codeforge-dev 1.11.0 → 1.12.0

package/.devcontainer/plugins/devs-marketplace/plugins/code-directive/README.md

@@ -0,0 +1,250 @@
+# code-directive
+
+The core Claude Code plugin for CodeForge. Provides 17 custom agent definitions, 28 coding reference skills, and 12 hook scripts spanning 6 lifecycle events. Handles agent redirection, skill suggestion, syntax validation, edited file collection, advisory testing, and session-start context injection.
+
+## What It Does
+
+### Agents (17)
+
+Custom agent definitions that replace Claude Code's built-in subagents with enhanced, purpose-built alternatives. Each agent is a markdown prompt file in `agents/` that defines the agent's role, constraints, tools, and workflow.
+
+| Agent | Role |
+|-------|------|
+| `architect` | System design, planning, architecture decisions |
+| `bash-exec` | Shell command execution with safety guardrails |
+| `claude-guide` | Claude Code usage guidance and troubleshooting |
+| `debug-logs` | Log analysis and debugging |
+| `dependency-analyst` | Dependency auditing, upgrades, and vulnerability analysis |
+| `doc-writer` | Documentation authoring |
+| `explorer` | Codebase exploration and context gathering |
+| `generalist` | General-purpose tasks |
+| `git-archaeologist` | Git history investigation and forensics |
+| `migrator` | Code migration and framework upgrades |
+| `perf-profiler` | Performance profiling and optimization |
+| `refactorer` | Code refactoring and restructuring |
+| `researcher` | Research and information gathering |
+| `security-auditor` | Security review and vulnerability assessment |
+| `spec-writer` | Specification authoring |
+| `statusline-config` | Status line configuration |
+| `test-writer` | Test authoring |
+
+### Agent Redirection
+
+The `redirect-builtin-agents.py` PreToolUse hook transparently swaps built-in agent types to custom agents whenever Claude spawns a subagent via the Task tool:
+
+| Built-in Agent | Redirects To |
+|----------------|--------------|
+| `Explore` | `explorer` |
+| `Plan` | `architect` |
+| `general-purpose` | `generalist` |
+| `Bash` | `bash-exec` |
+| `claude-code-guide` | `claude-guide` |
+| `statusline-setup` | `statusline-config` |
+
+See `AGENT-REDIRECTION.md` for the full technical guide on how the PreToolUse hook contract works.
+
+### Skills (28)
+
+Reference skill packages that provide domain-specific knowledge. Each skill lives in its own directory under `skills/` with a `SKILL.md` entry point and optional `references/` subdirectory. Skills are loaded on demand via slash commands.
+
+| Skill | Domain |
+|-------|--------|
+| `api-design` | REST conventions, error handling |
+| `ast-grep-patterns` | Structural code search patterns |
+| `claude-agent-sdk` | Claude Agent SDK (TypeScript) |
+| `claude-code-headless` | Claude Code CLI, SDK, and MCP |
+| `debugging` | Error patterns, log analysis |
+| `dependency-management` | Package ecosystems, license compliance |
+| `docker` | Dockerfile patterns, Compose services |
+| `docker-py` | Docker SDK for Python |
+| `documentation-patterns` | API docs, docstring formats |
+| `fastapi` | FastAPI routing, Pydantic, SSE, middleware |
+| `git-forensics` | Git investigation commands, playbooks |
+| `migration-patterns` | Python and JavaScript migration guides |
+| `performance-profiling` | Profiling tools, result interpretation |
+| `pydantic-ai` | PydanticAI agents, tools, models |
+| `refactoring-patterns` | Safe transformations, code smell catalog |
+| `security-checklist` | OWASP patterns, secrets management |
+| `skill-building` | Skill authoring patterns and principles |
+| `spec-build` | Specification-driven implementation lifecycle |
