truecourse 0.5.1 → 0.5.3

package/README.md

@@ -90,12 +90,26 @@ truecourse rules llm --disable                 # Disable LLM rules
 
 ### Git Hooks
 
-TrueCourse can install a pre-commit hook that blocks commits with critical violations:
+TrueCourse can install a pre-commit hook that blocks commits introducing new violations at or above a configured severity:
 
 ```bash
 truecourse hooks install              # Install pre-commit hook
 truecourse hooks uninstall            # Remove pre-commit hook
-truecourse hooks status               # Show hook installation status
+truecourse hooks status               # Show hook status + config
+```
+
+On every commit the hook runs `truecourse analyze --diff` against the repo's last full analysis and blocks if any newly-introduced violation matches the configured block severities. **Commits will take as long as a full diff analysis** — on large repos that can be tens of seconds per commit. `truecourse hooks install` warns you and requires confirmation before writing the hook.
+
+**First-time setup:** run `truecourse analyze` once to establish a baseline. Without it the hook can't diff.
+
+**Bypass:** `git commit --no-verify` (standard git).
+
+**Configuration** — `hooks install` seeds `<repo>/.truecourse/hooks.yaml` with starter defaults; commit the file so your team shares one policy. The hook reads only from this file — if you delete it, the hook warns and passes every commit (no hidden code-level defaults). Current shape:
+
+```yaml
+pre-commit:
+  block-on: [critical, high]   # severities. Valid: info|low|medium|high|critical
+  llm: false                   # run LLM rules on every commit (tokens per commit)
 ```
 
 ### Telemetry
@@ -131,13 +145,14 @@ TrueCourse ships with **1,200+ deterministic rules** and **100 LLM rules** acros
 
 TrueCourse includes [Claude Code skills](https://docs.anthropic.com/en/docs/claude-code/skills) for conversational analysis from within Claude Code.
 
-Run `truecourse add` to install skills to `.claude/skills/truecourse/` in your project.
+The first `truecourse analyze` (or `truecourse add`) in a fresh repo asks whether to install skills into `.claude/skills/truecourse/`. Re-runs skip the prompt if skills are already present. Pass `--install-skills` / `--no-skills` to bypass the prompt explicitly.
 
 | Skill | What it does |
 |---|---|
 | `/truecourse-analyze` | Runs analysis or diff check, summarizes results |
 | `/truecourse-list` | Shows full violation details |
 | `/truecourse-fix` | Lists fixable violations, applies changes |
+| `/truecourse-hooks` | Installs, configures, or removes the pre-commit hook |
 
 ## Language Support
 
@@ -172,6 +187,10 @@ pnpm build              # Build all packages
 
 TrueCourse collects anonymous usage data (event type, language, file count range, OS). No source code, file paths, or violation details are collected. Opt out with `truecourse telemetry disable` or `TRUECOURSE_TELEMETRY=0`.
 
+## Contact
+
+Questions, feedback, or security reports: **Mushegh Gevorgyan** — [mushegh@truecourse.dev](mailto:mushegh@truecourse.dev).
+
 ## License
 
