pumuki-ast-hooks 5.3.1

package/scripts/hooks-system/infrastructure/events/EventListeners.js

@@ -0,0 +1,143 @@
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+
+class EventListeners {
+    constructor(orchestrator, repoRoot) {
+        this.orchestrator = orchestrator;
+        this.repoRoot = repoRoot || process.cwd();
+        this.listeners = [];
+        this.pollingInterval = null;
+        this.lastGitState = null;
+    }
+
+    async subscribeToEvents() {
+        console.error('[EventListeners] Subscribing to events...');
+
+        this.onSessionLoad(() => this.triggerAnalysis('session-load'));
+        this.onPreCommit(() => this.triggerAnalysis('pre-commit'));
+        this.startGitWatcher();
+        this.onBranchSwitch(() => this.triggerAnalysis('branch-switch'));
+
+        console.error('[EventListeners] Event subscriptions active');
+    }
+
+    onSessionLoad(callback) {
+        console.error('[EventListeners] Session load listener registered');
+        this.listeners.push({ event: 'session-load', callback });
+    }
+
+    onPreCommit(callback) {
+        console.error('[EventListeners] Pre-commit listener registered');
+        this.listeners.push({ event: 'pre-commit', callback });
+    }
+
+    onBranchSwitch(callback) {
+        console.error('[EventListeners] Branch switch listener registered');
+        this.listeners.push({ event: 'branch-switch', callback });
+    }
+
+    startGitWatcher() {
+        if (this.pollingInterval) {
+            return;
+        }
+
+        console.error('[EventListeners] Starting Git watcher (poll every 30s)...');
+
+        this.lastGitState = this.getGitState();
+
+        this.pollingInterval = setInterval(async () => {
+            const currentState = this.getGitState();
+
+            if (this.hasGitStateChanged(currentState)) {
+                console.error('[EventListeners] Git state changed, triggering analysis...');
+                await this.triggerAnalysis('git-change');
+                this.lastGitState = currentState;
+            }
+        }, 30000);
+    }
+
+    getGitState() {
+        try {
+            const branch = execSync('git branch --show-current', {
+                cwd: this.repoRoot,
+                encoding: 'utf-8'
+            }).trim();
+
+            const staged = execSync('git diff --cached --name-only', {
+                cwd: this.repoRoot,
+                encoding: 'utf-8'
+            }).trim();
+
+            const modified = execSync('git status --porcelain', {
+                cwd: this.repoRoot,
+                encoding: 'utf-8'
+            }).trim();
+
+            return {
+                branch,
+                staged: staged ? staged.split('\n') : [],
+                modified: modified ? modified.split('\n').map(l => l.substring(3)) : []
+            };
+        } catch (error) {
+            return { branch: 'unknown', staged: [], modified: [] };
+        }
+    }
+
+    hasGitStateChanged(currentState) {
+        if (!this.lastGitState) return true;
+
+        const branchChanged = currentState.branch !== this.lastGitState.branch;
+        const stagedChanged = JSON.stringify(currentState.staged) !== JSON.stringify(this.lastGitState.staged);
+
+        return branchChanged || stagedChanged;
+    }
+
+    async triggerAnalysis(event) {
+        try {
+            console.error(`[EventListeners] Triggered by event: ${event}`);
+
+            const result = await this.orchestrator.analyzeContext();
+
+            console.error(`[EventListeners] Analysis result: ${result.action} (confidence: ${result.confidence}%)`);
+
+            if (result.action === 'auto-execute') {
+                console.error(`[EventListeners] Auto-executing ai-start for: ${result.platforms.map(p => p.platform).join(', ')}`);
+                return { executed: true, result };
+            }
+
+            if (result.action === 'ask') {
+                console.error(`[EventListeners] AI should ask user about: ${result.platforms.map(p => p.platform).join(', ')}`);
+                return { executed: false, shouldAsk: true, result };
+            }
+
+            console.error(`[EventListeners] Action: ${result.action} - ${result.reason}`);
+            return { executed: false, result };
+
+        } catch (error) {
+            console.error(`[EventListeners] Error triggering analysis:`, error.message);
+            return { executed: false, error: error.message };
+        }
+    }
+
+    stopWatching() {
+        if (this.pollingInterval) {
+            clearInterval(this.pollingInterval);
+            this.pollingInterval = null;
+            console.error('[EventListeners] Git watcher stopped');
+        }
+    }
+
+    emit(event, data) {
+        const eventListeners = this.listeners.filter(l => l.event === event);
+        eventListeners.forEach(listener => {
+            try {
+                listener.callback(data);
+            } catch (error) {
+                console.error(`[EventListeners] Error in ${event} listener:`, error.message);
+            }
+        });
+    }
+}
+
+module.exports = EventListeners;

