cold-shower 2.0.0

package/.claude-plugin/marketplace.json

@@ -0,0 +1,17 @@
+{
+  "$schema": "https://anthropic.com/claude-code/marketplace.schema.json",
+  "name": "cold-shower",
+  "description": "Reality check for vibe-coded apps. Vibe Score 0-100, LLM cost audit, AI security scan, git hygiene, and plan-gate enforcement.",
+  "owner": {
+    "name": "PradiptaPutra",
+    "url": "https://github.com/PradiptaPutra"
+  },
+  "plugins": [
+    {
+      "name": "cold-shower",
+      "description": "Six parallel audits → Vibe Score. Plan-gate blocks edits until approved. Persistent second brain across sessions.",
+      "source": "./",
+      "category": "productivity"
+    }
+  ]
+}

package/.claude-plugin/plugin.json

@@ -0,0 +1,42 @@
+{
+  "name": "cold-shower",
+  "version": "2.0.0",
+  "description": "Reality check for vibe-coded apps. 6 audits → Vibe Score 0-100. Plan-gate blocks edits until approved. Persistent second brain across sessions.",
+  "author": {
+    "name": "PradiptaPutra",
+    "url": "https://github.com/PradiptaPutra"
+  },
+  "homepage": "https://github.com/PradiptaPutra/cold-shower",
+  "repository": "https://github.com/PradiptaPutra/cold-shower",
+  "license": "MIT",
+  "hooks": {
+    "SessionStart": [{
+      "hooks": [{
+        "type": "command",
+        "command": "node \"${CLAUDE_PLUGIN_DIR}/hooks/activate.js\"",
+        "timeout": 5
+      }]
+    }],
+    "UserPromptSubmit": [{
+      "hooks": [{
+        "type": "command",
+        "command": "node \"${CLAUDE_PLUGIN_DIR}/hooks/trigger.js\"",
+        "timeout": 10
+      }]
+    }],
+    "PreToolUse": [{
+      "hooks": [{
+        "type": "command",
+        "command": "node \"${CLAUDE_PLUGIN_DIR}/hooks/gate.js\"",
+        "timeout": 5
+      }]
+    }],
+    "Stop": [{
+      "hooks": [{
+        "type": "command",
+        "command": "node \"${CLAUDE_PLUGIN_DIR}/hooks/capture.js\"",
+        "timeout": 10
+      }]
+    }]
+  }
+}

