qualia-framework-v2 2.6.0 → 2.8.0

package/hooks/migration-guard.js

@@ -0,0 +1,60 @@
+#!/usr/bin/env node
+// ~/.claude/hooks/migration-guard.js — catch dangerous SQL patterns in migrations.
+// PreToolUse hook on Edit/Write tool calls. Reads tool input as JSON on stdin.
+// Exits 2 to BLOCK. Exits 0 to allow.
+// Cross-platform (Windows/macOS/Linux).
+
+const fs = require("fs");
+
+function readInput() {
+  try {
+    const raw = fs.readFileSync(0, "utf8");
+    return JSON.parse(raw);
+  } catch {
+    return {};
+  }
+}
+
+const input = readInput();
+const ti = input.tool_input || {};
+const file = String(ti.file_path || "").replace(/\\/g, "/");
+const content = String(ti.content || ti.new_string || "");
+
+// Only inspect migration/SQL files
+if (!/migration|migrate|\.sql$/i.test(file)) {
+  process.exit(0);
+}
+
+const errors = [];
+
+// DROP TABLE without IF EXISTS
+if (/DROP\s+TABLE/i.test(content) && !/IF\s+EXISTS/i.test(content)) {
+  errors.push("DROP TABLE without IF EXISTS");
+}
+
+// DELETE without WHERE
+if (/DELETE\s+FROM/i.test(content) && !/WHERE/i.test(content)) {
+  errors.push("DELETE FROM without WHERE clause");
+}
+
+// TRUNCATE (almost always wrong in migrations)
+if (/TRUNCATE/i.test(content)) {
+  errors.push("TRUNCATE detected — are you sure?");
+}
+
+// CREATE TABLE without RLS
+if (/CREATE\s+TABLE/i.test(content) && !/ENABLE\s+ROW\s+LEVEL\s+SECURITY/i.test(content)) {
+  errors.push("CREATE TABLE without ENABLE ROW LEVEL SECURITY");
+}
+
+if (errors.length > 0) {
+  console.log("◆ Migration guard — dangerous patterns found:");
+  for (const e of errors) {
+    console.log(`  ✗ ${e}`);
+  }
+  console.log("");
+  console.log("Fix these before proceeding. If intentional, ask Fawzi to approve.");
+  process.exit(2);
+}
+
+process.exit(0);

package/hooks/pre-compact.js

@@ -0,0 +1,32 @@
+#!/usr/bin/env node
+// ~/.claude/hooks/pre-compact.js — commit STATE.md before context compaction.
+// PreCompact hook. Silent on failure — context compaction must never be blocked.
+// Cross-platform (Windows/macOS/Linux).
+
+const fs = require("fs");
+const path = require("path");
+const { spawnSync } = require("child_process");
+
+const STATE_FILE = path.join(".planning", "STATE.md");
+
+try {
+  if (fs.existsSync(STATE_FILE)) {
+    console.log("QUALIA: Saving state before compaction...");
+    // Check if STATE.md has uncommitted changes
+    const diff = spawnSync("git", ["diff", "--name-only", STATE_FILE], {
+      encoding: "utf8",
+      timeout: 3000,
+    });
+    if ((diff.stdout || "").includes("STATE.md")) {
+      spawnSync("git", ["add", STATE_FILE], { timeout: 3000 });
+      spawnSync("git", ["commit", "-m", "state: pre-compaction save"], {
+        timeout: 5000,
+        stdio: "ignore",
+      });
+    }
+  }
+} catch {
+  // Silent — never block compaction
+}
+
+process.exit(0);

