tlc-claude-code 2.4.8 → 2.4.10

package/.claude/commands/tlc/audit.md

@@ -57,6 +57,11 @@ Run `auditProject(projectPath)` which executes:
 | **Secrets in Responses** | Response objects containing fields named `apiKey`, `secret`, `token`, `password` | error |
 | **Manual Instantiation** | `new .*Provider(` or `new .*Service(` in application code | warning |
 | **Missing Ownership Check** | Controller methods with `@Param('id')` but no ownership/authorization guard | warning |
+| **Empty Catch Blocks** | `catch (e) {}` or `catch { }` with no logging or rethrow | error |
+| **Silent Error Returns** | `catch (e) { return null/undefined/false }` without logging | error |
+| **Missing Error Handling** | External calls (HTTP, DB, Docker, file I/O, spawn) without try/catch | error |
+| **No Connection Logging** | DB/Redis/WebSocket/Docker connections without connect/disconnect/error logging | warning |
+| **Bare console.log Errors** | `console.log(error)` instead of structured logging with context | warning |
 
 ### Step 3: Generate Report
 

package/.claude/commands/tlc/build.md

@@ -210,19 +210,25 @@ function processOrder(order) {
 - **JSDoc for public API**: Parameters, returns, throws, examples.
 - **No obvious comments**: `// increment i` before `i++` is noise.
 
-### Error Handling
+### Error Handling (Zero Silent Failures)
+- **Every catch block must be visible**: Log with context OR rethrow. No exceptions.
 - **Specific error types**: `UserNotFoundError` not generic `Error`.
-- **Actionable messages**: "User 'abc123' not found" not "Not found".
-- **Don't swallow errors**: Log or rethrow, never empty catch blocks.
+- **Actionable messages**: "User 'abc123' not found in database 'users'" not "Not found".
+- **Don't swallow errors**: Log or rethrow, never empty catch blocks. This is the #1 cause of production bugs.
 - **Error boundaries**: Catch at appropriate level, not everywhere.
 - **User vs developer errors**: Different messages for each audience.
-
-### Logging Standards
-- **Structured logging**: JSON format with consistent fields.
-- **Log levels**: ERROR (failures), WARN (concerning), INFO (business events), DEBUG (troubleshooting).
-- **Context**: Include request ID, user ID, relevant entity IDs.
+- **External calls MUST have error handling**: HTTP, DB, Docker, file I/O, CLI spawn — every one gets try/catch with logging.
+
+### Observability (CRITICAL — silent failures are unacceptable)
+- **No empty catch blocks**: Every `catch` must log with context OR rethrow. `catch (e) {}` is never acceptable.
+- **No silent returns**: `catch (e) { return null }` without logging is a bug. Log first, then return.
+- **Structured logging**: JSON format: `{ level, message, context, error, timestamp }`.
+- **Log levels**: ERROR (failures needing attention), WARN (degraded but working), INFO (business events), DEBUG (troubleshooting).
+- **Context in every log**: Include what operation failed, what inputs caused it, what the caller should know.
+- **Connection state logging**: Every external connection (DB, Redis, Docker, WebSocket, HTTP client, queue) must log: connect, disconnect, reconnect, and failure. Connection state changes are INFO level, not DEBUG.
+- **Startup health**: Log the state of every dependency on startup. "Connected to Postgres", "Docker socket accessible", "Redis: connection refused". Never start silently.
 - **No sensitive data**: Never log passwords, tokens, PII.
-- **Performance**: Don't log in tight loops.
+- **Performance**: Don't log in tight loops. Do log every error, even in loops.
 
 ### Performance Awareness
 - **O(n) thinking**: Know the complexity of your algorithms. Avoid nested loops on large datasets.
@@ -868,20 +874,22 @@ git diff --name-status main...HEAD
 
