slash-do 1.1.0 → 1.2.0

package/bin/cli.js

@@ -208,7 +208,11 @@ async function main() {
   }
 }
 
-main().catch(err => {
-  console.error('Error:', err.message);
-  process.exit(1);
-});
+if (require.main === module) {
+  main().catch(err => {
+    console.error('Error:', err.message);
+    process.exit(1);
+  });
+}
+
+module.exports = { parseArgs };

package/commands/do/better.md

@@ -47,13 +47,7 @@ When the resolved model is `opus`, **omit** the `model` parameter on the Agent/T
 
 ### Model Profile Rationale
 
-**Why Opus for audit in Quality?** Audit agents make judgment calls — distinguishing real bugs from false positives across 30+ lines of context. Opus reduces false positive noise, meaning less wasted remediation work downstream.
-
-**Why Sonnet for audit in Balanced?** Sonnet handles code analysis well when given explicit checklists (which each audit agent has). The 30-line context requirement provides enough signal. Good cost/quality tradeoff with 7 parallel agents.
-
-**Why Haiku for audit in Budget?** Surface-level pattern matching is Haiku's strength. May produce more false positives, but the remediation agents (still Sonnet) will validate findings before fixing. Best for large codebases where you want a fast first pass.
-
-**Why never Haiku for remediation?** Remediation agents write code, run builds, and commit. Code generation quality matters — Haiku may produce fixes that don't compile or introduce subtle regressions. Sonnet is the floor for code-writing agents.
+Opus reduces false positives in audit (judgment-heavy). Sonnet is the floor for code-writing agents (remediation). Haiku works for fast first-pass pattern scanning but may produce more false positives — remediation agents (Sonnet+) validate before fixing.
 
 ## Phase 0: Discovery & Setup
 
@@ -83,7 +77,7 @@ Derive build and test commands from the project type:
 - Rust: `cargo build`, `cargo test`
 - Python: `pytest`, `python -m pytest`
 - Go: `go build ./...`, `go test ./...`
-- If ambiguous, check CLAUDE.md for documented commands
+- If ambiguous, check project conventions already in context for documented commands
 
 Record as `BUILD_CMD` and `TEST_CMD`.
 
@@ -106,7 +100,7 @@ This ensures the browser is ready before we need it in Phase 6, avoiding interru
 
 ## Phase 1: Unified Audit
 
-Read the project's CLAUDE.md files first to understand conventions. Pass relevant conventions to each agent.
+Project conventions are already in your context. Pass relevant conventions to each agent.
 
 Launch 7 Explore agents in two batches. Each agent must report findings in this format:
 ```
@@ -477,7 +471,6 @@ If `BROWSER_AUTHENTICATED` is not true (e.g., Phase 0e was skipped or failed):
 1. Navigate to the first PR URL using `browser_navigate`
 2. Check for user avatar/menu
 3. If not logged in: navigate to `https://github.com/login`, inform the user **"Please log in to GitHub in the browser. I'll wait for you to confirm."**, and use `AskUserQuestion` to wait
-4. Do NOT close the browser at any point during this phase
 
 ### 6.1: Request Copilot reviews on all PRs
 
@@ -496,17 +489,16 @@ If this returns 422 ("not a collaborator"), **fall back to Playwright** for each
 
 ### 6.2: Poll for review completion
 
-For each PR, poll every 15 seconds, max 3 minutes (12 polls):
-```bash
-gh api repos/{OWNER}/{REPO}/pulls/{PR_NUMBER}/reviews --jq '.[] | "\(.user.login): \(.state)"'
-```
+**Dynamic poll timing**: Before your first poll, check how long the most recent Copilot review on this PR took by comparing consecutive Copilot review `submittedAt` timestamps (or PR creation time for the first review). Use that duration as your expected wait. If no prior review exists, default to 5 minutes. Set poll interval to 60 seconds and max wait to **2x the expected duration** (minimum 5 minutes, maximum 20 minutes). Copilot reviews can take **10-15 minutes** for large diffs — do NOT give up early.
 
-Also check for inline comments:
+For each PR, poll using GraphQL to check for a new Copilot review:
 ```bash
-gh api repos/{OWNER}/{REPO}/pulls/{PR_NUMBER}/comments --jq '.[] | "\(.user.login) [\(.path):\(.line)]: \(.body[:120])"'
+echo '{"query":"{ repository(owner: \"OWNER\", name: \"REPO\") { pullRequest(number: PR_NUM) { reviews(last: 5) { nodes { state body author { login } submittedAt } } reviewThreads(first: 100) { nodes { id isResolved comments(first: 3) { nodes { body path line author { login } } } } } } } }"}' | gh api graphql --input -
 ```
 
-The review is complete when a `copilot[bot]` or `copilot-pull-request-reviewer[bot]` review appears.
+The review is complete when a new `copilot-pull-request-reviewer[bot]` review appears with a `submittedAt` after your request. If no review appears after max wait, **ask the user** whether to continue waiting, re-request, or skip.
+
+**Error detection**: After a review appears, check its `body` for error text such as "Copilot encountered an error" or "unable to review this pull request". If found, this is NOT a successful review — log a warning, re-request the review (step 6.1), and resume polling from 6.2. Allow up to 3 error retries per PR before asking the user whether to continue or skip.
 
 ### 6.3: Check for unresolved threads
 
@@ -610,7 +602,6 @@ If merge fails (e.g., branch protection, merge conflicts from a prior PR):
 - **Copilot timeout** (review not received within 3 min): inform user, offer to merge without review approval or wait longer
 - **Copilot review loop exceeds 5 iterations per PR**: stop iterating on that PR, inform user, proceed to merge
 - **Existing worktree found at startup**: ask user — resume (reuse worktree) or cleanup (remove and start fresh)
-- **`gh auth status` / `glab auth status` failure**: halt and tell user to authenticate first
 - **No findings above LOW**: skip Phases 3-7, print "No actionable findings" with the LOW summary
 - **Browser not authenticated**: use `AskUserQuestion` to ask the user to log in — never skip this or close the browser
 - **Merge conflict after prior PR merged**: rebase the branch onto the updated default branch, push with `--force-with-lease`, re-run CI
@@ -626,8 +617,5 @@ If merge fails (e.g., branch protection, merge conflicts from a prior PR):
 - When extracting modules, always add backward-compatible re-exports in the original module to prevent cross-PR breakage
 - Version bump happens exactly once on the first category branch based on aggregate commit analysis
 - Only CRITICAL, HIGH, and MEDIUM findings are auto-remediated; LOW and Test Coverage remain tracked in PLAN.md
-- Do not include co-author or generated-by info in any commits, PRs, or output
 - GitLab projects skip the Copilot review loop entirely (Phase 6) and stop after MR creation
-- Always run `gh auth status` (or `glab auth status`) before any authenticated operation
-- The Playwright browser should be opened early (Phase 0e) and kept open throughout — never close it prematurely
 - CI must pass on each PR before requesting Copilot review or merging

package/commands/do/fpr.md

@@ -94,14 +94,10 @@ gh pr create \
 
 - Write a clear title and rich description
 - If a PR template was found, follow its structure
-- Do NOT include co-author or "generated with" messages
 - Print the resulting PR URL so the user can review it
 
 ## Important
 
-- Never stage files you didn't edit
-- Never use `git add -A` or `git add .`
-- Do NOT bump versions or update changelogs — upstream maintainers control those
 - Do NOT merge the PR — upstream maintainers handle that
 - Do NOT run Copilot review loops — you don't control the upstream repo's review settings
 - If the fork is significantly behind upstream, warn the user about potential merge conflicts

package/commands/do/pr.md

@@ -32,7 +32,7 @@ Before creating the PR, perform a thorough self-review. Read each changed file
 ## Open the PR
 
 - Create a PR from `{current_branch}` to `{default_branch}`
-- Create a rich PR description — no co-author or "generated with" messages
+- Create a rich PR description
 
 **IMPORTANT**: During each fix cycle in the Copilot review loop below, after fixing all review comments and before pushing, also bump the patch version (`npm version patch --no-git-tag-version` or equivalent) and commit the version bump.