package/hooks/pre-deploy-gate.js

@@ -0,0 +1,110 @@
+#!/usr/bin/env node
+// ~/.claude/hooks/pre-deploy-gate.js — quality gates before production deploy.
+// PreToolUse hook on `vercel --prod*` commands. Runs tsc, lint, tests, build,
+// then scans for service_role leaks in client code.
+// Exits 1 to BLOCK deploy. Exits 0 to allow.
+// Cross-platform (Windows/macOS/Linux). No `grep` or `find` — pure Node.
+
+const fs = require("fs");
+const path = require("path");
+const { spawnSync } = require("child_process");
+
+function runGate(label, cmd, args, { required = true } = {}) {
+  const r = spawnSync(cmd, args, {
+    stdio: "ignore",
+    timeout: 180000,
+    shell: process.platform === "win32",
+  });
+  if (r.status === 0) {
+    console.log(`  ✓ ${label}`);
+    return true;
+  }
+  if (required) {
+    console.log(`BLOCKED: ${label} errors. Fix before deploying.`);
+    process.exit(1);
+  }
+  return false;
+}
+
+function hasScript(name) {
+  try {
+    const pkg = JSON.parse(fs.readFileSync("package.json", "utf8"));
+    return pkg.scripts && typeof pkg.scripts[name] === "string";
+  } catch {
+    return false;
+  }
+}
+
+function walk(dir, out = []) {
+  if (!fs.existsSync(dir)) return out;
+  let entries;
+  try {
+    entries = fs.readdirSync(dir, { withFileTypes: true });
+  } catch {
+    return out;
+  }
+  for (const e of entries) {
+    if (e.name === "node_modules" || e.name.startsWith(".")) continue;
+    const full = path.join(dir, e.name);
+    if (e.isDirectory()) {
+      walk(full, out);
+    } else if (/\.(ts|tsx|js|jsx|mjs|cjs)$/.test(e.name)) {
+      out.push(full);
+    }
+  }
+  return out;
+}
+
+function scanServiceRoleLeaks() {
+  const roots = ["app", "components", "src", "pages", "lib"];
+  const leaks = [];
+  for (const root of roots) {
+    for (const file of walk(root)) {
+      // Skip server-only files (convention: *.server.ts, server/ dirs)
+      if (/\.server\.|[\\/]server[\\/]/.test(file)) continue;
+      try {
+        const content = fs.readFileSync(file, "utf8");
+        if (/service_role/.test(content)) {
+          leaks.push(file);
+        }
+      } catch {}
+    }
+  }
+  return leaks;
+}
+
+console.log("◆ Pre-deploy gate...");
+
+// TypeScript
+if (fs.existsSync("tsconfig.json")) {
+  runGate("TypeScript", "npx", ["tsc", "--noEmit"]);
+}
+
+// Lint
+if (hasScript("lint")) {
+  runGate("Lint", "npm", ["run", "lint"]);
+}
+
+// Tests
+if (hasScript("test")) {
+  runGate("Tests", "npm", ["test"]);
+}
+
+// Build
+if (hasScript("build")) {
+  runGate("Build", "npm", ["run", "build"]);
+}
+
+// Security: no service_role in client code
+const leaks = scanServiceRoleLeaks();
+if (leaks.length > 0) {
+  console.log("BLOCKED: service_role found in client code. Remove before deploying.");
+  for (const f of leaks.slice(0, 10)) {
+    console.log(`  ✗ ${f}`);
+  }
+  process.exit(1);
+}
+console.log("  ✓ Security");
+console.log("◆ All gates passed.");
+
+process.exit(0);

package/hooks/pre-push.js

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+// ~/.claude/hooks/pre-push.js — update tracking.json with last commit + timestamp.
+// PreToolUse hook on `git push*` commands. state.js handles phase/status sync;
+// this just stamps the file so the ERP sees fresh commit info on every push.
+// Cross-platform (Windows/macOS/Linux).
+
+const fs = require("fs");
+const path = require("path");
+const { spawnSync } = require("child_process");
+
+const TRACKING = path.join(".planning", "tracking.json");
+
+try {
+  if (fs.existsSync(TRACKING)) {
+    const r = spawnSync("git", ["log", "--oneline", "-1", "--format=%h"], {
+      encoding: "utf8",
+      timeout: 3000,
+    });
+    const lastCommit = ((r.stdout || "").trim());
+    const now = new Date().toISOString().replace(/\.\d+Z$/, "Z");
+
+    const t = JSON.parse(fs.readFileSync(TRACKING, "utf8"));
+    if (lastCommit) t.last_commit = lastCommit;
+    t.last_updated = now;
+    fs.writeFileSync(TRACKING, JSON.stringify(t, null, 2) + "\n");
+
+    spawnSync("git", ["add", TRACKING], { timeout: 3000 });
+  }
+} catch (err) {
+  process.stderr.write(`WARNING: tracking sync failed: ${err.message}\n`);
+}
+
+process.exit(0);

