rhachet-roles-ehmpathy 1.13.13 → 1.15.0

package/dist/logic/roles/mechanic/.skills/claude.hooks/sessionstart.notify-permissions.sh

@@ -0,0 +1,106 @@
+#!/usr/bin/env bash
+######################################################################
+# .what = SessionStart hook to notify Claude of allowed permissions
+#
+# .why  = proactively informing Claude of pre-approved Bash commands
+#         at session start reduces interruptions from permission
+#         prompts by guiding it to use allowed patterns upfront.
+#
+#         this complements the PreToolUse hook which blocks/nudges
+#         when Claude attempts unapproved commands, by providing
+#         the information before any attempts are made.
+#
+# .how  = reads .claude/settings.local.json, extracts Bash permissions,
+#         outputs a formatted list of allowed commands for Claude
+#         to reference throughout the session.
+#
+# usage:
+#   configure in .claude/settings.local.json under hooks.SessionStart
+#
+# guarantee:
+#   ✔ non-blocking: always exits 0
+#   ✔ informational only: no side effects
+#   ✔ graceful fallback: exits silently if no settings found
+######################################################################
+
+set -euo pipefail
+
+# Find the .claude directory (search upward from current directory)
+find_claude_dir() {
+  local dir="$PWD"
+  while [[ "$dir" != "/" ]]; do
+    if [[ -d "$dir/.claude" ]]; then
+      echo "$dir/.claude"
+      return 0
+    fi
+    dir="$(dirname "$dir")"
+  done
+  return 1
+}
+
+# Find the settings file
+find_settings_file() {
+  local claude_dir
+  claude_dir=$(find_claude_dir) || return 1
+  local settings_file="$claude_dir/settings.local.json"
+  if [[ -f "$settings_file" ]]; then
+    echo "$settings_file"
+    return 0
+  fi
+  return 1
+}
+
+SETTINGS_FILE=$(find_settings_file) || {
+  # No settings file found, exit silently
+  exit 0
+}
+
+# Extract Bash permissions from settings file
+# Patterns look like: "Bash(npm run test:*)" -> extract "npm run test:*"
+mapfile -t ALLOWED_PATTERNS < <(
+  jq -r '.permissions.allow // [] | .[] | select(startswith("Bash(")) | sub("^Bash\\("; "") | sub("\\)$"; "")' "$SETTINGS_FILE" 2>/dev/null
+)
+
+# If no Bash permissions found, exit silently
+if [[ ${#ALLOWED_PATTERNS[@]} -eq 0 ]]; then
+  exit 0
+fi
+
+# Transform raw permission pattern to compact bracket notation for display
+format_pattern() {
+  local pattern="$1"
+
+  # Check if pattern ends with :*
+  if [[ "$pattern" == *":*" ]]; then
+    # Remove :* suffix and format with [p]: label (prefix match)
+    local prefix="${pattern%:*}"
+    echo "[p]: $prefix"
+  else
+    # Exact match - format with [e]: label
+    echo "[e]: $pattern"
+  fi
+}
+
+# Output the allowed permissions notification
+echo ""
+echo "=================================================="
+echo "PRE-APPROVED BASH PERMISSIONS"
+echo "=================================================="
+echo ""
+echo "The following Bash commands are pre-approved and can be used without"
+echo "requesting permission from the user:"
+echo ""
+echo "([e] = exact match, [p] = prefix match - anything starting with this)"
+echo ""
+for pattern in "${ALLOWED_PATTERNS[@]}"; do
+  echo "  $(format_pattern "$pattern")"
+done
+echo ""
+echo "IMPORTANT: If you attempt a Bash command NOT on this list, you will be"
+echo "blocked and asked to reconsider. Please check this list first before"
+echo "using Bash commands to minimize interruptions to the user."
+echo ""
+echo "=================================================="
+echo ""
+
+exit 0

package/dist/logic/roles/mechanic/.skills/{init.claude.hooks.pretooluse.sh → init.claude.hooks.pretooluse.check-permissions.sh}

