gentyr 1.3.0

package/.claude/hooks/antipattern-hunter-hook.js

@@ -0,0 +1,401 @@
+#!/usr/bin/env node
+
+/**
+ * Antipattern Hunter Hook
+ *
+ * Called from husky post-commit hook. If 6 hours have passed since the last spawn,
+ * spawns TWO Claude sessions:
+ *   1. Repo-wide hunter: Scans the entire codebase for spec violations
+ *   2. Commit-focused hunter: Reviews only the files changed in the current commit
+ *
+ * Both hunters raise critical issues to the CTO via mcp__agent-reports__report_to_deputy_cto.
+ *
+ * Usage: node .claude/hooks/antipattern-hunter-hook.js
+ *
+ * @version 2.0.0
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { spawn, execSync } from 'child_process';
+import { fileURLToPath } from 'url';
+import { registerSpawn, registerHookExecution, AGENT_TYPES, HOOK_TYPES } from './agent-tracker.js';
+import { getCooldown } from './config-reader.js';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+// Project directory
+const projectDir = process.env.CLAUDE_PROJECT_DIR || process.cwd();
+
+// Configuration
+const CONFIG = {
+  stateFile: path.join(projectDir, '.claude', 'state', 'antipattern-hunter-state.json'),
+  cooldownHours: getCooldown('antipattern_hunter', 360) / 60, // config is in minutes, convert to hours
+};
+
+/**
+ * Read state file
+ */
+function readState() {
+  try {
+    if (!fs.existsSync(CONFIG.stateFile)) {
+      return { lastSpawn: null };
+    }
+    return JSON.parse(fs.readFileSync(CONFIG.stateFile, 'utf8'));
+  } catch {
+    return { lastSpawn: null };
+  }
+}
+
+/**
+ * Write state file
+ */
+function writeState(state) {
+  fs.writeFileSync(CONFIG.stateFile, JSON.stringify(state, null, 2), 'utf8');
+}
+
+/**
+ * Check if cooldown has elapsed
+ */
+function isCooldownElapsed() {
+  const state = readState();
+
+  if (!state.lastSpawn) {
+    return true;
+  }
+
+  const lastSpawn = new Date(state.lastSpawn);
+  const now = new Date();
+  const hoursSince = (now - lastSpawn) / (1000 * 60 * 60);
+
+  return hoursSince >= CONFIG.cooldownHours;
+}
+
+/**
+ * Get the files changed in the most recent commit
+ * @returns {object} { files: string[], diff: string, commitMessage: string }
+ */
+function getCommitChanges() {
+  try {
+    // Get list of changed files
+    const filesOutput = execSync('git diff-tree --no-commit-id --name-only -r HEAD', {
+      cwd: projectDir,
+      encoding: 'utf8'
+    }).trim();
+
+    const files = filesOutput ? filesOutput.split('\n').filter(Boolean) : [];
+
+    // Get the diff for the commit
+    const diff = execSync('git show --stat HEAD', {
+      cwd: projectDir,
+      encoding: 'utf8',
+      maxBuffer: 1024 * 1024 // 1MB max
+    }).trim();
+
+    // Get commit message
+    const commitMessage = execSync('git log -1 --pretty=%B', {
+      cwd: projectDir,
+      encoding: 'utf8'
+    }).trim();
+
+    return { files, diff, commitMessage };
+  } catch (err) {
+    console.error(`[antipattern-hunter] Failed to get commit changes: ${err.message}`);
+    return { files: [], diff: '', commitMessage: '' };
+  }
+}
+
+/**
+ * CTO reporting instructions (shared by both hunters)
+ */
+const CTO_REPORTING_INSTRUCTIONS = `
+## CTO Reporting (CRITICAL)
+
+You MUST report important findings to the CTO using the agent-reports MCP server.