package/hooks/session-start.js

@@ -0,0 +1,84 @@
+#!/usr/bin/env node
+// ~/.claude/hooks/session-start.js — branded context panel on session start.
+// Cross-platform (Windows/macOS/Linux). Zero shell dependencies.
+//
+// CRITICAL: this hook must NEVER exit non-zero. Claude Code treats any non-zero
+// exit from a SessionStart hook as a "hook error" and shows a red banner. The
+// banner is purely informational — we'd rather render nothing than block a
+// session. Every call is wrapped in try/catch and we always exit 0 at the end.
+
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+const { spawnSync } = require("child_process");
+
+const HOME = os.homedir();
+const UI = path.join(HOME, ".claude", "bin", "qualia-ui.js");
+const STATE_FILE = path.join(".planning", "STATE.md");
+const CONTINUE_HERE = ".continue-here.md";
+
+function runUi(...args) {
+  if (!fs.existsSync(UI)) return;
+  try {
+    spawnSync(process.execPath, [UI, ...args], {
+      stdio: "inherit",
+      timeout: 3000,
+    });
+  } catch {}
+}
+
+function getNextCommand() {
+  const stateJs = path.join(HOME, ".claude", "bin", "state.js");
+  if (!fs.existsSync(stateJs)) return "";
+  try {
+    const r = spawnSync(process.execPath, [stateJs, "check"], {
+      encoding: "utf8",
+      timeout: 3000,
+    });
+    if (!r.stdout) return "";
+    const j = JSON.parse(r.stdout);
+    return j.next_command || "";
+  } catch {
+    return "";
+  }
+}
+
+function fallbackText() {
+  // If qualia-ui.js is missing, emit plain text. Keeps the session informative
+  // even on a broken install.
+  if (fs.existsSync(STATE_FILE)) {
+    try {
+      const content = fs.readFileSync(STATE_FILE, "utf8");
+      const phase = (content.match(/^Phase:\s*(.+)$/m) || [])[1] || "—";
+      const status = (content.match(/^Status:\s*(.+)$/m) || [])[1] || "—";
+      console.log(`QUALIA: Project loaded. Phase: ${phase.trim()} | Status: ${status.trim()}`);
+      console.log("QUALIA: Run /qualia for next step.");
+    } catch {
+      console.log("QUALIA: Project detected but STATE.md could not be read.");
+    }
+  } else if (fs.existsSync(CONTINUE_HERE)) {
+    console.log("QUALIA: Handoff file found. Read .continue-here.md to resume.");
+  } else {
+    console.log("QUALIA: No project detected. Run /qualia-new to start.");
+  }
+}
+
+try {
+  if (!fs.existsSync(UI)) {
+    fallbackText();
+  } else if (fs.existsSync(STATE_FILE)) {
+    runUi("banner", "router");
+    const next = getNextCommand();
+    if (next) runUi("info", `Run ${next} to continue`);
+  } else if (fs.existsSync(CONTINUE_HERE)) {
+    runUi("banner", "router");
+    runUi("warn", "Handoff found — read .continue-here.md to resume");
+  } else {
+    runUi("banner", "router");
+    runUi("info", "No project detected. Run /qualia-new to start.");
+  }
+} catch {
+  // Deliberately silent — hook must never fail
+}
+
+process.exit(0);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "qualia-framework-v2",
-  "version": "2.6.0",
+  "version": "2.8.0",
   "description": "Claude Code workflow framework by Qualia Solutions. Plan, build, verify, ship.",
   "bin": {
     "qualia-framework-v2": "./bin/cli.js"
@@ -23,7 +23,7 @@
   },
   "homepage": "https://github.com/qualia-solutions/qualia-framework-v2#readme",
   "scripts": {
-    "test": "bash tests/hooks.test.sh"
+    "test": "bash tests/hooks.test.sh && bash tests/state.test.sh"
   },
   "files": [
     "bin/",
@@ -34,8 +34,7 @@
     "templates/",
     "tests/",
     "CLAUDE.md",
-    "guide.md",
-    "statusline.sh"
+    "guide.md"
   ],
   "engines": {
     "node": ">=18"

