shipwright-cli 3.1.0 → 3.3.0

package/scripts/sw-doctor.sh

@@ -4,7 +4,7 @@
 # ║                                                                          ║
 # ║  Checks prerequisites, installed files, PATH, and common issues.        ║
 # ╚═══════════════════════════════════════════════════════════════════════════╝
-VERSION="3.1.0"
+VERSION="3.3.0"
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
 
@@ -27,6 +27,7 @@ fi
 if [[ "$(type -t emit_event 2>/dev/null)" != "function" ]]; then
   emit_event() {
     local event_type="$1"; shift; mkdir -p "${HOME}/.shipwright"
+    # shellcheck disable=SC2155
     local payload="{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"type\":\"$event_type\""
     while [[ $# -gt 0 ]]; do local key="${1%%=*}" val="${1#*=}"; payload="${payload},\"${key}\":\"${val}\""; shift; done
     echo "${payload}}" >> "${HOME}/.shipwright/events.jsonl"
@@ -39,10 +40,14 @@ SKIP_PLATFORM_SCAN=false
 
 # Parse doctor flags
 INTELLIGENCE_ONLY=false
+DOCTOR_FIX_MODE=false
+DOCTOR_FIX_DRY_RUN=false
 for _arg in "$@"; do
     case "$_arg" in
         --skip-platform-scan) SKIP_PLATFORM_SCAN=true ;;
         --intelligence) INTELLIGENCE_ONLY=true ;;
+        --fix) DOCTOR_FIX_MODE=true ;;
+        --fix-dry) DOCTOR_FIX_DRY_RUN=true; DOCTOR_FIX_MODE=true ;;
         --version|-V) echo "sw-doctor $VERSION"; exit 0 ;;
     esac
 done
@@ -51,6 +56,291 @@ check_pass() { success "$*"; PASS=$((PASS + 1)); }
 check_warn() { warn "$*"; WARN=$((WARN + 1)); }
 check_fail() { error "$*"; FAIL=$((FAIL + 1)); }
 