package/README.md

@@ -0,0 +1,264 @@
+<div align="center">
+
+<img src="assets/logo.png" width="180" alt="cold-shower"/>
+
+# cold-shower
+
+**The reality check your vibe-coded app didn't ask for.**
+
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+[![Claude Code](https://img.shields.io/badge/Claude%20Code-Skill-blueviolet)](https://claude.ai/code)
+[![Version](https://img.shields.io/badge/version-2.0-brightgreen)](#)
+[![Install](https://img.shields.io/badge/install-curl%20%7C%20bash-orange)](#-install)
+
+*One install. Three modes. Auto-triggers. No commands to memorize.*
+
+</div>
+
+---
+
+## 🥶 Why this exists
+
+> **65%** of vibe-coded production apps have at least one security vulnerability.
+> **45%** of AI-generated code fails basic security checks.
+> **2x** more secrets get leaked in AI-assisted commits vs human-written code.
+
+You shipped fast. Claude helped. But nobody audited what came out.
+
+**cold-shower does.**
+
+---
+
+## ⚡ Three modes, one skill
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                        cold-shower                          │
+├──────────────┬──────────────────────┬───────────────────────┤
+│  🔍 AUDIT   │     📋 PLAN-GATE     │      🧠 RECALL        │
+│             │                      │                        │
+│ 6 parallel  │ Structured plan      │ Persistent second      │
+│ audits →    │ BEFORE any code.     │ brain across all       │
+│ Vibe Score  │ Blocks edits via     │ sessions. Replaces     │
+│ 0–100       │ PreToolUse hook      │ Obsidian for devs.     │
+│             │ until APPROVED.      │                        │
+│ "audit me"  │ "implement X"        │ "remember this"        │
+└─────────────┴──────────────────────┴───────────────────────-┘
+```
+
+---
+
+## 🚿 Install
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/PradiptaPutra/cold-shower/main/install.sh | bash
+```
+
+Done. Works on every project you open from that moment forward.
+
+**What the installer wires:**
+
+| Hook | Event | Does |
+|------|-------|------|
+| `activate.js` | `SessionStart` | Injects skill + loads brain memories |
+| `trigger.js` | `UserPromptSubmit` | Detects intent, routes to correct mode |
+| `gate.js` | `PreToolUse` | Blocks edits until plan approved |
+| `capture.js` | `Stop` | Suggests memories to save at session end |
+
+Idempotent — safe to re-run for updates.
+
+---
+
+## 🤖 You never type a command
+
+| You say... | Mode | What happens |
+|-----------|------|-------------|
+| `"audit my codebase"` | 🔍 | Full 6-audit health check → Vibe Score |
+| `"is this ready to deploy?"` | 🔍 | Pre-deploy gate scan |
+| `"my LLM bill is insane"` | 🔍 | Cost audit → caching + routing fixes |
+| `"app crashed on Product Hunt"` | 🔍 | Emergency mode → 5-min triage |
+| `"re-audit"` | 🔍 | Re-runs, compares to last score |
+| `"implement stripe payments"` | 📋 | Structured plan → blocks edits until APPROVED |
+| `"fix this bug"` | 📋 | Plan first, then implementation |
+| `"I committed my .env"` | 🔴 | Rotate secrets + scrub git history |
+| `"remember this decision"` | 🧠 | Saves to brain with WHY + date |
+| `"what did we decide about auth"` | 🧠 | Searches brain files |
+
+---
+
+## 📊 Audit output
+
+```
+╔══════════════════════════════════════════════════════════════╗
+║  🚿 COLD SHOWER — myapp — 2026-06-29                        ║
+╚══════════════════════════════════════════════════════════════╝
+
+📊 Last score: 45/100 (D) on 2026-06-15 — let's see if it improved.
+
+VIBE SCORE: 71/100  Grade: C  ▲ +26 from last audit
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+[A] LLM COSTS      — ✅ CLEAN
+[B] AI SECURITY    — 1 issue  (no per-user token budget)
+[C] CODE HEALTH    — 3 god files | 2.9% dup | 0 floating promises
+[D] DEPENDENCIES   — 18 moderate CVEs (dev-only) | 0 critical
+[E] PROD READINESS — ✅ CLEAN
+[F] GIT/DEVOPS     — 2 issues (no Dependabot, no branch protection)
+
+🔴 CRITICAL — None
+
+🟡 HIGH
+  [B] No per-user token budget — one user can drain your OpenAI key
+  [C] AppShell.tsx 1768 lines — auth+routing+sidebar+chat all in one
+
+🟢 QUICK WINS (15 min)
+  Add .github/dependabot.yml
+  Set branch protection on main
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+Score saved. History: 2 entries. Type re-audit after next sprint.
+```
+
+---
+
+## 🔍 What each audit catches
+
+| # | Audit | Key checks |
+|---|-------|-----------|
+| 🤑 **A — LLM Costs** | Missing semantic cache, hardcoded expensive model, no conversation history trim |
+| 🔐 **B — AI Security** | Prompt injection in your endpoints, PII sent to OpenAI, no per-user budget, jailbreak surface |
+| 🧹 **C — Code Health** | God files >500 lines, circular deps, duplicate logic >10%, floating promises |
+| 📦 **D — Dependencies** | Unused packages (knip), CVEs (npm audit), archived libs, semantic duplicates |
+| 🚀 **E — Prod Readiness** | N+1 queries, connection pool exhaustion, no rate limits, missing indexes |
+| 🛡️ **F — Git/DevOps** | `.env` committed, unpinned Actions, no CI, no branch protection, workflow injection |
