pumuki-ast-hooks 5.5.49 → 5.5.51

package/hooks/git-status-monitor.ts

@@ -42,6 +42,7 @@ function getGitStatus(projectDir: string): GitStatus | null {
             hasUncommittedChanges: lines.length > 0
         };
     } catch (err) {
+        console.error(`[git-status-monitor] Failed to read git status: ${(err as Error).message}`);
         return null;
     }
 }
@@ -79,6 +80,7 @@ function detectPlatformFromFiles(projectDir: string): string[] {
             }
         }
     } catch (err) {
+        console.error(`[git-status-monitor] Failed to detect platforms from files: ${(err as Error).message}`);
     }
 
     return platforms.length > 0 ? platforms : ['frontend', 'backend', 'ios', 'android'];
@@ -134,6 +136,7 @@ async function main() {
                     sound: 'Ping'
                 });
             } catch (err) {
+                console.error(`[git-status-monitor] Notification failed (staged): ${(err as Error).message}`);
             }
         } else if (totalChanges > 10) {
             try {
@@ -144,11 +147,13 @@ async function main() {
                     sound: 'Glass'
                 });
             } catch (err) {
+                console.error(`[git-status-monitor] Notification failed (unstaged): ${(err as Error).message}`);
             }
         }
 
         process.exit(0);
     } catch (err) {
+        console.error(`[git-status-monitor] Unexpected error: ${(err as Error).message}`);
         process.exit(0);
     }
 }

package/hooks/notify-macos.ts

@@ -24,6 +24,7 @@ export function sendMacOSNotification(options: NotificationOptions): void {
     try {
         execSync(`osascript -e '${script}'`, { stdio: 'ignore' });
     } catch (err) {
+        console.error(`[notify-macos] Failed to send notification: ${(err as Error).message}`);
     }
 }
 

package/hooks/pre-tool-use-evidence-validator.ts

@@ -235,6 +235,7 @@ async function main() {
                     sound: 'Basso'
                 });
             } catch (err) {
+                process.stderr.write(`Notification failed: ${err instanceof Error ? err.message : String(err)}\n`);
             }
             process.stderr.write(`${validation.error || ''}\n`);
             process.exit(2);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki-ast-hooks",
-  "version": "5.5.49",
+  "version": "5.5.51",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/scripts/hooks-system/.audit_tmp/hook-metrics.jsonl