+| `spec-check` | Specification health audit |
+| `spec-init` | Initialize `.specs/` directory |
+| `spec-new` | Create new specification from template |
+| `spec-refine` | Validate spec assumptions with user |
+| `spec-review` | Verify implementation against spec |
+| `spec-update` | As-built spec update |
+| `specification-writing` | EARS templates, criteria patterns |
+| `sqlite` | SQLite patterns (Python, JavaScript, advanced) |
+| `svelte5` | Svelte 5 runes, components, routing |
+| `testing` | FastAPI testing, Svelte testing |
+
+### Hook Scripts (12)
+
+| Script | Hook Event | Matcher | Purpose |
+|--------|-----------|---------|---------|
+| `redirect-builtin-agents.py` | PreToolUse | Task | Redirects built-in agents to custom agents |
+| `skill-suggester.py` | UserPromptSubmit | * | Suggests relevant skills based on prompt keywords |
+| `ticket-linker.py` | UserPromptSubmit | * | Auto-fetches GitHub issues/PRs referenced by #123 or URL |
+| `skill-suggester.py` | SubagentStart | Plan | Suggests skills for planning agents |
+| `inject-cwd.py` | SubagentStart | * | Injects working directory into subagent context |
+| `advisory-test-runner.py` | Stop | * | Runs affected tests and injects results as context |
+| `commit-reminder.py` | Stop | * | Advises about uncommitted changes |
+| `spec-reminder.py` | Stop | * | Advises about spec updates after code changes |
+| `git-state-injector.py` | SessionStart | * | Injects branch, status, and recent commits at session start |
+| `todo-harvester.py` | SessionStart | * | Surfaces TODO/FIXME/HACK/XXX comments from the codebase |
+| `syntax-validator.py` | PostToolUse | Edit\|Write | Validates JSON, JSONC, YAML, TOML syntax after edits |
+| `collect-edited-files.py` | PostToolUse | Edit\|Write | Records edited file paths for batch formatting/linting |
+
+## How It Works
+
+### Hook Lifecycle
+
+```
+Session starts
+  │
+  ├─→ git-state-injector.py     Injects branch, status, recent commits
+  └─→ todo-harvester.py         Surfaces TODO/FIXME markers
+
+User submits a prompt
+  │
+  ├─→ skill-suggester.py        Suggests skills matching prompt keywords
+  └─→ ticket-linker.py          Fetches GitHub issues referenced by #123 or URL
+
+Claude spawns a subagent
+  │
+  ├─→ redirect-builtin-agents.py  Swaps built-in agents for custom ones (Task matcher)
+  ├─→ skill-suggester.py          Suggests skills for Plan agents
+  └─→ inject-cwd.py               Tells subagent the working directory
+
+Claude edits a file (Edit/Write)
+  │
+  ├─→ syntax-validator.py       Validates JSON/YAML/TOML syntax immediately
+  └─→ collect-edited-files.py   Appends path to session temp files
+
+Claude stops responding
+  │
+  ├─→ advisory-test-runner.py   Runs affected tests, injects results
+  ├─→ commit-reminder.py        Advises about uncommitted changes
+  └─→ spec-reminder.py          Advises about spec updates
+```
+
+### Temp File Convention
+
+Edited file paths are stored in session-scoped temp files for downstream consumption:
+- `/tmp/claude-edited-files-{session_id}` — consumed by the `auto-formatter` plugin
+- `/tmp/claude-lint-files-{session_id}` — consumed by the `auto-linter` plugin
+
+### Advisory Test Runner
+
+The test runner maps edited source files to their corresponding test files, runs only affected tests, and injects pass/fail results as `additionalContext`. It never blocks Claude — results are purely informational.
+
+### Skill Suggester
+
+Matches user prompts against keyword maps (phrases + individual terms) for each skill. When a skill matches, it injects a suggestion as `systemMessage` (UserPromptSubmit) or `additionalContext` (SubagentStart) so Claude knows which skill to load.
+
