oh-my-customcodex 0.5.18 → 0.5.20
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/index.js +1 -1
- package/dist/index.js +1 -1
- package/package.json +1 -1
- package/templates/.claude/hooks/hooks.json +10 -0
- package/templates/.claude/hooks/scripts/shell-reserved-var-advisor.sh +25 -0
- package/templates/.claude/rules/MUST-completion-verification.md +4 -2
- package/templates/manifest.json +1 -1
- package/templates/workflows/auto-dev.yaml +5 -0
package/dist/cli/index.js
CHANGED
package/dist/index.js
CHANGED
package/package.json
CHANGED
|
@@ -102,6 +102,16 @@
|
|
|
102
102
|
],
|
|
103
103
|
"description": "Block Bash/Write/Edit writes into .claude/ sensitive paths before Claude Code permission prompts fire"
|
|
104
104
|
},
|
|
105
|
+
{
|
|
106
|
+
"matcher": "tool == \"Bash\" && tool_input.command matches \"(^|[[:space:];&|])(status|path|argv)[[:space:]]*=\"",
|
|
107
|
+
"hooks": [
|
|
108
|
+
{
|
|
109
|
+
"type": "command",
|
|
110
|
+
"command": "bash .codex/hooks/scripts/shell-reserved-var-advisor.sh"
|
|
111
|
+
}
|
|
112
|
+
],
|
|
113
|
+
"description": "Warn on zsh/bash reserved variable assignments such as status=, path=, or argv= before shell execution (R020/#1491)"
|
|
114
|
+
},
|
|
105
115
|
{
|
|
106
116
|
"matcher": "tool == \"Bash\"",
|
|
107
117
|
"hooks": [
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
#!/usr/bin/env bash
|
|
2
|
+
# shell-reserved-var-advisor.sh — advisory guard for zsh/bash special variable assignments.
|
|
3
|
+
# Trigger: PreToolUse (Bash matcher)
|
|
4
|
+
|
|
5
|
+
set -euo pipefail
|
|
6
|
+
|
|
7
|
+
input=$(cat)
|
|
8
|
+
command=$(printf '%s' "$input" | jq -r '.tool_input.command // ""' 2>/dev/null || true)
|
|
9
|
+
|
|
10
|
+
if [ -z "$command" ]; then
|
|
11
|
+
printf '%s' "$input"
|
|
12
|
+
exit 0
|
|
13
|
+
fi
|
|
14
|
+
|
|
15
|
+
# zsh exposes several lowercase special parameters as read-only or semantically
|
|
16
|
+
# dangerous. `status=...` is the frequent footgun in polling snippets; `path`
|
|
17
|
+
# and `argv` are arrays/special parameters. Match assignment starts after common
|
|
18
|
+
# shell separators or whitespace, but do not match safe names like run_status=.
|
|
19
|
+
if printf '%s\n' "$command" | grep -Eq '(^|[[:space:];&|])(status|path|argv)[[:space:]]*='; then
|
|
20
|
+
echo '[Hook] WARNING: reserved shell variable assignment detected (R020/#1491).' >&2
|
|
21
|
+
echo '[Hook] Avoid zsh/bash special names: status, path, argv.' >&2
|
|
22
|
+
echo '[Hook] Use safe names such as run_status, cmd_path, or args before executing.' >&2
|
|
23
|
+
fi
|
|
24
|
+
|
|
25
|
+
printf '%s' "$input"
|
|
@@ -85,8 +85,10 @@ Before invoking or registering generated workflow code, run a Tier-1 sanity pass
|
|
|
85
85
|
|
|
86
86
|
1. Search for unresolved placeholders, malformed identifiers, and known dead-line patterns.
|
|
87
87
|
2. Assemble the exact script body before execution; do not concatenate facts or guardrails after the call starts.
|
|
88
|
-
3.
|
|
89
|
-
4.
|
|
88
|
+
3. For compound shell verification or release gates, start the script with `set -euo pipefail`; `set -o pipefail` alone does not stop later sequential gates after an earlier command fails.
|
|
89
|
+
4. For zsh/bash snippets, avoid reserved or special variable names such as `status`, `path`, and `argv`; use `run_status`, `cmd_path`, `args`, or similarly specific names.
|
|
90
|
+
5. Run the language parser or the narrowest no-side-effect syntax check available.
|
|
91
|
+
6. If syntax validation is unavailable, read the generated body back and perform a focused self-review before launch.
|
|
90
92
|
|
|
91
93
|
This check is mandatory for workflow scripts that will run automation, mutate GitHub state, or gate a release.
|
|
92
94
|
|
package/templates/manifest.json
CHANGED
|
@@ -126,6 +126,11 @@ steps:
|
|
|
126
126
|
- If a scoped issue is added or materially changed after verify-build starts, reset this phase and re-run the full verify-build gate for the new aggregate scope.
|
|
127
127
|
- Do not proceed to release from a verify-build result collected before the latest scoped implementation change.
|
|
128
128
|
|
|
129
|
+
Shell execution discipline:
|
|
130
|
+
- Run compound verification commands under `set -euo pipefail` so lint, typecheck, tests, and build halt on the first failed gate.
|
|
131
|
+
- Do not rely on `set -o pipefail` alone for sequential verification chains.
|
|
132
|
+
- Avoid reserved shell variable names in polling or status snippets (`status`, `path`, `argv`); use `run_status`, `cmd_path`, or `args` instead.
|
|
133
|
+
|
|
129
134
|
For Node/Bun projects:
|
|
130
135
|
1. Run `bun install` and halt on lockfile drift.
|
|
131
136
|
2. Run `bun run lint` when available.
|