 

package/commands/do/push.md

@@ -10,6 +10,7 @@ Commit and push all work from this session, updating documentation as needed.
 
 1. **Identify changes to commit**:
    - Run `git status` and `git diff --stat` to see what changed
+   - If there are no changes to commit, inform the user and stop
    - If you edited files in this session, commit only those files
    - If invoked without prior edit context, review all uncommitted changes
    - if there are files that should be added to the .gitignore that are not yet there, ensure we have proper .gitignore coverage
@@ -47,11 +48,3 @@ Commit and push all work from this session, updating documentation as needed.
 
 5. **Push the changes**:
    - Use `git pull --rebase --autostash && git push` to push safely
-
-## Important
-
-- Never stage files you didn't edit
-- Never use `git add -A` or `git add .`
-- Keep commit messages focused on the "why" not just the "what"
-- If there are no changes to commit, inform the user
-- Do NOT bump the version in package.json — `/release` handles versioning

package/commands/do/release.md

@@ -6,22 +6,30 @@ description: Create a release PR using the project's documented release workflow
 
 Before doing anything, determine the project's source and target branches for releases. Do NOT hardcode branch names. Instead, discover them:
 
-1. **Source branch** — run `gh repo view --json defaultBranchRef -q '.defaultBranchRef.name'` to get the repo's default branch
+1. **Source branch** — run `gh repo view --json defaultBranchRef -q '.defaultBranchRef.name'` to get the repo's default branch (typically `main`)
 2. **Target branch** — determine by reading (in priority order):
    - **GitHub Actions workflows** — check `.github/workflows/release.yml` (or similar) for `on: push: branches:` to find the branch that triggers the release pipeline
-   - **Project CLAUDE.md** — look for git workflow sections, branch descriptions, or release instructions
+   - **Project conventions** (already in context) — look for git workflow sections, branch descriptions, or release instructions
    - **Versioning docs** — check `docs/VERSIONING.md`, `CONTRIBUTING.md`, or `RELEASING.md`
    - **Branch convention** — if a `release` branch exists, the target is `release`; otherwise ask the user
+3. **Ensure the target branch exists** — if not, create it from the last release tag:
+   ```bash
+   git branch release $(git describe --tags --abbrev=0)
+   git push -u origin release
+   ```
+   This ensures the PR diff shows ALL changes since the last release, not just the version bump.
 
 Print the detected workflow: `Detected release flow: {source} → {target}`
 
 If ambiguous, ask the user to confirm before proceeding.
 
+**Important**: The PR direction is `{source}` → `{target}` (e.g., `main` → `release`). This gives Copilot the full diff of all changes since the last release for review. Do NOT create a branch from source and PR back into it — that only shows the version bump commit.
+
 ## Pre-Release Checks
 
 1. **Ensure you're on the source branch** — checkout if needed
 2. **Pull latest** — `git pull --rebase --autostash`
-3. **Run tests** — execute the project's test suite (check CLAUDE.md or package.json for the command)
+3. **Run tests** — execute the project's test suite (per project conventions already in context, or check package.json)
 4. **Run build** — execute the project's build command if one exists
 
 ## Determine Version and Finalize Changelog
@@ -63,8 +71,11 @@ Perform a thorough self-review. Read each changed file — not just the diff —
 
 ## Open the Release PR
 
-- Push the source branch to remote
-- Create a PR from `{source}` to `{target}`
+- Push the source branch to remote (it should already be up to date with the release commit)
+- Create a PR from `{source}` → `{target}` (e.g., `main` → `release`)
+  ```bash
+  gh pr create --title "Release v{version}" --base {target} --head {source} --body "..."
+  ```
 - Title: `Release v{version}` (read version from package.json or equivalent)
 - Body: include the changelog content for this version if available, otherwise summarize commits since last release
 - Keep the description clean — no co-author or "generated with" messages
@@ -91,6 +102,12 @@ Perform a thorough self-review. Read each changed file — not just the diff —
 
 ## Post-Merge
 
-- Report the final status including version, PR URL, and merge state
-- Remind the user to check for the GitHub release once CI completes (if the project uses automated releases)
-- Switch back to the source branch locally: `git checkout {source} && git pull --rebase --autostash`
+1. **Tag the release** on the target branch to trigger the publish workflow:
+   ```bash
+   git fetch origin {target}
+   git tag v{version} origin/{target}
+   git push origin v{version}
+   ```
+2. **Switch back to the source branch** locally: `git checkout {source} && git pull --rebase --autostash`
+3. **Report the final status** including version, PR URL, tag, and merge state
+4. Remind the user to check for the GitHub release once CI completes (if the project uses automated releases)

package/commands/do/review.md

@@ -13,19 +13,54 @@ argument-hint: "[base-branch]"
 
 If there are no changes, inform the user and stop.
 
-## Read Project Conventions
+## Apply Project Conventions
 
-Read the project's CLAUDE.md (if it exists) to understand:
-- Code style rules, error handling patterns, logging conventions
-- Custom error classes, validation patterns, framework-specific rules
-- Any explicit security model or scope exclusions
-
-These conventions override generic best practices. For example, if CLAUDE.md says "no auth needed — internal tool", do not flag missing authentication.
+CLAUDE.md is already loaded into your context. Use its rules (code style, error handling, logging, security model, scope exclusions) as overrides to generic best practices throughout this review. For example, if CLAUDE.md says "no auth needed — internal tool", do not flag missing authentication.
 
 ## Deep File Review
 
 For **each changed file** in the diff, read the **entire file** (not just diff hunks). Reviewing only the diff misses context bugs where new code interacts incorrectly with existing code.
 
+### Understand the Code Flow
+
+Before checking individual files against the checklist, **map the flow of changed code across all files**. This means:
+
+1. **Trace call chains** — for each new or modified function/method, identify every caller and callee across the changed files. Read those files too if needed. You cannot evaluate whether code is duplicated or well-structured without knowing how it connects.
+2. **Identify shared data paths** — trace data from entry point (route handler, event listener, CLI arg) through transforms, storage, and output. Understand what each layer is responsible for.
+3. **Map responsibilities** — for each changed module/file, state its single responsibility in one sentence. If you can't, it may be doing too much.
+
+### Evaluate Software Engineering Principles
+
+With the flow understood, evaluate the changed code against these principles:
+
+**DRY (Don't Repeat Yourself)**
+- Look for logic duplicated across changed files or between changed and existing code. Grep for similar function signatures, repeated conditional blocks, or copy-pasted patterns with minor variations.
+- If two functions do nearly the same thing with small differences, they should likely share a common implementation with the differences parameterized.
+- Duplicated validation, error formatting, or data transformation are common violations.
+
+**YAGNI (You Ain't Gonna Need It)**
+- Flag abstractions, config options, parameters, or extension points that serve no current use case. Code should solve the problem at hand, not hypothetical future problems.
+- Unnecessary wrapper functions, premature generalization (e.g., a factory that produces one type), and unused feature flags are common violations.
+
+**SOLID Principles**
+- **Single Responsibility** — each module/function should have one reason to change. If a function handles both business logic and I/O formatting, flag it.
+- **Open/Closed** — new behavior should be addable without modifying existing working code where practical (e.g., strategy patterns, plugin hooks).
+- **Liskov Substitution** — if subclasses or interface implementations exist, verify they are fully substitutable without breaking callers.
+- **Interface Segregation** — callers should not depend on methods they don't use. Large config objects or option bags passed through many layers are a smell.
+- **Dependency Inversion** — high-level modules should not import low-level implementation details directly when an abstraction boundary would be cleaner.
+
+**Separation of Concerns**
+- Business logic should not be tangled with transport (HTTP, WebSocket), storage (SQL, file I/O), or presentation (HTML, JSON formatting).
+- If a route handler contains business rules beyond simple delegation, flag it.
+
+**Naming & Readability**
+- Function and variable names should communicate intent. If you need to read the implementation to understand what a name means, it's poorly named.
+- Boolean variables/params should read as predicates (`isReady`, `hasAccess`), not ambiguous nouns.
+
+Only flag principle violations that are **concrete and actionable** in the changed code. Do not flag pre-existing design issues in untouched code unless the changes make them worse.
