oco-claude-plugin 0.1.0

package/plugin/agents/codebase-investigator.md

@@ -0,0 +1,63 @@
+---
+name: codebase-investigator
+description: Read many files in isolation and produce a compact evidence summary. Use when broad codebase exploration would bloat the main context.
+model: haiku
+tools:
+  - Read
+  - Grep
+  - Glob
+  - Bash
+---
+
+# Codebase Investigator
+
+You are an isolated investigation agent. Your job is to read files, search code, and produce a **compact structured summary** — never dump raw file contents back.
+
+## Input
+
+You will receive:
+- A **question** or **area to investigate**
+- An optional **list of candidate files**
+- An optional **workspace root**
+
+## Process
+
+1. **Search** for relevant files using Grep and Glob
+2. **Read** the most relevant files (prioritize by relevance)
+3. **Extract** key information: types, functions, relationships, patterns
+4. **Summarize** findings into a structured report
+
+## Output Format
+
+Always return this structure:
+
+```
+## Investigation: [topic]
+
+### Key Findings
+- [finding 1]
+- [finding 2]
+- [finding 3]
+
+### Relevant Files
+| File | Purpose | Key Symbols |
+|------|---------|-------------|
+| path/to/file.rs | description | symbol1, symbol2 |
+
+### Data Flow
+[brief description of how data moves through the area]
+
+### Concerns
+- [any issues, risks, or complexity hotspots found]
+
+### Confidence: [high/medium/low]
+[why this confidence level]
+```
+
+## Rules
+
+- **Never return raw file contents** — always summarize
+- Read at most 20 files per investigation
+- If you need more than 20 files, report what you found and suggest follow-up areas
+- Focus on answering the specific question, not exhaustive documentation
+- Flag anything suspicious (dead code, inconsistencies, missing error handling)

package/plugin/agents/patch-verifier.md

@@ -0,0 +1,68 @@
+---
+name: patch-verifier
+description: Review a proposed change for consistency, correctness, and completeness. Use after code changes to verify quality before completion.
+model: sonnet
+tools:
+  - Read
+  - Grep
+  - Glob
+  - Bash
+---
+
+# Patch Verifier
+
+You are a verification agent. Your job is to review a proposed code change and assess its correctness, consistency, and completeness.
+
+## Input
+
+You will receive:
+- A **description of the change** (what was done and why)
+- A **list of modified files** or a diff
+- The **original task/plan** that motivated the change
+
+## Process
+
+1. **Read the diff** or changed files
+2. **Check consistency**: Does the change match the stated intent?
+3. **Check completeness**: Are all necessary changes present? (imports, tests, docs, types)
+4. **Check correctness**: Are there logical errors, edge cases, or regressions?
+5. **Check conventions**: Does the code follow project conventions?
+
+## Output Format
+
+```
+## Patch Verification Report
+
+### Summary
+[1-2 sentence assessment]
+
+### Verdict: PASS | FAIL | NEEDS_WORK
+
+### Checklist
+- [ ] Change matches stated intent
+- [ ] All affected files updated
+- [ ] No missing imports or type errors
+- [ ] Error handling present where needed
+- [ ] No obvious regressions
+- [ ] Tests updated/added if applicable
+- [ ] No secrets or sensitive data exposed
+
+### Issues Found
+| Severity | File | Line | Description |
+|----------|------|------|-------------|
+| high/medium/low | path | N | description |
+
+### Missing Items
+- [anything that should have been done but wasn't]
+
+### Suggestions
+- [optional improvements, not blockers]
+```
+
+## Rules
+
+- Be thorough but concise
+- Distinguish between blockers (FAIL) and suggestions (PASS with notes)
+- Never approve a change that introduces obvious bugs or security issues
+- Flag missing test coverage explicitly
+- Do not rewrite the code — only identify issues

