Removes 9×20 LOC duplication of KEI_DISABLED_HOOKS gate logic
from each hook into hooks/_lib/gate.sh. Next CVE in gate path
fixes in ONE file, not 9.
hooks/_lib/gate.sh (new, 57 LOC) — POSIX sh library, single
kei_hook_gate() function. Exact-token tokenize on comma OR
space (RED-1 fix preserved). Minimal-profile whitelist baked
in: no-hand-edit-agents, assemble-validate, agent-fork-logger,
session-end-dump. Idempotent re-source guard.
hooks/_lib/test-gate.sh (new, 47 LOC) — 11 test cases covering
empty/comma/space/whitespace/substring-NOT-match/literal 'all'/
minimal-profile included+excluded/minimal+disabled combo.
Per-hook shim (exactly 2 LOC, same in all 9):
_KEI_LIB="$(dirname "$0")/_lib/gate.sh"
if [ -r "$_KEI_LIB" ]; then . "$_KEI_LIB"; kei_hook_gate "<name>" || exit 0; fi
Net LOC delta: −171 (hooks) +104 (lib new) +15 (installer) = −52.
Gate semantics bit-identical to v0.15.1 hotfix on the 6
enumerated behaviors; off/advisory-off profile values dropped
per spec (only 'minimal' recognized, any other = full).
Fail-open on missing lib — if _lib/gate.sh absent (old install
pre-v0.17), hook falls through to normal operation.
install.sh — +15 LOC copies hooks/_lib/*.sh to
$HOOKS_DIR/_lib/, preserving relative path the shim expects.
Note: v0.16 split this file; A1 worktree was based on pre-split
main — merge into current main required resolving conflict so
_lib-copy logic moved to install/lib-hooks.sh.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- M1 (RULE 0.4): replace fabricated URLs 'https://example.invalid/PROJECT-D'
and 'https://…/PROJECT-D' with plain text ('user's personal CLI predecessor').
- M2: tomd-preread cache key = basename + mtime + 8-char shasum of full path,
so two files with the same basename+mtime at different paths no longer
collide. Portable shasum shim; falls back to 'nohash' if shasum absent.
- M3: install.sh --with-bridges gated on ROLLED_BACK=0 so bridges are NOT
emitted into $PWD after an ERR-trap rollback.
- M4: rollback() guards rm -rf "$orig" behind an existence check.
- M5: skills/research/SKILL.md front-matter note — role tags like
'web-researcher' / 'meta-critic' are ad-hoc prompt labels for the generic
kei-researcher subagent, NOT separate manifests. Prevents fruitless
grep in _manifests/.
- M6: README adds a 'Frontend-stack coverage gap' callout listing the
planned-but-not-shipped frameworks (React-Vite, Vue-Nuxt, SvelteKit,
Astro, Angular, plain-web).
- M7: no-hand-edit-agents.sh documents at case block that the GENERATED
marker is the SOLE source of truth — legacy unmarked .md files pass
silently by design; re-run the assembler to adopt them.