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 ######################################################################
-# .what = bind mechanic PreToolUse hook to Claude settings
+# .what = bind pretooluse.check-permissions hook to Claude settings
 #
 # .why  = when Claude attempts a Bash command not covered by existing
 #         permissions, this hook provides feedback asking it to
@@ -24,7 +24,7 @@ set -euo pipefail
 PROJECT_ROOT="$PWD"
 SETTINGS_FILE="$PROJECT_ROOT/.claude/settings.local.json"
 SKILLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-HOOK_SCRIPT="$SKILLS_DIR/claude.hooks/check.pretooluse.permissions.sh"
+HOOK_SCRIPT="$SKILLS_DIR/claude.hooks/pretooluse.check-permissions.sh"
 
 # Verify hook script exists
 if [[ ! -f "$HOOK_SCRIPT" ]]; then
@@ -104,7 +104,7 @@ jq --argjson hook "$HOOK_CONFIG" '
 # Check if any changes were made
 if diff -q "$SETTINGS_FILE" "$SETTINGS_FILE.tmp" >/dev/null 2>&1; then
   rm "$SETTINGS_FILE.tmp"
-  echo "👌 mechanic PreToolUse hook already bound"
+  echo "👌 pretooluse.check-permissions hook already bound"
   echo "   $SETTINGS_FILE"
   exit 0
 fi
@@ -112,7 +112,7 @@ fi
 # Atomic replace
 mv "$SETTINGS_FILE.tmp" "$SETTINGS_FILE"
 
-echo "🔗 mechanic PreToolUse hook bound successfully!"
+echo "🔗 pretooluse.check-permissions hook bound successfully!"
 echo "   $SETTINGS_FILE"
 echo ""
 echo "✨ Claude will now be reminded to check existing permissions before requesting new ones"

package/dist/logic/roles/mechanic/.skills/{init.claude.hooks.forbid.stderr.redirect.sh → init.claude.hooks.pretooluse.forbid-stderr-redirect.sh}

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 ######################################################################
-# .what = bind forbid.stderr.redirect hook to Claude settings
+# .what = bind pretooluse.forbid-stderr-redirect hook to Claude settings
 #
 # .why  = when Claude uses 2>&1, error messages are hidden and
 #         debugging becomes harder. this hook blocks such commands.
@@ -21,7 +21,7 @@ set -euo pipefail
 PROJECT_ROOT="$PWD"
 SETTINGS_FILE="$PROJECT_ROOT/.claude/settings.local.json"
 SKILLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-HOOK_SCRIPT="$SKILLS_DIR/claude.hooks/forbid.stderr.redirect.sh"
+HOOK_SCRIPT="$SKILLS_DIR/claude.hooks/pretooluse.forbid-stderr-redirect.sh"
 
 # Verify hook script exists
 if [[ ! -f "$HOOK_SCRIPT" ]]; then
@@ -102,7 +102,7 @@ jq --argjson hook "$HOOK_CONFIG" '
 # Check if any changes were made
 if diff -q "$SETTINGS_FILE" "$SETTINGS_FILE.tmp" >/dev/null 2>&1; then
   rm "$SETTINGS_FILE.tmp"
-  echo "👌 forbid.stderr.redirect hook already bound"
+  echo "👌 pretooluse.forbid-stderr-redirect hook already bound"
   echo "   $SETTINGS_FILE"
   exit 0
 fi
@@ -110,7 +110,7 @@ fi
 # Atomic replace
 mv "$SETTINGS_FILE.tmp" "$SETTINGS_FILE"
 
-echo "🔗 forbid.stderr.redirect hook bound successfully!"
+echo "🔗 pretooluse.forbid-stderr-redirect hook bound successfully!"
 echo "   $SETTINGS_FILE"
 echo ""
 echo "✨ Claude will now be blocked from using 2>&1 in commands"

package/dist/logic/roles/mechanic/.skills/init.claude.hooks.sessionstart.notify-permissions.sh

