claudemd-cli 0.9.32 → 0.9.34

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/CHANGELOG.md +80 -0
  2. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -8,6 +8,86 @@ All notable changes to the `claudemd` plugin. This changelog tracks plugin artif
8
8
  - **Canonical spec version source**: `spec/CLAUDE.md` top-line title (`# AI-CODING-SPEC vX.Y.Z — Core`) + `spec/CLAUDE-changelog.md` top `##` entry.
9
9
  - **Plugin semver vs spec semver** are independent: plugin patch (0.2.0 → 0.2.1) may ship when spec is unchanged (this release); plugin minor (0.1.9 → 0.2.0) ships when spec minor updates (v0.2.0 shipped spec v6.10.0).
10
10
 
11
+ ## [0.9.34] - 2026-05-11
12
+
13
+ **Patch — instrumentation bundle sub-patch 1B: tool_use_id column + audit `uniqueInvocations` dedup view + 5 remaining hooks plumbed for session_id.** Completes the schema half of the 1A/1B/1C bundle from 2026-05-11 dogfood audit. Post-cutover (this commit on), every rule-hits row carries enough identity to distinguish "one CC invocation logged twice" (registration / lib bug) from "Claude fast-retry after deny in same second" (not a bug).
14
+
15
+ ### Schema
16
+
17
+ - `[add]` **`rule_hits_append` accepts 6th positional arg `tool_use_id`** (`hooks/lib/rule-hits.sh`). Empty/omitted → JSONL row carries `tool_use_id: null`. Only PreToolUse / PostToolUse hooks populate it; Stop / SessionStart / SessionEnd / UserPromptSubmit leave it null (no per-tool context).
18
+ - `[doc]` **`docs/RULE-HITS-SCHEMA.md`** — `tool_use_id` field added; `session_id` field row updated to note all 12 emitter hooks now populate it (1A note revised).
19
+
20
+ ### Hook plumbing — round 2 (12 of 12 emitter hooks)
21
+
22
+ PreToolUse / PostToolUse hooks add `TOOL_USE_ID` extraction + thread it into all `hook_record` callsites:
23
+ - `[change]` **`hooks/banned-vocab-check.sh`** (2 callsites)
24
+ - `[change]` **`hooks/ship-baseline-check.sh`** (3 callsites)
25
+ - `[change]` **`hooks/pre-bash-safety-check.sh`** (4 callsites)
26
+ - `[change]` **`hooks/memory-read-check.sh`** (2 callsites)
27
+ - `[change]` **`hooks/transcript-vocab-scan.sh`** (1 callsite)
28
+
29
+ The 5 hooks not plumbed in 1A get `SESSION_ID` added (tool_use_id stays null — these are non-tool events):
30
+ - `[change]` **`hooks/sandbox-disposal-check.sh`** (Stop) — best-effort `cat` from stdin + jq extract, fail-open on any error (Stop cannot block).
31
+ - `[change]` **`hooks/residue-audit.sh`** (Stop) — same pattern.
32
+ - `[change]` **`hooks/mem-audit.sh`** (Stop) — same pattern.
33
+ - `[change]` **`hooks/session-start-check.sh`** (SessionStart) — env-var (`CLAUDE_SESSION_ID`) preferred, stdin fallback; threaded into both `hook_record` callsites (`bootstrap` + `upstream-banner`).
34
+ - `[change]` **`hooks/version-sync.sh`** (UserPromptSubmit) — uses existing `CLAUDE_SESSION_ID` env var (hook backgrounds itself, can't reliably re-read stdin).
35
+
36
+ ### Audit consumer
37
+
38
+ - `[add]` **`scripts/lib/rule-hits-parse.js` `uniqueInvocations()`** — per-hook dedup view. Key: `(ts, hook, session_id, tool_use_id)`. Output: `{rows, unique_invocations, duplicate_rows, legacy_rows}` per hook. `legacy_rows` counts pre-v0.9.33 rows (both session_id + tool_use_id null) so the operator can discount them — historical dedup over-collapses across sessions.
39
+ - `[change]` **`scripts/audit.js`** emits new top-level `uniqueInvocations` field (next to `byTrend`).
40
+ - `[change]` **`commands/claudemd-audit.md`** — renderer hint updated: surface `uniqueInvocations.<hook>.duplicate_rows > 0` for PreToolUse/PostToolUse hooks as candidate bug; treat `bySection['(unset)']` as historical pre-v0.7.0 data and exclude from heatmap leader unless window pre-dates 2026-05-09.
41
+
42
+ ### Tests
43
+
44
+ - `[add]` **`tests/hooks/rule-hits.test.sh` Cases 16–18** — Case 16: 6th arg lands as `tool_use_id`; Case 17 / 17b: omitted + empty normalize to null; Case 18: full-shape PreToolUse row (session_id + tool_use_id + spec_section + extra) byte-exact assertion.
45
+ - `[add]` **`tests/scripts/audit.test.js` `uniqueInvocations` case** — dedup-by-quadruple + legacy_rows counter + null tool_use_id passthrough for non-tool hooks.
46
+ - 19/19 hook tests + 361/361 JS tests pass; `tests/run-all.sh` `OVERALL: all suites passed`.
47
+
48
+ ### Out of scope (sub-patch 1C)
49
+
50
+ - `session_extended_read` boolean per row (point 4 from 2026-05-11 audit) — separate sub-patch.
51
+ - 7 days post-cutover data accumulation before `uniqueInvocations` will produce non-trivial dedup signal. Code path verified by unit test fixture in this release.
