From Heimdall
{"riskFlags": {"touchesBash": true, "matchAllTools": false, "touchesFileWrites": true}, "typeStats": {"command": 9}, "eventStats": {"PreToolUse": 4, "SessionEnd": 1, "PostToolUse": 2, "SessionStart": 1, "UserPromptSubmit": 1}, "originCounts": {"absolutePaths": 0, "pluginScripts": 0, "projectScripts": 0}, "timeoutStats": {"commandsWithoutTimeout": 9}}
5 events · 9 hooks
Safety signals detected in this hook configuration
Where this hook configuration is defined
Defined in hooks/hooks.json
Event handlers and matchers — expand Raw Configuration for the full JSON
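# Hook commands from hooks/hooks.json, restored to one statement per line.
# Each section below is a separate hook command that runs on its own; they do
# not form a single script. The matcher labels (Bash, Read|Grep|Glob, Agent,
# Write|Edit) appear on the page. The event names are inferred from the page's
# event counts and the order of the commands -- confirm against hooks.json.
#
# Review notes that apply to every section:
#  - When CLAUDE_PLUGIN_ROOT is unset, helpers are resolved under the current
#    repository's top level (or the working directory), so the checked-out
#    tree decides which bin/* programs run. Set CLAUDE_PLUGIN_ROOT to the
#    installed plugin path where the working tree is not fully trusted.
#  - Gates print their JSON error on stdout and exit 2.
#    NOTE(review): confirm the host surfaces stdout on a blocking exit;
#    otherwise the message belongs on stderr.
#  - The page's stats report that none of the nine commands sets a timeout.

# ---------------------------------------------------------------------------
# matcher: Bash  (presumably PreToolUse) -- commit and push gates
# ---------------------------------------------------------------------------
INPUT=$(cat)
CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty')
PLUGIN="${CLAUDE_PLUGIN_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"
SCAN="$PLUGIN/bin/secret-scan"

# Pre-commit gate: scan before a `git commit` found anywhere in a command chain.
if printf '%s\n' "$CMD" | grep -qE '(^|[;&|]\s*)git\s+commit'; then
  # NOTE(review): a missing or non-executable secret-scan skips the gate
  # silently (fail-open). The push gate below has the same guard.
  if [ -x "$SCAN" ]; then
    if ! OUT=$("$SCAN" 2>&1); then
      # JSON-escape the scanner output, then drop the surrounding quotes so it
      # can be spliced into the error string.
      ESC=$(printf '%s' "$OUT" | jq -Rsa . | sed -e 's/^"//' -e 's/"$//')
      printf '{"error": "BLOCKED: secret detected in staged changes by gitleaks. A credential must never enter history. Remove it from the staged diff before committing. --- %s"}' "$ESC"
      exit 2
    else
      printf '%s\n' "$OUT" >&2
    fi
  fi
fi

# Pre-push gate. The original pattern was anchored to the start of the command
# ('^git\s+push'), so a push that followed another command in a chain skipped
# every check below; it now uses the same chain-aware prefix as the commit
# gate. Matching on command text remains best-effort -- keep a git pre-push
# hook or a server-side scan as the authoritative control.
if printf '%s\n' "$CMD" | grep -qE '(^|[;&|]\s*)git\s+push'; then
  # NOTE(review): the exit status is not checked here; if this call is meant
  # to block the push, it needs an explicit test.
  heimdall-state check-quality-gates

  if [ -x "$SCAN" ]; then
    if ! OUT=$(SECRET_SCAN_REQUIRE=1 "$SCAN" --require 2>&1); then
      ESC=$(printf '%s' "$OUT" | jq -Rsa . | sed -e 's/^"//' -e 's/"$//')
      printf '{"error": "BLOCKED: pre-push secret gate failed (gitleaks). A secret in the push range or a missing scanner blocks the push — gitleaks must be present and the range clean. --- %s"}' "$ESC"
      exit 2
    else
      printf '%s\n' "$OUT" >&2
    fi
  fi

  # Full-history self-scan; the message names it as the backstop for commits
  # made with --no-verify.
  SELFSCAN="$PLUGIN/bin/heimdall-selfscan"
  if [ -x "$SELFSCAN" ]; then
    if ! OUT=$("$SELFSCAN" 2>&1); then
      ESC=$(printf '%s' "$OUT" | jq -Rsa . | sed -e 's/^"//' -e 's/"$//')
      printf '{"error": "BLOCKED: pre-push self-scan failed (gitleaks over Heimdall OWN full history). A secret anywhere in this repo history, or a missing scanner, blocks the push. Agents commit --no-verify (bypassing the pre-commit gate), so this full-history self-scan is the backstop. Scrub the secret from history (git filter-repo) or install gitleaks. --- %s"}' "$ESC"
      exit 2
    else
      printf '%s\n' "$OUT" >&2
    fi
  fi

  # Oracle gates: each applicable domain must score 1.0 from bin/falsify.
  FALSIFY="$PLUGIN/bin/falsify"
  ORACLES="$PLUGIN/evals/oracles"
  if [ -x "$FALSIFY" ] && [ -d "$ORACLES" ]; then
    for D in "$ORACLES"/*/; do
      DOM=$(basename "$D")
      if [ -d "$D/fixtures/mutants" ]; then
        APPLIES=0
        # -F: the domain name is a literal, not a regular expression.
        if [ -f .planning/detected-stack.json ] && grep -qF -- "$DOM" .planning/detected-stack.json 2>/dev/null; then
          APPLIES=1
        fi
        if [ -d "evals/oracles/$DOM" ]; then
          APPLIES=1
        fi
        if [ "$APPLIES" = 1 ]; then
          if ! "$FALSIFY" "$DOM" --assert-score 1.0 >&2; then
            STAMP="$PLUGIN/bin/heimdall-stamp"
            REP="evals/oracles/$DOM/report.json"
            # Stamping is best-effort: a failure here never masks the block.
            if [ -x "$STAMP" ]; then
              if [ -f "$REP" ]; then
                "$STAMP" --report "$REP" --branch "heimdall/blocked/$DOM" >&2 2>/dev/null || true
              else
                "$STAMP" --violation "oracle gate $DOM is not falsifiable (score < 1.0)" --branch "heimdall/blocked/$DOM" >&2 2>/dev/null || true
              fi
            fi
            printf '{"error": "BLOCKED: oracle gate %s is not falsifiable (score < 1.0). A green test suite over a non-falsifiable gate must not pass push. Harden the gate until bin/falsify reports 1.0."}' "$DOM"
            exit 2
          fi
        fi
      fi
    done
  fi

  # Corpus regression gate.
  CORPUS="$PLUGIN/bin/corpus"
  if [ -f evals/corpus/INDEX.json ] && [ -x "$CORPUS" ]; then
    if ! "$CORPUS" run >&2; then
      STAMP="$PLUGIN/bin/heimdall-stamp"
      [ -x "$STAMP" ] && "$STAMP" --violation "corpus regression — a case the gates once caught is no longer caught" --branch "heimdall/blocked/corpus" >&2 2>/dev/null || true
      printf '{"error": "BLOCKED: corpus regression — bin/corpus run is nonzero. A case the gates once caught is no longer caught (CI inversion, H-8). The gates are regression-tested by the failures they once caught; restore 100%% catch before push."}'
      exit 2
    fi
  fi
fi

"${CLAUDE_PLUGIN_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}/bin/parallelism-tracker" check Bash 2>&1 || true

# ---------------------------------------------------------------------------
# matcher: Read|Grep|Glob  (presumably PreToolUse) -- tracker only
# ---------------------------------------------------------------------------
INPUT=$(cat)
TOOL=$(printf '%s' "$INPUT" | jq -r '.tool_name // "unknown"' 2>/dev/null || echo unknown)
"${CLAUDE_PLUGIN_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}/bin/parallelism-tracker" check "$TOOL" 2>&1 || true

# ---------------------------------------------------------------------------
# matcher: Agent  (presumably PreToolUse) -- tracker only
# ---------------------------------------------------------------------------
"${CLAUDE_PLUGIN_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}/bin/parallelism-tracker" check Agent 2>&1 || true

# ---------------------------------------------------------------------------
# matcher: Write|Edit  (presumably PreToolUse) -- stub/placeholder filter
# ---------------------------------------------------------------------------
INPUT=$(cat)
CONTENT=$(printf '%s' "$INPUT" | jq -r '.tool_input.content // .tool_input.new_string // empty' 2>/dev/null)
TOOL=$(printf '%s' "$INPUT" | jq -r '.tool_name // "unknown"' 2>/dev/null || echo unknown)
"${CLAUDE_PLUGIN_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}/bin/parallelism-tracker" check "$TOOL" 2>&1 || true

# Nothing to inspect (also the case when jq is missing or the input is not JSON).
if [ -z "$CONTENT" ]; then
  exit 0
fi

# printf rather than echo: the content is arbitrary text and must not be
# interpreted as echo options or escape sequences.
if printf '%s\n' "$CONTENT" | grep -qiE '(//\s*TODO|#\s*TODO|FIXME|XXX|NotImplementedError|unimplemented!\(\)|todo!\(\)|placeholder|\bstub\b|\bshim\b)'; then
  echo '{"error": "BLOCKED: stub/placeholder code detected. Write real implementation or explain why you cannot."}'
  exit 2
fi
if printf '%s\n' "$CONTENT" | grep -qE 'throw new Error\(["'"'"'"]not implemented["'"'"'"]\)'; then
  echo '{"error": "BLOCKED: stub/placeholder code detected. Write real implementation or explain why you cannot."}'
  exit 2
fi
# A line that contains only `pass`.
if printf '%s\n' "$CONTENT" | grep -qE '^\s*pass\s*$'; then
  echo '{"error": "BLOCKED: stub/placeholder code detected. Write real implementation or explain why you cannot."}'
  exit 2
fi
# Empty arrow function or empty anonymous function.
if printf '%s\n' "$CONTENT" | grep -qE '\(\)\s*=>\s*\{\s*\}|function\s*\(\)\s*\{\s*\}'; then
  echo '{"error": "BLOCKED: stub/placeholder code detected. Write real implementation or explain why you cannot."}'
  exit 2
fi

# ---------------------------------------------------------------------------
# no matcher  (presumably SessionEnd, per the commit message) -- wrap-up
# ---------------------------------------------------------------------------
PLUGIN="${CLAUDE_PLUGIN_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"
"$PLUGIN/bin/parallelism-tracker" grade 2>&1 || true
"$PLUGIN/bin/verify-edits" --quick 2>&1 || true
if [ -x "$PLUGIN/bin/heimdall-reel" ] && { [ -d .planning ] || [ -f heimdall-state.json ] || [ -f superx-state.json ]; }; then
  "$PLUGIN/bin/heimdall-reel" record . --name "run-$(date +%Y%m%d-%H%M%S 2>/dev/null || echo run)" 2>/dev/null || true
fi
"$PLUGIN/bin/summary-card" . 2>/dev/null || true

# Opt-out marker files disable the automatic commit.
if [ -f .heimdall-no-autocommit ] || [ -f .superx-no-autocommit ]; then
  exit 0
fi
# Security note: `git add -A` stages every change in the work tree, including
# untracked files that .gitignore does not cover, and --no-verify skips the
# repository's own commit hooks. The hook runs this commit itself, so it
# presumably does not pass through the Bash commit gate; anything sensitive
# staged here is first scanned at push time and then has to be removed from
# history.
if [ -d .git ] && [ -n "$(git status --porcelain 2>/dev/null)" ]; then
  count=$(git diff --name-only 2>/dev/null | wc -l | tr -d ' ')
  git add -A && git commit -m "heimdall: session-end checkpoint (${count} files)" --no-verify 2>/dev/null || true
fi

# ---------------------------------------------------------------------------
# matcher: Bash  (presumably PostToolUse) -- capture failing oracle reports
# ---------------------------------------------------------------------------
PLUGIN="${CLAUDE_PLUGIN_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"
CAP="$PLUGIN/bin/corpus-capture"
if [ -x "$CAP" ] && [ -d evals/oracles ] && command -v jq >/dev/null 2>&1; then
  for R in evals/oracles/*/report.json; do
    [ -f "$R" ] || continue   # unmatched glob stays literal; skip it
    if [ "$(jq -r '.status // empty' "$R" 2>/dev/null)" = "fail" ]; then
      "$CAP" --report "$R" 2>/dev/null || true
    fi
  done
fi
exit 0

# ---------------------------------------------------------------------------
# matcher: Write|Edit  (presumably PostToolUse) -- edit log and auto-checkpoint
# ---------------------------------------------------------------------------
INPUT=$(cat)
TOOL=$(printf '%s' "$INPUT" | jq -r '.tool_name // "unknown"')
FPATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty')
if [ -n "$FPATH" ]; then
  "${CLAUDE_PLUGIN_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}/bin/edit-tracker" log "$TOOL" "$FPATH" 2>/dev/null || true
fi
# Both state-file names lead to the same call (the original used if/elif with
# identical branches).
if [ -f heimdall-state.json ] || [ -f superx-state.json ]; then
  heimdall-state mark-dirty 2>/dev/null || true
fi
if [ -f .heimdall-no-autocommit ] || [ -f .superx-no-autocommit ]; then
  exit 0
fi
# Checkpoint once five or more tracked files differ from the index. Same
# caveat as the session-end commit: `git add -A` with --no-verify stages
# everything and runs no commit hooks.
count=$(git diff --name-only 2>/dev/null | wc -l | tr -d ' ')
if [ "$count" -ge 5 ] && [ -d .git ]; then
  git add -A && git commit -m "heimdall: auto-checkpoint (${count} files)" --no-verify 2>/dev/null || true
fi

# ---------------------------------------------------------------------------
# no matcher  (presumably SessionStart) -- build helpers, initialise state
# ---------------------------------------------------------------------------
PLUGIN="${CLAUDE_PLUGIN_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"
TRACKER="$PLUGIN/bin/parallelism-tracker"
# Security note: this section compiles C sources found under $PLUGIN/bin, and
# the resulting binaries are run by this and the other hooks. With the
# fallback plugin root, those sources come from the working repository.
if [ -f "$PLUGIN/bin/parallelism-tracker.c" ] && { [ ! -x "$TRACKER" ] || ! "$TRACKER" check probe >/dev/null 2>&1; }; then
  "$PLUGIN/bin/build-tracker.sh" >/dev/null 2>&1 || true
fi
ETRACKER="$PLUGIN/bin/edit-tracker"
if [ -f "$PLUGIN/bin/edit-tracker.c" ] && [ ! -x "$ETRACKER" ]; then
  clang -O2 -Wall -Wextra -o "$ETRACKER" "$PLUGIN/bin/edit-tracker.c" 2>/dev/null || true
fi
"$ETRACKER" clear 2>/dev/null || true
if [ ! -f heimdall-state.json ] && [ ! -f superx-state.json ]; then
  heimdall-state init 2>/dev/null || true
fi
if [ -f heimdall-state.json ] || [ -f superx-state.json ] || [ -d .planning ]; then
  mkdir -p .planning 2>/dev/null && "$PLUGIN/bin/stack-pack" detect 2>/dev/null > .planning/detected-stack.json || true
fi
if [ -f .planning/CHECKPOINT.md ]; then
  echo "[heimdall] Checkpoint found — read .planning/CHECKPOINT.md to resume."
elif [ -f .planning/STATE.md ]; then
  echo "[heimdall] State found — read .planning/STATE.md for prior context."
fi

# ---------------------------------------------------------------------------
# no matcher  (presumably UserPromptSubmit) -- parallel gate
# ---------------------------------------------------------------------------
"${CLAUDE_PLUGIN_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}/bin/parallel-gate" 2>/dev/null || true

# ---------------------------------------------------------------------------
# Install command shown on the page (not part of any hook)
# ---------------------------------------------------------------------------
npx claudepluginhub randomittin/heimdall --plugin hmd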