+
+**Report when you find:**
+- Security violations (G004 hardcoded credentials, G009 missing RLS, G010 missing auth)
+- Architecture boundary violations (cross-product separation)
+- Critical spec violations requiring immediate attention
+- Patterns of repeated violations (3+ similar issues)
+
+**How to report:**
+\`\`\`javascript
+mcp__agent-reports__report_to_deputy_cto({
+  reporting_agent: "antipattern-hunter",
+  title: "Brief title (max 200 chars)",
+  summary: "Detailed summary with file paths, line numbers, and severity (max 2000 chars)",
+  category: "security" | "architecture" | "performance" | "breaking-change" | "blocker" | "decision" | "other",
+  priority: "low" | "normal" | "high" | "critical"
+})
+\`\`\`
+
+**Priority guidelines:**
+- critical: Security issues, data exposure risks
+- high: Architecture violations, widespread pattern issues
+- normal: Standard spec violations
+- low: Minor style/consistency issues
+`;
+
+/**
+ * Spawn repo-wide antipattern hunter
+ */
+function spawnRepoWideHunter() {
+  const prompt = `[Task][antipattern-hunter-repo] REPO-WIDE ANTIPATTERN HUNT - Scan the entire codebase for spec violations.
+
+## IMMEDIATE ACTION
+
+Your first action MUST be to spawn the antipattern-hunter sub-agent:
+\`\`\`
+Task(subagent_type='antipattern-hunter', prompt='Perform a REPO-WIDE antipattern hunt. Systematically scan the entire codebase for spec violations, focusing on areas with accumulated technical debt. Prioritize G001, G004, G009, G010, G016.')
+\`\`\`
+
+The antipattern-hunter sub-agent has specialized instructions loaded from .claude/agents/antipattern-hunter.md.
+
+You are a REPO-WIDE antipattern hunter. Your job is to systematically scan the ENTIRE codebase
+looking for spec violations, focusing on areas that may have accumulated technical debt.
+
+## Your Focus Areas
+- Hunt across ALL directories: src/, packages/, products/, integrations/
+- Look for systemic patterns of violations
+- Check areas that don't change frequently (may have old violations)
+- Prioritize high-severity specs (G001, G004, G009, G010, G016)
+
+## Workflow
+
+### Step 1: Load Specifications
+\`\`\`javascript
+mcp__specs-browser__list_specs({})
+mcp__specs-browser__get_spec({ spec_id: "G001" })  // No graceful fallbacks
+mcp__specs-browser__get_spec({ spec_id: "G004" })  // No hardcoded credentials
+mcp__specs-browser__get_spec({ spec_id: "G009" })  // RLS policies required
+mcp__specs-browser__get_spec({ spec_id: "G010" })  // Session auth validation
+mcp__specs-browser__get_spec({ spec_id: "G016" })  // Integration boundary
+\`\`\`
+
+### Step 2: Hunt for Violations
+Use Grep to systematically scan for violation patterns:
+- G001: \`|| null\`, \`|| undefined\`, \`?? 0\`, \`|| []\`, \`|| {}\`
+- G002: \`TODO\`, \`FIXME\`, \`throw new Error('Not implemented')\`
+- G004: Hardcoded API keys, credentials, secrets
+- G011: \`MOCK_MODE\`, \`isSimulation\`, \`isMockMode\`
+
+### Step 3: For Each Violation
+a. Call code-reviewer sub-agent to review proposed fix
+b. Create TODO item:
+   \`\`\`javascript
+   mcp__todo-db__create_task({
+     section: "CODE-WRITER",
+     title: "Fix [SPEC-ID] violation in [file]",
+     description: "[Details and approved fix]",
+     assigned_by: "ANTIPATTERN-HUNTER-REPO"
+   })
+   \`\`\`
+
+### Step 4: Report Critical Issues to CTO
+${CTO_REPORTING_INSTRUCTIONS}
+
+### Step 5: END SESSION
+After creating TODO items and CTO reports, provide a summary and END YOUR SESSION.
+Do NOT implement fixes yourself.
