Removes 9×20 LOC duplication of KEI_DISABLED_HOOKS gate logic
from each hook into hooks/_lib/gate.sh. Next CVE in gate path
fixes in ONE file, not 9.
hooks/_lib/gate.sh (new, 57 LOC) — POSIX sh library, single
kei_hook_gate() function. Exact-token tokenize on comma OR
space (RED-1 fix preserved). Minimal-profile whitelist baked
in: no-hand-edit-agents, assemble-validate, agent-fork-logger,
session-end-dump. Idempotent re-source guard.
hooks/_lib/test-gate.sh (new, 47 LOC) — 11 test cases covering
empty/comma/space/whitespace/substring-NOT-match/literal 'all'/
minimal-profile included+excluded/minimal+disabled combo.
Per-hook shim (exactly 2 LOC, same in all 9):
_KEI_LIB="$(dirname "$0")/_lib/gate.sh"
if [ -r "$_KEI_LIB" ]; then . "$_KEI_LIB"; kei_hook_gate "<name>" || exit 0; fi
Net LOC delta: −171 (hooks) +104 (lib new) +15 (installer) = −52.
Gate semantics bit-identical to v0.15.1 hotfix on the 6
enumerated behaviors; off/advisory-off profile values dropped
per spec (only 'minimal' recognized, any other = full).
Fail-open on missing lib — if _lib/gate.sh absent (old install
pre-v0.17), hook falls through to normal operation.
install.sh — +15 LOC copies hooks/_lib/*.sh to
$HOOKS_DIR/_lib/, preserving relative path the shim expects.
Note: v0.16 split this file; A1 worktree was based on pre-split
main — merge into current main required resolving conflict so
_lib-copy logic moved to install/lib-hooks.sh.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
All three hooks changed shebang from bash to sh. No bashisms were in use
(no [[, no local, no arrays) so only the interpreter line moved. Verified
with sh -n, and dash smoke-run with a sample tool_input JSON.
All three hooks used `set -eu` + `cat | jq …`. Without jq installed, jq
would fail and `-e` would abort the hook → non-zero exit → Claude Code
refuses Edit/Write/Bash system-wide. Now each hook probes for jq BEFORE
`set -eu` and exits 0 silently if absent. Also dropped the useless `cat |`
pipe — `jq -r` reads stdin directly.
Companion: install.sh jq check upgraded from warn to hard `exit 1` because
without jq the hooks are dead weight; message states jq is required on
any machine that will activate the hooks.
