rhachet-roles-ehmpathy 1.12.0 → 1.13.0

package/dist/logic/roles/mechanic/.skills/claude.hooks/check.pretooluse.permissions.sh

@@ -112,8 +112,27 @@ match_pattern() {
   local cmd="$1"
   local pattern="$2"
 
-  # Convert glob * to regex .*
-  local regex="^${pattern//\*/.*}$"
+  # Handle Claude Code's :* suffix matcher
+  # :* means "optionally match colon and anything after"
+  # e.g., "npm run test:*" matches "npm run test", "npm run test:", "npm run test:unit"
+
+  # First, escape regex special chars except * and :
+  local escaped_pattern
+  escaped_pattern=$(printf '%s' "$pattern" | sed 's/[.^$+?{}()[\]|\\]/\\&/g')
+
+  # Convert :* to placeholder first (to avoid * -> .* conversion interfering)
+  # Using a unique placeholder that won't appear in commands
+  escaped_pattern="${escaped_pattern//:\*/__COLON_STAR_PLACEHOLDER__}"
+
+  # Convert remaining * to .* (glob-style wildcard)
+  escaped_pattern="${escaped_pattern//\*/.*}"
+
+  # Now replace placeholder with the actual regex for :*
+  # (:.*)? matches: nothing, ":", ":foo", ":foo:bar"
+  escaped_pattern="${escaped_pattern//__COLON_STAR_PLACEHOLDER__/(:.*)?}"
+
+  # Build final regex
+  local regex="^${escaped_pattern}$"
 
   if [[ "$cmd" =~ $regex ]]; then
     return 0
@@ -121,6 +140,21 @@ match_pattern() {
   return 1
 }
 
+# Transform raw permission pattern to compact bracket notation for display
+format_pattern() {
+  local pattern="$1"
+
+  # Check if pattern ends with :*
+  if [[ "$pattern" == *":*" ]]; then
+    # Remove :* suffix and format with [p]: label (prefix match)
+    local prefix="${pattern%:*}"
+    echo "[p]: $prefix"
+  else
+    # Exact match - format with [e]: label
+    echo "[e]: $pattern"
+  fi
+}
+
 for pattern in "${ALLOWED_PATTERNS[@]}"; do
   if match_pattern "$COMMAND" "$pattern"; then
     exit 0  # Command matches an allowed pattern
@@ -137,10 +171,14 @@ if [[ "$MODE" == "SOFTNUDGE" ]]; then
   echo ""
   echo "Before requesting user approval, check if you can accomplish this task using one of these pre-approved patterns:"
   echo ""
+  echo "([e] = exact match, [p] = prefix match)"
+  echo ""
   for pattern in "${ALLOWED_PATTERNS[@]}"; do
-    echo "  • $pattern"
+    echo "  • $(format_pattern "$pattern")"
   done
   echo ""
+  echo "([e] = exact match, [p] = prefix match)"
+  echo ""
   echo "If an existing permission pattern can solve your task, use that instead."
   echo "If not, proceed with requesting approval."
   echo ""
@@ -182,10 +220,14 @@ jq --arg cmd "$COMMAND" --argjson ts "$now" '. + {($cmd): $ts}' "$ATTEMPTED_FILE
   echo ""
   echo "Before requesting user approval, check if you can accomplish this task using one of these pre-approved patterns:"
   echo ""
+  echo "([e] = exact match, [p] = prefix match)"
+  echo ""
   for pattern in "${ALLOWED_PATTERNS[@]}"; do
-    echo "  • $pattern"
+    echo "  • $(format_pattern "$pattern")"
   done
   echo ""
+  echo "([e] = exact match, [p] = prefix match)"
+  echo ""
   echo "If an existing permission pattern can solve your task, use that instead."
   echo "If you've considered the alternatives and still need this specific command, retry it."
   echo ""

package/dist/logic/roles/mechanic/.skills/claude.hooks/forbid.stderr.redirect.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+######################################################################
+# .what = PreToolUse hook to forbid 2>&1 (stderr redirection)
+#
+# .why  = redirecting stderr to stdout (2>&1) hides error messages
+#         and makes debugging harder. Claude should see stderr
+#         separately to understand when commands fail.
+#
+# .how  = reads JSON from stdin, extracts tool_input.command,
+#         checks if it contains 2>&1 and blocks if found.
+#
+# usage:
+#   configure in .claude/settings.local.json under hooks.PreToolUse
+#
+# guarantee:
+#   ✔ blocks commands containing 2>&1
+#   ✔ fast: simple string matching
+#   ✔ helpful: explains why it's blocked
+######################################################################
+
+set -euo pipefail
+
+# Read JSON from stdin (Claude Code passes input via stdin)
+STDIN_INPUT=$(cat)
+
+# failfast: if no input received, something is wrong
+if [[ -z "$STDIN_INPUT" ]]; then
+  echo "ERROR: PreToolUse hook received no input via stdin" >&2
+  exit 2
+fi
+
+# Extract command from stdin JSON
+# Claude passes: {"tool_name": "Bash", "tool_input": {"command": "..."}}
+COMMAND=$(echo "$STDIN_INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null || echo "")
+
+# Skip if not a Bash command or empty
+if [[ -z "$COMMAND" ]]; then
+  exit 0
+fi
+
+# Check if command contains 2>&1
+if [[ "$COMMAND" == *"2>&1"* ]]; then
+  {
+    echo ""
+    echo "🛑 BLOCKED: Command contains '2>&1' (stderr redirect to stdout)."
+    echo ""
+    echo "Redirecting stderr to stdout hides error messages and makes debugging harder."
+    echo "Claude should see stderr separately to understand when commands fail."
+    echo ""
+    echo "Please remove '2>&1' from your command and try again."
+    echo ""
+  } >&2
+  exit 2
+fi
+
+# Command is allowed
+exit 0

