timsquad 3.4.0 → 3.6.0

package/templates/platforms/claude-code/scripts/completion-guard.sh

@@ -1,13 +1,22 @@
 #!/bin/bash
 # Completion Guard — Stop Hook
-# Warns when stopping without test execution during implementation phase.
-# First version: warn only (not block), to avoid disrupting workflow.
+# 1. Implementation phase에서 테스트 미실행 시 블로킹 (decision: block)
+# 2. 세션 노트 컨텍스트를 systemMessage로 주입 (컨텍스트 생존 메모)
+# 3. 컨텍스트 윈도우 85% 경고
 #
 # Input: JSON via stdin (Claude Code hook protocol)
-# Output: JSON with systemMessage (warning if applicable)
+# Output: JSON with decision (block) or systemMessage
 
 set -e
 
+# ── 0. Stop hook loop prevention ──
+INPUT=$(cat 2>/dev/null || echo "")
+STOP_HOOK_ACTIVE=$(echo "$INPUT" | jq -r '.stop_hook_active // false' 2>/dev/null || echo "false")
+if [ "$STOP_HOOK_ACTIVE" = "true" ]; then
+  echo '{}'
+  exit 0
+fi
+
 # Find project root
 PROJECT_ROOT="$(pwd)"
 while [ "$PROJECT_ROOT" != "/" ]; do
@@ -23,35 +32,124 @@ if [ ! -d "$PROJECT_ROOT/.timsquad" ]; then
   exit 0
 fi
 
-# Read current phase
+BLOCK_REASON=""
+
+# ── 1. Test execution gate ──
+# 변경된 소스 파일에 대한 테스트 실행 여부 확인
+# implementation phase에서만 block, 그 외에는 warning
 PHASE_FILE="$PROJECT_ROOT/.timsquad/state/current-phase.json"
-if [ ! -f "$PHASE_FILE" ]; then
-  echo '{}'
-  exit 0
+PHASE="unknown"
+if [ -f "$PHASE_FILE" ]; then
+  PHASE=$(jq -r '.current // .current_phase // .phase // "unknown"' "$PHASE_FILE" 2>/dev/null || echo "unknown")
 fi
 
-PHASE=$(jq -r '.phase // "unknown"' "$PHASE_FILE" 2>/dev/null)
+TEST_WARNING=""
+SESSION_STATE="$PROJECT_ROOT/.timsquad/.daemon/session-state.json"
+if [ -f "$SESSION_STATE" ]; then
+  # Check if any bash commands were executed (tests run via bash)
+  BASH_COMMANDS=$(jq -r '.metrics.bashCommands // 0' "$SESSION_STATE" 2>/dev/null || echo "0")
 
-# Only check during implementation phase
-if [ "$PHASE" != "implementation" ]; then
-  echo '{}'
-  exit 0
+  if [ "$BASH_COMMANDS" -eq 0 ] 2>/dev/null; then
+    # No tests or bash at all — check for changed source files
+    CHANGED_SRC=$(cd "$PROJECT_ROOT" && git diff --name-only --diff-filter=ACMR HEAD 2>/dev/null | grep -E '\.(ts|tsx|js|jsx)$' | grep -vE '\.(test|spec)\.' | head -5)
+    if [ -n "$CHANGED_SRC" ]; then
+      # List related test files that should have been run
+      RELATED_TESTS=""
+      while IFS= read -r SRC_FILE; do
+        [ -z "$SRC_FILE" ] && continue
+        BASE_NAME=$(basename "$SRC_FILE" | sed 's/\.[^.]*$//')
+        POTENTIAL=$(cd "$PROJECT_ROOT" && find . -name "${BASE_NAME}.test.*" -o -name "${BASE_NAME}.spec.*" 2>/dev/null | head -1)
+        if [ -n "$POTENTIAL" ]; then
+          RELATED_TESTS="$RELATED_TESTS $POTENTIAL"
+        fi
+      done <<< "$CHANGED_SRC"
+
+      if [ -n "$RELATED_TESTS" ]; then
+        TEST_WARNING="[Test Gate] 변경된 파일에 대한 테스트가 실행되지 않았습니다. 관련 테스트:$RELATED_TESTS"
+      else
+        TEST_WARNING="[Test Gate] 변경된 소스 파일이 있으나 테스트가 실행되지 않았습니다."
+      fi
+
+      if [ "$PHASE" = "implementation" ]; then
+        BLOCK_REASON="$TEST_WARNING 테스트를 실행한 후 완료하세요."
+      fi
+    fi
+  fi
 fi
 
