shimwrappercheck 0.2.0

package/scripts/supabase-checked.sh

@@ -0,0 +1,330 @@
+#!/usr/bin/env bash
+# Shim wrapper for Supabase CLI: run checks, call real CLI, then run optional hooks.
+set -euo pipefail
+
+WRAPPER_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+resolve_project_root() {
+  if [[ -n "${SHIM_PROJECT_ROOT:-}" ]]; then
+    echo "$SHIM_PROJECT_ROOT"
+    return
+  fi
+  if command -v git >/dev/null 2>&1; then
+    local root
+    root="$(git rev-parse --show-toplevel 2>/dev/null || true)"
+    if [[ -n "$root" ]]; then
+      echo "$root"
+      return
+    fi
+  fi
+  pwd
+}
+
+PROJECT_ROOT="$(resolve_project_root)"
+cd "$PROJECT_ROOT"
+
+CONFIG_FILE="${SHIM_CONFIG_FILE:-$PROJECT_ROOT/.shimwrappercheckrc}"
+if [[ -f "$CONFIG_FILE" ]]; then
+  # shellcheck disable=SC1090
+  source "$CONFIG_FILE"
+fi
+
+ARGS_IN=("$@")
+ARGS_TEXT_RAW=" ${*:-} "
+SUPABASE_ARGS=()
+CHECKS_PASSTHROUGH=()
+
+RUN_CHECKS=true
+CHECKS_ONLY=false
+RUN_HOOKS=true
+RUN_PUSH=true
+FORCE_FRONTEND=false
+
+matches_command_list() {
+  local list="$1"
+  local text="$2"
+
+  list="$(echo "$list" | tr '[:upper:]' '[:lower:]')"
+  text="$(echo "$text" | tr '[:upper:]' '[:lower:]')"
+
+  if [[ -z "$list" ]] || [[ "$list" == "all" ]]; then
+    return 0
+  fi
+  if [[ "$list" == "none" ]]; then
+    return 1
+  fi
+
+  IFS=',' read -r -a items <<< "$list"
+  for item in "${items[@]}"; do
+    item="$(echo "$item" | xargs)"
+    [[ -z "$item" ]] && continue
+    if [[ "$text" == *" $item "* ]]; then
+      return 0
+    fi
+  done
+  return 1
+}
+
+for arg in "${ARGS_IN[@]}"; do
+  case "$arg" in
+    --no-checks) RUN_CHECKS=false ;;
+    --checks-only) CHECKS_ONLY=true ;;
+    --no-hooks) RUN_HOOKS=false ;;
+    --no-push) RUN_PUSH=false ;;
+    --with-frontend) FORCE_FRONTEND=true ;;
+    --no-ai-review) CHECKS_PASSTHROUGH+=("$arg") ;;
+    --ai-review) CHECKS_PASSTHROUGH+=("$arg") ;;
+    *) SUPABASE_ARGS+=("$arg") ;;
+  esac
+done
+
+[[ -n "${SHIM_DISABLE_CHECKS:-}" ]] && RUN_CHECKS=false
+[[ -n "${SHIM_DISABLE_HOOKS:-}" ]] && RUN_HOOKS=false
+if [[ -n "${SHIM_AUTO_PUSH:-}" ]]; then
+  case "${SHIM_AUTO_PUSH}" in
+    1|true|TRUE|yes|YES) RUN_PUSH=true ;;
+    0|false|FALSE|no|NO) RUN_PUSH=false ;;
+  esac
+fi
+
+if [[ "${#SUPABASE_ARGS[@]}" -eq 0 ]] && [[ "$CHECKS_ONLY" != true ]]; then
+  echo "No Supabase command provided. Usage: supabase [shim flags] <supabase args>" >&2
+  echo "Shim flags: --no-checks --checks-only --no-hooks --no-push --no-ai-review" >&2
+  exit 1
+fi
+
+ARGS_TEXT=" ${SUPABASE_ARGS[*]:-} "
+if [[ "$CHECKS_ONLY" != true ]]; then