package/dist/logic/roles/mechanic/.skills/init.claude.hooks.forbid.stderr.redirect.sh

@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+######################################################################
+# .what = bind forbid.stderr.redirect hook to Claude settings
+#
+# .why  = when Claude uses 2>&1, error messages are hidden and
+#         debugging becomes harder. this hook blocks such commands.
+#
+# .how  = uses jq to findsert the PreToolUse hook configuration
+#         into .claude/settings.local.json
+#
+# guarantee:
+#   ✔ creates .claude/settings.local.json if missing
+#   ✔ preserves existing settings (permissions, other hooks)
+#   ✔ idempotent: no-op if hook already present
+#   ✔ prepends to hooks array (runs before other Bash hooks)
+#   ✔ fail-fast on errors
+######################################################################
+
+set -euo pipefail
+
+PROJECT_ROOT="$PWD"
+SETTINGS_FILE="$PROJECT_ROOT/.claude/settings.local.json"
+SKILLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+HOOK_SCRIPT="$SKILLS_DIR/claude.hooks/forbid.stderr.redirect.sh"
+
+# Verify hook script exists
+if [[ ! -f "$HOOK_SCRIPT" ]]; then
+  echo "❌ hook script not found: $HOOK_SCRIPT" >&2
+  exit 1
+fi
+
+# Define the hook configuration to findsert
+HOOK_CONFIG=$(cat <<EOF
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "$HOOK_SCRIPT",
+            "timeout": 5
+          }
+        ]
+      }
+    ]
+  }
+}
+EOF
+)
+
+# Ensure .claude directory exists
+mkdir -p "$(dirname "$SETTINGS_FILE")"
+
+# Initialize settings file if it doesn't exist
+if [[ ! -f "$SETTINGS_FILE" ]]; then
+  echo "{}" > "$SETTINGS_FILE"
+fi
+
+# Findsert: ensure hook is at the front of the hooks array
+jq --argjson hook "$HOOK_CONFIG" '
+  # Define the target command for comparison
+  def targetCmd: $hook.hooks.PreToolUse[0].hooks[0].command;
+
+  # Check if hook is already first in the Bash matcher
+  def hookIsFirst:
+    (.hooks.PreToolUse // [])
+    | map(select(.matcher == "Bash") | .hooks // [])
+    | flatten
+    | first
+    | .command == targetCmd;
+
+  # If hook is already first, return unchanged
+  if hookIsFirst then
+    .
+  else
+    # Ensure .hooks exists
+    .hooks //= {} |
+
+    # Ensure .hooks.PreToolUse exists
+    .hooks.PreToolUse //= [] |
+
+    # Check if our matcher already exists
+    if (.hooks.PreToolUse | map(.matcher) | index("Bash")) then
+      # Matcher exists - remove our hook if present, then prepend it
+      .hooks.PreToolUse |= map(
+        if .matcher == "Bash" then
+          # Remove existing instance of our hook, then prepend
+          .hooks = $hook.hooks.PreToolUse[0].hooks + (.hooks | map(select(.command != targetCmd)))
+        else
+          .
+        end
+      )
+    else
+      # Matcher does not exist, add the entire entry
+      .hooks.PreToolUse += $hook.hooks.PreToolUse
+    end
+  end
+' "$SETTINGS_FILE" > "$SETTINGS_FILE.tmp"
+
+# Check if any changes were made
+if diff -q "$SETTINGS_FILE" "$SETTINGS_FILE.tmp" >/dev/null 2>&1; then
+  rm "$SETTINGS_FILE.tmp"
+  echo "👌 forbid.stderr.redirect hook already bound"
+  echo "   $SETTINGS_FILE"
+  exit 0
+fi
+
+# Atomic replace
+mv "$SETTINGS_FILE.tmp" "$SETTINGS_FILE"
+
+echo "🔗 forbid.stderr.redirect hook bound successfully!"
+echo "   $SETTINGS_FILE"
+echo ""
+echo "✨ Claude will now be blocked from using 2>&1 in commands"

package/dist/logic/roles/mechanic/.skills/init.claude.hooks.sh

@@ -21,4 +21,5 @@ SKILLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 # Dispatch to each hook initializer
 "$SKILLS_DIR/init.claude.hooks.sessionstart.sh"
+"$SKILLS_DIR/init.claude.hooks.forbid.stderr.redirect.sh"
 "$SKILLS_DIR/init.claude.hooks.pretooluse.sh"

