qualia-framework 2.6.0 → 3.2.0

package/framework/agents/teams/ship-team.md

@@ -1,86 +0,0 @@
-# Ship Team
-
-> Quality gate → Deploy → Verify. Pipeline pattern — abort if any step fails.
-
-## Agents
-
-- **quality-gate**
-  - subagent_type: test-agent
-  - role: Run tsc, eslint, build. Ensure no type errors, lint violations, or build failures.
-  - commands: |
-    npx tsc --noEmit
-    npx next lint (or eslint .)
-    npm run build (or next build)
-  - abort_on_fail: true
-
-- **deploy**
-  - subagent_type: backend-agent
-  - role: Commit staged changes, push to remote, deploy to hosting platform
-  - commands: |
-    git add -A && git commit (if uncommitted changes)
-    git push origin {branch}
-    vercel --prod (default) OR wrangler deploy (if armenius)
-  - abort_on_fail: true
-
-- **verify**
-  - subagent_type: test-agent
-  - role: Run 6-check post-deploy verification against production URL
-  - checks: |
-    1. HTTP 200 — homepage loads
-    2. Auth flow — login/signup endpoint responds
-    3. Console errors — no critical JS errors
-    4. API latency — key endpoints < 500ms
-    5. SSL — valid certificate
-    6. Build artifacts — no source maps exposed
-  - abort_on_fail: false (report issues but don't rollback)
-
-## Pattern
-
-pipeline: quality-gate → deploy → verify
-
-Each step must succeed before the next begins. If quality-gate fails, deployment is blocked. If deploy fails, verification is skipped.
-
-## Shared Context
-
-- ~/.claude/knowledge/qualia-context.md — project inventory, deploy commands, Supabase refs
-- .planning/STATE.md — current project state
-- Project's local CLAUDE.md — project-specific deploy config
-
-## Coordination Rules
-
-- quality-gate runs ALL checks before passing — partial pass is a fail
-- deploy detects hosting platform from project context (Vercel default, Cloudflare for armenius)
-- verify uses the production URL from deploy output
-- If Supabase project: deploy also runs `supabase db push` if pending migrations exist
-
-## Output
-
-SHIP-REPORT.md in current directory:
-
-```markdown
-# Ship Report
-
-**Date:** {date}
-**Branch:** {branch}
-**Deploy URL:** {url}
-
-## Quality Gate
-- tsc: ✓ / ✗ ({error count})
-- lint: ✓ / ✗ ({warning count})
-- build: ✓ / ✗ ({duration})
-
-## Deployment
-- Platform: Vercel / Cloudflare
-- URL: {production url}
-- Commit: {sha}
-
-## Verification
-| Check | Status | Details |
-|-------|--------|---------|
-| HTTP 200 | ✓/✗ | {status code} |
-| Auth flow | ✓/✗ | {details} |
-| Console errors | ✓/✗ | {count} |
-| API latency | ✓/✗ | {ms} |
-| SSL | ✓/✗ | {expiry} |
-| Source maps | ✓/✗ | {exposed?} |
-```

