From cbfc6277af994a39ca435dcb18fd0d03a074ce65 Mon Sep 17 00:00:00 2001 From: Kurt Overmier Date: Tue, 7 Apr 2026 07:29:41 -0500 Subject: [PATCH 1/2] docs: add OSS policy reference to CLAUDE.md Co-Authored-By: Claude Opus 4.6 (1M context) --- CLAUDE.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/CLAUDE.md b/CLAUDE.md index 14a98c2..9794353 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -22,3 +22,16 @@ Autonomous task queue for Claude Code with safety hooks, branch isolation, and P - All paths relative to script directory - Tasks use JSON format with id, title, repo, prompt, status fields - Completion signal: TASK_COMPLETE or TASK_BLOCKED + +## OSS Policy + +This is a **public infrastructure package** governed by the Stackbilt OSS Infrastructure Package Update Policy. + +Rules: +1. **Additive only** — never remove or rename public API without a major version bump +2. **No product logic** — framework patterns and generic utilities only. If a competitor could reconstruct Stackbilt product architecture from this code, it doesn't belong here. +3. **Strict semver** — patch for fixes, minor for new features, major for breaking changes +4. **Tests travel with code** — every public export must have test coverage +5. **Validate at boundaries** — all external API responses validated before returning to consumers + +Full policy: `stackbilt_llc/policies/oss-infrastructure-update-policy.md` From 6b2ea7f6a61c85142b6daaf7a52bfbb60b089f16 Mon Sep 17 00:00:00 2001 From: Kurt Overmier Date: Tue, 7 Apr 2026 07:29:46 -0500 Subject: [PATCH 2/2] auto: uncommitted changes from task aeb8236c Task: Add OSS policy reference to cc-taskrunner CLAUDE.md --- hooks/block-interactive.sh | 34 +++++------ hooks/safety-gate.sh | 96 +++++++++++++++--------------- hooks/syntax-check.sh | 84 +++++++++++++------------- plugin/safety/block-interactive.sh | 34 +++++------ plugin/safety/safety-gate.sh | 96 +++++++++++++++--------------- plugin/safety/syntax-check.sh | 84 +++++++++++++------------- 6 files changed, 214 insertions(+), 214 deletions(-) diff --git a/hooks/block-interactive.sh b/hooks/block-interactive.sh index d45b2cd..d071523 100644 --- a/hooks/block-interactive.sh +++ b/hooks/block-interactive.sh @@ -1,17 +1,17 @@ -#!/usr/bin/env bash -# block-interactive.sh — Blocks AskUserQuestion in unattended sessions -# -# PreToolUse hook: exits 2 to block, 0 to allow. -# When Claude tries to ask a question, this forces it to decide instead. -# -# Copyright 2026 Stackbilt LLC — Apache 2.0 - -INPUT=$(cat) -TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) - -if [[ "$TOOL" == "AskUserQuestion" ]]; then - echo "BLOCKED: Autonomous mode — do not ask questions. Make a reasonable decision and document your reasoning." >&2 - exit 2 -fi - -exit 0 +#!/usr/bin/env bash +# block-interactive.sh — Blocks AskUserQuestion in unattended sessions +# +# PreToolUse hook: exits 2 to block, 0 to allow. +# When Claude tries to ask a question, this forces it to decide instead. +# +# Copyright 2026 Stackbilt LLC — Apache 2.0 + +INPUT=$(cat) +TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) + +if [[ "$TOOL" == "AskUserQuestion" ]]; then + echo "BLOCKED: Autonomous mode — do not ask questions. Make a reasonable decision and document your reasoning." >&2 + exit 2 +fi + +exit 0 diff --git a/hooks/safety-gate.sh b/hooks/safety-gate.sh index 05abffb..eec3417 100644 --- a/hooks/safety-gate.sh +++ b/hooks/safety-gate.sh @@ -1,48 +1,48 @@ -#!