rhachet-roles-ehmpathy 1.12.1 → 1.13.0

package/dist/logic/roles/mechanic/.skills/claude.hooks/forbid.stderr.redirect.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+######################################################################
+# .what = PreToolUse hook to forbid 2>&1 (stderr redirection)
+#
+# .why  = redirecting stderr to stdout (2>&1) hides error messages
+#         and makes debugging harder. Claude should see stderr
+#         separately to understand when commands fail.
+#
+# .how  = reads JSON from stdin, extracts tool_input.command,
+#         checks if it contains 2>&1 and blocks if found.
+#
+# usage:
+#   configure in .claude/settings.local.json under hooks.PreToolUse
+#
+# guarantee:
+#   ✔ blocks commands containing 2>&1
+#   ✔ fast: simple string matching
+#   ✔ helpful: explains why it's blocked
+######################################################################
+
+set -euo pipefail
+
+# Read JSON from stdin (Claude Code passes input via stdin)
+STDIN_INPUT=$(cat)
+
+# failfast: if no input received, something is wrong
+if [[ -z "$STDIN_INPUT" ]]; then
+  echo "ERROR: PreToolUse hook received no input via stdin" >&2
+  exit 2
+fi
+
+# Extract command from stdin JSON
+# Claude passes: {"tool_name": "Bash", "tool_input": {"command": "..."}}
+COMMAND=$(echo "$STDIN_INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null || echo "")
+
+# Skip if not a Bash command or empty
+if [[ -z "$COMMAND" ]]; then
+  exit 0
+fi
+
+# Check if command contains 2>&1
+if [[ "$COMMAND" == *"2>&1"* ]]; then
+  {
+    echo ""
+    echo "🛑 BLOCKED: Command contains '2>&1' (stderr redirect to stdout)."
+    echo ""
+    echo "Redirecting stderr to stdout hides error messages and makes debugging harder."
+    echo "Claude should see stderr separately to understand when commands fail."
+    echo ""
+    echo "Please remove '2>&1' from your command and try again."
+    echo ""
+  } >&2
+  exit 2
+fi
+
+# Command is allowed
+exit 0

package/dist/logic/roles/mechanic/.skills/init.claude.hooks.forbid.stderr.redirect.sh

