xtrm-tools 2.4.3 → 2.4.6

package/hooks/beads-gate-core.mjs

@@ -10,10 +10,12 @@
 import { readFileSync } from 'node:fs';
 import {
   resolveCwd,
+  resolveSessionId,
   isBeadsProject,
   getSessionClaim,
   getTotalWork,
   getInProgress,
+  isIssueInProgress,
 } from './beads-gate-utils.mjs';
 
 // ── Input parsing ────────────────────────────────────────────────────────────
@@ -41,7 +43,7 @@ export function resolveSessionContext(input) {
   if (!cwd) return null;
   return {
     cwd,
-    sessionId: input.session_id ?? null,
+    sessionId: resolveSessionId(input),
     isBeadsProject: isBeadsProject(cwd),
   };
 }
@@ -68,6 +70,7 @@ export function resolveClaimAndWorkState(ctx) {
     return {
       claimed: !!claimId,
       claimId: claimId || null,
+      claimInProgress: claimId ? isIssueInProgress(claimId, ctx.cwd) : false,
       totalWork,
       inProgress,
     };
@@ -77,6 +80,7 @@ export function resolveClaimAndWorkState(ctx) {
   return {
     claimed: false,
     claimId: null,
+    claimInProgress: false,
     totalWork,
     inProgress,
   };
@@ -154,16 +158,16 @@ export function decideCommitGate(ctx, state) {
     return { allow: true };
   }
 
-  // Has claim but no in_progress issues → allow (stale/already-closed claim)
-  if (!state.inProgress || state.inProgress.count === 0) {
+  // Claimed issue is no longer in_progress → allow (closed or transferred to another agent)
+  if (!state.claimInProgress) {
     return { allow: true };
   }
 
-  // Has claim + in_progress issues → block (need to close first)
+  // Session's own claimed issue is still in_progress → block (need to close first)
   return {
     allow: false,
     reason: 'unclosed_claim',
-    summary: state.inProgress.summary,
+    summary: `  Claimed: ${state.claimId} (still in_progress)`,
     claimed: state.claimId,
   };
 }
@@ -196,16 +200,16 @@ export function decideStopGate(ctx, state) {
     return { allow: true };
   }
 
-  // Has claim but no in_progress issues → allow (stale claim)
-  if (!state.inProgress || state.inProgress.count === 0) {
+  // Claimed issue is no longer in_progress → allow (stale claim)
+  if (!state.claimInProgress) {
     return { allow: true };
   }
 
-  // Has claim + in_progress issues → block
+  // Session's own claimed issue is still in_progress → block
   return {
     allow: false,
     reason: 'unclosed_claim',
-    summary: state.inProgress.summary,
+    summary: `  Claimed: ${state.claimId} (still in_progress)`,
     claimed: state.claimId,
   };
 }

package/hooks/beads-gate-messages.mjs

@@ -68,34 +68,16 @@ export function stopBlockMessage(summary, claimed) {
   );
 }
 
-export function stopBlockWaitingMergeMessage(state) {
-  const pr = state.prNumber != null ? `#${state.prNumber}` : '(PR pending)';
-  const prUrl = state.prUrl ? `\nPR: ${state.prUrl}` : '';
-  return (
-    `🚫 PR ${pr} not yet merged. Run: xtrm finish\n` +
-    `${prUrl}\n` +
-    `Worktree: ${state.worktreePath}\n`
-  );
-}
-
-export function stopBlockConflictingMessage(state) {
-  const conflicts = Array.isArray(state.conflictFiles) && state.conflictFiles.length > 0
-    ? state.conflictFiles.join(', ')
-    : 'unknown files';
-  return (
-    `🚫 Merge conflicts in: ${conflicts}. Resolve, push, then: xtrm finish\n` +
-    `Worktree: ${state.worktreePath}\n`
-  );
-}
+// ── Memory gate messages ─────────────────────────────────────────
 
