start-vibing 1.1.1

package/template/.claude/hooks/security-check.js

@@ -0,0 +1,202 @@
+/**
+ * Hook de Seguranca Pre-Tool
+ *
+ * Este hook e executado ANTES de qualquer ferramenta ser chamada.
+ * Sua funcao e bloquear acoes potencialmente perigosas.
+ *
+ * Baseado em: OpenSSF Security Guide for AI Code Assistants
+ * https://best.openssf.org/Security-Focused-Guide-for-AI-Code-Assistant-Instructions
+ */
+
+// Padroes perigosos que devem ser bloqueados
+const DANGEROUS_PATTERNS = {
+	// Comandos destrutivos
+	commands: [
+		/rm\s+-rf\s+[\/~]/i, // rm -rf com path perigoso
+		/rm\s+-rf\s+\*/i, // rm -rf *
+		/sudo\s+rm/i, // sudo rm
+		/mkfs/i, // formatar disco
+		/dd\s+if=/i, // dd (pode destruir dados)
+		/>\s*\/dev\//i, // escrever em devices
+		/chmod\s+777/i, // permissoes muito abertas
+		/curl.*\|\s*(ba)?sh/i, // curl pipe to shell
+		/wget.*\|\s*(ba)?sh/i, // wget pipe to shell
+	],
+
+	// Padroes de codigo inseguro
+	code: [
+		/eval\s*\(/i, // eval()
+		/new\s+Function\s*\(/i, // new Function()
+		/innerHTML\s*=/i, // innerHTML assignment (XSS)
+		/document\.write\s*\(/i, // document.write (XSS)
+		/dangerouslySetInnerHTML/i, // React dangerous prop
+		/\$\{.*\}\s*\)/i, // Template injection em queries
+	],
+
+	// Exposicao de dados sensiveis
+	sensitive: [
+		/password\s*[:=]/i, // Senha hardcoded
+		/api[_-]?key\s*[:=]/i, // API key hardcoded
+		/secret\s*[:=]/i, // Secret hardcoded
+		/private[_-]?key/i, // Private key
+		/BEGIN\s+(RSA|DSA|EC)\s+PRIVATE/i, // Chave privada PEM
+	],
+
+	// Patterns especificos do projeto
+	project: [
+		/userId.*req\.body/i, // userId do request body
+		/userId.*input\./i, // userId do input tRPC
+		/findById\(.*input/i, // Query sem validacao de owner
+		/z\.any\(\)/i, // Zod any (sem validacao)
+	],
+};
+
+// Arquivos que nao devem ser modificados
+const PROTECTED_FILES = ['.env', '.env.local', '.env.production', '.env.development', 'bun.lockb'];
+
+// Diretorios que nao devem ser acessados
+const PROTECTED_DIRS = ['/etc', '/var', '/usr', '/root', '/home', 'node_modules', '.git/objects'];
+
+/**
+ * Verifica se um comando/codigo contem padroes perigosos
+ * @param {string} content - Conteudo a verificar
+ * @param {string} category - Categoria de padroes
+ * @returns {Object} - { blocked: boolean, reason: string }
+ */
+function checkDangerousPatterns(content, category) {
+	const patterns = DANGEROUS_PATTERNS[category] || [];
+
+	for (const pattern of patterns) {
+		if (pattern.test(content)) {
+			return {
+				blocked: true,
+				reason: `Padrao perigoso detectado: ${pattern.toString()}`,
+				category,
+			};
+		}
+	}
+
+	return { blocked: false };
+}
+
+/**
+ * Verifica se um arquivo e protegido
+ * @param {string} filePath - Caminho do arquivo
+ * @returns {boolean}
+ */
+function isProtectedFile(filePath) {
+	return PROTECTED_FILES.some(
+		(protected) => filePath.endsWith(protected) || filePath.includes(protected)
+	);
+}
+
+/**
+ * Verifica se um diretorio e protegido
