dw-kit 1.1.0 → 1.2.1

package/.claude/hooks/post-write.sh

@@ -6,17 +6,15 @@
 INPUT=$(cat)
 
 # Extract file path từ tool result
-FILE_PATH=$(echo "$INPUT" | python3 -c "
-import sys, json
-try:
-    data = json.load(sys.stdin)
-    # PostToolUse result có thể chứa file path theo nhiều cách
-    for key in ['file_path', 'path', 'filePath']:
-        if key in data:
-            print(data[key])
-            break
-except:
-    pass
+FILE_PATH=$(echo "$INPUT" | node -e "
+let d='';
+process.stdin.on('data',c=>d+=c).on('end',()=>{
+  try{
+    const data=JSON.parse(d);
+    const p=data.file_path||data.path||data.filePath||(data.tool_input&&(data.tool_input.file_path||data.tool_input.path))||'';
+    process.stdout.write(p);
+  }catch(e){}
+});
 " 2>/dev/null || true)
 
 [ -z "$FILE_PATH" ] && exit 0

package/.claude/hooks/privacy-block.sh

@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+# .claude/hooks/privacy-block.sh — dw-kit v1.2
+# Block agent reads vào sensitive files (credentials, secrets, private keys).
+# Học từ claudekit privacy-block pattern.
+#
+# PreToolUse hook cho: Read
+# exit 0 = allow, exit 2 = block
+
+INPUT=$(cat)
+
+TOOL_NAME=$(echo "$INPUT" | node -e "
+let d='';
+process.stdin.on('data',c=>d+=c).on('end',()=>{
+  try{ process.stdout.write(JSON.parse(d).tool_name||''); }catch(e){}
+});
+" 2>/dev/null || true)
+
+[ "$TOOL_NAME" != "Read" ] && exit 0
+
+FILE_PATH=$(echo "$INPUT" | node -e "
+let d='';
+process.stdin.on('data',c=>d+=c).on('end',()=>{
+  try{ const p=JSON.parse(d); process.stdout.write((p.tool_input&&p.tool_input.file_path)||''); }catch(e){}
+});
+" 2>/dev/null || true)
+
+[ -z "$FILE_PATH" ] && exit 0
+
+BASENAME=$(basename "$FILE_PATH")
+NORM=$(echo "$FILE_PATH" | tr '\\' '/')
+
+# ── Allow-list: safe files dù tên giống sensitive ─────────────────────────────
+ALLOWED_PATTERNS=(
+  ".env.example"
+  ".env.sample"
+  ".env.template"
+  ".env.test"
+  ".env.local.example"
+  "*.example"
+  "*.sample"
+)
+
+for allow in "${ALLOWED_PATTERNS[@]}"; do
+  if [[ "$BASENAME" == $allow ]]; then
+    exit 0
+  fi
+done
+
+# ── Block patterns ──────────────────────────────────────────────────────────────
+BLOCKED=false
+REASON=""
+
+# .env files (nhưng không phải .env.example đã allow ở trên)
+if [[ "$BASENAME" == ".env" ]] || [[ "$BASENAME" == .env.* ]]; then
+  BLOCKED=true
+  REASON="Environment file (có thể chứa secrets/API keys)"
+fi
+
+# Private key files
+if [[ "$BASENAME" == *.pem ]] || [[ "$BASENAME" == *.key ]] || \
+   [[ "$BASENAME" == *.p12 ]] || [[ "$BASENAME" == *.pfx ]] || \
+   [[ "$BASENAME" == *.jks ]]; then
+  BLOCKED=true
+  REASON="Private key / certificate file"
+fi
+
+# Credentials & secrets files
+if echo "$BASENAME" | grep -qiE '^(credentials|secrets?|secret[-_]key|api[-_]key|auth[-_]token|access[-_]token)(\.[a-z]+)?$'; then
+  BLOCKED=true
+  REASON="Credentials / secrets file"
+fi
+
+# Known credential file patterns
+if [[ "$BASENAME" == "*.credentials.json" ]] || \
+   echo "$NORM" | grep -qiE '/(credentials|secrets)/'; then
+  BLOCKED=true
+  REASON="Credentials directory hoặc file"
+fi
+
+# Service account / GCP keys
+if echo "$BASENAME" | grep -qiE 'service[-_]account.*\.json$|gcp.*key.*\.json$|firebase.*key.*\.json$'; then
+  BLOCKED=true
+  REASON="Service account / cloud credentials"
+fi
+
+if [ "$BLOCKED" = true ]; then
+  echo "🔒 privacy-block: Blocked sensitive file read" >&2
+  echo "   File: $FILE_PATH" >&2
+  echo "   Lý do: $REASON" >&2
+  echo "   Nếu thực sự cần đọc file này, hãy confirm rõ ràng trong prompt." >&2
+  exit 2
+fi
+
+exit 0