 MIT

package/cli.mjs

@@ -4080,7 +4080,7 @@ __export(helpers_exports, {
   writeConfig: () => writeConfig
 });
 import { exec as exec2 } from "node:child_process";
-import { cpSync, existsSync } from "node:fs";
+import { cpSync, existsSync, mkdirSync, readdirSync } from "node:fs";
 import fs3 from "node:fs";
 import os2 from "node:os";
 import path3 from "node:path";
@@ -4319,12 +4319,6 @@ function openInBrowser(url) {
   const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
   exec2(`${cmd} ${url}`);
 }
-function skillDestPath(repoPath) {
-  return resolve(repoPath, ".claude", "skills", "truecourse");
-}
-function hasInstalledSkills(repoPath) {
-  return existsSync(skillDestPath(repoPath));
-}
 function isInteractive() {
   return !!process.stdin.isTTY;
 }
@@ -4336,35 +4330,61 @@ Running non-interactively with no answer. ${flagGuidance}`
   );
   process.exit(1);
 }
-function copySkillsInto(repoPath) {
+function resolveSkillsSrcDir() {
   const __dirname4 = dirname(fileURLToPath(import.meta.url));
-  const srcPath = resolve(__dirname4, "..", "..", "skills", "truecourse");
-  const distPath = resolve(__dirname4, "skills", "truecourse");
-  const skillsSrc = existsSync(srcPath) ? srcPath : distPath;
-  if (!existsSync(skillsSrc)) {
+  const candidate = resolve(__dirname4, "skills", "truecourse");
+  return existsSync(candidate) ? candidate : null;
+}
+function skillDestDir(repoPath) {
+  return resolve(repoPath, ".claude", "skills", "truecourse");
+}
+function listSkillDirs(root) {
+  if (!existsSync(root)) return [];
+  return readdirSync(root, { withFileTypes: true }).filter((e) => e.isDirectory()).map((e) => e.name).sort();
+}
+function computeMissingSkills(repoPath) {
+  const src = resolveSkillsSrcDir();
+  if (!src) return [];
+  const shipped = new Set(listSkillDirs(src));
+  const installed = new Set(listSkillDirs(skillDestDir(repoPath)));
+  return [...shipped].filter((name) => !installed.has(name));
+}
+function hasInstalledSkills(repoPath) {
+  return computeMissingSkills(repoPath).length === 0;
+}
+function copySkills(repoPath, skillNames) {
+  const src = resolveSkillsSrcDir();
+  if (!src) {
     O2.warn("Skills directory not found in package \u2014 skipping.");
     return;
   }
-  const skillsDest = resolve(repoPath, ".claude", "skills");
-  cpSync(skillsSrc, skillsDest, { recursive: true });
-  O2.success("Installed Claude Code skills:");
-  O2.message("  - truecourse-analyze  (run analysis)");
-  O2.message("  - truecourse-list     (list violations)");
-  O2.message("  - truecourse-fix      (apply fixes)");
+  const destParent = skillDestDir(repoPath);
+  mkdirSync(destParent, { recursive: true });
+  for (const name of skillNames) {
+    const skillSrc = resolve(src, name);
+    const skillDest = resolve(destParent, name);
+    if (existsSync(skillDest)) continue;
+    cpSync(skillSrc, skillDest, { recursive: true });
+  }
+  O2.success(
+    `Installed ${skillNames.length} Claude Code skill${skillNames.length === 1 ? "" : "s"}:`
+  );
+  for (const name of skillNames) O2.message(`  - ${name}`);
 }
 async function promptInstallSkills(repoPath, { install } = {}) {
-  if (hasInstalledSkills(repoPath)) return;
+  const missing = computeMissingSkills(repoPath);
+  if (missing.length === 0) return;
   if (install === true) {
-    copySkillsInto(repoPath);
+    copySkills(repoPath, missing);
     return;
   }
   if (install === false) return;
   if (!isInteractive()) return;
-  const answer = await ot2({
-    message: "Would you like to install Claude Code skills?"
-  });
+  const isUpgrade = existsSync(skillDestDir(repoPath));
+  const message = isUpgrade ? `New Claude Code skill${missing.length === 1 ? "" : "s"} available: ${missing.join(", ")}. Install?` : "Would you like to install Claude Code skills?";
+  const answer = await ot2({ message });
   if (q(answer) || !answer) return;
-  copySkillsInto(repoPath);
+  copySkills(repoPath, missing);
 }
 var DEFAULT_PORT, DEFAULT_CONFIG;
 var init_helpers = __esm({
@@ -10563,7 +10583,7 @@ var init_language_config = __esm({
 });
 
 // packages/analyzer/dist/file-discovery.js
-import { existsSync as existsSync2, readFileSync, readdirSync, statSync } from "fs";
+import { existsSync as existsSync2, readFileSync, readdirSync as readdirSync2, statSync } from "fs";
 import { join, relative, resolve as resolve2 } from "path";
 function findAllGitignores(startDir) {
   const gitignores = [];
@@ -10606,7 +10626,7 @@ function discoverFiles(dir) {
   const { ig, rootDir } = loadIgnorePatterns(dir);
   function traverse(currentPath) {
     try {
-      const entries = readdirSync(currentPath).sort();
+      const entries = readdirSync2(currentPath).sort();
       for (const entry of entries) {
         const fullPath = join(currentPath, entry);
         const relativePath = relative(rootDir, fullPath);
@@ -10894,7 +10914,7 @@ var init_service_patterns = __esm({
 // packages/analyzer/dist/ts-compiler.js
 import * as ts from "typescript";
 import { dirname as dirname2, join as join2 } from "path";
-import { existsSync as existsSync3, readdirSync as readdirSync2, statSync as statSync2 } from "fs";
+import { existsSync as existsSync3, readdirSync as readdirSync3, statSync as statSync2 } from "fs";
 function buildScopedCompilerOptions(rootPath) {
   const result = [];
   const candidates = [join2(rootPath, "tsconfig.json")];
@@ -10903,7 +10923,7 @@ function buildScopedCompilerOptions(rootPath) {
     if (!existsSync3(dirPath) || !statSync2(dirPath).isDirectory())
       continue;
     try {
-      for (const entry of readdirSync2(dirPath).sort()) {
+      for (const entry of readdirSync3(dirPath).sort()) {
         candidates.push(join2(dirPath, entry, "tsconfig.json"));
       }
     } catch {
@@ -13533,7 +13553,7 @@ var init_registry2 = __esm({
 