+
+Focus on finding SYSTEMIC issues across the codebase, not just isolated violations.`;
+
+  // Register spawn
+  const agentId = registerSpawn({
+    type: AGENT_TYPES.ANTIPATTERN_HUNTER_REPO,
+    hookType: HOOK_TYPES.ANTIPATTERN_HUNTER,
+    description: 'Repo-wide antipattern hunt after commit',
+    prompt,
+    metadata: { trigger: 'post-commit', scope: 'repo-wide', cooldownHours: CONFIG.cooldownHours },
+    projectDir
+  });
+
+  // Spawn Claude session (fire-and-forget, detached)
+  const claude = spawn('claude', [
+    '--dangerously-skip-permissions',
+    '-p',
+    prompt
+  ], {
+    detached: true,
+    stdio: 'ignore',
+    cwd: projectDir,
+    env: {
+      ...process.env,
+      CLAUDE_PROJECT_DIR: projectDir,
+      CLAUDE_SPAWNED_SESSION: 'true'
+    }
+  });
+
+  claude.unref();
+
+  console.log(`[antipattern-hunter] Spawned REPO-WIDE hunter ${agentId} (PID: ${claude.pid})`);
+  return agentId;
+}
+
+/**
+ * Spawn commit-focused antipattern hunter
+ */
+function spawnCommitFocusedHunter() {
+  const { files, diff, commitMessage } = getCommitChanges();
+
+  if (files.length === 0) {
+    console.log('[antipattern-hunter] No files in commit, skipping commit-focused hunter');
+    return null;
+  }
+
+  const fileList = files.join('\n  - ');
+
+  const prompt = `[Task][antipattern-hunter-commit] COMMIT-FOCUSED ANTIPATTERN HUNT - Review only the changes in the current commit.
+
+## IMMEDIATE ACTION
+
+Your first action MUST be to spawn the antipattern-hunter sub-agent:
+\`\`\`
+Task(subagent_type='antipattern-hunter', prompt='Perform a COMMIT-FOCUSED antipattern hunt. Review ONLY the files changed in the most recent commit for spec violations. Commit: ${commitMessage.split('\n')[0]}. Changed files: ${fileList}')
+\`\`\`
+
+The antipattern-hunter sub-agent has specialized instructions loaded from .claude/agents/antipattern-hunter.md.
+
+You are a COMMIT-FOCUSED antipattern hunter. Your job is to deeply review ONLY the files
+that were changed in the most recent commit, checking for spec violations introduced or
+existing in those specific files.
+
+## Commit Information
+**Message:** ${commitMessage}
+
+**Changed Files:**
+  - ${fileList}
+
+**Commit Summary:**
+\`\`\`
+${diff}
+\`\`\`
+
+## Your Focus
+- ONLY examine the files listed above
+- Check for violations INTRODUCED by this commit
+- Check for PRE-EXISTING violations in these files that should be fixed
+- Be thorough - read each changed file completely
+
+## Workflow
+
+### Step 1: Load Relevant Specifications
+\`\`\`javascript
+mcp__specs-browser__list_specs({})
+// Load specs most relevant to the changed files
+mcp__specs-browser__get_spec({ spec_id: "G001" })  // No graceful fallbacks
+mcp__specs-browser__get_spec({ spec_id: "G003" })  // Input validation required
+mcp__specs-browser__get_spec({ spec_id: "G004" })  // No hardcoded credentials
+\`\`\`
+
+### Step 2: Read and Analyze Each Changed File
+For each file in the commit:
+1. Read the file using the Read tool
+2. Check against ALL relevant specs
+3. Note any violations with exact line numbers
+
+### Step 3: For Each Violation
+a. Call code-reviewer sub-agent to review proposed fix
+b. Create TODO item:
+   \`\`\`javascript
+   mcp__todo-db__create_task({
+     section: "CODE-WRITER",
+     title: "Fix [SPEC-ID] violation in [file]:[line]",
+     description: "[Details and approved fix]. Found in commit: ${commitMessage.split('\n')[0]}",
+     assigned_by: "ANTIPATTERN-HUNTER-COMMIT"
+   })
+   \`\`\`
+
+### Step 4: Report Critical Issues to CTO
+${CTO_REPORTING_INSTRUCTIONS}
+
+### Step 5: END SESSION
+After creating TODO items and CTO reports, provide a summary and END YOUR SESSION.
+Do NOT implement fixes yourself.