 **Checks performed:**
 
-1. **Test Coverage** - Every implementation file has a test file
-2. **TDD Compliance** - Commits show test-first pattern (score ≥ 50%)
-3. **Security Scan** - No hardcoded secrets, eval(), innerHTML, etc.
-4. **Authorization** - Every data-access endpoint has ownership checks, not just auth guards
-5. **Secrets Exposure** - No API keys, tokens, or passwords returned in responses/HTML
-6. **Config Hygiene** - No `process.env` outside config module; config validated at startup
-7. **Output Encoding** - No unescaped `${...}` interpolation in HTML template strings
-8. **Sensitive Data** - OTPs, reset tokens, session secrets are hashed before storage
-9. **DI Compliance** - No manual `new Service()` / `new Provider()` in application code
-10. **File Size** - No file exceeds 1000 lines (warning at 500+)
-11. **Folder Size** - No folder exceeds 15 files (warning at 8+)
-12. **Strict Typing** - No `any` types in new/changed files
-13. **Return Types** - All exported functions have explicit return types
-14. **Module Structure** - Files grouped by domain entity, not by type
+1. **Silent Failure Scan (CRITICAL)** - No empty catch blocks. Every catch must log with context OR rethrow. `catch (e) {}` and `catch (e) { return null }` without logging are **auto-rejected**. Every external call (HTTP, DB, Docker, CLI, file I/O) must have error handling that produces an observable signal (log, metric, or rethrow).
+2. **Error Logging** - Every error path must use structured logging: `{ level, message, context, error }`. No bare `console.log` for errors — use a logger with level + context. No `console.error` without identifying WHAT failed and WHERE.
+3. **Test Coverage** - Every implementation file has a test file
+4. **TDD Compliance** - Commits show test-first pattern (score ≥ 50%)
+5. **Security Scan** - No hardcoded secrets, eval(), innerHTML, etc.
+6. **Authorization** - Every data-access endpoint has ownership checks, not just auth guards
+7. **Secrets Exposure** - No API keys, tokens, or passwords returned in responses/HTML
+8. **Config Hygiene** - No `process.env` outside config module; config validated at startup
+9. **Output Encoding** - No unescaped `${...}` interpolation in HTML template strings
+10. **Sensitive Data** - OTPs, reset tokens, session secrets are hashed before storage
+11. **DI Compliance** - No manual `new Service()` / `new Provider()` in application code
+12. **File Size** - No file exceeds 1000 lines (warning at 500+)
+13. **Folder Size** - No folder exceeds 15 files (warning at 8+)
+14. **Strict Typing** - No `any` types in new/changed files
+15. **Return Types** - All exported functions have explicit return types
+16. **Module Structure** - Files grouped by domain entity, not by type
 
 **Review output:**
 

package/.claude/commands/tlc/init.md

@@ -19,6 +19,42 @@ For brand new projects with no code, use `/tlc:new-project` instead.
 
 ## Process
 
+### 0. Upgrade Check (runs first, always)
+
+**Before anything else**, check if this is already a TLC project:
+
+```bash
+# Check for existing TLC markers
+if [ -f ".tlc.json" ] || [ -f "CLAUDE.md" ] || [ -d ".claude/hooks" ]; then
+  # This is an existing TLC project — run upgrade path
+fi
+```
+
+**If `.tlc.json` exists**, this is a **re-init / upgrade**. Do the following automatically:
+
+1. **Compare hook versions**: Read the installed `tlc-claude-code` version (`npm ls -g tlc-claude-code --json 2>/dev/null`). Compare against the hooks currently in `.claude/hooks/`. If the package is newer, **re-copy all hooks** from the package to `.claude/hooks/`, overwriting stale copies.
+
+2. **Update CLAUDE.md**: Re-generate the CLAUDE.md template from the latest init template. If the user has customized CLAUDE.md (check for a `<!-- TLC-MANAGED -->` marker at the top), replace only the TLC-managed sections. If no marker, append missing sections (like the memory routing rules) without overwriting user content.
+
+3. **Update `.claude/settings.json`**: Merge any new hook entries (like the memory routing enforcement) into the existing settings. Don't remove user-added permissions or hooks.
+
+4. **Report what changed**:
+   ```
+   TLC Upgrade (v2.4.5 → v2.4.8)
+   ───────────────────────────────
+   ✓ Updated 6 hooks (memory routing, review loop)
+   ✓ Updated CLAUDE.md (added memory routing rules)
+   ✓ Updated settings.json (added new hook matchers)
+   ○ .tlc.json unchanged
+   ○ PROJECT.md unchanged
+
+   All up to date. Run /tlc:progress to continue.
+   ```
+
+5. **Then stop** — do not run the full init flow. The project is already set up, we just needed to upgrade the TLC tooling.
+
+**If `.tlc.json` does NOT exist**, continue with the full init flow below.
+
 ### 1. Scan for Existing Code
 
 Check for source files:
@@ -223,6 +259,7 @@ const results = await injectStandards(projectPath);
 Create `CLAUDE.md` to enforce TLC workflow over Claude's default behaviors:
 
 ```markdown
+<!-- TLC-MANAGED: Do not remove this marker. TLC uses it to upgrade this file. -->
 # CLAUDE.md - TLC Project Instructions
 
 ## Planning System: TLC