oh-my-customcodex 0.5.18 → 0.5.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/cli/index.js CHANGED
@@ -3091,7 +3091,7 @@ var init_package = __esm(() => {
3091
3091
  workspaces: [
3092
3092
  "packages/*"
3093
3093
  ],
3094
- version: "0.5.18",
3094
+ version: "0.5.20",
3095
3095
  requiresCC: ">=2.1.121",
3096
3096
  claudeCode: {
3097
3097
  minimumVersion: "2.1.121",
package/dist/index.js CHANGED
@@ -2316,7 +2316,7 @@ var package_default = {
2316
2316
  workspaces: [
2317
2317
  "packages/*"
2318
2318
  ],
2319
- version: "0.5.18",
2319
+ version: "0.5.20",
2320
2320
  requiresCC: ">=2.1.121",
2321
2321
  claudeCode: {
2322
2322
  minimumVersion: "2.1.121",
package/package.json CHANGED
@@ -3,7 +3,7 @@
3
3
  "workspaces": [
4
4
  "packages/*"
5
5
  ],
6
- "version": "0.5.18",
6
+ "version": "0.5.20",
7
7
  "requiresCC": ">=2.1.121",
8
8
  "claudeCode": {
9
9
  "minimumVersion": "2.1.121",
@@ -102,6 +102,16 @@
102
102
  ],
103
103
  "description": "Block Bash/Write/Edit writes into .claude/ sensitive paths before Claude Code permission prompts fire"
104
104
  },
105
+ {
106
+ "matcher": "tool == \"Bash\" && tool_input.command matches \"(^|[[:space:];&|])(status|path|argv)[[:space:]]*=\"",
107
+ "hooks": [
108
+ {
109
+ "type": "command",
110
+ "command": "bash .codex/hooks/scripts/shell-reserved-var-advisor.sh"
111
+ }
112
+ ],
113
+ "description": "Warn on zsh/bash reserved variable assignments such as status=, path=, or argv= before shell execution (R020/#1491)"
114
+ },
105
115
  {
106
116
  "matcher": "tool == \"Bash\"",
107
117
  "hooks": [
@@ -0,0 +1,25 @@
1
+ #!/usr/bin/env bash
2
+ # shell-reserved-var-advisor.sh — advisory guard for zsh/bash special variable assignments.
3
+ # Trigger: PreToolUse (Bash matcher)
4
+
5
+ set -euo pipefail
6
+
7
+ input=$(cat)
8
+ command=$(printf '%s' "$input" | jq -r '.tool_input.command // ""' 2>/dev/null || true)
9
+
10
+ if [ -z "$command" ]; then
11
+ printf '%s' "$input"
12
+ exit 0
13
+ fi
14
+
15
+ # zsh exposes several lowercase special parameters as read-only or semantically
16
+ # dangerous. `status=...` is the frequent footgun in polling snippets; `path`
17
+ # and `argv` are arrays/special parameters. Match assignment starts after common
18
+ # shell separators or whitespace, but do not match safe names like run_status=.
19
+ if printf '%s\n' "$command" | grep -Eq '(^|[[:space:];&|])(status|path|argv)[[:space:]]*='; then
20
+ echo '[Hook] WARNING: reserved shell variable assignment detected (R020/#1491).' >&2
21
+ echo '[Hook] Avoid zsh/bash special names: status, path, argv.' >&2
22
+ echo '[Hook] Use safe names such as run_status, cmd_path, or args before executing.' >&2
23
+ fi
24
+
25
+ printf '%s' "$input"
@@ -85,8 +85,10 @@ Before invoking or registering generated workflow code, run a Tier-1 sanity pass
85
85
 
86
86
  1. Search for unresolved placeholders, malformed identifiers, and known dead-line patterns.
87
87
  2. Assemble the exact script body before execution; do not concatenate facts or guardrails after the call starts.
88
- 3. Run the language parser or the narrowest no-side-effect syntax check available.
89
- 4. If syntax validation is unavailable, read the generated body back and perform a focused self-review before launch.
88
+ 3. For compound shell verification or release gates, start the script with `set -euo pipefail`; `set -o pipefail` alone does not stop later sequential gates after an earlier command fails.
89
+ 4. For zsh/bash snippets, avoid reserved or special variable names such as `status`, `path`, and `argv`; use `run_status`, `cmd_path`, `args`, or similarly specific names.
90
+ 5. Run the language parser or the narrowest no-side-effect syntax check available.
91
+ 6. If syntax validation is unavailable, read the generated body back and perform a focused self-review before launch.
90
92
 
91
93
  This check is mandatory for workflow scripts that will run automation, mutate GitHub state, or gate a release.
92
94
 
@@ -1,5 +1,5 @@
1
1
  {
2
- "version": "0.5.18",
2
+ "version": "0.5.20",
3
3
  "requiresCC": ">=2.1.121",
4
4
  "claudeCode": {
5
5
  "minimumVersion": "2.1.121",
@@ -126,6 +126,11 @@ steps:
126
126
  - If a scoped issue is added or materially changed after verify-build starts, reset this phase and re-run the full verify-build gate for the new aggregate scope.
127
127
  - Do not proceed to release from a verify-build result collected before the latest scoped implementation change.
128
128
 
129
+ Shell execution discipline:
130
+ - Run compound verification commands under `set -euo pipefail` so lint, typecheck, tests, and build halt on the first failed gate.
131
+ - Do not rely on `set -o pipefail` alone for sequential verification chains.
132
+ - Avoid reserved shell variable names in polling or status snippets (`status`, `path`, `argv`); use `run_status`, `cmd_path`, or `args` instead.
133
+
129
134
  For Node/Bun projects:
130
135
  1. Run `bun install` and halt on lockfile drift.
131
136
  2. Run `bun run lint` when available.