package/.claude/hooks/scout-block.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+# .claude/hooks/scout-block.sh — dw-kit v1.2
+# Block agent reads vào heavy/irrelevant directories để tăng performance.
+# Học từ claudekit scout-block pattern.
+#
+# PreToolUse hook cho: Read, Glob
+# exit 0 = allow, exit 2 = block
+
+INPUT=$(cat)
+
+# Extract tool name và file path từ JSON input
+TOOL_NAME=$(echo "$INPUT" | node -e "
+let d='';
+process.stdin.on('data',c=>d+=c).on('end',()=>{
+  try{ process.stdout.write(JSON.parse(d).tool_name||''); }catch(e){}
+});
+" 2>/dev/null || true)
+
+# Extract path tùy theo tool
+if [ "$TOOL_NAME" = "Read" ]; then
+  TARGET=$(echo "$INPUT" | node -e "
+let d='';
+process.stdin.on('data',c=>d+=c).on('end',()=>{
+  try{ const p=JSON.parse(d); process.stdout.write((p.tool_input&&p.tool_input.file_path)||''); }catch(e){}
+});
+" 2>/dev/null || true)
+elif [ "$TOOL_NAME" = "Glob" ]; then
+  TARGET=$(echo "$INPUT" | node -e "
+let d='';
+process.stdin.on('data',c=>d+=c).on('end',()=>{
+  try{ const p=JSON.parse(d); const ti=p.tool_input||{}; process.stdout.write(ti.path||ti.pattern||''); }catch(e){}
+});
+" 2>/dev/null || true)
+else
+  exit 0
+fi
+
+[ -z "$TARGET" ] && exit 0
+
+# Normalize: lowercase, forward slashes
+NORM=$(echo "$TARGET" | tr '\\' '/')
+
+# ── Danh sách heavy/irrelevant directories ─────────────────────────────────────
+BLOCKED_PATTERNS=(
+  "node_modules/"
+  "/node_modules"
+  "dist/"
+  "/dist/"
+  "build/"
+  "/build/"
+  ".git/"
+  "/__pycache__/"
+  "/.pytest_cache/"
+  "/.next/"
+  "/.nuxt/"
+  "/vendor/"
+  "/coverage/"
+  "/.tmp/"
+  "/tmp/"
+  "/.cache/"
+)
+
+for pattern in "${BLOCKED_PATTERNS[@]}"; do
+  if echo "$NORM" | grep -q "$pattern"; then
+    echo "⚡ scout-block: Skipped heavy directory [${TOOL_NAME}] $(basename "$TARGET")/" >&2
+    echo "   Path: $TARGET" >&2
+    echo "   Dùng path cụ thể hơn nếu thực sự cần đọc file này." >&2
+    exit 2
+  fi
+done
+
+# Block pattern: kết thúc bằng thư mục blocked (không có trailing slash)
+BLOCKED_EXACT=("node_modules" ".git" "dist" "build" "__pycache__" ".next" ".nuxt" "vendor" "coverage")
+BASENAME=$(basename "$NORM")
+for exact in "${BLOCKED_EXACT[@]}"; do
+  if [ "$BASENAME" = "$exact" ]; then
+    echo "⚡ scout-block: Skipped heavy directory [${TOOL_NAME}] $BASENAME/" >&2
+    exit 2
+  fi
+done
+
+exit 0

