the project-level event log.
+ * Writes to .smith/events/YYYY-MM-DD.jsonl
+ *
+ * @param {string} projectDir - project root (process.cwd())
+ * @param {object} event - { hook, event, file?, message? }
+ */
+export function appendEvent(projectDir, { hook, event, file = '', message = '' }) {
+  try {
+    const eventsDir = join(projectDir, '.smith', 'events');
+    mkdirSync(eventsDir, { recursive: true, mode: 0o700 });
+
+    // Symlink check: ensure events dir is a real directory, not a symlink
+    const stat = lstatSync(eventsDir);
+    if (!stat.isDirectory()) return; // Don't write to symlinks
+
+    const today = new Date().toISOString().split('T')[0]; // YYYY-MM-DD
+    const logFile = join(eventsDir, `${today}.jsonl`);
+
+    // Also check the log file isn't a symlink
+    if (existsSync(logFile)) {
+      const fileStat = lstatSync(logFile);
+      if (!fileStat.isFile()) return;
+    }
+
+    const entry = JSON.stringify({
+      t: new Date().toISOString(),
+      h: hook,
+      e: event,
+      f: file,
+      m: message
+    }) + '\n';
+
+    appendFileSync(logFile, entry, { mode: 0o600 });
+  } catch {
+    // Silent fail — event logging should never break hooks
+  }
+}
+
+/**
+ * Read events from the last N days
+ *
+ * @param {string} projectDir - project root
+ * @param {object} options - { days: 7 }
+ * @returns {Array} events
+ */
+export function readEvents(projectDir, { days = 7 } = {}) {
+  try {
+    const eventsDir = join(projectDir, '.smith', 'events');
+    if (!existsSync(eventsDir)) return [];
+
+    // Symlink check: ensure events dir is a real directory
+    const stat = lstatSync(eventsDir);
+    if (!stat.isDirectory()) return [];
+
+    // Calculate cutoff date for filtering
+    const cutoff = new Date();
+    cutoff.setDate(cutoff.getDate() - days);
+    const cutoffStr = cutoff.toISOString().split('T')[0]; // YYYY-MM-DD
+
+    const files = readdirSync(eventsDir)
+      .filter(f => f.endsWith('.jsonl'))
+      .filter(f => {
+        const dateStr = f.replace('.jsonl', '');
+        return /^\d{4}-\d{2}-\d{2}$/.test(dateStr) && dateStr >= cutoffStr;
+      })
+      .sort();
+
+    const events = [];
+    for (const file of files) {
+      const content = readFileSync(join(eventsDir, file), 'utf8');
+      for (const line of content.split('\n')) {
+        if (!line.trim()) continue;
+        try {
+          events.push(JSON.parse(line));
+        } catch {
+          // Skip malformed lines
+        }
+      }
+    }
+    return events;
+  } catch {
+    return [];
+  }
+}

package/lib/hook-utils.mjs

@@ -0,0 +1,69 @@
+/**
+ * Hook Utilities
+ * Common functions used across hook scripts
+ */
+
+import { readFileSync } from 'fs';
+import { join } from 'path';
+
+/**
+ * Sanitize session/agent IDs to prevent path traversal
+ * Currently duplicated 11 times across hooks
+ * @param {string} id - The ID to sanitize
+ * @returns {string} Sanitized ID safe for filesystem use
+ */
+export function sanitizeId(id) {
+  if (!id || typeof id !== 'string') return 'default';
+  return id.replace(/[^a-zA-Z0-9_-]/g, '').slice(0, 128) || 'default';
+}
+
+/**
+ * Check if OMC autonomous mode is active
+ * Currently duplicated 4 times (debug-loop, scope-guard, batch-checkpoint, plan-guard)
+ * @param {string} cwd - Current working directory
+ * @returns {boolean} True if any OMC autonomous mode is active
+ */
+export function isOmcAutoMode(cwd) {
+  const omcStateDir = join(cwd, '.omc', 'state');
+  const omcAutoModes = ['autopilot-state.json', 'ultrawork-state.json', 'ralph-state.json'];
+  return omcAutoModes.some(f => {
+    try {
+      const state = JSON.parse(readFileSync(join(omcStateDir, f), 'utf8'));
+      return state.active === true || state.status === 'running';
+    } catch { return false; }
+  });
+}
+
+/**
+ * Parse hook input from stdin (JSON)
+ * Common pattern across all hooks
+ * @returns {object|null} Parsed input or null if parsing fails
+ */
+export function parseHookInput() {
+  try {
+    return JSON.parse(readFileSync(0, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Send a brief notification to stderr for user visibility
+ * Only active when notify: true in .claude-smith.json
+ * @param {boolean} notify - Whether notifications are enabled
+ * @param {string} hookName - Display name of the hook
+ * @param {string} eventType - fire|warn|block|inject|track
+ * @param {string} message - Brief description
+ */
+export function notifyUser(notify, hookName, eventType, message) {
+  if (!notify) return;
+  const icons = {
+    fire: '✅',
+    warn: '⚠️',
+    block: '🚫',
+    inject: '🤖',
+    track: '📊'
+  };
+  const icon = icons[eventType] || '📝';
+  process.stderr.write(`🕵️ Smith — ${icon} ${hookName}: ${message}\n`);
+}