package/plugin/agents/refactor-reviewer.md

@@ -0,0 +1,81 @@
+---
+name: refactor-reviewer
+description: Inspect refactor scope, hidden impact, and risky omissions. Use during or after refactoring to catch missed references and breaking changes.
+model: sonnet
+tools:
+  - Read
+  - Grep
+  - Glob
+  - Bash
+---
+
+# Refactor Reviewer
+
+You are a refactoring review agent. Your job is to verify that a refactoring operation is complete and safe — catching missed references, broken imports, and hidden impact.
+
+## Input
+
+You will receive:
+- **What was refactored** (rename, move, extract, restructure)
+- **List of changed files**
+- **The old and new names/paths/structure**
+
+## Process
+
+1. **Search for stale references** to the old name/path/structure:
+   - Grep for old symbol names, old import paths, old file references
+   - Check string literals, comments, documentation, config files
+   - Check test files for old references
+
+2. **Verify new references are correct**:
+   - All imports resolve
+   - All type references are valid
+   - Re-exports are updated if applicable
+
+3. **Check for hidden consumers**:
+   - External APIs or CLI commands that reference the old structure
+   - Dynamic references (string-based imports, reflection)
+   - Build scripts, CI configs, documentation
+
+4. **Assess breaking change risk**:
+   - Is this a public API change?
+   - Are there downstream consumers?
+   - Is there a migration path?
+
+## Output Format
+
+```
+## Refactor Review Report
+
+### Summary
+[1-2 sentence assessment]
+
+### Verdict: CLEAN | STALE_REFS | BREAKING
+
+### Stale References Found
+| File | Line | Reference | Status |
+|------|------|-----------|--------|
+| path | N | old_name | needs update / false positive |
+
+### Breaking Changes
+- [list of breaking changes, if any]
+
+### Hidden Impact
+- [any indirect effects discovered]
+
+### Verification Commands
+```bash
+# Commands to verify the refactor is complete
+[specific build/test/lint commands]
+```
+
+### Confidence: [high/medium/low]
+```
+
+## Rules
+
+- Always search for the **old** name/path in the entire codebase
+- Check at least: source code, tests, docs, configs, CI files
+- Distinguish between actual stale references and false positives (e.g., in comments describing history)
+- Never approve a refactor without verifying no stale imports remain
+- If the scope is very large (>20 files), focus on the highest-risk areas first