+
+### Per-File Checklist
+
 Check every file against this checklist:
 
 !`cat ~/.claude/lib/code-review-checklist.md`
@@ -50,7 +85,7 @@ For each issue found:
 1. Classify severity: **CRITICAL** (runtime crash, data leak, security) vs **IMPROVEMENT** (consistency, robustness, conventions)
 2. Fix all CRITICAL issues immediately
 3. For IMPROVEMENT issues, fix them too — the goal is to eliminate Copilot review round-trips
-4. After fixes, run the project's test suite and build command (check CLAUDE.md for commands)
+4. After fixes, run the project's test suite and build command (per project conventions already in context)
 5. Commit fixes: `refactor: address code review findings`
 
 ## Report

package/commands/do/rpr.md

@@ -4,7 +4,7 @@ description: Resolve PR review feedback with parallel agents
 
 # Resolve PR Review Feedback
 
-Address the latest code review feedback on the current branch's pull request using a team-based approach.
+Address the latest code review feedback on the current branch's pull request using parallel sub-agents.
 
 ## Steps
 
@@ -18,23 +18,21 @@ Address the latest code review feedback on the current branch's pull request usi
    ```
    Save results to `/tmp/pr_threads.json` for parsing.
 
-4. **Spawn a team to address feedback in parallel**:
-   - Create a team with `TeamCreate`
-   - Create a task for each unresolved review thread using `TaskCreate`
-   - Create an additional task for an **independent code quality review** of all files changed in the PR (`gh pr diff --name-only`)
-   - Spawn sub-agents (general-purpose type) as teammates to handle each task in parallel:
-     - One agent per review thread (or group closely related threads on the same file)
-     - One dedicated agent for the code quality review
-   - Each agent should:
+4. **Spawn parallel sub-agents to address feedback**:
+   - For small PRs (1-3 unresolved threads), handle fixes inline instead of spawning agents
+   - For larger PRs, spawn one `Agent` call (general-purpose type) per review thread (or group closely related threads on the same file into one agent)
+   - Spawn one additional `Agent` call for an **independent code quality review** of all files changed in the PR (`gh pr diff --name-only`)
+   - Launch all Agent calls **in parallel** (multiple tool calls in a single response) and wait for all to return
+   - Each thread-fixing agent should:
      - Read the file and understand the context of the feedback
      - Make the requested code changes if they are accurate and warranted
      - Look for further opportunities to DRY up affected code
-     - Report back what was changed and the thread ID that was addressed
+     - Return what was changed and the thread ID that was addressed
    - The code quality reviewer should:
      - Read all changed files in the PR
      - Check for: style violations, missing error handling, dead code, DRY violations, security issues
-     - Apply fixes directly and report what was changed
-   - Wait for all agents to complete, then review their changes
+     - Apply fixes directly and return what was changed
+   - After all agents return, review their changes for conflicts or overlapping edits
 
 5. **Run tests**: Run the project's test suite to verify all changes pass. Do not proceed if tests fail — fix issues first.
 
@@ -68,18 +66,19 @@ Verify the request was accepted by checking that `Copilot` appears in the respon
 
 ### Poll for review completion
 
-Poll every 30 seconds using GraphQL to check for a new review with a `submittedAt` timestamp after the request:
+Poll using GraphQL to check for a new review with a `submittedAt` timestamp after the request:
 ```bash
 gh api graphql -f query='{ repository(owner: "OWNER", name: "REPO") { pullRequest(number: PR_NUM) { reviews(last: 3) { nodes { state body author { login } submittedAt } } reviewThreads(first: 100) { nodes { id isResolved comments(first: 3) { nodes { body path line author { login } } } } } } } }'
 ```
 
-Copilot reviews typically take 60-120 seconds. The review is complete when a new `copilot-pull-request-reviewer` review node appears.
+**Dynamic poll timing**: Before your first poll, check how long the most recent Copilot review on this PR took by comparing consecutive Copilot review `submittedAt` timestamps (or PR creation time for the first review). Use that duration as your expected wait. If no prior review exists, default to 5 minutes. Set poll interval to 60 seconds and max wait to **2x the expected duration** (minimum 5 minutes, maximum 20 minutes). Copilot reviews can take **10-15 minutes** for large diffs — do NOT give up early.
+
+The review is complete when a new `copilot-pull-request-reviewer` review node appears. If no review appears after max wait, **ask the user** whether to continue waiting, re-request, or skip.
+
+**Error detection**: After a review appears, check its `body` for error text such as "Copilot encountered an error" or "unable to review this pull request". If found, this is NOT a successful review — log a warning, re-request the review (same API call above), and resume polling. Allow up to 3 error retries before asking the user whether to continue or skip.
 
 ## Notes
 
 - Only resolve threads where you've actually addressed the feedback
 - If feedback is unclear or incorrect, leave a reply comment instead of resolving
-- Do not include co-author info in commits
-- For small PRs (1-3 threads), sub-agents may be overkill — use judgment on whether to spawn a team or handle inline
 - Always run tests before committing — never push code with known failures
-- Shut down the team after all work is complete

package/hooks/slashdo-check-update.js

@@ -0,0 +1,73 @@
+#!/usr/bin/env node
+// Check for slashdo updates in background, write result to cache
+// Called by SessionStart hook - runs once per session
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const { spawn } = require('child_process');
+
+const homeDir = os.homedir();
+const cacheDir = path.join(homeDir, '.claude', 'cache');
+const cacheFile = path.join(cacheDir, 'slashdo-update-check.json');
+const versionFile = path.join(homeDir, '.claude', '.slashdo-version');
+
+// Best-effort: silently exit on any setup failure (permissions, read-only FS, etc.)