package/scripts/hooks-system/infrastructure/events/__tests__/events.spec.js

@@ -0,0 +1,14 @@
+describe('events', () => {
+    describe('EventListeners', () => {
+        it('should export class', () => {
+            const EventListeners = require('../EventListeners');
+            expect(EventListeners).toBeDefined();
+        });
+
+        it('should be instantiable', () => {
+            const EventListeners = require('../EventListeners');
+            const instance = new EventListeners({}, '/tmp');
+            expect(instance).toBeDefined();
+        });
+    });
+});

package/scripts/hooks-system/infrastructure/external-tools/GitOperations.js

@@ -0,0 +1,54 @@
+
+const { exec } = require('child_process');
+const util = require('util');
+const execPromise = util.promisify(exec);
+
+class GitOperations {
+  async getStagedFiles() {
+    try {
+      const { stdout } = await execPromise('git diff --cached --name-only --diff-filter=ACM');
+
+      if (!stdout.trim()) {
+        return [];
+      }
+
+      return stdout
+        .trim()
+        .split('\n')
+        .filter(file => file && file.length > 0);
+
+    } catch (error) {
+      console.error('[GitOperations] Error getting staged files:', error.message);
+      return [];
+    }
+  }
+
+  async hasUnstagedChanges() {
+    try {
+      const { stdout } = await execPromise('git diff --name-only');
+      return stdout.trim().length > 0;
+    } catch (error) {
+      return false;
+    }
+  }
+
+  async getCurrentBranch() {
+    try {
+      const { stdout } = await execPromise('git branch --show-current');
+      return stdout.trim();
+    } catch (error) {
+      return 'unknown';
+    }
+  }
+
+  async getRepoRoot() {
+    try {
+      const { stdout } = await execPromise('git rev-parse --show-toplevel');
+      return stdout.trim();
+    } catch (error) {
+      return process.cwd();
+    }
+  }
+}
+
+module.exports = GitOperations;

package/scripts/hooks-system/infrastructure/external-tools/eslint/backend.config.template.mjs

@@ -0,0 +1,58 @@
+
+import tseslint from '@typescript-eslint/eslint-plugin';
+import tsparser from '@typescript-eslint/parser';
+import sonarjs from 'eslint-plugin-sonarjs';
+import security from 'eslint-plugin-security';
+
+export default [
+  {
+    ignores: [
+      'dist/**',
+      'node_modules/**',
+      'coverage/**',
+      'test/**',
+      '*.js'
+    ]
+  },
+  {
+    languageOptions: {
+      parser: tsparser,
+      parserOptions: {
+        project: true,
+        sourceType: 'module',
+      }
+    },
+    plugins: {
+      '@typescript-eslint': tseslint,
+      'sonarjs': sonarjs,
+      'security': security
+    },
+    rules: {
+      'complexity': ['error', 15],
+      'max-lines-per-function': ['error', { max: 50, skipBlankLines: true, skipComments: true }],
+      'max-lines': ['warn', { max: 500, skipBlankLines: true, skipComments: true }],
+      'max-depth': ['error', 4],
+      'max-params': ['warn', 4],
+
+      'sonarjs/cognitive-complexity': ['error', 15],
+      'sonarjs/no-duplicate-string': ['error', { threshold: 5 }],
+      'sonarjs/no-identical-functions': 'error',
+      'sonarjs/no-duplicated-branches': 'error',
+
+      '@typescript-eslint/no-explicit-any': 'error',
+      '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }],
+      '@typescript-eslint/no-floating-promises': 'error',
+      '@typescript-eslint/require-await': 'error',
+      '@typescript-eslint/return-await': ['error', 'in-try-catch'],
+
+      'security/detect-unsafe-regex': 'error',
+      'security/detect-eval-with-expression': 'error',
+
+      'no-console': ['warn', { allow: ['warn', 'error'] }],
+      'no-var': 'error',
+      'prefer-const': 'error',
+      'eqeqeq': ['error', 'always'],
+      'curly': ['error', 'all']
+    }
+  }
+];