package/.claude/hooks/session-init.sh

@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# .claude/hooks/session-init.sh — dw-kit v1.2
+# Inject active task context vào đầu session, giải quyết "session amnesia".
+# Chỉ chạy một lần mỗi session (track bằng session_id).
+#
+# UserPromptSubmit hook
+# Stdout output → được inject vào context của user prompt
+# exit 0 = allow
+
+INPUT=$(cat)
+
+SESSION_ID=$(echo "$INPUT" | node -e "
+let d='';
+process.stdin.on('data',c=>d+=c).on('end',()=>{
+  try{ process.stdout.write(JSON.parse(d).session_id||''); }catch(e){}
+});
+" 2>/dev/null || true)
+
+# Tier 2: pure-bash grep fallback — works without node (e.g. node absent or CRLF-corrupt shebang)
+if [ -z "$SESSION_ID" ]; then
+  SESSION_ID=$(echo "$INPUT" | grep -o '"session_id":"[^"]*"' | cut -d'"' -f4 2>/dev/null || true)
+fi
+
+# Tier 3: project-scoped + hour-scoped stable ID
+# cksum is POSIX — available on Linux, macOS, and Git Bash on Windows.
+# Ensures marker is always created so re-injection is suppressed even when tiers 1+2 fail.
+if [ -z "$SESSION_ID" ]; then
+  _dir_hash=$(pwd | cksum | cut -d' ' -f1)
+  SESSION_ID="fallback-${_dir_hash}-$(date +%Y%m%d-%H)"
+fi
+
+# ── Track session: chỉ chạy một lần mỗi session ───────────────────────────────
+SESSION_MARKER="/tmp/dw-session-${SESSION_ID}"
+if [ -f "$SESSION_MARKER" ]; then
+  exit 0
+fi
+touch "$SESSION_MARKER" 2>/dev/null || true
+
+# ── Scan .dw/tasks/ tìm tasks In Progress ─────────────────────────────────────
+PROJECT_DIR="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+TASKS_DIR="$PROJECT_DIR/.dw/tasks"
+
+[ ! -d "$TASKS_DIR" ] && exit 0
+
+ACTIVE_TASKS=()
+ACTIVE_SUMMARIES=()
+
+while IFS= read -r progress_file; do
+  if grep -q "Trạng thái: In Progress" "$progress_file" 2>/dev/null; then
+    task_name=$(basename "$(dirname "$progress_file")")
+
+    # Extract current subtask (dòng "In Progress" trong table)
+    current_st=$(grep -m1 "In Progress" "$progress_file" 2>/dev/null \
+      | grep -oP '\| ST-\d+ \| [^|]+' | sed 's/|//g' | xargs 2>/dev/null || echo "")
+
+    # Extract last handoff note nếu có
+    last_handoff=$(awk '/## Handoff Notes/{found=1} found{print}' "$progress_file" 2>/dev/null \
+      | grep -m1 "Bước tiếp theo:" | sed 's/.*Bước tiếp theo://' | xargs 2>/dev/null || echo "")
+
+    ACTIVE_TASKS+=("$task_name")
+    summary="$task_name"
+    [ -n "$current_st" ] && summary="$summary — $current_st"
+    [ -n "$last_handoff" ] && summary="$summary | Next: $last_handoff"
+    ACTIVE_SUMMARIES+=("$summary")
+  fi
+done < <(find "$TASKS_DIR" -name "*-progress.md" 2>/dev/null)
+
+[ ${#ACTIVE_TASKS[@]} -eq 0 ] && exit 0
+
+# ── Output context vào stdout (injected vào conversation) ─────────────────────
+echo ""
+echo "---"
+echo "[dw-kit session-init] Task đang in-progress:"
+for summary in "${ACTIVE_SUMMARIES[@]}"; do
+  echo "  • $summary"
+done
+if [ ${#ACTIVE_TASKS[@]} -eq 1 ]; then
+  echo "Context: .dw/tasks/${ACTIVE_TASKS[0]}/"
+else
+  echo "Nhiều tasks đang active — hỏi user task nào cần tiếp tục."
+fi
+echo "---"
+echo ""
+
+exit 0

package/.claude/hooks/stop-check.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# Stop hook: warn nếu có uncommitted changes hoặc task in-progress chưa update
+# Output ra stderr để hiện thị cho user, exit 0 để không block
+
+PROJECT_DIR="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+WARNINGS=()
+
+# Check uncommitted changes
+if git -C "$PROJECT_DIR" diff --quiet && git -C "$PROJECT_DIR" diff --cached --quiet; then
+  : # clean
+else
+  CHANGED=$(git -C "$PROJECT_DIR" diff --stat --cached && git -C "$PROJECT_DIR" diff --stat)
+  WARNINGS+=("Uncommitted changes:"$'\n'"$CHANGED")
+fi
+
+# Check in-progress tasks
+TASKS_DIR="$PROJECT_DIR/.dw/tasks"
+if [ -d "$TASKS_DIR" ]; then
+  while IFS= read -r progress_file; do
+    if grep -q "Trạng thái: In Progress" "$progress_file" 2>/dev/null; then
+      task_name=$(basename "$(dirname "$progress_file")")
+      WARNINGS+=("Task in-progress chưa được update: $task_name")
+    fi
+  done < <(find "$TASKS_DIR" -name "*-progress.md" 2>/dev/null)
+fi
+
+# Print warnings
+if [ ${#WARNINGS[@]} -gt 0 ]; then
+  echo "--- dw stop-check ---" >&2
+  for w in "${WARNINGS[@]}"; do
+    printf "⚠ %b\n" "$w" >&2
+  done
+  echo "---------------------" >&2
+fi
+
+exit 0