+ * @param {string} dirPath - Caminho do diretorio
+ * @returns {boolean}
+ */
+function isProtectedDir(dirPath) {
+	return PROTECTED_DIRS.some(
+		(protected) => dirPath.startsWith(protected) || dirPath.includes(protected)
+	);
+}
+
+/**
+ * Hook principal - executado antes de cada tool call
+ * @param {Object} toolCall - Dados da chamada de ferramenta
+ * @returns {Object} - { allowed: boolean, reason?: string }
+ */
+function preToolHook(toolCall) {
+	const { name, args } = toolCall;
+
+	// Verificar comandos bash
+	if (name === 'bash' && args.command) {
+		const result = checkDangerousPatterns(args.command, 'commands');
+		if (result.blocked) {
+			return {
+				allowed: false,
+				reason: `Comando bloqueado: ${result.reason}`,
+			};
+		}
+	}
+
+	// Verificar escrita de arquivos
+	if (['file_write', 'file_edit'].includes(name)) {
+		// Verificar arquivo protegido
+		if (args.path && isProtectedFile(args.path)) {
+			return {
+				allowed: false,
+				reason: `Arquivo protegido: ${args.path}`,
+			};
+		}
+
+		// Verificar conteudo perigoso
+		if (args.content) {
+			const codeResult = checkDangerousPatterns(args.content, 'code');
+			if (codeResult.blocked) {
+				return {
+					allowed: false,
+					reason: `Codigo inseguro: ${codeResult.reason}`,
+				};
+			}
+
+			const sensitiveResult = checkDangerousPatterns(args.content, 'sensitive');
+			if (sensitiveResult.blocked) {
+				return {
+					allowed: false,
+					reason: `Dados sensiveis detectados: ${sensitiveResult.reason}`,
+				};
+			}
+
+			const projectResult = checkDangerousPatterns(args.content, 'project');
+			if (projectResult.blocked) {
+				return {
+					allowed: false,
+					reason: `Violacao de regra do projeto: ${projectResult.reason}`,
+				};
+			}
+		}
+	}
+
+	// Verificar leitura de diretorios protegidos
+	if (name === 'file_read' && args.path) {
+		if (isProtectedDir(args.path)) {
+			return {
+				allowed: false,
+				reason: `Diretorio protegido: ${args.path}`,
+			};
+		}
+	}
+
+	// Permitir por padrao
+	return { allowed: true };
+}
+
+/**
+ * Log de seguranca para auditoria
+ * @param {string} action - Acao tomada
+ * @param {Object} details - Detalhes
+ */
+function logSecurityEvent(action, details) {
+	const timestamp = new Date().toISOString();
+	const logEntry = {
+		timestamp,
+		action,
+		...details,
+	};
+
+	// Em producao, enviar para sistema de logging
+	console.log('[SECURITY]', JSON.stringify(logEntry));
+}
+
+// Exportar para uso pelo SDK
+module.exports = {
+	preToolHook,
+	checkDangerousPatterns,
+	isProtectedFile,
+	isProtectedDir,
+	logSecurityEvent,
+	DANGEROUS_PATTERNS,
+	PROTECTED_FILES,
+	PROTECTED_DIRS,
+};

package/template/.claude/hooks/stop-validation.py

@@ -0,0 +1,155 @@
+#!/usr/bin/env python3
+"""
+Stop Hook - Workflow Validation Before Stopping
+
+This hook validates that the workflow was properly executed before
+allowing Claude to stop. If validation fails, Claude is forced to continue.