@@ -102,3 +102,59 @@
 {"timestamp":1767739777882,"hook":"audit_logger","operation":"ensure_dir","status":"started"}
 {"timestamp":1767739777882,"hook":"audit_logger","operation":"ensure_dir","status":"success"}
 {"timestamp":1767739777882,"hook":"audit_logger","operation":"constructor","status":"success","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767772854432,"hook":"audit_logger","operation":"constructor","status":"started","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767772854432,"hook":"audit_logger","operation":"ensure_dir","status":"started"}
+{"timestamp":1767772854432,"hook":"audit_logger","operation":"ensure_dir","status":"success"}
+{"timestamp":1767772854432,"hook":"audit_logger","operation":"constructor","status":"success","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767772971939,"hook":"audit_logger","operation":"constructor","status":"started","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767772971939,"hook":"audit_logger","operation":"ensure_dir","status":"started"}
+{"timestamp":1767772971939,"hook":"audit_logger","operation":"ensure_dir","status":"success"}
+{"timestamp":1767772971939,"hook":"audit_logger","operation":"constructor","status":"success","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767775802167,"hook":"audit_logger","operation":"constructor","status":"started","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767775802167,"hook":"audit_logger","operation":"ensure_dir","status":"started"}
+{"timestamp":1767775802167,"hook":"audit_logger","operation":"ensure_dir","status":"success"}
+{"timestamp":1767775802167,"hook":"audit_logger","operation":"constructor","status":"success","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767775833943,"hook":"audit_logger","operation":"constructor","status":"started","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767775833943,"hook":"audit_logger","operation":"ensure_dir","status":"started"}
+{"timestamp":1767775833943,"hook":"audit_logger","operation":"ensure_dir","status":"success"}
+{"timestamp":1767775833943,"hook":"audit_logger","operation":"constructor","status":"success","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767776135844,"hook":"audit_logger","operation":"constructor","status":"started","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767776135844,"hook":"audit_logger","operation":"ensure_dir","status":"started"}
+{"timestamp":1767776135844,"hook":"audit_logger","operation":"ensure_dir","status":"success"}
+{"timestamp":1767776135844,"hook":"audit_logger","operation":"constructor","status":"success","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767776384649,"hook":"audit_logger","operation":"constructor","status":"started","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767776384649,"hook":"audit_logger","operation":"ensure_dir","status":"started"}
+{"timestamp":1767776384649,"hook":"audit_logger","operation":"ensure_dir","status":"success"}
+{"timestamp":1767776384649,"hook":"audit_logger","operation":"constructor","status":"success","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767777653343,"hook":"audit_logger","operation":"constructor","status":"started","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767777653343,"hook":"audit_logger","operation":"ensure_dir","status":"started"}
+{"timestamp":1767777653343,"hook":"audit_logger","operation":"ensure_dir","status":"success"}
+{"timestamp":1767777653344,"hook":"audit_logger","operation":"constructor","status":"success","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767778142566,"hook":"audit_logger","operation":"constructor","status":"started","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767778142567,"hook":"audit_logger","operation":"ensure_dir","status":"started"}
+{"timestamp":1767778142567,"hook":"audit_logger","operation":"ensure_dir","status":"success"}
+{"timestamp":1767778142567,"hook":"audit_logger","operation":"constructor","status":"success","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767778800954,"hook":"audit_logger","operation":"constructor","status":"started","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767778800955,"hook":"audit_logger","operation":"ensure_dir","status":"started"}
+{"timestamp":1767778800955,"hook":"audit_logger","operation":"ensure_dir","status":"success"}
+{"timestamp":1767778800955,"hook":"audit_logger","operation":"constructor","status":"success","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767779528552,"hook":"audit_logger","operation":"constructor","status":"started","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767779528552,"hook":"audit_logger","operation":"ensure_dir","status":"started"}
+{"timestamp":1767779528552,"hook":"audit_logger","operation":"ensure_dir","status":"success"}
+{"timestamp":1767779528552,"hook":"audit_logger","operation":"constructor","status":"success","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767779903813,"hook":"audit_logger","operation":"constructor","status":"started","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767779903813,"hook":"audit_logger","operation":"ensure_dir","status":"started"}
+{"timestamp":1767779903813,"hook":"audit_logger","operation":"ensure_dir","status":"success"}
+{"timestamp":1767779903813,"hook":"audit_logger","operation":"constructor","status":"success","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767780497468,"hook":"audit_logger","operation":"constructor","status":"started","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767780497468,"hook":"audit_logger","operation":"ensure_dir","status":"started"}
+{"timestamp":1767780497468,"hook":"audit_logger","operation":"ensure_dir","status":"success"}
+{"timestamp":1767780497468,"hook":"audit_logger","operation":"constructor","status":"success","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767780655724,"hook":"audit_logger","operation":"constructor","status":"started","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767780655725,"hook":"audit_logger","operation":"ensure_dir","status":"started"}
+{"timestamp":1767780655725,"hook":"audit_logger","operation":"ensure_dir","status":"success"}
+{"timestamp":1767780655725,"hook":"audit_logger","operation":"constructor","status":"success","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767782291627,"hook":"audit_logger","operation":"constructor","status":"started","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}
+{"timestamp":1767782291627,"hook":"audit_logger","operation":"ensure_dir","status":"started"}
+{"timestamp":1767782291627,"hook":"audit_logger","operation":"ensure_dir","status":"success"}
+{"timestamp":1767782291627,"hook":"audit_logger","operation":"constructor","status":"success","repoRoot":"/Users/juancarlosmerlosalbarracin/Developer/Projects/ast-intelligence-hooks/scripts/hooks-system"}

package/scripts/hooks-system/application/services/guard/GuardConfig.js

@@ -3,9 +3,11 @@ const AuditLogger = require('../logging/AuditLogger');
 