-# Check session metrics for test execution
-SESSION_STATE="$PROJECT_ROOT/.timsquad/.daemon/session-state.json"
-if [ ! -f "$SESSION_STATE" ]; then
-  echo '{"systemMessage":"[Completion Guard] 세션 메트릭을 확인할 수 없습니다. 테스트 실행 여부를 확인해주세요."}'
-  exit 0
+# ── 2. Session notes context injection ──
+SESSION_CTX=""
+NOTES_FILE="$PROJECT_ROOT/.timsquad/.daemon/session-notes.jsonl"
+if [ -f "$NOTES_FILE" ]; then
+  LAST_LINE=$(tail -1 "$NOTES_FILE" 2>/dev/null || echo "")
+  if [ -n "$LAST_LINE" ]; then
+    TURN=$(echo "$LAST_LINE" | jq -r '.turn // 0' 2>/dev/null)
+    TOOLS=$(echo "$LAST_LINE" | jq -r '.metrics.tools // 0' 2>/dev/null)
+    FAILS=$(echo "$LAST_LINE" | jq -r '.metrics.fails // 0' 2>/dev/null)
+    AGENTS=$(echo "$LAST_LINE" | jq -r '(.activeAgents // []) | join(", ")' 2>/dev/null)
+    FILES=$(echo "$LAST_LINE" | jq -r '(.recentFiles // [])[:5] | map(split("/") | last) | join(", ")' 2>/dev/null)
+
+    CTX_PCT=$(echo "$LAST_LINE" | jq -r '.contextPct // 0' 2>/dev/null)
+
+    SESSION_CTX="[Session] Turn $TURN | Tools: $TOOLS"
+    [ "$FAILS" != "0" ] && [ "$FAILS" != "null" ] && SESSION_CTX="$SESSION_CTX (Fail: $FAILS)"
+    [ -n "$AGENTS" ] && [ "$AGENTS" != "null" ] && SESSION_CTX="$SESSION_CTX | Active: $AGENTS"
+    [ -n "$FILES" ] && [ "$FILES" != "null" ] && SESSION_CTX="$SESSION_CTX | Files: $FILES"
+
+    # ── 3. Context window monitor (85% threshold) ──
+    if [ "$CTX_PCT" -ge 85 ] 2>/dev/null; then
+      SESSION_CTX="$SESSION_CTX\\n⚠ [Context ${CTX_PCT}%] 컨텍스트 윈도우 85% 이상 사용. 중요 정보를 session-notes에 기록하고, 현재 태스크를 정리한 뒤 완료하세요."
+    elif [ "$CTX_PCT" -ge 70 ] 2>/dev/null; then
+      SESSION_CTX="$SESSION_CTX | Ctx: ${CTX_PCT}%"
+    fi
+  fi
 fi
 
-# Check if any bash commands included test execution
-BASH_COMMANDS=$(jq -r '.metrics.bashCommands // 0' "$SESSION_STATE" 2>/dev/null)
+# ── 4. Skill Verification reminder (max 3 skills) ──
+VERIFICATION=""
+SKILLS_DIR="$PROJECT_ROOT/.claude/skills"
+if [ -d "$SKILLS_DIR" ]; then
+  SKILL_COUNT=0
+  for SKILL_DIR in "$SKILLS_DIR"/*/; do
+    [ "$SKILL_COUNT" -ge 3 ] && break
+    SKILL_FILE="$SKILL_DIR/SKILL.md"
+    [ ! -f "$SKILL_FILE" ] && continue
 