package/scripts/hooks-system/infrastructure/git-hooks/pre-push

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Pre-push hook: BLOCK push if Git Flow is incomplete
+
+HOOKS_SYSTEM_ROOT="$(cd "$(dirname "$0")/../../scripts/hooks-system" && pwd)"
+
+# Check if we're pushing only tags (read from stdin)
+while read local_ref local_sha remote_ref remote_sha; do
+  # If pushing a tag (refs/tags/*), allow it
+  if [[ "$local_ref" =~ ^refs/tags/ ]]; then
+    echo ""
+    echo "✅ Tag push detected - allowing release workflow"
+    echo ""
+    exit 0
+  fi
+done
+
+echo ""
+echo "🔍 Validating Git Flow compliance before push..."
+echo ""
+
+if ! bash "${HOOKS_SYSTEM_ROOT}/infrastructure/shell/gitflow-enforcer.sh" check; then
+  echo ""
+  echo "🚨 PUSH BLOCKED: Complete Git Flow cycle first"
+  echo ""
+  echo "Missing steps detected. Complete them before pushing."
+  echo ""
+  exit 1
+fi
+
+echo ""
+echo "✅ Git Flow validation passed. Proceeding with push..."
+echo ""
+
+exit 0

package/scripts/hooks-system/infrastructure/git-server/pre-receive-hook

@@ -0,0 +1,253 @@
+#!/usr/bin/env bash
+# =============================================================================
+# Server-Side Pre-Receive Hook (GitHub Enterprise / Self-hosted Git)
+# =============================================================================
+# Purpose: Validate commits on server BEFORE accepting push
+# Cannot be bypassed - runs on server side
+# Author: Pumuki Team®
+# Version: 1.0.0
+# =============================================================================
+# Installation:
+#   1. For GitHub Enterprise: Configure as pre-receive hook in repository settings
+#   2. For Self-hosted Git: Copy to hooks/pre-receive on bare repository
+#   3. Make executable: chmod +x pre-receive-hook
+# =============================================================================
+
+set -euo pipefail
+
+# Read stdin (format: <old-value> <new-value> <ref-name>)
+while read oldrev newrev refname; do
+  # Extract branch name
+  branch=$(echo "$refname" | sed 's/refs\/heads\///')
+
+  echo "[SERVER] Validating push to: $branch"
+
+  # =============================================================================
+  # 1. PREVENT DIRECT PUSH TO MAIN
+  # =============================================================================
+  if [ "$branch" = "main" ]; then
+    echo "❌ [SERVER] Direct push to main is FORBIDDEN"
+    echo "   → Use Pull Request workflow instead"
+    echo "   → Push to feature/fix branch and create PR"
+    exit 1
+  fi
+
+  # =============================================================================
+  # 2. PREVENT FORCE PUSH TO PROTECTED BRANCHES
+  # =============================================================================
+  if [ "$branch" = "develop" ] || [ "$branch" = "main" ]; then
+    # Check if this is a force push
+    if git rev-list "$newrev" "^$oldrev" > /dev/null 2>&1; then
+      : # Normal push, OK
+    else
+      echo "❌ [SERVER] Force push to $branch is FORBIDDEN"
+      echo "   → Protected branches cannot be force-pushed"
+      exit 1
+    fi
+  fi
+
+  # =============================================================================
+  # 3. VALIDATE BRANCH NAMING CONVENTION
+  # =============================================================================
+  if ! echo "$branch" | grep -qE '^(main|develop|feature/|fix/|hotfix/|release/)'; then
+    echo "❌ [SERVER] Invalid branch name: $branch"
+    echo "   → Must match: feature/*, fix/*, hotfix/*, release/*, develop, main"
+    echo "   → Example: feature/user-authentication"
+    exit 1
+  fi
+
+  # =============================================================================
+  # 4. VALIDATE COMMIT MESSAGES
+  # =============================================================================
+  echo "[SERVER] Validating commit messages..."
+  commits=$(git rev-list "$oldrev".."$newrev")
+  invalid_count=0
+
+  for commit in $commits; do
+    msg=$(git log --format=%B -n 1 "$commit" | head -1)
+
+    # Check conventional commit format: type(scope): description
+    if ! echo "$msg" | grep -qE '^(feat|fix|docs|style|refactor|test|chore|perf|ci|build|revert)(\(.+\))?: .{10,}'; then
+      echo "❌ [SERVER] Invalid commit message: $commit"
+      echo "   Message: $msg"
+      echo "   → Required format: type(scope): description"
+      echo "   → Examples:"
+      echo "      • feat(auth): add JWT authentication"
+      echo "      • fix(api): resolve null pointer in users endpoint"
+      echo "      • docs: update README with installation steps"
+      invalid_count=$((invalid_count + 1))
+    fi
+  done
+
+  if [ $invalid_count -gt 0 ]; then
+    echo ""
+    echo "❌ [SERVER] $invalid_count commit(s) have invalid messages"
+    echo "   → Fix commit messages and try again"
+    exit 1
+  fi
+
+  # =============================================================================
+  # 5. CHECK FOR MERGE CONFLICT MARKERS
+  # =============================================================================
+  echo "[SERVER] Checking for conflict markers..."
+  for commit in $commits; do
+    if git diff-tree --no-commit-id --name-only -r "$commit" | xargs git show "$commit" -- | grep -qE '^(<<<<<<<|>>>>>>>|=======)'; then
+      echo "❌ [SERVER] Merge conflict markers detected in commit: $commit"
