arete-cc-stack
ARETE's Claude Code automation stack, packaged for portability.
Single-file reference for the underlying design lives at
~/projects/notes/topics/claude-code-automation.md in ARETE's knowledge base.
What's in the box
8 security & audit hooks
| Event | Matcher | Hook | Purpose |
|---|
| PreToolUse | Bash | audit-bash.sh | Log + block dangerous bash (destructive removes, fork bombs, reverse shells) |
| PreToolUse | Bash | no-force-push.sh | Block git push --force to main/master/production/release |
| PreToolUse | Bash | detect-secrets.py | Block bash commands with embedded credentials |
| PreToolUse | Write|Edit | protected-paths.sh | Block writes to .git/, env files, .ssh/, .gnupg/, password-store |
| PreToolUse | Write|Edit | validate-files.py | Block writes to protected files (path-component matching, not substring) |
| PreToolUse | Write|Edit | detect-secrets.py | Block file writes containing credentials |
| PostToolUse | * | tool-logger.sh | Log tool invocations; rotates at 10 MiB, keeps 3 backups |
| SessionStart/End | — | session-logger.sh | Audit trail for session boundaries |
| UserPromptSubmit | — | detect-secrets.py | Block prompts with critical secrets |
| UserPromptSubmit | — | wrap-it-up.sh | Inject /session-end context when user says "wrap it up" |
6 custom slash commands
/fleet-status [filter] — audit 30+ project portfolio (git state, unpushed, test deltas)/tiaid-check [area] — TIAID consulting pipeline status/hackathon-triage [project] — rank active hackathon submissions by urgency/animus-sync [--dry-run] — manually trigger Animus ChromaDB sync/wrap — alias for /session-end/doctor — sanity-check the entire automation stack (hooks, commands, agents, MCP, permissions)
3 domain subagents
fleet-auditor — portfolio-wide git/test/CI audit, read-onlyeve-frontier-researcher — EVE Frontier (Stillness testnet) Sui GraphQL, package IDs, API quirkstiaid-content-analyst — Human Stack article review, voice scoring, pipeline discipline
Custom statusline
<project> | git:<branch>[*] | shift:<Nh>Nm | FREEZE-CHECK
Swing-shift aware (4PM–2:30AM window).
Global permission allowlist
6 read-only Bash allow rules so common audit commands (ruff check, anchormd audit, flyctl logs/status, npm audit/ls) don't prompt.
Installation
Option A — git submodule (recommended, lets you pull updates)
mkdir -p ~/.claude/plugins
cd ~/.claude/plugins
git clone https://github.com/AreteDriver/arete-cc-plugin arete-cc-stack
Option B — direct clone
git clone https://github.com/AreteDriver/arete-cc-plugin.git /tmp/arete-cc-stack
mkdir -p ~/.claude/plugins
mv /tmp/arete-cc-stack ~/.claude/plugins/arete-cc-stack
Option C — symlink a development copy
ln -s /path/to/arete-cc-plugin ~/.claude/plugins/arete-cc-stack
After install, open /plugin in Claude Code and enable arete-cc-stack, then restart Claude Code or run /hooks to pick up the hook config.
2-Minute Demo
# from repo root
jq -r '.name + " v" + .version' .claude-plugin/plugin.json
find hooks -maxdepth 1 -type f | wc -l
ls commands | wc -l
Expected output:
arete-cc-stack v0.2.0
11
6
Feedback Loop
If this repo saved you time:
- Star it so others can find it.
- Open a
use-case issue with your workflow; I use those to drive the roadmap.
- If setup fails, open
setup-blocker and include OS + command output.
Requirements
- Claude Code v2.1.0 or later
jq installed and on PATH (hooks use jq to parse event JSON)python3 for detect-secrets.py and validate-files.pygit for most commands and hooks- Unix-like environment (Linux / macOS). Not tested on Windows/WSL.
Optional integrations the slash commands reference:
anchormd CLI (for /fleet-status checks and the anchormd audit permission rule)flyctl (for Fly.io log/status permission rules and TIAID-side infra checks)ruff (for the ruff check permission rule)- Animus repo at
~/projects/animus/ for /animus-sync
- ARETE notes repo at
~/projects/notes/ for session logging + memory index
Slash commands will degrade gracefully if a referenced project path is missing — they report NEEDS ATTENTION: rather than crashing.
Portability notes
${CLAUDE_PLUGIN_ROOT}
All hook paths in plugin.json use the ${CLAUDE_PLUGIN_ROOT} variable. Claude Code expands this to the plugin's install directory at hook registration time, so the plugin works regardless of where it's cloned.
Project-specific subagents
