peaks-cli 2.0.3 → 2.0.4

package/CHANGELOG.md

@@ -7,6 +7,53 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [2.0.4] — 2026-06-13 (hotfix)
+
+### Fixed
+
+- **PreToolUse hook `command` field was bare JavaScript source, not a
+  `node -e "..."` one-liner.** `peaks workspace init` writes
+  `.claude/settings.local.json` containing two PreToolUse hooks (one
+  for `Bash`, one for `Write|Edit|MultiEdit`) whose `command` field
+  was the inner JS payload without the `node -e "..."` wrapper.
+  Claude Code executes the `command` field as a shell string, so
+  bash saw literal `const c=process.argv[1]...` and tripped
+  `syntax error near unexpected token`. Net effect on every 2.0.3
+  install on Windows + macOS + Linux:
+  - Every Bash tool call (peaks CLI or otherwise) was rejected.
+  - Every Write / Edit / MultiEdit call was rejected.
+  - The [Fact-Forcing Gate] bypass that `peaks workspace init` was
+    supposed to install was therefore self-defeating — the bypass
+    broke the gate itself, and the gate could not be reached to fix
+    it.
+  Recovery required the user to delete `.claude/settings.local.json`
+  manually (losing the bypass permanently) or hand-patch the
+  `command` field (drift vs the template).
+  The fix wraps both builders' JS payloads in a real shell-evaluable
+  `node -e "<js>"` form via a new `wrapAsNodeOneLiner` helper in
+  `src/services/workspace/claude-settings-template.ts`. Inner `"`
+  are escaped to `\"`; backslashes pass through unchanged so regex
+  literals like `/\.peaks\//` still match correctly. `process.argv[1]`
+  is the correct slot under `-e` per Node.js docs
+  (https://nodejs.org/api/process.html#processargv) — consistent
+  across Windows, macOS, and Linux. The docstring is reconciled
+  with the implementation (the previous docstring incorrectly said
+  `argv[2]`).
+
+  Regression tests cover:
+  - `buildBashHookCommand()` and `buildWriteHookCommand()` return
+    `node -e "..."` form.
+  - Inner `"` are escaped to `\"`.
+  - Spawning the wrapped command with `peaks workspace init --project . --json`
+    exits 0; with `npm install foo` exits non-zero.
+  - Spawning the Write hook with `.peaks/_runtime/...` and
+    `.peaks/<changeId>/...` paths exits 0; with `src/...`,
+    `package.json`, `.peaks/_archive/...` exits non-zero.
+  - The existing workspace-init round-trip test (case A/B/C) still
+    passes with the wrapper.
+
+---
+
 ## [2.0.3] — 2026-06-13
 