+
+Exit codes:
+- 0: Allow stop (or output JSON to block)
+"""
+
+import json
+import sys
+import os
+from pathlib import Path
+
+PROJECT_DIR = os.environ.get('CLAUDE_PROJECT_DIR', os.getcwd())
+WORKFLOW_STATE_PATH = Path(PROJECT_DIR) / '.claude' / 'workflow-state.json'
+
+
+def load_workflow_state():
+    """Load current workflow state"""
+    if not WORKFLOW_STATE_PATH.exists():
+        return None
+    try:
+        with open(WORKFLOW_STATE_PATH) as f:
+            return json.load(f)
+    except (json.JSONDecodeError, IOError):
+        return None
+
+
+def validate_workflow(state: dict) -> tuple[bool, list[str]]:
+    """Validate workflow completion"""
+    issues = []
+
+    if not state or not state.get('currentTask'):
+        # No task, allow stop
+        return True, []
+
+    task = state['currentTask']
+    task_type = task.get('type', 'feature')
+    agents = task.get('agents', {})
+    modified_files = task.get('modifiedFiles', [])
+
+    # Skip validation for research/config tasks
+    if task_type in ['research', 'config']:
+        return True, []
+
+    # Check required agents executed
+    required_agents = {
+        'feature': ['orchestrator', 'analyzer', 'research', 'tester', 'securityAuditor', 'qualityChecker', 'finalValidator', 'domainUpdater'],
+        'fix': ['analyzer', 'research', 'tester', 'securityAuditor', 'qualityChecker', 'finalValidator', 'domainUpdater'],
+        'refactor': ['analyzer', 'tester', 'qualityChecker', 'finalValidator', 'domainUpdater'],
+    }
+
+    for agent in required_agents.get(task_type, []):
+        agent_status = agents.get(agent, {})
+        if not agent_status.get('executed'):
+            issues.append(f"Agent '{agent}' has not executed")
+        elif agent_status.get('result') == 'vetoed':
+            issues.append(f"Agent '{agent}' VETOED - must resolve before stopping")
+
+    # Check if files were modified without tests
+    if modified_files and task_type in ['feature', 'fix']:
+        tests_created = task.get('testsCreated', [])
+        # Exclude: tests, specs, docs, markdown, and .claude config files
+        source_files = [m for m in modified_files if not any(
+            p in m['path'].lower() for p in ['test', 'spec', '.md', 'docs/', '.claude/']
+        )]
+
+        if source_files and not tests_created:
+            issues.append(f"Modified {len(source_files)} source file(s) but no tests created")
+
+    # Check documentation (skip for .claude config files)
+    if modified_files and task_type == 'feature':
+        non_config_files = [m for m in modified_files if '.claude/' not in m['path']]
+        if non_config_files:
+            docs_updated = task.get('docsUpdated', [])
+            if not docs_updated:
+                issues.append("No documentation updated for feature")
+
+    # Check quality gates
+    quality = task.get('qualityGates', {})
+    for gate in ['typecheck', 'lint', 'build']:
+        gate_result = quality.get(gate, {})
+        if gate_result and not gate_result.get('passed'):
+            issues.append(f"Quality gate '{gate}' failed")
+
+    # Check security audit
+    security = task.get('securityAudit', {})
+    if security.get('result') == 'vetoed':
+        issues.append("Security audit VETOED - must resolve vulnerabilities")
+
+    # Check final validation
+    final = task.get('finalValidation', {})
+    if final.get('executed') and not final.get('readyToCommit'):
+        issues.append("Final validation not approved for commit")
+
+    # Check domain-updater (critical for knowledge retention)
+    domain_updater = agents.get('domainUpdater', {})
+    if modified_files and not domain_updater.get('executed'):
+        issues.append("Domain updater has not run - domains must be updated with session learnings")
+
+    # Check commit-manager (critical for persisting changes - FINAL step)
+    commit_manager = agents.get('commitManager', {})
+    if domain_updater.get('executed') and not commit_manager.get('executed'):
+        issues.append("Commit-manager has not run - changes must be committed before session ends")
+
+    return len(issues) == 0, issues
+
+
+def main():
+    # Read hook input
+    try:
+        hook_input = json.load(sys.stdin)
+    except json.JSONDecodeError:
+        sys.exit(0)
+
+    # Load state
+    state = load_workflow_state()
+
+    # Validate
+    is_valid, issues = validate_workflow(state)
+
+    if is_valid:
+        # Allow stop
+        sys.exit(0)
+    else:
+        # Block stop and force continuation
+        output = {
+            "decision": "block",
+            "reason": f"""WORKFLOW INCOMPLETE - Cannot stop yet.