/usr/bin/env bash -# safety-gate.sh — Blocks destructive commands in unattended sessions -# -# PreToolUse hook for Bash tool: checks command for dangerous patterns. -# Blocks: rm -rf, git push --force, DROP TABLE, deploys, secret access. -# -# Copyright 2026 Stackbilt LLC — Apache 2.0 - -INPUT=$(cat) -TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) - -if [[ "$TOOL" != "Bash" ]]; then - exit 0 -fi - -CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null) - -# Destructive filesystem operations -if echo "$CMD" | grep -qiE '(rm\s+-rf|rm\s+-r\s+/|>\s*/dev/)'; then - echo "BLOCKED: Destructive filesystem operation not allowed in autonomous mode" >&2 - exit 2 -fi - -# Destructive git operations -if echo "$CMD" | grep -qiE '(git\s+reset\s+--hard|git\s+push\s+--force|git\s+push\s+-f|git\s+clean\s+-f)'; then - echo "BLOCKED: Destructive git operation not allowed in autonomous mode" >&2 - exit 2 -fi - -# Database destruction -if echo "$CMD" | grep -qiE '(DROP\s+TABLE|TRUNCATE\s+TABLE|DELETE\s+FROM\s+\w+\s*$)'; then - echo "BLOCKED: Destructive database operation not allowed in autonomous mode" >&2 - exit 2 -fi - -# Production deploys (require human approval) -if echo "$CMD" | grep -qiE '(wrangler\s+deploy|wrangler\s+publish|npm\s+run\s+deploy|kubectl\s+apply|terraform\s+apply)'; then - echo "BLOCKED: Production deploys require human approval. Commit your work and stop." >&2 - exit 2 -fi - -# Secret management -if echo "$CMD" | grep -qiE '(wrangler\s+secret|echo\s+.*API_KEY|echo\s+.*TOKEN|echo\s+.*SECRET)'; then - echo "BLOCKED: Secret management not allowed in autonomous mode" >&2 - exit 2 -fi - -exit 0 +#!/usr/bin/env bash +# safety-gate.sh — Blocks destructive commands in unattended sessions +# +# PreToolUse hook for Bash tool: checks command for dangerous patterns. +# Blocks: rm -rf, git push --force, DROP TABLE, deploys, secret access. +# +# Copyright 2026 Stackbilt LLC — Apache 2.0 + +INPUT=$(cat) +TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) + +if [[ "$TOOL" != "Bash" ]]; then + exit 0 +fi + +CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null) + +# Destructive filesystem operations +if echo "$CMD" | grep -qiE '(rm\s+-rf|rm\s+-r\s+/|>\s*/dev/)'; then + echo "BLOCKED: Destructive filesystem operation not allowed in autonomous mode" >&2 + exit 2 +fi + +# Destructive git operations +if echo "$CMD" | grep -qiE '(git\s+reset\s+--hard|git\s+push\s+--force|git\s+push\s+-f|git\s+clean\s+-f)'; then + echo "BLOCKED: Destructive git operation not allowed in autonomous mode" >&2 + exit 2 +fi + +# Database destruction +if echo "$CMD" | grep -qiE '(DROP\s+TABLE|TRUNCATE\s+TABLE|DELETE\s+FROM\s+\w+\s*$)'; then + echo "BLOCKED: Destructive database operation not allowed in autonomous mode" >&2 + exit 2 +fi + +# Production deploys (require human approval) +if echo "$CMD" | grep -qiE '(wrangler\s+deploy|wrangler\s+publish|npm\s+run\s+deploy|kubectl\s+apply|terraform\s+apply)'; then + echo "BLOCKED: Production deploys require human approval. Commit your work and stop." >&2 + exit 2 +fi + +# Secret management +if echo "$CMD" | grep -qiE '(wrangler\s+secret|echo\s+.