 class GuardConfig {
     constructor(env = envHelper) {
-        
-        this.auditLogger = new AuditLogger({ repoRoot: process.cwd() });const getNumber = (name, def) =>
+        this.auditLogger = new AuditLogger({ repoRoot: process.cwd() });
+
+        const getNumber = (name, def) =>
             typeof env.getNumber === 'function' ? env.getNumber(name, def) : Number(env[name] || def);
+
         const getBool = (name, def) =>
             typeof env.getBool === 'function' ? env.getBool(name, def) : (env[name] !== 'false');
 

package/scripts/hooks-system/application/services/installation/GitEnvironmentService.js

@@ -128,6 +128,20 @@ if [[ "$CURRENT_BRANCH" == "main" ]] || [[ "$CURRENT_BRANCH" == "master" ]] || [
   exit 1
 fi
 
+# Enforce Git Flow checks (strict) before allowing commit
+ENFORCER_SCRIPT="scripts/hooks-system/infrastructure/shell/gitflow/gitflow-enforcer.sh"
+if [[ -f "$ENFORCER_SCRIPT" ]]; then
+  echo ""
+  echo "🔍 Running Git Flow checks (strict)..."
+  echo ""
+  if ! GITFLOW_STRICT_CHECK=true bash "$ENFORCER_SCRIPT" check; then
+    echo ""
+    echo "🚨 COMMIT BLOCKED: Git Flow checks failed"
+    echo ""
+    exit 1
+  fi
+fi
+
 # Check if there are staged files
 STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null | grep -E '\\.(ts|tsx|js|jsx|swift|kt)$' || true)
 if [ -z "$STAGED_FILES" ]; then
@@ -263,10 +277,14 @@ fi
 # Run gitflow-enforcer if available (optional validation)
 ENFORCER_SCRIPT="scripts/hooks-system/infrastructure/shell/gitflow/gitflow-enforcer.sh"
 if [[ -f "$ENFORCER_SCRIPT" ]]; then
-  if ! bash "$ENFORCER_SCRIPT" check 2>/dev/null; then
+  echo ""
+  echo "🔍 Running Git Flow checks (strict)..."
+  echo ""
+  if ! GITFLOW_STRICT_CHECK=true bash "$ENFORCER_SCRIPT" check; then
     echo ""
-    echo "⚠️  Git Flow check completed with warnings (non-blocking)"
+    echo "🚨 PUSH BLOCKED: Git Flow checks failed"
     echo ""
+    exit 1
   fi
 fi
 

package/scripts/hooks-system/application/services/installation/McpConfigurator.js

@@ -130,33 +130,99 @@ class McpConfigurator {
             }
         };
 
-        const globalConfigPath = this.getGlobalWindsurfConfigPath();
-        const globalConfigDir = path.dirname(globalConfigPath);
-        if (!fs.existsSync(globalConfigDir)) {
-            fs.mkdirSync(globalConfigDir, { recursive: true });
-        }
+        this.configureProjectScoped(mcpConfig, serverId);
+        this.cleanupGlobalConfig(serverId);
+    }
+
+    configureProjectScoped(mcpConfig, serverId) {
+        const windsurfProjectDir = path.join(this.targetRoot, '.windsurf');
+        const windsurfProjectPath = path.join(windsurfProjectDir, 'mcp.json');
 