 // packages/analyzer/dist/dependency-graph.js
 import { resolve as resolve4, dirname as dirname4, join as join3 } from "path";
-import { existsSync as existsSync4, readFileSync as readFileSync2, readdirSync as readdirSync3, realpathSync, statSync as statSync3 } from "fs";
+import { existsSync as existsSync4, readFileSync as readFileSync2, readdirSync as readdirSync4, realpathSync, statSync as statSync3 } from "fs";
 function resolveRelativeFallback(importSource, containingFile, analyzedFiles, extensions, indexFiles) {
   const fromDir = dirname4(containingFile);
   const basePath = resolve4(fromDir, importSource);
@@ -13561,7 +13581,7 @@ function buildWorkspacePackageMap(rootPath) {
     if (!existsSync4(dirPath) || !statSync3(dirPath).isDirectory())
       continue;
     try {
-      for (const entry of readdirSync3(dirPath).sort()) {
+      for (const entry of readdirSync4(dirPath).sort()) {
         const pkgDir = join3(dirPath, entry);
         const pkgJsonPath = join3(pkgDir, "package.json");
         if (!existsSync4(pkgJsonPath))
@@ -16249,7 +16269,7 @@ var init_registry3 = __esm({
 });
 
 // packages/analyzer/dist/service-detector.js
-import { existsSync as existsSync7, readFileSync as readFileSync5, readdirSync as readdirSync4, statSync as statSync4 } from "fs";
+import { existsSync as existsSync7, readFileSync as readFileSync5, readdirSync as readdirSync5, statSync as statSync4 } from "fs";
 import { join as join6, basename, dirname as dirname5 } from "path";
 function detectServices(rootPath, allFiles) {
   const monorepoServices = detectMonorepoServices(rootPath, allFiles);
@@ -16294,7 +16314,7 @@ function detectMonorepoServices(rootPath, allFiles) {
     if (!existsSync7(dirPath))
       continue;
     try {
-      const entries = readdirSync4(dirPath).sort();
+      const entries = readdirSync5(dirPath).sort();
       for (const entry of entries) {
         const servicePath = join6(dirPath, entry);
         const stats = statSync4(servicePath);
@@ -17050,7 +17070,7 @@ var init_registry4 = __esm({
 });
 
 // packages/analyzer/dist/database-detector.js
-import { existsSync as existsSync8, readFileSync as readFileSync6, readdirSync as readdirSync5 } from "fs";
+import { existsSync as existsSync8, readFileSync as readFileSync6, readdirSync as readdirSync6 } from "fs";
 import { join as join7, resolve as resolve5 } from "path";
 function detectDatabases(rootPath, analyses, services) {
   const detections = [];
@@ -17219,7 +17239,7 @@ function parseDockerCompose(rootPath) {
 function findFiles(dir, fileName, ignoreDirs) {
   const results = [];
   try {
-    const entries = readdirSync5(dir, { withFileTypes: true }).sort((a, b) => a.name.localeCompare(b.name));
+    const entries = readdirSync6(dir, { withFileTypes: true }).sort((a, b) => a.name.localeCompare(b.name));
     for (const entry of entries) {
       if (ignoreDirs.includes(entry.name))
         continue;
@@ -123658,7 +123678,7 @@ var init_schemas2 = __esm({
 
 // apps/server/dist/services/llm/cli-provider.js
 import { spawn as spawn3 } from "node:child_process";
-import { mkdirSync, writeFileSync } from "node:fs";
+import { mkdirSync as mkdirSync2, writeFileSync } from "node:fs";
 import { join as join8 } from "node:path";
 import { tmpdir } from "node:os";
 import { randomUUID as randomUUID3 } from "node:crypto";
@@ -123721,7 +123741,7 @@ var init_cli_provider = __esm({
       constructor() {
         if (process.env.TRUECOURSE_CLI_DEBUG) {
           this.debugDir = join8(tmpdir(), "truecourse-cli-debug");
-          mkdirSync(this.debugDir, { recursive: true });
+          mkdirSync2(this.debugDir, { recursive: true });
           log.info(`[CLI] Debug output: ${this.debugDir}`);
         }
       }
@@ -130434,6 +130454,11 @@ var jsYaml = {
 };
 