package/plugin/hooks/lib/utils.mjs

@@ -0,0 +1,109 @@
+// OCO Hooks — Shared utilities (cross-platform: Windows, Linux, macOS)
+import { createHash } from 'node:crypto';
+import { execSync, execFileSync } from 'node:child_process';
+import { existsSync, mkdirSync, readFileSync, readSync, writeFileSync, appendFileSync, lstatSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir, tmpdir } from 'node:os';
+
+/** Read JSON from stdin (Claude Code pipes hook input). */
+export function readStdin() {
+  try {
+    const chunks = [];
+    const fd = 0; // stdin
+    const buf = Buffer.alloc(65536);
+    let n;
+    try { while ((n = readSync(fd, buf)) > 0) chunks.push(buf.slice(0, n)); } catch {}
+    return JSON.parse(Buffer.concat(chunks).toString('utf8'));
+  } catch { return {}; }
+}
+
+/** Async version using process.stdin */
+export async function readStdinAsync() {
+  return new Promise((resolve) => {
+    let data = '';
+    let resolved = false;
+    const done = () => {
+      if (resolved) return;
+      resolved = true;
+      try { resolve(JSON.parse(data)); } catch { resolve({}); }
+    };
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', (chunk) => { data += chunk; });
+    process.stdin.on('end', done);
+    process.stdin.on('error', done);
+    // Timeout after 3s in case stdin never closes
+    setTimeout(done, 3000);
+  });
+}
+
+/** Get a stable session state directory, cross-platform. */
+export function getStateDir() {
+  let workspaceRoot;
+  try {
+    workspaceRoot = execSync('git rev-parse --show-toplevel', { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+  } catch {
+    workspaceRoot = process.env.CLAUDE_PROJECT_DIR || process.cwd();
+  }
+
+  const hash = createHash('md5').update(workspaceRoot).digest('hex').slice(0, 12);
+  const cacheRoot = process.env.XDG_RUNTIME_DIR || join(homedir(), '.cache', 'oco');
+
+  const stateDir = join(cacheRoot, `session-${hash}`);
+  try {
+    mkdirSync(stateDir, { recursive: true });
+    // Basic symlink guard
+    if (lstatSync(stateDir).isSymbolicLink()) return join(tmpdir(), 'oco-fallback');
+  } catch {}
+
+  return stateDir;
+}
+
+/** Check if a command exists on PATH. */
+export function commandExists(cmd) {
+  try {
+    const check = process.platform === 'win32' ? `where ${cmd}` : `command -v ${cmd}`;
+    execSync(check, { stdio: ['pipe', 'pipe', 'pipe'] });
+    return true;
+  } catch { return false; }
+}
+
+/** Run OCO CLI command and return parsed JSON. Degrades gracefully. */
+export function ocoRun(args) {
+  const bin = process.env.OCO_BIN || 'oco';
+  if (!commandExists(bin)) return null;
+  try {
+    const result = execFileSync(bin, args, {
+      encoding: 'utf8',
+      timeout: 5000,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    return JSON.parse(result);
+  } catch { return null; }
+}
+
+/** Read a state file (returns content or default). */
+export function readState(stateDir, filename, defaultVal = '') {
+  const p = join(stateDir, filename);
+  try { return readFileSync(p, 'utf8').trim(); } catch { return defaultVal; }
+}
+
+/** Write a state file. */
+export function writeState(stateDir, filename, content) {
+  try { writeFileSync(join(stateDir, filename), String(content)); } catch {}
+}
+
+/** Append to a state file. */
+export function appendState(stateDir, filename, content) {
+  try { appendFileSync(join(stateDir, filename), content + '\n'); } catch {}
+}
+
+/** Output structured hook response as JSON. */
+export function respond(obj) {
+  process.stdout.write(JSON.stringify(obj));
+}
+
+/** Write error to stderr (shown to Claude when exit 2). */
+export function blockWith(message) {
+  process.stderr.write(message);
+  process.exit(2);
+}