-export function stopWarnActiveWorktreeMessage(state) {
+export function memoryGatePendingMessage() {
   return (
-    `⚠ Session has an active worktree at ${state.worktreePath}. Consider running: xtrm finish\n`
+    '🧠 Memory gate pending — evaluate insights before continuing.\n' +
+    '  YES → bd remember "<insight>"   NO → note "nothing to persist"\n' +
+    '  Then acknowledge: touch .beads/.memory-gate-done\n'
   );
 }
 
-// ── Memory gate messages ─────────────────────────────────────────
-
 export function memoryPromptMessage() {
   return (
     '🧠 Memory gate: for each closed issue, worth persisting?\n' +

package/hooks/beads-gate-utils.mjs

@@ -13,6 +13,14 @@ export function resolveCwd(input) {
   return input.cwd ?? process.env.CLAUDE_PROJECT_DIR ?? process.cwd();
 }
 
+/**
+ * Resolve a stable session key for beads hooks.
+ * Priority: explicit hook session id -> cwd fallback.
+ */
+export function resolveSessionId(input) {
+  return input?.session_id ?? input?.sessionId ?? resolveCwd(input);
+}
+
 /** Return true if the directory contains a .beads project. */
 export function isBeadsProject(cwd) {
   return existsSync(join(cwd, '.beads'));
@@ -71,6 +79,23 @@ export function getInProgress(cwd) {
   }
 }
 
+/**
+ * Return true if a specific issue ID is currently in in_progress status.
+ * Used by commit/stop gates to scope the check to the session's own claimed issue.
+ * Returns false (fail open) if bd is unavailable.
+ */
+export function isIssueInProgress(issueId, cwd) {
+  if (!issueId) return false;
+  try {
+    const output = execSync('bd list --status=in_progress', {
+      encoding: 'utf8', cwd, stdio: ['pipe', 'pipe', 'pipe'], timeout: 8000,
+    });
+    return output.includes(issueId);
+  } catch {
+    return false;
+  }
+}
+
 /**
  * Count total trackable work (open + in_progress issues) using a single bd list call.
  * Returns the count, or null if bd is unavailable.
@@ -90,6 +115,42 @@ export function getTotalWork(cwd) {
   }
 }
 
+/**
+ * Get the closed-this-session issue ID for a session from bd kv.
+ * Returns: issue ID string if set, '' if not set, null if bd kv unavailable.
+ */
+export function getClosedThisSession(sessionId, cwd) {
+  try {
+    return execSync(`bd kv get "closed-this-session:${sessionId}"`, {
+      encoding: 'utf8',
+      cwd,
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: 5000,
+    }).trim();
+  } catch (err) {
+    if (err.status === 1) return ''; // key not found
+    return null;                     // bd kv unavailable
+  }
+}
+
+/**
+ * Return true if the memory gate is pending acknowledgment for this session.
+ * Pending = closed-this-session kv is set AND .beads/.memory-gate-done marker is absent.
+ */
+export function isMemoryGatePending(sessionId, cwd) {
+  if (existsSync(join(cwd, '.beads', '.memory-gate-done'))) return false;
+  const closed = getClosedThisSession(sessionId, cwd);
+  return !!closed; // null (unavailable) is falsy → fail open
+}
+
+/**
+ * Return true if a Bash command is a memory-gate acknowledgment command.
+ * These commands are allowed even while the memory gate is pending.
+ */
+export function isMemoryAckCommand(command) {
+  return /\bbd\s+remember\b/.test(command) || /\btouch\s+\.beads\/\.memory-gate-done\b/.test(command);
+}
+
 /**
  * Clear the session claim key from bd kv. Non-fatal — best-effort cleanup.
  */
@@ -115,7 +176,10 @@ export function clearSessionClaim(sessionId, cwd) {
 export function withSafeBdContext(fn) {
   try {
     fn();
-  } catch {
+  } catch (err) {
+    if (err instanceof TypeError || err instanceof ReferenceError || err instanceof SyntaxError) {
+      throw err;
+    }
     process.exit(0);
   }
 }