+
+**Audit F alone is worth the install.** CVE-2025-30066 (March 2025): a floating `@v4` Action tag got rewritten — 23,000 repos exposed. Audit F catches this.
+
+---
+
+## 📋 Plan-gate — no more AI slop
+
+Every time you say "implement X" or "fix X", cold-shower generates a structured plan **before writing a single line**:
+
+```markdown
+## Plan: Add Stripe payments
+
+### Files to Touch
+| File                  | Change        |
+|-----------------------|---------------|
+| src/checkout/Form.tsx | Add Stripe UI |
+| src/api/payments.ts   | New endpoint  |
+
+### Files NOT to Touch
+| File                    | Reason                        |
+|-------------------------|-------------------------------|
+| src/auth/middleware.ts  | Fragile — race condition #234 |
+
+### Pre-Mortem
+"Most likely failure: webhook arrives before order row exists."
+
+### Rollback
+Revert 3 files. No migration needed.
+```
+
+→ **"Type `APPROVED` to proceed."**
+
+The `PreToolUse` hook physically blocks all `Edit`/`Write` calls until you type APPROVED.
+**No other Claude Code skill enforces planning at the hook level.**
+
+---
+
+## 🧠 Recall — second brain without Obsidian
+
+| | Obsidian | cold-shower recall |
+|--|---------|-------------------|
+| Setup | Separate app + vault + MCP config | Included in `curl \| bash` |
+| Capture | Manual note-taking | `"remember this"` or auto-suggested |
+| Token cost | **~7M tokens** (full vault scan) | **~100 tokens** (grep) |
+| Anti-regression | ❌ | ✅ Warns before touching fragile files |
+| Survives context loss | Manually | Automatically |
+
+```
+~/.claude/brain/preferences.md              ← global preferences
+~/.claude/projects/myapp/brain/
+  decisions.md  ← "chose Supabase — Prisma 380KB kills edge cold start"
+  avoid.md      ← "don't touch auth — race condition, fixed 3 times"
+  bugs.md       ← "N+1 in getUserList, fixed 2026-05-01, regression-prone"
+  context.md    ← domain knowledge, user base, compliance requirements
+```
+
+Before editing any file in `avoid.md`:
+```
+RECALL WARNING: auth/middleware.ts marked fragile (2026-05-01).
+Reason: race condition in token refresh. Proceed carefully.
+```
+
+---
+
+## 🏃 Fix sprints
+
+Each sprint generates **working code files** — not a todo list.
+
+| Sprint | Time | What gets generated |
+|--------|------|-------------------|
+| **0.5** 🔴 | 15 min | Secret rotation + `git filter-repo` history scrub |
+| **1** | 30 min | Dep cleanup + `knip.json` |
+| **2** | 2 hr | Rate limiting + async error handling |
+| **3** | 2 hr | Connection pool fix + N+1 detection |
+| **4** | 4 hr | `lib/llm-cache.ts` + `lib/llm-router.ts` + `lib/llm-client.ts` |
+| **5** | 1 day | God component extraction playbook |
+| **6** | 1 hr | `ci.yml` + `dependabot.yml` + `src/env.ts` + branch protection |
+
+Sprint 0.5 fires **before everything else** if `.env` is committed. First action: rotate all secrets.
+
+After any sprint → type `re-audit` → score compared to previous run automatically.
+
+---
+
+## 🆚 vs other top skills
+
+| | 🪨 caveman (~78k ⭐) | 🐴 ponytail (~66k ⭐) | 🧊 cold-shower |
+|--|-----|-----|-----|
+| **What it changes** | How Claude *talks* | What Claude *builds* | What you *already built* |
+| **When it acts** | During session | During coding | Retrospective + pre-deploy |
+| **Hook enforcement** | ❌ soft | ❌ soft | ✅ PreToolUse hard block |
+| **Generates fix code** | ❌ | ❌ | ✅ real TS/JS files |
+| **Persistent memory** | ❌ | ❌ | ✅ survives sessions |
+| **Score over time** | ❌ | ❌ | ✅ history + trend |
+| **Multi-platform** | ✅ 30+ | ✅ 16+ | Claude Code |
+
+> caveman fixes verbosity. ponytail fixes over-engineering. cold-shower fixes what's already in production.
+> Install all three — they don't overlap.
+
+---
+
+## 🎯 Stats that make this real
+
+- **GitClear 2024:** AI code averages 12.3% duplication — triple human baseline. cold-shower Audit C catches this.
+- **Escape.tech:** 65% of 1,400 vibe-coded apps have a security issue. Audit B catches the common patterns.
+- **GitGuardian 2026:** AI-assisted commits have 2x the secret leak rate vs human code. Audit F catches committed secrets.
+- **CVE-2025-30066:** Floating `@v4` tag rewritten → 23,000 repos exposed. Audit F flags all unpinned Actions.
+- **Veracode 2026:** 45% of AI code from 100+ LLMs fails security checks. Audits B + D cover the main failure modes.
+
+---
+
+## 📋 Requirements
+
+- [Claude Code](https://claude.ai/code) — skill uses native hook system
+- Node.js 18+
+- `gh` CLI — optional, enables branch protection check in Audit F
+
+---
+
+## 🗺️ Roadmap
+
+- [ ] Benchmarks: 15-repo study (Juice Shop, NodeGoat, real vibe-coded apps)
+- [ ] Cursor `.cursorrules` port for wider reach
+- [ ] `cold-shower diff` — scan only PR-changed files
+
+---
+
+<div align="center">
+
+MIT &nbsp;·&nbsp; [Issues](https://github.com/PradiptaPutra/cold-shower/issues) &nbsp;·&nbsp; [PradiptaPutra](https://github.com/PradiptaPutra)
+
+</div>