-if [ "$BASH_COMMANDS" -eq 0 ]; then
-  echo '{"systemMessage":"[Completion Guard] 이번 세션에서 테스트가 실행되지 않았습니다. 완료 전 테스트 실행을 권장합니다."}'
-  exit 0
+    SKILL_NAME=$(basename "$SKILL_DIR")
+    # Skip non-active/template skills
+    case "$SKILL_NAME" in _template|tsq-cli|main-session-constraints) continue ;; esac
+
+    # Extract Verification section (2 lines max)
+    CHECKS=$(awk '/^## Verification/{capture=1; next} /^## /{capture=0} capture && /\|.*\|.*\|/ && !/Check.*Command/' "$SKILL_FILE" 2>/dev/null | head -2)
+    if [ -n "$CHECKS" ]; then
+      VERIFICATION="$VERIFICATION
+[Skill Verification] $SKILL_NAME: $CHECKS"
+      SKILL_COUNT=$((SKILL_COUNT + 1))
+    fi
+  done
 fi
 
-# Allow
-echo '{}'
+# ── 5. Combine and output ──
+# BLOCK_REASON이 있으면 decision:block으로 강제 속행 (세션 컨텍스트 포함)
+if [ -n "$BLOCK_REASON" ]; then
+  FULL_REASON="$BLOCK_REASON"
+  [ -n "$SESSION_CTX" ] && FULL_REASON="$FULL_REASON
+$SESSION_CTX"
+  [ -n "$VERIFICATION" ] && FULL_REASON="$FULL_REASON
+$VERIFICATION"
+  jq -n --arg reason "$FULL_REASON" '{"decision": "block", "reason": $reason}'
+elif [ -n "$SESSION_CTX" ] || [ -n "$VERIFICATION" ] || [ -n "$TEST_WARNING" ]; then
+  FULL_MSG=""
+  [ -n "$SESSION_CTX" ] && FULL_MSG="$SESSION_CTX"
+  if [ -n "$TEST_WARNING" ]; then
+    [ -n "$FULL_MSG" ] && FULL_MSG="$FULL_MSG
+$TEST_WARNING" || FULL_MSG="$TEST_WARNING"
+  fi
+  if [ -n "$VERIFICATION" ]; then
+    [ -n "$FULL_MSG" ] && FULL_MSG="$FULL_MSG
+$VERIFICATION" || FULL_MSG="$VERIFICATION"
+  fi
+  jq -n --arg msg "$FULL_MSG" '{"systemMessage": $msg}'
+else
+  echo '{}'
+fi

package/templates/platforms/claude-code/scripts/context-restore.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+# Context Restore — SessionStart (compact) Hook
+# 컴팩션 후 핵심 컨텍스트를 재주입하여 에이전트 맥락 유실을 방지한다.
+#
+# Input: JSON via stdin (Claude Code hook protocol)
+# Output: JSON with systemMessage (컨텍스트 재주입)
+
+set -e
+
+# Find project root
+PROJECT_ROOT="$(pwd)"
+while [ "$PROJECT_ROOT" != "/" ]; do
+  if [ -d "$PROJECT_ROOT/.timsquad" ]; then
+    break
+  fi
+  PROJECT_ROOT="$(dirname "$PROJECT_ROOT")"
+done
+
+if [ ! -d "$PROJECT_ROOT/.timsquad" ]; then
+  exit 0
+fi
+
+# Build context summary
+CONTEXT=""
+
+# 1. Project name from config
+PROJECT_NAME=""
+CONFIG_FILE="$PROJECT_ROOT/.timsquad/config.yaml"
+if [ -f "$CONFIG_FILE" ]; then
+  PROJECT_NAME=$(grep -m1 'name:' "$CONFIG_FILE" 2>/dev/null | awk '{print $2}' || echo "")
+fi
+
+if [ -n "$PROJECT_NAME" ]; then
+  CONTEXT="[Context Restore] Project: $PROJECT_NAME"
+else
+  CONTEXT="[Context Restore] TimSquad project"
+fi
+
+# 2. Current phase from workflow
+WORKFLOW_FILE="$PROJECT_ROOT/.timsquad/workflow.json"
+if [ -f "$WORKFLOW_FILE" ]; then
+  CURRENT_PHASE=$(jq -r '.currentPhase // "unknown"' "$WORKFLOW_FILE" 2>/dev/null || echo "unknown")
+  CONTEXT="$CONTEXT | Phase: $CURRENT_PHASE"
+fi
+
+# 3. Read compact summary if exists (saved by pre-compact.sh)
+COMPACT_SUMMARY="$PROJECT_ROOT/.timsquad/.daemon/compact-summary.md"
+if [ -f "$COMPACT_SUMMARY" ]; then
+  SUMMARY_CONTENT=$(head -10 "$COMPACT_SUMMARY" 2>/dev/null || echo "")
+  if [ -n "$SUMMARY_CONTENT" ]; then
+    CONTEXT="$CONTEXT
+$SUMMARY_CONTENT"
+  fi
+fi
+
+# 4. Key constraints (3 lines max)
+CONTEXT="$CONTEXT
+[Key Constraints] TSQ CLI 사용 필수 (tsq log/feedback/commit). 직접 파일 조작 금지. 구현 전 검증 기준 명시."
+
+# Output as systemMessage
+jq -n --arg msg "$CONTEXT" '{
+  hookSpecificOutput: {
+    hookEventName: "SessionStart",
+    systemMessage: $msg
+  }
+}'
+
+exit 0