         try {
-            if (!fs.existsSync(globalConfigPath)) {
-                fs.writeFileSync(globalConfigPath, JSON.stringify(mcpConfig, null, 2));
-                this.logSuccess(`Configured global Windsurf MCP at ${globalConfigPath}`);
-                if (this.logger) this.logger.info('MCP_GLOBAL_CONFIGURED', { path: globalConfigPath });
-            } else {
-                const existing = JSON.parse(fs.readFileSync(globalConfigPath, 'utf8'));
+            if (!fs.existsSync(windsurfProjectDir)) {
+                fs.mkdirSync(windsurfProjectDir, { recursive: true });
+            }
+
+            let finalConfig = mcpConfig;
+            if (fs.existsSync(windsurfProjectPath)) {
+                const existing = JSON.parse(fs.readFileSync(windsurfProjectPath, 'utf8'));
                 if (!existing.mcpServers) existing.mcpServers = {};
+                Object.keys(existing.mcpServers).forEach(id => {
+                    if (id.startsWith('ast-intelligence-automation-') && id !== serverId) {
+                        delete existing.mcpServers[id];
+                    }
+                });
+                existing.mcpServers[serverId] = mcpConfig.mcpServers[serverId];
+                finalConfig = existing;
+            }
+
+            fs.writeFileSync(windsurfProjectPath, JSON.stringify(finalConfig, null, 2));
+            this.logSuccess(`Configured project-scoped Windsurf MCP at ${windsurfProjectPath}`);
+            if (this.logger) this.logger.info('MCP_PROJECT_CONFIGURED', { path: windsurfProjectPath, serverId });
+        } catch (error) {
+            this.logWarning(`Failed to configure project-scoped MCP: ${error.message}`);
+            if (this.logger) this.logger.warn('MCP_PROJECT_CONFIGURE_FAILED', { error: error.message });
+        }
 
-                // Prevent duplicate MCP servers for the same repoRoot by disabling legacy entries.
-                this.disableDuplicateServersForRepo(existing, serverId);
+        const cursorProjectDir = path.join(this.targetRoot, '.cursor');
+        const cursorProjectPath = path.join(cursorProjectDir, 'mcp.json');
 
+        try {
+            if (!fs.existsSync(cursorProjectDir)) {
+                fs.mkdirSync(cursorProjectDir, { recursive: true });
+            }
+
+            let finalConfig = mcpConfig;
+            if (fs.existsSync(cursorProjectPath)) {
+                const existing = JSON.parse(fs.readFileSync(cursorProjectPath, 'utf8'));
+                if (!existing.mcpServers) existing.mcpServers = {};
+                Object.keys(existing.mcpServers).forEach(id => {
+                    if (id.startsWith('ast-intelligence-automation-') && id !== serverId) {
+                        delete existing.mcpServers[id];
+                    }
+                });
                 existing.mcpServers[serverId] = mcpConfig.mcpServers[serverId];
+                finalConfig = existing;
+            }
+
+            fs.writeFileSync(cursorProjectPath, JSON.stringify(finalConfig, null, 2));
+            this.logSuccess(`Configured project-scoped Cursor MCP at ${cursorProjectPath}`);
+            if (this.logger) this.logger.info('MCP_CURSOR_CONFIGURED', { path: cursorProjectPath, serverId });
+        } catch (error) {
+            this.logWarning(`Failed to configure Cursor MCP: ${error.message}`);
+            if (this.logger) this.logger.warn('MCP_CURSOR_CONFIGURE_FAILED', { error: error.message });
+        }
+    }
+
+    cleanupGlobalConfig(currentServerId) {
+        const globalConfigPath = this.getGlobalWindsurfConfigPath();
 
+        try {
+            if (!fs.existsSync(globalConfigPath)) return;
+
+            const existing = JSON.parse(fs.readFileSync(globalConfigPath, 'utf8'));
+            if (!existing.mcpServers) return;
+
+            let modified = false;
+            Object.keys(existing.mcpServers).forEach(id => {
+                const server = existing.mcpServers[id];
+                if (!server || !server.env) return;
+
+                if (server.env.REPO_ROOT === this.targetRoot) {
+                    delete existing.mcpServers[id];
+                    modified = true;
+                    this.logInfo(`Removed ${id} from global config (now project-scoped)`);
+                }
+            });
+
+            if (modified) {
                 fs.writeFileSync(globalConfigPath, JSON.stringify(existing, null, 2));
-                this.logSuccess(`Updated global Windsurf MCP at ${globalConfigPath}`);
-                if (this.logger) this.logger.info('MCP_GLOBAL_UPDATED', { path: globalConfigPath });
+                if (this.logger) this.logger.info('MCP_GLOBAL_CLEANUP', { removedForRepo: this.targetRoot });
+            }
+        } catch (error) {
+            if (process.env.DEBUG) {
+                process.stderr.write(`[MCP] cleanupGlobalConfig failed: ${error.message}\n`);
             }
-        } catch (mergeError) {
-            this.logWarning(`${globalConfigPath} exists but couldn't be merged, skipping`);
-            if (this.logger) this.logger.warn('MCP_GLOBAL_MERGE_FAILED', { error: mergeError.message });
         }
     }
 