package/bin/cold-shower.js

@@ -0,0 +1,120 @@
+#!/usr/bin/env node
+'use strict'
+
+const fs = require('fs')
+const path = require('path')
+const os = require('os')
+
+const cmd = process.argv[2] || 'help'
+const HOME = os.homedir()
+const SKILLS_DIR = path.join(HOME, '.claude', 'skills', 'cold-shower')
+const HOOKS_DIR = path.join(HOME, '.claude', 'hooks')
+const BRAIN_DIR = path.join(HOME, '.claude', 'brain')
+const SETTINGS = path.join(HOME, '.claude', 'settings.json')
+const PKG_ROOT = path.join(__dirname, '..')
+
+function copyFile(src, dest) {
+  fs.mkdirSync(path.dirname(dest), { recursive: true })
+  fs.copyFileSync(src, dest)
+}
+
+function wireHook(settings, event, hookFile, label) {
+  settings.hooks = settings.hooks || {}
+  settings.hooks[event] = settings.hooks[event] || []
+  const command = `node "${path.join(HOOKS_DIR, hookFile)}"`
+  const timeout = hookFile.includes('capture') ? 10 : 5
+  const hook = { hooks: [{ type: 'command', command, timeout }] }
+  if (!JSON.stringify(settings.hooks[event]).includes(label)) {
+    settings.hooks[event].push(hook)
+  }
+}
+
+function install() {
+  console.log('\n🧊 Installing cold-shower v2...\n')
+
+  copyFile(
+    path.join(PKG_ROOT, 'skills', 'cold-shower', 'SKILL.md'),
+    path.join(SKILLS_DIR, 'SKILL.md')
+  )
+  console.log('✓ Skill installed')
+
+  const hooks = [
+    ['activate.js', 'cold-shower-activate.js'],
+    ['trigger.js',  'cold-shower-trigger.js'],
+    ['gate.js',     'cold-shower-gate.js'],
+    ['capture.js',  'cold-shower-capture.js'],
+  ]
+  hooks.forEach(([src, dest]) => copyFile(path.join(PKG_ROOT, 'hooks', src), path.join(HOOKS_DIR, dest)))
+  console.log('✓ Hooks copied')
+
+  let settings = {}
+  try { settings = JSON.parse(fs.readFileSync(SETTINGS, 'utf8')) } catch {}
+  wireHook(settings, 'SessionStart',     'cold-shower-activate.js', 'cold-shower-activate')
+  wireHook(settings, 'UserPromptSubmit', 'cold-shower-trigger.js',  'cold-shower-trigger')
+  wireHook(settings, 'PreToolUse',       'cold-shower-gate.js',     'cold-shower-gate')
+  wireHook(settings, 'Stop',             'cold-shower-capture.js',  'cold-shower-capture')
+  fs.writeFileSync(SETTINGS, JSON.stringify(settings, null, 2))
+  console.log('✓ Hooks wired into ~/.claude/settings.json')
+
+  fs.mkdirSync(BRAIN_DIR, { recursive: true })
+  console.log('✓ Brain directory created\n')
+
+  console.log(`cold-shower v2 installed. Open a new Claude Code session to activate.
+
+Three modes — all auto-trigger:
+  🔍 Audit:   "audit my codebase", "about to deploy", "re-audit"
+  📋 Plan:    "implement X", "add X", "fix X", "refactor X"
+  🧠 Recall:  "remember this", "what did we decide", "/recall"
+`)
+}
+
+function update() {
+  console.log('\n🧊 Updating cold-shower...\n')
+  copyFile(
+    path.join(PKG_ROOT, 'skills', 'cold-shower', 'SKILL.md'),
+    path.join(SKILLS_DIR, 'SKILL.md')
+  )
+  const hooks = [
+    ['activate.js', 'cold-shower-activate.js'],
+    ['trigger.js',  'cold-shower-trigger.js'],
+    ['gate.js',     'cold-shower-gate.js'],
+    ['capture.js',  'cold-shower-capture.js'],
+  ]
+  hooks.forEach(([src, dest]) => {
+    try { copyFile(path.join(PKG_ROOT, 'hooks', src), path.join(HOOKS_DIR, dest)) } catch {}
+  })
+  console.log('✓ Updated. Restart Claude Code session to apply.')
+}
+
+function uninstall() {
+  console.log('\n🧊 Uninstalling cold-shower...\n')
+  try { fs.rmSync(SKILLS_DIR, { recursive: true }) } catch {}
+  const hookDest = ['cold-shower-activate.js','cold-shower-trigger.js','cold-shower-gate.js','cold-shower-capture.js']
+  hookDest.forEach(f => { try { fs.unlinkSync(path.join(HOOKS_DIR, f)) } catch {} })
+  try {
+    let s = JSON.parse(fs.readFileSync(SETTINGS, 'utf8'))
+    ;['SessionStart','UserPromptSubmit','PreToolUse','Stop'].forEach(event => {
+      if (s.hooks?.[event]) {
+        s.hooks[event] = s.hooks[event].filter(h => !JSON.stringify(h).includes('cold-shower'))
+      }
+    })
+    fs.writeFileSync(SETTINGS, JSON.stringify(s, null, 2))
+  } catch {}
+  console.log('✓ cold-shower removed.')
+}
+
+function help() {
+  console.log(`
+🧊 cold-shower v2 — Reality check for vibe-coded apps
+
+Usage:
+  npx cold-shower install     Install skill + wire all 4 hooks
+  npx cold-shower update      Update to latest version
+  npx cold-shower uninstall   Remove everything
+
+github.com/PradiptaPutra/cold-shower
+`)
+}
+
+const commands = { install, update, uninstall, help }
+;(commands[cmd] || help)()