+  enforce_list="${SHIM_ENFORCE_COMMANDS:-all}"
+  if ! matches_command_list "$enforce_list" "$ARGS_TEXT"; then
+    RUN_CHECKS=false
+  fi
+fi
+
+resolve_checks_script() {
+  local script="${SHIM_CHECKS_SCRIPT:-}"
+  if [[ -n "$script" ]]; then
+    if [[ "$script" != /* ]]; then
+      script="$PROJECT_ROOT/$script"
+    fi
+    echo "$script"
+    return
+  fi
+  local candidates=("scripts/run-checks.sh" "scripts/shim-checks.sh")
+  for candidate in "${candidates[@]}"; do
+    if [[ -f "$PROJECT_ROOT/$candidate" ]]; then
+      echo "$PROJECT_ROOT/$candidate"
+      return
+    fi
+  done
+  echo ""
+}
+
+if [[ "$RUN_CHECKS" = true ]]; then
+  run_frontend=false
+  run_backend=false
+  run_ai_review=true
+
+  changed_files=""
+  if command -v git >/dev/null 2>&1; then
+    unstaged=$(git diff --name-only --diff-filter=ACMR || true)
+    staged=$(git diff --name-only --cached --diff-filter=ACMR || true)
+    changed_files=$(printf "%s\n%s\n" "$unstaged" "$staged")
+  fi
+
+  if [[ -n "$changed_files" ]]; then
+    echo "$changed_files" | grep -q '^src/' && run_frontend=true
+    echo "$changed_files" | grep -q '^supabase/functions/' && run_backend=true
+  fi
+
+  ARGS_TEXT=" ${SUPABASE_ARGS[*]:-} "
+  if [[ "$ARGS_TEXT" == *" functions "* ]]; then
+    run_backend=true
+  fi
+
+  if [[ "$FORCE_FRONTEND" = true ]] || [[ "$ARGS_TEXT_RAW" == *" --with-frontend "* ]]; then
+    run_frontend=true
+  fi
+
+  if [[ "$ARGS_TEXT_RAW" == *" --no-ai-review "* ]]; then
+    run_ai_review=false
+  fi
+  if [[ -n "${SKIP_AI_REVIEW:-}" ]]; then
+    run_ai_review=false
+  fi
+
+  if [[ "$run_frontend" = true ]] || [[ "$run_backend" = true ]]; then
+    CHECKS_SCRIPT="$(resolve_checks_script)"
+    if [[ -n "$CHECKS_SCRIPT" ]]; then
+      CHECKS_ARGS=()
+      if [[ -n "${SHIM_CHECKS_ARGS:-}" ]]; then
+        read -r -a CHECKS_ARGS <<< "${SHIM_CHECKS_ARGS}"
+      fi
+      [[ "$run_frontend" = true ]] && CHECKS_ARGS+=(--frontend)
+      [[ "$run_backend" = true ]] && CHECKS_ARGS+=(--backend)
+      [[ "$run_ai_review" = false ]] && CHECKS_ARGS+=(--no-ai-review)
+      CHECKS_ARGS+=("${CHECKS_PASSTHROUGH[@]}")
+      bash "$CHECKS_SCRIPT" "${CHECKS_ARGS[@]}"
+    else
+      echo "Shim checks: no checks script found; skipping." >&2
+    fi
+  fi
+fi
+
+if [[ "$CHECKS_ONLY" = true ]]; then
+  exit 0
+fi
+
+REAL_BIN="${SHIM_SUPABASE_BIN:-${SUPABASE_REAL_BIN:-}}"
+if [[ -z "$REAL_BIN" ]] && [[ -f "$HOME/.supabase-real-bin" ]]; then
+  REAL_BIN="$(cat "$HOME/.supabase-real-bin")"
+fi
+if [[ -z "$REAL_BIN" ]]; then
+  REAL_BIN="$(command -v supabase || true)"
+fi
