chore(claude-hooks): add PreToolUse Bash hooks for git flow protection#26
Merged
Conversation
Adds `.claude/settings.json` + `.claude/hooks/` scripts with 3 PreToolUse Bash hooks that protect main/develop in local sessions before the remote branch protection has to reject:

1. `block-protected-commit.sh` — aborts `git commit` when the current branch is main/develop.
2. `block-protected-push.sh` — aborts `git push` from main/develop or whose destination is main/develop (covers `origin main`, `HEAD:main`, `:main`, `dev:main`, `main:develop`, implicit push from main).
3. `typecheck-on-commit.sh` — runs `npm run typecheck` in code/ when there are staged changes in code/src/ (zero overhead on docs-only commits).

Reason: Phase-12 (HANDOFF §6.17 D-1209) recorded 2 commits to main by mistake that the remote branch protection catches on push but not on local commit. D-1210 proposed configuring this setup; this PR closes it. The UserPromptSubmit anti-worktree hook (CLAUDE.md rule #1) is preserved intact.

Validated:
- Pipe-test: Hook 1 10/10, Hook 2 16/16, Hook 3 6/6 cases.
- End-to-end: Hook 2 demonstrated blocking `git push ... main`; Hooks 1+3 demonstrated via sentinel files after `git commit --dry-run`.
- Schema: `jq -e` against `.hooks.PreToolUse[].hooks[]` OK.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
h2devx added a commit that referenced this pull request on May 2, 2026:
…e tooling (#28)

## Summary
Closes the documentation gap left after Phase-13 (PRs #26 and #27) merged to develop without updating HANDOFF.md. Updates **§0** (10 stale rows: Fecha del handoff, Fase actual, Lineas de codigo, Lineas de docs, SonarQube, Tests 2519→2553, Vulns npm audit, Paquete npm, Estado del release, Issues abiertos 1→0, Memoria propia, Repositorio GitHub, Proximo paso, Workflow Claude hooks PENDIENTE→CONFIGURADO) and adds new **§6.18 Phase-13** documenting the cycle.

## Phase-13 highlights

| | Deliverable |
|---|---|
| **PR #26** | claude-hooks-setup — 3 PreToolUse Bash hooks per repo (block commit on main/develop, block push to main/develop, typecheck on commit when code/src/ touched). Merged `94f0fcf`. |
| **PR #27** | B-MCP-7 fix — typed error union (`EmbedderUnavailableError` vs `EmbedFailedError`) + worker exponential back-off + `recall reset-queue` CLI command. +31 files / +1929 LOC. Tests +34. Merged `5903fb4`. |
| **SonarQube tooling** | Admin password recovery via DB UPDATE (SonarSource-documented hash fails on SQ Community 26.x), CI token rotated to Project Analysis Token, User Token persisted in `~/.netzi-secrets/sonar.env`. |

## 8 durable lessons recorded in §6.18
1. SonarSource-documented BCRYPT hash for "admin" does NOT verify on SQ 26.x — generate fresh with `htpasswd`.
2. Multi-layer shell escaping (bash → ssh → docker → psql) silently eats `$N` references.
3. SonarQube quality gates fail on code smells even with 100% coverage on new code.
4. Cognitive complexity S3776 trivially exceeded when adding typed-error discrimination — extract method early.
5. S7735 negated conditions easy to flip to positive.
6. Persist SonarQube tokens between sessions; never regenerate per-session.
7. Harness needs specific authorization phrases for production actions.
8. GitHub Actions secret values are irrecoverable post-set; rotate from source.

## Test plan
- [x] No code changes; doc-only PR.
- [x] CI runs lint/typecheck/tests/build/SonarQube same as code PRs.
- [x] §6.18 references match the actual PR numbers + commit SHAs (5903fb4, 94f0fcf, 9429bbd).

## Next step (after this merge)
Cut `release/0.1.2-beta.4` from develop. The §6.18 closing section ("Siguiente accion concreta") spells out the exact bumps + release notes + README/SECURITY updates needed.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
h2devx added a commit that referenced this pull request on May 2, 2026:
## Summary
Cuts `v0.1.2-beta.4` from develop (`0c18625`). This release closes [B-MCP-7](#24) — the embedding worker now tolerates the fastembed cold-start without burning per-item retry budget — on top of the four Phase-9 dogfood defects already shipped in `v0.1.2-beta.3`.

## What's in this release
- **PR #27** — B-MCP-7 fix (typed error union `EmbedderUnavailableError` vs `EmbedFailedError`, worker exponential back-off, new `recall reset-queue` CLI command for recovery on workspaces poisoned by the pre-fix worker).
- **PR #26** — Workflow Claude pre-commit hooks (`.claude/settings.json` + 3 scripts in `.claude/hooks/`).
- **PR #28** — HANDOFF Phase-13 closing doc.

Plus this release branch:
- `code/package.json` + `code/sonar-project.properties` bumped to `0.1.2-beta.4`.
- `docs/RELEASE-NOTES-v0.1.2-beta.4.md` (new file).
- README.md banner + code/README.md install command updated.
- SECURITY.md supported-versions table updated (beta.4 active, beta.3 superseded).

## Engineering metrics
- 5+1/5+1 EXIT=0 locally (`typecheck`, `lint`, `lint:tests`, `validate:modules`, tests **2553/2553**, build).
- SonarQube quality gate `MCP Memoria Strict` PASSED on PR #27 final push (Reliability A, Security A, Maintainability A, 0 bugs / 0 vulns / 0 blockers / 0 critical, **coverage on new code 99.8%**, overall 96.4%).
- 0 open GitHub issues before this release.

## Recovery instructions for users on `<= v0.1.2-beta.3`
If your workspace has `embedding_queue` rows stuck at `attempts=5`:

```bash
recall reset-queue --workspace /path/to/your/repo
# Cola de embeddings restablecida.
# Filas restablecidas: <N>
# Umbral aplicado (attempts >=): 5
# El worker re-intentara estas entradas en su proximo drain.
```

Then start `recall-server` normally — the worker will drain the queue.

## Test plan
- [x] CI already green via PR #27 with typed-error union + extract-method refactor.
- [x] All 5+1 quality gates EXIT=0 locally on this release branch.
- [ ] CI runs the quality gate here too (wait after push).
- [ ] After merge: tag `v0.1.2-beta.4` + GitHub pre-release + `npm publish --tag beta`.
- [ ] Post-publish smoke against the dogfood DB (with `recall reset-queue` first) validating that the worker drains the queue + semantic recall recovers with paraphrased queries.

## Path to v0.1.2 stable
If the smoke against the dogfood shows the worker draining the queue and semantic recall recovering, we promote `0.1.2` to `latest` dist-tag and hard-deprecate `0.1.1`. Otherwise, new bugs go into individual issues + PRs and ship as `v0.1.2-beta.5+`.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary
Adds 3 `PreToolUse > Bash` hooks to `.claude/settings.json` that protect main/develop in local Claude sessions, plus the typecheck gate for `code/src/` changes:
- `git commit` when the current branch is main/develop.
- `git push` from main/develop or whose destination is main/develop (`origin main`, `HEAD:main`, `:main`, `dev:main`, `main:develop`, implicit push).
- `npm run typecheck` in `code/` when there are staged changes in `code/src/` (zero overhead on docs-only commits).

The `UserPromptSubmit` anti-worktree hook (CLAUDE.md rule #1) is preserved intact.

## Why
HANDOFF §6.17 D-1209 records 2 commits to main by mistake in Phase-12 that the remote branch protection rejected on push but not on local commit. D-1210 proposed configuring this setup; this PR closes it. `if` filters (`Bash(git commit*)`, `Bash(git push*)`) avoid spawning for Bash calls that are not git → zero overhead on `ls`, `npm`, `recall`, etc.

## Test plan
- … `git commit-tree`, `git log | grep commit`, `--amend` on protected branch).
- … `dev:main`, `main:dev`, `:main`, implicit push from main, `feat/main-fix` no false positive).
- `git push file:///nonexistent main` (harness reports `PreToolUse:Bash hook error: BLOCKED:...`).
- `git commit --dry-run`.
- `jq -e .hooks.PreToolUse[].hooks[]` returns the 3 entries.

## Performance

## Notes
- … existing `UserPromptSubmit`).
- … `code/src/`).

🤖 Generated with Claude Code
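The two git gates described in the Summary above and in the PR description at the top of the thread, as an added example that is not the project's `block-protected-commit.sh` / `block-protected-push.sh`: one bash script with the decision logic for blocking `git commit` on main/develop and `git push` from or to main/develop, including the negatives the test plan lists (`git commit-tree`, `git log | grep commit`, `feat/main-fix`). Function names, the `--hook` flag, the constructed sample commands and the `jq`-based stdin parsing are this example's own; it assumes Claude Code's documented hook contract (tool input as JSON on stdin with the command at `.tool_input.command`, exit code 2 blocks the call and stderr is reported back), which is consistent with the `PreToolUse:Bash hook error: BLOCKED:...` message the PR quotes.

```bash
#!/usr/bin/env bash
# Added example, not the project's hook scripts: decision logic for the
# commit and push gates. Assumed hook contract: Claude Code passes the tool
# call as JSON on stdin (command at .tool_input.command); exit 2 aborts the
# call and stderr goes back to the model. Names, --hook, samples: this example's.
PROTECTED_RE='^(main|develop)$'

# is_protected <ref>: main/develop with or without refs/heads/. Anchored, so
# feat/main-fix or main-backup never match.
is_protected() {
  local ref="${1#refs/heads/}"
  [[ "$ref" =~ $PROTECTED_RE ]]
}

# Shell operators end the argument list of one git invocation.
is_separator() { [[ "$1" == "|" || "$1" == "||" || "$1" == "&&" || "$1" == ";" ]]; }

# push_args_blocked <current_branch> <tokens after "git push"...>
# Blocked when the push originates on a protected branch (covers the implicit
# push of the current branch) or any refspec destination is protected.
# Refspec forms handled: dst, src:dst, :dst (delete), +src:dst (force).
push_args_blocked() {
  local cur="$1"; shift
  is_protected "$cur" && return 0
  local tok refspec remote_seen=0
  for tok in "$@"; do
    [[ "$tok" == -* ]] && continue                           # -u, --force, --tags
    if (( ! remote_seen )); then remote_seen=1; continue; fi  # first positional = remote
    refspec="${tok#+}"
    case "$refspec" in
      *:*) is_protected "${refspec#*:}" && return 0 ;;   # src:dst or :dst
      *)   is_protected "$refspec"      && return 0 ;;   # bare name = src and dst
    esac
  done
  return 1
}

# command_is_blocked <current_branch> <command line>
# Whitespace tokenizer (no quote handling: a gate, not a shell parser) that
# inspects every git invocation, skipping global options such as -C <dir>.
# Prints the reason and returns 0 when the call must be blocked, 1 otherwise.
command_is_blocked() {
  local cur="$1" cmd="$2"
  local -a toks
  read -ra toks <<< "$cmd"
  local i j n=${#toks[@]} sub
  for (( i = 0; i < n; i++ )); do
    [[ "${toks[i]}" == "git" ]] || continue
    sub=""; local -a args=()
    for (( j = i + 1; j < n; j++ )); do
      is_separator "${toks[j]}" && break
      if [[ -z "$sub" ]]; then
        case "${toks[j]}" in
          -C|-c) j=$(( j + 1 )); continue ;;   # global option with its own argument
          -*)    continue ;;                    # other global options
          *)     sub="${toks[j]}"; continue ;;  # the subcommand
        esac
      fi
      args+=("${toks[j]}")
    done
    case "$sub" in
      commit)                                   # exact match: commit-tree does not hit
        if is_protected "$cur"; then
          echo "BLOCKED: git commit on protected branch '$cur'"; return 0
        fi ;;
      push)
        if push_args_blocked "$cur" "${args[@]}"; then
          echo "BLOCKED: git push from/to protected branch (on '$cur': git push ${args[*]})"; return 0
        fi ;;
    esac
    i=$j
  done
  return 1
}

# Real entry point: register "<script> --hook" under hooks.PreToolUse.
hook_main() {
  local cmd cur reason
  cmd=$(jq -r '.tool_input.command // empty')
  cur=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || true)
  if reason=$(command_is_blocked "$cur" "$cmd"); then
    echo "$reason" >&2; exit 2
  fi
  exit 0
}

# Constructed samples (branch, then command); not captured from a session.
demo() {
  local cur cmd
  while read -r cur cmd; do
    command_is_blocked "$cur" "$cmd" || echo "allow: on '$cur': $cmd"
  done <<'EOF'
main git commit -m "oops"
main git commit-tree HEAD^{tree}
main git log | grep commit
feat/x git push origin HEAD:main
feat/x git push -u origin dev:main
main git push
feat/main-fix git push origin feat/main-fix
feat/x git push file:///nonexistent main
EOF
  return 0
}

if [[ "${1:-}" == "--hook" ]]; then hook_main; else demo; fi
```

Run it without arguments to see the decision for each sample; with `--hook` it behaves as the real gate and expects the hook JSON on stdin. The typecheck gate is not modelled because it needs `git diff --cached --name-only` against a live index. Two caveats a reviewer would raise: the tokenizer does no quote handling, so a refspec hidden inside a quoted or variable-expanded argument is not seen, and a `git push -o <opt>`-style option with a separate argument shifts the positional parsing; the remote branch protection the PR description mentions remains the real control, this hook only fails earlier and cheaper.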