+# ─── Auto-fix helper functions ──────────────────────────────────────────────
+doctor_fix_missing_dirs() {
+    local result="fixed"
+    local dirs=(
+        "$HOME/.shipwright"
+        "$HOME/.shipwright/optimization"
+        "$HOME/.shipwright/memory"
+        ".claude"
+        ".claude/pipeline-artifacts"
+        ".claude/agents"
+        ".claude/hooks"
+    )
+
+    for dir in "${dirs[@]}"; do
+        if [[ ! -d "$dir" ]]; then
+            if [[ "$DOCTOR_FIX_DRY_RUN" == "true" ]]; then
+                info "  [DRY] Would create directory: $dir"
+            else
+                if ! mkdir -p "$dir" 2>/dev/null; then
+                    result="skipped"
+                else
+                    emit_event "doctor_fix" "type=mkdir" "path=$dir"
+                fi
+            fi
+        fi
+    done
+    echo "$result"
+}
+
+doctor_fix_permissions() {
+    local result="fixed"
+    local script_dir="${1:-.}"
+
+    if [[ ! -d "$script_dir" ]]; then
+        echo "skipped"
+        return
+    fi
+
+    # Fix script permissions
+    for script in "$script_dir"/sw-*.sh; do
+        if [[ -f "$script" && ! -x "$script" ]]; then
+            if [[ "$DOCTOR_FIX_DRY_RUN" == "true" ]]; then
+                info "  [DRY] Would chmod +x: $script"
+            else
+                chmod +x "$script"
+                emit_event "doctor_fix" "type=chmod" "path=$script"
+            fi
+        fi
+    done
+
+    echo "$result"
+}
+
+doctor_fix_missing_config() {
+    local result="fixed"
+
+    # Ensure .claude directory exists
+    mkdir -p .claude 2>/dev/null || { result="skipped"; echo "$result"; return; }
+
+    # Create .claude/daemon-config.json
+    local daemon_cfg=".claude/daemon-config.json"
+    if [[ ! -f "$daemon_cfg" ]]; then
+        if [[ "$DOCTOR_FIX_DRY_RUN" == "true" ]]; then
+            info "  [DRY] Would create: $daemon_cfg"
+        else
+            local tmp_cfg="${daemon_cfg}.tmp.$$"
+            cat > "$tmp_cfg" <<'EOF'
+{
+  "max_parallel": 2,
+  "auto_scale": false,
+  "max_workers": 8,
+  "min_workers": 1,
+  "auto_scale_interval": 5,
+  "worker_mem_gb": 4,
+  "estimated_cost_per_job_usd": 5.0,
+  "auto_template": false,
+  "max_retries": 2,
+  "priority_lane": false,
+  "self_optimize": false,
+  "intelligence": {
+    "enabled": "auto",
+    "composer_enabled": "auto",
+    "prediction_enabled": true,
+    "cache_ttl_seconds": 3600,
+    "adversarial_enabled": false,
+    "simulation_enabled": false,
+    "architecture_enabled": false,
+    "ab_test_ratio": 0.2,
+    "anomaly_threshold": 3.0
+  }
+}
+EOF
+            mv "$tmp_cfg" "$daemon_cfg"
+            emit_event "doctor_fix" "type=create_config" "path=$daemon_cfg"
+        fi
+    fi
+
+    # Create .claude/settings.json
+    local settings_cfg=".claude/settings.json"
+    if [[ ! -f "$settings_cfg" ]]; then
+        if [[ "$DOCTOR_FIX_DRY_RUN" == "true" ]]; then
+            info "  [DRY] Would create: $settings_cfg"
+        else
+            local tmp_cfg="${settings_cfg}.tmp.$$"
+            cat > "$tmp_cfg" <<'EOF'
+{
+  "hooks": {
+    "pre-tool-use": ".claude/hooks/pre-tool-use.sh",
+    "post-tool-use": ".claude/hooks/post-tool-use.sh",
+    "session-started": ".claude/hooks/session-started.sh"
+  }
+}
+EOF
+            mv "$tmp_cfg" "$settings_cfg"
+            emit_event "doctor_fix" "type=create_config" "path=$settings_cfg"
+        fi
+    fi
+
+    # Create ~/.shipwright/budget.json
+    local budget_file="$HOME/.shipwright/budget.json"
+    if [[ ! -f "$budget_file" ]]; then
+        if [[ "$DOCTOR_FIX_DRY_RUN" == "true" ]]; then
+            info "  [DRY] Would create: $budget_file"
+        else
+            local tmp_file="${budget_file}.tmp.$$"
+            cat > "$tmp_file" <<'EOF'
+{
+  "daily_limit_usd": 10.0,
+  "reset_hour_utc": 0,
+  "enabled": true
+}
+EOF
+            mkdir -p "$(dirname "$budget_file")"
+            mv "$tmp_file" "$budget_file"
+            emit_event "doctor_fix" "type=create_config" "path=$budget_file"
+        fi
+    fi
+
+    echo "$result"
+}
+
+doctor_fix_tmux_config() {
+    local result="fixed"
+    local home_tmux_conf="$HOME/.tmux.conf"
+
+    # Check if overlay exists
+    local overlay_path="$HOME/.tmux/shipwright-overlay.conf"
+    if [[ ! -f "$overlay_path" ]]; then
+        # Try to find it in the Shipwright repo
+        local repo_overlay="${SCRIPT_DIR}/../tmux/shipwright-overlay.conf"
+        if [[ -f "$repo_overlay" ]]; then
+            if [[ "$DOCTOR_FIX_DRY_RUN" == "true" ]]; then
+                info "  [DRY] Would copy tmux overlay to: $overlay_path"