+if [[ -n "$REAL_BIN" ]] && { [[ "$REAL_BIN" == *"node_modules"* ]] || [[ "$REAL_BIN" == "$WRAPPER_DIR"* ]]; }; then
+  REAL_BIN=""
+fi
+
+retry_max=${SUPABASE_RETRY_MAX:-1}
+if ! [[ "$retry_max" =~ ^[0-9]+$ ]]; then
+  retry_max=1
+fi
+
+retry_backoffs="${SUPABASE_RETRY_BACKOFF_SECONDS:-5,15}"
+IFS=',' read -r -a retry_backoff_list <<< "$retry_backoffs"
+
+retry_extra_args=()
+if [[ -n "${SUPABASE_RETRY_EXTRA_ARGS:-}" ]]; then
+  read -r -a retry_extra_args <<< "${SUPABASE_RETRY_EXTRA_ARGS}"
+fi
+
+run_supabase_cli() {
+  local retry_mode="${1:-false}"
+  local -a cmd_args=("${SUPABASE_ARGS[@]}")
+
+  if [[ "$retry_mode" == "true" ]] && [[ "${#retry_extra_args[@]}" -gt 0 ]]; then
+    cmd_args+=("${retry_extra_args[@]}")
+  fi
+
+  RUN_OUTPUT_FILE="$(mktemp)"
+  set +e
+  if [[ -z "$REAL_BIN" ]] || [[ ! -x "$REAL_BIN" ]]; then
+    # Use registry package to avoid recursion when shim is the local bin.
+    npx --yes --package supabase supabase "${cmd_args[@]}" 2>&1 | tee "$RUN_OUTPUT_FILE"
+  else
+    "$REAL_BIN" "${cmd_args[@]}" 2>&1 | tee "$RUN_OUTPUT_FILE"
+  fi
+  local rc=${PIPESTATUS[0]}
+  set -e
+  return $rc
+}
+
+is_network_error() {
+  local file="$1"
+  local pattern="(timed out|timeout|context deadline exceeded|connection (reset|refused|aborted|closed|lost)|network is unreachable|temporary failure in name resolution|no such host|tls handshake timeout|i/o timeout|EOF|ECONNRESET|ECONNREFUSED|ETIMEDOUT|ENETUNREACH|EAI_AGAIN|ENOTFOUND|dial tcp)"
+  grep -E -i -q "$pattern" "$file"
+}
+
+attempt=1
+max_attempts=$((retry_max + 1))
+while true; do
+  if [[ "$attempt" -gt 1 ]]; then
+    echo "Supabase CLI retry stage ${attempt}/${max_attempts}..."
+  fi
+
+  if run_supabase_cli "$([[ "$attempt" -gt 1 ]] && echo true || echo false)"; then
+    rm -f "$RUN_OUTPUT_FILE"
+    break
+  fi
+
+  rc=$?
+  if ! is_network_error "$RUN_OUTPUT_FILE"; then
+    rm -f "$RUN_OUTPUT_FILE"
+    exit $rc
+  fi
+
+  rm -f "$RUN_OUTPUT_FILE"
+
+  if [[ "$attempt" -ge "$max_attempts" ]]; then
+    echo "Supabase CLI failed after ${attempt} attempt(s) due to network error."
+    exit $rc
+  fi
+
+  backoff_index=$((attempt - 1))
+  if [[ "${#retry_backoff_list[@]}" -gt 0 ]]; then
+    if [[ "$backoff_index" -ge "${#retry_backoff_list[@]}" ]]; then
+      backoff_seconds="${retry_backoff_list[-1]}"
+    else
+      backoff_seconds="${retry_backoff_list[$backoff_index]}"
+    fi
+  else
+    backoff_seconds=5
+  fi
+
+  if [[ ! "$backoff_seconds" =~ ^[0-9]+$ ]]; then
+    backoff_seconds=5
+  fi
+
+  echo "Network error detected. Retrying in ${backoff_seconds}s with extended wait."
