Commit Graph

46 Commits

  • Merge pull request #846 from pythonstrup/feat/desktop-notify-hook
    feat: add macOS desktop notification Stop hook
  • fix: add spawnSync error logging and restore 5s timeout
    - Check spawnSync result and log warning on failure via stderr
    - Restore osascript timeout to 5000ms, increase hook deadline to 10s
      for sufficient headroom
  • feat: add macOS desktop notification Stop hook
    Add a new Stop hook that sends a native macOS notification with the
    task summary (first line of last_assistant_message) when Claude finishes
    responding. Uses osascript via spawnSync for shell injection safety.
    Supports run-with-flags fast require() path. Only active on standard
    and strict profiles; silently skips on non-macOS platforms.
  • perf(hooks): move post-edit-format and post-edit-typecheck to strict-only (#757)
    * perf(hooks): move post-edit-format and post-edit-typecheck to strict-only
    
    These hooks fire synchronously on every Edit call with 15-30s timeouts
    each. During multi-file refactors this adds 5-10 minutes of overhead.
    
    Moving them from standard,strict to strict-only means they won't fire
    in the default profile but are still available for users who want the
    extra validation.
    
    Fixes #735
    
    * Also update OpenCode plugin to strict-only for format/typecheck
    
    The OpenCode plugin had the same standard,strict profile for
    post:edit:format and post:edit:typecheck, so OpenCode users on the
    default profile would still get the per-edit overhead.
  • feat(hooks): add config protection hook to block linter config manipulation (#758)
    * feat(hooks): add config protection hook to block linter config manipulation
    
    Agents frequently modify linter/formatter configs (.eslintrc, biome.json,
    .prettierrc, .ruff.toml, etc.) to make checks pass instead of fixing
    the actual code.
    
    This PreToolUse hook intercepts Write/Edit/MultiEdit calls targeting
    known config files and blocks them with a steering message that directs
    the agent to fix the source code instead.
    
    Covers: ESLint, Prettier, Biome, Ruff, ShellCheck, Stylelint, and
    Markdownlint configs.
    
    Fixes #733
    
    * Address review: fix dead code, add missing configs, export run()
    
    - Removed pyproject.toml from PROTECTED_FILES (was dead code since
      it was also in PARTIAL_CONFIG_FILES). Added comment explaining why
      it's intentionally excluded.
    - Removed PARTIAL_CONFIG_FILES entirely (no longer needed).
    - Added missing ESLint v9 TypeScript flat configs: eslint.config.ts,
      eslint.config.mts, eslint.config.cts
    - Added missing Prettier ESM config: prettier.config.mjs
    - Exported run() function for in-process execution via run-with-flags,
      avoiding the spawnSync overhead (~50-100ms per call).
    
    * Handle stdin truncation gracefully, log warning instead of fail-open
    
    If stdin exceeds 1MB, the JSON would be malformed and the catch
    block would silently pass through. Now we detect truncation and
    log a warning. The in-process run() path is not affected.
  • feat: add block-no-verify hook for Claude Code and Cursor (#649)
    Adds npx block-no-verify@1.1.2 as a PreToolUse Bash hook in hooks/hooks.json
    and a beforeShellExecution hook in .cursor/hooks.json to prevent AI agents
    from bypassing git hooks via the hook-bypass flag.
    
    This closes the last enforcement gap in the ECC security stack — the bypass
    flag silently skips pre-commit, commit-msg, and pre-push hooks.
    
    Closes #648
    
    Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
  • feat: agent compression, inspection logic, governance hooks (#491, #485, #482) (#688)
    Implements three roadmap features:
    
    - Agent description compression (#491): New `agent-compress` module with
      catalog/summary/full compression modes and lazy-loading. Reduces ~26k
      token agent descriptions to ~2-3k catalog entries for context efficiency.
    
    - Inspection logic (#485): New `inspection` module that detects recurring
      failure patterns in skill_runs. Groups by skill + normalized failure
      reason, generates structured reports with suggested remediation actions.
      Configurable threshold (default: 3 failures).
    
    - Governance event capture hook (#482): PreToolUse/PostToolUse hook that
      detects secrets, policy violations, approval-required commands, and
      elevated privilege usage. Gated behind ECC_GOVERNANCE_CAPTURE=1 flag.
      Writes to governance_events table via JSON-line stderr output.
    