+
+Issues found:
+{chr(10).join(f'  ❌ {issue}' for issue in issues)}
+
+You must complete these steps before stopping:
+1. Execute all required agents
+2. Resolve any VETOs
+3. Create tests for modified files
+4. Update documentation
+5. Pass all quality gates
+6. Get final validation approval
+7. Run domain-updater to update domains with session learnings
+8. Run commit-manager to commit changes (FINAL step)
+
+Resume the workflow to address these issues."""
+        }
+
+        print(json.dumps(output))
+        sys.exit(0)
+
+
+if __name__ == '__main__':
+    main()

package/template/.claude/hooks/user-prompt-submit.py

@@ -0,0 +1,277 @@
+#!/usr/bin/env python3
+"""
+UserPromptSubmit Hook - Agent Selection Enforcement
+
+This hook runs BEFORE Claude processes any user prompt and:
+1. Lists all available agents
+2. Analyzes the prompt to suggest the best agent
+3. Reminds Claude to follow the workflow strictly
+4. Prevents over-engineering and redundant file creation
+
+Output is sent to Claude as context before processing the user's request.
+
+Based on official Claude Code documentation:
+https://code.claude.com/docs/en/hooks.md
+"""
+
+import json
+import sys
+import os
+import re
+from pathlib import Path
+
+PROJECT_DIR = os.environ.get('CLAUDE_PROJECT_DIR', os.getcwd())
+WORKFLOW_STATE_PATH = Path(PROJECT_DIR) / '.claude' / 'workflow-state.json'
+SETTINGS_PATH = Path(PROJECT_DIR) / '.claude' / 'settings.json'
+
+# Agent definitions with triggers
+AGENTS = {
+    'orchestrator': {
+        'description': 'Coordinates entire development flow',
+        'triggers': ['implement feature', 'build', 'create', 'fix and test', 'full workflow', 'multi-step'],
+        'priority': 1,
+        'when': 'Task requires >2 agents or touches >3 files'
+    },
+    'analyzer': {
+        'description': 'Analyzes impact before code modification',
+        'triggers': ['implement', 'add feature', 'fix bug', 'refactor', 'change', 'modify', 'update code'],
+        'priority': 2,
+        'when': 'BEFORE any Edit/Write to source files'
+    },
+    'research': {
+        'description': 'Researches best practices and recent solutions (2024-2025)',
+        'triggers': ['research', 'investigate', 'study', 'best practice', 'how to', 'pattern'],
+        'priority': 3,
+        'when': 'AFTER analyzer - finds best practices before implementation'
+    },
+    'ui-ux-reviewer': {
+        'description': 'Reviews UI/UX and researches competitors',
+        'triggers': ['ui', 'component', 'page', 'design', 'layout', 'style', 'responsive', 'frontend'],
+        'priority': 3,
+        'when': 'Files in components/, app/, or .tsx with JSX'
+    },
+    'documenter': {
+        'description': 'Creates and maintains documentation',
+        'triggers': ['document', 'readme', 'docs', 'explain'],
+        'priority': 4,
+        'when': 'After code implementation completes'
+    },
+    'tester': {
+        'description': 'Creates unit tests (Vitest) and E2E tests (Playwright)',
+        'triggers': ['test', 'coverage', 'spec', 'e2e'],
+        'priority': 5,
+        'when': 'After any code implementation'
+    },
+    'security-auditor': {
+        'description': 'Audits security (CAN VETO)',
+        'triggers': ['auth', 'session', 'password', 'token', 'api', 'database', 'user data', 'security'],
+        'priority': 6,
+        'when': 'Code touches auth/, api/, server/, or sensitive data',
+        'can_veto': True
+    },
+    'quality-checker': {
+        'description': 'Runs typecheck, lint, test, build',
+        'triggers': ['check', 'verify', 'validate', 'run tests', 'quality'],
+        'priority': 7,
+        'when': 'After implementation and tests complete'
+    },
+    'final-validator': {
+        'description': 'Final validation before commit (CAN VETO)',
+        'triggers': ['final', 'commit ready', 'approve'],
+        'priority': 8,
+        'when': 'Before any commit operation',