package/.claude/rules/dw-core.md

@@ -0,0 +1,100 @@
+<!-- dw-kit | core: 1.2 -->
+# dw Workflow
+
+Config: `.dw/config/dw.config.yml`
+Full methodology: `.dw/core/WORKFLOW.md` · `.dw/core/THINKING.md` · `.dw/core/QUALITY.md` · `.dw/core/ROLES.md`
+
+---
+
+## Override
+
+If the prompt contains `--no-dw`: ignore all dw instructions, work as plain Claude Code. Applies only to that request.
+
+---
+
+## Depth Routing
+
+Read `workflow.default_depth` from config. Assess per task based on facts (file count, API changes, git blame) — not assumptions:
+
+| Scope | Depth | Approach |
+|-------|-------|----------|
+| ≤2 files, hotfix, familiar module | quick | Understand → Execute → Close |
+| 3–5 files, new module | standard | Full 6-phase |
+| 6+ files, API/DB/security changes | thorough | Full + arch-review + test-plan |
+
+When unsure → default to `standard`.
+
+---
+
+## Session Start
+
+1. Read `.dw/config/dw.config.yml` — depth, roles, quality commands
+2. Check `.dw/tasks/` for active tasks; if one is in progress, resume from its `[task]-progress.md`
+
+> `session-init` hook auto-injects active task context — no manual action needed.
+
+---
+
+## Task Docs
+
+For tasks spanning 3+ files, research → plan → approve → execute gives better outcomes.
+
+```
+.dw/tasks/[task-name]/
+├── [name]-context.md    # Research findings
+├── [name]-plan.md       # Implementation plan
+└── [name]-progress.md   # Progress + handoff notes
+```
+
+---
+
+## Commit Format
+
+```
+<type>(<scope>): <description ≤72 chars>
+```
+
+Types: `feat` `fix` `refactor` `test` `docs` `chore` `style` `perf`
+
+---
+
+## Hooks (v1.2)
+
+Auto-run — no user action needed:
+
+| Hook | Trigger | Effect |
+|------|---------|--------|
+| `session-init` | Session start | Inject active task context |
+| `scout-block` | Read/Glob | Block node_modules/, dist/, .git/ etc. |
+| `privacy-block` | Read | Block .env*, *.pem, credentials* |
+| `pre-commit-gate` | Bash (git commit) | Quality check + sensitive data scan |
+| `safety-guard` | Bash | Block destructive commands |
+| `post-write` | Write/Edit | Lint reminder |
+| `stop-check` | Stop | Warn on uncommitted changes + in-progress tasks |
+
+---
+
+## Agent Reports (v1.2)
+
+For multi-phase tasks (standard/thorough), create reports for audit trail:
+
+```
+.dw/tasks/[task-name]/reports/[YYMMDD-HHMM]-from-[role]-to-[role]-[desc].md
+```
+
+Status: `DONE | DONE_WITH_CONCERNS | BLOCKED | NEEDS_CONTEXT`
+Template: `.claude/templates/agent-report.md` · Guide: `.dw/core/AGENTS.md`
+
+---
+
+## Config Local Override (v1.2)
+
+`.dw/config/dw.config.local.yml` (gitignored) for machine-specific settings:
+
+```yaml
+claude:
+  models:
+    plan: "claude-opus-4-6"
+quality:
+  test_command: "npm test"
+```