+  sleep "$backoff_seconds"
+  attempt=$((attempt + 1))
+done
+
+should_run_hooks=false
+ARGS_TEXT=" ${SUPABASE_ARGS[*]:-} "
+hook_list="${SHIM_HOOK_COMMANDS:-functions,db,migration}"
+if matches_command_list "$hook_list" "$ARGS_TEXT"; then
+  should_run_hooks=true
+fi
+
+resolve_hook_script() {
+  local env_var="$1"
+  local name="$2"
+  local script=""
+  script="${!env_var:-}"
+  if [[ -n "$script" ]]; then
+    if [[ "$script" != /* ]]; then
+      script="$PROJECT_ROOT/$script"
+    fi
+    echo "$script"
+    return
+  fi
+  if [[ -f "$PROJECT_ROOT/scripts/$name" ]]; then
+    echo "$PROJECT_ROOT/scripts/$name"
+    return
+  fi
+  if [[ -f "$WRAPPER_DIR/scripts/$name" ]]; then
+    echo "$WRAPPER_DIR/scripts/$name"
+    return
+  fi
+  echo ""
+}
+
+if [[ "$RUN_HOOKS" = true ]] && [[ "$should_run_hooks" = true ]]; then
+  PING_SCRIPT="$(resolve_hook_script SHIM_PING_SCRIPT ping-edge-health.sh)"
+  LOG_SCRIPT="$(resolve_hook_script SHIM_LOG_SCRIPT fetch-edge-logs.sh)"
+
+  if [[ -n "$PING_SCRIPT" ]]; then
+    SHIM_PROJECT_ROOT="$PROJECT_ROOT" bash "$PING_SCRIPT" "${SUPABASE_ARGS[@]}" || true
+  fi
+  if [[ -n "$LOG_SCRIPT" ]]; then
+    SHIM_PROJECT_ROOT="$PROJECT_ROOT" bash "$LOG_SCRIPT" "${SUPABASE_ARGS[@]}" || true
+  fi
+fi
+
+if [[ "$RUN_PUSH" = true ]] && command -v git >/dev/null 2>&1; then
+  if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+    if git rev-parse --abbrev-ref --symbolic-full-name @{u} >/dev/null 2>&1; then
+      ahead=$(git rev-list --count @{u}..HEAD)
+      if [[ "${ahead:-0}" -gt 0 ]]; then
+        echo "Pushing commits to remote..."
+        git push
+      else
+        echo "No commits to push."
+      fi
+    else
+      echo "No upstream configured; skipping git push."
+    fi
+  fi
+fi

package/templates/ai-code-review.sh

@@ -0,0 +1,217 @@
+#!/usr/bin/env bash
+# AI code review: Codex only (Cursor disabled). Called from run-checks.sh.
+# Prompt: senior-dev, decades-of-expertise, best-code bar.
+# Codex: codex in PATH; use session after codex login (ChatGPT account, no API key in terminal).
+# Diff: staged + unstaged; if clean (e.g. pre-push), uses diff of commits being pushed (@{u}...HEAD or HEAD~1...HEAD).
+# Runs codex exec --json to get token usage from turn.completed; prints Token usage for agent to report.
+# Diff limited to ~50KB head + tail. Timeout 180s when timeout(1) available.
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$ROOT_DIR"
+
+DIFF_FILE=""
+cleanup() {
+  [[ -n "$DIFF_FILE" ]] && [[ -f "$DIFF_FILE" ]] && rm -f "$DIFF_FILE"
+}
+trap cleanup EXIT
+
+DIFF_FILE="$(mktemp)"
+git diff --no-color >> "$DIFF_FILE" 2>/dev/null || true
+git diff --cached --no-color >> "$DIFF_FILE" 2>/dev/null || true
+
+# If working tree is clean (e.g. pre-push after commit), use diff of commits being pushed.