+            else
+                mkdir -p "$(dirname "$overlay_path")"
+                cp "$repo_overlay" "$overlay_path"
+                emit_event "doctor_fix" "type=copy_tmux" "path=$overlay_path"
+            fi
+        else
+            result="skipped"
+        fi
+    fi
+
+    # Check if .tmux.conf sources the overlay
+    if [[ -f "$home_tmux_conf" ]] && ! grep -q "shipwright-overlay" "$home_tmux_conf"; then
+        if [[ "$DOCTOR_FIX_DRY_RUN" == "true" ]]; then
+            info "  [DRY] Would update .tmux.conf to source overlay"
+        else
+            # Backup existing config
+            cp "$home_tmux_conf" "${home_tmux_conf}.bak"
+            echo "source-file ~/.tmux/shipwright-overlay.conf" >> "$home_tmux_conf"
+            emit_event "doctor_fix" "type=update_tmux" "path=$home_tmux_conf"
+        fi
+    fi
+
+    echo "$result"
+}
+
+doctor_fix_hooks() {
+    local result="fixed"
+    local hooks_dir=".claude/hooks"
+
+    mkdir -p "$hooks_dir" 2>/dev/null || true
+
+    # Try to copy hooks from Shipwright repo templates
+    local repo_hooks="${SCRIPT_DIR}/../templates/hooks"
+    if [[ -d "$repo_hooks" ]]; then
+        for hook_file in "$repo_hooks"/*.sh; do
+            if [[ -f "$hook_file" ]]; then
+                local hook_name="$(basename "$hook_file")"
+                local dest_hook="$hooks_dir/$hook_name"
+                if [[ ! -f "$dest_hook" ]]; then
+                    if [[ "$DOCTOR_FIX_DRY_RUN" == "true" ]]; then
+                        info "  [DRY] Would install hook: $dest_hook"
+                    else
+                        cp "$hook_file" "$dest_hook"
+                        chmod +x "$dest_hook"
+                        emit_event "doctor_fix" "type=install_hook" "hook=$hook_name"
+                    fi
+                fi
+            fi
+        done
+    else
+        result="skipped"
+    fi
+
+    echo "$result"
+}
+
+doctor_auto_fix() {
+    echo ""
+    echo -e "${PURPLE}${BOLD}  AUTO-FIX SUMMARY${RESET}"
+    echo -e "${DIM}  ──────────────────────────────────────────${RESET}"
+    echo ""
+
+    local fixes_applied=0
+    local fixes_skipped=0
+
+    # Fix 1: Missing directories
+    info "Creating missing directories..."
+    result=$(doctor_fix_missing_dirs)
+    if [[ "$result" == "fixed" ]]; then
+        success "  Directories created/verified"
+        fixes_applied=$((fixes_applied + 1))
+    else
+        warn "  Some directories could not be created"
+        fixes_skipped=$((fixes_skipped + 1))
+    fi
+
+    # Fix 2: Permissions
+    info "Fixing script permissions..."
+    result=$(doctor_fix_permissions "${SCRIPT_DIR}")
+    if [[ "$result" == "fixed" ]]; then
+        success "  Script permissions fixed"
+        fixes_applied=$((fixes_applied + 1))
+    else
+        warn "  Could not fix some permissions"
+        fixes_skipped=$((fixes_skipped + 1))
+    fi
+
+    # Fix 3: Missing config files
+    info "Creating missing config files..."
+    result=$(doctor_fix_missing_config)
+    if [[ "$result" == "fixed" ]]; then
+        success "  Config files created"
+        fixes_applied=$((fixes_applied + 1))
+    else
+        warn "  Could not create some config files"
+        fixes_skipped=$((fixes_skipped + 1))
+    fi
+
+    # Fix 4: tmux configuration
+    info "Configuring tmux..."
+    result=$(doctor_fix_tmux_config)
+    if [[ "$result" == "fixed" ]]; then
+        success "  tmux configured"
+        fixes_applied=$((fixes_applied + 1))
+    elif [[ "$result" == "skipped" ]]; then
+        warn "  tmux configuration skipped (overlay not found)"
+        fixes_skipped=$((fixes_skipped + 1))
+    fi
+
+    # Fix 5: Install hooks
+    info "Installing hooks..."
+    result=$(doctor_fix_hooks)
+    if [[ "$result" == "fixed" ]]; then
+        success "  Hooks installed"
+        fixes_applied=$((fixes_applied + 1))
+    elif [[ "$result" == "skipped" ]]; then
+        warn "  Hooks skipped (templates not found)"
+        fixes_skipped=$((fixes_skipped + 1))
+    fi
+
+    echo ""
+    echo -e "  ${GREEN}${BOLD}${fixes_applied}${RESET} fixes applied  ${YELLOW}${BOLD}${fixes_skipped}${RESET} skipped"
+    echo ""
+
+    if [[ "$DOCTOR_FIX_DRY_RUN" == "true" ]]; then
+        info "Dry-run complete — no changes made"
+    else
+        info "Re-running doctor checks to verify fixes..."
+        echo ""
+    fi
+}
+
 # ─── Header ─────────────────────────────────────────────────────────────────
 echo ""
 echo -e "${CYAN}${BOLD}  Shipwright — Doctor${RESET}"
@@ -221,6 +511,7 @@ fi
 