+        'can_veto': True
+    },
+    'commit-manager': {
+        'description': 'Creates conventional commits and completes workflow',
+        'triggers': ['commit', 'save changes', 'push', 'finalize', 'git'],
+        'priority': 10,
+        'when': 'FINAL step - after domain-updater, runs complete-task'
+    },
+    'domain-updater': {
+        'description': 'Updates domain knowledge with session learnings',
+        'triggers': ['update domain', 'document learnings', 'session end'],
+        'priority': 9,
+        'when': 'BEFORE commit-manager - updates domains so git stays clean'
+    }
+}
+
+# Workflow sequences (research after analyzer, domain-updater BEFORE commit-manager for clean git)
+WORKFLOWS = {
+    'feature': ['analyzer', 'research', 'ui-ux-reviewer', 'documenter', 'tester', 'security-auditor', 'quality-checker', 'final-validator', 'domain-updater', 'commit-manager'],
+    'fix': ['analyzer', 'research', 'tester', 'security-auditor', 'quality-checker', 'final-validator', 'domain-updater', 'commit-manager'],
+    'refactor': ['analyzer', 'tester', 'quality-checker', 'final-validator', 'domain-updater', 'commit-manager'],
+    'config': ['quality-checker', 'domain-updater', 'commit-manager']
+}
+
+
+def load_workflow_state():
+    """Load current workflow state"""
+    if not WORKFLOW_STATE_PATH.exists():
+        return None
+    try:
+        with open(WORKFLOW_STATE_PATH) as f:
+            return json.load(f)
+    except (json.JSONDecodeError, IOError):
+        return None
+
+
+def detect_task_type(prompt: str) -> str:
+    """Detect task type from prompt"""
+    prompt_lower = prompt.lower()
+
+    if any(word in prompt_lower for word in ['bug', 'fix', 'error', 'broken', 'not working', 'issue']):
+        return 'fix'
+    elif any(word in prompt_lower for word in ['refactor', 'restructure', 'reorganize', 'clean up']):
+        return 'refactor'
+    elif any(word in prompt_lower for word in ['config', 'setting', 'env', 'package.json', 'tsconfig']):
+        return 'config'
+    else:
+        return 'feature'
+
+
+def detect_best_agent(prompt: str) -> tuple[str, str]:
+    """Detect best agent for the task"""
+    prompt_lower = prompt.lower()
+
+    # Check for multi-step tasks first
+    multi_step_indicators = ['and then', 'after that', 'also', 'implement', 'build', 'create feature']
+    if any(indicator in prompt_lower for indicator in multi_step_indicators):
+        return 'orchestrator', 'Multi-step task detected - orchestrator will coordinate all agents'
+
+    # Check each agent's triggers
+    matches = []
+    for agent_name, agent_info in AGENTS.items():
+        for trigger in agent_info['triggers']:
+            if trigger in prompt_lower:
+                matches.append((agent_name, agent_info['priority'], trigger))
+
+    if matches:
+        # Sort by priority (lower is better)
+        matches.sort(key=lambda x: x[1])
+        best = matches[0]
+        return best[0], f"Matched trigger '{best[2]}'"
+
+    # Default to orchestrator for unknown tasks
+    return 'orchestrator', 'No specific trigger matched - orchestrator will analyze'
+
+
+def format_agent_list() -> str:
+    """Format agent list for display"""
+    lines = []
+    for name, info in sorted(AGENTS.items(), key=lambda x: x[1]['priority']):
+        veto = ' [CAN VETO]' if info.get('can_veto') else ''
+        lines.append(f"  - {name}: {info['description']}{veto}")
+    return '\n'.join(lines)
+
+
+def format_workflow_status(state: dict) -> str:
+    """Format current workflow status"""
+    if not state or not state.get('currentTask'):
+        return "STATUS: No active task. Start with orchestrator or workflow-manager.py start-task"
+
+    task = state['currentTask']
+    agents = task.get('agents', {})
+
+    executed = [name for name, status in agents.items() if status.get('executed')]
+    pending = [name for name, status in agents.items() if not status.get('executed')]