+if [[ ! -s "$DIFF_FILE" ]] && command -v git >/dev/null 2>&1; then
+  RANGE=""
+  if git rev-parse --abbrev-ref --symbolic-full-name @{u} >/dev/null 2>&1; then
+    RANGE="@{u}...HEAD"
+  elif git rev-parse --verify HEAD~1 >/dev/null 2>&1; then
+    RANGE="HEAD~1...HEAD"
+  fi
+  if [[ -n "$RANGE" ]]; then
+    git diff --no-color "$RANGE" >> "$DIFF_FILE" 2>/dev/null || true
+  fi
+fi
+
+if [[ ! -s "$DIFF_FILE" ]]; then
+  echo "Skipping AI review: no staged, unstaged, or pushed changes." >&2
+  exit 0
+fi
+
+# Limit diff to first and last ~50KB to avoid token limits and timeouts
+LIMIT_BYTES=51200
+DIFF_LIMITED=""
+if [[ $(wc -c < "$DIFF_FILE") -le $((LIMIT_BYTES * 2)) ]]; then
+  DIFF_LIMITED="$(cat "$DIFF_FILE")"
+else
+  DIFF_LIMITED="$(head -c $LIMIT_BYTES "$DIFF_FILE")
+...[truncated]...
+$(tail -c $LIMIT_BYTES "$DIFF_FILE")"
+fi
+
+# Senior-dev review prompt: structured output with rating (1-100), positive, warnings, errors, recommendations.
+# PASS only if rating >= 95 and no warnings and no errors.
+PROMPT="You are a senior software engineer with decades of code review experience. Your goal is to ensure the highest possible code quality: production-ready, secure, maintainable, and aligned with project standards.
+
+Review the following code diff with the rigor of a principal engineer. Evaluate:
+
+1. Correctness and bugs: logic errors, edge cases, race conditions, off-by-one, null/undefined handling.
+2. Security: injection, XSS, sensitive data exposure, auth/authz, input validation, dependency risks.
+3. Performance: unnecessary work, N+1, memory leaks, blocking calls, inefficient algorithms or data structures.
+4. Maintainability: clarity, naming, single responsibility, DRY, testability, documentation where needed.
+5. Project compliance: AGENTS.md rules, existing patterns, lint/type discipline, error handling and logging.
+6. Robustness: error paths, timeouts, retries, backward compatibility, defensive checks.
+
+Reply with exactly the following structure (one label per line, use None when there are no warnings or errors). Do not modify any files or suggest edits in the response.
+
+RATING: <1-100> (integer)
+POSITIVE: <short points on what is good>
+WARNINGS: <points or None>
+ERRORS: <points or None>
+RECOMMENDATIONS: <short recommendations>
+VERDICT: PASS or VERDICT: FAIL
+
+Rule: VERDICT must be PASS only if rating >= 95 and there are no warnings and no errors; otherwise VERDICT must be FAIL.
+
+--- DIFF ---
+$DIFF_LIMITED"
+
+CODEX_JSON_FILE="$(mktemp)"
+CODEX_LAST_MSG_FILE="$(mktemp)"
+cleanup() {
+  [[ -n "$DIFF_FILE" ]] && [[ -f "$DIFF_FILE" ]] && rm -f "$DIFF_FILE"
+  [[ -n "$CODEX_JSON_FILE" ]] && [[ -f "$CODEX_JSON_FILE" ]] && rm -f "$CODEX_JSON_FILE"
+  [[ -n "$CODEX_LAST_MSG_FILE" ]] && [[ -f "$CODEX_LAST_MSG_FILE" ]] && rm -f "$CODEX_LAST_MSG_FILE"
+}
+trap cleanup EXIT
+
+if ! command -v codex >/dev/null 2>&1; then
+  echo "Skipping AI review: Codex CLI not available (run codex login or install codex in PATH)." >&2
+  exit 0
+fi
+
+TIMEOUT_SEC=180
+echo "Running Codex AI review..." >&2
+
+# Run with --json to get turn.completed (token usage) and item.completed (assistant message). Use -o to get final message for PASS/FAIL.
+CODEX_RC=0
+if command -v timeout >/dev/null 2>&1; then
+  timeout "$TIMEOUT_SEC" codex exec --json -o "$CODEX_LAST_MSG_FILE" "$PROMPT" 2>/dev/null > "$CODEX_JSON_FILE" || CODEX_RC=$?