package/skills/qualia-skill-new/SKILL.md

@@ -29,9 +29,27 @@ options:
     description: "This is a subagent role, not a slash command. Creates agents/{name}.md."
 ```
 
-**Framework** → target: `/home/qualia/Projects/qualia/qualia-framework-v2/skills/{name}/SKILL.md`
+### 1a. Resolve framework directory
+
+If the user chose **Framework skill** or a framework-scoped **Agent**, resolve `${FRAMEWORK_DIR}` — the checkout path of this user's qualia-framework-v2 repo — BEFORE computing any target paths. Never hardcode `/home/<user>/...`; different teammates and operating systems have different paths.
+
+```bash
+# Priority order: env var → git detection → ask user
+FRAMEWORK_DIR="${QUALIA_FRAMEWORK_DIR:-}"
+if [ -z "$FRAMEWORK_DIR" ] && git -C . rev-parse --show-toplevel >/dev/null 2>&1; then
+  ORIGIN=$(git -C . config --get remote.origin.url 2>/dev/null)
+  case "$ORIGIN" in
+    *qualia-framework-v2*) FRAMEWORK_DIR=$(git -C . rev-parse --show-toplevel) ;;
+  esac
+fi
+echo "${FRAMEWORK_DIR:-UNRESOLVED}"
+```
+
+If the command prints `UNRESOLVED`, ask the user: *"Where is your qualia-framework-v2 checkout? (absolute path, or type 'local' to save only to ~/.claude/)"*. If they type `local`, downgrade the scope to Local. Otherwise store the answer as `${FRAMEWORK_DIR}` for the rest of the session.
+
+**Framework** → target: `${FRAMEWORK_DIR}/skills/{name}/SKILL.md`
 **Local** → target: `~/.claude/skills/{name}/SKILL.md`
-**Agent** → target: `/home/qualia/Projects/qualia/qualia-framework-v2/agents/{name}.md` (framework) or `~/.claude/agents/{name}.md` (local)
+**Agent** → target: `${FRAMEWORK_DIR}/agents/{name}.md` (framework) or `~/.claude/agents/{name}.md` (local)
 
 ### 2. Gather Requirements
 
@@ -119,10 +137,11 @@ Fix any ambiguity the test agent found.
 
 ```bash
 # Framework skill — copy to local .claude for immediate testing
-cp /home/qualia/Projects/qualia/qualia-framework-v2/skills/{name}/SKILL.md ~/.claude/skills/{name}/SKILL.md
+mkdir -p ~/.claude/skills/{name}
+cp "${FRAMEWORK_DIR}/skills/{name}/SKILL.md" ~/.claude/skills/{name}/SKILL.md
 