+### Ticket Linker
+
+Detects `#123` references and full GitHub issue/PR URLs in user prompts, fetches the ticket body via `gh`, and injects it as `additionalContext`. Handles up to 3 references per prompt with a 1500-character cap per ticket body.
+
+### Timeouts
+
+| Script | Timeout |
+|--------|---------|
+| redirect-builtin-agents.py | 5s |
+| skill-suggester.py | 3s |
+| ticket-linker.py | 12s |
+| inject-cwd.py | 3s |
+| advisory-test-runner.py | 20s |
+| commit-reminder.py | 8s |
+| spec-reminder.py | 8s |
+| git-state-injector.py | 10s |
+| todo-harvester.py | 8s |
+| syntax-validator.py | 5s |
+| collect-edited-files.py | 3s |
+
+## Documentation
+
+- `AGENT-REDIRECTION.md` — Technical guide to the PreToolUse hook contract for agent redirection
+- `REVIEW-RUBRIC.md` — Quality rubric for agent and skill design, based on Anthropic's prompt engineering documentation
+
+## Plugin Structure
+
+```
+code-directive/
+├── .claude-plugin/
+│   ├── plugin.json              # Plugin metadata
+│   └── commands/
+│       └── debug.md             # /debug slash command
+├── agents/                      # 17 custom agent definitions
+│   ├── architect.md
+│   ├── bash-exec.md
+│   ├── claude-guide.md
+│   ├── debug-logs.md
+│   ├── dependency-analyst.md
+│   ├── doc-writer.md
+│   ├── explorer.md
+│   ├── generalist.md
+│   ├── git-archaeologist.md
+│   ├── migrator.md
+│   ├── perf-profiler.md
+│   ├── refactorer.md
+│   ├── researcher.md
+│   ├── security-auditor.md
+│   ├── spec-writer.md
+│   ├── statusline-config.md
+│   └── test-writer.md
+├── skills/                      # 28 coding reference skills
+│   ├── api-design/
+│   ├── ast-grep-patterns/
+│   ├── claude-agent-sdk/
+│   ├── claude-code-headless/
+│   ├── debugging/
+│   ├── dependency-management/
+│   ├── docker/
+│   ├── docker-py/
+│   ├── documentation-patterns/
+│   ├── fastapi/
+│   ├── git-forensics/
+│   ├── migration-patterns/
+│   ├── performance-profiling/
+│   ├── pydantic-ai/
+│   ├── refactoring-patterns/
+│   ├── security-checklist/
+│   ├── skill-building/
+│   ├── spec-build/
+│   ├── spec-check/
+│   ├── spec-init/
+│   ├── spec-new/
+│   ├── spec-refine/
+│   ├── spec-review/
+│   ├── spec-update/
+│   ├── specification-writing/
+│   ├── sqlite/
+│   ├── svelte5/
+│   └── testing/
+├── hooks/
+│   └── hooks.json               # All hook registrations (6 events, 12 scripts)
+├── scripts/
+│   ├── advisory-test-runner.py  # Stop: runs affected tests
+│   ├── collect-edited-files.py  # PostToolUse: records edited file paths
+│   ├── commit-reminder.py       # Stop: uncommitted changes advisory
+│   ├── git-state-injector.py    # SessionStart: injects git state
+│   ├── guard-readonly-bash.py   # Read-only bash guard (used by agents)
+│   ├── inject-cwd.py            # SubagentStart: injects working directory
+│   ├── redirect-builtin-agents.py # PreToolUse: agent redirection
+│   ├── skill-suggester.py       # UserPromptSubmit/SubagentStart: skill suggestions
+│   ├── spec-reminder.py         # Stop: spec update advisory
+│   ├── syntax-validator.py      # PostToolUse: JSON/YAML/TOML validation
+│   ├── ticket-linker.py         # UserPromptSubmit: auto-fetch GitHub issues
+│   ├── todo-harvester.py        # SessionStart: TODO/FIXME surfacing
+│   ├── verify-no-regression.py  # Test verification utility
+│   └── verify-tests-pass.py     # Test verification utility
+├── AGENT-REDIRECTION.md         # Agent redirection technical guide
+└── REVIEW-RUBRIC.md             # Agent & skill quality rubric
+```
+
+## Requirements
+
+- Python 3.11+
+- Claude Code with plugin hook support
+- [GitHub CLI](https://cli.github.com/) (`gh`) for ticket-linker functionality