+
+Be THOROUGH with the commit files - this is a deep review, not a surface scan.`;
+
+  // Register spawn
+  const agentId = registerSpawn({
+    type: AGENT_TYPES.ANTIPATTERN_HUNTER_COMMIT,
+    hookType: HOOK_TYPES.ANTIPATTERN_HUNTER,
+    description: `Commit-focused antipattern hunt: ${commitMessage.split('\n')[0].substring(0, 50)}`,
+    prompt,
+    metadata: {
+      trigger: 'post-commit',
+      scope: 'commit-focused',
+      filesChanged: files.length,
+      files: files.slice(0, 20), // Store first 20 files
+      cooldownHours: CONFIG.cooldownHours
+    },
+    projectDir
+  });
+
+  // Spawn Claude session (fire-and-forget, detached)
+  const claude = spawn('claude', [
+    '--dangerously-skip-permissions',
+    '-p',
+    prompt
+  ], {
+    detached: true,
+    stdio: 'ignore',
+    cwd: projectDir,
+    env: {
+      ...process.env,
+      CLAUDE_PROJECT_DIR: projectDir,
+      CLAUDE_SPAWNED_SESSION: 'true'
+    }
+  });
+
+  claude.unref();
+
+  console.log(`[antipattern-hunter] Spawned COMMIT-FOCUSED hunter ${agentId} (PID: ${claude.pid})`);
+  return agentId;
+}
+
+/**
+ * Main entry point
+ */
+function main() {
+  const startTime = Date.now();
+
+  // Check cooldown
+  if (!isCooldownElapsed()) {
+    const state = readState();
+    const hoursSince = (Date.now() - new Date(state.lastSpawn).getTime()) / (1000 * 60 * 60);
+    const hoursRemaining = CONFIG.cooldownHours - hoursSince;
+    console.log(`[antipattern-hunter] Cooldown active (${hoursRemaining.toFixed(1)}h remaining)`);
+
+    registerHookExecution({
+      hookType: HOOK_TYPES.ANTIPATTERN_HUNTER,
+      status: 'skipped',
+      durationMs: Date.now() - startTime,
+      metadata: { reason: 'cooldown', hoursRemaining: hoursRemaining.toFixed(1) }
+    });
+    return;
+  }
+
+  console.log('[antipattern-hunter] Spawning antipattern hunters...');
+
+  // Spawn BOTH hunters
+  const repoAgentId = spawnRepoWideHunter();
+  const commitAgentId = spawnCommitFocusedHunter();
+
+  // Update state (cooldown applies to both)
+  writeState({ lastSpawn: new Date().toISOString() });
+
+  console.log(`[antipattern-hunter] Spawned 2 hunters:`);
+  console.log(`  - Repo-wide: ${repoAgentId}`);
+  console.log(`  - Commit-focused: ${commitAgentId || 'skipped (no files)'}`);
+
+  registerHookExecution({
+    hookType: HOOK_TYPES.ANTIPATTERN_HUNTER,
+    status: 'success',
+    durationMs: Date.now() - startTime,
+    metadata: { repoAgentId, commitAgentId }
+  });
+}
+
+main();

package/.claude/hooks/api-key-watcher.js

@@ -0,0 +1,289 @@
+#!/usr/bin/env node
+/**
+ * API Key Rotation Hook
+ *
+ * Runs on SessionStart to track multiple Claude API keys and automatically
+ * rotate between them based on utilization thresholds.
+ *
+ * Features:
+ * - Captures new keys from all sources (env var, macOS Keychain, credentials file)
+ * - Monitors usage via Anthropic Usage API
+ * - Rotates to lower-utilization keys when current key hits 90%+ usage
+ * - Attempts OAuth token refresh for expired keys
+ * - Logs all rotation events for debugging
+ *
+ * Storage:
+ * - ~/.claude/api-key-rotation.json - Tracked keys and state (user-level, cross-project)
+ * - <project>/.claude/api-key-rotation.log - Human-readable event log (project-level)
+ *
+ * @version 2.0.0
+ */
+
+import { fileURLToPath } from 'url';
+import { registerHookExecution, HOOK_TYPES } from './agent-tracker.js';
+import {
+  syncKeys,
+  readRotationState,
+  writeRotationState,
+  logRotationEvent,
+  updateActiveCredentials,
+  refreshExpiredToken,
+  checkKeyHealth,
+  selectActiveKey,
+  fetchAccountProfile,
+  HIGH_USAGE_THRESHOLD,
+  EXHAUSTED_THRESHOLD,
+} from './key-sync.js';
+
+const __filename = fileURLToPath(import.meta.url);
+
+/**
+ * Main entry point
+ */
+async function main() {
+  const startTime = Date.now();
+
+  // Skip for spawned sessions
+  if (process.env.CLAUDE_SPAWNED_SESSION === 'true') {
+    registerHookExecution({