@@ -0,0 +1,121 @@
+#!/usr/bin/env bash
+######################################################################
+# .what = bind sessionstart.notify-permissions hook to Claude settings
+#
+# .why  = proactively informing Claude of pre-approved Bash commands
+#         at session start reduces interruptions from permission
+#         prompts by guiding it to use allowed patterns upfront.
+#
+#         this script "findserts" (find-or-insert) the SessionStart
+#         hook into .claude/settings.local.json, ensuring:
+#           - the hook is present after running this skill
+#           - no duplication if already present
+#           - idempotent: safe to rerun
+#
+# .how  = uses jq to merge the SessionStart hook configuration
+#         into the existing hooks structure, creating it if absent.
+#
+# guarantee:
+#   ✔ creates .claude/settings.local.json if missing
+#   ✔ preserves existing settings (permissions, other hooks)
+#   ✔ idempotent: no-op if hook already present
+#   ✔ fail-fast on errors
+######################################################################
+
+set -euo pipefail
+
+PROJECT_ROOT="$PWD"
+SETTINGS_FILE="$PROJECT_ROOT/.claude/settings.local.json"
+SKILLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+HOOK_SCRIPT="$SKILLS_DIR/claude.hooks/sessionstart.notify-permissions.sh"
+
+# Verify hook script exists
+if [[ ! -f "$HOOK_SCRIPT" ]]; then
+  echo "❌ hook script not found: $HOOK_SCRIPT" >&2
+  exit 1
+fi
+
+# Define the hook configuration to findsert
+HOOK_CONFIG=$(cat <<EOF
+{
+  "hooks": {
+    "SessionStart": [
+      {
+        "matcher": "*",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "$HOOK_SCRIPT",
+            "timeout": 5
+          }
+        ]
+      }
+    ]
+  }
+}
+EOF
+)
+
+# Ensure .claude directory exists
+mkdir -p "$(dirname "$SETTINGS_FILE")"
+
+# Initialize settings file if it doesn't exist
+if [[ ! -f "$SETTINGS_FILE" ]]; then
+  echo "{}" > "$SETTINGS_FILE"
+fi
+
+# Findsert: merge the hook configuration if not already present
+jq --argjson hook "$HOOK_CONFIG" '
+  # Define the target command for comparison
+  def targetCmd: $hook.hooks.SessionStart[0].hooks[0].command;
+
+  # Check if hook already exists
+  def hookExists:
+    (.hooks.SessionStart // [])
+    | map(select(.matcher == "*") | .hooks // [])
+    | flatten
+    | map(.command)
+    | any(. == targetCmd);
+
+  # If hook already exists, return unchanged
+  if hookExists then
+    .
+  else
+    # Ensure .hooks exists
+    .hooks //= {} |
+
+    # Ensure .hooks.SessionStart exists
+    .hooks.SessionStart //= [] |
+
+    # Check if our matcher already exists
+    if (.hooks.SessionStart | map(.matcher) | index("*")) then
+      # Matcher exists, add our hook to its hooks array
+      .hooks.SessionStart |= map(
+        if .matcher == "*" then
+          .hooks += $hook.hooks.SessionStart[0].hooks
+        else
+          .
+        end
+      )
+    else
+      # Matcher does not exist, add the entire entry
+      .hooks.SessionStart += $hook.hooks.SessionStart
+    end
+  end
+' "$SETTINGS_FILE" > "$SETTINGS_FILE.tmp"
+
+# Check if any changes were made
+if diff -q "$SETTINGS_FILE" "$SETTINGS_FILE.tmp" >/dev/null 2>&1; then
+  rm "$SETTINGS_FILE.tmp"
+  echo "👌 sessionstart.notify-permissions hook already bound"
+  echo "   $SETTINGS_FILE"
+  exit 0
+fi
+
+# Atomic replace
+mv "$SETTINGS_FILE.tmp" "$SETTINGS_FILE"
+
+echo "🔗 sessionstart.notify-permissions hook bound successfully!"
+echo "   $SETTINGS_FILE"
+echo ""
+echo "✨ Claude will now see allowed permissions at the start of each session"