package/framework/agents/test-agent.md

@@ -1,182 +0,0 @@
----
-name: test-agent
-description: Testing and QA specialist - unit tests, integration tests, E2E with Playwright. Spawned for parallel test development.
-category: testing
-tools: Read, Write, Edit, Glob, Grep, Bash
-model: inherit
-tags: [testing, jest, vitest, playwright, qa]
----
-
-# Test Agent
-
-Specialized agent for testing and QA. Spawned for parallel test development.
-
-## Capabilities
-
-- Write unit tests (Jest, Vitest)
-- Write integration tests
-- Create E2E tests (Playwright)
-- Generate test fixtures
-- Analyze code coverage
-- Find edge cases
-
-## When to Spawn
-
-Use this agent when:
-- Writing tests in parallel with implementation
-- Need comprehensive test coverage
-- E2E testing for user flows
-- Test debugging and fixes
-
-## Tools Available
-
-| Tool | Purpose |
-|------|---------|
-| Read | Read code to test |
-| Write | Create test files |
-| Edit | Fix existing tests |
-| Glob | Find test files |
-| Grep | Search for patterns |
-| Bash | Run tests |
-
-## Example Tasks
-
-```
-"Write tests for the ProfileCard component"
-"Create E2E test for the checkout flow"
-"Add integration tests for the API endpoints"
-"Fix the failing user registration tests"
-```
-
-## My Process
-
-1. **Analyze code** - Understand what to test
-2. **Identify test cases** - Happy paths, edge cases, errors
-3. **Write tests** - Clean, descriptive tests
-4. **Run tests** - Verify they work
-5. **Check coverage** - Ensure adequate coverage
-6. **Report back** - Return test summary
-
-## Constraints
-
-- Focus on testing, not implementation
-- Use project's test framework
-- Follow existing test patterns
-- Don't modify production code (unless fixing test setup)
-
-## Output Format
-
-When done, I return:
-```markdown
-## Testing Complete
-
-### Tests Created
-- __tests__/ProfileCard.test.tsx (8 tests)
-- e2e/checkout.spec.ts (5 tests)
-
-### Coverage Summary
-| File | Statements | Branches | Functions | Lines |
-|------|------------|----------|-----------|-------|
-| ProfileCard.tsx | 95% | 88% | 100% | 95% |
-
-### Test Cases
-**Unit Tests:**
-- ✅ renders user profile
-- ✅ shows loading skeleton
-- ✅ handles edit click
-- ✅ displays error state
-
-**E2E Tests:**
-- ✅ complete checkout flow
-- ✅ handles payment failure
-- ✅ applies discount code
-
-### Run Command
-\`\`\`bash
-npm test ProfileCard
-npx playwright test checkout
-\`\`\`
-```
-
-## Spawn Example
-
-```typescript
-// From main orchestrator
-await Task({
-  subagent_type: "test-agent",
-  prompt: "Write comprehensive tests for the ProfileCard component including: render states, user interactions, loading skeleton, error handling.",
-  run_in_background: true
-});
-```
-
-## Test Patterns
-
-### Component Test Template
-```typescript
-import { render, screen } from '@testing-library/react';
-import userEvent from '@testing-library/user-event';
-import { Component } from './Component';
-
-describe('Component', () => {
-  it('renders correctly', () => {
-    render(<Component />);
-    expect(screen.getByRole('button')).toBeInTheDocument();
-  });
-
-  it('handles user interaction', async () => {
-    const onClick = vi.fn();
-    render(<Component onClick={onClick} />);
-    await userEvent.click(screen.getByRole('button'));
-    expect(onClick).toHaveBeenCalled();
-  });
-
-  it('shows loading state', () => {
-    render(<Component loading />);
-    expect(screen.getByTestId('skeleton')).toBeInTheDocument();
-  });
-
-  it('displays error', () => {
-    render(<Component error="Failed" />);
-    expect(screen.getByText('Failed')).toBeInTheDocument();
-  });
-});
-```
-
-### E2E Test Template
-```typescript
-import { test, expect } from '@playwright/test';
-
-test.describe('Feature', () => {
-  test('completes flow', async ({ page }) => {
-    await page.goto('/');
-    await page.click('button:has-text("Start")');
-    await page.fill('input[name="email"]', 'test@example.com');
-    await page.click('button:has-text("Submit")');
-    await expect(page.locator('.success')).toBeVisible();
-  });
-
-  test('handles error', async ({ page }) => {
-    await page.route('**/api/**', route => route.fulfill({ status: 500 }));
-    await page.goto('/');
-    await page.click('button:has-text("Submit")');
-    await expect(page.locator('.error')).toBeVisible();
-  });
-});
-```
-
-### API Test Template
-```typescript
-describe('API: /api/users', () => {
-  it('returns user list', async () => {
-    const response = await fetch('/api/users');
-    const data = await response.json();
-    expect(response.status).toBe(200);
-    expect(data).toHaveProperty('users');
-  });
-
-  it('requires authentication', async () => {
-    const response = await fetch('/api/users');
-    expect(response.status).toBe(401);
-  });
-});
-```