package/plugin/hooks/post-tool-use.mjs

@@ -0,0 +1,88 @@
+// OCO Hook: PostToolUse (cross-platform)
+// Records observations, tracks modifications and verification timestamps.
+// MUST exit within 4s no matter what.
+import { execFile } from 'node:child_process';
+import { existsSync, readFileSync, writeFileSync, appendFileSync, mkdirSync, lstatSync } from 'node:fs';
+import { join } from 'node:path';
+import { createHash } from 'node:crypto';
+import { homedir, tmpdir } from 'node:os';
+
+const killTimer = setTimeout(() => process.exit(0), 4000);
+killTimer.unref();
+process.on('uncaughtException', () => process.exit(0));
+process.on('unhandledRejection', () => process.exit(0));
+
+// --- Helpers (inlined) ---
+function getStateDir() {
+  let root;
+  try { root = require('node:child_process').execFileSync('git', ['rev-parse', '--show-toplevel'], { encoding: 'utf8', timeout: 2000, stdio: ['pipe', 'pipe', 'pipe'], windowsHide: true }).trim(); } catch { root = process.env.CLAUDE_PROJECT_DIR || process.cwd(); }
+  const hash = createHash('md5').update(root).digest('hex').slice(0, 12);
+  const dir = join(process.env.XDG_RUNTIME_DIR || join(homedir(), '.cache', 'oco'), `session-${hash}`);
+  try { mkdirSync(dir, { recursive: true }); if (lstatSync(dir).isSymbolicLink()) return join(tmpdir(), 'oco-fallback'); } catch {}
+  return dir;
+}
+function readState(dir, file, def = '') { try { return readFileSync(join(dir, file), 'utf8').trim(); } catch { return def; } }
+function writeState(dir, file, val) { try { writeFileSync(join(dir, file), String(val)); } catch {} }
+function appendState(dir, file, val) { try { appendFileSync(join(dir, file), val + '\n'); } catch {} }
+
+function readStdin() {
+  return new Promise((resolve) => {
+    let data = '', done = false;
+    const finish = () => { if (done) return; done = true; try { resolve(JSON.parse(data)); } catch { resolve(null); } };
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', (c) => { data += c; });
+    process.stdin.on('end', finish);
+    process.stdin.on('error', finish);
+    setTimeout(finish, 1000);
+  });
+}
+
+try {
+  const input = await readStdin();
+  const toolName = input?.tool_name || '';
+  const toolError = input?.error || '';
+  if (!toolName) process.exit(0);
+
+  const stateDir = getStateDir();
+  const now = Math.floor(Date.now() / 1000);
+
+  // --- Telemetry: record observation (async, fire-and-forget) ---
+  try {
+    const bin = process.env.OCO_BIN || 'oco';
+    execFile(bin, ['observe', '--tool', toolName, '--status', toolError ? 'error' : 'ok', '--format', 'json'], { timeout: 3000, windowsHide: true });
+  } catch {}
+
+  // --- Track modified files ---
+  if (['Edit', 'Write', 'MultiEdit'].includes(toolName)) {
+    const filePath = input.tool_input?.file_path || input.tool_input?.path || input.tool_input?.destination || '';
+    if (filePath) {
+      appendState(stateDir, 'modified-files', filePath);
+      writeState(stateDir, 'last-modified-ts', String(now));
+    }
+  }
+
+  // --- Detect verification commands ---
+  if (!toolError && (toolName === 'Bash' || toolName === 'bash')) {
+    const command = (input.tool_input?.command || '').toLowerCase();
+    const verifyCmds = [
+      'cargo test', 'cargo build', 'cargo check', 'cargo clippy',
+      'npm test', 'npm run build', 'npm run lint',
+      'pytest', 'python -m pytest', 'go test', 'go build',
+      'tsc --noemit', 'npx tsc', 'mypy', 'ruff check',
+    ];
+    for (const vc of verifyCmds) {
+      if (command.startsWith(vc) || command.includes(` && ${vc}`) || command.includes(`; ${vc}`)) {
+        writeState(stateDir, 'verify-done', String(now));
+        break;
+      }
+    }
+  }
+
+  // --- Reset loop counter on success ---
+  if (!toolError) {
+    const loopFile = `loop-${toolName.replace(/[^a-zA-Z0-9]/g, '_')}`;
+    writeState(stateDir, loopFile, '0');
+  }
+} catch {}
+
+process.exit(0);