package/.devcontainer/plugins/devs-marketplace/plugins/code-directive/agents/claude-guide.md

@@ -11,7 +11,7 @@ description: >-
   spawning a new instance, check if there is already a running or recently
   completed claude-guide agent that you can resume using the "resume" parameter.
 tools: Glob, Grep, Read, WebFetch, WebSearch
-model: haiku
+model: sonnet
 color: cyan
 memory:
   scope: user

package/.devcontainer/plugins/devs-marketplace/plugins/code-directive/agents/debug-logs.md

@@ -5,7 +5,7 @@ description: >-
   application frameworks, and system services to identify errors, crashes,
   and performance issues. Reports structured findings with root cause assessment.
 tools: Bash, Read, Glob, Grep
-model: sonnet
+model: opus
 color: red
 skills:
   - debugging

package/.devcontainer/plugins/devs-marketplace/plugins/code-directive/agents/dependency-analyst.md

@@ -10,7 +10,7 @@ description: >-
   dependency analysis across Node.js, Python, Rust, or Go ecosystems.
   Reports findings without modifying any files.
 tools: Read, Bash, Glob, Grep
-model: haiku
+model: sonnet
 color: blue
 memory:
   scope: project

package/.devcontainer/plugins/devs-marketplace/plugins/code-directive/agents/explorer.md

@@ -10,7 +10,7 @@ description: >-
   very thorough. Reports findings with absolute file paths and never
   modifies any files.
 tools: Read, Glob, Grep, Bash
-model: haiku
+model: sonnet
 color: blue
 memory:
   scope: project

package/.devcontainer/plugins/devs-marketplace/plugins/code-directive/agents/generalist.md

@@ -8,7 +8,7 @@ description: >-
   any complex task that doesn't fit a specialist agent's domain. Has access
   to all tools and can both read and write files.
 tools: "*"
-model: inherit
+model: opus
 color: green
 memory:
   scope: project

package/.devcontainer/plugins/devs-marketplace/plugins/code-directive/agents/git-archaeologist.md

@@ -9,7 +9,7 @@ description: >-
   of this file", "who contributed to this module", "recover lost commit",
   "trace this function's evolution", or needs any git history forensics.
 tools: Read, Grep, Bash
-model: haiku
+model: sonnet
 color: blue
 memory:
   scope: project
@@ -52,7 +52,7 @@ Before starting work, read project-specific instructions:
 - **NEVER** change the working tree — no `git checkout`, `git reset`, `git restore`, `git clean`, or `git switch`. Changing the working tree could discard the user's uncommitted work.
 - **NEVER** modify refs — no `git tag`, `git branch -d`, `git branch -m`, or `git update-ref`.
 - **NEVER** modify configuration — no `git config` writes.
-- Your Bash usage is **git-read-only guarded**. Only these git subcommands are permitted: `log`, `blame`, `show`, `diff`, `bisect` (view mode only), `reflog`, `shortlog`, `rev-list`, `rev-parse`, `ls-files`, `ls-tree`, `cat-file`, `name-rev`, `describe`, `merge-base`, `branch -a` / `branch --list`, `remote -v`, `stash list`.
+- Your Bash usage is **git-read-only guarded**. Only these git subcommands are permitted: `log`, `blame`, `show`, `diff`, `bisect` (view mode only), `reflog`, `shortlog`, `rev-list`, `rev-parse`, `ls-files`, `ls-tree`, `cat-file`, `name-rev`, `describe`, `merge-base`, `branch -a` / `branch --list`, `remote -v`, `stash list`, `worktree list`.
 - You may also use `Read`, `Grep`, and non-git Bash commands that are read-only (`wc`, `sort`, `head`, `uniq`).
 
 ## Investigation Workflow

package/.devcontainer/plugins/devs-marketplace/plugins/code-directive/agents/researcher.md

@@ -9,7 +9,7 @@ description: >-
   technology comparison, or technical deep-dives. Reports structured findings
   with citations without modifying any files.
 tools: Read, Glob, Grep, WebSearch, WebFetch, Bash
-model: sonnet
+model: opus
 color: cyan
 memory:
   scope: user

package/.devcontainer/plugins/devs-marketplace/plugins/code-directive/agents/security-auditor.md

@@ -10,7 +10,7 @@ description: >-
   Reports findings with severity ratings and remediation guidance without
   modifying any files.
 tools: Read, Glob, Grep, Bash
-model: sonnet
+model: opus
 color: red
 memory:
   scope: user