    59 new tests (16 + 16 + 27), all passing.
  • fix: address cubic-dev-ai review — 3 issues
    P1: Log non-ENOENT spawn errors (timeout, signal kill) to stderr
    instead of silently exiting 0. Separate handling for result.error
    and null result.status so users know when the security monitor
    failed to run.
    
    P1: Remove "async": true from hooks.json — async hooks run in the
    background and cannot block tool execution. The security hook needs
    to be synchronous so exit(2) actually prevents credential exposure
    and other critical findings from proceeding.
    
    P2: Remove dead tool_response/tool_result code from extract_content.
    In a PreToolUse hook the tool hasn't executed yet, so tool_response
    is never populated. Removed the variable and the unreachable branch
    that appended its content.
    
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
  • fix: address CodeRabbit review — convert to PreToolUse, add type annotations, logging
    Critical fixes:
    - Convert hook from PostToolUse to PreToolUse so exit(2) blocking works
    - Change all python references to python3 for cross-platform compat
    - Add insaits-security-wrapper.js to bridge run-with-flags.js to Python
    
    Standard fixes:
    - Wrap hook with run-with-flags.js so users can disable via
      ECC_DISABLED_HOOKS="pre:insaits-security"
    - Add "async": true to hooks.json entry
    - Add type annotations to all function signatures (Dict, List, Tuple, Any)
    - Replace all print() statements with logging module (stderr)
    - Fix silent OSError swallow in write_audit — now logs warning
    - Remove os.environ.setdefault('INSAITS_DEV_MODE') — pass dev_mode=True
      through monitor constructor instead
    - Update hooks/README.md: moved to PreToolUse table, "detects" not
      "catches", clarify blocking vs non-blocking behavior
    
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
  • feat: add InsAIts PostToolUse security monitoring hook
    - Add insaits-security-monitor.py: real-time AI security monitoring
      hook that catches credential exposure, prompt injection,
      hallucinations, and 20+ other anomaly types
    - Update hooks.json with InsAIts PostToolUse entry
    - Update hooks/README.md with InsAIts in PostToolUse table
    - Add InsAIts MCP server entry to mcp-configs/mcp-servers.json
    
    InsAIts (https://github.com/Nomadu27/InsAIts) is an open-source
    runtime security layer for multi-agent AI. It runs 100% locally
    and writes tamper-evident audit logs to .insaits_audit_session.jsonl.
    
    Install: pip install insa-its
    
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
  • fix: auto-start dev servers in tmux instead of blocking (#344)
    * fix: auto-start development servers in tmux instead of blocking
    
    Replace blocking PreToolUse hook that used process.exit(2) with an auto-transform hook that:
    - Detects development server commands
    - Wraps them in tmux with directory-based session names
    - Runs server detached so Claude Code is not blocked
    - Provides confirmation message with log viewing instructions
    
    Benefits:
    - Development servers no longer block Claude Code execution
    - Each project gets its own tmux session (allows multiple projects)
    - Logs remain accessible via 'tmux capture-pane -t <session>'
    - Non-blocking: if tmux unavailable, command still runs (graceful fallback)
    
    Implementation:
    - Created scripts/hooks/auto-tmux-dev.js with transform logic
    - Updated hooks.json to reference the script instead of inline node command
    - Applied same fix to cached plugin version (1.4.1) for immediate effect
    
    * fix: resolve PR #344 code review issues in auto-tmux-dev.js
    
    Critical fixes:
    - Fix variable scope: declare 'input' before try block, not inside
    - Fix shell injection: sanitize sessionName and escape cmd for shell
    - Replace unused execFileSync import with spawnSync
    
    Improvements:
    - Add real Windows support using cmd /k window launcher
    - Add tmux availability check with graceful fallback
    - Update header comment to accurately describe platform support
    
    Test coverage:
    - Valid JSON input: transforms command for respective platform
    - Invalid JSON: passes through raw data unchanged
    - Unsupported tools: gracefully falls back to original command
    - Shell metacharacters: sanitized in sessionName, escaped in cmd
    
