claudenv 1.0.2 → 1.2.0

package/src/hooks-gen.js

@@ -0,0 +1,279 @@
+// =============================================
+// Hook & config file generation for autonomy profiles
+// =============================================
+
+import { CREDENTIAL_PATHS } from './profiles.js';
+
+/**
+ * Generate .claude/settings.json content for a given profile.
+ * @param {object} profile - Autonomy profile
+ * @param {object} detected - Tech stack detection result
+ * @returns {string} JSON string
+ */
+export function generateSettingsJson(profile, detected = {}) {
+  const settings = {};
+
+  if (profile.allowedTools && profile.allowedTools.length > 0) {
+    settings.permissions = settings.permissions || {};
+    settings.permissions.allow = profile.allowedTools;
+  }
+
+  if (profile.disallowedTools && profile.disallowedTools.length > 0) {
+    settings.permissions = settings.permissions || {};
+    settings.permissions.deny = profile.disallowedTools;
+  }
+
+  // Add stack-aware package manager restrictions for moderate/safe
+  if (detected.packageManager && !profile.skipPermissions) {
+    settings.permissions = settings.permissions || {};
+    settings.permissions.deny = settings.permissions.deny || [];
+    const wrongManagers = getWrongPackageManagers(detected.packageManager);
+    for (const cmd of wrongManagers) {
+      if (!settings.permissions.deny.includes(cmd)) {
+        settings.permissions.deny.push(cmd);
+      }
+    }
+  }
+
+  // Hooks config — PascalCase keys, command objects per Claude Code format
+  const preToolUseHook = {
+    type: 'command',
+    command: 'bash .claude/hooks/pre-tool-use.sh',
+    timeout: 10,
+  };
+  const auditLogHook = {
+    type: 'command',
+    command: 'bash .claude/hooks/audit-log.sh',
+    timeout: 10,
+  };
+
+  settings.hooks = {
+    PreToolUse: [
+      {
+        matcher: 'Bash',
+        hooks: [preToolUseHook],
+      },
+      {
+        matcher: 'Edit',
+        hooks: [preToolUseHook],
+      },
+      {
+        matcher: 'Write',
+        hooks: [preToolUseHook],
+      },
+      {
+        matcher: 'Read',
+        hooks: [preToolUseHook],
+      },
+    ],
+    PostToolUse: [
+      {
+        matcher: '',
+        hooks: [auditLogHook],
+      },
+    ],
+  };
+
+  settings.enableAllProjectMcpServers = false;
+
+  return JSON.stringify(settings, null, 2) + '\n';
+}
+
+/**
+ * Generate pre-tool-use hook script.
+ * @param {object} profile - Autonomy profile
+ * @param {object} detected - Tech stack detection result
+ * @returns {string} Bash script
+ */
+export function generatePreToolUseHook(profile, detected = {}) {
+  const credentialPathsStr = CREDENTIAL_PATHS.map((p) => `  "${p}"`).join('\n');
+  const wrongManagerBlock = buildWrongManagerBlock(detected.packageManager);
+
+  const credentialAction =
+    profile.credentialPolicy === 'block'
+      ? `      echo "BLOCKED: Access to credential path: $input_path" >&2
+      exit 2`
+      : `      echo "WARNING: Accessing credential path: $input_path" >&2
+      # Log warning to audit
+      echo "{\\"ts\\":\\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\\",\\"event\\":\\"credential_warning\\",\\"path\\":\\"$input_path\\"}" >> .claude/audit-log.jsonl