+try {
+  if (!fs.existsSync(cacheDir)) {
+    fs.mkdirSync(cacheDir, { recursive: true });
+  }
+
+  // Spawn background process so we don't block session start
+  const child = spawn(process.execPath, ['-e', `
+    const fs = require('fs');
+    const { execSync } = require('child_process');
+
+    const cacheFile = ${JSON.stringify(cacheFile)};
+    const versionFile = ${JSON.stringify(versionFile)};
+
+    let installed = '0.0.0';
+    try {
+      if (fs.existsSync(versionFile)) {
+        installed = fs.readFileSync(versionFile, 'utf8').trim();
+      }
+    } catch (e) {}
+
+    // No version file means slashdo isn't installed — skip silently
+    if (installed === '0.0.0') {
+      process.exit(0);
+    }
+
+    let latest = null;
+    try {
+      latest = execSync('npm view slash-do version', { encoding: 'utf8', timeout: 5000, windowsHide: true }).trim();
+    } catch (e) {}
+
+    // Simple semver comparison: only flag update when latest > installed
+    let updateAvailable = false;
+    if (latest && latest !== installed) {
+      const parse = v => (v || '').replace(/^v/, '').replace(/-.+$/, '').split('.').map(Number);
+      const [iM, im, ip] = parse(installed);
+      const [lM, lm, lp] = parse(latest);
+      if ([iM, im, ip, lM, lm, lp].some(isNaN)) { updateAvailable = installed !== latest; }
+      else { updateAvailable = lM > iM || (lM === iM && (lm > im || (lm === im && lp > ip))); }
+    }
+
+    const result = {
+      update_available: updateAvailable,
+      installed,
+      latest: latest || 'unknown',
+      checked: Math.floor(Date.now() / 1000)
+    };
+
+    fs.writeFileSync(cacheFile, JSON.stringify(result));
+  `], {
+    stdio: 'ignore',
+    windowsHide: true,
+    detached: true
+  });
+
+  child.unref();
+} catch (e) {
+  // Hook is best-effort — never break SessionStart
+}

package/hooks/slashdo-statusline.js

@@ -0,0 +1,123 @@
+#!/usr/bin/env node
+// slashdo statusline for Claude Code
+// Shows: model | current task | directory | context usage | update notifications
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+// Read JSON from stdin
+let input = '';
+process.stdin.setEncoding('utf8');
+process.stdin.on('data', chunk => input += chunk);
+process.stdin.on('end', () => {
+  try {
+    const data = JSON.parse(input);
+    const model = data.model?.display_name || 'Claude';
+    const dir = data.workspace?.current_dir || process.cwd();
+    const session = data.session_id || '';
+    const remaining = data.context_window?.remaining_percentage;
+
+    // Context window display (shows USED percentage scaled to 80% limit)
+    // Claude Code enforces an 80% context limit, so we scale to show 100% at that point
+    let ctx = '';
+    if (remaining != null) {
+      const rem = Math.round(remaining);
+      const rawUsed = Math.max(0, Math.min(100, 100 - rem));
+      // Scale: 80% real usage = 100% displayed
+      const used = Math.min(100, Math.round((rawUsed / 80) * 100));
+
+      // Write context metrics to bridge file for context-monitor hooks
+      if (session) {
+        try {
+          const safeSession = session.replace(/[^a-zA-Z0-9_-]/g, '');
+          const bridgePath = path.join(os.tmpdir(), `claude-ctx-${safeSession}.json`);
+          const bridgeData = JSON.stringify({
+            session_id: session,
+            remaining_percentage: remaining,
+            used_pct: used,
+            timestamp: Math.floor(Date.now() / 1000)
+          });
+          fs.writeFileSync(bridgePath, bridgeData);
+        } catch (e) {
+          // Silent fail -- bridge is best-effort, don't break statusline
+        }
+      }
+
+      // Build progress bar (10 segments)
+      const filled = Math.floor(used / 10);
+      const bar = '█'.repeat(filled) + '░'.repeat(10 - filled);
+
+      // Color based on scaled usage
+      if (used < 63) {
+        ctx = ` \x1b[32m${bar} ${used}%\x1b[0m`;
+      } else if (used < 81) {
+        ctx = ` \x1b[33m${bar} ${used}%\x1b[0m`;
+      } else if (used < 95) {
+        ctx = ` \x1b[38;5;208m${bar} ${used}%\x1b[0m`;
+      } else {
+        ctx = ` \x1b[5;31m💀 ${bar} ${used}%\x1b[0m`;
+      }
+    }
+
+    // Current task from todos
+    let task = '';
+    const homeDir = os.homedir();
+    const todosDir = path.join(homeDir, '.claude', 'todos');
+    if (session && fs.existsSync(todosDir)) {
+      try {
+        const entries = fs.readdirSync(todosDir);
+        let latestFile = null;
+        let latestMtime = 0;
+        for (const f of entries) {
+          if (!f.startsWith(session) || !f.includes('-agent-') || !f.endsWith('.json')) continue;
+          try {
+            const mt = fs.statSync(path.join(todosDir, f)).mtimeMs;
+            if (mt > latestMtime) { latestMtime = mt; latestFile = f; }
+          } catch (e) {}
+        }
+
+        if (latestFile) {
+          try {
+            const todos = JSON.parse(fs.readFileSync(path.join(todosDir, latestFile), 'utf8'));
+            const inProgress = todos.find(t => t.status === 'in_progress');
+            if (inProgress) task = inProgress.activeForm || '';
+          } catch (e) {}
+        }
+      } catch (e) {
+        // Silently fail on file system errors - don't break statusline
+      }
+    }
+
+    // Update notifications (GSD + slashdo)
+    let updates = '';
+    const gsdCacheFile = path.join(homeDir, '.claude', 'cache', 'gsd-update-check.json');
+    if (fs.existsSync(gsdCacheFile)) {
+      try {
+        const cache = JSON.parse(fs.readFileSync(gsdCacheFile, 'utf8'));
+        if (cache.update_available) {
+          updates += '\x1b[33m⬆ /gsd:update\x1b[0m │ ';
+        }
+      } catch (e) {}
+    }
+    const slashdoCacheFile = path.join(homeDir, '.claude', 'cache', 'slashdo-update-check.json');
+    if (fs.existsSync(slashdoCacheFile)) {
+      try {
+        const cache = JSON.parse(fs.readFileSync(slashdoCacheFile, 'utf8'));
+        if (cache.update_available) {
+          updates += '\x1b[33m⬆ /do:update\x1b[0m │ ';
+        }
+      } catch (e) {}
+    }
+
+    // Output
+    const dirname = path.basename(dir);
+    if (task) {
+      process.stdout.write(`${updates}\x1b[2m${model}\x1b[0m │ \x1b[1m${task}\x1b[0m │ \x1b[2m${dirname}\x1b[0m${ctx}`);
+    } else {
+      process.stdout.write(`${updates}\x1b[2m${model}\x1b[0m │ \x1b[2m${dirname}\x1b[0m${ctx}`);
+    }
+  } catch (e) {
+    // Silent fail - don't break statusline on parse errors
+  }
+});

package/install.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 # slashdo — curl-based installer (no npm required)
 # Usage: curl -fsSL https://raw.githubusercontent.com/atomantic/slashdo/main/install.sh | bash
+# shellcheck disable=SC2059,SC2207
 set -euo pipefail
 
 REPO="atomantic/slashdo"
@@ -36,6 +37,10 @@ LIBS=(
   code-review-checklist copilot-review-loop graphql-escaping
 )
 
+HOOKS=(slashdo-check-update slashdo-statusline)
+
+OLD_HOOKS=(update-check)
+
 detect_envs() {
   local envs=()
   [ -d "$HOME/.claude" ] && envs+=(claude)
@@ -48,7 +53,8 @@ detect_envs() {
 install_claude() {
   local target_cmd="$HOME/.claude/commands/do"
   local target_lib="$HOME/.claude/lib"
-  mkdir -p "$target_cmd" "$target_lib"
+  local target_hooks="$HOME/.claude/hooks"
+  mkdir -p "$target_cmd" "$target_lib" "$target_hooks"
 
   printf "  Installing to ${GREEN}Claude Code${RESET}...\n"
 
@@ -70,12 +76,107 @@ install_claude() {
     fi
   done
 
+  for hook in "${HOOKS[@]}"; do
+    printf "    hook/%-19s" "$hook.js"
+    if curl -fsSL "$BASE_URL/hooks/$hook.js" -o "$target_hooks/$hook.js" 2>/dev/null; then
+      printf "${GREEN}ok${RESET}\n"
+    else
+      printf "failed\n"
+    fi
+  done
+
   for old in "${OLD_COMMANDS[@]}"; do
     if [ -f "$target_cmd/$old.md" ]; then