+else
+  codex exec --json -o "$CODEX_LAST_MSG_FILE" "$PROMPT" 2>/dev/null > "$CODEX_JSON_FILE" || CODEX_RC=$?
+fi
+
+if [[ $CODEX_RC -eq 124 ]] || [[ $CODEX_RC -eq 142 ]]; then
+  echo "Codex AI review timed out after ${TIMEOUT_SEC}s." >&2
+  exit 1
+fi
+
+if [[ $CODEX_RC -ne 0 ]]; then
+  echo "Codex AI review command failed (exit $CODEX_RC)." >&2
+  cat "$CODEX_JSON_FILE" 2>/dev/null | head -50 >&2
+  exit 1
+fi
+
+# Parse JSONL: turn.completed has usage (input_tokens, output_tokens); last assistant_message is in item.completed.
+INPUT_T=""
+OUTPUT_T=""
+RESULT_TEXT=""
+if command -v jq >/dev/null 2>&1; then
+  while IFS= read -r line; do
+    [[ -z "$line" ]] && continue
+    type="$(echo "$line" | jq -r '.type // empty')"
+    if [[ "$type" == "turn.completed" ]]; then
+      INPUT_T="$(echo "$line" | jq -r '.usage.input_tokens // empty')"
+      OUTPUT_T="$(echo "$line" | jq -r '.usage.output_tokens // empty')"
+    fi
+    if [[ "$type" == "item.completed" ]]; then
+      item_type="$(echo "$line" | jq -r '.item.item_type // empty')"
+      if [[ "$item_type" == "assistant_message" ]]; then
+        RESULT_TEXT="$(echo "$line" | jq -r '.item.text // empty')"
+      fi
+    fi
+  done < "$CODEX_JSON_FILE"
+fi
+
+# Fallback: use --output-last-message file for PASS/FAIL if we didn't get assistant_message from JSONL
+if [[ -z "$RESULT_TEXT" ]] && [[ -s "$CODEX_LAST_MSG_FILE" ]]; then
+  RESULT_TEXT="$(cat "$CODEX_LAST_MSG_FILE")"
+fi
+
+# Parse structured review: RATING, POSITIVE, WARNINGS, ERRORS, RECOMMENDATIONS. Fallback: rating=0, has_warnings/errors=1.
+REVIEW_RATING=0
+REVIEW_POSITIVE=""
+REVIEW_WARNINGS=""
+REVIEW_ERRORS=""
+REVIEW_RECOMMENDATIONS=""
+HAS_WARNINGS=1
+HAS_ERRORS=1
+
+if [[ -n "$RESULT_TEXT" ]]; then
+  REVIEW_RATING=$(echo "$RESULT_TEXT" | grep -iE '^RATING:[[:space:]]*[0-9]+' | head -1 | sed 's/.*:[[:space:]]*//' | tr -d '\r' | grep -oE '[0-9]+' | head -1)
+  [[ -z "$REVIEW_RATING" ]] && REVIEW_RATING=0
+  [[ "$REVIEW_RATING" -lt 0 ]] 2>/dev/null && REVIEW_RATING=0
+  [[ "$REVIEW_RATING" -gt 100 ]] 2>/dev/null && REVIEW_RATING=100
+
+  # Sections: content from label line (after colon) until next label (sed '$d' = drop last line, macOS-compatible)
+  REVIEW_POSITIVE=$(echo "$RESULT_TEXT" | sed -n '/^POSITIVE:/,/^WARNINGS:/p' | tail -n +1 | sed '$d' | sed 's/^POSITIVE:[[:space:]]*//' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+  REVIEW_WARNINGS=$(echo "$RESULT_TEXT" | sed -n '/^WARNINGS:/,/^ERRORS:/p' | tail -n +1 | sed '$d' | sed 's/^WARNINGS:[[:space:]]*//' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+  REVIEW_ERRORS=$(echo "$RESULT_TEXT" | sed -n '/^ERRORS:/,/^RECOMMENDATIONS:/p' | tail -n +1 | sed '$d' | sed 's/^ERRORS:[[:space:]]*//' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+  REVIEW_RECOMMENDATIONS=$(echo "$RESULT_TEXT" | sed -n '/^RECOMMENDATIONS:/,/^VERDICT:/p' | tail -n +1 | sed '$d' | sed 's/^RECOMMENDATIONS:[[:space:]]*//' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+