+      hookType: HOOK_TYPES.API_KEY_WATCHER,
+      status: 'skipped',
+      durationMs: Date.now() - startTime,
+      metadata: { reason: 'spawned_session' }
+    });
+    console.log(JSON.stringify({
+      continue: true,
+      suppressOutput: true,
+    }));
+    return;
+  }
+
+  // Step 1: Sync keys from all credential sources (env, keychain, file)
+  const syncResult = await syncKeys();
+
+  // Step 2: Read the synced rotation state for health checks + rotation
+  const state = readRotationState();
+  const now = Date.now();
+
+  if (Object.keys(state.keys).length === 0) {
+    // No keys tracked, nothing to do
+    console.log(JSON.stringify({
+      continue: true,
+      suppressOutput: true,
+    }));
+    return;
+  }
+
+  // Step 3: Run health checks on all tracked keys (with token refresh for expired)
+  const healthCheckPromises = Object.entries(state.keys).map(async ([keyId, keyData]) => {
+    // Skip invalid keys
+    if (keyData.status === 'invalid') {
+      return { keyId, result: null };
+    }
+
+    // Check if token is expired - attempt refresh first
+    if (keyData.expiresAt && keyData.expiresAt < now) {
+      if (keyData.status !== 'expired') {
+        const refreshed = await refreshExpiredToken(keyData);
+        if (refreshed === 'invalid_grant') {
+          keyData.status = 'invalid';
+          logRotationEvent(state, {
+            timestamp: now,
+            event: 'key_removed',
+            key_id: keyId,
+            reason: 'refresh_token_invalid_grant',
+          });
+          return { keyId, result: null };
+        } else if (refreshed) {
+          keyData.accessToken = refreshed.accessToken;
+          keyData.refreshToken = refreshed.refreshToken;
+          keyData.expiresAt = refreshed.expiresAt;
+          keyData.status = 'active';
+          logRotationEvent(state, {
+            timestamp: now,
+            event: 'key_added',
+            key_id: keyId,
+            reason: 'token_refreshed_during_health_check',
+          });
+        } else {
+          keyData.status = 'expired';
+          logRotationEvent(state, {
+            timestamp: now,
+            event: 'key_removed',
+            key_id: keyId,
+            reason: 'token_expired',
+          });
+          return { keyId, result: null };
+        }
+      } else {
+        return { keyId, result: null };
+      }
+    }
+
+    // Run health check
+    const result = await checkKeyHealth(keyData.accessToken);
+
+    // Fetch account profile if not already known (non-blocking)
+    if (result.valid && !keyData.account_uuid) {
+      const profile = await fetchAccountProfile(keyData.accessToken);
+      if (profile) {
+        keyData.account_uuid = profile.account_uuid;
+        keyData.account_email = profile.email;
+      }
+    }
+
+    return { keyId, result };
+  });
+
+  const healthResults = await Promise.all(healthCheckPromises);
+
+  // Process health check results
+  for (const { keyId, result } of healthResults) {
+    if (!result) continue;
+
+    const keyData = state.keys[keyId];
+    keyData.last_health_check = now;
+
+    if (!result.valid) {
+      keyData.status = 'invalid';
+      logRotationEvent(state, {
+        timestamp: now,
+        event: 'key_removed',
+        key_id: keyId,
+        reason: `health_check_failed_${result.error}`,
+      });
+    } else if (result.usage) {
+      keyData.last_usage = {
+        ...result.usage,
+        checked_at: now,
+      };
+
+      // Check if exhausted
+      const isExhausted = result.usage.five_hour >= EXHAUSTED_THRESHOLD ||
+                          result.usage.seven_day >= EXHAUSTED_THRESHOLD ||
+                          result.usage.seven_day_sonnet >= EXHAUSTED_THRESHOLD;
+
+      if (isExhausted && keyData.status !== 'exhausted') {
+        keyData.status = 'exhausted';
+        logRotationEvent(state, {
+          timestamp: now,
+          event: 'key_exhausted',