       rm -f "$target_cmd/$old.md"
       printf "    migrated: /do:%-14s${GREEN}ok${RESET}\n" "$old"
     fi
   done
+
+  for old in "${OLD_HOOKS[@]}"; do
+    if [ -f "$target_hooks/$old.md" ]; then
+      rm -f "$target_hooks/$old.md"
+      printf "    removed:  hook/%-13s${GREEN}ok${RESET}\n" "$old.md"
+    fi
+  done
+
+  # Register hooks in settings.json (requires Node.js and successful hook downloads)
+  if command -v node &>/dev/null && [ -f "$target_hooks/slashdo-check-update.js" ]; then
+    printf "    settings.json:          "
+    local node_result
+    if ! node_result=$(node -e '
+      const fs = require("fs");
+      const path = require("path");
+      const home = require("os").homedir();
+      const settingsPath = path.join(home, ".claude", "settings.json");
+      const hooksDir = path.join(home, ".claude", "hooks");
+
+      let settings = {};
+      if (fs.existsSync(settingsPath)) {
+        try { settings = JSON.parse(fs.readFileSync(settingsPath, "utf8")); } catch (e) {
+          process.stdout.write("skipped (settings.json parse error)");
+          process.exit(0);
+        }
+      }
+
+      let modified = false;
+
+      // SessionStart hook (only if hook file exists)
+      const updateHookPath = path.join(hooksDir, "slashdo-check-update.js");
+      if (!settings.hooks || typeof settings.hooks !== "object" || Array.isArray(settings.hooks)) settings.hooks = {};
+      if (typeof settings.hooks.SessionStart === "undefined") {
+        settings.hooks.SessionStart = [];
+      } else if (!Array.isArray(settings.hooks.SessionStart)) {
+        process.stdout.write("skipped (settings.hooks.SessionStart has unexpected shape)");
+        process.exit(0);
+      }
+
+      const hookCmd = "node \"" + updateHookPath + "\"";
+      const alreadyRegistered = settings.hooks.SessionStart.some(function(g) {
+        return g && typeof g === "object" && Array.isArray(g.hooks) && g.hooks.some(function(h) {
+          return h && typeof h === "object" && typeof h.command === "string" && h.command.indexOf("slashdo-check-update") !== -1;
+        });
+      });
+
+      if (!alreadyRegistered) {
+        if (settings.hooks.SessionStart.length > 0) {
+          var firstGroup = settings.hooks.SessionStart[0];
+          if (!firstGroup || typeof firstGroup !== "object") {
+            firstGroup = {};
+            settings.hooks.SessionStart[0] = firstGroup;
+          }
+          if (!Array.isArray(firstGroup.hooks)) firstGroup.hooks = [];
+          firstGroup.hooks.push({ type: "command", command: hookCmd });
+        } else {
+          settings.hooks.SessionStart.push({ hooks: [{ type: "command", command: hookCmd }] });
+        }
+        modified = true;
+      }
+
+      // Statusline (only if none exists and hook file was downloaded)
+      const statuslineHookPath = path.join(hooksDir, "slashdo-statusline.js");
+      if (!settings.statusLine && fs.existsSync(statuslineHookPath)) {
+        const slCmd = "node \"" + statuslineHookPath + "\"";
+        settings.statusLine = { type: "command", command: slCmd };
+        modified = true;
+      }
+
+      if (modified) {
+        fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + "\n");
+      }
+
+      process.stdout.write(modified ? "updated" : "already configured");
+    ' 2>/dev/null); then
+      printf " %sfailed%s\n" "$YELLOW" "$RESET"
+    elif echo "$node_result" | grep -q "^skipped"; then
+      printf "%s%s%s\n" "$YELLOW" "$node_result" "$RESET"
+    else
+      printf "%s %sok%s\n" "$node_result" "$GREEN" "$RESET"
+    fi
+  elif command -v node &>/dev/null; then
+    printf "    ${DIM}settings.json: skipped (hook files not found)${RESET}\n"
+  else
+    printf "    ${DIM}settings.json: skipped (node not found — hooks installed but not registered)${RESET}\n"
+  fi
 }
 
 install_opencode() {

package/lib/code-review-checklist.md

@@ -1,5 +1,5 @@
    **Hygiene**
-   - Leftover debug code (console.log without emoji prefix, debugger, TODO/FIXME/HACK)
+   - Leftover debug code (`console.log`, `debugger`, TODO/FIXME/HACK comments)
    - Hardcoded secrets, API keys, or credentials
    - Files that shouldn't be committed (.env, node_modules, build artifacts)
    - Overly broad changes that should be split into separate PRs
@@ -9,16 +9,20 @@
    - No unused imports introduced by the changes
 
    **Runtime correctness**
-   - State/variables that are declared but never updated or only partially wired up (e.g. a state setter that's never called with `true`)
+   - State/variables that are declared but never updated or only partially wired up (e.g. a state setter that's never called)
    - Side effects during React render (setState, navigation, mutations outside useEffect)
    - Off-by-one errors, null/undefined access without guards
+   - `JSON.parse` on user-editable files (config, settings, cache) without error handling — corrupted files will crash the process
+   - Accessing properties/methods on parsed JSON objects without verifying expected structure (e.g., `obj.arr.push()` when `arr` might not be an array)
+   - Iterating arrays from external/user-editable sources without guarding each element — a `null` or wrong-type entry throws `TypeError` when treated as an object
+   - Version/string comparisons using `!==` when semantic ordering matters — use proper semver comparison for version checks
 
    **Resource management**
    - Event listeners, socket handlers, subscriptions, and timers are cleaned up on unmount/teardown
    - useEffect cleanup functions remove everything the effect sets up
 
    **HTTP status codes & error classification**
-   - Service functions that throw generic `Error` for client-caused conditions (not found, invalid input) — these bubble as 500 when they should be 400/404. Use the project's error class (e.g., `ServerError`, `HttpError`, `createError`) with explicit status codes
+   - Service functions that throw generic `Error` for client-caused conditions (not found, invalid input) — these bubble as 500 when they should be 400/404. Use typed error classes with explicit status codes
    - Consistent error responses across similar endpoints — if one validates, all should
 
    **API & URL safety**
@@ -31,29 +35,69 @@
 
    **Input handling**
    - Trimming values where whitespace is significant (API keys, tokens, passwords, base64) — only trim identifiers/names, not secret values
-   - Swallowed errors (empty `.catch(() => {})`) that hide failures from users — at minimum show a toast/notification on failure
+   - Swallowed errors (empty `.catch(() => {})`) that hide failures from users — at minimum surface a notification on failure
 
    **Validation & consistency**
    - New endpoints/schemas match validation standards of similar existing endpoints (check for field limits, required fields, types)
    - New API routes have the same error handling patterns as existing routes
    - If validation exists on one endpoint for a param, the same param on other endpoints needs the same validation
-   - Schema fields that accept values the rest of the system can't handle (e.g., managedSecrets accepting any string when the sync endpoint requires `[A-Z0-9_]`)
+   - Schema fields that accept values the rest of the system can't handle (e.g., a field accepts any string but downstream code requires a specific format)
+   - Numeric query params (`limit`, `offset`, `page`) parsed from strings without lower-bound clamping — `parseInt` can produce 0, negative, or `NaN` values that cause SQL errors or unexpected behavior. Always clamp to safe bounds (e.g., `Math.max(1, ...)`)
+   - Summary counters/accumulators that miss edge cases — if an item is removed, is the count updated? Are all branches counted?