52
+
53
+ ### Plugin
54
+
55
+ - Plugin manifests bumped 0.9.33 → 0.9.34 (package.json + plugin.json + marketplace.json). Manifest description fields stay at `v6.11` family per `Versioning policy` (set in v0.2.1).
56
+
57
+ ## [0.9.33] - 2026-05-11
58
+
59
+ **Patch — rule-hits.jsonl schema additive: new `session_id` column.** Sub-patch 1A of the instrumentation bundle (points 2 + 4 from in-session dogfood audit on 2026-05-11). Disambiguates hook double-fire vs fast-retry in audit data — currently `banned-vocab/deny` shows ~50% byte-identical pair rows at the same timestamp, and existing schema cannot tell whether two rows came from one CC invocation (registration / lib bug) or two retries within the same second. Fully back-compat: pre-v0.9.33 rows have `session_id: null`; new callsites populate it from stdin EVENT JSON `.session_id`.
60
+
61
+ ### Schema
62
+
63
+ - `[add]` **`rule_hits_append` accepts 5th positional arg `session_id`** (`hooks/lib/rule-hits.sh`). Empty/omitted → JSONL row carries `session_id: null` (matches existing `spec_section` empty-arg semantics). Field positioned between `project` and `spec_section` in row JSON for grouping (project + session metadata together).
64
+ - `[doc]` **`docs/RULE-HITS-SCHEMA.md`** — new field row with `null` cases enumerated (5 hooks not yet plumbed: `sandbox-disposal`, `residue-audit`, `mem-audit`, `session-start`, `version-sync`; pre-v0.9.33 rows). Sub-patch 1A scope = hooks already extracting EVENT; remaining 5 ship in sub-patch 1B with their own EVENT-read addition.
65
+
66
+ ### Hook plumbing (7 of 12 emitter hooks)
67
+
68
+ - `[change]` **`hooks/banned-vocab-check.sh`** — `SESSION_ID` extracted from EVENT, threaded into both `hook_record` callsites (deny + bypass-escape-hatch).
69
+ - `[change]` **`hooks/ship-baseline-check.sh`** — same pattern, 3 callsites (pass / pass-known-red / deny).
70
+ - `[change]` **`hooks/pre-bash-safety-check.sh`** — same, 4 callsites (deny / bypass × 2 / npx-allow-local).
71
+ - `[change]` **`hooks/memory-read-check.sh`** — existing `SESSION_ID` extraction moved before bypass-escape-hatch branch so both rows carry it; threaded into 2 callsites.
72
+ - `[change]` **`hooks/transcript-structure-scan.sh`** — `SESSION_ID` extracted, threaded into structure-advisory callsite.
73
+ - `[change]` **`hooks/transcript-vocab-scan.sh`** — same, 1 callsite.
74
+ - `[change]` **`hooks/session-end-check.sh`** — existing `SESSION_ID` threaded into 1 callsite.
75
+
76
+ ### Tests
77
+
78
+ - `[add]` **`tests/hooks/rule-hits.test.sh` Cases 13–15** — Case 13: 5th arg lands as `session_id` field; Case 14 / 14b: omitted + empty-string normalize to null; Case 15: full-shape row (project + session_id + spec_section + extra) byte-exact assertion per `feedback_test_fixture_format_drift.md` (locks today's audit.js consumer field set).
79
+ - 19/19 `tests/hooks/*.test.sh` pass; 360/360 `tests/scripts/*.test.js` pass.
80
+
81
+ ### Out of scope (sub-patch 1B / 1C follow-ups)
82
+
83
+ - 5 hooks not yet plumbed (`sandbox-disposal`, `residue-audit`, `mem-audit`, `session-start`, `version-sync`) — adding EVENT-read to a hook that doesn't currently call `hook_read_event` is a separate behavior change with its own risk surface.
84
+ - `audit.js` `unique_invocations` dedup view — needs ≥7 days of post-cutover data to be meaningful.
85
+ - `tool_use_id` (sub-patch 1B) + `session_extended_read` (sub-patch 1C).
86
+
87
+ ### Plugin
88
+
89
+ - Plugin manifests bumped 0.9.32 → 0.9.33 (package.json + plugin.json + marketplace.json). Manifest description fields stay at `v6.11` family per `Versioning policy` (set in v0.2.1).
90
+
11
91
  ## [0.9.32] - 2026-05-11
12
92
 
13
93
  **Patch — spec v6.11.12 → v6.11.13. Compression-only release: discharges v6.11.12's `MUST net-delete or migrate` carry-forward by removing two long-standing redundancies in extended (§1.5-EXT GLOSSARY duplicate of core §1.5, §10-V illustrative-example bloat).** No rule add/remove/downgrade, no behavior change. Net delete: extended 49835 → 48384 bytes (−1451, recovered to 96.77% utilization from v6.11.12's 99.67% ceiling-grazing).
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "claudemd-cli",
3
- "version": "0.9.32",
3
+ "version": "0.9.34",
4
4
  "description": "Standalone CLI for §10-V banned-vocab + transcript scanning. Companion to the claudemd Claude Code plugin (github.com/sdsrss/claudemd) for use in git pre-commit hooks, GitHub Actions, and other agents.",
5
5
  "type": "module",
6
6
  "bin": {