package/templates/platforms/claude-code/scripts/e2e-commit-gate.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+# e2e-commit-gate.sh — Pre-commit hook: validates E2E marker before allowing commit
+# Checks: JSON marker exists, valid format, source_hash matches, not expired
+#
+# Exit 0 = allow commit, Exit 1 = block commit
+
+set -euo pipefail
+
+MARKER_FILE=".e2e-passed"
+
+# No marker = no E2E tests configured, allow
+if [ ! -f "$MARKER_FILE" ]; then
+  exit 0
+fi
+
+# Try to parse as JSON; if not JSON, treat as bare touch (legacy fallback)
+if ! command -v jq >/dev/null 2>&1; then
+  echo "Warning: jq not installed, skipping E2E marker validation"
+  exit 0
+fi
+
+# Attempt JSON parse
+if ! jq empty "$MARKER_FILE" 2>/dev/null; then
+  # Bare touch file (legacy) — allow with warning
+  echo "Warning: .e2e-passed is not JSON format. Consider running E2E tests with e2e-marker.sh"
+  exit 0
+fi
+
+# Validate required fields
+EXIT_CODE=$(jq -r '.exit_code // empty' "$MARKER_FILE")
+SOURCE_HASH=$(jq -r '.source_hash // empty' "$MARKER_FILE")
+EXPIRES_AT=$(jq -r '.expires_at // empty' "$MARKER_FILE")
+
+# exit_code must be 0
+if [ -n "$EXIT_CODE" ] && [ "$EXIT_CODE" -ne 0 ]; then
+  echo "E2E commit gate: BLOCKED — marker shows exit_code=$EXIT_CODE (tests failed)"
+  exit 1
+fi
+
+# source_hash check
+if [ -n "$SOURCE_HASH" ] && [ "$SOURCE_HASH" != "unknown" ]; then
+  CURRENT_HASH=$(git rev-parse --short HEAD 2>/dev/null || echo "unknown")
+  if [ "$SOURCE_HASH" != "$CURRENT_HASH" ]; then
+    echo "E2E commit gate: WARNING — marker source_hash ($SOURCE_HASH) != current HEAD ($CURRENT_HASH)"
+    echo "  E2E tests may be stale. Consider re-running."
+  fi
+fi
+
+# Expiry check
+if [ -n "$EXPIRES_AT" ]; then
+  EXPIRES_EPOCH=$(date -u -j -f "%Y-%m-%dT%H:%M:%SZ" "$EXPIRES_AT" +%s 2>/dev/null || \
+                  date -u -d "$EXPIRES_AT" +%s 2>/dev/null || echo "0")
+  NOW_EPOCH=$(date -u +%s)
+  if [ "$EXPIRES_EPOCH" -gt 0 ] && [ "$NOW_EPOCH" -gt "$EXPIRES_EPOCH" ]; then
+    echo "E2E commit gate: BLOCKED — marker expired at $EXPIRES_AT"
+    echo "  Re-run E2E tests to refresh the marker."
+    exit 1
+  fi
+fi
+
+# All checks passed
+PASSED=$(jq -r '.passed // 0' "$MARKER_FILE")
+FLAKY=$(jq -r '.flaky // 0' "$MARKER_FILE")
+if [ "$FLAKY" -gt 0 ]; then
+  echo "E2E commit gate: PASSED ($PASSED tests, $FLAKY flaky — investigate flaky tests)"
+else
+  echo "E2E commit gate: PASSED ($PASSED tests)"
+fi
+
+exit 0