+   - Silent operations in verbose sequences — when a series of operations each prints a status line, ensure all branches print consistent output
+   - Labels, comments, or status messages that describe behavior the code doesn't implement — e.g., a map named "renamed" that only deletes, or an action labeled "migrated" that never creates the target
+   - Registering references (config entries, settings pointers) to files or resources without verifying the resource actually exists — a failed download or missing file leaves dangling references that break later operations
+   - Error/catch handlers that exit cleanly (`exit 0`, `return`) without any user-visible output — makes failures look like successes; always print a skip/warning message explaining why the operation was skipped
 
    **Concurrency & data integrity**
-   - Shared mutable state (files, in-memory caches) accessed by concurrent requests without locking or atomic writes — if two requests can hit the same resource, consider a mutex or write-to-tmp-then-rename pattern
-   - Multi-step read-modify-write cycles on JSON files or databases that can interleave with other requests
+   - Shared mutable state (files, in-memory caches) accessed by concurrent requests without locking or atomic writes
+   - Multi-step read-modify-write cycles on files or databases that can interleave with other requests
+   - Multi-table writes (e.g., parent row + relationship/link rows) without a transaction — FK violations or errors after the first insert leave partial state. Wrap all related writes in a single transaction
+   - Functions with early returns for "no primary fields to update" that silently skip secondary operations (relationship updates, link table writes) — ensure early-return guards don't bypass logic that should run independently of primary field changes
+
+   **Search & navigation**
+   - Search results that link to generic list pages instead of deep-linking to the specific record — include the record type and ID in the URL
+   - Search or query code that hardcodes one backend's implementation when the system supports multiple backends — use the active backend's capabilities so results aren't stale after a backend switch
+
+   **Sync & replication**
+   - Upsert/`ON CONFLICT UPDATE` clauses that only update a subset of the fields exported by the corresponding "get changes" query — omitted fields cause replicas to diverge. Deliberately omit only fields that should stay local (e.g., access stats), and document the decision
+   - Pagination using `COUNT(*)` to compute `hasMore` — this forces a full table scan on large tables. Use the `limit + 1` pattern: fetch one extra row to detect more pages, return only `limit` rows
+
+   **SQL & database**
+   - Parameterized query placeholder indices (`$1`, `$2`, ...) must match the actual parameter array positions — especially when multiple queries share a param builder or when the index is computed dynamically
+   - Database triggers (e.g., `BEFORE UPDATE` setting `updated_at = NOW()`) that clobber explicitly-provided values — verify triggers don't interfere with replication/sync that sets fields to remote timestamps
+   - Auto-incrementing columns (`BIGSERIAL`, `SERIAL`) only auto-increment on INSERT, not UPDATE — if change-tracking relies on a sequence column, the UPDATE path must explicitly call `nextval()` to bump it
+   - Database functions that require specific extensions or minimum versions — verify the deployment target supports them and the init script enables the extension
+   - Full-text search with strict query parsers (`to_tsquery`) directly on user input — punctuation, quotes, and operators cause SQL errors. Use `websearch_to_tsquery` or `plainto_tsquery` for user-facing search
+   - Query results assigned to variables but never read — remove dead queries to avoid unnecessary database load
+   - N+1 query patterns inside transactions (SELECT + INSERT/UPDATE per row) — use batched upserts (`INSERT ... ON CONFLICT ... DO UPDATE`) to reduce round-trips and lock time
+
+   **Lazy initialization & module loading**
+   - Cached state getters that return `null`/`undefined` before the module is initialized — code that checks the cached value before triggering initialization will get incorrect results. Provide an async initializer or ensure-style function
+   - Re-exporting constants from heavy modules defeats lazy loading — define shared constants in a lightweight module or inline them
+
+   **Data format portability**
+   - Values that cross serialization boundaries (JSON API → database, peer sync) may change format — e.g., arrays in JSON vs specialized string literals in the database. Convert consistently before writing to the target
+
+   **Shell script safety**
+   - Subprocess calls in shell scripts under `set -e` — if the subprocess fails, the script aborts. Check exit status and handle gracefully
+   - When the same data structure is manipulated in both application code and shell-inline scripts, apply identical guards in both places
+
+   **Cross-platform compatibility**
+   - Shell-specific commands (e.g., `sleep`) in Node.js setup/build scripts — use language-native alternatives for portability
 
    **Test coverage**
    - New validation schemas, service functions, or business logic added without corresponding tests — especially when the project already has a test suite covering similar existing code
    - New error paths (404, 400) that are untestable because the service throws generic errors instead of typed/status-coded ones
 
    **Accessibility**
-   - Interactive elements (buttons, toggles, custom controls) missing accessible names, roles, or ARIA states — screen readers can't interpret unnamed buttons or div-based toggles
-   - Custom toggle/switch UI built from `<button>` or `<div>` instead of native `<input type="checkbox">` with appropriate labeling
+   - Interactive elements (buttons, toggles, custom controls) missing accessible names, roles, or ARIA states
+   - Custom toggle/switch UI built from `<button>` or `<div>` instead of native inputs with appropriate labeling
 
    **Configuration & hardcoding**
-   - Hardcoded values (usernames, org names, limits) when a config field or env var already exists for that purpose — use the existing config
+   - Hardcoded values (usernames, org names, limits) when a config field or env var already exists for that purpose
    - Dead config fields that nothing reads — either wire them up or remove them
+   - Duplicated config/constants across modules — extract to a single shared module to prevent drift (watch for circular imports when choosing the shared location)
 
    **Style & conventions**
    - Naming and patterns consistent with the rest of the codebase

package/lib/copilot-review-loop.md

@@ -17,14 +17,16 @@ After the PR is created, run the Copilot review-and-fix loop:
      gh api graphql -f query='{ repository(owner: "OWNER", name: "REPO") { pullRequest(number: PR_NUM) { reviews(last: 3) { nodes { state body author { login } submittedAt } } reviewThreads(first: 100) { nodes { id isResolved comments(first: 3) { nodes { body path line author { login } } } } } } } }'
      ```
    - The review is complete when a new Copilot review node appears with a `submittedAt` after your latest push
+   - **Error detection**: After a review appears, check the review `body` for error text such as "Copilot encountered an error" or "unable to review this pull request". If the review body contains this error, it is NOT a successful review — re-request the review (step 1) and resume polling. Log a warning so the user knows a retry occurred. Apply a maximum of 3 error retries before asking the user whether to continue waiting or skip.
    - **Do NOT proceed until the re-requested review has actually posted** — "Awaiting requested review" means it is still in progress
-   - Poll every 60 seconds; Copilot reviews can take **10-15 minutes** for large diffs — do NOT give up early
-   - **Continue polling for at least 15 minutes** before concluding the review won't arrive
-   - If no review appears after 15 minutes, **ask the user** whether to continue waiting, re-request the review, or skip — **never proceed without user approval when the review loop fails**
+   - **Dynamic poll timing**: Before your first poll, check how long the most recent Copilot review on this PR took by comparing its `submittedAt` to the previous review's `submittedAt` (or to the PR creation time if it was the first review). Use that duration as your expected wait time. If no prior review exists, default to 5 minutes. Set poll interval to 60 seconds and max wait to **2x the expected duration** (minimum 5 minutes, maximum 20 minutes).
+   - Copilot reviews can take **10-15 minutes** for large diffs — do NOT give up early
+   - If no review appears after the max wait time, **ask the user** whether to continue waiting, re-request the review, or skip — **never proceed without user approval when the review loop fails**