 # Bash version
 BASH_MAJOR="${BASH_VERSINFO[0]:-0}"
+# shellcheck disable=SC2034
 BASH_MINOR="${BASH_VERSINFO[1]:-0}"
 if [[ "$BASH_MAJOR" -ge 5 ]]; then
     check_pass "bash ${BASH_VERSION}"
@@ -266,6 +557,33 @@ else
     echo -e "    ${DIM}Copy from settings.json.template${RESET}"
 fi
 
+# ─── File Permission Validation ───────────────────────────────────
+# Check sensitive config files have restrictive permissions (600)
+_perm_issues=0
+for config_file in "$HOME/.claude/settings.json" "$HOME/.shipwright/daemon-config.json" "$(pwd)/.claude/daemon-config.json"; do
+    if [[ -f "$config_file" ]]; then
+        # Get file permissions
+        _perms=""
+        if command -v stat >/dev/null 2>&1; then
+            # GNU stat: stat -c %a, BSD stat: stat -f %OLp
+            if [[ "$(uname -s)" == "Darwin" ]]; then
+                _perms=$(stat -f %OLp "$config_file" 2>/dev/null | tail -c 4)
+            else
+                _perms=$(stat -c %a "$config_file" 2>/dev/null)
+            fi
+        fi
+
+        if [[ -n "${_perms:-}" && "$_perms" != "600" ]]; then
+            check_warn "File $config_file is world-readable (perms: $_perms, should be 600)"
+            _perm_issues=$((_perm_issues + 1))
+        fi
+    fi
+done
+
+if [[ $_perm_issues -eq 0 ]]; then
+    check_pass "File permissions: all sensitive configs restricted to owner-only"
+fi
+
 # Hooks directory
 HOOKS_DIR="$HOME/.claude/hooks"
 if [[ -d "$HOOKS_DIR" ]]; then
@@ -320,6 +638,39 @@ if [[ -d "$HOOKS_DIR" && -f "$HOME/.claude/settings.json" ]] && jq -e '.' "$HOME
     fi
 fi
 