@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+######################################################################
+# .what = bind forbid.stderr.redirect hook to Claude settings
+#
+# .why  = when Claude uses 2>&1, error messages are hidden and
+#         debugging becomes harder. this hook blocks such commands.
+#
+# .how  = uses jq to findsert the PreToolUse hook configuration
+#         into .claude/settings.local.json
+#
+# guarantee:
+#   ✔ creates .claude/settings.local.json if missing
+#   ✔ preserves existing settings (permissions, other hooks)
+#   ✔ idempotent: no-op if hook already present
+#   ✔ prepends to hooks array (runs before other Bash hooks)
+#   ✔ fail-fast on errors
+######################################################################
+
+set -euo pipefail
+
+PROJECT_ROOT="$PWD"
+SETTINGS_FILE="$PROJECT_ROOT/.claude/settings.local.json"
+SKILLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+HOOK_SCRIPT="$SKILLS_DIR/claude.hooks/forbid.stderr.redirect.sh"
+
+# Verify hook script exists
+if [[ ! -f "$HOOK_SCRIPT" ]]; then
+  echo "❌ hook script not found: $HOOK_SCRIPT" >&2
+  exit 1
+fi
+
+# Define the hook configuration to findsert
+HOOK_CONFIG=$(cat <<EOF
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "$HOOK_SCRIPT",
+            "timeout": 5
+          }
+        ]
+      }
+    ]
+  }
+}
+EOF
+)
+
+# Ensure .claude directory exists
+mkdir -p "$(dirname "$SETTINGS_FILE")"
+
+# Initialize settings file if it doesn't exist
+if [[ ! -f "$SETTINGS_FILE" ]]; then
+  echo "{}" > "$SETTINGS_FILE"
+fi
+
+# Findsert: ensure hook is at the front of the hooks array
+jq --argjson hook "$HOOK_CONFIG" '
+  # Define the target command for comparison
+  def targetCmd: $hook.hooks.PreToolUse[0].hooks[0].command;
+
+  # Check if hook is already first in the Bash matcher
+  def hookIsFirst:
+    (.hooks.PreToolUse // [])
+    | map(select(.matcher == "Bash") | .hooks // [])
+    | flatten
+    | first
+    | .command == targetCmd;
+
+  # If hook is already first, return unchanged
+  if hookIsFirst then
+    .
+  else
+    # Ensure .hooks exists
+    .hooks //= {} |
+
+    # Ensure .hooks.PreToolUse exists
+    .hooks.PreToolUse //= [] |
+
+    # Check if our matcher already exists
+    if (.hooks.PreToolUse | map(.matcher) | index("Bash")) then
+      # Matcher exists - remove our hook if present, then prepend it
+      .hooks.PreToolUse |= map(
+        if .matcher == "Bash" then
+          # Remove existing instance of our hook, then prepend
+          .hooks = $hook.hooks.PreToolUse[0].hooks + (.hooks | map(select(.command != targetCmd)))
+        else
+          .
+        end
+      )
+    else
+      # Matcher does not exist, add the entire entry
+      .hooks.PreToolUse += $hook.hooks.PreToolUse
+    end
+  end
+' "$SETTINGS_FILE" > "$SETTINGS_FILE.tmp"
+
+# Check if any changes were made
+if diff -q "$SETTINGS_FILE" "$SETTINGS_FILE.tmp" >/dev/null 2>&1; then
+  rm "$SETTINGS_FILE.tmp"
+  echo "👌 forbid.stderr.redirect hook already bound"
+  echo "   $SETTINGS_FILE"
+  exit 0
+fi
+
+# Atomic replace
+mv "$SETTINGS_FILE.tmp" "$SETTINGS_FILE"
+
+echo "🔗 forbid.stderr.redirect hook bound successfully!"
+echo "   $SETTINGS_FILE"
+echo ""
+echo "✨ Claude will now be blocked from using 2>&1 in commands"

package/dist/logic/roles/mechanic/.skills/init.claude.hooks.sh

@@ -21,4 +21,5 @@ SKILLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 # Dispatch to each hook initializer
 "$SKILLS_DIR/init.claude.hooks.sessionstart.sh"
+"$SKILLS_DIR/init.claude.hooks.forbid.stderr.redirect.sh"
 "$SKILLS_DIR/init.claude.hooks.pretooluse.sh"

package/dist/logic/roles/mechanic/.skills/init.claude.permissions.sh

@@ -34,11 +34,16 @@ PERMISSIONS_CONFIG=$(cat <<'EOF'
 {
   "permissions": {
     "deny": [
-      "Bash(git commit:*)"
+      "Bash(git commit:*)",
+      "Bash(sed:*)",
+      "Bash(tee:*)",
+      "Bash(find:*)",
+      "Bash(echo:*)"
     ],
     "ask": [
       "Bash(bash:*)",
       "Bash(chmod:*)",
+      "Bash(npm install:*)",
       "Bash(pnpm install:*)",
       "Bash(pnpm add:*)"
     ],
@@ -48,20 +53,39 @@ PERMISSIONS_CONFIG=$(cat <<'EOF'
       "WebFetch(domain:www.npmjs.com)",
       "WebFetch(domain:hub.docker.com)",
       "WebFetch(domain:raw.githubusercontent.com)",
+      "WebFetch(domain:biomejs.dev)",
 
-      "Bash(npm run build:*)",
-      "Bash(npm run start:testdb:*)",
-      "Bash(AWS_PROFILE=ahbode.dev npm run deploy:dev:*)",
 