    - If the review request silently disappears (reviewRequests becomes empty without a review being posted), re-request the review once and resume polling
 
 3. **Check for unresolved comments**
    - Filter review threads for `isResolved: false`
+   - **First, verify the review was successful**: check that the latest Copilot review body does NOT contain "Copilot encountered an error" or "unable to review". If it does, this is an error response — go back to step 1 (re-request) instead of proceeding. This check is critical because error reviews have no comments and no unresolved threads, making them look identical to a clean review.
    - Also count the total comments in the latest review (check the review body for "generated N comments")
    - If the latest review has **zero comments** (body says "generated 0 comments" or no unresolved threads exist): the PR is clean — exit the loop
    - If **there are unresolved comments**: proceed to fix them (step 4)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "slash-do",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Curated slash commands for AI coding assistants — Claude Code, OpenCode, Gemini CLI, and Codex",
   "author": "Adam Eivy <adam@eivy.com>",
   "license": "MIT",
@@ -35,7 +35,10 @@
     "install.sh",
     "uninstall.sh"
   ],
+  "scripts": {
+    "test": "node --test test/*.test.js"
+  },
   "engines": {
-    "node": ">=16.7.0"
+    "node": ">=18.0.0"
   }
 }

package/src/environments.js

@@ -12,6 +12,7 @@ const ENVIRONMENTS = {
     commandsDir: path.join(HOME, '.claude', 'commands'),
     libDir: path.join(HOME, '.claude', 'lib'),
     hooksDir: path.join(HOME, '.claude', 'hooks'),
+    settingsFile: path.join(HOME, '.claude', 'settings.json'),
     versionFile: path.join(HOME, '.claude', '.slashdo-version'),
     format: 'yaml-frontmatter',
     ext: '.md',
@@ -19,6 +20,7 @@ const ENVIRONMENTS = {
     libPathPrefix: '~/.claude/lib/',
     supportsHooks: true,
     supportsCatInclusion: true,
+    supportsTeams: true,
   },
   opencode: {
     name: 'OpenCode',
@@ -32,6 +34,7 @@ const ENVIRONMENTS = {
     libPathPrefix: '~/.config/opencode/lib/',
     supportsHooks: false,
     supportsCatInclusion: true,
+    supportsTeams: false,
   },
   gemini: {
     name: 'Gemini CLI',
@@ -45,6 +48,7 @@ const ENVIRONMENTS = {
     libPathPrefix: '~/.gemini/lib/',
     supportsHooks: false,
     supportsCatInclusion: true,
+    supportsTeams: false,
   },
   codex: {
     name: 'Codex',
@@ -58,6 +62,7 @@ const ENVIRONMENTS = {
     libPathPrefix: null,
     supportsHooks: false,
     supportsCatInclusion: false,
+    supportsTeams: false,
   },
 };
 

package/src/installer.js

@@ -43,7 +43,7 @@ function collectHooks(hooksDir) {
   const files = [];
   const entries = fs.readdirSync(hooksDir, { withFileTypes: true });
   for (const entry of entries) {
-    if (entry.isFile() && entry.name.endsWith('.md')) {
+    if (entry.isFile() && (entry.name.endsWith('.md') || entry.name.endsWith('.js'))) {
       files.push({
         relPath: entry.name,
         absPath: path.join(hooksDir, entry.name),
@@ -68,6 +68,164 @@ const RENAMED_COMMANDS = {
   'optimize-md': 'omd',
 };
 
+// Old hooks to remove during install/uninstall (superseded or no longer needed)
+const OBSOLETE_HOOKS = [
+  'update-check.md',
+];
+
+function registerHooksInSettings(env, hookFiles, dryRun) {
+  if (!env.settingsFile) return [];
+
+  const actions = [];
+  const settingsPath = env.settingsFile;
+
+  let settings = {};
+  if (fs.existsSync(settingsPath)) {
+    try {
+      settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
+    } catch (e) {
+      // Corrupted settings.json — skip registration to avoid data loss
+      actions.push({ name: 'settings.json', status: 'skipped (parse error)' });
+      return actions;
+    }
+  }
+
+  let modified = false;
+
+  // Register SessionStart hook for slashdo-check-update.js
+  const updateCheckHook = hookFiles.find(h => h.name === 'slashdo-check-update.js');
+  if (updateCheckHook) {
+    const hookCommand = `node "${path.join(env.hooksDir, updateCheckHook.name)}"`;
+
+    if (!settings.hooks) {
+      settings.hooks = {};
+    } else if (typeof settings.hooks !== 'object' || Array.isArray(settings.hooks)) {
+      actions.push({ name: 'settings/hooks', status: 'skipped (unexpected shape)' });
+      return actions;
+    }
+
+    // If SessionStart exists but isn't an array, skip hook registration (but continue to statusLine)
+    if (Object.prototype.hasOwnProperty.call(settings.hooks, 'SessionStart') &&
+      !Array.isArray(settings.hooks.SessionStart)) {
+      actions.push({ name: 'settings/SessionStart hook', status: 'skipped (unexpected shape)' });
+    } else {
+      if (!Array.isArray(settings.hooks.SessionStart)) settings.hooks.SessionStart = [];
+
+      const alreadyRegistered = settings.hooks.SessionStart.some(group =>
+        group &&
+        typeof group === 'object' &&
+        Array.isArray(group.hooks) &&
+        group.hooks.some(h => typeof h?.command === 'string' && h.command.includes('slashdo-check-update'))
+      );
+
+      if (!alreadyRegistered) {
+        if (settings.hooks.SessionStart.length > 0) {
+          let firstGroup = settings.hooks.SessionStart[0];
+          if (!firstGroup || typeof firstGroup !== 'object') {
+            firstGroup = { hooks: [] };
+            settings.hooks.SessionStart[0] = firstGroup;
+          }
+          if (!Array.isArray(firstGroup.hooks)) firstGroup.hooks = [];
+          firstGroup.hooks.push({
+            type: 'command',
+            command: hookCommand,
+          });
+        } else {
+          settings.hooks.SessionStart.push({
+            hooks: [{
+              type: 'command',
+              command: hookCommand,
+            }],
+          });
+        }
+        modified = true;
+        actions.push({ name: 'settings/SessionStart hook', status: dryRun ? 'would register' : 'registered' });
+      } else {
+        actions.push({ name: 'settings/SessionStart hook', status: 'already registered' });
+      }
+    }
+  }
+
+  // Configure statusline only if none exists
+  const statuslineHook = hookFiles.find(h => h.name === 'slashdo-statusline.js');
+  if (statuslineHook && !settings.statusLine) {
+    const statuslineCommand = `node "${path.join(env.hooksDir, statuslineHook.name)}"`;
+    settings.statusLine = {
+      type: 'command',
+      command: statuslineCommand,
+    };
+    modified = true;
+    actions.push({ name: 'settings/statusLine', status: dryRun ? 'would configure' : 'configured' });
+  } else if (statuslineHook && settings.statusLine) {
+    actions.push({ name: 'settings/statusLine', status: 'existing statusline preserved' });
+  }
+
+  if (!dryRun && modified) {
+    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n', 'utf8');
+  }
+
+  return actions;
+}
+
+function deregisterHooksFromSettings(env, dryRun) {
+  if (!env.settingsFile) return [];
+
+  const settingsPath = env.settingsFile;
+  if (!fs.existsSync(settingsPath)) return [];
+
+  const actions = [];
+  let settings;
+  try {
+    settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
+  } catch (e) {
+    // Corrupted settings.json — skip deregistration to avoid data loss
+    actions.push({ name: 'settings.json', status: 'skipped (parse error)' });
+    return actions;
+  }
+  let modified = false;
+
+  // Remove SessionStart hook entries referencing slashdo
+  if (Array.isArray(settings.hooks?.SessionStart)) {
+    const emptiedByUs = new Set();
+    for (let i = 0; i < settings.hooks.SessionStart.length; i++) {
+      const group = settings.hooks.SessionStart[i];
+      if (!group || typeof group !== 'object') continue;
+      if (Array.isArray(group.hooks)) {
+        const before = group.hooks.length;
+        group.hooks = group.hooks.filter(h =>
+          !h || typeof h !== 'object' || typeof h.command !== 'string' || !h.command.includes('slashdo-check-update')
+        );
+        if (group.hooks.length < before) {
+          modified = true;
+          actions.push({ name: 'settings/SessionStart hook', status: dryRun ? 'would deregister' : 'deregistered' });
+          if (group.hooks.length === 0) emptiedByUs.add(i);
+        }
+      }
+    }
+    // Only remove groups that became empty as a result of removing slashdo entries
+    settings.hooks.SessionStart = settings.hooks.SessionStart.filter((_, i) => !emptiedByUs.has(i));
+    if (settings.hooks.SessionStart.length === 0) {
+      delete settings.hooks.SessionStart;
+    }
+    if (Object.keys(settings.hooks).length === 0) {
+      delete settings.hooks;
+    }
+  }
+
+  // Remove statusline if it references slashdo-statusline
+  if (settings.statusLine?.command?.includes('slashdo-statusline')) {
+    delete settings.statusLine;
+    modified = true;
+    actions.push({ name: 'settings/statusLine', status: dryRun ? 'would remove' : 'removed' });
+  }
+
+  if (!dryRun && modified) {
+    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n', 'utf8');
+  }
+
+  return actions;
+}
+
 function install({ env, packageDir, filterNames, dryRun, uninstall }) {