+      exit 0`;
+
+  return `#!/usr/bin/env bash
+# Pre-tool-use hook — generated by claudenv autonomy (profile: ${profile.name})
+# Exit 0 = allow, Exit 2 = block
+
+set -euo pipefail
+
+TOOL_NAME="\${CLAUDE_TOOL_NAME:-}"
+TOOL_INPUT="\${CLAUDE_TOOL_INPUT:-}"
+
+# === Hard blocks (all profiles) ===
+
+# Block rm -rf / rm -fr
+if echo "$TOOL_INPUT" | grep -qE 'rm\\s+.*-[rR].*-[fF]|rm\\s+.*-[fF].*-[rR]|rm\\s+-rf\\b|rm\\s+-fr\\b'; then
+  echo "BLOCKED: Destructive rm command detected" >&2
+  exit 2
+fi
+
+# Block force push to main/master
+if echo "$TOOL_INPUT" | grep -qE 'git\\s+push\\s+(--force|-f)\\s.*(main|master)|git\\s+push\\s+.*\\s(main|master)\\s+(--force|-f)'; then
+  echo "BLOCKED: Force push to main/master" >&2
+  exit 2
+fi
+
+# Block sudo
+if echo "$TOOL_INPUT" | grep -qE '^sudo\\s|\\bsudo\\s'; then
+  echo "BLOCKED: sudo command" >&2
+  exit 2
+fi
+
+# === Credential path checks ===
+CREDENTIAL_PATHS=(
+${credentialPathsStr}
+)
+
+# Expand ~ to HOME
+input_path=$(echo "$TOOL_INPUT" | grep -oE '~/[^ "]+|\\$HOME/[^ "]+' | head -1 || true)
+if [ -n "$input_path" ]; then
+  for cred_path in "\${CREDENTIAL_PATHS[@]}"; do
+    expanded_cred="\${cred_path/#\\~/$HOME}"
+    expanded_input="\${input_path/#\\~/$HOME}"
+    if [[ "$expanded_input" == "$expanded_cred"* ]]; then
+${credentialAction}
+    fi
+  done
+fi
+${wrongManagerBlock}
+# All checks passed
+exit 0
+`;
+}
+
+/**
+ * Generate audit log hook script.
+ * @returns {string} Bash script
+ */
+export function generateAuditLogHook() {
+  return `#!/usr/bin/env bash
+# Post-tool-use audit hook — generated by claudenv autonomy
+# Logs every tool invocation to .claude/audit-log.jsonl
+
+set -uo pipefail
+
+TOOL_NAME="\${CLAUDE_TOOL_NAME:-unknown}"
+TOOL_INPUT="\${CLAUDE_TOOL_INPUT:-}"
+SESSION_ID="\${CLAUDE_SESSION_ID:-}"
+
+# Truncate input for logging (max 500 chars)
+TRUNCATED_INPUT=$(echo "$TOOL_INPUT" | head -c 500)
+
+# Escape for JSON
+ESCAPED_INPUT=$(echo "$TRUNCATED_INPUT" | sed 's/\\\\/\\\\\\\\/g; s/"/\\\\"/g; s/\\t/\\\\t/g' | tr '\\n' ' ')
+
+mkdir -p .claude
+
+echo "{\\"ts\\":\\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\\",\\"tool\\":\\"$TOOL_NAME\\",\\"input\\":\\"$ESCAPED_INPUT\\",\\"session\\":\\"$SESSION_ID\\"}" >> .claude/audit-log.jsonl
+
+exit 0
+`;
+}
+
+/**
+ * Generate shell aliases.
+ * @param {object} profile - Autonomy profile
+ * @returns {string} Shell script with aliases
+ */
+export function generateAliases(profile) {
+  return `#!/usr/bin/env bash
+# Shell aliases — generated by claudenv autonomy (profile: ${profile.name})
+# Source this file: source .claude/aliases.sh
+
+# Safe mode — read-only, plan mode
+alias claude-safe='claude --allowedTools "Read,Glob,Grep,Bash(ls *),Bash(cat *),Bash(git status),Bash(git log *),Bash(git diff *)"'
+
+# Full autonomy — skip all permission prompts
+alias claude-yolo='claude --dangerously-skip-permissions'
+
+# CI mode — headless, JSON output, budget-limited
+alias claude-ci='claude -p --output-format json --dangerously-skip-permissions --max-turns 50'
+
+# Local dev — current profile (${profile.name})