package/.claude/rules/dw-skills.md

@@ -0,0 +1,53 @@
+<!-- dw-kit | core: 1.2 -->
+# dw Skills
+
+Invoke via Claude Code slash commands. Availability governed by config flags and `workflow.default_depth`.
+
+## Core Workflow
+
+| Skill | Description | Depth |
+|-------|-------------|-------|
+| `/dw-flow [task]` | Full workflow shortcut | all |
+| `/dw-task-init [name]` | Init task docs | all |
+| `/dw-research [name]` | Survey codebase | all |
+| `/dw-plan [name]` | Design plan (waits for approval) | standard+ |
+| `/dw-execute [name]` | Implement per plan (TDD) | all |
+| `/dw-commit [msg]` | Smart commit + quality gates | all |
+| `/dw-handoff` | Session handoff | all |
+
+## Dev
+
+| Skill | Description |
+|-------|-------------|
+| `/dw-debug [issue]` | Investigate → diagnose → fix |
+| `/dw-review` | Code review with checklist |
+| `/dw-thinking [question]` | Apply thinking framework |
+| `/dw-prompt [desc]` | Build structured prompt |
+| `/dw-docs-update` | Update living docs |
+
+## Role-Specific
+
+| Skill | Role | Description |
+|-------|------|-------------|
+| `/dw-requirements` | BA | Requirements + user stories |
+| `/dw-test-plan` | QC | Test plan + regression |
+| `/dw-arch-review` | TechLead | Architecture review |
+| `/dw-dashboard` | PM | Metrics report |
+| `/dw-sprint-review` | All | Retrospective |
+| `/dw-estimate [name]` | if enabled | Effort estimation |
+| `/dw-log-work [name]` | if enabled | Log actual effort |
+
+## Setup & Maintenance
+
+| Skill | Description |
+|-------|-------------|
+| `/dw-onboard` | Onboard dw to existing project (breadth-first scan) |
+| `/dw-retroactive [name]` | Document existing feature (depth-first) |
+| `/dw-config-init` | Initialize new config |
+| `/dw-config-validate` | Validate config file |
+| `/dw-upgrade` | Upgrade toolkit |
+| `/dw-rollback [name]` | Rollback task docs |
+| `/dw-archive [name]` | Archive completed task |
+| `/dw-kit-report [desc]` | Submit feedback/bug to GitHub |
+
+> **Maintainer-only** (TechLead, dw-kit repo): `/dw-kit-evolve [issue#]` · `/dw-kit-audit [days]`

package/.claude/settings.json

@@ -1,71 +1,101 @@
-{
-  "permissions": {
-    "allow": [
-      "Read(*)",
-      "Grep(*)",
-      "Glob(*)",
-      "Bash(git log *)",
-      "Bash(git diff *)",
-      "Bash(git show *)",
-      "Bash(git status)",
-      "Bash(git blame *)",
-      "Bash(git stash list)",
-      "Bash(ls *)",
-      "Bash(wc *)"
-    ]
-  },
-  "mcpServers": {},
-  "hooks": {
-    "PreToolUse": [
-      {
-        "matcher": "Bash",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/pre-commit-gate.sh\""
-          }
-        ]
-      },
-      {
-        "matcher": "Bash",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/safety-guard.sh\""
-          }
-        ]
-      }
-    ],
-    "PostToolUse": [
-      {
-        "matcher": "Write|Edit",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/post-write.sh\""
-          }
-        ]
-      }
-    ],
-    "Stop": [
-      {
-        "hooks": [
-          {
-            "type": "prompt",
-            "prompt": "Session context: $ARGUMENTS\n\nIf stop_hook_active is true in the context above, reply ONLY: {\"decision\":\"allow\"} to prevent infinite loops.\n\nOtherwise check: any uncommitted important changes? any in-progress task with outdated progress file? any unrecorded blockers?\n\nReply with ONLY valid JSON, no other text:\n- {\"decision\":\"block\",\"reason\":\"<describe what needs attention>\"} if action needed\n- {\"decision\":\"allow\"} if all clear"
-          }
-        ]
-      }
-    ],
-    "Notification": [
-      {
-        "hooks": [
-          {
-            "type": "command",
-            "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/progress-ping.sh\""
-          }
-        ]
-      }
-    ]
-  }
-}
+{
+  "includeCoAuthoredBy": false,
+  "permissions": {
+    "allow": [
+      "Read(*)",
+      "Grep(*)",
+      "Glob(*)",
+      "Bash(git log *)",
+      "Bash(git diff *)",
+      "Bash(git show *)",
+      "Bash(git status)",
+      "Bash(git blame *)",
+      "Bash(git stash list)",
+      "Bash(ls *)",
+      "Bash(wc *)",
+      "Bash(node src/smoke-test.mjs)"
+    ]
+  },
+  "hooks": {
+    "UserPromptSubmit": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/session-init.sh\""
+          }
+        ]
+      }
+    ],
+    "PreToolUse": [
+      {
+        "matcher": "Read|Glob",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/scout-block.sh\""
+          }
+        ]
+      },
+      {
+        "matcher": "Read",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/privacy-block.sh\""
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/pre-commit-gate.sh\""
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/safety-guard.sh\""
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": "Write|Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/post-write.sh\""
+          }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/stop-check.sh\""
+          }
+        ]
+      }
+    ],
+    "Notification": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/progress-ping.sh\""
+          }
+        ]
+      }
+    ]
+  },
+  "mcpServers": {}
+}