start-vibing 3.0.7 → 3.0.8

package/template/.claude/hooks/run-hook.ts

@@ -1,230 +0,0 @@
-#!/usr/bin/env node
-/**
- * Universal Hook Runner
- *
- * Runs hooks with multiple runtime fallbacks:
- * 1. bun (primary - fastest TypeScript execution)
- * 2. npx tsx (TypeScript fallback)
- * 3. python3 (Python fallback)
- * 4. python (Python fallback)
- *
- * IMPORTANT: TypeScript files are the source of truth.
- * Python files are only for environments without Node.js/Bun.
- *
- * Usage: npx tsx run-hook.ts <hook-name>
- * The hook-name should be without extension (e.g., "stop-validator")
- */
-
-import { spawnSync } from 'child_process';
-import { existsSync, unlinkSync } from 'fs';
-import { join, dirname } from 'path';
-import { fileURLToPath } from 'url';
-
-// Get hooks directory - handle both ESM and CJS contexts
-const getHooksDir = (): string => {
-	try {
-		if (typeof import.meta.url !== 'undefined') {
-			return dirname(fileURLToPath(import.meta.url));
-		}
-	} catch {
-		// Fallback for environments where import.meta is not available
-	}
-	return process.cwd();
-};
-
-const HOOKS_DIR = getHooksDir();
-
-/**
- * Remove deprecated settings.local.json if it exists.
- * This file was previously tracked but should not be used anymore.
- * All hooks should use the universal runner via settings.json.
- */
-function cleanupDeprecatedFiles(): void {
-	const claudeDir = join(HOOKS_DIR, '..');
-	const settingsLocalPath = join(claudeDir, 'settings.local.json');
-
-	if (existsSync(settingsLocalPath)) {
-		try {
-			unlinkSync(settingsLocalPath);
-			console.error('[run-hook] Removed deprecated settings.local.json');
-		} catch {
-			// Ignore errors - file may be locked or read-only
-		}
-	}
-}
-
-function checkRuntime(cmd: string): boolean {
-	try {
-		const result = spawnSync(cmd, ['--version'], {
-			stdio: 'pipe',
-			shell: true,
-			timeout: 5000,
-			windowsHide: true,
-		});
-		return result.status === 0;
-	} catch {
-		return false;
-	}
-}
-
-interface RuntimeResult {
-	exitCode: number;
-	output: string;
-	error?: string;
-}
-
-function runWithRuntime(
-	cmd: string,
-	args: string[],
-	input: string
-): RuntimeResult {
-	try {
-		const result = spawnSync(cmd, args, {
-			input,
-			shell: true,
-			stdio: ['pipe', 'pipe', 'pipe'],
-			timeout: 30000,
-			windowsHide: true,
-			encoding: 'utf8',
-		});
-
-		return {
-			exitCode: result.status ?? 1,
-			output: result.stdout?.toString() || '',
-			error: result.stderr?.toString() || undefined,
-		};
-	} catch (err) {
-		return {
-			exitCode: 1,
-			output: '',
-			error: err instanceof Error ? err.message : 'Unknown error',
-		};
-	}
-}
-
-async function runHook(hookName: string, stdinData: string): Promise<void> {
-	const tsPath = join(HOOKS_DIR, `${hookName}.ts`);
-
-	// Runtime detection order - TypeScript ONLY (source of truth)
-	// Python files are deprecated and should be removed
-	const runtimes: Array<{ name: string; cmd: string }> = [
-		{ name: 'bun', cmd: 'bun' },
-		{ name: 'npx-tsx', cmd: 'npx tsx' },
-	];
-
-	for (const runtime of runtimes) {
-		if (!existsSync(tsPath)) {
-			continue;
-		}
-
-		if (!checkRuntime(runtime.cmd.split(' ')[0])) {
-			continue;
-		}
-
-		const result = runWithRuntime(runtime.cmd, [tsPath], stdinData);
-
-		// Handle exit codes according to Claude Code hook specification:
-		// - Exit code 0: Success (stdout in transcript)
-		// - Exit code 2: Blocking error (stderr feeds back to Claude)
-		// - Other: Non-blocking error
-
-		if (result.exitCode === 0) {
-			// Success - output stdout
-			process.stdout.write(result.output);
-			process.exit(0);
-		} else if (result.exitCode === 2) {
-			// Blocking error - for Stop hooks, JSON is in stdout
-			// Pass through both stdout (JSON response) and stderr (debug logs)
-			process.stdout.write(result.output);
-			if (result.error) {
-				process.stderr.write(result.error);
-			}
-			process.exit(2);
-		} else {
-			// Non-blocking error or runtime not found
-			if (result.error?.includes('not found')) {
