Commit Graph

76 Commits

  • fix(hooks): extract doc-warning hook to external script to fix CI
    The inline JS in the Write PreToolUse hook had a multi-layer escaping
    bug: the regex [\\/\\] collapsed to [\/\] after the validator's
    unescape chain, producing an invalid regex (Unmatched ')').
    
    Fix: move the doc-file-warning hook to scripts/hooks/pre-write-doc-warn.js,
    eliminating the inline escaping problem entirely. All 992 tests now pass.
    
    Closes the 991/992 CI failure on main.
  • Merge pull request #233 from andydiaz122/nano_claw_v1
    LGTM — NanoClaw agent REPL. Safe, uses only local Claude CLI, good input validation, includes tests.
  • Merge pull request #252 from pythonstrup/feat/auto-detect-formatter
    LGTM — Auto-detect formatter hook. Safe, well-structured.
  • fix: address CodeRabbit review — deduplicate prompt, fix skill count
    - Swap loadHistory/appendTurn order to prevent user message appearing
      twice in the prompt (once in history, once as USER MESSAGE)
    - Calculate actual loaded skill count via fs.existsSync instead of
      counting requested skill names (banner now reflects reality)
    - Add err.stack to test harness error output for better debugging
  • feat: auto-detect formatter in post-edit hook (Biome/Prettier)
    The post-edit-format hook was hardcoded to use Prettier. Projects using
    Biome had their code reformatted with Prettier defaults (e.g. double
    quotes overwriting single quotes).
    
    Now the hook walks up from the edited file to find the project root,
    then checks for config files:
    - biome.json / biome.jsonc → runs Biome
    - .prettierrc / prettier.config.* → runs Prettier
    - Neither found → skips formatting silently
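
The detection order above could be sketched roughly as follows. This is a simplified illustration, not the hook's actual code: `detectFormatter` and `hasPrettierConfig` are hypothetical names, the sketch checks every ancestor directory rather than locating a project root first, and `prettier.config.*` is approximated with a prefix match.

```javascript
const fs = require('node:fs');
const path = require('node:path');

// Config file names taken from the commit message above.
const BIOME_CONFIGS = ['biome.json', 'biome.jsonc'];

// Hypothetical helper: true when the directory holds a Prettier config.
function hasPrettierConfig(dir) {
  try {
    return fs
      .readdirSync(dir)
      .some((name) => name === '.prettierrc' || name.startsWith('prettier.config.'));
  } catch {
    return false; // unreadable or missing directory: treat as "no config"
  }
}

// Hypothetical helper: returns 'biome', 'prettier', or null (skip formatting).
function detectFormatter(filePath) {
  let dir = path.dirname(path.resolve(filePath));
  for (;;) {
    if (BIOME_CONFIGS.some((name) => fs.existsSync(path.join(dir, name)))) return 'biome';
    if (hasPrettierConfig(dir)) return 'prettier';
    const parent = path.dirname(dir);
    if (parent === dir) return null; // reached the filesystem root
    dir = parent;
  }
}
```

Checking Biome before Prettier in each directory is an assumption of this sketch; the commit message does not say which one wins when both configs exist.
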
  • feat: add NanoClaw agent REPL — persistent session-aware CLI for ECC
    Implements a barebones agent loop that delegates to `claude -p` with
    markdown-as-database session persistence and ECC skill context loading.
    Zero external dependencies, ~264 lines of pure Node.js CommonJS.
    
    - scripts/claw.js: core module (storage, context, delegation, REPL)
    - commands/claw.md: slash command definition with usage docs
    - tests/scripts/claw.test.js: 14 unit tests covering all modules
    - package.json: add claw script and files entry
    - tests/run-all.js: register claw tests in test manifest
  • fix: use nullish coalescing for confidence default + add 3 tests (round 85)
    Fix confidence=0 showing 80% instead of 0% in patterns() (|| → ??).
    Test evaluate-session.js config parse error catch, getSessionIdShort
    fallback at root CWD, and precise confidence=0 assertion.
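
A minimal sketch of why `??` matters here, assuming a 0.8 default (inferred from the "80%" above) and a hypothetical `formatConfidence` helper rather than the real patterns() code:

```javascript
// Hypothetical formatter; the 0.8 default is an assumption based on the
// "80%" mentioned in the commit message.
function formatConfidence(confidence) {
  // `confidence || 0.8` would replace a legitimate 0 with 0.8;
  // `??` only falls back on null or undefined.
  const value = confidence ?? 0.8;
  return `${Math.round(value * 100)}%`;
}

console.log(formatConfidence(0));         // "0%"
console.log(formatConfidence(undefined)); // "80%"
```
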
  • fix: collapse newlines in user messages to prevent markdown list breaks in session-end
    User messages containing newline characters were being added as-is to
    markdown list items in buildSummarySection(), breaking the list format.
    Now newlines are replaced with spaces before backtick escaping.
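
The ordering described above (collapse newlines, then escape backticks) might look like this. `toListItem` is a hypothetical helper for illustration, not the project's buildSummarySection():

```javascript
// Hypothetical helper: turn one user message into a single markdown list item.
function toListItem(message) {
  const oneLine = message.replace(/\r?\n/g, ' '); // collapse newlines first
  const escaped = oneLine.replace(/`/g, '\\`');   // then escape backticks
  return `- ${escaped}`;
}
```
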
  • fix: make saveAliases atomic on Unix by skipping unnecessary unlink before rename
    On Unix/macOS, rename(2) atomically replaces the destination file.
    The previous code ran unlinkSync before renameSync on all platforms,
    creating an unnecessary non-atomic window where a crash could lose
    data. Now the delete-before-rename is gated behind process.platform
    === 'win32', where rename cannot overwrite an existing file.
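
A sketch of the write-then-rename pattern with the platform gate described above. `atomicWriteJson` and the `.tmp` suffix are assumptions for illustration; the real saveAliases() may differ:

```javascript
const fs = require('node:fs');

// Hypothetical helper illustrating the pattern, not the project's saveAliases().
function atomicWriteJson(targetPath, data) {
  const tempPath = `${targetPath}.tmp`;
  fs.writeFileSync(tempPath, JSON.stringify(data, null, 2), 'utf8');

  // Only delete first on Windows, as the commit describes. Elsewhere the
  // rename itself replaces the destination, so no window exists in which
  // the target file is missing.
  if (process.platform === 'win32' && fs.existsSync(targetPath)) {
    fs.unlinkSync(targetPath);
  }
  fs.renameSync(tempPath, targetPath);
}
```
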
  • fix: correct box() off-by-one width calculation in skill-create-output
    The box() helper produced lines that were width+1 characters instead of
    the requested width. Adjusted all three formulas (top border, middle
    content, bottom border) by -1 each. Added 4 tests verifying box width
    accuracy across instincts(), analysisResults(), and nextSteps() output.
  • fix: header subtitle width mismatch in skill-create-output; add 9 tests (Round 34)
    - Fix subtitle padding 55→59 so line 94 matches 64-char border width
    - Add 4 header width alignment tests (skill-create-output)
    - Add 3 getExecCommand non-string args tests (package-manager)
    - Add 2 detectFromPackageJson non-string type tests (package-manager)
  • fix: reject flags passed as package manager names in setup-package-manager CLI
    When --global or --project was followed by another flag (e.g., --global --project),
    the flag was treated as a package manager name. Added pmName.startsWith('-') check
    to both handlers. Added 20 tests across 4 test files covering argument validation,
    ensureDir error propagation, runCommand stderr handling, and saveAliases failure paths.
  • fix: use local-time Date constructor in session-manager to prevent timezone day shift
    new Date('YYYY-MM-DD') creates UTC midnight, which in negative UTC offset
    timezones (e.g., Hawaii) causes getDate() to return the previous day.
    Replaced with new Date(year, month - 1, day) for correct local-time behavior.
    
    Added 15 tests: session-manager datetime verification and edge cases (7),
    package-manager getCommandPattern special characters (4), and
    validators model/skill-reference validation (4). Tests: 651 → 666.
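
The local-time construction can be sketched as below. `parseLocalDate` is a hypothetical name, and the strict `YYYY-MM-DD` regex is an assumption about the input format:

```javascript
// Hypothetical helper: parse 'YYYY-MM-DD' as local midnight.
// new Date('YYYY-MM-DD') would instead be interpreted as UTC midnight.
function parseLocalDate(dateStr) {
  const match = /^(\d{4})-(\d{2})-(\d{2})$/.exec(dateStr);
  if (!match) return null;
  const [, year, month, day] = match.map(Number);
  return new Date(year, month - 1, day); // month is zero-based
}
```

With this form, `getDate()` returns the day written in the string regardless of the machine's UTC offset.
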
  • fix: add cwd to prettier hook, consistent process.exit(0), and stdout pass-through
    - post-edit-format.js: add cwd based on file directory so npx resolves
      correct local prettier binary
    - post-edit-typecheck.js, post-edit-format.js: replace console.log(data)
      with process.stdout.write(data) to avoid trailing newline corruption
    - Add process.exit(0) to 4 hooks for consistent termination
      (check-console-log, post-edit-console-warn, post-edit-format,
      post-edit-typecheck)
    - run-all.js: switch from execSync to spawnSync so stderr is visible
      on the success path (hook warnings were silently discarded)
    - Add 21 tests: cwd verification, process.exit(0) checks, exact
      stdout pass-through, extension edge cases, exclusion pattern
      matching, threshold boundary values (630 → 651)
  • fix: exact byte pass-through in post-edit-console-warn, add 7 tests
    Replace console.log(data) with process.stdout.write(data) in both
    pass-through paths to prevent appending a trailing newline that
    corrupts the hook output. Add 7 tests covering exact byte fidelity,
    malformed JSON, missing file_path, non-existent files, exclusion
    patterns in check-console-log, non-git repo handling, and empty stdin.
  • fix: consistent periodic interval spacing in suggest-compact, add 10 tests
    - suggest-compact.js: count % 25 → (count - threshold) % 25 for consistent
      spacing regardless of threshold value
    - Update existing periodic interval test to match corrected behavior
    - 10 new tests: interval fix regression (non-25-divisible threshold, false
      suggestion prevention), corrupted counter file, 1M boundary, malformed
      JSON pass-through, non-TS extension pass-through, empty sessions dir,
      blank template skip
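
To illustrate the interval change, here is a minimal sketch. `shouldSuggest` is a hypothetical function, and treating the threshold itself as the first suggestion point is an assumption:

```javascript
const INTERVAL = 25;

// Hypothetical check: suggest at the threshold, then every INTERVAL calls after it.
function shouldSuggest(count, threshold) {
  return count >= threshold && (count - threshold) % INTERVAL === 0;
}

// With threshold 40 the suggestions land on 40, 65, 90, ...
// The old `count % 25` form would have fired at 50 and 75 instead.
```
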
  • fix: nullish coalescing in evaluate-session config, narrow pre-compact glob, add 11 tests
    - evaluate-session.js: || 10 → ?? 10 for min_session_length (0 is valid)
    - pre-compact.js: *.tmp → *-session.tmp to match only session files
    - 11 new tests: config loading (min=0, null, custom path, invalid JSON),
      session-end update path (timestamp, template replace, preserve content),
      pre-compact glob specificity, extractSessionSummary edge cases
  • fix: reject empty/invalid array commands in hooks validator, add 19 tests
    validate-hooks.js: Empty arrays [] and arrays with non-string elements
    (e.g., [123, null]) passed command validation due to JS truthiness of
    empty arrays (![] === false). Added explicit length and element type
    checks.
    
    19 new tests covering: non-array event type values, null/string matcher
    entries, string/number top-level data, empty string/array commands,
    non-string array elements, non-string type field, non-number timeout,
    timeout boundary (0), unwrapped hooks format, legacy format error paths,
    empty agent directory, whitespace-only command files, valid skill refs,
    mixed valid/invalid rules and skills.
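
The explicit length and element type checks might be sketched like this. `isValidCommand` is a hypothetical name, and the string branch (rejecting whitespace-only values) is an assumption about how the validator treats plain strings:

```javascript
// Hypothetical validator for a hook "command" field.
function isValidCommand(command) {
  if (typeof command === 'string') return command.trim().length > 0;
  if (Array.isArray(command)) {
    // `!command` is false for [], so a plain truthiness check lets empty
    // arrays through; check length and element types explicitly instead.
    return command.length > 0 && command.every((part) => typeof part === 'string');
  }
  return false;
}
```
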
  • fix: sanitize getExecCommand args, escape regex in getCommandPattern, clean up readStdinJson timeout, add 10 tests
    Validate args parameter in getExecCommand() against SAFE_ARGS_REGEX to
    prevent command injection when returned string is passed to a shell.
    Escape regex metacharacters in getCommandPattern() generic action branch
    to prevent malformed patterns and unintended matching. Clean up stdin
    listeners in readStdinJson() timeout path to prevent process hanging.
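
Escaping regex metacharacters before building a pattern is commonly done as shown below. `escapeRegExp` is a generic helper written for this note, not necessarily the one used in getCommandPattern():

```javascript
// Escape every character that has special meaning in a regular expression.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Without escaping, the dot in 'a.b' matches any character.
console.log(new RegExp('a.b').test('axb'));               // true
console.log(new RegExp(escapeRegExp('a.b')).test('axb')); // false
```
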
  • fix: eliminate command injection in hooks, fix pass-through newline corruption, add 8 tests
    Replace shell: true with npx.cmd on Windows in post-edit-format.js and
    post-edit-typecheck.js to prevent command injection via crafted file paths.
    Replace console.log(data) with process.stdout.write(data) in
    check-console-log.js to avoid appending extra newlines to pass-through data.
  • fix: clamp getAllSessions pagination params, add cleanupAliases success field, add 10 tests
    - session-manager: clamp offset/limit to safe non-negative integers to
      prevent negative offset counting from end and NaN returning empty results
    - session-aliases: add success field to cleanupAliases return value for
      API contract consistency with setAlias/deleteAlias/renameAlias
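
A sketch of the pagination clamp, assuming hypothetical `clampInt` and `paginate` helpers and a default limit of 50 (the real getAllSessions defaults are not stated above):

```javascript
// Hypothetical helper: coerce to an integer within [min, max], or use fallback.
function clampInt(value, fallback, min = 0, max = Number.MAX_SAFE_INTEGER) {
  const n = Number(value);
  if (!Number.isFinite(n)) return fallback; // NaN, Infinity, non-numeric input
  return Math.min(max, Math.max(min, Math.floor(n)));
}

// Hypothetical pagination over an in-memory array.
function paginate(items, { offset = 0, limit = 50 } = {}) {
  const start = clampInt(offset, 0);      // a negative offset becomes 0
  const count = clampInt(limit, 50, 1);   // a NaN limit falls back to 50
  return items.slice(start, start + count);
}
```

Without the clamp, `slice(-2, ...)` would count from the end of the array and a NaN limit would yield an empty page.
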
  • fix: reject whitespace-only command/field values in CI validators, add 10 tests
    validate-hooks.js: whitespace-only command strings now fail validation
    validate-agents.js: whitespace-only model/tools values now fail validation
  • fix: clamp progressBar to prevent RangeError on overflow, add 10 tests
    progressBar() in skill-create-output.js could crash with RangeError when
    percent > 100 because repeat() received a negative count. Fixed by
    clamping filled to [0, width].
    
    New tests:
    - progressBar edge cases: 0%, 100%, and >100% confidence
    - Empty patterns/instincts arrays
    - post-edit-format: null tool_input, missing file_path, prettier failure
    - setup-package-manager: --detect output completeness, current marker
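
The clamp to [0, width] can be illustrated as follows. The signature and the bar characters are assumptions; only the clamping idea comes from the commit:

```javascript
// Hypothetical progress bar: '#' for filled cells, '-' for empty ones.
function progressBar(percent, width = 10) {
  const raw = Math.round((percent / 100) * width);
  const filled = Math.min(width, Math.max(0, raw)); // clamp to [0, width]
  // Without the clamp, percent > 100 makes (width - filled) negative and
  // String.prototype.repeat throws a RangeError.
  return '#'.repeat(filled) + '-'.repeat(width - filled);
}
```
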
  • fix: clamp suggest-compact counter overflow, add 9 boundary tests
    Counter file could contain huge values (e.g. 999999999999) that pass
    Number.isFinite() but cause unbounded growth. Added a range check that
    rejects values outside [1, 1000000].
    
    New tests cover:
    - Counter overflow reset (huge number, negative number)
    - COMPACT_THRESHOLD zero fallback
    - session-end empty sections (no tools/files omits headers)
    - session-end slice boundaries (10 messages, 20 tools, 30 files)
    - post-edit-console-warn 5-match limit
    - post-edit-console-warn ignores console.warn/error/debug
  • fix: greedy regex in validate-commands captures all refs per line, add 18 tests
    The command cross-reference regex /^.*`\/(...)`.*$/gm only captured the
    LAST command ref per line due to greedy .* consuming earlier refs.
    Replaced with line-by-line processing using non-anchored regex to
    capture ALL command references.
    
    New tests:
    - 4 validate-commands multi-ref-per-line tests (regression)
    - 8 evaluate-session threshold boundary tests (new file)
    - 6 session-aliases edge case tests (cleanup, rename, path matching)
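
The difference between the anchored greedy pattern and line-by-line matching can be sketched like this. The command-name pattern `[a-z][a-z0-9-]*` is an assumption made for the example (the original regex body is elided above), and `extractCommandRefs` is a hypothetical name:

```javascript
// Hypothetical pattern for a backtick-quoted slash command such as `/plan`.
const COMMAND_REF = /`\/([a-z][a-z0-9-]*)`/g;

// Collect every command reference, line by line, with a non-anchored regex.
function extractCommandRefs(text) {
  const refs = [];
  for (const line of text.split('\n')) {
    for (const match of line.matchAll(COMMAND_REF)) {
      refs.push(match[1]);
    }
  }
  return refs;
}

// An anchored greedy form yields one match per line, and the leading .*
// swallows every reference except the last one.
const greedy = /^.*`\/([a-z][a-z0-9-]*)`.*$/gm;
const line = 'Run `/plan` then `/tdd`';
console.log([...line.matchAll(greedy)].map((m) => m[1])); // [ 'tdd' ]
console.log(extractCommandRefs(line));                    // [ 'plan', 'tdd' ]
```
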
  • fix: calendar-accurate date validation in parseSessionFilename, add 22 tests
    - Fix parseSessionFilename to reject impossible dates (Feb 31, Apr 31,
      Feb 29 non-leap) using Date constructor month/day roundtrip check
    - Add 6 session-manager tests for calendar date validation edge cases
    - Add 3 session-manager tests for code blocks/special chars in getSessionStats
    - Add 10 package-manager tests for PM-specific command formats (getRunCommand
      and getExecCommand for pnpm, yarn, bun, npm)
    - Add 3 integration tests for session-end transcript parsing (mixed JSONL
      formats, malformed lines, nested user messages)
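
The roundtrip check mentioned above relies on the Date constructor normalizing out-of-range days (Feb 31 rolls over into March). A minimal sketch, with `isRealCalendarDate` as a hypothetical name:

```javascript
// Hypothetical check: build the date, then confirm nothing rolled over.
function isRealCalendarDate(year, month, day) {
  const d = new Date(year, month - 1, day); // month is zero-based
  return (
    d.getFullYear() === year &&
    d.getMonth() === month - 1 &&
    d.getDate() === day
  );
}
```
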
  • fix: typecheck hook false positives, add 11 session-manager tests
    - Fix post-edit-typecheck.js error filtering: use relative/absolute path
      matching instead of basename, preventing false positives when multiple
      files share the same name (e.g., src/utils.ts vs tests/utils.ts)
    - Add writeSessionContent tests (create, overwrite, invalid path)
    - Add appendSessionContent test (append to existing file)
    - Add deleteSession tests (delete existing, non-existent)
    - Add sessionExists tests (file, non-existent, directory)
    - Add getSessionStats empty content edge case
    - Add post-edit-typecheck stdout passthrough test
    - Total: 391 → 402 tests, all passing
  • fix: add missing ReplaceInFileOptions to utils.d.ts type declaration
    The replaceInFile function in utils.js accepts an optional `options`
    parameter with `{ all?: boolean }` for replacing all occurrences, but
    the .d.ts type declaration was missing this parameter entirely.
  • fix: grepFile global regex lastIndex bug, add 12 tests
    Fix grepFile() silently skipping matches when called with /g flag regex.
    The global flag makes .test() stateful, causing alternating match/miss
    on consecutive matching lines. Strip g flag since per-line testing
    doesn't need global state.
    
    Add first-ever tests for evaluate-session.js (5 tests: short session,
    long session, missing transcript, malformed stdin, env var fallback)
    and suggest-compact.js (5 tests: counter increment, threshold trigger,
    periodic suggestions, below-threshold silence, invalid threshold).
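
The lastIndex behavior and the flag-stripping fix can be demonstrated with a small sketch. `grepLines` is a hypothetical stand-in that works on a string instead of a file, so it is not the project's grepFile():

```javascript
// A global regex remembers where the previous match ended.
const stateful = /foo/g;
console.log(stateful.test('foo'), stateful.test('foo')); // true false

// Return an equivalent regex without the g flag.
function withoutGlobalFlag(regex) {
  return regex.global ? new RegExp(regex.source, regex.flags.replace('g', '')) : regex;
}

// Hypothetical stand-in for grepFile(): returns matching lines with numbers.
function grepLines(content, pattern) {
  const regex = pattern instanceof RegExp ? withoutGlobalFlag(pattern) : new RegExp(pattern);
  return content
    .split('\n')
    .map((text, index) => ({ lineNumber: index + 1, text }))
    .filter(({ text }) => regex.test(text));
}
```
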
  • fix: add missing validation in renameAlias, add 6 tests
    renameAlias was missing length (>128), reserved name, and empty string
    validation that setAlias enforced. This inconsistency allowed renaming
    aliases to reserved names like 'list' or 'delete'.
    
    Also adds tests for:
    - renameAlias empty string, reserved name, and length limit
    - validate-skills whitespace-only SKILL.md rejection
    - validate-rules whitespace-only file and recursive subdirectory scan
  • fix: Windows compatibility for hook scripts (execFileSync + tmux) (#215)
    * fix: Windows compatibility for hook scripts
    
    - post-edit-format.js: add `shell: process.platform === 'win32'` to
      execFileSync options so npx.cmd is resolved via cmd.exe on Windows
    - post-edit-typecheck.js: same fix for tsc invocation via npx
    - hooks.json: skip tmux-dependent hooks on Windows where tmux is
      unavailable (dev-server blocker and long-running command reminder)
    
    On Windows, execFileSync('npx', ...) without shell:true fails with
    ENOENT because Node.js cannot directly execute .cmd files. As a result,
    these hooks silently failed on all Windows installations.
    
    Previously, the tmux hooks unconditionally blocked dev server commands
    (exit 2) or warned about tmux, even on Windows, where tmux is not
    available.
    
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    
    * fix: parse Claude Code JSONL transcript format correctly
    
    The session-end hook expected user messages at entry.content, but
    Claude Code's actual JSONL format nests them at entry.message.content.
    This caused all session files to be blank templates (0 user messages
    despite 136+ actual entries).
    
    - Check entry.message?.content in addition to entry.content
    - Extract tool_use blocks from assistant message.content arrays
    
    Verified with Claude Code v2.1.41 JSONL transcripts.
    
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: ddungan <sckim@mococo.co.kr>
    Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
  • fix: add input validation, date range checks, and security hardening
    - validate-agents.js: reject invalid model names in agent frontmatter
    - package-manager.js: validate script/binary names against shell injection
    - session-manager.js: reject impossible month/day values in filenames
    - utils.js: support options.all for replaceInFile string patterns
    - strategic-compact/SKILL.md: fix hook matcher syntax and script reference
    - install.sh: warn when overwriting existing rule customizations
    - Add 24 new tests covering all validation and edge cases
  • fix: box() off-by-one alignment, add 5 tests for readStdinJson and box alignment
    - skill-create-output.js: fix top border being 1 char narrower than
      middle/bottom lines (width - title - 5 → width - title - 4)
    - Add box alignment regression test verifying all lines have equal width
    - Add 4 readStdinJson tests via subprocess (valid JSON, invalid JSON,
      empty stdin, nested objects) — last untested exported utility function
    - All 338 tests passing
  • fix: add word boundary to dev server hook regex, fix box() crash, add 27 tests
    - hooks.json: add \b word boundary anchors to dev server blocking regex
      to prevent false positives matching "npm run develop", "npm run devtools" etc.
    - skill-create-output.js: guard box() horizontal repeat with Math.max(0, ...)
      to prevent RangeError when title exceeds container width
    - Add 13 tests for setup-package-manager.js CLI argument parsing
    - Add 14 tests for skill-create-output.js SkillCreateOutput class
    - All 333 tests passing
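
The effect of the word boundary can be shown with a deliberately simplified pattern. The real hooks.json regex is not reproduced here; `DEV_SERVER` and `isDevServerCommand` are assumptions for illustration:

```javascript
// Hypothetical simplified pattern; \b requires "dev" to end at a word boundary.
const DEV_SERVER = /\bnpm run dev\b/;

function isDevServerCommand(command) {
  return DEV_SERVER.test(command);
}

console.log(isDevServerCommand('npm run dev'));      // true
console.log(isDevServerCommand('npm run develop'));  // false
console.log(isDevServerCommand('npm run devtools')); // false
```
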
  • fix: capture stderr in typecheck hook, add 13 tests for session-end and utils
    - post-edit-typecheck.js: capture both stdout and stderr from tsc
    - hooks.test.js: 7 extractSessionSummary tests (JSONL parsing, array content,
      malformed lines, empty transcript, long message truncation, env var fallback)
    - utils.test.js: 6 tests (replaceInFile g-flag behavior, string replace,
      capture groups, writeFile overwrite, unicode content)
    
    Total test count: 294 → 307
  • fix: add event type enum to hooks schema and avoid shared RegExp state
    - hooks.schema.json: add enum constraint for hook event types
      (PreToolUse, PostToolUse, PreCompact, SessionStart, SessionEnd,
      Stop, Notification, SubagentStop), which enables IDE autocompletion
      and schema validation at edit time
    - utils.js countInFile: always create fresh RegExp to avoid shared
      lastIndex state when reusing global regex instances
    - README: update AgentShield stats (751 tests, 73 rules)
  • fix: broken cross-references, version sync, and enhanced command validator
    - Fix /build-and-fix → /build-fix in tdd.md, plan.md (+ cursor, zh-CN)
    - Fix non-existent explorer agent → planner in orchestrate.md (+ cursor, zh-CN, zh-TW)
    - Fix /python-test → /tdd in python-review.md (+ cursor, zh-CN)
    - Sync package.json version from 1.0.0 to 1.4.1 to match plugin.json
    - Enhance validate-commands.js with cross-reference checking:
      command refs, agent path refs, skill dir refs, workflow diagrams
    - Strip fenced code blocks before scanning to avoid false positives
    - Skip hypothetical "Creates:" lines in evolve.md examples
    - Add 46 new tests (suggest-compact, session-manager, utils, hooks)
  • fix: skip code blocks in command cross-reference validation
    The validator was matching example/template content inside fenced code
    blocks as real cross-references, causing false positives for evolve.md
    (example /new-table command and debugger agent).
    
    - Strip ``` blocks before running cross-reference checks
    - Change evolve.md examples to use bold instead of backtick formatting
      for hypothetical outputs
    
    All 261 tests pass.
  • fix: 3 bugs fixed, stdin encoding hardened, 37 CI validator tests added
    Bug fixes:
    - utils.js: glob-to-regex conversion now escapes all regex special chars
      (+, ^, $, |, (), {}, [], \) before converting * and ? wildcards
    - validate-hooks.js: escape sequence processing order corrected —
      \\\\ now processed before \\n and \\t to prevent double-processing
    - 6 hooks: added process.stdin.setEncoding('utf8') to prevent
      multi-byte UTF-8 character corruption at chunk boundaries
      (check-console-log, post-edit-format, post-edit-typecheck,
      post-edit-console-warn, session-end, evaluate-session)
    
    New tests (37):
    - CI validator test suite (tests/ci/validators.test.js):
      - validate-agents: 9 tests (real project, frontmatter parsing,
        BOM/CRLF, colons in values, missing fields, non-md skip)
      - validate-hooks: 13 tests (real project, invalid JSON, invalid
        event types, missing fields, async/timeout validation, inline JS
        syntax, array commands, legacy format)
      - validate-skills: 6 tests (real project, missing SKILL.md, empty
        files, non-directory entries)
      - validate-commands: 5 tests (real project, empty files, non-md skip)
      - validate-rules: 4 tests (real project, empty files)
    
    Total test count: 228 (up from 191)
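
The glob-to-regex fix (escape metacharacters first, then expand the wildcards) could be sketched as below. `globToRegExp` is a hypothetical name, and anchoring the result with `^...$` is an assumption:

```javascript
// Hypothetical converter: supports only * and ? wildcards.
function globToRegExp(glob) {
  // Escape everything with regex meaning except * and ?, which are handled next.
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const pattern = escaped.replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${pattern}$`);
}
```

With the escaping step in place, the dots in `*.test.js` match only literal dots, and a `+` in a file name no longer acts as a quantifier.
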
  • fix: 2 bugs fixed, 17 tests added for hook scripts
    Bug fixes:
    - evaluate-session.js: whitespace-tolerant regex for counting user
      messages in JSONL transcripts (/"type":"user"/ → /"type"\s*:\s*"user"/)
    - session-end.js: guard against null elements in content arrays
      (c.text → (c && c.text) to prevent TypeError)
    
    New tests (17):
    - evaluate-session: whitespace JSON regression test
    - session-end: null content array elements regression test
    - post-edit-console-warn: 5 tests (warn, skip non-JS, clean files,
      missing file, stdout passthrough)
    - post-edit-format: 3 tests (empty stdin, non-JS skip, invalid JSON)
    - post-edit-typecheck: 4 tests (empty stdin, non-TS skip, missing file,
      no tsconfig)
    
    Total test count: 191 (up from 164)
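
Both fixes can be illustrated in a few lines. `countUserMessages` and `joinText` are hypothetical helpers written for this note; only the regex and the `(c && c.text)` guard come from the commit:

```javascript
// Whitespace-tolerant pattern from the commit message.
const USER_ENTRY = /"type"\s*:\s*"user"/g;

// Hypothetical helper: count user entries in a JSONL transcript string.
function countUserMessages(transcript) {
  return (transcript.match(USER_ENTRY) || []).length;
}

// Hypothetical helper: join text blocks, skipping null or text-less elements.
function joinText(content) {
  return content
    .map((c) => (c && c.text) || '')
    .filter(Boolean)
    .join(' ');
}
```
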
  • fix: add async/timeout to hooks schema and validate in CI
    - hooks.schema.json: add async (boolean) and timeout (number) properties
      to hookItem definition, matching fields used in hooks.json
    - validate-hooks.js: validate async and timeout types when present
    - hooks.test.js: add SessionEnd to required event types check
  • fix: Windows path support, error handling, and dedup in validators
    - session-manager.js: fix getSessionStats path detection to handle
      Windows paths (C:\...) in addition to Unix paths (/)
    - package-manager.js: add try-catch to setPreferredPackageManager for
      consistent error handling with setProjectPackageManager
    - validate-hooks.js: extract duplicated hook entry validation into
      reusable validateHookEntry() helper
    - Update .d.ts JSDoc for both fixes