package/lib/stats.mjs

@@ -7,8 +7,20 @@ import { readFileSync, writeFileSync, existsSync, mkdirSync, readdirSync } from
 import { join } from 'path';
 import { tmpdir } from 'os';
 
+const KNOWN_EVENTS = ['fire', 'warn', 'block'];
+
 export function recordEvent(sessionId, hookName, eventType) {
-  const stateDir = join(tmpdir(), '.claude-smith', sessionId || 'default');
+  // Guard: only record known event types
+  if (!KNOWN_EVENTS.includes(eventType)) return;
+
+  // Sanitize sessionId and validate path
+  const safeId = (sessionId || 'default').replace(/[^a-zA-Z0-9_-]/g, '').slice(0, 128) || 'default';
+  const stateDir = join(tmpdir(), '.claude-smith', safeId);
+
+  // Verify resolved path is under expected parent
+  const expectedParent = join(tmpdir(), '.claude-smith');
+  if (!stateDir.startsWith(expectedParent)) return;
+
   mkdirSync(stateDir, { recursive: true, mode: 0o700 });
 
   const counterFile = join(stateDir, `stat-${hookName}-${eventType}`);
@@ -18,16 +30,31 @@ export function recordEvent(sessionId, hookName, eventType) {
 }
 
 export function readStats(sessionId) {
-  const stateDir = join(tmpdir(), '.claude-smith', sessionId || 'default');
+  // Sanitize sessionId and validate path
+  const safeId = (sessionId || 'default').replace(/[^a-zA-Z0-9_-]/g, '').slice(0, 128) || 'default';
+  const stateDir = join(tmpdir(), '.claude-smith', safeId);
+
+  // Verify resolved path is under expected parent
+  const expectedParent = join(tmpdir(), '.claude-smith');
+  if (!stateDir.startsWith(expectedParent)) return {};
+
   const stats = {};
 
   try {
     const files = readdirSync(stateDir).filter(f => f.startsWith('stat-'));
     for (const f of files) {
       // Format: stat-{hookName}-{eventType}
-      const parts = f.replace('stat-', '').split('-');
-      const eventType = parts.pop();
-      const hookName = parts.join('-');
+      // Use safer parsing with explicit known event types
+      const raw = f.replace('stat-', ''); // e.g., "batch-checkpoint-warn"
+      const lastDash = raw.lastIndexOf('-');
+      if (lastDash === -1) continue;
+
+      const eventType = raw.slice(lastDash + 1);
+      const hookName = raw.slice(0, lastDash);
+
+      // Skip unknown event types
+      if (!KNOWN_EVENTS.includes(eventType)) continue;
+
       if (!stats[hookName]) stats[hookName] = { fire: 0, warn: 0, block: 0 };
       try {
         stats[hookName][eventType] = parseInt(readFileSync(join(stateDir, f), 'utf8'), 10) || 0;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-smith",
-  "version": "3.0.0",
+  "version": "3.2.0",
   "description": "Claude Code workflow enforcement CLI - forging coding discipline into every session",
   "type": "module",
   "scripts": {

package/templates/commands/smith-dashboard.md

@@ -0,0 +1,10 @@
+Generate the visual HTML compliance dashboard and open it in the browser.
+
+Run: `npx claude-smith dashboard`
+
+Then open the generated file:
+- macOS: `open claude-smith-dashboard.html`
+- Linux: `xdg-open claude-smith-dashboard.html`
+- Windows: `start claude-smith-dashboard.html`
+
+Display a brief summary of the dashboard contents to the user.