-				// Runtime not available, try next
-				continue;
-			}
-			// Hook failed but not blocking
-			process.stdout.write(result.output);
-			if (result.error) {
-				process.stderr.write(result.error);
-			}
-			process.exit(result.exitCode);
-		}
-	}
-
-	// No runtime available - return safe default
-	console.error(`[run-hook] No runtime available to run hook: ${hookName}`);
-	console.error('[run-hook] Please install bun or Node.js (for npx tsx)');
-	const safeDefault = JSON.stringify({
-		decision: 'approve',
-		continue: true,
-		reason: 'Hook runtime not available, allowing by default',
-	});
-	process.stdout.write(safeDefault);
-	process.exit(0);
-}
-
-async function readStdinWithTimeout(timeoutMs: number): Promise<string> {
-	return new Promise((resolve) => {
-		const timeout = setTimeout(() => {
-			process.stdin.destroy();
-			resolve('{}');
-		}, timeoutMs);
-
-		let data = '';
-		process.stdin.setEncoding('utf8');
-		process.stdin.on('data', (chunk: string) => {
-			data += chunk;
-		});
-		process.stdin.on('end', () => {
-			clearTimeout(timeout);
-			resolve(data || '{}');
-		});
-		process.stdin.on('error', () => {
-			clearTimeout(timeout);
-			resolve('{}');
-		});
-
-		// Handle case where stdin is empty/closed immediately
-		if (process.stdin.readableEnded) {
-			clearTimeout(timeout);
-			resolve('{}');
-		}
-	});
-}
-
-// Main
-async function main(): Promise<void> {
-	// Log hook invocation for debugging (writes to stderr so it doesn't affect JSON output)
-	const hookName = process.argv[2];
-	const timestamp = new Date().toISOString();
-	console.error(`[run-hook] ${timestamp} - Hook invoked: ${hookName || 'none'}`);
-
-	// Clean up deprecated files on every hook run
-	cleanupDeprecatedFiles();
-
-	if (!hookName) {
-		console.error('[run-hook] Usage: bun run-hook.ts <hook-name>');
-		process.exit(1);
-	}
-
-	// Read stdin with timeout to avoid hanging
-	const stdinData = await readStdinWithTimeout(2000);
-	console.error(`[run-hook] ${hookName} - stdin received, length: ${stdinData.length}`);
-	await runHook(hookName, stdinData);
-}
-
-main().catch((err) => {
-	console.error('[run-hook] Fatal error:', err);
-	// Return safe default on error
-	const safeDefault = JSON.stringify({
-		decision: 'approve',
-		continue: true,
-		reason: 'Hook runner error, allowing by default',
-	});
-	process.stdout.write(safeDefault);
-	process.exit(0);
-});

package/template/.claude/hooks/security-check.js

@@ -1,202 +0,0 @@
-/**
- * Hook de Seguranca Pre-Tool
- *
- * Este hook e executado ANTES de qualquer ferramenta ser chamada.
- * Sua funcao e bloquear acoes potencialmente perigosas.
- *
- * Baseado em: OpenSSF Security Guide for AI Code Assistants
- * https://best.openssf.org/Security-Focused-Guide-for-AI-Code-Assistant-Instructions
- */
-
-// Padroes perigosos que devem ser bloqueados
-const DANGEROUS_PATTERNS = {
-	// Comandos destrutivos
-	commands: [
-		/rm\s+-rf\s+[\/~]/i, // rm -rf com path perigoso
-		/rm\s+-rf\s+\*/i, // rm -rf *
-		/sudo\s+rm/i, // sudo rm
-		/mkfs/i, // formatar disco
-		/dd\s+if=/i, // dd (pode destruir dados)
-		/>\s*\/dev\//i, // escrever em devices
-		/chmod\s+777/i, // permissoes muito abertas
-		/curl.*\|\s*(ba)?sh/i, // curl pipe to shell
-		/wget.*\|\s*(ba)?sh/i, // wget pipe to shell
-	],
-
-	// Padroes de codigo inseguro
-	code: [
-		/eval\s*\(/i, // eval()
-		/new\s+Function\s*\(/i, // new Function()
-		/innerHTML\s*=/i, // innerHTML assignment (XSS)
-		/document\.write\s*\(/i, // document.write (XSS)
-		/dangerouslySetInnerHTML/i, // React dangerous prop
-		/\$\{.*\}\s*\)/i, // Template injection em queries
-	],
-
-	// Exposicao de dados sensiveis
-	sensitive: [
-		/password\s*[:=]/i, // Senha hardcoded
-		/api[_-]?key\s*[:=]/i, // API key hardcoded
-		/secret\s*[:=]/i, // Secret hardcoded
-		/private[_-]?key/i, // Private key
-		/BEGIN\s+(RSA|DSA|EC)\s+PRIVATE/i, // Chave privada PEM
-	],
-
-	// Patterns especificos do projeto
-	project: [
-		/userId.*req\.body/i, // userId do request body