    * fix: correct cmd.exe escape sequence for double quotes on Windows
    
    Use double-quote doubling ('""') instead of backslash-escape ('\\\") for cmd.exe syntax.
    Backslash escaping is Unix convention and not recognized by cmd.exe. This fixes quoted
    arguments in dev server commands on Windows (e.g., 'npm run dev --filter="my-app"').
  • fix: resolve CI failures on main — lint, hooks validator, and test alignment
    - Fix MD012 trailing blank lines in commands/projects.md and commands/promote.md
    - Fix MD050 strong-style in continuous-learning-v2 (escape __tests__ as inline code)
    - Extract doc-file-warning hook to standalone script to fix hooks validator regex parsing
    - Update session-end test to match #317 behavior (always update summary content)
    - Allow shell script hooks in integration test format validation
    
    All 992 tests passing.
  • feat: project-scoped instinct isolation
    * feat: add project-scoped instinct isolation
    
    * fix(continuous-learning-v2): harden instinct loading and promotion safety; sync v2.1 command docs
    
    * fix(ci): make copilot-setup-steps a valid GitHub Actions workflow
    
    * fix(hooks): stabilize docs warning inline JS regex parsing
  • fix(hooks): extract doc-warning hook to external script to fix CI
    The inline JS in the Write PreToolUse hook had a multi-layer escaping
    bug: the regex [\\/\\] collapsed to [\/\] after the validator's
    unescape chain, producing an invalid regex (Unmatched ')').
    
    Fix: move the doc-file-warning hook to scripts/hooks/pre-write-doc-warn.js,
    eliminating the inline escaping problem entirely. All 992 tests now pass.
    
    Closes the 991/992 CI failure on main.
  • Merge pull request #276 from pangerlkr/patch-7
    LGTM — Doc hook refinement from blocker to warning. Clean, well-scoped.
  • docs(hooks/README): update Doc file blocker to reflect warning-only behavior
    Updated the Doc file blocker to a warning for non-standard files and improved path handling.
  • Refine hooks for documentation file management
    Updated command hooks to improve documentation file handling and added warnings for non-standard documentation files.
  • feat(ecc): prune plugin 43→12 items, promote 7 rules to .claude/rules/ (#245)
    ECC community plugin pruning: removed 530+ non-essential files
    (.cursor/, .opencode/, docs/ja-JP, docs/zh-CN, docs/zh-TW,
    language-specific skills/agents/rules). Retained 4 agents,
    3 commands, 5 skills. Promoted 13 rule files (8 common + 5
    typescript) to .claude/rules/ for CC native loading. Extracted
    reusable patterns to EXTRACTED-PATTERNS.md.
  • feat: auto-detect formatter in post-edit hook (Biome/Prettier)
    The post-edit-format hook was hardcoded to use Prettier. Projects using
    Biome had their code reformatted with Prettier defaults (e.g. double
    quotes overwriting single quotes).
    
    Now the hook walks up from the edited file to find the project root,
    then checks for config files:
    - biome.json / biome.jsonc → runs Biome
    - .prettierrc / prettier.config.* → runs Prettier
    - Neither found → skips formatting silently
  • fix: whitelist .claude/plans/ in doc file creation hook
    The PreToolUse Write hook blocks creation of .md files to prevent
    unnecessary documentation sprawl. However, it also blocks Claude Code's
    built-in plan mode from writing plan files to .claude/plans/*.md,
    causing "BLOCKED: Unnecessary documentation file creation" errors
    every time a plan is created or updated.
    
    Add .claude/plans/ path to the whitelist so plan files are not blocked.
  • fix: Windows compatibility for hook scripts (execFileSync + tmux) (#215)
    * fix: Windows compatibility for hook scripts
    
    - post-edit-format.js: add `shell: process.platform === 'win32'` to
      execFileSync options so npx.cmd is resolved via cmd.exe on Windows
    - post-edit-typecheck.js: same fix for tsc invocation via npx
    - hooks.json: skip tmux-dependent hooks on Windows where tmux is
      unavailable (dev-server blocker and long-running command reminder)
    
    On Windows, execFileSync('npx', ...) without shell:true fails with
    ENOENT because Node.js cannot directly execute .cmd files. These
    hooks silently fail on all Windows installations.
    
    The tmux hooks unconditionally block dev server commands (exit 2) or
    warn about tmux on Windows where tmux is not available.
    