package/templates/platforms/claude-code/scripts/e2e-marker.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+# e2e-marker.sh — E2E 테스트 결과를 JSON 마커로 기록
+# 용도: PostToolUse 훅에서 E2E 테스트 완료 후 호출
+# 출력: .e2e-passed (JSON)
+
+set -euo pipefail
+
+MARKER_FILE=".e2e-passed"
+EXPIRY_HOURS="${E2E_MARKER_EXPIRY_HOURS:-24}"
+
+# 인자: exit_code passed failed flaky
+EXIT_CODE="${1:-0}"
+PASSED="${2:-0}"
+FAILED="${3:-0}"
+FLAKY="${4:-0}"
+
+# exit_code != 0 이면 마커 미생성
+if [ "$EXIT_CODE" -ne 0 ]; then
+  rm -f "$MARKER_FILE"
+  echo "E2E failed (exit_code=$EXIT_CODE) — marker removed"
+  exit 0
+fi
+
+# source_hash: 현재 소스의 git short hash
+SOURCE_HASH=""
+if command -v git >/dev/null 2>&1; then
+  SOURCE_HASH=$(git rev-parse --short HEAD 2>/dev/null || echo "unknown")
+fi
+
+# timestamp & expiry
+TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+if [[ "$OSTYPE" == "darwin"* ]]; then
+  EXPIRES_AT=$(date -u -v+"${EXPIRY_HOURS}"H +"%Y-%m-%dT%H:%M:%SZ")
+else
+  EXPIRES_AT=$(date -u -d "+${EXPIRY_HOURS} hours" +"%Y-%m-%dT%H:%M:%SZ")
+fi
+
+# JSON 마커 생성
+cat > "$MARKER_FILE" <<MARKER
+{
+  "timestamp": "$TIMESTAMP",
+  "exit_code": $EXIT_CODE,
+  "passed": $PASSED,
+  "failed": $FAILED,
+  "flaky": $FLAKY,
+  "source_hash": "$SOURCE_HASH",
+  "expires_at": "$EXPIRES_AT"
+}
+MARKER
+
+echo "E2E marker created: $PASSED passed, $FAILED failed, $FLAKY flaky"

package/templates/platforms/claude-code/scripts/phase-guard.sh

@@ -22,7 +22,7 @@ if [ -z "$INPUT" ]; then
 fi
 
 # Extract file path from tool input
-FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.filePath // ""' 2>/dev/null)
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.filePath // ""' 2>/dev/null || echo "")
 
 # If no file path, allow (not a file operation)
 if [ -z "$FILE_PATH" ] || [ "$FILE_PATH" = "null" ]; then
@@ -52,24 +52,24 @@ if [ ! -f "$PHASE_FILE" ]; then
   exit 0
 fi
 
-PHASE=$(jq -r '.phase // "unknown"' "$PHASE_FILE" 2>/dev/null)
+PHASE=$(jq -r '.current // .current_phase // .phase // "unknown"' "$PHASE_FILE" 2>/dev/null)
 
 # Normalize file path (make relative to project root)
-REL_PATH="${FILE_PATH#$PROJECT_ROOT/}"
+REL_PATH="${FILE_PATH#"$PROJECT_ROOT"/}"
 