+      echo "   → Resolve conflicts before pushing"
+      exit 1
+    fi
+  done
+
+  # =============================================================================
+  # 6. VALIDATE AI EVIDENCE (Enterprise Guard - mandatory)
+  # =============================================================================
+  echo "[SERVER] Validating AI evidence..."
+  for commit in $commits; do
+    commit_epoch=$(git show -s --format=%ct "$commit")
+    evidence_blob=$(git show "$commit:.AI_EVIDENCE.json" 2>/dev/null || true)
+
+    if [ -z "$evidence_blob" ]; then
+      echo "❌ [SERVER] .AI_EVIDENCE.json missing in commit: $commit"
+      echo "   → AI protocol evidence must be committed with every change"
+      exit 1
+    fi
+
+    if ! echo "$evidence_blob" | python3 - "$commit" "$commit_epoch" <<'PY'
+import sys
+import json
+from datetime import datetime, timezone
+
+commit_hash = sys.argv[1]
+commit_epoch = int(sys.argv[2])
+
+errors = []
+
+try:
+    evidence = json.load(sys.stdin)
+except json.JSONDecodeError as exc:
+    print(f"Invalid JSON format ({exc})")
+    sys.exit(1)
+
+timestamp = evidence.get("timestamp")
+if not timestamp or not isinstance(timestamp, str) or not timestamp.strip():
+    errors.append("Missing timestamp in .AI_EVIDENCE.json")
+else:
+    try:
+        dt = datetime.strptime(timestamp.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
+        diff_seconds = abs(commit_epoch - int(dt.timestamp()))
+        if diff_seconds > 600:
+            errors.append(f"Timestamp drift {diff_seconds}s exceeds 600s limit")
+    except ValueError:
+        errors.append(f"Invalid timestamp format: {timestamp}")
+
+questions = evidence.get("protocol_3_questions") or {}
+answered = questions.get("answered")
+
+def is_placeholder(value):
+    if value is None:
+        return True
+    text = str(value).strip()
+    if not text:
+        return True
+    return text.lower().startswith("todo")
+
+if answered is not True:
+    errors.append("Protocol 3 questions not answered")
+
+q1 = questions.get("question_1_file_type")
+q2 = questions.get("question_2_similar_exists")
+q3 = questions.get("question_3_clean_architecture")
+
+if any(is_placeholder(val) for val in (q1, q2, q3)):
+    errors.append("Protocol 3 questions contain placeholders or empty values")
+
+justification = evidence.get("justification")
+if is_placeholder(justification):
+    errors.append("Justification is missing or marked as TODO")
+
+rules_read = evidence.get("rules_read")
+verified_rules = []
+all_verified = True
+
+if isinstance(rules_read, list):
+    for entry in rules_read:
+        if not isinstance(entry, dict):
+            continue
+        if entry.get("verified") is not True:
+            all_verified = False
+        file_name = entry.get("file")
+        if file_name:
+            verified_rules.append(file_name)
+elif isinstance(rules_read, dict):
+    if rules_read.get("verified") is not True:
+        all_verified = False
+    file_name = rules_read.get("file")
+    if file_name:
+        verified_rules.append(file_name)
+else:
+    errors.append("rules_read missing or invalid format")
+
+if not verified_rules:
+    errors.append("No rules recorded in rules_read")
+elif not all_verified:
+    errors.append("Some rules in rules_read are not marked as verified")
+
+if errors:
+    for err in errors:
+        print(f"{commit_hash}: {err}")
+    sys.exit(1)
+PY
+    then
+      echo "❌ [SERVER] AI evidence validation failed for commit: $commit"
+      exit 1
+    fi
+  done
+
+  # =============================================================================
+  # 7. CHECK FOR SECRETS / SENSITIVE DATA
+  # =============================================================================
+  echo "[SERVER] Scanning for hardcoded secrets..."
+  for commit in $commits; do
+    # Get files changed in commit
+    files=$(git diff-tree --no-commit-id --name-only -r "$commit" | grep -E '\.(ts|js|tsx|jsx|py|java|kt|swift)$' || true)
+
+    for file in $files; do
+      if git show "$commit:$file" 2>/dev/null | grep -qiE '(password|api_key|secret|token|bearer)\s*[:=]\s*["\x27][^"\x27]{8,}["\x27]'; then
+        echo "❌ [SERVER] Potential hardcoded secret detected"
+        echo "   Commit: $commit"
+        echo "   File: $file"
+        echo "   → Remove sensitive data and use environment variables"
+        exit 1
+      fi
+    done
+  done
+
+  # =============================================================================
+  # 8. VALIDATE FILE SIZE LIMITS
+  # =============================================================================
+  echo "[SERVER] Checking file sizes..."
+  for commit in $commits; do
+    # Get files changed with sizes
+    large_files=$(git diff-tree --no-commit-id -r --diff-filter=ACMRT "$commit" | \
+      awk '{print $4, $5}' | \
+      while read size file; do
+        if [ "$size" -gt 1048576 ]; then # 1MB
+          echo "$file ($((size / 1024))KB)"
+        fi
+      done)
+
+    if [ -n "$large_files" ]; then
+      echo "⚠️  [SERVER] Large files detected in commit: $commit"
+      echo "$large_files"
+      echo "   → Consider using Git LFS for large files"
+    fi
+  done
+
+  echo "[SERVER] ✅ All validations passed for branch: $branch"
+done
+
+# All validations passed
+echo ""
+echo "✅ [SERVER] Push accepted"
+echo "   All commits validated successfully"
+exit 0