package/plugin/hooks/pre-tool-use.mjs

@@ -0,0 +1,100 @@
+// OCO Hook: PreToolUse (cross-platform)
+// Enforces tool policy gates before execution.
+// MUST exit within 4s no matter what.
+import { execFileSync } from 'node:child_process';
+import { existsSync, readFileSync, writeFileSync, mkdirSync, lstatSync } from 'node:fs';
+import { join } from 'node:path';
+import { createHash } from 'node:crypto';
+import { homedir, tmpdir } from 'node:os';
+
+const killTimer = setTimeout(() => process.exit(0), 4000);
+killTimer.unref();
+process.on('uncaughtException', () => process.exit(0));
+process.on('unhandledRejection', () => process.exit(0));
+
+// --- Helpers (inlined, no external deps) ---
+function getStateDir() {
+  let root;
+  try { root = execFileSync('git', ['rev-parse', '--show-toplevel'], { encoding: 'utf8', timeout: 2000, stdio: ['pipe', 'pipe', 'pipe'], windowsHide: true }).trim(); } catch { root = process.env.CLAUDE_PROJECT_DIR || process.cwd(); }
+  const hash = createHash('md5').update(root).digest('hex').slice(0, 12);
+  const dir = join(process.env.XDG_RUNTIME_DIR || join(homedir(), '.cache', 'oco'), `session-${hash}`);
+  try { mkdirSync(dir, { recursive: true }); if (lstatSync(dir).isSymbolicLink()) return join(tmpdir(), 'oco-fallback'); } catch {}
+  return dir;
+}
+function readState(dir, file, def = '') { try { return readFileSync(join(dir, file), 'utf8').trim(); } catch { return def; } }
+function writeState(dir, file, val) { try { writeFileSync(join(dir, file), String(val)); } catch {} }
+function respond(obj) { process.stdout.write(JSON.stringify(obj)); }
+function blockWith(msg) { process.stderr.write(msg); process.exit(2); }
+
+function readStdin() {
+  return new Promise((resolve) => {
+    let data = '', done = false;
+    const finish = () => { if (done) return; done = true; try { resolve(JSON.parse(data)); } catch { resolve(null); } };
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', (c) => { data += c; });
+    process.stdin.on('end', finish);
+    process.stdin.on('error', finish);
+    setTimeout(finish, 1000);
+  });
+}
+
+try {
+  const input = await readStdin();
+  const toolName = input?.tool_name || '';
+  const toolInput = input?.tool_input || {};
+  if (!toolName) process.exit(0);
+
+  const stateDir = getStateDir();
+
+  // --- Destructive command detection ---
+  if (toolName === 'Bash' || toolName === 'bash') {
+    const command = (toolInput.command || '').toLowerCase();
+    const destructive = [
+      'rm -rf', 'rm -r ', 'rmdir',
+      'git reset --hard', 'git push --force', 'git push -f ',
+      'git clean -fd', 'git checkout -- .', 'git restore .',
+      'drop table', 'drop database', 'truncate table',
+    ];
+    for (const pattern of destructive) {
+      if (command.includes(pattern)) {
+        blockWith(`OCO policy: destructive command detected (${pattern}). Use a safer alternative or confirm explicitly.`);
+      }
+    }
+  }
+
+  // --- Sensitive file protection ---
+  if (['Edit', 'Write', 'MultiEdit'].includes(toolName)) {
+    const filePath = (toolInput.file_path || toolInput.path || '').toLowerCase();
+    const sensitive = ['.env', 'credentials', 'secrets', '.key', '.pem', 'id_rsa'];
+    for (const pattern of sensitive) {
+      if (filePath.includes(pattern)) {
+        blockWith(`OCO policy: write to sensitive file (${pattern}) blocked. Review manually.`);
+      }
+    }
+  }
+
+  // --- Loop detection ---
+  const loopFile = `loop-${toolName.replace(/[^a-zA-Z0-9]/g, '_')}`;
+  let count = parseInt(readState(stateDir, loopFile, '0'), 10) + 1;
+  writeState(stateDir, loopFile, String(count));
+
+  if (count >= 5) {
+    if (count >= 8) writeState(stateDir, loopFile, '0');
+    respond({ hookSpecificOutput: { additionalContext: `OCO: tool '${toolName}' called ${count} times. Possible loop — consider a different approach.` } });
+    process.exit(0);
+  }
+
+  // --- OCO advanced gate check (optional, fire-and-forget on failure) ---
+  try {
+    const bin = process.env.OCO_BIN || 'oco';
+    const raw = execFileSync(bin, ['gate-check', '--tool', toolName, '--input', JSON.stringify(toolInput), '--format', 'json'], {
+      encoding: 'utf8', timeout: 2000, stdio: ['pipe', 'pipe', 'pipe'], windowsHide: true,
+    });
+    const gateResult = JSON.parse(raw);
+    if (gateResult?.decision === 'deny') {
+      blockWith(`OCO policy: ${gateResult.reason || 'denied by policy'}`);
+    }
+  } catch {}
+} catch {}
+
+process.exit(0);