 ### Fixed

package/dist/src/services/workspace/claude-settings-template.js

@@ -52,10 +52,43 @@ const PEAKS_SUBCOMMAND_ALLOWLIST = [
     'upgrade'
 ];
 /**
- * Build the Bash matcher command. The command is a node -e one-liner
- * that reads its candidate command string from argv[2] and exits 0
- * iff the command starts with `peaks <whitelisted-subcommand> ` (or
- * is exactly `peaks <whitelisted-subcommand>` with no trailing args).
+ * Wrap an inner JavaScript payload as a shell-evaluable `node -e "..."`
+ * one-liner. The returned string is what Claude Code writes verbatim
+ * into `.claude/settings.local.json` under the `command` field. Per
+ * Node.js docs (https://nodejs.org/api/process.html#processargv), when
+ * using `-e` there is no script-file slot, so `process.argv[1]` is the
+ * first user-passed extra argument. This is consistent across Windows,
+ * macOS, and Linux.
+ *
+ * Every `"` character in the inner JS must be JSON-escaped as `\\"`
+ * so that the surrounding wrapper `node -e "..."` parses correctly:
+ * the shell sees the escape and passes a literal `"` to Node. A
+ * single missed escape closes the wrapper early and the entire hook
+ * regresses to the bash-syntax-error class of bug.
+ *
+ * @param js Inner JavaScript payload. Must be a single statement or a
+ *           sequence of statements joined with `;`. The wrapper does
+ *           not insert any `;` between the payload and the closing
+ *           `"` because Node accepts a trailing expression with `;`
+ *           already terminated by the payload itself.
+ */
+function wrapAsNodeOneLiner(js) {
+    // Only `"` needs JSON-escaping: the wrapper uses double quotes, so an
+    // unescaped inner `"` would close the wrapper prematurely. Backslashes
+    // do NOT need escaping here — bash inside a `"..."` wrapper reduces
+    // `\\` to `\`, so any `\X` in the inner JS reaches Node as `\X`,
+    // which is what regex literals like `/\.peaks\//` need. Adding a
+    // second `\\` → `\\` pass would double-escape backslashes and break
+    // every regex literal the inner JS contains.
+    const escaped = js.replace(/"/g, '\\"');
+    return `node -e "${escaped}"`;
+}
+/**
+ * Build the Bash matcher command. The command is a `node -e "..."`
+ * one-liner that reads its candidate command string from `argv[1]`
+ * and exits 0 iff the command starts with
+ * `peaks <whitelisted-subcommand> ` (or is exactly
+ * `peaks <whitelisted-subcommand>` with no trailing args).
  *
  * The list is serialised as a JSON array literal embedded in the
  * command string so we avoid regex special-character pitfalls and
@@ -63,15 +96,17 @@ const PEAKS_SUBCOMMAND_ALLOWLIST = [
  */
 function buildBashHookCommand() {
     const allowlistLiteral = JSON.stringify(PEAKS_SUBCOMMAND_ALLOWLIST);
-    // The command reads process.argv[2] (the tool-call command string),
-    // checks it starts with `peaks `, splits on whitespace, and looks
-    // up the second token in the allowlist. Exit 0 = allow, exit 1 =
-    // deny (so the gate fires for non-peaks commands).
-    return ('const c=process.argv[1]||"";' +
+    // The command reads process.argv[1] (the tool-call command string
+    // passed by Claude Code), checks it starts with `peaks `, splits on
+    // whitespace, and looks up the second token in the allowlist. Exit
+    // 0 = allow, exit 1 = deny (so the gate fires for non-peaks
+    // commands).
+    const js = 'const c=process.argv[1]||"";' +
         'if(!c.startsWith("peaks "))process.exit(1);' +
         'const sub=c.slice(6).trim().split(/\\s+/)[0];' +
         `if(${allowlistLiteral}.indexOf(sub)===-1)process.exit(1);` +
-        'process.exit(0)');
+        'process.exit(0)';
+    return wrapAsNodeOneLiner(js);
 }
 /**
  * Build the Write|Edit|MultiEdit matcher command. The command reads
@@ -91,12 +126,14 @@ function buildWriteHookCommand() {
     // Path-matching: allow when the path contains `.peaks/_runtime/`
     // OR when the second `.peaks/` segment starts with anything that
     // looks like a change-id (kebab-case slug). Exit 0 for allow, exit
-    // 1 for deny.
-    return ('const p=process.argv[1]||"";' +
+    // 1 for deny. The candidate path arrives on `process.argv[1]` per
+    // Node.js argv layout under `-e` (cross-platform consistent).
+    const js = 'const p=process.argv[1]||"";' +
         'if(p.includes(".peaks/_runtime/"))process.exit(0);' +
         'const m=p.match(/\\.peaks\\/([a-z0-9][a-z0-9.-]*)\\//);' +
         'if(m&&m[1]&&m[1]!=="_runtime"&&m[1]!=="_dogfood"&&m[1]!=="_sub_agents"&&m[1]!=="_archive"&&m[1]!=="memory"&&m[1]!=="issues"&&m[1]!=="sops"&&m[1]!=="retrospective"&&m[1]!=="project-scan"&&m[1]!=="perf-baseline")process.exit(0);' +
-        'process.exit(1)');
+        'process.exit(1)';
+    return wrapAsNodeOneLiner(js);
 }
 /**
  * Build the full template object. The shape is the subset of Claude

package/dist/src/shared/version.d.ts

@@ -1 +1 @@
-export declare const CLI_VERSION = "2.0.3";
+export declare const CLI_VERSION = "2.0.4";

package/dist/src/shared/version.js

@@ -1 +1 @@
-export const CLI_VERSION = "2.0.3";
+export const CLI_VERSION = "2.0.4";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "peaks-cli",
-  "version": "2.0.3",
+  "version": "2.0.4",
   "description": "Cross-AI-IDE workflow-gating CLI + skill family (Claude Code shipped, Trae in progress; Codex / Cursor / Qoder / Tongyi Lingma on the roadmap).",
   "author": "SquabbyZ",
   "license": "MIT",