package/dist/logic/roles/mechanic/.skills/init.claude.hooks.sh

@@ -4,6 +4,7 @@
 #
 # .why  = the mechanic role uses multiple hooks:
 #           • SessionStart: boot mechanic on every session
+#           • SessionStart: notify Claude of allowed permissions upfront
 #           • PreToolUse: check existing permissions before new requests
 #
 #         this script dispatches to each hook initializer.
@@ -21,5 +22,6 @@ SKILLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 # Dispatch to each hook initializer
 "$SKILLS_DIR/init.claude.hooks.sessionstart.sh"
-"$SKILLS_DIR/init.claude.hooks.forbid.stderr.redirect.sh"
-"$SKILLS_DIR/init.claude.hooks.pretooluse.sh"
+"$SKILLS_DIR/init.claude.hooks.sessionstart.notify-permissions.sh"
+"$SKILLS_DIR/init.claude.hooks.pretooluse.forbid-stderr-redirect.sh"
+"$SKILLS_DIR/init.claude.hooks.pretooluse.check-permissions.sh"

package/dist/logic/roles/mechanic/.skills/init.claude.permissions.jsonc

@@ -41,7 +41,59 @@
       // test runners - should use npm run test:* scripts instead
       // direct invocation bypasses project test configuration
       "Bash(npx biome:*)",
-      "Bash(npx jest:*)"
+      "Bash(npx jest:*)",
+
+      // github cli write operations - require explicit user approval
+      // pr mutations
+      "Bash(gh pr create:*)",
+      "Bash(gh pr merge:*)",
+      "Bash(gh pr close:*)",
+      "Bash(gh pr edit:*)",
+      "Bash(gh pr review:*)",
+      "Bash(gh pr comment:*)",
+      "Bash(gh pr reopen:*)",
+      // issue mutations
+      "Bash(gh issue create:*)",
+      "Bash(gh issue close:*)",
+      "Bash(gh issue edit:*)",
+      "Bash(gh issue comment:*)",
+      "Bash(gh issue reopen:*)",
+      // repo mutations
+      "Bash(gh repo create:*)",
+      "Bash(gh repo delete:*)",
+      "Bash(gh repo fork:*)",
+      "Bash(gh repo edit:*)",
+      // release mutations
+      "Bash(gh release create:*)",
+      "Bash(gh release delete:*)",
+      "Bash(gh release edit:*)",
+      // workflow/run mutations
+      "Bash(gh run cancel:*)",
+      "Bash(gh run rerun:*)",
+      "Bash(gh workflow disable:*)",
+      "Bash(gh workflow enable:*)",
+      "Bash(gh workflow run:*)",
+      // gist mutations
+      "Bash(gh gist create:*)",
+      "Bash(gh gist delete:*)",
+      "Bash(gh gist edit:*)",
+      // label mutations
+      "Bash(gh label create:*)",
+      "Bash(gh label delete:*)",
+      "Bash(gh label edit:*)",
+      // project mutations
+      "Bash(gh project create:*)",
+      "Bash(gh project delete:*)",
+      "Bash(gh project edit:*)",
+      // api write methods - can mutate anything
+      "Bash(gh api -X POST:*)",
+      "Bash(gh api -X PUT:*)",
+      "Bash(gh api -X PATCH:*)",
+      "Bash(gh api -X DELETE:*)",
+      "Bash(gh api --method POST:*)",
+      "Bash(gh api --method PUT:*)",
+      "Bash(gh api --method PATCH:*)",
+      "Bash(gh api --method DELETE:*)"
     ],
 
     // commands that require explicit user approval each time
@@ -83,8 +135,9 @@
       "Bash(mkdir:*)",
       "Bash(pwd)",
 
-      // safe custom tools
-      "Bash(bash src/logic/roles/mechanic/.skills/claude.tools/mvsafe.sh:*)",
+      // git mv/rm are safe - constrained to repo, all changes revertable
+      "Bash(git mv:*)",
+      "Bash(git rm:*)",
 
       // npm read operations
       "Bash(npm view:*)",
@@ -126,8 +179,37 @@
       "Bash(npm run fix:lint:*)",
 