package/plugin/hooks/stop.mjs

@@ -0,0 +1,98 @@
+// OCO Hook: Stop (cross-platform)
+// Prevents premature completion when code was modified without verification.
+// MUST exit within 4s no matter what.
+import { execFileSync } from 'node:child_process';
+import { existsSync, readFileSync, writeFileSync, unlinkSync, mkdirSync, lstatSync } from 'node:fs';
+import { join } from 'node:path';
+import { createHash } from 'node:crypto';
+import { homedir, tmpdir } from 'node:os';
+
+const killTimer = setTimeout(() => process.exit(0), 4000);
+killTimer.unref();
+process.on('uncaughtException', () => process.exit(0));
+process.on('unhandledRejection', () => process.exit(0));
+
+// --- Helpers (inlined) ---
+function getStateDir() {
+  let root;
+  try { root = execFileSync('git', ['rev-parse', '--show-toplevel'], { encoding: 'utf8', timeout: 2000, stdio: ['pipe', 'pipe', 'pipe'], windowsHide: true }).trim(); } catch { root = process.env.CLAUDE_PROJECT_DIR || process.cwd(); }
+  const hash = createHash('md5').update(root).digest('hex').slice(0, 12);
+  const dir = join(process.env.XDG_RUNTIME_DIR || join(homedir(), '.cache', 'oco'), `session-${hash}`);
+  try { mkdirSync(dir, { recursive: true }); if (lstatSync(dir).isSymbolicLink()) return join(tmpdir(), 'oco-fallback'); } catch {}
+  return dir;
+}
+function readState(dir, file, def = '') { try { return readFileSync(join(dir, file), 'utf8').trim(); } catch { return def; } }
+
+function readStdin() {
+  return new Promise((resolve) => {
+    let data = '', done = false;
+    const finish = () => { if (done) return; done = true; try { resolve(JSON.parse(data)); } catch { resolve(null); } };
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', (c) => { data += c; });
+    process.stdin.on('end', finish);
+    process.stdin.on('error', finish);
+    setTimeout(finish, 1000);
+  });
+}
+
+try {
+  const input = await readStdin();
+  const stopReason = input?.reason || 'complete';
+
+  // Only enforce verification for completion stops
+  if (stopReason !== 'complete' && stopReason !== '') process.exit(0);
+
+  const stateDir = getStateDir();
+
+  // Check if files were modified during this session
+  const modifiedLog = join(stateDir, 'modified-files');
+  if (!existsSync(modifiedLog)) process.exit(0);
+
+  let modifiedFiles;
+  try {
+    modifiedFiles = [...new Set(readFileSync(modifiedLog, 'utf8').split('\n').filter(Boolean))];
+  } catch { process.exit(0); }
+
+  if (modifiedFiles.length === 0) process.exit(0);
+
+  // Ignore non-source files (hooks, configs, docs) — no verification needed
+  // Paths may be absolute; match against full path patterns
+  const nonSourcePatterns = [/[/\\]\.claude[/\\]/, /[/\\]\.github[/\\]/, /[/\\]docs[/\\]/, /\.md$/i, /\.json$/i, /\.ya?ml$/i, /\.toml$/i, /\.mjs$/i, /\.cjs$/i];
+  const sourceFiles = modifiedFiles.filter(f => !nonSourcePatterns.some(p => p.test(f)));
+  if (sourceFiles.length === 0) process.exit(0);
+
+  // Check verification timestamp vs last modification
+  const verifyTs = parseInt(readState(stateDir, 'verify-done', '0'), 10);
+  const modifiedTs = parseInt(readState(stateDir, 'last-modified-ts', '0'), 10);
+
+  if (verifyTs >= modifiedTs && verifyTs > 0) {
+    // Verification happened after last modification — clean and allow
+    try {
+      unlinkSync(modifiedLog);
+      unlinkSync(join(stateDir, 'verify-done'));
+      unlinkSync(join(stateDir, 'last-modified-ts'));
+    } catch {}
+    process.exit(0);
+  }
+
+  // Determine needed checks from project manifests
+  const cwd = input.cwd || process.env.CLAUDE_PROJECT_DIR || process.cwd();
+  const checks = [];
+  if (existsSync(join(cwd, 'Cargo.toml'))) checks.push('build', 'test', 'clippy');
+  if (existsSync(join(cwd, 'package.json'))) {
+    try {
+      const pkg = JSON.parse(readFileSync(join(cwd, 'package.json'), 'utf8'));
+      if (pkg.scripts?.test) checks.push('test');
+      if (pkg.scripts?.lint) checks.push('lint');
+    } catch { checks.push('test'); }
+  }
+  if (existsSync(join(cwd, 'pyproject.toml')) || existsSync(join(cwd, 'setup.py'))) checks.push('test', 'typecheck');
+
+  if (checks.length === 0) process.exit(0);
+
+  const fileList = sourceFiles.slice(0, 10).join(',');
+  process.stderr.write(`OCO: ${sourceFiles.length} file(s) modified [${fileList}] but no verification run detected. Recommended checks: ${checks.join(',')}. Run build/test/lint before completing.`);
+  process.exit(2);
+} catch {}
+
+process.exit(0);