*API_KEY|echo\s+.*TOKEN|echo\s+.*SECRET)'; then + echo "BLOCKED: Secret management not allowed in autonomous mode" >&2 + exit 2 +fi + +exit 0 diff --git a/hooks/syntax-check.sh b/hooks/syntax-check.sh index f5c023d..3df35bd 100644 --- a/hooks/syntax-check.sh +++ b/hooks/syntax-check.sh @@ -1,42 +1,42 @@ -#!/usr/bin/env bash -# syntax-check.sh — PostToolUse hook for Edit/Write -# -# After editing TypeScript/JavaScript files, runs a quick syntax check -# so errors are caught immediately rather than 50 tool calls later. -# -# Copyright 2026 Stackbilt LLC — Apache 2.0 - -INPUT=$(cat) -TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) - -if [[ "$TOOL" != "Edit" && "$TOOL" != "Write" ]]; then - exit 0 -fi - -FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null) - -# Only check TypeScript/JavaScript files -case "$FILE" in - *.ts|*.tsx|*.js|*.jsx) - # Find nearest tsconfig - DIR=$(dirname "$FILE") - TSCONFIG="" - while [[ "$DIR" != "/" && "$DIR" != "." ]]; do - if [[ -f "${DIR}/tsconfig.json" ]]; then - TSCONFIG="${DIR}/tsconfig.json" - break - fi - DIR=$(dirname "$DIR") - done - - if [[ -n "$TSCONFIG" ]]; then - ERRORS=$(cd "$(dirname "$TSCONFIG")" && npx tsc --noEmit --pretty false 2>&1 | grep -c "error TS" || true) - if [[ "$ERRORS" -gt 0 ]]; then - echo "WARNING: ${ERRORS} TypeScript error(s) detected after editing ${FILE}. Run typecheck to see details." >&2 - fi - fi - ;; -esac - -# Never block — advisory only -exit 0 +#!/usr/bin/env bash +# syntax-check.sh — PostToolUse hook for Edit/Write +# +# After editing TypeScript/JavaScript files, runs a quick syntax check +# so errors are caught immediately rather than 50 tool calls later. +# +# Copyright 2026 Stackbilt LLC — Apache 2.0 + +INPUT=$(cat) +TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) + +if [[ "$TOOL" != "Edit" && "$TOOL" != "Write" ]]; then + exit 0 +fi + +FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null) + +# Only check TypeScript/JavaScript files +case "$FILE" in + *.ts|*.tsx|*.js|*.jsx) + # Find nearest tsconfig + DIR=$(dirname "$FILE") + TSCONFIG="" + while [[ "$DIR" != "/" && "$DIR" != "." ]]; do + if [[ -f "${DIR}/tsconfig.json" ]]; then + TSCONFIG="${DIR}/tsconfig.json" + break + fi + DIR=$(dirname "$DIR") + done + + if [[ -n "$TSCONFIG" ]]; then + ERRORS=$(cd "$(dirname "$TSCONFIG")" && npx tsc --noEmit --pretty false 2>&1 | grep -c "error TS" || true) + if [[ "$ERRORS" -gt 0 ]]; then + echo "WARNING: ${ERRORS} TypeScript error(s) detected after editing ${FILE}. Run typecheck to see details." >&2 + fi + fi + ;; +esac + +# Never block — advisory only +exit 0 diff --git a/plugin/safety/block-interactive.sh b/plugin/safety/block-interactive.sh index d45b2cd..d071523 100644 --- a/plugin/safety/block-interactive.sh +++ b/plugin/safety/block-interactive.sh @@ -1,17 +1,17 @@ -#!