+      "Bash(ls:*)",
+      "Bash(tree:*)",
       "Bash(cat:*)",
-      "Bash(unzip:*)",
+      "Bash(head:*)",
+      "Bash(tail:*)",
+      "Bash(grep:*)",
+      "Bash(wc:*)",
+      "Bash(diff:*)",
+      "Bash(which:*)",
+      "Bash(file:*)",
+      "Bash(pwd)",
       "Bash(npm view:*)",
       "Bash(npm list:*)",
-      "Bash(pnpm list:*)",
+      "Bash(npm remove:*)",
 
       "Bash(npx rhachet roles boot --repo ehmpathy --role mechanic)",
+      "Bash(npx tsx ./bin/run:*)",
+      "Bash(npx tsc:*)",
+      "Bash(npx biome:*)",
+      "Bash(npx jest:*)",
+
+      "Bash(npm run build:*)",
+      "Bash(npm run build:compile)",
+      "Bash(npm run start:testdb:*)",
+
 
       "Bash(npm run test:*)",
+      "Bash(npm run test:types:*)",
+      "Bash(npm run test:format:*)",
+      "Bash(npm run test:lint:*)",
       "Bash(npm run test:unit:*)",
       "Bash(npm run test:integration:*)",
       "Bash(npm run test:acceptance:*)",
@@ -71,15 +95,12 @@ PERMISSIONS_CONFIG=$(cat <<'EOF'
       "Bash(THOROUGH=true npm run test:integration:*)",
       "Bash(THOROUGH=true npm run test:acceptance:*)",
 
-      "Bash(AWS_PROFILE=ahbode.dev npm run test:integration:*)",
-      "Bash(AWS_PROFILE=ahbode.dev STAGE=dev npm run test:acceptance:*)",
-
       "Bash(npm run fix:*)",
       "Bash(npm run fix:format:*)",
       "Bash(npm run fix:lint:*)",
-      "Bash(npm run fix:types:*)",
 
-      "Bash(find:*)",
+      "Bash(gh pr checks:*)",
+      "Bash(gh pr status:*)",
 
       "Bash(source .agent/repo=.this/skills/*)"
     ]

package/dist/logic/roles/mechanic/.skills/init.claude.sh

@@ -12,6 +12,7 @@
 # .how  = runs both init scripts in sequence from the same directory.
 #
 # guarantee:
+#   ✔ backs up settings.local.json before changes (if exists)
 #   ✔ runs both hooks and permissions initialization
 #   ✔ fail-fast on any error
 #   ✔ idempotent: safe to rerun
@@ -20,10 +21,21 @@
 set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+GITROOT="$(git rev-parse --show-toplevel)"
+SETTINGS_FILE="$GITROOT/.claude/settings.local.json"
 
 echo "🔧 init claude config for mechanic role..."
 echo ""
 
+# backup existing settings before changes
+if [[ -f "$SETTINGS_FILE" ]]; then
+  ISODATETIME="$(date -u +%Y-%m-%dT%H-%M-%SZ)"
+  BACKUP_FILE="$GITROOT/.claude/settings.$ISODATETIME.bak.local.json"
+  cp "$SETTINGS_FILE" "$BACKUP_FILE"
+  echo "📦 backed up settings to: ${BACKUP_FILE#$GITROOT/}"
+  echo ""
+fi
+
 # initialize hooks
 "$SCRIPT_DIR/init.claude.hooks.sh"
 echo ""

package/package.json

@@ -2,7 +2,7 @@
   "name": "rhachet-roles-ehmpathy",
   "author": "ehmpathy",
   "description": "empathetic software construction roles and skills, via rhachet",
-  "version": "1.12.1",
+  "version": "1.13.0",
   "repository": "ehmpathy/rhachet-roles-ehmpathy",
   "homepage": "https://github.com/ehmpathy/rhachet-roles-ehmpathy",
   "keywords": [