package/.devcontainer/plugins/devs-marketplace/plugins/codeforge-lsp/README.md

@@ -0,0 +1,41 @@
+# codeforge-lsp
+
+Purely declarative Claude Code plugin that registers Language Server Protocol (LSP) servers for Python, TypeScript/JavaScript, and Go. No hooks, no scripts — just server definitions in the plugin manifest.
+
+## What It Does
+
+Provides Claude Code with language intelligence (type checking, diagnostics, go-to-definition) by registering three LSP servers:
+
+| Server | Command | Languages | File Extensions |
+|--------|---------|-----------|-----------------|
+| [Pyright](https://github.com/microsoft/pyright) | `pyright-langserver --stdio` | Python | `.py`, `.pyi` |
+| [TypeScript Language Server](https://github.com/typescript-language-server/typescript-language-server) | `typescript-language-server --stdio` | TypeScript, JavaScript | `.ts`, `.tsx`, `.js`, `.jsx`, `.mts`, `.cts`, `.mjs`, `.cjs` |
+| [gopls](https://pkg.go.dev/golang.org/x/tools/gopls) | `gopls serve` | Go | `.go`, `.mod`, `.sum` |
+
+Servers activate only if their binary is available on PATH. Missing servers are silently skipped — the plugin never fails on a missing tool.
+
+## How It Works
+
+The plugin uses the `lspServers` field in `plugin.json` to declare server configurations. Claude Code reads this at startup and launches each server whose command binary exists. There is no hook logic or runtime behavior — everything is static configuration.
+
+Each server maps file extensions to language identifiers. When Claude Code opens a file matching a registered extension, it routes it to the corresponding LSP server for diagnostics, completions, and other language features.
+
+## Plugin Structure
+
+```
+codeforge-lsp/
+├── .claude-plugin/
+│   └── plugin.json    # Plugin metadata + LSP server definitions
+└── README.md          # This file
+```
+
+## Requirements
+
+- Claude Code with LSP plugin support
+- Install the language servers you need:
+
+| Server | Install |
+|--------|---------|
+| Pyright | `npm i -g pyright` |
+| TypeScript Language Server | `npm i -g typescript-language-server typescript` |
+| gopls | `go install golang.org/x/tools/gopls@latest` |

package/.devcontainer/plugins/devs-marketplace/plugins/dangerous-command-blocker/README.md

@@ -0,0 +1,72 @@
+# dangerous-command-blocker
+
+Claude Code plugin that intercepts Bash tool calls and blocks destructive commands before they execute. Acts as a safety net against accidental or misguided destructive operations.
+
+## What It Does
+
+Inspects every Bash command Claude attempts to run against a set of dangerous patterns. If a match is found, the command is blocked with an error message explaining why. Safe commands pass through untouched.
+
+### Blocked Patterns
+
+| Category | Examples |
+|----------|----------|
+| Destructive filesystem deletion | `rm -rf /`, `rm -rf ~`, `rm -rf ../` |
+| Privileged deletion | `sudo rm` |
+| World-writable permissions | `chmod 777`, `chmod -R 777` |
+| Force push to main/master | `git push --force origin main`, `git push -f origin master` |
+| Bare force push | `git push -f`, `git push --force` (no branch specified) |
+| Git history destruction | `git reset --hard origin/main`, `git clean -f` |
+| System directory writes | `> /usr/`, `> /etc/`, `> /bin/`, `> /sbin/` |
+| Disk formatting | `mkfs.*`, `dd of=/dev/` |
+| Docker container escape | `docker run --privileged`, `docker run -v /:/...` |
+| Destructive Docker operations | `docker stop`, `docker rm`, `docker kill`, `docker rmi` |
+| Dangerous find operations | `find -exec rm`, `find -delete` |
+
+## How It Works
+
+### Hook Lifecycle
+
+```
+Claude calls the Bash tool
+  │
+  └─→ PreToolUse hook fires for Bash
+       │
+       └─→ block-dangerous.py reads the command from stdin
+            │
+            ├─→ Pattern match found → exit 2 (block with error)
+            └─→ No match → exit 0 (allow)
+```
+
+### Exit Code Behavior
+
+| Exit Code | Meaning |
+|-----------|---------|
+| 0 | Command is safe — allow execution |
+| 2 | Command matches a dangerous pattern — block with error message |
+
+### Error Handling
+
+- **JSON parse failure**: Fails closed (exit 2) — if the input can't be read, the command is blocked
+- **Other exceptions**: Fails open (exit 0) — logs the error to stderr but does not block
+
+### Timeout
+
+The hook has a 5-second timeout. If the script takes longer, Claude Code proceeds with the command.
+
+## Plugin Structure
+
+```
+dangerous-command-blocker/
+├── .claude-plugin/
+│   └── plugin.json          # Plugin metadata
+├── hooks/
+│   └── hooks.json           # PreToolUse/Bash hook registration
+├── scripts/
+│   └── block-dangerous.py   # Pattern matcher (PreToolUse)
+└── README.md                # This file
+```
+
+## Requirements
+
+- Python 3.11+
+- Claude Code with plugin hook support

package/.devcontainer/plugins/devs-marketplace/plugins/dangerous-command-blocker/scripts/block-dangerous.py