package/framework/hooks/auto-format.sh

@@ -1,54 +0,0 @@
-#!/bin/bash
-# Auto-format hook for PostToolUse(Write/Edit)
-# Runs prettier on supported file types if available in the project
-source "$(dirname "$0")/qualia-colors.sh"
-
-# Parse file path from stdin JSON (Claude Code hook protocol)
-if [ ! -t 0 ]; then
-    INPUT=$(cat)
-    FILE_PATH=$(echo "$INPUT" | node -e "try{const d=JSON.parse(require('fs').readFileSync('/dev/stdin','utf8'));process.stdout.write(d.tool_input?.file_path||'')}catch(e){}" 2>/dev/null)
-else
-    FILE_PATH=""
-fi
-
-# Skip if no file path
-[ -z "$FILE_PATH" ] || [ ! -f "$FILE_PATH" ] && exit 0
-
-# Get file extension
-EXT="${FILE_PATH##*.}"
-
-# Only format supported file types
-case "$EXT" in
-  ts|tsx|js|jsx|json|css|scss|html|md|yaml|yml) ;;
-  *) exit 0 ;;
-esac
-
-# Find project root (look for package.json or .git)
-DIR="$(dirname "$FILE_PATH")"
-PROJECT_ROOT=""
-while [ "$DIR" != "/" ]; do
-  if [ -f "$DIR/package.json" ] || [ -d "$DIR/.git" ]; then
-    PROJECT_ROOT="$DIR"
-    break
-  fi
-  DIR="$(dirname "$DIR")"
-done
-
-# Try to format with prettier if available in the project
-if [ -n "$PROJECT_ROOT" ]; then
-  if [ -f "$PROJECT_ROOT/node_modules/.bin/prettier" ]; then
-    "$PROJECT_ROOT/node_modules/.bin/prettier" --write "$FILE_PATH" 2>/dev/null
-    exit 0
-  fi
-fi
-
-# No formatter found — notify once per project
-if [ -n "$PROJECT_ROOT" ]; then
-  STAMP="/tmp/.no-formatter-$(echo "$PROJECT_ROOT" | md5sum | cut -c1-8)"
-  if [ ! -f "$STAMP" ]; then
-    touch "$STAMP"
-    printf '{"continue":true,"systemMessage":"◆ AUTO-FORMAT: No prettier found in %s — files will not be auto-formatted."}' "$(basename "$PROJECT_ROOT")"
-    exit 0
-  fi
-fi
-exit 0

package/framework/hooks/block-env-edit.sh

@@ -1,42 +0,0 @@
-#!/bin/bash
-# Block .env and credential file editing
-source "$(dirname "$0")/qualia-colors.sh"
-
-if [ ! -t 0 ]; then
-    INPUT=$(cat)
-    FILE_PATH=$(echo "$INPUT" | node -e "try{const d=JSON.parse(require('fs').readFileSync('/dev/stdin','utf8'));process.stdout.write(d.tool_input?.file_path||d.tool_input?.filePath||'')}catch(e){}" 2>/dev/null)
-else
-    FILE_PATH="${1:-}"
-fi
-
-if [ -z "$FILE_PATH" ]; then
-    printf '{"continue":true}'
-    exit 0
-fi
-
-BASENAME=$(basename "$FILE_PATH")
-
-if [[ "$BASENAME" == .env* ]] || [[ "$FILE_PATH" == */.env ]] || [[ "$FILE_PATH" == */.env.* ]]; then
-    cat <<EOJSON
-{
-  "continue": false,
-  "stopReason": "◆ ENV GUARD: editing ${BASENAME} blocked",
-  "systemMessage": "◆ BLOCKED: Cannot edit .env files through Claude Code. Tell the user EXACTLY what needs to change: which file, which variable, what value."
-}
-EOJSON
-    exit 2
-fi
-
-if [[ "$FILE_PATH" == *credentials* ]] || [[ "$FILE_PATH" == *secret* ]] || [[ "$FILE_PATH" == *.pem ]] || [[ "$FILE_PATH" == *.key ]]; then
-    cat <<EOJSON
-{
-  "continue": false,
-  "stopReason": "◆ ENV GUARD: credential file blocked",
-  "systemMessage": "◆ BLOCKED: Cannot edit credential/secret files through Claude. Tell the user what needs changing."
-}
-EOJSON
-    exit 2
-fi
-
-printf '{"continue":true}'
-exit 0

