85a61d7253
Hook chain repairs (Group A):
- alignment-check.sh: read .prompt (was .user_prompt) — hook was dead
- block-dangerous.sh: jq instead of inline interpreter (RULE 0.2 + fail-open fix)
- destructive-guard.sh: explicit INPUT=cat + jq guard + exit 0 — was silent no-op
- numeric-claims-guard.sh: exit 1 -> exit 2 (Claude Code spec — was non-blocking)
comments updated 0.17 -> 0.18 (env var name kept)
- no-downgrade.sh: removed (?i) PCRE syntax — POSIX ERE matched literal text
- task-timer.sh: jq -nc instead of bare printf — JSON injection on quotes/backslashes
in description was corrupting RULE 0.18 evidence journal
- check-error-patterns.sh: replaced with no-op stub — had hardcoded /Users/denis/...
PATH LEAK in public kit, plus inline interpreter use
- post-commit-audit.sh: added trailing exit 0 — grep return code was hook exit code
- citation-verify.sh: ALLOW_REGEX accepts HOOK-BYPASS marker — bypass was documented
but never matched
- settings-snippet.json: agent-stub-scan moved PreToolUse:Agent -> PostToolUse:Agent
(RULE 0.16 enforcement was firing before transcript existed)
- check-error-patterns hook removed from settings-snippet.json
New defensive hooks (Group H):
- no-github-push.sh: PreToolUse:Bash hard deny on github.com push/create/sync/remote-add
(RULE 0.1 — patent IP protection; was missing from public kit)
- secrets-pre-guard.sh: PreToolUse:Edit|Write — token-pattern scan with allowlist (RULE 0.8)
- chat-numeric-prewarn.sh: UserPromptSubmit reminder when prompt mentions time/cost
(RULE 0.18 chat extension)
- chat-numeric-postflag.sh: Stop event scans last assistant message for naked numerics
without REAL/FROM-JOURNAL/ESTIMATE-HTC markers
Source: full Sonnet test-retest audit 2026-05-02 (3 parallel waves of 6 agents each)
identified hook chain bugs as HIGH severity in all 3 runs independently.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
60 lines
2.9 KiB
Bash
Executable file
60 lines
2.9 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# RULE -1 NO DOWNGRADE / CONSTRUCTIVE ONLY (2026-04-15 LOCK) enforcement.
|
|
#
|
|
# Detects downgrade-style phrases in Write/Edit content without accompanying
|
|
# constructive rescue (3 solution paths). Warn-level — not a hard block.
|
|
#
|
|
# Trigger: PreToolUse matcher = "Write|Edit"
|
|
# Severity: warn (exit 0 + stderr message). Upgrade to enforce (exit 2) on
|
|
# second recurrence per RULE 0.10 escalation ladder.
|
|
#
|
|
# Bypass: export RULE_M1_BYPASS=1 (visible, per-invocation).
|
|
|
|
set -u
|
|
|
|
# Bypass
|
|
[[ "${RULE_M1_BYPASS:-0}" == "1" ]] && exit 0
|
|
|
|
PAYLOAD=$(cat)
|
|
|
|
TOOL_NAME=$(echo "$PAYLOAD" | jq -r '.tool_name // ""' 2>/dev/null)
|
|
[[ "$TOOL_NAME" != "Write" && "$TOOL_NAME" != "Edit" ]] && exit 0
|
|
|
|
# Extract content being written (Write: content; Edit: new_string)
|
|
CONTENT=$(echo "$PAYLOAD" | jq -r '.tool_input.content // .tool_input.new_string // ""' 2>/dev/null)
|
|
[[ -z "$CONTENT" ]] && exit 0
|
|
|
|
FILE_PATH=$(echo "$PAYLOAD" | jq -r '.tool_input.file_path // ""' 2>/dev/null)
|
|
|
|
# Only check docs/memos/chatlogs — skip source code where "failed" is a legit token
|
|
# (tests, error enums, status fields, etc.). Path heuristic:
|
|
case "$FILE_PATH" in
|
|
*.md|*.txt|*.rst) ;; # docs — do check
|
|
*chatlogs*|*memory*|*report*) ;; # memo paths — do check
|
|
*) exit 0 ;; # source code / configs — skip
|
|
esac
|
|
|
|
# Downgrade triggers (case-insensitive, word-boundary where possible)
|
|
# derived: incident catalog from 2026-04-14 chatlogs + 2026-04-24 live session
|
|
TRIGGERS='\b(failed|refuted|doesn.?t work|downgrade|accept as limitation|не работает|не сработало|провалился|не удалось|tautolog(y|ical)|rejected?|dismiss|give up|отказываемся|отступаем|неудача|провал|это (всё\s+)?что мы)\b'
|
|
|
|
# Constructive rescue markers — if ANY of these present, downgrade is OK
|
|
# because the agent provided solution paths (RULE -1 compliance).
|
|
RESCUE='(three paths|3 paths|variant A|option A|вариант[аы]?\s+решения|solution paths?|constructive|recommend [AB]|три пути|можем попробовать|proposed fix|root cause.*fix|альтернативный путь|next step|решения\s*:)'
|
|
|
|
HAS_TRIGGER=$(echo "$CONTENT" | grep -ciE "$TRIGGERS" || true)
|
|
HAS_RESCUE=$(echo "$CONTENT" | grep -ciE "$RESCUE" || true)
|
|
|
|
if [[ "$HAS_TRIGGER" -gt 0 && "$HAS_RESCUE" -eq 0 ]]; then
|
|
# Find one concrete offending line for diagnostics
|
|
OFFENDING=$(echo "$CONTENT" | grep -iE "$TRIGGERS" | head -1 | cut -c1-120)
|
|
cat >&2 <<EOF
|
|
[RULE -1 WARN] downgrade-style phrase detected without constructive follow-up.
|
|
file: ${FILE_PATH:-<stdin>}
|
|
offending: ${OFFENDING}
|
|
required: present ≥2 solution paths + recommendation (see ~/.claude/rules/no-downgrade-constructive.md).
|
|
bypass: RULE_M1_BYPASS=1 (if the phrase is a legitimate data label, not a conclusion).
|
|
EOF
|
|
fi
|
|
|
|
exit 0
|