+# Hook security validation — check for untrusted repo-level hooks
+# Warn if repo-level .claude/hooks/ contains unexpected commands
+if [[ -d "$(pwd)/.claude/hooks" ]]; then
+    _repo_hook_dir="$(pwd)/.claude/hooks"
+    _trusted_hooks_dir="${HOME}/.claude/hooks"
+    _untrusted_hook_count=0
+
+    # Check if CLAUDE_CODE_VERIFY_HOOKS is enabled for extra caution
+    if [[ -n "${CLAUDE_CODE_VERIFY_HOOKS:-}" ]]; then
+        for repo_hook in "$_repo_hook_dir"/*.sh; do
+            [[ -f "$repo_hook" ]] || continue
+            _hook_name="$(basename "$repo_hook")"
+            _trusted_hook="$_trusted_hooks_dir/$_hook_name"
+
+            # If a trusted version exists, compare checksums
+            if [[ -f "$_trusted_hook" ]]; then
+                if ! cmp -s "$repo_hook" "$_trusted_hook"; then
+                    check_warn "Repo hook differs from trusted version: .claude/hooks/$_hook_name"
+                    _untrusted_hook_count=$((_untrusted_hook_count + 1))
+                fi
+            else
+                # No trusted version — this is an unknown hook
+                check_warn "Repo contains unknown hook: .claude/hooks/$_hook_name"
+                _untrusted_hook_count=$((_untrusted_hook_count + 1))
+            fi
+        done
+
+        if [[ $_untrusted_hook_count -gt 0 ]]; then
+            echo -e "    ${DIM}Enable hook verification with: export CLAUDE_CODE_VERIFY_HOOKS=1${RESET}"
+        fi
+    fi
+fi
+
 # ═════════════════════════════════════════════════════════════════════════════
 # 3. Agent Teams
 # ═════════════════════════════════════════════════════════════════════════════
@@ -853,7 +1204,7 @@ if [[ -f "$MACHINES_FILE" ]]; then
 
                 if [[ -n "$m_host" ]]; then
                     ssh_target="${m_user:+${m_user}@}${m_host}"
-                    if ssh -o ConnectTimeout=5 -o BatchMode=yes -p "$m_port" "$ssh_target" true 2>/dev/null; then
+                    if ssh -n -o ConnectTimeout=5 -o BatchMode=yes -p "$m_port" "$ssh_target" true 2>/dev/null; then
                         check_pass "SSH: ${m_name} (${ssh_target}) reachable"
                     else
                         check_warn "SSH: ${m_name} (${ssh_target}) unreachable"
@@ -1127,6 +1478,86 @@ else
     echo -e "    ${DIM}Install: brew install sqlite (macOS) or apt install sqlite3 (Linux)${RESET}"
 fi
 