   const commandsDir = path.join(packageDir, 'commands');
   const libDir = path.join(packageDir, 'lib');
@@ -83,7 +241,7 @@ function install({ env, packageDir, filterNames, dryRun, uninstall }) {
   const results = { installed: 0, updated: 0, upToDate: 0, removed: 0, actions: [] };
 
   if (uninstall) {
-    return doUninstall(filtered, libFiles, hookFiles, env, results, dryRun);
+    return doUninstall(filtered, libFiles, hookFiles, env, results, dryRun, filterNames);
   }
 
   for (const cmd of filtered) {
@@ -181,8 +339,15 @@ function install({ env, packageDir, filterNames, dryRun, uninstall }) {
       if (isNew) results.installed++;
       else results.updated++;
     }
+
+    // Register hooks in settings.json (only for full installs, not filtered command installs)
+    if (!filterNames?.length) {
+      const settingsActions = registerHooksInSettings(env, hookFiles, dryRun);
+      results.actions.push(...settingsActions);
+    }
   }
 
+  // Clean up renamed commands
   for (const [oldName, newName] of Object.entries(RENAMED_COMMANDS)) {
     const oldRelPath = path.join('do', oldName + '.md');
     const oldTargetRel = getTargetFilename(oldRelPath, env);
@@ -198,6 +363,23 @@ function install({ env, packageDir, filterNames, dryRun, uninstall }) {
     }
   }
 
+  // Clean up obsolete hooks from prior versions
+  if (env.supportsHooks && env.hooksDir) {
+    for (const oldName of OBSOLETE_HOOKS) {
+      const oldTargetPath = path.join(env.hooksDir, oldName);
+
+      if (fs.existsSync(oldTargetPath)) {
+        if (dryRun) {
+          results.actions.push({ name: `hook/${oldName}`, status: 'would remove (obsolete)' });
+        } else {
+          fs.unlinkSync(oldTargetPath);
+          results.actions.push({ name: `hook/${oldName}`, status: 'removed (obsolete)' });
+        }
+        results.removed++;
+      }
+    }
+  }
+
   if (!dryRun && env.versionFile) {
     const pkg = JSON.parse(fs.readFileSync(path.join(packageDir, 'package.json'), 'utf8'));
     fs.writeFileSync(env.versionFile, pkg.version, 'utf8');
@@ -206,7 +388,7 @@ function install({ env, packageDir, filterNames, dryRun, uninstall }) {
   return results;
 }
 
-function doUninstall(commands, libFiles, hookFiles, env, results, dryRun) {
+function doUninstall(commands, libFiles, hookFiles, env, results, dryRun, filterNames) {
   for (const cmd of commands) {
     const targetRel = getTargetFilename(cmd.relPath, env);
     const targetPath = path.join(env.commandsDir, targetRel);
@@ -237,7 +419,7 @@ function doUninstall(commands, libFiles, hookFiles, env, results, dryRun) {
     }
   }
 
-  if (env.supportsHooks && env.hooksDir) {
+  if (env.supportsHooks && env.hooksDir && !filterNames?.length) {
     for (const hook of hookFiles) {
       const targetPath = path.join(env.hooksDir, hook.relPath);
       if (!fs.existsSync(targetPath)) continue;
@@ -250,6 +432,35 @@ function doUninstall(commands, libFiles, hookFiles, env, results, dryRun) {
       }
       results.removed++;
     }
+
+    // Clean up obsolete hooks that may have been installed by prior versions
+    for (const oldName of OBSOLETE_HOOKS) {
+      const oldPath = path.join(env.hooksDir, oldName);
+      if (fs.existsSync(oldPath)) {
+        if (dryRun) {
+          results.actions.push({ name: `hook/${oldName}`, status: 'would remove (obsolete)' });
+        } else {
+          fs.unlinkSync(oldPath);
+          results.actions.push({ name: `hook/${oldName}`, status: 'removed (obsolete)' });
+        }
+        results.removed++;
+      }
+    }
+
+    // Deregister hooks and clean up cache
+    const settingsActions = deregisterHooksFromSettings(env, dryRun);
+    results.actions.push(...settingsActions);
+
+    const cacheFile = path.join(path.dirname(env.hooksDir), 'cache', 'slashdo-update-check.json');
+    if (fs.existsSync(cacheFile)) {
+      if (dryRun) {
+        results.actions.push({ name: 'cache/slashdo-update-check.json', status: 'would remove' });
+      } else {
+        fs.unlinkSync(cacheFile);
+        results.actions.push({ name: 'cache/slashdo-update-check.json', status: 'removed' });
+      }
+      results.removed++;
+    }
   }
 
   if (!dryRun && env.versionFile && fs.existsSync(env.versionFile)) {

package/uninstall.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 # slashdo — curl-based uninstaller
 # Usage: curl -fsSL https://raw.githubusercontent.com/atomantic/slashdo/main/uninstall.sh | bash
+# shellcheck disable=SC2059,SC2207
 set -euo pipefail
 
 CYAN='\033[0;36m'
@@ -32,9 +33,14 @@ LIBS=(
   code-review-checklist copilot-review-loop graphql-escaping
 )
 
+HOOKS=(slashdo-check-update slashdo-statusline)
+
+OLD_HOOKS=(update-check)
+
 uninstall_claude() {
   local target_cmd="$HOME/.claude/commands/do"
   local target_lib="$HOME/.claude/lib"
+  local target_hooks="$HOME/.claude/hooks"
   local count=0
 
   printf "  Uninstalling from ${GREEN}Claude Code${RESET}...\n"
@@ -55,8 +61,93 @@ uninstall_claude() {
     fi
   done
 
+  for hook in "${HOOKS[@]}"; do
+    if [ -f "$target_hooks/$hook.js" ]; then
+      rm -f "$target_hooks/$hook.js"
+      printf "    removed: hook/%-17s${GREEN}ok${RESET}\n" "$hook.js"
+      count=$((count + 1))
+    fi
+  done
+
+  for old in "${OLD_HOOKS[@]}"; do
+    if [ -f "$target_hooks/$old.md" ]; then
+      rm -f "$target_hooks/$old.md"
+      printf "    removed: hook/%-17s${GREEN}ok${RESET}\n" "$old.md"
+      count=$((count + 1))
+    fi
+  done
+
+  # Remove cache file
+  if [ -f "$HOME/.claude/cache/slashdo-update-check.json" ]; then
+    rm -f "$HOME/.claude/cache/slashdo-update-check.json"
+    printf "    removed: cache/slashdo-update-check.json ${GREEN}ok${RESET}\n"
+    count=$((count + 1))
+  fi
+
   if [ -f "$HOME/.claude/.slashdo-version" ]; then
     rm -f "$HOME/.claude/.slashdo-version"
+    printf "    removed: .slashdo-version        ${GREEN}ok${RESET}\n"
+    count=$((count + 1))
+  fi
+
+  # Deregister from settings.json (requires Node.js)
+  if command -v node &>/dev/null; then
+    if node -e '
+      const fs = require("fs");
+      const path = require("path");
+      const home = require("os").homedir();
+      const settingsPath = path.join(home, ".claude", "settings.json");
+
+      if (!fs.existsSync(settingsPath)) process.exit(0);
+
+      let settings;
+      try {
+        settings = JSON.parse(fs.readFileSync(settingsPath, "utf8"));
+      } catch (e) {
+        process.stdout.write("    skipped settings.json deregistration (parse error)\n");
+        process.exit(0);
+      }
+      let modified = false;
+
+      if (settings.hooks && Array.isArray(settings.hooks.SessionStart)) {
+        var emptiedByUs = {};
+        for (var i = 0; i < settings.hooks.SessionStart.length; i++) {
+          var group = settings.hooks.SessionStart[i];
+          if (!group || typeof group !== "object") continue;
+          if (Array.isArray(group.hooks)) {
+            var before = group.hooks.length;
+            group.hooks = group.hooks.filter(function(h) {
+              if (!h || typeof h !== "object") return true;
+              return typeof h.command !== "string" || h.command.indexOf("slashdo-check-update") === -1;
+            });
+            if (group.hooks.length < before) {
+              modified = true;
+              if (group.hooks.length === 0) emptiedByUs[i] = true;
+            }
+          }
+        }
+        settings.hooks.SessionStart = settings.hooks.SessionStart.filter(function(g, i) {
+          return !emptiedByUs[i];
+        });
+        if (settings.hooks.SessionStart.length === 0) delete settings.hooks.SessionStart;
+        if (Object.keys(settings.hooks).length === 0) delete settings.hooks;
+      }
+
+      if (settings.statusLine && settings.statusLine.command &&
+          settings.statusLine.command.indexOf("slashdo-statusline") !== -1) {
+        delete settings.statusLine;
+        modified = true;
+      }
+
+      if (modified) {
+        fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + "\n");
+        process.stdout.write("    deregistered from settings.json\n");
+      }
+    '; then
+      : # deregistration handled inside node
+    else
+      printf "    ${YELLOW}settings.json deregistration failed${RESET}\n"
+    fi
   fi
 
   if [ $count -eq 0 ]; then

package/hooks/update-check.md

@@ -1,21 +0,0 @@
----
-description: Check for slashdo updates on session start
-hooks:
-  - event: SessionStart
----
-
-# slashdo Update Check
-
-Check if a newer version of slashdo is available.
-
-## Steps
-
-1. Read the installed version from `~/.claude/.slashdo-version`
-2. If the file doesn't exist, skip silently (slashdo may not be installed)
-3. Run `npm view slash-do version` with a 3-second timeout
-4. Compare versions
-5. If the latest version is newer than the installed version, print:
-   ```
-   slashdo update available: v{installed} -> v{latest} (run /do:update)
-   ```
-6. If up to date or if the check fails (network error, timeout), do nothing — don't interrupt the user's session