 # Phase enforcement rules
 case "$PHASE" in
   planning|design)
     # Block source code modifications during planning/design
     if echo "$REL_PATH" | grep -qE '^src/|^lib/|^app/|^pages/|^components/'; then
-      echo "{\"hookSpecificOutput\":{\"permissionDecision\":\"deny\"},\"systemMessage\":\"[Phase Guard] $PHASE phase에서 코드 수정이 금지됩니다. SSOT 문서 작성을 먼저 완료하세요.\"}"
+      jq -n --arg phase "$PHASE" '{hookSpecificOutput:{permissionDecision:"deny"},systemMessage:("[Phase Guard] " + $phase + " phase에서 코드 수정이 금지됩니다. SSOT 문서 작성을 먼저 완료하세요.")}'
       exit 0
     fi
     ;;
   implementation)
     # Block SSOT modifications during implementation (prevent drift)
     if echo "$REL_PATH" | grep -qE '^\.timsquad/ssot/'; then
-      echo "{\"hookSpecificOutput\":{\"permissionDecision\":\"deny\"},\"systemMessage\":\"[Phase Guard] implementation phase에서 SSOT 직접 수정이 금지됩니다. 변경이 필요하면 PM에게 L2 피드백을 보고하세요.\"}"
+      echo '{"hookSpecificOutput":{"permissionDecision":"deny"},"systemMessage":"[Phase Guard] implementation phase에서 SSOT 직접 수정이 금지됩니다. 변경이 필요하면 PM에게 L2 피드백을 보고하세요."}'
       exit 0
     fi
     ;;

package/templates/platforms/claude-code/scripts/pre-compact.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+# Pre-Compact — PreCompact Hook
+# 컴팩션 직전 현재 상태 요약을 compact-summary.md에 저장한다.
+# context-restore.sh가 이 파일을 읽어 compact 후 재주입.
+#
+# Input: JSON via stdin (Claude Code hook protocol)
+# Output: none (파일 생성만)
+
+set -e
+
+# Find project root
+PROJECT_ROOT="$(pwd)"
+while [ "$PROJECT_ROOT" != "/" ]; do
+  if [ -d "$PROJECT_ROOT/.timsquad" ]; then
+    break
+  fi
+  PROJECT_ROOT="$(dirname "$PROJECT_ROOT")"
+done
+
+if [ ! -d "$PROJECT_ROOT/.timsquad" ]; then
+  exit 0
+fi
+
+DAEMON_DIR="$PROJECT_ROOT/.timsquad/.daemon"
+mkdir -p "$DAEMON_DIR"
+
+SUMMARY_FILE="$DAEMON_DIR/compact-summary.md"
+
+# Collect summary data
+SUMMARY="# Compact Summary (auto-generated)"
+SUMMARY="$SUMMARY
+Generated: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
+
+# Current phase
+WORKFLOW_FILE="$PROJECT_ROOT/.timsquad/workflow.json"
+if [ -f "$WORKFLOW_FILE" ]; then
+  PHASE=$(jq -r '.currentPhase // "unknown"' "$WORKFLOW_FILE" 2>/dev/null || echo "unknown")
+  SUMMARY="$SUMMARY
+Phase: $PHASE"
+fi
+
+# Recent changed files (top 5)
+RECENT_FILES=$(git -C "$PROJECT_ROOT" diff --name-only HEAD 2>/dev/null | head -5 || echo "")
+if [ -n "$RECENT_FILES" ]; then
+  SUMMARY="$SUMMARY
+Recent changes: $RECENT_FILES"
+fi
+
+# Active tasks from session state
+SESSION_STATE="$DAEMON_DIR/session-state.json"
+if [ -f "$SESSION_STATE" ]; then
+  TASK_INFO=$(jq -r '.currentTask // "none"' "$SESSION_STATE" 2>/dev/null || echo "none")
+  SUMMARY="$SUMMARY
+Active task: $TASK_INFO"
+fi
+
+# Session notes (last entry)
+NOTES_FILE="$DAEMON_DIR/session-notes.jsonl"
+if [ -f "$NOTES_FILE" ]; then
+  LAST_NOTE=$(tail -1 "$NOTES_FILE" 2>/dev/null | jq -r '.summary // ""' 2>/dev/null || echo "")
+  if [ -n "$LAST_NOTE" ] && [ "$LAST_NOTE" != "null" ]; then
+    SUMMARY="$SUMMARY
+Last note: $LAST_NOTE"
+  fi
+fi
+
+# Write summary (fail-open: if write fails, don't block compact)
+echo "$SUMMARY" > "$SUMMARY_FILE" 2>/dev/null || true
+
+exit 0