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    
    * fix: parse Claude Code JSONL transcript format correctly
    
    The session-end hook expected user messages at entry.content, but
    Claude Code's actual JSONL format nests them at entry.message.content.
    This caused all session files to be blank templates (0 user messages
    despite 136+ actual entries).
    
    - Check entry.message?.content in addition to entry.content
    - Extract tool_use blocks from assistant message.content arrays
    
    Verified with Claude Code v2.1.41 JSONL transcripts.
    
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: ddungan <sckim@mococo.co.kr>
    Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
  • fix: add word boundary to dev server hook regex, fix box() crash, add 27 tests
    - hooks.json: add \b word boundary anchors to dev server blocking regex
      to prevent false positives matching "npm run develop", "npm run devtools" etc.
    - skill-create-output.js: guard box() horizontal repeat with Math.max(0, ...)
      to prevent RangeError when title exceeds container width
    - Add 13 tests for setup-package-manager.js CLI argument parsing
    - Add 14 tests for skill-create-output.js SkillCreateOutput class
    - All 333 tests passing
  • fix: add try-catch to inline hooks, fix schema drift
    - Wrap JSON.parse in try-catch for all 6 inline hooks in hooks.json
      (dev-server blocker, tmux reminder, git-push reminder, doc blocker,
      PR create logger, build analysis) — previously unguarded JSON.parse
      would crash on empty/malformed stdin, preventing data passthrough
    - Add config parse error logging to evaluate-session.js
    - Fix plugin.schema.json: author can be string or {name,url} object,
      add version (semver pattern), homepage, keywords, skills, agents
    - Fix package-manager.schema.json: add setAt (date-time) field and
      make packageManager required to match actual code behavior
  • docs: add hooks guide, expand planner agent, add Django example
    - Add hooks/README.md: comprehensive hook documentation with input schema,
      customization guide, 4 ready-to-use hook recipes, and cross-platform notes
    - Expand planner agent with full worked example (Stripe subscriptions plan)
      and sizing/phasing guidance (119 → 212 lines)
    - Add Django REST API example config (DRF + Celery + pytest + Factory Boy)
    - Update README directory tree with new files
  • refactor: extract inline PostToolUse hooks into external scripts
    Move three complex inline hooks from hooks.json into proper external
    scripts in scripts/hooks/:
    
    - post-edit-format.js: Prettier auto-formatting (was 1 minified line)
    - post-edit-typecheck.js: TypeScript check (was 1 minified line with
      unbounded directory traversal, now capped at 20 levels)
    - post-edit-console-warn.js: console.log warnings (was 1 minified line)
    
    Benefits:
    - Readable, documented, and properly error-handled
    - Testable independently via stdin
    - Consistent with other hooks (all use external scripts now)
    - Adds timeouts to Prettier (15s) and tsc (30s) to prevent hangs
  • fix: resolve multiple reported issues (#205, #182, #188, #172, #173) (#207)
    * fix: resolve multiple reported issues (#205, #182, #188, #172, #173)
    
    - fix(observe.sh): replace triple-quote JSON parsing with stdin pipe to
      prevent ~49% parse failures on payloads with quotes/backslashes/unicode
    - fix(hooks.json): correct matcher syntax to use simple tool name regexes
      instead of unsupported logical expressions; move command/path filtering
      into hook scripts; use exit code 2 for blocking hooks
    - fix(skills): quote YAML descriptions containing colons in 3 skill files
      and add missing frontmatter to 2 skill files for Codex CLI compatibility
    - feat(rules): add paths: filters to all 15 language-specific rule files
      so they only load when working on matching file types
    - fix(agents): align model fields with CONTRIBUTING.md recommendations
      (opus for planner/architect, sonnet for reviewers/workers, haiku for
      doc-updater)
    
    * ci: use AgentShield GitHub Action instead of npx
    
    Switch from npx ecc-agentshield to uses: affaan-m/agentshield@v1
    for proper GitHub Action demo and marketplace visibility.
  • fix: prevent command injection in Prettier hook (#102)
    Security fix: Prevent command injection in Prettier hook by using execFileSync with array arguments instead of execSync with string concatenation.
  • Fix: Move Stop hook inline code to separate script file
    Fixes #78
    
    ## Problem
    The Stop hook used inline JavaScript code with `node -e`, which caused
    shell syntax errors on macOS/zsh due to special characters (parentheses,
    braces, arrow functions) being misinterpreted by the shell.
    