-		/userId.*input\./i, // userId do input tRPC
-		/findById\(.*input/i, // Query sem validacao de owner
-		/z\.any\(\)/i, // Zod any (sem validacao)
-	],
-};
-
-// Arquivos que nao devem ser modificados
-const PROTECTED_FILES = ['.env', '.env.local', '.env.production', '.env.development', 'bun.lockb'];
-
-// Diretorios que nao devem ser acessados
-const PROTECTED_DIRS = ['/etc', '/var', '/usr', '/root', '/home', 'node_modules', '.git/objects'];
-
-/**
- * Verifica se um comando/codigo contem padroes perigosos
- * @param {string} content - Conteudo a verificar
- * @param {string} category - Categoria de padroes
- * @returns {Object} - { blocked: boolean, reason: string }
- */
-function checkDangerousPatterns(content, category) {
-	const patterns = DANGEROUS_PATTERNS[category] || [];
-
-	for (const pattern of patterns) {
-		if (pattern.test(content)) {
-			return {
-				blocked: true,
-				reason: `Padrao perigoso detectado: ${pattern.toString()}`,
-				category,
-			};
-		}
-	}
-
-	return { blocked: false };
-}
-
-/**
- * Verifica se um arquivo e protegido
- * @param {string} filePath - Caminho do arquivo
- * @returns {boolean}
- */
-function isProtectedFile(filePath) {
-	return PROTECTED_FILES.some(
-		(protected) => filePath.endsWith(protected) || filePath.includes(protected)
-	);
-}
-
-/**
- * Verifica se um diretorio e protegido
- * @param {string} dirPath - Caminho do diretorio
- * @returns {boolean}
- */
-function isProtectedDir(dirPath) {
-	return PROTECTED_DIRS.some(
-		(protected) => dirPath.startsWith(protected) || dirPath.includes(protected)
-	);
-}
-
-/**
- * Hook principal - executado antes de cada tool call
- * @param {Object} toolCall - Dados da chamada de ferramenta
- * @returns {Object} - { allowed: boolean, reason?: string }
- */
-function preToolHook(toolCall) {
-	const { name, args } = toolCall;
-
-	// Verificar comandos bash
-	if (name === 'bash' && args.command) {
-		const result = checkDangerousPatterns(args.command, 'commands');
-		if (result.blocked) {
-			return {
-				allowed: false,
-				reason: `Comando bloqueado: ${result.reason}`,
-			};
-		}
-	}
-
-	// Verificar escrita de arquivos
-	if (['file_write', 'file_edit'].includes(name)) {
-		// Verificar arquivo protegido
-		if (args.path && isProtectedFile(args.path)) {
-			return {
-				allowed: false,
-				reason: `Arquivo protegido: ${args.path}`,
-			};
-		}
-
-		// Verificar conteudo perigoso
-		if (args.content) {
-			const codeResult = checkDangerousPatterns(args.content, 'code');
-			if (codeResult.blocked) {
-				return {
-					allowed: false,
-					reason: `Codigo inseguro: ${codeResult.reason}`,
-				};
-			}
-
-			const sensitiveResult = checkDangerousPatterns(args.content, 'sensitive');
-			if (sensitiveResult.blocked) {
-				return {
-					allowed: false,
-					reason: `Dados sensiveis detectados: ${sensitiveResult.reason}`,
-				};
-			}
-
-			const projectResult = checkDangerousPatterns(args.content, 'project');
-			if (projectResult.blocked) {
-				return {
-					allowed: false,
-					reason: `Violacao de regra do projeto: ${projectResult.reason}`,
-				};
-			}
-		}
-	}
-
-	// Verificar leitura de diretorios protegidos
-	if (name === 'file_read' && args.path) {
-		if (isProtectedDir(args.path)) {
-			return {
-				allowed: false,
-				reason: `Diretorio protegido: ${args.path}`,
-			};
-		}
-	}
-
-	// Permitir por padrao
-	return { allowed: true };
-}
-
-/**
- * Log de seguranca para auditoria
- * @param {string} action - Acao tomada
- * @param {Object} details - Detalhes
- */
-function logSecurityEvent(action, details) {
-	const timestamp = new Date().toISOString();
-	const logEntry = {
-		timestamp,
-		action,
-		...details,
-	};
-
-	// Em producao, enviar para sistema de logging
-	console.log('[SECURITY]', JSON.stringify(logEntry));
-}
-
-// Exportar para uso pelo SDK
-module.exports = {
-	preToolHook,
-	checkDangerousPatterns,
-	isProtectedFile,
-	isProtectedDir,
-	logSecurityEvent,
-	DANGEROUS_PATTERNS,
-	PROTECTED_FILES,
-	PROTECTED_DIRS,
-};