 // tools/cli/src/commands/hooks.ts
+init_dist4();
+init_paths();
+init_registry();
+init_analysis_store();
+init_diff_in_process();
 init_helpers();
 var HOOK_IDENTIFIER = "# TrueCourse pre-commit hook";
 var HOOK_SCRIPT = `#!/bin/sh
@@ -130441,29 +130466,35 @@ ${HOOK_IDENTIFIER}
 # Installed by: truecourse hooks install
 # Bypass with: git commit --no-verify
 
-exec truecourse hooks run
+exec npx -y truecourse hooks run
+`;
+var SEVERITIES2 = ["info", "low", "medium", "high", "critical"];
+var HOOKS_YAML_TEMPLATE = `# TrueCourse pre-commit hook config.
+# Commit this file \u2014 it's the team-shared policy for what blocks a commit.
+# Check the live values with \`truecourse hooks status\`.
+pre-commit:
+  # Severities that block a commit when the diff surfaces NEW violations
+  # at that level. Valid: info, low, medium, high, critical.
+  block-on:
+    - critical
+    - high
+
+  # Run LLM-powered rules on every commit? Off by default (no tokens per
+  # commit). Set to true for deeper semantic checks at the commit gate \u2014
+  # each commit will then cost tokens.
+  llm: false
 `;
-var DEFAULT_BLOCK_ON = [
-  "security/deterministic/hardcoded-secret",
-  { severity: "critical" }
-];
-var DEFAULT_TIMEOUT_MS = 3e4;
 function findGitDir(from) {
   let dir = from;
   while (true) {
     const gitPath = path21.join(dir, ".git");
     if (fs16.existsSync(gitPath)) {
       const stat = fs16.statSync(gitPath);
-      if (stat.isDirectory()) {
-        return gitPath;
-      }
+      if (stat.isDirectory()) return gitPath;
       if (stat.isFile()) {
         const content = fs16.readFileSync(gitPath, "utf-8").trim();
         const match2 = content.match(/^gitdir:\s*(.+)$/);
-        if (match2) {
-          const resolved = path21.resolve(dir, match2[1]);
-          return resolved;
-        }
+        if (match2) return path21.resolve(dir, match2[1]);
       }
     }
     const parent = path21.dirname(dir);
@@ -130474,46 +130505,68 @@ function findGitDir(from) {
 function findProjectRoot(from) {
   let dir = from;
   while (true) {
-    if (fs16.existsSync(path21.join(dir, ".git"))) {
-      return dir;
-    }
+    if (fs16.existsSync(path21.join(dir, ".git"))) return dir;
     const parent = path21.dirname(dir);
     if (parent === dir) return null;
     dir = parent;
   }
 }
-function parseTimeout(value) {
-  const match2 = value.match(/^(\d+)\s*(s|ms|m)?$/);
-  if (!match2) return DEFAULT_TIMEOUT_MS;
-  const num = parseInt(match2[1], 10);
-  const unit = match2[2] || "s";
-  if (unit === "ms") return num;
-  if (unit === "m") return num * 6e4;
-  return num * 1e3;
-}
 function loadConfig(projectRoot) {
   const configPath = path21.join(projectRoot, ".truecourse", "hooks.yaml");
-  if (!fs16.existsSync(configPath)) return {};
+  if (!fs16.existsSync(configPath)) return null;
+  let parsed;
   try {
     const raw = fs16.readFileSync(configPath, "utf-8");
-    return jsYaml.load(raw) || {};
-  } catch {
-    return {};
+    parsed = jsYaml.load(raw) || {};
+  } catch (err) {
+    console.error(`Error parsing ${configPath}: ${err.message}`);
+    process.exit(1);
   }
+  const preCommit = parsed["pre-commit"] ?? {};
+  const rawBlockOn = preCommit["block-on"];
+  if (!Array.isArray(rawBlockOn)) {
+    console.error(
+      `Invalid ${configPath}: \`pre-commit.block-on\` must be an array of severity names.`
+    );
+    console.error(`  Valid severities: ${SEVERITIES2.join(", ")}`);
+    process.exit(1);
+  }
+  const invalid = rawBlockOn.filter(
+    (s) => typeof s !== "string" || !SEVERITIES2.includes(s)
+  );
+  if (invalid.length > 0) {
+    console.error(
+      `Invalid ${configPath}: unknown value(s) in \`pre-commit.block-on\`: ${invalid.map((v) => JSON.stringify(v)).join(", ")}`
+    );
+    console.error(`  Valid severities: ${SEVERITIES2.join(", ")}`);
+    process.exit(1);
+  }
+  return {
+    blockOn: rawBlockOn,
+    llm: preCommit.llm === true,
+    configPath
+  };
 }
-function getBlockRules(config2) {
-  return config2["pre-commit"]?.["block-on"] ?? DEFAULT_BLOCK_ON;
-}
-function getTimeoutMs(config2) {
-  const raw = config2["pre-commit"]?.timeout;
-  return raw ? parseTimeout(raw) : DEFAULT_TIMEOUT_MS;
-}
-function runHooksInstall() {