       // github cli read operations
-      "Bash(gh pr checks:*)",
+      // pr reads
+      "Bash(gh pr list:*)",
+      "Bash(gh pr view:*)",
       "Bash(gh pr status:*)",
+      "Bash(gh pr checks:*)",
+      "Bash(gh pr diff:*)",
+      // issue reads
+      "Bash(gh issue list:*)",
+      "Bash(gh issue view:*)",
+      "Bash(gh issue status:*)",
+      // repo reads
+      "Bash(gh repo list:*)",
+      "Bash(gh repo view:*)",
+      // run/workflow reads
+      "Bash(gh run list:*)",
+      "Bash(gh run view:*)",
+      "Bash(gh run watch:*)",
+      "Bash(gh workflow list:*)",
+      "Bash(gh workflow view:*)",
+      // release reads
+      "Bash(gh release list:*)",
+      "Bash(gh release view:*)",
+      // search (all read-only)
+      "Bash(gh search code:*)",
+      "Bash(gh search repos:*)",
+      "Bash(gh search issues:*)",
+      "Bash(gh search prs:*)",
+      "Bash(gh search commits:*)",
+      // api read operations (explicit GET for safe suffix matching)
+      "Bash(gh api -X GET:*)",
+      "Bash(gh api --method GET:*)",
 
       // skill sourcing
       "Bash(source .agent/repo=.this/skills/*)"

package/package.json

@@ -2,7 +2,7 @@
   "name": "rhachet-roles-ehmpathy",
   "author": "ehmpathy",
   "description": "empathetic software construction roles and skills, via rhachet",
-  "version": "1.13.13",
+  "version": "1.15.0",
   "repository": "ehmpathy/rhachet-roles-ehmpathy",
   "homepage": "https://github.com/ehmpathy/rhachet-roles-ehmpathy",
   "keywords": [

package/dist/logic/roles/mechanic/.skills/claude.tools/mvsafe.sh

@@ -1,75 +0,0 @@
-#!/usr/bin/env bash
-######################################################################
-# .what = safe mv wrapper that constrains moves to within the repo
-#
-# .why  = mv can move/overwrite files anywhere on the filesystem.
-#         this wrapper ensures both source and destination resolve
-#         to paths within the current working directory (repo root).
-#
-# .how  = uses realpath to resolve absolute paths, then validates
-#         both are prefixed by $PWD before executing mv.
-#
-# usage:
-#   bash mvsafe.sh <source> <destination>
-#
-# guarantee:
-#   ✔ fails if source is outside repo
-#   ✔ fails if destination is outside repo
-#   ✔ fails if source doesn't exist
-#   ✔ passes all arguments to mv if validation passes
-######################################################################
-
-set -euo pipefail
-
-if [[ $# -lt 2 ]]; then
-  echo "error: mvsafe requires at least 2 arguments" >&2
-  echo "usage: mvsafe.sh <source> <destination>" >&2
-  exit 1
-fi
-
-REPO_ROOT="$PWD"
-
-# get the last argument (destination)
-DEST="${*: -1}"
-
-# get all arguments except the last (sources, could be multiple)
-SOURCES=("${@:1:$#-1}")
-
-# resolve destination path
-# if dest doesn't exist yet, resolve its parent directory
-if [[ -e "$DEST" ]]; then
-  DEST_RESOLVED="$(realpath "$DEST")"
-else
-  DEST_PARENT="$(dirname "$DEST")"
-  if [[ ! -d "$DEST_PARENT" ]]; then
-    echo "error: destination parent directory does not exist: $DEST_PARENT" >&2
-    exit 1
-  fi
-  DEST_RESOLVED="$(realpath "$DEST_PARENT")/$(basename "$DEST")"
-fi
-
-# validate destination is within repo
-if [[ "$DEST_RESOLVED" != "$REPO_ROOT"* ]]; then
-  echo "error: destination is outside repo: $DEST_RESOLVED" >&2
-  echo "       repo root: $REPO_ROOT" >&2
-  exit 1
-fi
-
-# validate each source is within repo
-for SRC in "${SOURCES[@]}"; do
-  if [[ ! -e "$SRC" ]]; then
-    echo "error: source does not exist: $SRC" >&2
-    exit 1
-  fi
-
-  SRC_RESOLVED="$(realpath "$SRC")"
-
-  if [[ "$SRC_RESOLVED" != "$REPO_ROOT"* ]]; then
-    echo "error: source is outside repo: $SRC_RESOLVED" >&2
-    echo "       repo root: $REPO_ROOT" >&2
-    exit 1
-  fi
-done
-
-# all validations passed, execute mv
-exec mv "$@"