package/hooks/activate.js

@@ -0,0 +1,40 @@
+#!/usr/bin/env node
+// SessionStart hook — injects cold-shower skill into every Claude Code session.
+// User never needs to type /cold-shower — Claude already knows it and offers it.
+
+const fs = require('fs')
+const path = require('path')
+
+const locations = [
+  process.env.CLAUDE_PLUGIN_ROOT
+    ? path.join(process.env.CLAUDE_PLUGIN_ROOT, 'skills', 'cold-shower', 'SKILL.md')
+    : null,
+  path.join(__dirname, '..', 'skills', 'cold-shower', 'SKILL.md'),
+  path.join(process.env.HOME || '', '.claude', 'skills', 'cold-shower', 'SKILL.md'),
+].filter(Boolean)
+
+const skillPath = locations.find(p => { try { return fs.existsSync(p) } catch { return false } })
+if (!skillPath) process.exit(0)
+
+process.stdout.write(fs.readFileSync(skillPath, 'utf8'))
+
+// Inject recall memories from brain files
+const os = require('os')
+const projectName = path.basename(process.cwd())
+const brainFiles = [
+  path.join(os.homedir(), '.claude', 'brain', 'preferences.md'),
+  path.join(os.homedir(), '.claude', 'projects', projectName, 'brain', 'context.md'),
+  path.join(os.homedir(), '.claude', 'projects', projectName, 'brain', 'avoid.md'),
+  path.join(os.homedir(), '.claude', 'projects', projectName, 'brain', 'decisions.md'),
+]
+const memoryLines = []
+for (const f of brainFiles) {
+  try {
+    const content = fs.readFileSync(f, 'utf8')
+    const headers = content.split('\n').filter(l => l.startsWith('##')).slice(0, 5)
+    if (headers.length > 0) memoryLines.push(...headers)
+  } catch {}
+}
+if (memoryLines.length > 0) {
+  process.stdout.write('\n\n## RECALL: Project Memory\n' + memoryLines.slice(0, 15).join('\n') + '\n')
+}