 # Verify it parses
-node -e "const fs=require('fs');const c=fs.readFileSync('/home/qualia/.claude/skills/{name}/SKILL.md','utf8');if(!c.includes('---'))throw new Error('missing frontmatter');if(!c.match(/^name:\s*\S/m))throw new Error('missing name');if(!c.match(/^description:\s*\S/m))throw new Error('missing description');console.log('OK')"
+node -e "const fs=require('fs');const os=require('os');const path=require('path');const c=fs.readFileSync(path.join(os.homedir(),'.claude/skills/{name}/SKILL.md'),'utf8');if(!c.includes('---'))throw new Error('missing frontmatter');if(!c.match(/^name:\s*\S/m))throw new Error('missing name');if(!c.match(/^description:\s*\S/m))throw new Error('missing description');console.log('OK')"
 ```
 
 ### 7. Commit (framework skills only)
@@ -131,7 +150,7 @@ Do NOT commit unless the user explicitly says "commit" or "ship it".
 
 When they do:
 ```bash
-cd /home/qualia/Projects/qualia/qualia-framework-v2
+cd "${FRAMEWORK_DIR}"
 git add skills/{name}/
 git commit -m "feat: add /{name} skill"
 ```

package/tests/hooks.test.sh

@@ -1,10 +1,12 @@
 #!/bin/bash
-# Qualia Framework v2 — Hook Tests
+# Qualia Framework v2 — Hook Tests (cross-platform Node.js hooks)
 # Run: bash tests/hooks.test.sh
 
 PASS=0
 FAIL=0
-HOOKS_DIR="$(dirname "$0")/../hooks"
+# Resolve HOOKS_DIR to an ABSOLUTE path so `cd` inside subshells doesn't break it.
+HOOKS_DIR="$(cd "$(dirname "$0")/../hooks" && pwd)"
+NODE="${NODE:-node}"
 
 assert_exit() {
   local name="$1" expected="$2" actual="$3"
@@ -17,139 +19,189 @@ assert_exit() {
   fi
 }
 
-echo "=== Hook Tests ==="
+echo "=== Hook Tests (Node.js) ==="
 echo ""
 
-# --- block-env-edit.sh ---
+# --- All hooks are syntactically valid Node.js ---
+echo "syntax:"
+for f in "$HOOKS_DIR"/*.js; do
+  if $NODE -c "$f" 2>/dev/null; then
+    echo "  ✓ $(basename "$f")"
+    PASS=$((PASS + 1))
+  else
+    echo "  ✗ $(basename "$f")"
+    FAIL=$((FAIL + 1))
+  fi
+done
+
+# --- block-env-edit.js ---
+echo ""
 echo "block-env-edit:"
 
-echo '{"tool_input":{"file_path":".env.local"}}' | bash "$HOOKS_DIR/block-env-edit.sh" > /dev/null 2>&1
+echo '{"tool_input":{"file_path":".env.local"}}' | $NODE "$HOOKS_DIR/block-env-edit.js" > /dev/null 2>&1
 assert_exit "blocks .env.local" 2 $?
 
-echo '{"tool_input":{"file_path":".env.production"}}' | bash "$HOOKS_DIR/block-env-edit.sh" > /dev/null 2>&1
+echo '{"tool_input":{"file_path":".env.production"}}' | $NODE "$HOOKS_DIR/block-env-edit.js" > /dev/null 2>&1
 assert_exit "blocks .env.production" 2 $?
 
-echo '{"tool_input":{"file_path":".env"}}' | bash "$HOOKS_DIR/block-env-edit.sh" > /dev/null 2>&1
+echo '{"tool_input":{"file_path":".env"}}' | $NODE "$HOOKS_DIR/block-env-edit.js" > /dev/null 2>&1
 assert_exit "blocks .env" 2 $?
 
-echo '{"tool_input":{"file_path":"src/app.tsx"}}' | bash "$HOOKS_DIR/block-env-edit.sh" > /dev/null 2>&1
+# Windows-style path with backslashes (normalized by the hook)
+echo '{"tool_input":{"file_path":"C:\\project\\.env.local"}}' | $NODE "$HOOKS_DIR/block-env-edit.js" > /dev/null 2>&1
+assert_exit "blocks windows .env.local" 2 $?
+
+echo '{"tool_input":{"file_path":"src/app.tsx"}}' | $NODE "$HOOKS_DIR/block-env-edit.js" > /dev/null 2>&1
 assert_exit "allows src/app.tsx" 0 $?
 
-echo '{"tool_input":{"file_path":"components/Footer.tsx"}}' | bash "$HOOKS_DIR/block-env-edit.sh" > /dev/null 2>&1
+echo '{"tool_input":{"file_path":"components/Footer.tsx"}}' | $NODE "$HOOKS_DIR/block-env-edit.js" > /dev/null 2>&1
 assert_exit "allows components/Footer.tsx" 0 $?
 
-# --- migration-guard.sh ---
+# --- migration-guard.js ---