    Error message:
    /bin/sh: -c: line 0: syntax error near unexpected token \`('
    
    ## Solution
    - Created scripts/hooks/check-console-log.js with the hook logic
    - Updated hooks/hooks.json to reference the external script
    - This follows the same pattern as other hooks in the plugin
    
    ## Benefits
    - Fixes shell compatibility issues across different environments
    - Improves code maintainability (separate, well-documented script)
    - Follows plugin's own best practices
    - Makes the code easier to test and debug
    
    ## Testing
    Tested on macOS with zsh - no more syntax errors.
    The hook still functions correctly to detect console.log statements.
  • feat: v1.1.0 release - session ID tracking, async hooks, new skills
    - Add session ID to session filenames (Issue #62)
    - Add getSessionIdShort() helper for unique per-session tracking
    - Add async hooks documentation with example
    - Create iterative-retrieval skill for progressive context refinement
    - Add continuous-learning-v2 skill with instinct-based learning
    - Add ecc.tools ecosystem section to README
    - Update skills list in README
    
    All 67 tests passing.
  • fix: remove unnecessary .sh hooks (#41)
    Cleanup: removes old .sh hooks since we now use the JS versions in scripts/hooks/
  • feat: cross-platform support with Node.js scripts
    - Rewrite all bash hooks to Node.js for Windows/macOS/Linux compatibility
    - Add package manager auto-detection (npm, pnpm, yarn, bun)
    - Add scripts/lib/ with cross-platform utilities
    - Add /setup-pm command for package manager configuration
    - Add comprehensive test suite (62 tests)
    
    Co-authored-by: zerx-lab
  • fix: move session-end hooks from Stop to SessionEnd
    Stop hook fires after every response, SessionEnd fires only when
    session actually terminates. This was causing session-end.sh and
    evaluate-session.sh to run on every response instead of at session end.
    
    Fixes issue reported by user about hooks triggering every response.
  • fix: use ${CLAUDE_PLUGIN_ROOT} for hook script paths
    Relative paths like ./hooks/... fail when the plugin is installed
    because hooks run in the project directory, not the plugin directory.
    Using ${CLAUDE_PLUGIN_ROOT} ensures scripts are found regardless of
    where the plugin is installed.
    
    Fixed paths:
    - hooks/strategic-compact/suggest-compact.sh
    - hooks/memory-persistence/pre-compact.sh
    - hooks/memory-persistence/session-start.sh
    - hooks/memory-persistence/session-end.sh
    - skills/continuous-learning/evaluate-session.sh
  • feat: package as Claude Code plugin with marketplace distribution
    - Add .claude-plugin/plugin.json manifest for direct installation
    - Add .claude-plugin/marketplace.json for marketplace distribution
    - Reorganize skills to proper skill-name/SKILL.md format
    - Update hooks.json with relative paths for portability
    - Add new skills: continuous-learning, strategic-compact, eval-harness, verification-loop
    - Add new commands: checkpoint, eval, orchestrate, verify
    - Update README with plugin installation instructions
    
    Install via:
      /plugin marketplace add affaan-m/everything-claude-code
      /plugin install everything-claude-code@everything-claude-code
  • Initial release: Complete Claude Code configuration collection
    Battle-tested configs from 10+ months of daily Claude Code usage.
    Won Anthropic x Forum Ventures hackathon building zenith.chat.
    
    Includes:
    - 9 specialized agents (planner, architect, tdd-guide, code-reviewer, etc.)
    - 9 slash commands (tdd, plan, e2e, code-review, etc.)
    - 8 rule files (security, coding-style, testing, git-workflow, etc.)
    - 7 skills (coding-standards, backend-patterns, frontend-patterns, etc.)
    - Hooks configuration (PreToolUse, PostToolUse, Stop)
    - MCP server configurations (15 servers)
    - Plugin/marketplace documentation
    - Example configs (project CLAUDE.md, user CLAUDE.md, statusline)
    
    Read the full guide: https://x.com/affaanmustafa/status/2012378465664745795