package/framework/hooks/branch-guard.sh

@@ -1,43 +0,0 @@
-#!/bin/bash
-# Branch protection — role-aware
-# OWNER: allowed to push to main/master
-# DEVELOPER/EMPLOYEE: blocked, told to use /qualia-ship
-source "$(dirname "$0")/qualia-colors.sh"
-
-if [ ! -t 0 ]; then
-    INPUT=$(cat)
-    COMMAND=$(echo "$INPUT" | node -e "try{const d=JSON.parse(require('fs').readFileSync('/dev/stdin','utf8'));process.stdout.write(d.tool_input?.command||d.tool_input||'')}catch(e){}" 2>/dev/null)
-else
-    COMMAND="${1:-}"
-fi
-
-case "$COMMAND" in
-    git\ push*) ;;
-    *) exit 0 ;;
-esac
-
-BRANCH=$(git branch --show-current 2>/dev/null) || true
-[ -z "$BRANCH" ] && exit 0
-
-# Only guard main/master
-if [ "$BRANCH" != "main" ] && [ "$BRANCH" != "master" ]; then
-    exit 0
-fi
-
-# Check role from CLAUDE.md
-ROLE=$(grep -m1 "^## Role:" "$HOME/.claude/CLAUDE.md" 2>/dev/null | sed 's/^## Role: *//')
-
-# OWNER can push anywhere
-if [ "$ROLE" = "OWNER" ]; then
-    exit 0
-fi
-
-# DEVELOPER/EMPLOYEE blocked
-cat <<EOJSON
-{
-  "continue": false,
-  "stopReason": "◆ BRANCH GUARD: push to ${BRANCH} blocked (${ROLE:-unknown} role)",
-  "systemMessage": "◆ BLOCKED: As ${ROLE:-DEVELOPER}, cannot push to ${BRANCH}. Use /ship for feature branch workflow."
-}
-EOJSON
-exit 2

package/framework/hooks/confirm-delete.sh

@@ -1,59 +0,0 @@
-#!/bin/bash
-# Destructive command guard — blocks dangerous operations
-source "$(dirname "$0")/qualia-colors.sh"
-
-if [ ! -t 0 ]; then
-    INPUT=$(cat)
-    COMMAND=$(echo "$INPUT" | node -e "try{const d=JSON.parse(require('fs').readFileSync('/dev/stdin','utf8'));process.stdout.write(d.tool_input?.command||d.tool_input||'')}catch(e){}" 2>/dev/null)
-else
-    COMMAND="${1:-}"
-fi
-
-# Early exit for safe commands
-case "$COMMAND" in
-    ls*|cat*|echo*|pwd|cd*|node*|npm\ install*|npm\ run*|npm\ test*|npx*|bun*|pnpm*|grep*|find*|which*|whoami|date|head*|tail*|wc*|sort*|diff*|test*|"["*|true|false|mkdir*|touch*|cp*|mv*|chmod*|stat*|readlink*|basename*|dirname*|realpath*|tsc*|eslint*|prettier*|vitest*|jest*|python*|pip*|curl*|wget*|gh*)
-        exit 0
-        ;;
-esac