 echo ""
 echo "migration-guard:"
 
-echo '{"tool_input":{"file_path":"migrations/001.sql","content":"DROP TABLE users;"}}' | bash "$HOOKS_DIR/migration-guard.sh" > /dev/null 2>&1
+echo '{"tool_input":{"file_path":"migrations/001.sql","content":"DROP TABLE users;"}}' | $NODE "$HOOKS_DIR/migration-guard.js" > /dev/null 2>&1
 assert_exit "blocks DROP TABLE without IF EXISTS" 2 $?
 
-echo '{"tool_input":{"file_path":"migrations/001.sql","content":"DROP TABLE IF EXISTS old_users;"}}' | bash "$HOOKS_DIR/migration-guard.sh" > /dev/null 2>&1
+echo '{"tool_input":{"file_path":"migrations/001.sql","content":"DROP TABLE IF EXISTS old_users;"}}' | $NODE "$HOOKS_DIR/migration-guard.js" > /dev/null 2>&1
 assert_exit "allows DROP TABLE IF EXISTS" 0 $?
 
-echo '{"tool_input":{"file_path":"migrations/002.sql","content":"DELETE FROM users;"}}' | bash "$HOOKS_DIR/migration-guard.sh" > /dev/null 2>&1
+echo '{"tool_input":{"file_path":"migrations/002.sql","content":"DELETE FROM users;"}}' | $NODE "$HOOKS_DIR/migration-guard.js" > /dev/null 2>&1
 assert_exit "blocks DELETE without WHERE" 2 $?
 
-echo '{"tool_input":{"file_path":"migrations/003.sql","content":"TRUNCATE TABLE sessions;"}}' | bash "$HOOKS_DIR/migration-guard.sh" > /dev/null 2>&1
+echo '{"tool_input":{"file_path":"migrations/003.sql","content":"TRUNCATE TABLE sessions;"}}' | $NODE "$HOOKS_DIR/migration-guard.js" > /dev/null 2>&1
 assert_exit "blocks TRUNCATE" 2 $?
 
-echo '{"tool_input":{"file_path":"migrations/004.sql","content":"CREATE TABLE users (id uuid);"}}' | bash "$HOOKS_DIR/migration-guard.sh" > /dev/null 2>&1
+echo '{"tool_input":{"file_path":"migrations/004.sql","content":"CREATE TABLE users (id uuid);"}}' | $NODE "$HOOKS_DIR/migration-guard.js" > /dev/null 2>&1
 assert_exit "blocks CREATE TABLE without RLS" 2 $?
 
-echo '{"tool_input":{"file_path":"migrations/005.sql","content":"ALTER TABLE users ADD COLUMN email text;"}}' | bash "$HOOKS_DIR/migration-guard.sh" > /dev/null 2>&1
+echo '{"tool_input":{"file_path":"migrations/005.sql","content":"ALTER TABLE users ADD COLUMN email text;"}}' | $NODE "$HOOKS_DIR/migration-guard.js" > /dev/null 2>&1
 assert_exit "allows safe ALTER TABLE" 0 $?
 
-echo '{"tool_input":{"file_path":"src/app.tsx","content":"DROP TABLE users;"}}' | bash "$HOOKS_DIR/migration-guard.sh" > /dev/null 2>&1
+echo '{"tool_input":{"file_path":"src/app.tsx","content":"DROP TABLE users;"}}' | $NODE "$HOOKS_DIR/migration-guard.js" > /dev/null 2>&1
 assert_exit "skips non-migration files" 0 $?
 
-# --- branch-guard.sh ---
+# --- branch-guard.js (grep-based — full run needs git + real config) ---
 echo ""
 echo "branch-guard:"
 
-if [ -f "$HOOKS_DIR/branch-guard.sh" ]; then
-  echo "  ✓ branch-guard.sh exists"
+if grep -q '.qualia-config.json' "$HOOKS_DIR/branch-guard.js"; then
+  echo "  ✓ reads role from .qualia-config.json"
   PASS=$((PASS + 1))
 else
-  echo "  ✗ branch-guard.sh missing"
+  echo "  ✗ not reading from .qualia-config.json"
   FAIL=$((FAIL + 1))
 fi
 
-if grep -q 'ROLE' "$HOOKS_DIR/branch-guard.sh"; then
-  echo "  ✓ checks ROLE variable"
+if grep -q 'branch --show-current' "$HOOKS_DIR/branch-guard.js"; then
+  echo "  ✓ checks current git branch"
   PASS=$((PASS + 1))
 else
-  echo "  ✗ missing ROLE check"
+  echo "  ✗ missing branch check"
   FAIL=$((FAIL + 1))
 fi
 
-if grep -q 'z "$ROLE"' "$HOOKS_DIR/branch-guard.sh"; then
-  echo "  ✓ defaults to deny on missing ROLE"
+if grep -q 'OWNER' "$HOOKS_DIR/branch-guard.js"; then
+  echo "  ✓ enforces OWNER role"
   PASS=$((PASS + 1))
 else
-  echo "  ✗ missing empty-ROLE deny"