package/hooks/beads-memory-gate.mjs

@@ -11,7 +11,7 @@ import { execSync } from 'node:child_process';
 import { existsSync, unlinkSync } from 'node:fs';
 import { join } from 'node:path';
 import { readHookInput } from './beads-gate-core.mjs';
-import { resolveCwd, isBeadsProject, getSessionClaim, clearSessionClaim } from './beads-gate-utils.mjs';
+import { resolveCwd, resolveSessionId, isBeadsProject, getSessionClaim, clearSessionClaim } from './beads-gate-utils.mjs';
 import { memoryPromptMessage } from './beads-gate-messages.mjs';
 
 const input = readHookInput();
@@ -20,8 +20,7 @@ if (!input) process.exit(0);
 const cwd = resolveCwd(input);
 if (!cwd || !isBeadsProject(cwd)) process.exit(0);
 
-const sessionId = input.session_id ?? null;
-if (!sessionId) process.exit(0);
+const sessionId = resolveSessionId(input);
 
 // Agent signals evaluation complete by touching this marker, then stops again
 const marker = join(cwd, '.beads', '.memory-gate-done');

package/hooks/beads-stop-gate.mjs

@@ -11,52 +11,11 @@ import {
   decideStopGate,
 } from './beads-gate-core.mjs';
 import { withSafeBdContext } from './beads-gate-utils.mjs';
-import {
-  stopBlockMessage,
-  stopBlockWaitingMergeMessage,
-  stopBlockConflictingMessage,
-  stopWarnActiveWorktreeMessage,
-} from './beads-gate-messages.mjs';
-import { readSessionState } from './session-state.mjs';
+import { stopBlockMessage } from './beads-gate-messages.mjs';
 
 const input = readHookInput();
 if (!input) process.exit(0);
 
-function evaluateSessionState(cwd) {
-  const state = readSessionState(cwd);
-  if (!state) return { allow: true };
-
-  if (state.phase === 'cleanup-done' || state.phase === 'merged') {
-    return { allow: true, state };
-  }
-
-  if (state.phase === 'waiting-merge' || state.phase === 'pending-cleanup') {
-    return {
-      allow: false,
-      state,
-      message: stopBlockWaitingMergeMessage(state),
-    };
-  }
-
-  if (state.phase === 'conflicting') {
-    return {
-      allow: false,
-      state,
-      message: stopBlockConflictingMessage(state),
-    };
-  }
-
-  if (state.phase === 'claimed' || state.phase === 'phase1-done') {
-    return {
-      allow: true,
-      state,
-      warning: stopWarnActiveWorktreeMessage(state),
-    };
-  }
-
-  return { allow: true, state };
-}
-
 withSafeBdContext(() => {
   const ctx = resolveSessionContext(input);
   if (!ctx || !ctx.isBeadsProject) process.exit(0);
@@ -69,15 +28,5 @@ withSafeBdContext(() => {
     process.exit(2);
   }
 
-  const sessionDecision = evaluateSessionState(ctx.cwd);
-  if (!sessionDecision.allow) {
-    process.stderr.write(sessionDecision.message);
-    process.exit(2);
-  }
-
-  if (sessionDecision.warning) {
-    process.stderr.write(sessionDecision.warning);
-  }
-
   process.exit(0);
 });

package/hooks/branch-state.mjs

@@ -5,8 +5,7 @@
 // Output: { hookSpecificOutput: { additionalSystemPrompt } }
 
 import { execSync } from 'node:child_process';
-import { readFileSync, existsSync } from 'node:fs';
-import { join } from 'node:path';
+import { readFileSync } from 'node:fs';
 
 function readInput() {
   try { return JSON.parse(readFileSync(0, 'utf-8')); } catch { return null; }
@@ -16,36 +15,25 @@ function getBranch(cwd) {
   try {
     return execSync('git branch --show-current', {
       encoding: 'utf8', cwd,
-      stdio: ['pipe', 'pipe', 'pipe'], timeout: 3000,
+      stdio: ['pipe', 'pipe', 'pipe'], timeout: 2000,
     }).trim() || null;
   } catch { return null; }
 }
 