@@ -13,54 +13,82 @@ import sys
 
 DANGEROUS_PATTERNS = [
     # Destructive filesystem deletion
-    (r'\brm\s+.*-[^\s]*r[^\s]*f[^\s]*\s+[/~](?:\s|$)',
-     "Blocked: rm -rf on root or home directory"),
-    (r'\brm\s+.*-[^\s]*f[^\s]*r[^\s]*\s+[/~](?:\s|$)',
-     "Blocked: rm -rf on root or home directory"),
-    (r'\brm\s+-rf\s+/(?:\s|$)',
-     "Blocked: rm -rf /"),
-    (r'\brm\s+-rf\s+~(?:\s|$)',
-     "Blocked: rm -rf ~"),
-
+    (
+        r"\brm\s+.*-[^\s]*r[^\s]*f[^\s]*\s+[/~](?:\s|$)",
+        "Blocked: rm -rf on root or home directory",
+    ),
+    (
+        r"\brm\s+.*-[^\s]*f[^\s]*r[^\s]*\s+[/~](?:\s|$)",
+        "Blocked: rm -rf on root or home directory",
+    ),
+    (r"\brm\s+-rf\s+/(?:\s|$)", "Blocked: rm -rf /"),
+    (r"\brm\s+-rf\s+~(?:\s|$)", "Blocked: rm -rf ~"),
     # Root-level file removal
-    (r'\bsudo\s+rm\b',
-     "Blocked: sudo rm - use caution with privileged deletion"),
-
+    (r"\bsudo\s+rm\b", "Blocked: sudo rm - use caution with privileged deletion"),
     # World-writable permissions
-    (r'\bchmod\s+777\b',
-     "Blocked: chmod 777 creates security vulnerability"),
-    (r'\bchmod\s+-R\s+777\b',
-     "Blocked: recursive chmod 777 creates security vulnerability"),
-
+    (r"\bchmod\s+777\b", "Blocked: chmod 777 creates security vulnerability"),
+    (
+        r"\bchmod\s+-R\s+777\b",
+        "Blocked: recursive chmod 777 creates security vulnerability",
+    ),
     # Force push to main/master
-    (r'\bgit\s+push\s+.*--force.*\s+(origin\s+)?(main|master)\b',
-     "Blocked: force push to main/master destroys history"),
-    (r'\bgit\s+push\s+.*-f\s+.*\s+(origin\s+)?(main|master)\b',
-     "Blocked: force push to main/master destroys history"),
-    (r'\bgit\s+push\s+-f\s+(origin\s+)?(main|master)\b',
-     "Blocked: force push to main/master destroys history"),
-    (r'\bgit\s+push\s+--force\s+(origin\s+)?(main|master)\b',
-     "Blocked: force push to main/master destroys history"),
-
+    (
+        r"\bgit\s+push\s+.*--force.*\s+(origin\s+)?(main|master)\b",
+        "Blocked: force push to main/master destroys history",
+    ),
+    (
+        r"\bgit\s+push\s+.*-f\s+.*\s+(origin\s+)?(main|master)\b",
+        "Blocked: force push to main/master destroys history",
+    ),
+    (
+        r"\bgit\s+push\s+-f\s+(origin\s+)?(main|master)\b",
+        "Blocked: force push to main/master destroys history",
+    ),
+    (
+        r"\bgit\s+push\s+--force\s+(origin\s+)?(main|master)\b",
+        "Blocked: force push to main/master destroys history",
+    ),
     # System directory modification
-    (r'>\s*/usr/',
-     "Blocked: writing to /usr system directory"),
-    (r'>\s*/etc/',
-     "Blocked: writing to /etc system directory"),
-    (r'>\s*/bin/',
-     "Blocked: writing to /bin system directory"),
-    (r'>\s*/sbin/',
-     "Blocked: writing to /sbin system directory"),
-
+    (r">\s*/usr/", "Blocked: writing to /usr system directory"),
+    (r">\s*/etc/", "Blocked: writing to /etc system directory"),
+    (r">\s*/bin/", "Blocked: writing to /bin system directory"),
+    (r">\s*/sbin/", "Blocked: writing to /sbin system directory"),
     # Disk formatting
-    (r'\bmkfs\.\w+',
-     "Blocked: disk formatting command"),
-    (r'\bdd\s+.*of=/dev/',
-     "Blocked: dd writing to device"),
-
+    (r"\bmkfs\.\w+", "Blocked: disk formatting command"),
+    (r"\bdd\s+.*of=/dev/", "Blocked: dd writing to device"),
     # History manipulation
-    (r'\bgit\s+reset\s+--hard\s+origin/(main|master)\b',
-     "Blocked: hard reset to remote main/master - destructive operation"),
+    (
+        r"\bgit\s+reset\s+--hard\s+origin/(main|master)\b",
+        "Blocked: hard reset to remote main/master - destructive operation",
+    ),
+    # Docker container escape
+    (
+        r"\bdocker\s+run\s+.*--privileged",
+        "Blocked: docker run --privileged allows container escape",
+    ),
+    (
+        r"\bdocker\s+run\s+.*-v\s+/:/\w",
+        "Blocked: docker run mounting host root filesystem",
+    ),
+    # Destructive Docker operations
+    (
+        r"\bdocker\s+(stop|rm|kill|rmi)\s+",
+        "Blocked: destructive docker operation - use with caution",
+    ),
+    # Additional rm patterns
+    (r"\brm\s+.*-[^\s]*r[^\s]*f[^\s]*\s+\.\./", "Blocked: rm -rf on parent directory"),
+    (r"\bfind\s+.*-exec\s+rm\b", "Blocked: find -exec rm is dangerous"),
+    (r"\bfind\s+.*-delete\b", "Blocked: find -delete is dangerous"),
+    # Git history destruction
+    (r"\bgit\s+push\s+-f\b", "Blocked: bare force push - specify remote and branch"),
+    (
+        r"\bgit\s+push\s+--force\b",
+        "Blocked: bare force push - specify remote and branch",
+    ),
+    (
+        r"\bgit\s+clean\s+-[^\s]*f",
+        "Blocked: git clean -f removes untracked files permanently",
+    ),
 ]
 