+alias claude-local='claude${profile.skipPermissions ? ' --dangerously-skip-permissions' : ''}${profile.disallowedTools && profile.disallowedTools.length > 0 ? ` --disallowedTools "${profile.disallowedTools.join(',')}"` : ''}'
+`;
+}
+
+/**
+ * Generate GitHub Actions workflow for CI profile.
+ * @returns {string} YAML content
+ */
+export function generateCIWorkflow() {
+  return `# Claude CI workflow — generated by claudenv autonomy (profile: ci)
+name: Claude CI
+
+on:
+  issues:
+    types: [opened, labeled]
+  pull_request_target:
+    types: [opened, synchronize]
+
+jobs:
+  claude:
+    if: |
+      (github.event_name == 'issues' && contains(github.event.issue.labels.*.name, 'claude')) ||
+      github.event_name == 'pull_request_target'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: \${{ secrets.ANTHROPIC_API_KEY }}
+          max_turns: "50"
+          timeout_minutes: "30"
+`;
+}
+
+// =============================================
+// Internal helpers
+// =============================================
+
+function getWrongPackageManagers(detected) {
+  const managers = {
+    npm: ['Bash(yarn *)', 'Bash(pnpm *)', 'Bash(bun *)'],
+    yarn: ['Bash(npm install *)', 'Bash(npm ci *)', 'Bash(pnpm *)', 'Bash(bun *)'],
+    pnpm: ['Bash(npm install *)', 'Bash(npm ci *)', 'Bash(yarn *)', 'Bash(bun *)'],
+    bun: ['Bash(npm install *)', 'Bash(npm ci *)', 'Bash(yarn *)', 'Bash(pnpm *)'],
+  };
+  return managers[detected] || [];
+}
+
+function buildWrongManagerBlock(packageManager) {
+  if (!packageManager) return '';
+  const wrong = getWrongPackageManagers(packageManager);
+  if (wrong.length === 0) return '';
+
+  const patterns = wrong
+    .map((t) => t.replace('Bash(', '').replace(')', '').replace(' *', ''))
+    .map((p) => `"${p}"`)
+    .join(' ');
+
+  return `
+# === Wrong package manager check ===
+WRONG_MANAGERS=(${patterns})
+for mgr in "\${WRONG_MANAGERS[@]}"; do
+  if echo "$TOOL_INPUT" | grep -qE "^$mgr\\b"; then
+    echo "BLOCKED: Use ${packageManager} instead of $mgr in this project" >&2
+    exit 2
+  fi
+done
+`;
+}

package/src/index.js

@@ -3,3 +3,7 @@ export { generateDocs, writeDocs } from './generator.js';
 export { validateClaudeMd, validateStructure, crossReferenceCheck } from './validator.js';
 export { runExistingProjectFlow, runColdStartFlow, buildDefaultConfig } from './prompts.js';
 export { installScaffold } from './generator.js';
+export { runLoop, spawnClaude, checkClaudeCli } from './loop.js';
+export { AUTONOMY_PROFILES, getProfile, listProfiles, CREDENTIAL_PATHS } from './profiles.js';
+export { generateSettingsJson, generatePreToolUseHook, generateAuditLogHook, generateAliases, generateCIWorkflow } from './hooks-gen.js';
+export { generateAutonomyConfig, printSecuritySummary, getFullModeWarning } from './autonomy.js';

package/src/installer.js

@@ -92,6 +92,8 @@ export async function uninstallGlobal(options = {}) {
 
   const targets = [
     join(targetBase, 'commands', 'claudenv.md'),
+    join(targetBase, 'commands', 'setup-mcp.md'),
+    join(targetBase, 'commands', 'improve.md'),
     join(targetBase, 'skills', 'claudenv'),
   ];