-function getSessionClaim(sessionId, cwd) {
-  try {
-    const out = execSync(`bd kv get "claimed:${sessionId}"`, {
-      encoding: 'utf8', cwd,
-      stdio: ['pipe', 'pipe', 'pipe'], timeout: 3000,
-    }).trim();
-    return out || null;
-  } catch { return null; }
-}
+try {
+  const input = readInput();
+  if (!input) process.exit(0);
 
-const input = readInput();
-if (!input) process.exit(0);
+  const cwd = input.cwd || process.cwd();
+  const branch = getBranch(cwd);
 
-const cwd = input.cwd || process.cwd();
-const sessionId = input.session_id ?? input.sessionId;
-const branch = getBranch(cwd);
-const isBeads = existsSync(join(cwd, '.beads'));
-const claim = isBeads && sessionId ? getSessionClaim(sessionId, cwd) : null;
+  if (!branch) process.exit(0);
 
-if (!branch && !claim) process.exit(0);
-
-const context = `[Context: branch=${branch ?? 'unknown'}${claim ? ', claim=' + claim : ''}]`;
-
-process.stdout.write(JSON.stringify({
-  hookSpecificOutput: { additionalSystemPrompt: context },
-}));
-process.stdout.write('\n');
-process.exit(0);
+  process.stdout.write(JSON.stringify({
+    hookSpecificOutput: { additionalSystemPrompt: `[Context: branch=${branch}]` },
+  }));
+  process.stdout.write('\n');
+  process.exit(0);
+} catch {
+  process.exit(0);
+}

package/hooks/guard-rules.mjs

@@ -65,6 +65,7 @@ export const SAFE_BASH_PREFIXES = [
   'gh',
   'bd',
   'npx gitnexus',
+  'xtrm finish',
   // Read-only filesystem
   'cat',
   'ls',

package/hooks/hooks.json

@@ -1,48 +1,6 @@
 {
   "hooks": {
-    "PreToolUse": [
-      {
-        "matcher": "Edit|Write|MultiEdit|NotebookEdit|mcp__serena__rename_symbol|mcp__serena__replace_symbol_body|mcp__serena__insert_after_symbol|mcp__serena__insert_before_symbol",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/main-guard.mjs",
-            "timeout": 5000
-          },
-          {
-            "type": "command",
-            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/beads-edit-gate.mjs",
-            "timeout": 5000
-          }
-        ]
-      },
-      {
-        "matcher": "Bash",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/main-guard.mjs",
-            "timeout": 5000
-          },
-          {
-            "type": "command",
-            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/beads-commit-gate.mjs",
-            "timeout": 5000
-          }
-        ]
-      }
-    ],
     "PostToolUse": [
-      {
-        "matcher": "Bash",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/main-guard-post-push.mjs",
-            "timeout": 5000
-          }
-        ]
-      },
       {
         "matcher": "Bash|execute_shell_command|bash",
         "hooks": [
@@ -110,6 +68,28 @@
         ]
       }
     ],
+    "PreToolUse": [
+      {
+        "matcher": "Edit|Write|MultiEdit|NotebookEdit|mcp__serena__rename_symbol|mcp__serena__replace_symbol_body|mcp__serena__insert_after_symbol|mcp__serena__insert_before_symbol",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/beads-edit-gate.mjs",
+            "timeout": 5000
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/beads-commit-gate.mjs",
+            "timeout": 5000
+          }
+        ]
+      }
+    ],
     "PreCompact": [
       {
         "hooks": [

package/hooks/main-guard.mjs

@@ -17,12 +17,10 @@ try {
   }).trim();
 } catch {}
 
-// Determine protected branches — env var override for tests and custom setups
 const protectedBranches = process.env.MAIN_GUARD_PROTECTED_BRANCHES
   ? process.env.MAIN_GUARD_PROTECTED_BRANCHES.split(',').map(b => b.trim()).filter(Boolean)
   : ['main', 'master'];
 