package/hooks/capture.js

@@ -0,0 +1,132 @@
+#!/usr/bin/env node
+// Stop hook — scans session transcript at session end and suggests memories to save.
+// Fires once when Claude Code finishes a session. Silent on error — never breaks shutdown.
+
+const path = require('path')
+
+const DECISIONS_PATTERNS = [
+  "we'll use", "we will use", "we decided", "going with", "chose ", "chosen ",
+  "the reason we", "instead of", "switching to", "moved to", "migrated to",
+]
+const AVOID_PATTERNS = [
+  "don't touch", "do not touch", "leave alone", "leave it alone",
+  "fragile", "be careful with", "be careful about", "this is tricky",
+  "handle with care", "avoid touching", "don't modify",
+]
+const BUG_PATTERNS = [
+  "the bug was", "fixed by", "the issue was", "root cause", "to fix this",
+  "the fix was", "was caused by", "turned out to be", "discovered that",
+]
+const CONTEXT_PATTERNS = [
+  "this project", "the users are", "this app is", "remember that",
+  "important to note", "worth noting", "key thing is", "the system",
+]
+
+function classify(lower) {
+  if (AVOID_PATTERNS.some(p => lower.includes(p))) return 'avoid'
+  if (BUG_PATTERNS.some(p => lower.includes(p))) return 'bugs'
+  if (DECISIONS_PATTERNS.some(p => lower.includes(p))) return 'decisions'
+  if (CONTEXT_PATTERNS.some(p => lower.includes(p))) return 'context'
+  return null
+}
+
+// Extract a short one-line summary from the surrounding sentence.
+function extractSnippet(content, matchIndex) {
+  // Walk back to sentence start
+  let start = matchIndex
+  while (start > 0 && content[start - 1] !== '.' && content[start - 1] !== '\n') start--
+  // Walk forward to sentence end or 120 chars
+  let end = matchIndex
+  while (end < content.length && content[end] !== '.' && content[end] !== '\n' && end - start < 120) end++
+  return content.slice(start, end).trim().replace(/\s+/g, ' ')
+}
+
+function scanMessages(transcript) {
+  const candidates = []
+
+  for (const msg of transcript) {
+    if (msg.role !== 'assistant') continue
+    const raw = typeof msg.content === 'string'
+      ? msg.content
+      : Array.isArray(msg.content)
+        ? msg.content.map(b => (typeof b === 'string' ? b : b.text || '')).join(' ')
+        : ''
+    if (!raw) continue
+    const lower = raw.toLowerCase()
+
+    // Find the first matching pattern in this message
+    const allPatterns = [
+      ...AVOID_PATTERNS,
+      ...BUG_PATTERNS,
+      ...DECISIONS_PATTERNS,
+      ...CONTEXT_PATTERNS,
+    ]
+    for (const pat of allPatterns) {
+      const idx = lower.indexOf(pat)
+      if (idx === -1) continue
+      const category = classify(lower)
+      if (!category) continue
+      const snippet = extractSnippet(raw, idx)
+      if (snippet.length < 10) continue
+      // Avoid duplicate snippets
+      if (!candidates.some(c => c.snippet === snippet)) {
+        candidates.push({ category, snippet })
+      }
+      break // one candidate per assistant message
+    }
+  }
+
+  return candidates
+}
+
+function buildTag(category) {
+  const map = { decisions: '[decisions]', avoid: '[avoid]', bugs: '[bugs]', context: '[context]' }
+  return map[category] || '[context]'
+}
+
+function buildOutput(candidates, projectName) {
+  // Pick up to 5, most recent (last in array = most recent)
+  const top = candidates.slice(-5)
+  if (top.length === 0) return '{}'
+
+  const brainBase = `~/.claude/projects/${projectName}/brain`
+  const fileMap = {
+    decisions: `${brainBase}/decisions.md`,
+    avoid: `${brainBase}/avoid.md`,
+    bugs: `${brainBase}/bugs.md`,
+    context: `${brainBase}/context.md`,
+  }
+
+  const lines = top.map((c, i) => `${i + 1}. ${buildTag(c.category)} ${c.snippet}`)
+
+  const fileHints = [...new Set(top.map(c => fileMap[c.category]))]
+    .map(f => `  → ${f}`)
+    .join('\n')
+
+  const block = [
+    'COLD-SHOWER RECALL: Session ended. Suggested memories to save:',
+    '',
+    ...lines,
+    '',
+    `Memory files:\n${fileHints}`,
+    '',
+    "To save: tell Claude 'remember #1' or 'save all'. To skip: 'no memories'.",
+    'Or type /recall to manage memories anytime.',
+  ].join('\n')
+
+  return JSON.stringify({ additionalContext: block })
+}
+
+let input = ''
+process.stdin.on('data', chunk => { input += chunk })
+process.stdin.on('end', () => {
+  try {
+    const data = JSON.parse(input)
+    const transcript = Array.isArray(data.transcript) ? data.transcript : []
+    const candidates = scanMessages(transcript)
+    const projectName = path.basename(process.cwd())
+    process.stdout.write(buildOutput(candidates, projectName))
+  } catch {
+    process.stdout.write('{}')
+  }
+})