+  echo "  ✗ missing OWNER check"
   FAIL=$((FAIL + 1))
 fi
 
-# --- pre-push.sh ---
+# --- pre-push.js ---
 echo ""
 echo "pre-push:"
 
-if grep -q 'command -v node' "$HOOKS_DIR/pre-push.sh"; then
-  echo "  ✓ checks for node availability"
+if grep -q 'tracking.json' "$HOOKS_DIR/pre-push.js"; then
+  echo "  ✓ updates tracking.json"
   PASS=$((PASS + 1))
 else
-  echo "  ✗ missing node check"
+  echo "  ✗ missing tracking.json update"
   FAIL=$((FAIL + 1))
 fi
 
-if grep -q 'tracking sync failed' "$HOOKS_DIR/pre-push.sh"; then
-  echo "  ✓ captures tracking sync errors"
+if grep -q 'last_commit' "$HOOKS_DIR/pre-push.js"; then
+  echo "  ✓ stamps last_commit"
   PASS=$((PASS + 1))
 else
-  echo "  ✗ missing tracking sync error capture"
+  echo "  ✗ missing last_commit stamp"
   FAIL=$((FAIL + 1))
 fi
 
-# --- branch-guard reads from .qualia-config.json ---
-echo ""
-echo "branch-guard config source:"
-
-if grep -q 'qualia-config.json' "$HOOKS_DIR/branch-guard.sh"; then
-  echo "  ✓ reads role from .qualia-config.json"
-  PASS=$((PASS + 1))
-else
-  echo "  ✗ not reading from .qualia-config.json"
-  FAIL=$((FAIL + 1))
-fi
+# Run pre-push.js in a dir with no tracking.json — must exit 0 cleanly
+TMP=$(mktemp -d)
+(cd "$TMP" && $NODE "$HOOKS_DIR/pre-push.js" >/dev/null 2>&1)
+assert_exit "exits 0 with no tracking.json" 0 $?
+rm -rf "$TMP"
 
-# --- pre-deploy-gate.sh ---
+# --- pre-deploy-gate.js ---
 echo ""
 echo "pre-deploy-gate:"
 
-if [ -f "$HOOKS_DIR/pre-deploy-gate.sh" ]; then
-  echo "  ✓ pre-deploy-gate.sh exists"
+if grep -q 'tsc' "$HOOKS_DIR/pre-deploy-gate.js"; then
+  echo "  ✓ runs TypeScript check"
   PASS=$((PASS + 1))
 else
-  echo "  ✗ pre-deploy-gate.sh missing"
+  echo "  ✗ missing TypeScript check"
   FAIL=$((FAIL + 1))
 fi
 
-if grep -q 'tsc --noEmit' "$HOOKS_DIR/pre-deploy-gate.sh"; then
-  echo "  ✓ runs TypeScript check"
+if grep -q 'service_role' "$HOOKS_DIR/pre-deploy-gate.js"; then
+  echo "  ✓ checks for service_role leaks"
   PASS=$((PASS + 1))
 else
-  echo "  ✗ missing TypeScript check"
+  echo "  ✗ missing service_role check"
   FAIL=$((FAIL + 1))
 fi
 
-if grep -q 'service_role' "$HOOKS_DIR/pre-deploy-gate.sh"; then
-  echo "  ✓ checks for service_role leaks"
+# --- session-start.js — must exit 0 always ---
+echo ""
+echo "session-start:"
+
+TMP=$(mktemp -d)
+(cd "$TMP" && $NODE "$HOOKS_DIR/session-start.js" >/dev/null 2>&1)
+assert_exit "exits 0 with no project" 0 $?
+
+# Simulate a project with STATE.md
+mkdir -p "$TMP/.planning"
+cat > "$TMP/.planning/STATE.md" <<'EOF'
+# Project State
+Phase: 1 of 3 — Foundation
+Status: setup
+EOF
+(cd "$TMP" && $NODE "$HOOKS_DIR/session-start.js" >/dev/null 2>&1)
+assert_exit "exits 0 with STATE.md" 0 $?
+rm -rf "$TMP"
+
+# --- pre-compact.js ---
+echo ""
+echo "pre-compact:"
+
+TMP=$(mktemp -d)
+(cd "$TMP" && $NODE "$HOOKS_DIR/pre-compact.js" >/dev/null 2>&1)
+assert_exit "exits 0 with no STATE.md" 0 $?
+rm -rf "$TMP"
+
+# --- auto-update.js ---
+echo ""
+echo "auto-update:"
+
+TMP=$(mktemp -d)
+mkdir -p "$TMP/.claude"
+echo '{"code":"QS-FAWZI-01","version":"99.99.99"}' > "$TMP/.claude/.qualia-config.json"
+HOME="$TMP" $NODE "$HOOKS_DIR/auto-update.js" >/dev/null 2>&1
+assert_exit "exits 0 (fast path)" 0 $?
+# Should now have cache file
+if [ -f "$TMP/.claude/.qualia-last-update-check" ]; then
+  echo "  ✓ writes cache timestamp"
   PASS=$((PASS + 1))
 else
-  echo "  ✗ missing service_role check"
+  echo "  ✗ missing cache timestamp"
   FAIL=$((FAIL + 1))
 fi
+rm -rf "$TMP"
 
 echo ""
 echo "=== Results: $PASS passed, $FAIL failed ==="