-// Not in a git repo or not on a protected branch — allow
 if (!branch || !protectedBranches.includes(branch)) {
   process.exit(0);
 }
@@ -35,19 +33,14 @@ try {
 }
 
 const tool = input.tool_name ?? '';
-const hookEventName = input.hook_event_name ?? 'PreToolUse';
 const cwd = input.cwd || process.cwd();
 
 function deny(reason) {
-  process.stdout.write(JSON.stringify({
-    decision: 'block',
-    reason,
-  }));
+  process.stdout.write(JSON.stringify({ decision: 'block', reason }));
   process.stdout.write('\n');
   process.exit(0);
 }
 
-// Check for existing worktree/session state
 function getSessionState(cwd) {
   const statePath = join(cwd, '.xtrm-session-state.json');
   if (!existsSync(statePath)) return null;
@@ -58,64 +51,52 @@ function getSessionState(cwd) {
   }
 }
 
+function normalizeGitCCommand(cmd) {
+  const match = cmd.match(/^git\s+-C\s+(?:"[^"]+"|'[^']+'|\S+)\s+(.+)$/);
+  if (match?.[1]) return `git ${match[1]}`;
+  return cmd;
+}
+
 if (WRITE_TOOLS.includes(tool)) {
-  const state = getSessionState(cwd);
-  if (state?.worktreePath) {
-    deny(`⛔ On '${branch}' — worktree already created.\n`
-      + `  cd ${state.worktreePath}\n`);
-  }
   deny(`⛔ On '${branch}' — start on a feature branch and claim an issue.\n`
-    + '  git checkout -b feature/<name>\n'
+    + '  git checkout -b feature/<name>  (or: git switch -c feature/<name>)\n'
     + '  bd update <id> --claim\n');
 }
 
-const WORKFLOW =
-  '  1. git checkout -b feature/<name>\n'
-  + '  2. bd create + bd update in_progress\n'
-  + '  3. bd close <id> && git add && git commit\n'
-  + '  4. git push -u origin feature/<name>\n'
-  + '  5. gh pr create --fill && gh pr merge --squash\n';
-
 if (tool === 'Bash') {
   const cmd = (input.tool_input?.command ?? '').trim().replace(/\s+/g, ' ');
+  const normalizedCmd = normalizeGitCCommand(cmd);
+  const state = getSessionState(cwd);
 
-  // Emergency override — escape hatch for power users
   if (process.env.MAIN_GUARD_ALLOW_BASH === '1') {
     process.exit(0);
   }
 
-  // Enforce squash-only PR merges for linear history
-  // Must check BEFORE the gh allowlist pattern
   if (/^gh\s+pr\s+merge\b/.test(cmd)) {
     if (!/--squash\b/.test(cmd)) {
       deny('⛔ Squash only: gh pr merge --squash\n'
         + '  (override: MAIN_GUARD_ALLOW_BASH=1 gh pr merge --merge)\n');
     }
-    // --squash present — allow
     process.exit(0);
   }
 
-  // Safe allowlist — non-mutating commands + explicit branch-exit paths.
-  // Important: do not allow generic checkout/switch forms, which include
-  // mutating variants such as `git checkout -- <path>`.
   const SAFE_BASH_PATTERNS = [
     ...SAFE_BASH_PREFIXES.map(prefix => new RegExp(`^${prefix.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}\\b`)),
-    // Allow post-merge sync to protected branch only (not arbitrary origin refs)
     ...protectedBranches.map(b => new RegExp(`^git\\s+reset\\s+--hard\\s+origin/${b}\\b`)),
   ];
 
-  if (SAFE_BASH_PATTERNS.some(p => p.test(cmd))) {
+  if (SAFE_BASH_PATTERNS.some(p => p.test(cmd) || p.test(normalizedCmd))) {
     process.exit(0);
   }
 
-  // Specific messages for common blocked operations
-  if (/^git\s+commit\b/.test(cmd)) {
-    deny(`⛔ No commits on '${branch}' — use a feature branch.\n`
-      + '  git checkout -b feature/<name>\n');
+  if (/\bgit\s+commit\b/.test(normalizedCmd)) {
+    deny(`⛔ No commits on '${branch}' — use a feature branch/worktree.\n`
+      + '  git checkout -b feature/<name>\n'
+      + '  bd update <id> --claim\n');
   }
 
