PreToolUse hooks route through kei-capability check when orchestrator
registers a capability via KEI_CAPABILITY_NAME env var on agent spawn.
hooks/agent-capability-check.sh (22 LOC):
- Pass-through (exit 0) when KEI_CAPABILITY_NAME unset — no-op by default
- Fail-open (exit 0) when kei-capability binary missing — kit convention
- Sources _lib/gate.sh for KEI_DISABLED_HOOKS / KEI_HOOK_PROFILE respect
- exec kei-capability check "$CAP_NAME" when active
hooks/agent-capability-verify.sh (24 LOC):
- Orchestrator-driven, NOT a Claude Code native hook
- Carries env: AGENT_ID, TASK_TOML, WORKTREE_PATH, MAIN_REPO, RUN_MODE
- exec kei-capability verify "$CAP_NAME"
Registered in hooks/hooks.json + settings-snippet.json under both
PreToolUse:Bash and PreToolUse:Edit|Write matchers. Internal NotApplicable
returns exit 0 so non-matching tool calls cost nothing.
install.sh unchanged — hooks/*.sh glob picks up both new files.
tests/hook_wiring_integration.sh (64 LOC) — 3 contract assertions:
(1) pass-through on unset KEI_CAPABILITY_NAME
(2) deny+exit 2 on git-op pattern
(3) allow+exit 0 on cargo-check pattern
Multi-capability routing (for phase 5): KEI_CAPABILITY_NAME currently
holds ONE name. When a role requires N capabilities, orchestrator will
either iterate or kei-capability gains a compose subcommand. Design
note left for phase 5.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hooks/*.sh: take shim from A1 (gate logic lives in _lib/gate.sh)
install.sh: take dispatcher from v0.16 install-split; ported A1's
_lib-copy logic into install/lib-hooks.sh::install_hooks (since
A1 worktree was based on pre-v0.16-split main and couldn't see
the cube structure).
Gate semantics preserved — tokenized KEI_DISABLED_HOOKS, minimal
profile whitelist. Net: −171 (hooks) +104 (_lib new) +15 (lib-hooks)
= −52 LOC across kit.
Removes 9×20 LOC duplication of KEI_DISABLED_HOOKS gate logic
from each hook into hooks/_lib/gate.sh. Next CVE in gate path
fixes in ONE file, not 9.
hooks/_lib/gate.sh (new, 57 LOC) — POSIX sh library, single
kei_hook_gate() function. Exact-token tokenize on comma OR
space (RED-1 fix preserved). Minimal-profile whitelist baked
in: no-hand-edit-agents, assemble-validate, agent-fork-logger,
session-end-dump. Idempotent re-source guard.
hooks/_lib/test-gate.sh (new, 47 LOC) — 11 test cases covering
empty/comma/space/whitespace/substring-NOT-match/literal 'all'/
minimal-profile included+excluded/minimal+disabled combo.
Per-hook shim (exactly 2 LOC, same in all 9):
_KEI_LIB="$(dirname "$0")/_lib/gate.sh"
if [ -r "$_KEI_LIB" ]; then . "$_KEI_LIB"; kei_hook_gate "<name>" || exit 0; fi
Net LOC delta: −171 (hooks) +104 (lib new) +15 (installer) = −52.
Gate semantics bit-identical to v0.15.1 hotfix on the 6
enumerated behaviors; off/advisory-off profile values dropped
per spec (only 'minimal' recognized, any other = full).
Fail-open on missing lib — if _lib/gate.sh absent (old install
pre-v0.17), hook falls through to normal operation.
install.sh — +15 LOC copies hooks/_lib/*.sh to
$HOOKS_DIR/_lib/, preserving relative path the shim expects.
Note: v0.16 split this file; A1 worktree was based on pre-split
main — merge into current main required resolving conflict so
_lib-copy logic moved to install/lib-hooks.sh.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Makes KeiSeiKit installable both as classic kit AND as an
Anthropic Claude Code plugin.