package/templates/commands/smith-update.md

@@ -4,6 +4,6 @@ Steps:
 1. Run: `npx claude-smith --version` to get the current installed version
 2. Run: `npm view claude-smith version 2>/dev/null` to check the latest published version
 3. Compare the two versions:
-   - If they match: Report "🔨 Smith is up to date (vX.X.X)"
+   - If they match: Report "🕵️ Smith is up to date (vX.X.X)"
    - If latest is newer: Report the version difference and run `npx claude-smith update` to apply the update
    - If npm check fails: Report that version check failed (possibly offline) and suggest running `npx claude-smith update` manually

package/templates/rules.en.md

@@ -1,7 +1,7 @@
-<!-- CLAUDE-SMITH:START v1.0.0 -->
-# 🔨 Smith - Workflow Enforcement Rules
+<!-- CLAUDE-SMITH:START {{SMITH_VERSION}} -->
+# 🕵️ Smith - Workflow Enforcement Rules
 
-> Installed by 🔨 Smith v1.0.0. Do not edit manually.
+> Installed by 🕵️ Smith {{SMITH_VERSION}}. Do not edit manually.
 > Update with: `claude-smith update`
 
 ## 1. Workflow Protocol (auto-applied)

package/templates/rules.ja.md

@@ -1,7 +1,7 @@
-<!-- CLAUDE-SMITH:START v1.0.0 -->
-# 🔨 Smith - ワークフロー実行ルール
+<!-- CLAUDE-SMITH:START {{SMITH_VERSION}} -->
+# 🕵️ Smith - ワークフロー実行ルール
 
-> 🔨 Smith v1.0.0 によりインストール。手動で編集しないでください。
+> 🕵️ Smith {{SMITH_VERSION}} によりインストール。手動で編集しないでください。
 > 更新コマンド：`claude-smith update`
 
 ## 1. ワークフロープロトコル（自動適用）

package/templates/rules.ko.md

@@ -1,7 +1,7 @@
-<!-- CLAUDE-SMITH:START v1.0.0 -->
-# 🔨 Smith - Workflow Enforcement Rules
+<!-- CLAUDE-SMITH:START {{SMITH_VERSION}} -->
+# 🕵️ Smith - Workflow Enforcement Rules
 
-> Installed by 🔨 Smith v1.0.0. Do not edit manually.
+> Installed by 🕵️ Smith {{SMITH_VERSION}}. Do not edit manually.
 > Update with: `claude-smith update`
 
 ## 1. Workflow Protocol (자동 적용)

package/templates/rules.md

@@ -1,7 +1,7 @@
-<!-- CLAUDE-SMITH:START v1.0.0 -->
-# 🔨 Smith - Workflow Enforcement Rules
+<!-- CLAUDE-SMITH:START {{SMITH_VERSION}} -->
+# 🕵️ Smith - Workflow Enforcement Rules
 
-> Installed by 🔨 Smith v1.0.0. Do not edit manually.
+> Installed by 🕵️ Smith {{SMITH_VERSION}}. Do not edit manually.
 > Update with: `claude-smith update`
 
 ## 1. Workflow Protocol (auto-applied)

package/templates/rules.zh.md

@@ -1,7 +1,7 @@
-<!-- CLAUDE-SMITH:START v1.0.0 -->
-# 🔨 Smith - 工作流执行规则
+<!-- CLAUDE-SMITH:START {{SMITH_VERSION}} -->
+# 🕵️ Smith - 工作流执行规则
 
-> 由 🔨 Smith v1.0.0 安装。请勿手动编辑。
+> 由 🕵️ Smith {{SMITH_VERSION}} 安装。请勿手动编辑。
 > 更新命令：`claude-smith update`
 
 ## 1. 工作流协议（自动应用）