-  if (/^git\s+push\b/.test(cmd)) {
-    const tokens = cmd.split(' ');
+  if (/\bgit\s+push\b/.test(normalizedCmd)) {
+    const tokens = normalizedCmd.split(' ');
     const lastToken = tokens[tokens.length - 1];
     const explicitProtected = protectedBranches.some(b => lastToken === b || lastToken.endsWith(`:${b}`));
     const impliedProtected = tokens.length <= 3 && protectedBranches.includes(branch);
@@ -123,13 +104,15 @@ if (tool === 'Bash') {
       deny(`⛔ No direct push to '${branch}' — push a feature branch and open a PR.\n`
         + '  git push -u origin <feature-branch> && gh pr create --fill\n');
     }
-    // Pushing to a feature branch — allow
     process.exit(0);
   }
 
-  // Default deny — block everything else on protected branches
-  deny(`⛔ Bash restricted on '${branch}'. Allowed: git status/log/diff/pull/stash, gh, bd.\n`
-    + '  Exit: git checkout -b feature/<name>\n'
+  const handoff = state?.worktreePath
+    ? `  Active worktree session recorded: ${state.worktreePath}\n  (Current workaround) use feature branch flow until worktree bug is fixed.\n`
+    : '  Exit: git checkout -b feature/<name>  (or: git switch -c feature/<name>)\n  Then: bd update <id> --claim\n';
+
+  deny(`⛔ Bash restricted on '${branch}'. Allowed: read-only commands, gh, bd, git checkout -b, git switch -c.\n`
+    + handoff
     + '  Override: MAIN_GUARD_ALLOW_BASH=1 <cmd>\n');
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "xtrm-tools",
-  "version": "2.4.3",
+  "version": "2.4.6",
   "description": "Claude Code tools installer (skills, hooks, MCP servers)",
   "license": "MIT",
   "type": "module",

package/config/pi/extensions/main-guard-post-push.ts

@@ -1,44 +0,0 @@
-import type { ExtensionAPI, ToolResultEvent } from "@mariozechner/pi-coding-agent";
-import { isBashToolResult } from "@mariozechner/pi-coding-agent";
-import { SubprocessRunner, Logger } from "./core/lib";
-
-const logger = new Logger({ namespace: "main-guard-post-push" });
-
-export default function (pi: ExtensionAPI) {
-	const getProtectedBranches = (): string[] => {
-		const env = process.env.MAIN_GUARD_PROTECTED_BRANCHES;
-		if (env) return env.split(",").map(b => b.trim()).filter(Boolean);
-		return ["main", "master"];
-	};
-
-	pi.on("tool_result", async (event, ctx) => {
-		const cwd = ctx.cwd || process.cwd();
-		if (!isBashToolResult(event) || event.isError) return undefined;
-
-		const cmd = event.input.command.trim();
-		if (!/\bgit\s+push\b/.test(cmd)) return undefined;
-
-		// Check if we pushed to a protected branch
-		const protectedBranches = getProtectedBranches();
-		const tokens = cmd.split(/\s+/);
-		const lastToken = tokens[tokens.length - 1];
-		if (protectedBranches.some(b => lastToken === b || lastToken.endsWith(`:${b}`))) {
-			return undefined;
-		}
-
-		// Success! Suggest PR workflow
-		const reminder = "\n\n**Main-Guard**: Push successful. Next steps:\n" +
-			"  1. `gh pr create --fill` (if not already open)\n" +
-			"  2. `gh pr merge --squash` (once approved)\n" +
-			"  3. `git checkout main && git reset --hard origin/main` (sync local)";
-
-		const newContent = [...event.content];
-		newContent.push({ type: "text", text: reminder });
-
-		if (ctx.hasUI) {
-			ctx.ui.notify("Main-Guard: Suggesting PR workflow", "info");
-		}
-
-		return { content: newContent };
-	});
-}