package/templates/platforms/claude-code/scripts/safe-guard.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+# Safe Guard — PreToolUse Hook (Bash)
+# Blocks or escalates destructive shell commands.
+#
+# Input: JSON via stdin (Claude Code hook protocol)
+# Output: JSON with permissionDecision (allow/deny/ask)
+
+set -e
+
+# Read hook input from stdin (non-blocking)
+INPUT=""
+if read -t 1 -r line; then
+  INPUT="$line"
+fi
+
+# Fail-open: no input → allow
+if [ -z "$INPUT" ]; then
+  echo '{"hookSpecificOutput":{"permissionDecision":"allow"}}'
+  exit 0
+fi
+
+# Extract command from tool input
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // ""' 2>/dev/null || echo "")
+
+if [ -z "$COMMAND" ] || [ "$COMMAND" = "null" ]; then
+  echo '{"hookSpecificOutput":{"permissionDecision":"allow"}}'
+  exit 0
+fi
+
+# ── DENY: Hard block (exit 0 + permissionDecision deny) ──
+
+# Root deletion
+if echo "$COMMAND" | grep -qE 'rm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+|.*--force\s+)/*$|rm\s+-rf\s+/\s'; then
+  echo '{"hookSpecificOutput":{"permissionDecision":"deny"},"systemMessage":"[Safe Guard] 루트 디렉토리 삭제 명령이 차단되었습니다."}'
+  exit 0
+fi
+
+# git push --force to main/master
+if echo "$COMMAND" | grep -qiE 'git\s+push\s+.*--force.*\s+(main|master)|git\s+push\s+-f\s+.*\s+(main|master)'; then
+  echo '{"hookSpecificOutput":{"permissionDecision":"deny"},"systemMessage":"[Safe Guard] main/master 브랜치에 force push가 차단되었습니다. 일반 push를 사용하세요."}'
+  exit 0
+fi
+
+# git reset --hard
+if echo "$COMMAND" | grep -qE 'git\s+reset\s+--hard'; then
+  echo '{"hookSpecificOutput":{"permissionDecision":"deny"},"systemMessage":"[Safe Guard] git reset --hard가 차단되었습니다. 커밋되지 않은 변경사항이 유실될 수 있습니다."}'
+  exit 0
+fi
+
+# SQL destructive operations
+if echo "$COMMAND" | grep -qiE 'DROP\s+(TABLE|DATABASE|SCHEMA)|TRUNCATE\s+TABLE'; then
+  echo '{"hookSpecificOutput":{"permissionDecision":"deny"},"systemMessage":"[Safe Guard] 파괴적 SQL 명령이 차단되었습니다. 데이터 유실 위험이 있습니다."}'
+  exit 0
+fi
+
+# chmod 777
+if echo "$COMMAND" | grep -qE 'chmod\s+777'; then
+  echo '{"hookSpecificOutput":{"permissionDecision":"deny"},"systemMessage":"[Safe Guard] chmod 777이 차단되었습니다. 최소 권한 원칙을 따르세요."}'
+  exit 0
+fi
+
+# ── ASK: Escalate to user confirmation ──
+
+# npm publish
+if echo "$COMMAND" | grep -qE 'npm\s+publish'; then
+  echo '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"ask","permissionDecisionReason":"npm publish는 패키지를 공개 배포합니다. 계속하시겠습니까?"}}'
+  exit 0
+fi
+
+# git push to main/master (non-force)
+if echo "$COMMAND" | grep -qiE 'git\s+push\s+.*\s+(main|master)|git\s+push\s+(main|master)'; then
+  echo '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"ask","permissionDecisionReason":"main/master 브랜치에 push합니다. 계속하시겠습니까?"}}'
+  exit 0
+fi
+
+# rm -rf (non-root, general)
+if echo "$COMMAND" | grep -qE 'rm\s+(-[a-zA-Z]*r[a-zA-Z]*f|.*-rf)\s'; then
+  echo '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"ask","permissionDecisionReason":"재귀적 삭제 명령입니다. 대상을 확인해주세요."}}'
+  exit 0
+fi
+
+# ── Default: allow ──
+echo '{"hookSpecificOutput":{"permissionDecision":"allow"}}'