 
@@ -89,17 +117,15 @@ def main():
 
         if is_dangerous:
             # Output error message and exit 2 to block
-            print(json.dumps({
-                "error": message
-            }))
+            print(json.dumps({"error": message}))
             sys.exit(2)
 
         # Allow command to proceed
         sys.exit(0)
 
     except json.JSONDecodeError:
-        # If we can't parse input, allow by default
-        sys.exit(0)
+        # Fail closed: can't parse means can't verify safety
+        sys.exit(2)
     except Exception as e:
         # Log error but don't block on hook failure
         print(f"Hook error: {e}", file=sys.stderr)

package/.devcontainer/plugins/devs-marketplace/plugins/notify-hook/README.md

@@ -0,0 +1,42 @@
+# notify-hook
+
+Ultra-lightweight Claude Code plugin that sends a desktop notification and audio chime when Claude finishes responding. No scripts — just a single hook definition that calls the `claude-notify` binary.
+
+## What It Does
+
+When Claude stops responding (Stop hook), it runs the `claude-notify` command to:
+1. Send a desktop notification
+2. Play an audio chime
+
+This lets you switch to other tasks while Claude works and get alerted when it needs your attention.
+
+## How It Works
+
+### Hook Lifecycle
+
+```
+Claude stops responding (Stop event)
+  │
+  └─→ claude-notify command fires
+       │
+       ├─→ Desktop notification sent
+       └─→ Audio chime played
+```
+
+The hook has a 5-second timeout. The plugin contains no scripts of its own — it delegates entirely to the `claude-notify` binary.
+
+## Plugin Structure
+
+```
+notify-hook/
+├── .claude-plugin/
+│   └── plugin.json    # Plugin metadata
+├── hooks/
+│   └── hooks.json     # Stop hook registration
+└── README.md          # This file
+```
+
+## Requirements
+
+- Claude Code with plugin hook support
+- The `notify-hook` devcontainer feature must be installed (provides the `claude-notify` binary)