package/plugin/hooks/user-prompt-submit.cjs

@@ -0,0 +1,61 @@
+// OCO Hook: UserPromptSubmit (CommonJS, callback-based, no deadlock)
+// Non-blocking stdin — avoids readSync deadlock on Windows.
+// ALWAYS writes JSON to stdout — empty stdout triggers false "hook error" in Claude Code.
+// See: https://github.com/anthropics/claude-code/issues/36948
+'use strict';
+
+const EMPTY = JSON.stringify({});
+
+const killTimer = setTimeout(() => { process.stdout.write(EMPTY); process.exit(0); }, 3000);
+killTimer.unref();
+process.on('uncaughtException', () => { process.stdout.write(EMPTY); process.exit(0); });
+process.on('unhandledRejection', () => { process.stdout.write(EMPTY); process.exit(0); });
+
+let data = '';
+let handled = false;
+
+function done(json) {
+  if (handled) return;
+  handled = true;
+  process.stdout.write(json || EMPTY);
+  process.exit(0);
+}
+
+function handle() {
+  try {
+    const input = data ? JSON.parse(data) : null;
+    if (!input || !input.prompt) return done();
+
+    const prompt = input.prompt.toLowerCase();
+
+    const highPatterns = /\b(refactor|rewrite|migrate|redesign|overhaul|rearchitect|restructure)\b/;
+    const criticalPatterns = /\b(delete.*prod|drop.*database|reset.*hard|force.*push|rm\s+-rf)\b/;
+    const verifyPatterns = /\b(fix|bug|patch|repair|resolve|debug|test|build|deploy)\b/;
+
+    let complexity = 'medium';
+    if (criticalPatterns.test(prompt)) complexity = 'critical';
+    else if (highPatterns.test(prompt)) complexity = 'high';
+    else if (prompt.length < 30 && !verifyPatterns.test(prompt)) complexity = 'trivial';
+
+    if (complexity === 'trivial') return done();
+
+    const needsVerify = verifyPatterns.test(prompt) || complexity === 'high' || complexity === 'critical';
+
+    let guidance = '[OCO] complexity=' + complexity + ' verify=' + needsVerify;
+    if (complexity === 'high' || complexity === 'critical') {
+      guidance += ' | Recommended: investigate before acting.';
+    } else if (needsVerify) {
+      guidance += ' | Verify after changes.';
+    }
+
+    done(JSON.stringify({ hookSpecificOutput: { additionalContext: guidance } }));
+  } catch (e) {
+    done();
+  }
+}
+
+process.stdin.setEncoding('utf8');
+process.stdin.on('data', (chunk) => { data += chunk; });
+process.stdin.on('end', handle);
+process.stdin.on('error', () => done());
+setTimeout(handle, 500);