-
-block() {
-    cat <<EOJSON
-{
-  "continue": false,
-  "stopReason": "◆ BLOCKED: That would $1 — finding a safer way",
-  "systemMessage": "◆ BLOCKED: $1. This could cause damage. Find a safer alternative and explain to the user what was blocked and what safer approach you're using instead."
-}
-EOJSON
-    exit 2
-}
-
-# Dangerous rm patterns
-echo "$COMMAND" | grep -qE 'rm\s+(-rf|-fr|-r)\s+(/|~/|\.\.|[A-Za-z]+/$)' && block "Dangerous recursive delete"
-echo "$COMMAND" | grep -qE 'rm\s.*\s(src/|app/|lib/|components/|public/|pages/|supabase/)' && block "Deleting critical project directory"
-echo "$COMMAND" | grep -qE 'rm\s+(-rf|-fr)\s+\.$' && block "rm -rf current directory"
-
-# Dangerous SQL
-echo "$COMMAND" | grep -qiE 'DROP\s+(TABLE|DATABASE|SCHEMA)\s' && block "DROP TABLE/DATABASE/SCHEMA"
-echo "$COMMAND" | grep -qiE 'TRUNCATE\s+TABLE\s' && block "TRUNCATE TABLE"
-echo "$COMMAND" | grep -qiE 'DELETE\s+FROM\s+\w+\s*;' && block "DELETE without WHERE"
-
-# Dangerous git
-echo "$COMMAND" | grep -qE 'git\s+push\s+.*--force($|\s)' && ! echo "$COMMAND" | grep -qE '\-\-force-with-lease' && block "git push --force (use --force-with-lease)"
-echo "$COMMAND" | grep -qE 'git\s+reset\s+--hard' && block "git reset --hard discards work"
-echo "$COMMAND" | grep -qE 'git\s+clean\s+-[a-z]*f' && block "git clean -f deletes untracked files"
-
-# Supabase destructive
-echo "$COMMAND" | grep -qE 'supabase\s+functions\s+delete' && block "supabase functions delete"
-echo "$COMMAND" | grep -qE 'supabase\s+secrets\s+unset' && block "supabase secrets unset"
-echo "$COMMAND" | grep -qE 'supabase\s+projects\s+delete' && block "supabase projects delete"
-
-# Infrastructure
-echo "$COMMAND" | grep -qE 'kubectl\s+delete\s' && block "kubectl delete"
-echo "$COMMAND" | grep -qE 'docker\s+(rm|rmi)\s+-f' && block "docker force remove"
-
-# Platform
-echo "$COMMAND" | grep -qiE 'supabase\s+db\s+reset' && block "supabase db reset destroys database"
-echo "$COMMAND" | grep -qiE 'vercel\s+(rm|remove)\s' && block "vercel rm/remove"
-echo "$COMMAND" | grep -qiE 'npm\s+unpublish' && block "npm unpublish"
-
-exit 0