+var INSTALL_WARNING = "The pre-commit hook runs `truecourse analyze --diff` on every commit.\nCommits will take as long as a full diff analysis of this repo \u2014\non large repos that can be tens of seconds per commit.";
+async function runHooksInstall() {
   const gitDir = findGitDir(process.cwd());
   if (!gitDir) {
     console.error("Error: Not a git repository.");
     process.exit(1);
   }
+  if (isInteractive()) {
+    O2.warn(INSTALL_WARNING);
+    const proceed = await ot2({
+      message: "Install the pre-commit hook?",
+      initialValue: false
+    });
+    if (q(proceed) || !proceed) {
+      pt("Install cancelled.");
+      process.exit(0);
+    }
+  } else {
+    console.log(INSTALL_WARNING);
+  }
   const hooksDir = path21.join(gitDir, "hooks");
   fs16.mkdirSync(hooksDir, { recursive: true });
   const hookPath = path21.join(hooksDir, "pre-commit");
@@ -130531,6 +130584,16 @@ function runHooksInstall() {
   fs16.writeFileSync(hookPath, HOOK_SCRIPT, { mode: 493 });
   console.log("TrueCourse pre-commit hook installed.");
   console.log(`  ${hookPath}`);
+  const projectRoot = findProjectRoot(process.cwd());
+  if (projectRoot) {
+    const cfgDir = path21.join(projectRoot, ".truecourse");
+    const cfgPath = path21.join(cfgDir, "hooks.yaml");
+    if (!fs16.existsSync(cfgPath)) {
+      fs16.mkdirSync(cfgDir, { recursive: true });
+      fs16.writeFileSync(cfgPath, HOOKS_YAML_TEMPLATE);
+      console.log(`  ${cfgPath} (starter config \u2014 edit to customize, commit to share with the team)`);
+    }
+  }
 }
 function runHooksUninstall() {
   const gitDir = findGitDir(process.cwd());
@@ -130568,125 +130631,97 @@ function runHooksStatus() {
   }
   const projectRoot = findProjectRoot(process.cwd());
   if (projectRoot) {
-    const configPath = path21.join(projectRoot, ".truecourse", "hooks.yaml");
-    if (fs16.existsSync(configPath)) {
-      console.log(`
-Config: ${configPath}`);
-      const config2 = loadConfig(projectRoot);
-      const blockRules = getBlockRules(config2);
-      console.log("Block on:");
-      for (const rule of blockRules) {
-        if (typeof rule === "string") {
-          console.log(`  - ${rule}`);
-        } else {
-          console.log(`  - severity: ${rule.severity}`);
-        }
-      }
-      const timeoutMs = getTimeoutMs(config2);
-      console.log(`Timeout: ${timeoutMs / 1e3}s`);
+    const cfg = loadConfig(projectRoot);
+    if (!cfg) {
+      console.log(
+        "\nNo `.truecourse/hooks.yaml` \u2014 hook has no policy. Run `truecourse hooks install` to generate one."
+      );
     } else {
-      console.log("\nNo config file. Using defaults (block on: security/deterministic/hardcoded-secret, severity: critical).");
-    }
-  }
-}
-function shouldBlock(violation, blockRules) {
-  for (const rule of blockRules) {
-    if (typeof rule === "string") {
-      if (violation.ruleKey === rule || violation.ruleKey.endsWith(`/${rule}`)) {
-        return true;
-      }
-    } else if (rule.severity) {
-      if (violation.severity.toLowerCase() === rule.severity.toLowerCase()) {
-        return true;
-      }
+      console.log(`
+Config: ${cfg.configPath}`);
+      console.log(`Block on severities: ${cfg.blockOn.join(", ")}`);
+      console.log(`LLM rules on commit: ${cfg.llm ? "enabled (tokens per commit)" : "disabled"}`);
     }
   }
-  return false;
 }
 async function runHooksRun() {
-  const startTime = Date.now();
   process.stdout.write("TrueCourse pre-commit check...");
   const projectRoot = findProjectRoot(process.cwd());
   if (!projectRoot) {
     console.log(" skipped (not a git repository)");
     process.exit(0);
   }
-  const config2 = loadConfig(projectRoot);
-  const blockRules = getBlockRules(config2);
-  const timeoutMs = getTimeoutMs(config2);
-  let stagedFiles;
+  let hasStaged = false;
   try {
     const output = execSync5("git diff --cached --name-only --diff-filter=ACM", {
       encoding: "utf-8",
       cwd: projectRoot
     }).trim();
-    stagedFiles = output ? output.split("\n") : [];
+    hasStaged = output.length > 0;
   } catch {
     console.log(" skipped (git error)");
     process.exit(0);
   }
-  if (stagedFiles.length === 0) {
+  if (!hasStaged) {
     console.log(" \u2714 passed (no staged files)");