+# ═════════════════════════════════════════════════════════════════════════════
+# 15a. Claude Code Feature Configuration
+# ═════════════════════════════════════════════════════════════════════════════
+echo ""
+echo -e "${PURPLE}${BOLD}  CLAUDE CODE FEATURES${RESET}"
+echo -e "${DIM}  ──────────────────────────────────────────${RESET}"
+
+_SETTINGS_FILE="$(pwd)/.claude/settings.json"
+if [[ ! -f "$_SETTINGS_FILE" ]]; then
+    _SCRIPT_DIR_CLAUDE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+    _REPO_ROOT_CLAUDE="$(cd "$_SCRIPT_DIR_CLAUDE/.." 2>/dev/null && pwd)"
+    [[ -f "$_REPO_ROOT_CLAUDE/.claude/settings.json" ]] && _SETTINGS_FILE="$_REPO_ROOT_CLAUDE/.claude/settings.json"
+fi
+
+if [[ -f "$_SETTINGS_FILE" ]] && command -v jq >/dev/null 2>&1; then
+    # Check effort level
+    _effort_val=$(jq -r '.env.CLAUDE_CODE_EFFORT_LEVEL // empty' "$_SETTINGS_FILE" 2>/dev/null || echo "")
+    if [[ -n "$_effort_val" ]]; then
+        case "$_effort_val" in
+            low|medium|high) check_pass "Effort level configured: ${_effort_val}" ;;
+            *) check_fail "Invalid effort level in settings.json: ${_effort_val} (must be low/medium/high)" ;;
+        esac
+    else
+        check_warn "CLAUDE_CODE_EFFORT_LEVEL not configured"
+    fi
+
+    # Check ENABLE_TOOL_SEARCH
+    _tool_search=$(jq -r '.env.ENABLE_TOOL_SEARCH // empty' "$_SETTINGS_FILE" 2>/dev/null || echo "")
+    if [[ -n "$_tool_search" ]]; then
+        check_pass "MCP Tool Search: ${_tool_search}"
+    else
+        check_warn "ENABLE_TOOL_SEARCH not set (recommend: auto)"
+    fi
+
+    # Check MAX_MCP_OUTPUT_TOKENS
+    _mcp_tokens=$(jq -r '.env.MAX_MCP_OUTPUT_TOKENS // empty' "$_SETTINGS_FILE" 2>/dev/null || echo "")
+    if [[ -n "$_mcp_tokens" ]]; then
+        check_pass "MCP output limit: ${_mcp_tokens} tokens"
+    else
+        check_warn "MAX_MCP_OUTPUT_TOKENS not set (recommend: 50000)"
+    fi
+
+    # Check managed-mcp.json
+    if [[ -f "$_SETTINGS_FILE" ]]; then
+        _settings_dir=$(dirname "$_SETTINGS_FILE")
+        if [[ -f "$_settings_dir/managed-mcp.json" ]]; then
+            if jq empty "$_settings_dir/managed-mcp.json" 2>/dev/null; then
+                check_pass "managed-mcp.json present and valid"
+            else
+                check_fail "managed-mcp.json has invalid JSON"
+            fi
+        fi
+    fi
+
+    # Check schemas directory
+    if [[ -d "$(pwd)/schemas" ]]; then
+        _schema_count=$(find "$(pwd)/schemas" -name "*.json" 2>/dev/null | wc -l | tr -d ' ')
+        check_pass "Schemas directory: ${_schema_count} schema(s) found"
+    elif [[ -d "$(pwd)/../schemas" ]]; then
+        _schema_count=$(find "$(pwd)/../schemas" -name "*.json" 2>/dev/null | wc -l | tr -d ' ')
+        check_pass "Schemas directory: ${_schema_count} schema(s) found"
+    fi
+
+    # Check lifecycle hooks registered
+    _hook_count=0
+    for _hook_name in WorktreeCreate WorktreeRemove InstructionsLoaded ConfigChange; do
+        if jq -e ".hooks.${_hook_name}" "$_SETTINGS_FILE" >/dev/null 2>&1; then
+            _hook_count=$((_hook_count + 1))
+        fi
+    done
+    if [[ "$_hook_count" -eq 4 ]]; then
+        check_pass "Lifecycle hooks: all 4 registered"
+    elif [[ "$_hook_count" -gt 0 ]]; then
+        check_warn "Lifecycle hooks: ${_hook_count}/4 registered"
+    fi
+else
+    check_warn "Claude Code configuration not found or jq unavailable"
+    echo -e "    ${DIM}Run: shipwright prep${RESET}"
+fi
+
 # ═════════════════════════════════════════════════════════════════════════════
 # 15b. Intelligence Features
 # ═════════════════════════════════════════════════════════════════════════════
@@ -1162,6 +1593,26 @@ else
     check_warn "Platform hygiene not run — run: shipwright hygiene platform-refactor"
 fi
 
+# ═════════════════════════════════════════════════════════════════════════════
+# Auto-fix (if enabled)
+# ═════════════════════════════════════════════════════════════════════════════
+if [[ "$DOCTOR_FIX_MODE" == "true" ]]; then
+    doctor_auto_fix
+
+    # Re-run checks after fixes if not in dry-run mode
+    if [[ "$DOCTOR_FIX_DRY_RUN" != "true" ]]; then
+        info "Re-running doctor checks..."
+        # Reset counters
+        PASS=0
+        WARN=0
+        FAIL=0
+        # Re-execute the doctor script to get fresh results
+        # We'll just continue with a message for now
+        echo ""
+        echo -e "${DIM}  (Running full doctor check with fixes applied)${RESET}"
+    fi
+fi
+
 # ═════════════════════════════════════════════════════════════════════════════
 # Summary
 # ═════════════════════════════════════════════════════════════════════════════