package/framework/hooks/migration-validate.sh

@@ -1,77 +0,0 @@
-#!/bin/bash
-# Migration validation — checks SQL for destructive ops and missing RLS
-source "$(dirname "$0")/qualia-colors.sh"
-
-if [ ! -t 0 ]; then
-    INPUT=$(cat)
-    FILE_PATH=$(echo "$INPUT" | node -e "try{const d=JSON.parse(require('fs').readFileSync('/dev/stdin','utf8'));process.stdout.write(d.tool_input?.file_path||'')}catch(e){}" 2>/dev/null)
-    if [ -z "$FILE_PATH" ]; then
-        COMMAND=$(echo "$INPUT" | node -e "try{const d=JSON.parse(require('fs').readFileSync('/dev/stdin','utf8'));process.stdout.write(d.tool_input?.command||d.tool_input||'')}catch(e){}" 2>/dev/null)
-    fi
-fi
-
-DESTRUCTIVE=0
-WARNINGS_COUNT=0
-
-check_sql_file() {
-    local file="$1"
-    [ ! -f "$file" ] && return 0
-
-    # Destructive ops → block
-    if grep -iE '\bDROP\s+(TABLE|SCHEMA|DATABASE)\b' "$file" > /dev/null 2>&1; then
-        q_fail "DROP TABLE/SCHEMA in ${file}"
-        DESTRUCTIVE=$((DESTRUCTIVE + 1))
-    fi
-    if grep -iE '\bTRUNCATE\b' "$file" > /dev/null 2>&1; then
-        q_fail "TRUNCATE in ${file}"
-        DESTRUCTIVE=$((DESTRUCTIVE + 1))
-    fi
-    # DELETE-without-WHERE: count DELETEs vs WHERE clauses (per-statement approximation)
-    local delete_count=$(grep -ciE '\bDELETE\s+FROM\b' "$file" 2>/dev/null || echo 0)
-    local where_count=$(grep -ciE '\bWHERE\b' "$file" 2>/dev/null || echo 0)
-    if [ "$delete_count" -gt 0 ] && [ "$delete_count" -gt "$where_count" ]; then
-        q_fail "DELETE without WHERE in ${file} (${delete_count} DELETEs, ${where_count} WHEREs)"
-        DESTRUCTIVE=$((DESTRUCTIVE + 1))
-    fi
-    if grep -iE '\bALTER\s+TABLE\b.*\bDROP\s+COLUMN\b' "$file" > /dev/null 2>&1; then
-        q_fail "DROP COLUMN in ${file}"
-        DESTRUCTIVE=$((DESTRUCTIVE + 1))
-    fi
-    # Missing RLS → warn only (reminder, not destructive)
-    if grep -iE '\bCREATE\s+TABLE\b' "$file" > /dev/null 2>&1 && ! grep -iE '\bENABLE\s+ROW\s+LEVEL\s+SECURITY\b' "$file" > /dev/null 2>&1; then
-        q_warn "New table needs RLS in ${file} — tell Claude: 'add RLS policies to the new table'"
-        WARNINGS_COUNT=$((WARNINGS_COUNT + 1))
-    fi
-}
-
-TRIGGERED=false
-
-# Mode 1: SQL file written
-if [ -n "$FILE_PATH" ] && [[ "$FILE_PATH" == *.sql ]]; then
-    TRIGGERED=true
-    check_sql_file "$FILE_PATH"
-fi
-
-# Mode 2: supabase db push — only scan new/modified migrations (not historical)
-if [ -n "$COMMAND" ] && echo "$COMMAND" | grep -qE 'supabase\s+db\s+push'; then
-    TRIGGERED=true
-    # Scan only uncommitted or recently modified migration files
-    MODIFIED_MIGRATIONS=$(git diff --name-only HEAD -- supabase/migrations/*.sql 2>/dev/null; git diff --cached --name-only -- supabase/migrations/*.sql 2>/dev/null; git ls-files --others -- supabase/migrations/*.sql 2>/dev/null)
-    if [ -n "$MODIFIED_MIGRATIONS" ]; then
-        while IFS= read -r sql_file; do
-            [ -f "$sql_file" ] && check_sql_file "$sql_file"
-        done < <(echo "$MODIFIED_MIGRATIONS" | sort -u)
-    fi
-fi
-
-# Block on destructive ops, warn on missing RLS
-if $TRIGGERED && [ "$DESTRUCTIVE" -gt 0 ]; then
-    printf '{"continue":false,"stopReason":"◆ MIGRATION: %d destructive operation(s) blocked","systemMessage":"◆ MIGRATION BLOCKED: %d destructive operation(s) found. Tell Claude to review the SQL and confirm these operations are intentional."}' "$DESTRUCTIVE" "$DESTRUCTIVE"
-    exit 2
-elif $TRIGGERED && [ "$WARNINGS_COUNT" -gt 0 ]; then
-    printf '{"continue":true,"systemMessage":"◆ MIGRATION CHECK: %d warning(s) — tell Claude to review missing RLS policies."}' "$WARNINGS_COUNT"
-elif $TRIGGERED; then
-    printf '{"continue":true,"systemMessage":"◆ MIGRATION CHECK: clean"}'
-fi
-
-exit 0

package/framework/hooks/notification-speak.sh

@@ -1,16 +0,0 @@
-#!/bin/bash
-# Notification hook — passes notification message to TTS
-# Reads message from stdin JSON (Claude Code hook protocol)
-
-TEXT=""
-if [ ! -t 0 ]; then
-    INPUT=$(cat)
-    TEXT=$(echo "$INPUT" | node -e "try{const d=JSON.parse(require('fs').readFileSync('/dev/stdin','utf8'));process.stdout.write(d.message||'')}catch(e){}" 2>/dev/null)
-fi
-
-if [ -n "$TEXT" ]; then
-    ~/.claude/scripts/speak.sh "$TEXT" &
-fi
-
-printf '{"continue":true}'
-exit 0