     process.exit(0);
   }
-  let parseCode2;
-  let detectLanguage2;
-  let checkCodeRules2;
-  let CODE_RULES2;
-  try {
-    const analyzer = await Promise.resolve().then(() => (init_dist6(), dist_exports2));
-    parseCode2 = analyzer.parseCode;
-    detectLanguage2 = analyzer.detectLanguage;
-    checkCodeRules2 = analyzer.checkCodeRules;
-    CODE_RULES2 = analyzer.CODE_RULES;
-    await analyzer.initParsers();
-  } catch {
-    console.log(" skipped (analyzer not available)");
+  const cfg = loadConfig(projectRoot);
+  if (!cfg) {
+    console.log(" skipped");
+    console.error(
+      "No `.truecourse/hooks.yaml` found. The pre-commit hook has no policy to\nenforce \u2014 run `truecourse hooks install` to generate one."
+    );
     process.exit(0);
   }
-  const supportedFiles = stagedFiles.filter((f) => detectLanguage2(f) !== null);
-  if (supportedFiles.length === 0) {
-    console.log(" \u2714 passed");
-    process.exit(0);
+  const repoDir = resolveRepoDir(process.cwd());
+  const project = repoDir ? getProjectByPath(repoDir) ?? registerProject(repoDir) : null;
+  if (!project || !readLatest(project.path)) {
+    console.log("");
+    console.error(
+      "No baseline analysis yet. Run `truecourse analyze` once in this repo before\nthe pre-commit hook can block new violations. Or bypass this commit with\n`git commit --no-verify`."
+    );
+    process.exit(1);
   }
-  const allViolations = [];
-  for (const filePath of supportedFiles) {
-    if (Date.now() - startTime > timeoutMs) {
-      console.log("\n  Warning: timeout reached, skipping remaining files.");
-      break;
-    }
-    const language = detectLanguage2(filePath);
-    if (!language) continue;
-    let content;
-    try {
-      content = execSync5(`git show ":${filePath}"`, {
-        encoding: "utf-8",
-        cwd: projectRoot,
-        maxBuffer: 5 * 1024 * 1024
-        // 5MB
-      });
-    } catch {
-      continue;
-    }
-    try {
-      const tree = parseCode2(content, language);
-      const violations = checkCodeRules2(tree, filePath, content, CODE_RULES2, language);
-      allViolations.push(...violations);
-    } catch {
-      continue;
+  const abortController = new AbortController();
+  const onSigint = () => abortController.abort();
+  process.on("SIGINT", onSigint);
+  process.stdout.write(" running analysis...");
+  let newViolations;
+  try {
+    const { diff } = await diffInProcess(project, {
+      signal: abortController.signal,
+      enableLlmRulesOverride: cfg.llm,
+      // Pre-approved: the user opted into LLM-in-hook by setting llm: true
+      // in hooks.yaml, so we don't re-prompt for the token cost estimate.
+      onLlmEstimate: async () => true
+    });
+    newViolations = diff.newViolations;
+  } catch (err) {
+    console.log("");
+    if (err instanceof DOMException && err.name === "AbortError") {
+      console.error("Pre-commit check cancelled.");
+      process.exit(130);
     }
+    console.error(`Pre-commit check failed: ${err instanceof Error ? err.message : String(err)}`);
+    process.exit(1);
+  } finally {
+    process.removeListener("SIGINT", onSigint);
   }
-  const blocking = allViolations.filter((v) => shouldBlock(v, blockRules));
+  const blockSet = new Set(cfg.blockOn);
+  const blocking = newViolations.filter((v) => blockSet.has(v.severity.toLowerCase()));
   if (blocking.length === 0) {
-    console.log(" \u2714 passed");
+    console.log(` \u2714 passed (${newViolations.length} new violations, none at or above ${cfg.blockOn.join("/")})`);
     process.exit(0);
   }
   console.log("\n");
   for (const v of blocking) {
     const icon = severityIcon(v.severity);
     const color = severityColor(v.severity);
+    const location = v.filePath ? `${v.filePath}${v.lineStart ? `:${v.lineStart}` : ""}` : "(no file)";
     console.log(` ${color(`${icon} BLOCKED`)}: ${v.title}`);
-    console.log(`   ${v.filePath}:${v.lineStart} \u2014 ${v.content}`);
+    console.log(`   ${location} \u2014 ${v.content}`);
+    if (v.fixPrompt) console.log(`   Fix: ${v.fixPrompt}`);
     console.log("");
   }
   console.log("Commit blocked. Fix the issue or bypass with --no-verify.");
@@ -130695,7 +130730,7 @@ async function runHooksRun() {
 