package/scripts/hooks-system/application/services/monitoring/EvidenceMonitor.js

@@ -1,7 +1,6 @@
 const fs = require('fs');
 const path = require('path');
-const { execSync } = require('child_process');
-const { ConfigurationError, DomainError } = require('../../../domain/errors');
+const { EvidenceRefreshRunner } = require('./EvidenceRefreshRunner');
 const AuditLogger = require('../logging/AuditLogger');
 
 class EvidenceMonitor {
@@ -14,98 +13,9 @@ class EvidenceMonitor {
         this.lastStaleNotification = 0;
         this.pollTimer = null;
         this.evidencePath = path.join(repoRoot, '.AI_EVIDENCE.json');
-        this.tempDir = path.join(repoRoot, '.audit_tmp');
-        this.updateScript = this.resolveUpdateEvidenceScript();
-        this.refreshInFlight = false;
-        this.refreshTimeoutMs = options.refreshTimeoutMs || 120000;
-        this.refreshLockFile = path.join(this.tempDir, 'evidence-refresh.lock');
-    }
-
-    isPidRunning(pid) {
-        if (!pid || !Number.isFinite(pid) || pid <= 0) return false;
-        try {
-            process.kill(pid, 0);
-            return true;
-        } catch {
-            return false;
-        }
-    }
-
-    acquireRefreshLock() {
-        try {
-            fs.mkdirSync(this.tempDir, { recursive: true });
-        } catch (error) {
-            console.warn('[EvidenceMonitor] Failed to ensure temp dir:', error.message);
-        }
-
-        try {
-            const fd = fs.openSync(this.refreshLockFile, 'wx');
-            const payload = JSON.stringify({ pid: process.pid, timestamp: new Date().toISOString() });
-            fs.writeFileSync(fd, payload, { encoding: 'utf8' });
-            fs.closeSync(fd);
-            return { acquired: true };
-        } catch (error) {
-            if (error && error.code !== 'EEXIST') {
-                return { acquired: false, reason: 'error', error };
-            }
-
-            try {
-                const raw = String(fs.readFileSync(this.refreshLockFile, 'utf8') || '').trim();
-                const data = raw ? JSON.parse(raw) : null;
-                const lockPid = data && Number(data.pid);
-                if (lockPid && this.isPidRunning(lockPid)) {
-                    return { acquired: false, reason: 'locked', pid: lockPid };
-                }
-            } catch (error) {
-                console.warn('[EvidenceMonitor] Failed to read refresh lock file:', error.message);
-            }
-
-            try {
-                fs.unlinkSync(this.refreshLockFile);
-            } catch (error) {
-                console.warn('[EvidenceMonitor] Failed to remove stale refresh lock:', error.message);
-            }
-
-            try {
-                const fd = fs.openSync(this.refreshLockFile, 'wx');
-                const payload = JSON.stringify({ pid: process.pid, timestamp: new Date().toISOString() });
-                fs.writeFileSync(fd, payload, { encoding: 'utf8' });
-                fs.closeSync(fd);
-                return { acquired: true };
-            } catch (retryError) {
-                return { acquired: false, reason: 'locked', error: retryError };
-            }
-        }
-    }
-
-    releaseRefreshLock() {
-        try {
-            if (!fs.existsSync(this.refreshLockFile)) return;
-            const raw = String(fs.readFileSync(this.refreshLockFile, 'utf8') || '').trim();
-            const data = raw ? JSON.parse(raw) : null;
-            const lockPid = data && Number(data.pid);
-            if (lockPid === process.pid) {
-                fs.unlinkSync(this.refreshLockFile);
-            }
-        } catch (error) {
-            console.warn('[EvidenceMonitor] Failed to release refresh lock:', error.message);
-        }
-    }
-
-    resolveUpdateEvidenceScript() {
-        const candidates = [
-            path.join(this.repoRoot, 'node_modules/@pumuki/ast-intelligence-hooks/bin/update-evidence.sh'),
-            path.join(this.repoRoot, 'scripts/hooks-system/bin/update-evidence.sh'),
-            path.join(this.repoRoot, 'bin/update-evidence.sh')
-        ];
-
-        for (const candidate of candidates) {
-            if (fs.existsSync(candidate)) {
-                return candidate;
-            }
-        }
-
-        return null;
+        this.refreshRunner = new EvidenceRefreshRunner(repoRoot, {
+            refreshTimeoutMs: options.refreshTimeoutMs
+        });
     }
 