package/framework/hooks/pre-commit.sh

@@ -1,100 +0,0 @@
-#!/bin/bash
-# Pre-commit validation — secrets, debug statements, TypeScript, lint
-source "$(dirname "$0")/qualia-colors.sh"
-
-if ! command -v node &>/dev/null; then
-    [ ! -t 0 ] && cat > /dev/null
-    printf '{"continue":false,"stopReason":"PRE-COMMIT: node is not installed — cannot verify safety. Install node to proceed."}'
-    exit 2
-fi
-
-if [ ! -t 0 ]; then
-    INPUT=$(cat)
-    COMMAND=$(echo "$INPUT" | node -e "try{const d=JSON.parse(require('fs').readFileSync('/dev/stdin','utf8'));process.stdout.write(d.tool_input?.command||d.tool_input||'')}catch(e){}" 2>/dev/null)
-else
-    COMMAND="${1:-}"
-fi
-
-case "$COMMAND" in
-    git\ commit*) ;;
-    *) exit 0 ;;
-esac
-
-git rev-parse --is-inside-work-tree &>/dev/null || exit 0
-
-STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
-[ -z "$STAGED_FILES" ] && exit 0
-
-q_header "PRE-COMMIT"
-BLOCKED=false
-FAIL_DETAILS=""
-
-# Check for secrets
-SECRETS_PATTERN="(api[_-]?key|apikey|secret[_-]?key|password|passwd|pwd|token|auth[_-]?token|access[_-]?token|private[_-]?key)[\s]*[=:][\"'\s]*[A-Za-z0-9+/=_-]{20,}"
-for file in $STAGED_FILES; do
-    if [ -f "$file" ] && grep -iE "$SECRETS_PATTERN" "$file" > /dev/null 2>&1; then
-        q_fail "Secret in ${file}"
-        FAIL_DETAILS="${FAIL_DETAILS}A password or API key was found in ${file} — tell Claude: 'remove the secret and use an environment variable instead.' "
-        BLOCKED=true
-    fi
-done
-
-# Check for .env files
-ENV_FILES=$(echo "$STAGED_FILES" | grep -E '\.env($|\.)' | grep -v '.example' | grep -v '.sample' || true)
-if [ -n "$ENV_FILES" ]; then
-    q_fail ".env file staged: ${ENV_FILES}"
-    FAIL_DETAILS="${FAIL_DETAILS}.env file contains secrets and shouldn't be committed — tell Claude: 'unstage the .env file.' "
-    BLOCKED=true
-fi
-
-# Debug statements in JS/TS (block in production code, allow in tests/stories)
-JS_PROD_FILES=$(echo "$STAGED_FILES" | grep -E '\.(js|jsx|ts|tsx)$' | grep -vE '\.test\.|\.spec\.|__tests__/|\.stories\.' || true)
-if [ -n "$JS_PROD_FILES" ]; then
-    for file in $JS_PROD_FILES; do
-        if [ -f "$file" ] && grep -E "console\.(log|debug|info)|debugger" "$file" > /dev/null 2>&1; then
-            q_fail "Debug statement in ${file}"
-            FAIL_DETAILS="${FAIL_DETAILS}Debug statement in ${file} — tell Claude: 'remove console.log/debugger from production code.' "
-            BLOCKED=true
-        fi
-    done
-fi
-
-# TypeScript check (skip if tsc passed in last 5 minutes — pre-deploy-gate also runs tsc)
-TSC_STAMP="/tmp/.tsc-pass-$(echo "$PWD" | md5sum | cut -c1-8)"
-if [ -f "tsconfig.json" ]; then
-    if [ -f "$TSC_STAMP" ]; then
-        AGE=$(( $(date +%s) - $(stat -c %Y "$TSC_STAMP" 2>/dev/null || echo 0) ))
-        if [ "$AGE" -lt 300 ]; then
-            q_pass "TypeScript (cached)"
-        else
-            rm -f "$TSC_STAMP"
-        fi
-    fi
-    # Run tsc only if no valid cache
-    if [ ! -f "$TSC_STAMP" ]; then
-        if command -v npx &> /dev/null; then
-            if npx tsc --noEmit 2>/dev/null; then
-                q_pass "TypeScript"
-                touch "$TSC_STAMP"
-            else
-                q_fail "TypeScript errors"
-                FAIL_DETAILS="${FAIL_DETAILS}Code errors found — tell Claude: 'fix the TypeScript errors and try committing again.' "
-                BLOCKED=true
-            fi
-        fi
-    fi
-fi
-
-if $BLOCKED; then
-    cat <<EOJSON
-{
-  "continue": false,
-  "stopReason": "◆ Pre-commit: blocked",
-  "systemMessage": "◆ PRE-COMMIT BLOCKED: ${FAIL_DETAILS}Tell Claude to fix these issues and try committing again."
-}
-EOJSON
-    exit 2
-fi
-
-printf '{"continue":true,"systemMessage":"◆ PRE-COMMIT: all checks passed"}'
-exit 0