 // tools/cli/src/index.ts
 var program2 = new Command();
-program2.name("truecourse").version("0.5.1").description("TrueCourse CLI \u2014 analyze your repository and open the dashboard");
+program2.name("truecourse").version("0.5.3").description("TrueCourse CLI \u2014 analyze your repository and open the dashboard");
 var dashboardCmd = program2.command("dashboard").description("Start the TrueCourse dashboard and open it in your browser").option("--reconfigure", "Re-prompt for console vs background service mode").option("--service", "Run as a background service (skips mode prompt)").option("--console", "Run in this terminal (skips mode prompt)").action(async (options) => {
   if (options.service && options.console) {
     console.error("error: --service and --console are mutually exclusive");
@@ -130774,8 +130809,8 @@ telemetryCmd.command("status").description("Show current telemetry status").acti
   }
 });
 var hooksCmd = program2.command("hooks").description("Manage git hooks");
-hooksCmd.command("install").description("Install pre-commit hook").action(() => {
-  runHooksInstall();
+hooksCmd.command("install").description("Install pre-commit hook").action(async () => {
+  await runHooksInstall();
 });
 hooksCmd.command("uninstall").description("Remove pre-commit hook").action(() => {
   runHooksUninstall();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "truecourse",
-  "version": "0.5.1",
+  "version": "0.5.3",
   "description": "Visualize your codebase architecture as an interactive graph",
   "type": "module",
   "bin": {
@@ -21,6 +21,10 @@
     "node-windows": "^1.0.0-beta.8"
   },
   "license": "MIT",
+  "author": {
+    "name": "Mushegh Gevorgyan",
+    "email": "mushegh@truecourse.dev"
+  },
   "repository": {
     "type": "git",
     "url": "https://github.com/truecourse-ai/truecourse"