     isStale() {
@@ -123,58 +33,7 @@ class EvidenceMonitor {
     }
 
     async refresh() {
-        if (!this.updateScript) {
-            throw new ConfigurationError('Update evidence script not found', 'updateScript');
-        }
-
-        if (this.refreshInFlight) {
-            return '';
-        }
-
-        const lock = this.acquireRefreshLock();
-        if (!lock.acquired) {
-            return '';
-        }
-
-        this.refreshInFlight = true;
-
-        return new Promise((resolve, reject) => {
-            const child = require('child_process').spawn('bash', [this.updateScript, '--auto', '--refresh-only'], {
-                cwd: this.repoRoot,
-                stdio: ['pipe', 'pipe', 'pipe']
-            });
-
-            let output = '';
-            child.stdout.on('data', (data) => {
-                output += data.toString();
-            });
-
-            const timeoutId = setTimeout(() => {
-                try {
-                    child.kill('SIGKILL');
-                } catch (error) {
-                    console.warn('[EvidenceMonitor] Failed to kill timed-out refresh process:', error.message);
-                }
-            }, this.refreshTimeoutMs);
-
-            child.on('close', (code) => {
-                clearTimeout(timeoutId);
-                this.refreshInFlight = false;
-                this.releaseRefreshLock();
-                if (code === 0) {
-                    resolve(output);
-                } else {
-                    reject(new DomainError(`Evidence refresh failed with code ${code}`, 'EVIDENCE_REFRESH_FAILED'));
-                }
-            });
-
-            child.on('error', (err) => {
-                clearTimeout(timeoutId);
-                this.refreshInFlight = false;
-                this.releaseRefreshLock();
-                reject(err);
-            });
-        });
+        return this.refreshRunner.refresh();
     }
 
     startPolling(onStale, onRefreshed) {

package/scripts/hooks-system/application/services/monitoring/EvidenceRefreshRunner.js