+  # has_warnings/has_errors: 0 only if content is empty or "None" (case-insensitive)
+  WNORM=$(echo "$REVIEW_WARNINGS" | tr -d '\r' | tr '[:upper:]' '[:lower:]' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+  ENORM=$(echo "$REVIEW_ERRORS" | tr -d '\r' | tr '[:upper:]' '[:lower:]' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+  [[ -z "$WNORM" || "$WNORM" == "none" ]] && HAS_WARNINGS=0 || HAS_WARNINGS=1
+  [[ -z "$ENORM" || "$ENORM" == "none" ]] && HAS_ERRORS=0 || HAS_ERRORS=1
+fi
+
+# Pass only if rating >= 95 and no warnings and no errors
+PASS=0
+if [[ "$REVIEW_RATING" -ge 95 ]] && [[ "$HAS_WARNINGS" -eq 0 ]] && [[ "$HAS_ERRORS" -eq 0 ]]; then
+  PASS=1
+fi
+
+# Always print token usage
+if [[ -n "$INPUT_T" && -n "$OUTPUT_T" ]]; then
+  TOTAL=$((INPUT_T + OUTPUT_T))
+  echo "Token usage: ${INPUT_T} input, ${OUTPUT_T} output (total ${TOTAL})" >&2
+else
+  echo "Token usage: not reported by Codex CLI" >&2
+fi
+
+# Save review to .shimwrapper/reviews/ as markdown (always, pass or fail)
+REVIEWS_DIR="$ROOT_DIR/.shimwrapper/reviews"
+mkdir -p "$REVIEWS_DIR"
+REVIEW_FILE="$REVIEWS_DIR/review-$(date +%Y%m%d-%H%M%S).md"
+BRANCH=""
+[[ -n "${GIT_BRANCH:-}" ]] && BRANCH="$GIT_BRANCH" || BRANCH="$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "unknown")"
+{
+  echo "# AI Code Review — $(date -Iseconds 2>/dev/null || date '+%Y-%m-%dT%H:%M:%S%z')"
+  echo ""
+  echo "- **Branch:** $BRANCH"
+  echo "- **Verdict:** $([ "$PASS" -eq 1 ] && echo "PASS" || echo "FAIL")"
+  echo "- **Rating:** ${REVIEW_RATING}%"
+  echo "- **Tokens:** ${INPUT_T:-?} input, ${OUTPUT_T:-?} output"
+  echo ""
+  echo "## Structured review"
+  echo ""
+  echo '```'
+  [[ -n "$RESULT_TEXT" ]] && echo "$RESULT_TEXT" || echo "(no review text)"
+  echo '```'
+} >> "$REVIEW_FILE"
+echo "Review saved: $REVIEW_FILE" >&2
+
+# Always print review result and full structured review
+if [[ $PASS -eq 1 ]]; then
+  echo "Codex AI review: PASS" >&2
+else
+  echo "Codex AI review: FAIL" >&2
+fi
+echo "Rating: ${REVIEW_RATING}%" >&2
+echo "Positive: ${REVIEW_POSITIVE:-"(none)"}" >&2
+echo "Warnings: ${REVIEW_WARNINGS:-"(none)"}" >&2
+echo "Errors: ${REVIEW_ERRORS:-"(none)"}" >&2
+echo "Recommendations: ${REVIEW_RECOMMENDATIONS:-"(none)"}" >&2
+
+[[ $PASS -eq 1 ]] && exit 0 || exit 1

package/templates/git-pre-push

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+if git rev-parse --abbrev-ref --symbolic-full-name @{u} >/dev/null 2>&1; then
+  RANGE="@{u}...HEAD"