+          key_id: keyId,
+          reason: 'hit_100_percent',
+          usage_snapshot: result.usage,
+        });
+      } else if (!isExhausted && keyData.status === 'exhausted') {
+        keyData.status = 'active';
+      }
+
+      logRotationEvent(state, {
+        timestamp: now,
+        event: 'health_check',
+        key_id: keyId,
+        usage_snapshot: result.usage,
+      });
+    }
+  }
+
+  // Step 4: Select the best key
+  const selectedKeyId = selectActiveKey(state);
+
+  // Check if we need to switch keys
+  if (selectedKeyId && selectedKeyId !== state.active_key_id) {
+    const previousKeyId = state.active_key_id;
+    state.active_key_id = selectedKeyId;
+
+    const selectedKey = state.keys[selectedKeyId];
+    selectedKey.last_used_at = now;
+
+    logRotationEvent(state, {
+      timestamp: now,
+      event: 'key_switched',
+      key_id: selectedKeyId,
+      reason: previousKeyId ? `switched_from_${previousKeyId.slice(0, 8)}` : 'initial_selection',
+      usage_snapshot: selectedKey.last_usage ? {
+        five_hour: selectedKey.last_usage.five_hour,
+        seven_day: selectedKey.last_usage.seven_day,
+        seven_day_sonnet: selectedKey.last_usage.seven_day_sonnet,
+      } : undefined,
+    });
+
+    // Update credentials in all stores if switching to a different key
+    if (previousKeyId) {
+      updateActiveCredentials(selectedKey);
+    }
+  } else if (!state.active_key_id && selectedKeyId) {
+    // First time setting active key
+    state.active_key_id = selectedKeyId;
+    state.keys[selectedKeyId].last_used_at = now;
+  }
+
+  // Save state
+  writeRotationState(state);
+
+  // Build notification message — only count keys that responded to health checks,
+  // deduplicated per account (prefer account_uuid, fall back to usage fingerprint).
+  const respondingKeys = Object.entries(state.keys)
+    .filter(([_, k]) => k.last_usage && (k.status === 'active' || k.status === 'exhausted'));
+
+  // Deduplicate by account: prefer account_uuid, fall back to usage fingerprint
+  const seen = new Set();
+  const uniqueAccounts = respondingKeys.filter(([_, k]) => {
+    const dedupeKey = k.account_uuid || `fp:${k.last_usage.seven_day}:${k.last_usage.seven_day_sonnet}`;
+    if (seen.has(dedupeKey)) return false;
+    seen.add(dedupeKey);
+    return true;
+  });
+
+  const accountCount = uniqueAccounts.length;
+  let message = null;
+
+  if (accountCount > 1) {
+    const activeKey = state.keys[state.active_key_id];
+    const usage = activeKey?.last_usage;
+
+    if (usage) {
+      const maxUsage = Math.max(usage.five_hour, usage.seven_day, usage.seven_day_sonnet);
+      const activeLabel = activeKey.account_email || `${state.active_key_id.slice(0, 8)}...`;
+      message = `Accounts: ${accountCount} tracked | Active: ${activeLabel} (${Math.round(maxUsage)}% max usage)`;
+    } else {
+      const activeLabel2 = state.keys[state.active_key_id]?.account_email || `${state.active_key_id.slice(0, 8)}...`;
+      message = `Accounts: ${accountCount} tracked | Active: ${activeLabel2}`;
+    }
+  }
+
+  registerHookExecution({
+    hookType: HOOK_TYPES.API_KEY_WATCHER,
+    status: 'success',
+    durationMs: Date.now() - startTime,
+    metadata: {
+      keyCount: accountCount,
+      switched: selectedKeyId !== state.active_key_id,
+      keysAdded: syncResult.keysAdded,
+      tokensRefreshed: syncResult.tokensRefreshed,
+    }
+  });
+
+  console.log(JSON.stringify({
+    continue: true,
+    suppressOutput: !message,
+    ...(message && { systemMessage: message }),
+  }));
+}
+
+main().catch(err => {
+  console.error(`[api-key-watcher] Error: ${err.message}`);
+
+  registerHookExecution({
+    hookType: HOOK_TYPES.API_KEY_WATCHER,
+    status: 'failure',
+    durationMs: 0,
+    metadata: { error: err.message }
+  });
+
+  // Don't block on errors
+  console.log(JSON.stringify({
+    continue: true,
+    suppressOutput: true,
+  }));
+});