+
+    return f"""STATUS: Task active
+  ID: {task.get('id', 'unknown')}
+  Type: {task.get('type', 'unknown')}
+  Description: {task.get('description', 'unknown')}
+  Executed: {', '.join(executed) if executed else 'none'}
+  Pending: {', '.join(pending) if pending else 'none'}
+  Approved files: {len(task.get('approvedFiles', []))}"""
+
+
+def main():
+    # Read hook input from stdin
+    try:
+        hook_input = json.load(sys.stdin)
+    except json.JSONDecodeError:
+        hook_input = {}
+
+    # Get user prompt (may not be available in all hook contexts)
+    prompt = hook_input.get('user_prompt', hook_input.get('prompt', ''))
+
+    # Load current state
+    state = load_workflow_state()
+
+    # Detect task type and best agent
+    task_type = detect_task_type(prompt) if prompt else 'unknown'
+    best_agent, reason = detect_best_agent(prompt) if prompt else ('orchestrator', 'Default')
+
+    # Build output message
+    output = f"""
+================================================================================
+WORKFLOW ENFORCEMENT - UserPromptSubmit Hook
+================================================================================
+
+AVAILABLE AGENTS:
+{format_agent_list()}
+
+TASK ANALYSIS:
+  Detected type: {task_type}
+  Recommended agent: {best_agent}
+  Reason: {reason}
+  Workflow sequence: {' -> '.join(WORKFLOWS.get(task_type, WORKFLOWS['feature']))}
+
+{format_workflow_status(state)}
+
+================================================================================
+CRITICAL: INVOKE AGENTS VIA TASK TOOL - NOT MANUALLY
+================================================================================
+
+You MUST use the Task tool with subagent_type to invoke agents.
+DO NOT execute agent logic manually - INVOKE the agent properly.
+
+AGENTS THAT CAN BE INVOKED VIA TASK TOOL:
+  - commit-manager: Use Task(subagent_type="commit-manager", prompt="...")
+  - analyzer: Use Task(subagent_type="analyzer", prompt="...")
+  - tester: Use Task(subagent_type="tester", prompt="...")
+  - security-auditor: Use Task(subagent_type="security-auditor", prompt="...")
+  - quality-checker: Use Task(subagent_type="quality-checker", prompt="...")
+  - final-validator: Use Task(subagent_type="final-validator", prompt="...")
+  - documenter: Use Task(subagent_type="documenter", prompt="...")
+  - ui-ux-reviewer: Use Task(subagent_type="ui-ux-reviewer", prompt="...")
+  - orchestrator: Use Task(subagent_type="orchestrator", prompt="...")
+
+WRONG (manual execution):
+  "Let me create the commit..." then git commands directly
+
+CORRECT (agent invocation):
+  Use Task tool with subagent_type="commit-manager"
+
+================================================================================
+MANDATORY RULES:
+================================================================================
+
+1. I WILL use Task tool to invoke agent: {best_agent}
+2. I WILL NOT execute agent logic manually - ALWAYS invoke via Task tool
+3. I WILL NOT create redundant files
+4. I WILL NOT over-engineer - keep solutions simple and focused
+5. I WILL follow the workflow sequence strictly
+6. I MUST run analyzer BEFORE any Edit/Write to source files
+7. I MUST run commit-manager via Task tool for ALL commits
+8. After commit, I MUST update domains and run complete-task
+
+WORKFLOW COMMANDS (for tracking, not replacement for agents):
+  Start task: python .claude/hooks/workflow-manager.py start-task --type {task_type} --description "..."
+  Approve files: python .claude/hooks/workflow-manager.py approve-files --files "path/to/file"
+
+================================================================================
+"""
+
+    # Return as JSON with decision to continue
+    result = {
+        "continue": True,
+        "systemMessage": output
+    }
+
+    print(json.dumps(result))
+    sys.exit(0)
+
+
+if __name__ == '__main__':
+    main()