@@ -0,0 +1,161 @@
+const fs = require('fs');
+const path = require('path');
+const { spawn } = require('child_process');
+const { ConfigurationError, DomainError } = require('../../../domain/errors');
+
+class EvidenceRefreshRunner {
+    constructor(repoRoot, options = {}) {
+        this.repoRoot = repoRoot;
+        this.tempDir = path.join(repoRoot, '.audit_tmp');
+        this.refreshLockFile = path.join(this.tempDir, 'evidence-refresh.lock');
+        this.refreshTimeoutMs = options.refreshTimeoutMs || 120000;
+        this.refreshInFlight = false;
+        this.updateScript = this.resolveUpdateEvidenceScript();
+    }
+
+    resolveUpdateEvidenceScript() {
+        const candidates = [
+            path.join(this.repoRoot, 'node_modules/@pumuki/ast-intelligence-hooks/bin/update-evidence.sh'),
+            path.join(this.repoRoot, 'scripts/hooks-system/bin/update-evidence.sh'),
+            path.join(this.repoRoot, 'bin/update-evidence.sh')
+        ];
+
+        for (const candidate of candidates) {
+            if (fs.existsSync(candidate)) {
+                return candidate;
+            }
+        }
+
+        return null;
+    }
+
+    isPidRunning(pid) {
+        if (!pid || !Number.isFinite(pid) || pid <= 0) return false;
+        try {
+            process.kill(pid, 0);
+            return true;
+        } catch {
+            return false;
+        }
+    }
+
+    acquireRefreshLock() {
+        try {
+            fs.mkdirSync(this.tempDir, { recursive: true });
+        } catch (error) {
+            console.warn('[EvidenceRefreshRunner] Failed to ensure temp dir:', error.message);
+        }
+
+        try {
+            const fd = fs.openSync(this.refreshLockFile, 'wx');
+            const payload = JSON.stringify({ pid: process.pid, timestamp: new Date().toISOString() });
+            fs.writeFileSync(fd, payload, { encoding: 'utf8' });
+            fs.closeSync(fd);
+            return { acquired: true };
+        } catch (error) {
+            if (error && error.code !== 'EEXIST') {
+                return { acquired: false, reason: 'error', error };
+            }
+
+            try {
+                const raw = String(fs.readFileSync(this.refreshLockFile, 'utf8') || '').trim();
+                const data = raw ? JSON.parse(raw) : null;
+                const lockPid = data && Number(data.pid);
+                if (lockPid && this.isPidRunning(lockPid)) {
+                    return { acquired: false, reason: 'locked', pid: lockPid };
+                }
+            } catch (readError) {
+                console.warn('[EvidenceRefreshRunner] Failed to read refresh lock file:', readError.message);
+            }
+
+            try {
+                fs.unlinkSync(this.refreshLockFile);
+            } catch (removeError) {
+                console.warn('[EvidenceRefreshRunner] Failed to remove stale refresh lock:', removeError.message);
+            }
+
+            try {
+                const fd = fs.openSync(this.refreshLockFile, 'wx');
+                const payload = JSON.stringify({ pid: process.pid, timestamp: new Date().toISOString() });
+                fs.writeFileSync(fd, payload, { encoding: 'utf8' });
+                fs.closeSync(fd);
+                return { acquired: true };
+            } catch (retryError) {
+                return { acquired: false, reason: 'locked', error: retryError };
+            }
+        }
+    }
+
+    releaseRefreshLock() {
+        try {
+            if (!fs.existsSync(this.refreshLockFile)) return;
+            const raw = String(fs.readFileSync(this.refreshLockFile, 'utf8') || '').trim();
+            const data = raw ? JSON.parse(raw) : null;
+            const lockPid = data && Number(data.pid);
+            if (lockPid === process.pid) {
+                fs.unlinkSync(this.refreshLockFile);
+            }
+        } catch (error) {
+            console.warn('[EvidenceRefreshRunner] Failed to release refresh lock:', error.message);
+        }
+    }
+
+    async refresh() {
+        if (!this.updateScript) {
+            throw new ConfigurationError('Update evidence script not found', 'updateScript');
+        }
+
+        if (this.refreshInFlight) {
+            return '';
+        }
+
+        const lock = this.acquireRefreshLock();
+        if (!lock.acquired) {
+            return '';
+        }
+
+        this.refreshInFlight = true;
+
+        return new Promise((resolve, reject) => {
+            const child = spawn('bash', [this.updateScript, '--auto', '--refresh-only'], {
+                cwd: this.repoRoot,
+                stdio: ['pipe', 'pipe', 'pipe']
+            });
+
+            let output = '';
+            child.stdout.on('data', (data) => {
+                output += data.toString();
+            });
+
+            const timeoutId = setTimeout(() => {
+                try {
+                    child.kill('SIGKILL');
+                } catch (error) {
+                    console.warn('[EvidenceRefreshRunner] Failed to kill timed-out refresh process:', error.message);
+                }
+            }, this.refreshTimeoutMs);
+
+            const finalize = () => {
+                clearTimeout(timeoutId);
+                this.refreshInFlight = false;
+                this.releaseRefreshLock();
+            };
+
+            child.on('close', (code) => {
+                finalize();
+                if (code === 0) {
+                    resolve(output);
+                } else {
+                    reject(new DomainError(`Evidence refresh failed with code ${code}`, 'EVIDENCE_REFRESH_FAILED'));
+                }
+            });
+
+            child.on('error', (err) => {
+                finalize();
+                reject(err);
+            });
+        });
+    }
+}
+
+module.exports = { EvidenceRefreshRunner };