+  CHANGED_FILES=$(git diff --name-only --diff-filter=ACMR "$RANGE")
+else
+  if git rev-parse --verify HEAD~1 >/dev/null 2>&1; then
+    CHANGED_FILES=$(git diff --name-only --diff-filter=ACMR HEAD~1...HEAD)
+  else
+    CHANGED_FILES=$(git diff --name-only --diff-filter=ACMR --root HEAD)
+  fi
+fi
+
+if [[ -z "$CHANGED_FILES" ]]; then
+  exit 0
+fi
+
+run_frontend=false
+run_backend=false
+
+printf "%s\n" "$CHANGED_FILES" | grep -q '^src/' && run_frontend=true
+printf "%s\n" "$CHANGED_FILES" | grep -q '^supabase/functions/' && run_backend=true
+
+if [[ "$run_frontend" = false ]] && [[ "$run_backend" = false ]]; then
+  exit 0
+fi
+
+CHECK_ARGS=()
+[[ "$run_frontend" = true ]] && CHECK_ARGS+=(--frontend)
+[[ "$run_backend" = true ]] && CHECK_ARGS+=(--backend)
+[[ -n "${SKIP_AI_REVIEW:-}" ]] && CHECK_ARGS+=(--no-ai-review)
+
+if [[ -x "$ROOT_DIR/scripts/run-checks.sh" ]]; then
+  bash "$ROOT_DIR/scripts/run-checks.sh" "${CHECK_ARGS[@]}"
+else
+  echo "run-checks.sh not found. Create scripts/run-checks.sh or update this hook." >&2
+  exit 1
+fi

package/templates/husky-pre-push

@@ -0,0 +1,46 @@
+#!/usr/bin/env sh
+# Same checks as supabase-checked wrapper (scripts/run-checks.sh).
+# Runs on every git push to GitHub so checks are always enforced.
+set -e
+
+if git rev-parse --abbrev-ref --symbolic-full-name @{u} >/dev/null 2>&1; then
+  RANGE="@{u}...HEAD"
+  CHANGED_FILES=$(git diff --name-only --diff-filter=ACMR "$RANGE")
+else
+  if git rev-parse --verify HEAD~1 >/dev/null 2>&1; then
+    CHANGED_FILES=$(git diff --name-only --diff-filter=ACMR HEAD~1...HEAD)
+  else
+    CHANGED_FILES=$(git diff --name-only --diff-filter=ACMR --root HEAD)
+  fi
+fi
+
+if [ -z "$CHANGED_FILES" ]; then
+  exit 0
+fi
+
+run_frontend=false
+run_backend=false
+
+printf "%s\n" "$CHANGED_FILES" | grep -q '^src/' && run_frontend=true
+printf "%s\n" "$CHANGED_FILES" | grep -q '^supabase/functions/' && run_backend=true
+
+if [ "$run_frontend" = false ] && [ "$run_backend" = false ]; then
+  exit 0
+fi
+
+# On push: AI review is mandatory (PASS only if rating >= 95% and no warnings/errors). Do not allow skip.
+CHECK_ARGS=""
+[ "$run_frontend" = true ] && CHECK_ARGS="--frontend"
+[ "$run_backend" = true ] && CHECK_ARGS="${CHECK_ARGS:+$CHECK_ARGS }--backend"
+# Unset so run-checks.sh always runs the AI review; push is only allowed when review passes (95%+).
+unset SKIP_AI_REVIEW
+bash scripts/run-checks.sh $CHECK_ARGS
+
+# Update README (e.g. "Last updated" line) so it stays in sync on push
+if [ -f scripts/update-readme-on-push.sh ]; then
+  bash scripts/update-readme-on-push.sh
+  if ! git diff --quiet README.md 2>/dev/null; then
+    git add README.md
+    git commit -m "docs: update README (auto on push)"
+  fi
+fi