.claude-plugin/plugin.json — plugin manifest (name, version,
description, author OBJECT per schema, repository, license)
.claude-plugin/marketplace.json — own marketplace declaration
(owner OBJECT per schema, plugins[].source OBJECT)
.claude-plugin/mcp-template.json — template for .mcp.json (actual
.mcp.json write is blocked by hook; user copies template manually)
PLUGIN.md — dual-install docs (plugin vs classic)
hooks/hooks.json — uses ${CLAUDE_PLUGIN_ROOT} (per Anthropic
schema, NOT ${PLUGIN_ROOT}); wraps hooks under top-level
"hooks": {...} key
Schema corrections caught during agent validation:
- marketplace.json owner MUST be object (not string)
- hooks.json requires "hooks": {...} top-level wrapper
- env var is ${CLAUDE_PLUGIN_ROOT} not ${PLUGIN_ROOT}
Companion edits in install-split bundle: install/lib-args.sh
gains an 8-line plugin-first banner in print_help() directing
users toward the plugin install path as recommended default.
Dual-install strategy: users can pick
- `claude plugin marketplace add <url>` then install — latest
and iteration-friendly (this PR enables it)
- classic ./install.sh — legacy kit path, full 37-primitive
control
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Advisory hook (RULE 0.12). Reads Agent tool_input JSON from stdin, hashes
the prompt (SHA-256 first 16), derives agent id and branch per isolation
mode, emits kei-ledger fork row.
NEVER blocks: every exit path is exit 0. Missing jq / kei-ledger / git
= silent no-op. Advisory because isolation=false trivial agents are
expected to slip through (RULE 0.12 Exceptions 1-2).
Constructor Pattern: 51 LOC, POSIX sh, chmod +x.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- M1 (RULE 0.4): replace fabricated URLs 'https://example.invalid/PROJECT-D'
and 'https://…/PROJECT-D' with plain text ('user's personal CLI predecessor').
- M2: tomd-preread cache key = basename + mtime + 8-char shasum of full path,
so two files with the same basename+mtime at different paths no longer
collide. Portable shasum shim; falls back to 'nohash' if shasum absent.
- M3: install.sh --with-bridges gated on ROLLED_BACK=0 so bridges are NOT
emitted into $PWD after an ERR-trap rollback.
- M4: rollback() guards rm -rf "$orig" behind an existence check.
- M5: skills/research/SKILL.md front-matter note — role tags like
'web-researcher' / 'meta-critic' are ad-hoc prompt labels for the generic
kei-researcher subagent, NOT separate manifests. Prevents fruitless
grep in _manifests/.
- M6: README adds a 'Frontend-stack coverage gap' callout listing the
planned-but-not-shipped frameworks (React-Vite, Vue-Nuxt, SvelteKit,
Astro, Angular, plain-web).
- M7: no-hand-edit-agents.sh documents at case block that the GENERATED
marker is the SOLE source of truth — legacy unmarked .md files pass
silently by design; re-run the assembler to adopt them.
Previous block-rebuild path piped through head -40, so a FAIL on line 50
was invisible. Now FAIL/ERROR lines are always printed first; OK lines
are still truncated. Written in POSIX sh per Fix 4.
All three hooks changed shebang from bash to sh. No bashisms were in use
(no [[, no local, no arrays) so only the interpreter line moved. Verified
with sh -n, and dash smoke-run with a sample tool_input JSON.
All three hooks used `set -eu` + `cat | jq …`. Without jq installed, jq
would fail and `-e` would abort the hook → non-zero exit → Claude Code
refuses Edit/Write/Bash system-wide. Now each hook probes for jq BEFORE
`set -eu` and exits 0 silently if absent. Also dropped the useless `cat |`
pipe — `jq -r` reads stdin directly.
Companion: install.sh jq check upgraded from warn to hard `exit 1` because
without jq the hooks are dead weight; message states jq is required on
any machine that will activate the hooks.