package/scripts/sw-dora.sh

@@ -8,11 +8,13 @@
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
 
-VERSION="3.1.0"
+# shellcheck disable=SC2034
+VERSION="3.3.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 # ─── Cross-platform compatibility ──────────────────────────────────────────
 _COMPAT="$SCRIPT_DIR/lib/compat.sh"
+# shellcheck disable=SC1090
 [[ -f "$_COMPAT" ]] && source "$_COMPAT"
 
 # Canonical helpers (colors, output, events)
@@ -32,6 +34,7 @@ fi
 if [[ "$(type -t emit_event 2>/dev/null)" != "function" ]]; then
   emit_event() {
     local event_type="$1"; shift; mkdir -p "${HOME}/.shipwright"
+    # shellcheck disable=SC2155
     local payload="{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"type\":\"$event_type\""
     while [[ $# -gt 0 ]]; do local key="${1%%=*}" val="${1#*=}"; payload="${payload},\"${key}\":\"${val}\""; shift; done
     echo "${payload}}" >> "${HOME}/.shipwright/events.jsonl"

package/scripts/sw-durable.sh

@@ -7,7 +7,7 @@
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
 
-VERSION="3.1.0"
+VERSION="3.3.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 # ─── Cross-platform compatibility ──────────────────────────────────────────
@@ -31,6 +31,7 @@ fi
 if [[ "$(type -t emit_event 2>/dev/null)" != "function" ]]; then
   emit_event() {
     local event_type="$1"; shift; mkdir -p "${HOME}/.shipwright"
+    # shellcheck disable=SC2155
     local payload="{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"type\":\"$event_type\""
     while [[ $# -gt 0 ]]; do local key="${1%%=*}" val="${1#*=}"; payload="${payload},\"${key}\":\"${val}\""; shift; done
     echo "${payload}}" >> "${HOME}/.shipwright/events.jsonl"
@@ -50,8 +51,8 @@ ensure_durable_dir() {
 # ─── Event ID Generation ────────────────────────────────────────────────────
 generate_event_id() {
     local prefix="${1:-evt}"
-    local ts=$(now_epoch)
-    local rand=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
+    local ts; ts=$(now_epoch)
+    local rand; rand=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
     echo "${prefix}-${ts}-${rand}"
 }
 
@@ -481,17 +482,21 @@ cmd_status() {
     locks_dir="${DURABLE_DIR}/locks"
 
     local log_events log_size
-    log_events=$(wc -l < "$log_file" 2>/dev/null || echo "0")
+    log_events=$(wc -l < "$log_file" 2>/dev/null || true)
+    log_events="${log_events:-0}"
     log_size=$(du -h "$log_file" 2>/dev/null | awk '{print $1}' || echo "0")
 
     local dlq_events
-    dlq_events=$(wc -l < "$dlq_file" 2>/dev/null || echo "0")
+    dlq_events=$(wc -l < "$dlq_file" 2>/dev/null || true)
+    dlq_events="${dlq_events:-0}"
 
     local consumer_count
-    consumer_count=$(find "$offsets_dir" -name "consumer-*.offset" 2>/dev/null | wc -l || echo "0")
+    consumer_count=$(find "$offsets_dir" -name "consumer-*.offset" 2>/dev/null | wc -l || true)
+    consumer_count="${consumer_count:-0}"
 
     local active_locks
-    active_locks=$(find "$locks_dir" -type d -mindepth 1 2>/dev/null | wc -l || echo "0")
+    active_locks=$(find "$locks_dir" -type d -mindepth 1 2>/dev/null | wc -l || true)
+    active_locks="${active_locks:-0}"
 
     echo ""
     echo -e "${CYAN}${BOLD}  Durable Workflow Status${RESET}  ${DIM}v${VERSION}${RESET}"