package/dist/logic/roles/mechanic/.skills/init.claude.permissions.sh

@@ -34,11 +34,16 @@ PERMISSIONS_CONFIG=$(cat <<'EOF'
 {
   "permissions": {
     "deny": [
-      "Bash(git commit:*)"
+      "Bash(git commit:*)",
+      "Bash(sed:*)",
+      "Bash(tee:*)",
+      "Bash(find:*)",
+      "Bash(echo:*)"
     ],
     "ask": [
       "Bash(bash:*)",
       "Bash(chmod:*)",
+      "Bash(npm install:*)",
       "Bash(pnpm install:*)",
       "Bash(pnpm add:*)"
     ],
@@ -48,20 +53,39 @@ PERMISSIONS_CONFIG=$(cat <<'EOF'
       "WebFetch(domain:www.npmjs.com)",
       "WebFetch(domain:hub.docker.com)",
       "WebFetch(domain:raw.githubusercontent.com)",
+      "WebFetch(domain:biomejs.dev)",
 
-      "Bash(npm run build:*)",
-      "Bash(npm run start:testdb:*)",
-      "Bash(AWS_PROFILE=ahbode.dev npm run deploy:dev:*)",
 
+      "Bash(ls:*)",
+      "Bash(tree:*)",
       "Bash(cat:*)",
-      "Bash(unzip:*)",
+      "Bash(head:*)",
+      "Bash(tail:*)",
+      "Bash(grep:*)",
+      "Bash(wc:*)",
+      "Bash(diff:*)",
+      "Bash(which:*)",
+      "Bash(file:*)",
+      "Bash(pwd)",
       "Bash(npm view:*)",
       "Bash(npm list:*)",
-      "Bash(pnpm list:*)",
+      "Bash(npm remove:*)",
+
+      "Bash(npx rhachet roles boot --repo ehmpathy --role mechanic)",
+      "Bash(npx tsx ./bin/run:*)",
+      "Bash(npx tsc:*)",
+      "Bash(npx biome:*)",
+      "Bash(npx jest:*)",
+
+      "Bash(npm run build:*)",
+      "Bash(npm run build:compile)",
+      "Bash(npm run start:testdb:*)",
 
-      "Bash(npx rhachet:*)",
 
       "Bash(npm run test:*)",
+      "Bash(npm run test:types:*)",
+      "Bash(npm run test:format:*)",
+      "Bash(npm run test:lint:*)",
       "Bash(npm run test:unit:*)",
       "Bash(npm run test:integration:*)",
       "Bash(npm run test:acceptance:*)",
@@ -71,15 +95,12 @@ PERMISSIONS_CONFIG=$(cat <<'EOF'
       "Bash(THOROUGH=true npm run test:integration:*)",
       "Bash(THOROUGH=true npm run test:acceptance:*)",
 
-      "Bash(AWS_PROFILE=ahbode.dev npm run test:integration:*)",
-      "Bash(AWS_PROFILE=ahbode.dev STAGE=dev npm run test:acceptance:*)",
-
       "Bash(npm run fix:*)",
       "Bash(npm run fix:format:*)",
       "Bash(npm run fix:lint:*)",
-      "Bash(npm run fix:types:*)",
 
-      "Bash(find:*)",
+      "Bash(gh pr checks:*)",
+      "Bash(gh pr status:*)",
 
       "Bash(source .agent/repo=.this/skills/*)"
     ]

package/dist/logic/roles/mechanic/.skills/init.claude.sh

@@ -12,6 +12,7 @@
 # .how  = runs both init scripts in sequence from the same directory.
 #
 # guarantee:
+#   ✔ backs up settings.local.json before changes (if exists)
 #   ✔ runs both hooks and permissions initialization
 #   ✔ fail-fast on any error
 #   ✔ idempotent: safe to rerun
@@ -20,10 +21,21 @@
 set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+GITROOT="$(git rev-parse --show-toplevel)"
+SETTINGS_FILE="$GITROOT/.claude/settings.local.json"
 
 echo "🔧 init claude config for mechanic role..."
 echo ""
 
+# backup existing settings before changes
+if [[ -f "$SETTINGS_FILE" ]]; then
+  ISODATETIME="$(date -u +%Y-%m-%dT%H-%M-%SZ)"
+  BACKUP_FILE="$GITROOT/.claude/settings.$ISODATETIME.bak.local.json"
+  cp "$SETTINGS_FILE" "$BACKUP_FILE"
+  echo "📦 backed up settings to: ${BACKUP_FILE#$GITROOT/}"
+  echo ""
+fi
+
 # initialize hooks
 "$SCRIPT_DIR/init.claude.hooks.sh"
 echo ""

package/package.json

@@ -2,7 +2,7 @@
   "name": "rhachet-roles-ehmpathy",
   "author": "ehmpathy",
   "description": "empathetic software construction roles and skills, via rhachet",
-  "version": "1.12.0",
+  "version": "1.13.0",
   "repository": "ehmpathy/rhachet-roles-ehmpathy",
   "homepage": "https://github.com/ehmpathy/rhachet-roles-ehmpathy",
   "keywords": [