package/skills/truecourse/truecourse-analyze/SKILL.md

@@ -18,7 +18,7 @@ Run architecture analysis on the current repository using TrueCourse.
 - **Full analysis** stashes any uncommitted changes, analyzes the clean working tree, then unstashes. The user's uncommitted work is preserved.
 - **Diff check** analyzes the full working tree (including uncommitted changes — it does NOT stash) and compares the result against the last full analysis baseline. The report lists violations newly introduced and violations resolved since that baseline. Prefer diff for in-progress work where the user is iterating on changes.
 - **Always invoke via `npx -y`** — without `-y`, npx will hang on the "Ok to proceed?" prompt whenever the user hasn't cached the latest `truecourse` version (which happens every time we publish a new release).
-- **LLM rules cost real money.** Never pass `--llm` without first relaying the cost estimate to the user and getting approval. See the LLM flow below.
+- **LLM rules cost tokens.** Never pass `--llm` without first relaying the token estimate to the user and getting approval. See the LLM flow below.
 
 ## Instructions
 
@@ -30,7 +30,7 @@ Ask the user whether they want a **full analysis** or a **diff check**. If they
 
 ### 2. Decide on LLM rules
 
-LLM rules add higher-value insights but cost money per run. Ask the user one question: **"Run LLM-powered rules this time?"** If the user is unsure, offer to run deterministic-only first (free, fast) and add LLM later.
+LLM rules add higher-value insights but cost tokens per run. Ask the user one question: **"Run LLM-powered rules this time?"** If the user is unsure, offer to run deterministic-only first (no tokens, fast) and add LLM later.
 
 - If **user approves LLM**: append `--llm` to the command.
 - If **user declines LLM or wants a free run**: append `--no-llm`.

package/skills/truecourse/truecourse-hooks/SKILL.md

@@ -0,0 +1,86 @@
+---
+name: truecourse-hooks
+description: Install, configure, or remove the TrueCourse pre-commit hook
+user_invocable: true
+triggers:
+  - install the pre-commit hook
+  - set up truecourse hooks
+  - enable truecourse hook
+  - check hook status
+  - remove pre-commit hook
+  - change what the hook blocks
+  - edit hook config
+---
+
+# TrueCourse Hooks
+
+Install, configure, and manage the pre-commit hook that blocks new violations before they land in git.
+
+## Important
+
+- **Always invoke via `npx -y`** — without `-y`, npx will hang on the "Ok to proceed?" prompt whenever the user hasn't cached the latest `truecourse` version.
+- **The hook makes commits slower.** Every commit runs `truecourse analyze --diff`. On large repos that can be tens of seconds per commit. Make sure the user knows before you install.
+- **Baseline required.** The hook needs a `truecourse analyze` to have run at least once in the repo — otherwise every commit is blocked with "run analyze first". If the user hasn't, suggest running `/truecourse-analyze` first (or `npx -y truecourse analyze`).
+- **`hooks.yaml` is the single source of truth.** Installation creates `<repo>/.truecourse/hooks.yaml` with defaults; edit it to change policy. The file is meant to be committed so the whole team shares one hook config.
+
+## Instructions
+
+### 1. Figure out what the user wants
+
+- "install", "set up", "enable" → **Install flow**
+- "status", "is the hook active", "what does it block" → **Status flow**
+- "uninstall", "remove", "disable" → **Uninstall flow**
+- "change what blocks", "make it stricter/looser", "add/remove severities", "enable LLM" → **Configure flow**
+
+### 2. Install flow
+
+1. Tell the user the tradeoff upfront: commits will be slower; this repo needs a `truecourse analyze` baseline; policy lives in `.truecourse/hooks.yaml` which they should commit.
+2. Run:
+   ```
+   npx -y truecourse hooks install
+   ```
+3. Relay the output. Two files get created:
+   - `.git/hooks/pre-commit` (the script git invokes)
+   - `.truecourse/hooks.yaml` (starter policy, blocks `critical` and `high` by default, LLM off)
+4. If the user hasn't run a full analysis in this repo, suggest `/truecourse-analyze` — without it, every commit will be blocked with "no baseline" until they do.
+
+### 3. Status flow
+
+Run:
+```
+npx -y truecourse hooks status
+```
+Relay the output. It reports whether the hook is installed, the config path, the block severities, and whether LLM is on.
+
+### 4. Uninstall flow
+
+Run:
+```
+npx -y truecourse hooks uninstall
+```
+Only removes the git hook script. `hooks.yaml` is preserved (it's team policy, not install state).
+
+### 5. Configure flow
+
+The config lives at `<repo>/.truecourse/hooks.yaml`. Use the Read and Edit tools — do not shell out through `truecourse` for edits.
+
+Schema:
+```yaml
+pre-commit:
+  block-on: [critical, high]   # valid: info, low, medium, high, critical
+  llm: false                   # true = LLM rules on every commit (tokens per commit)
+```
+
+Common edits the user might ask for:
+- **Stricter** ("block medium too"): `block-on: [critical, high, medium]`
+- **Permissive** ("only block criticals"): `block-on: [critical]`
+- **Enable LLM** ("run full checks on commit"): set `llm: true`. Warn the user this spends tokens on every commit — confirm before flipping it.
+
+After editing, run `npx -y truecourse hooks status` so they can verify the parsed values match their intent.
+
+### 6. When the user hits a blocked commit
+
+If a user comes to you saying "my commit got blocked" or similar:
+- The hook's stdout already listed the blocking violations (file, line, title, severity).
+- Offer to run `/truecourse-fix` to apply fix suggestions to those violations.
+- If they want to ship anyway, remind them of `git commit --no-verify` (standard git bypass).