package/scripts/hooks-system/infrastructure/guards/git-wrapper.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# Git Wrapper - Prevents --no-verify bypass
+# Install: alias git='/path/to/git-wrapper.sh'
+
+RED='\033[0;31m'
+NC='\033[0m'
+
+REAL_GIT=$(which git | grep -v "git-wrapper" | head -1)
+
+# Check for --no-verify in arguments
+if [[ "$*" == *"--no-verify"* ]]; then
+  echo -e "${RED}╔══════════════════════════════════════════════════════════╗${NC}"
+  echo -e "${RED}║  ❌ ABSOLUTELY FORBIDDEN: --no-verify                   ║${NC}"
+  echo -e "${RED}║                                                          ║${NC}"
+  echo -e "${RED}║  Hook system took 6 months to build.                    ║${NC}"
+  echo -e "${RED}║  It exists to PREVENT bad code.                         ║${NC}"
+  echo -e "${RED}║                                                          ║${NC}"
+  echo -e "${RED}║  FIX THE VIOLATIONS. DO NOT BYPASS.                     ║${NC}"
+  echo -e "${RED}╚══════════════════════════════════════════════════════════╝${NC}"
+
+  # Log attempt
+  mkdir -p .audit_tmp
+  echo "$(date -u +%Y-%m-%dT%H:%M:%SZ)|BLOCKED|--no-verify|$USER|$(git branch --show-current 2>/dev/null)||$*" >> .audit_tmp/bypass-attempts.log
+
+  # Notify
+  osascript -e 'display notification "Blocked --no-verify attempt!" with title "🚫 Hook Bypass Blocked" sound name "Basso"' 2>/dev/null || true
+
+  exit 1
+fi
+
+# Execute real git
+exec "$REAL_GIT" "$@"