/usr/bin/env bash -# block-interactive.sh — Blocks AskUserQuestion in unattended sessions -# -# PreToolUse hook: exits 2 to block, 0 to allow. -# When Claude tries to ask a question, this forces it to decide instead. -# -# Copyright 2026 Stackbilt LLC — Apache 2.0 - -INPUT=$(cat) -TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) - -if [[ "$TOOL" == "AskUserQuestion" ]]; then - echo "BLOCKED: Autonomous mode — do not ask questions. Make a reasonable decision and document your reasoning." >&2 - exit 2 -fi - -exit 0 +#!/usr/bin/env bash +# block-interactive.sh — Blocks AskUserQuestion in unattended sessions +# +# PreToolUse hook: exits 2 to block, 0 to allow. +# When Claude tries to ask a question, this forces it to decide instead. +# +# Copyright 2026 Stackbilt LLC — Apache 2.0 + +INPUT=$(cat) +TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) + +if [[ "$TOOL" == "AskUserQuestion" ]]; then + echo "BLOCKED: Autonomous mode — do not ask questions. Make a reasonable decision and document your reasoning." >&2 + exit 2 +fi + +exit 0 diff --git a/plugin/safety/safety-gate.sh b/plugin/safety/safety-gate.sh index 05abffb..eec3417 100644 --- a/plugin/safety/safety-gate.sh +++ b/plugin/safety/safety-gate.sh @@ -1,48 +1,48 @@ -#!/usr/bin/env bash -# safety-gate.sh — Blocks destructive commands in unattended sessions -# -# PreToolUse hook for Bash tool: checks command for dangerous patterns. -# Blocks: rm -rf, git push --force, DROP TABLE, deploys, secret access. -# -# Copyright 2026 Stackbilt LLC — Apache 2.0 - -INPUT=$(cat) -TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) - -if [[ "$TOOL" != "Bash" ]]; then - exit 0 -fi - -CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null) - -# Destructive filesystem operations -if echo "$CMD" | grep -qiE '(rm\s+-rf|rm\s+-r\s+/|>\s*/dev/)'; then - echo "BLOCKED: Destructive filesystem operation not allowed in autonomous mode" >&2 - exit 2 -fi - -# Destructive git operations -if echo "$CMD" | grep -qiE '(git\s+reset\s+--hard|git\s+push\s+--force|git\s+push\s+-f|git\s+clean\s+-f)'; then - echo "BLOCKED: Destructive git operation not allowed in autonomous mode" >&2 - exit 2 -fi - -# Database destruction -if echo "$CMD" | grep -qiE '(DROP\s+TABLE|TRUNCATE\s+TABLE|DELETE\s+FROM\s+\w+\s*$)'; then - echo "BLOCKED: Destructive database operation not allowed in autonomous mode" >&2 - exit 2 -fi - -# Production deploys (require human approval) -if echo "$CMD" | grep -qiE '(wrangler\s+deploy|wrangler\s+publish|npm\s+run\s+deploy|kubectl\s+apply|terraform\s+apply)'; then - echo "BLOCKED: Production deploys require human approval. Commit your work and stop." >&2 - exit 2 -fi - -# Secret management -if echo "$CMD" | grep -qiE '(wrangler\s+secret|echo\s+.*API_KEY|echo\s+.*TOKEN|echo\s+.*SECRET)'; then - echo "BLOCKED: Secret management not allowed in autonomous mode" >&2 - exit 2 -fi - -exit 0 +#!/usr/bin/env bash +# safety-gate.sh — Blocks destructive commands in unattended sessions +# +# PreToolUse hook for Bash tool: checks command for dangerous patterns. +# Blocks: rm -rf, git push --force, DROP TABLE, deploys, secret access. +# +# Copyright 2026 Stackbilt LLC — Apache 2.0 + +INPUT=$(cat) +TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) + +if [[ "$TOOL" != "Bash" ]]; then + exit 0 +fi + +CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null) + +# Destructive filesystem operations +if echo "$CMD" | grep -qiE '(rm\s+-rf|rm\s+-r\s+/|>\s*/dev/)'; then + echo "BLOCKED: Destructive filesystem operation not allowed in autonomous mode" >&2 + exit 2 +fi + +# Destructive git operations +if echo "$CMD" | grep -qiE '(git\s+reset\s+--hard|git\s+push\s+--force|git\s+push\s+-f|git\s+clean\s+-f)'; then + echo "BLOCKED: Destructive git operation not allowed in autonomous mode" >&2 + exit 2 +fi + +# Database destruction +if echo "$CMD" | grep -qiE '(DROP\s+TABLE|TRUNCATE\s+TABLE|DELETE\s+FROM\s+\w+\s*$)'; then + echo "BLOCKED: Destructive database operation not allowed in autonomous mode" >&2 + exit 2 +fi + +# Production deploys (require human approval) +if echo "$CMD" | grep -qiE '(wrangler\s+deploy|wrangler\s+publish|npm\s+run\s+deploy|kubectl\s+apply|terraform\s+apply)'; then + echo "BLOCKED: Production deploys require human approval. Commit your work and stop." >&2 + exit 2 +fi + +# Secret management +if echo "$CMD" | grep -qiE '(wrangler\s+secret|echo\s+.*API_KEY|echo\s+.*TOKEN|echo\s+.*SECRET)'; then + echo "BLOCKED: Secret management not allowed in autonomous mode" >&2 + exit 2 +fi + +exit 0 diff --git a/plugin/safety/syntax-check.sh b/plugin/safety/syntax-check.sh index f5c023d..3df35bd 100644 --- a/plugin/safety/syntax-check.sh +++ b/plugin/safety/syntax-check.sh @@ -1,42 +1,42 @@ -#!/usr/bin/env bash -# syntax-check.sh — PostToolUse hook for Edit/Write -# -# After editing TypeScript/JavaScript files, runs a quick syntax check -# so errors are caught immediately rather than 50 tool calls later. -# -# Copyright 2026 Stackbilt LLC — Apache 2.0 - -INPUT=$(cat) -TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) - -if [[ "$TOOL" != "Edit" && "$TOOL" != "Write" ]]; then - exit 0 -fi - -FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null) - -# Only check TypeScript/JavaScript files -case "$FILE" in - *.ts|*.tsx|*.js|*.jsx) - # Find nearest tsconfig - DIR=$(dirname "$FILE") - TSCONFIG="" - while [[ "$DIR" != "/" && "$DIR" != "." ]]; do - if [[ -f "${DIR}/tsconfig.json" ]]; then - TSCONFIG="${DIR}/tsconfig.json" - break - fi - DIR=$(dirname "$DIR") - done - - if [[ -n "$TSCONFIG" ]]; then - ERRORS=$(cd "$(dirname "$TSCONFIG")" && npx tsc --noEmit --pretty false 2>&1 | grep -c "error TS" || true) - if [[ "$ERRORS" -gt 0 ]]; then - echo "WARNING: ${ERRORS} TypeScript error(s) detected after editing ${FILE}. Run typecheck to see details." >&2 - fi - fi - ;; -esac - -# Never block — advisory only -exit 0 +#!/usr/bin/env bash +# syntax-check.sh — PostToolUse hook for Edit/Write +# +# After editing TypeScript/JavaScript files, runs a quick syntax check +# so errors are caught immediately rather than 50 tool calls later. +# +# Copyright 2026 Stackbilt LLC — Apache 2.0 + +INPUT=$(cat) +TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) + +if [[ "$TOOL" != "Edit" && "$TOOL" != "Write" ]]; then + exit 0 +fi + +FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null) + +# Only check TypeScript/JavaScript files +case "$FILE" in + *.ts|*.tsx|*.js|*.jsx) + # Find nearest tsconfig + DIR=$(dirname "$FILE") + TSCONFIG="" + while [[ "$DIR" != "/" && "$DIR" != "." ]]; do + if [[ -f "${DIR}/tsconfig.json" ]]; then + TSCONFIG="${DIR}/tsconfig.json" + break + fi + DIR=$(dirname "$DIR") + done + + if [[ -n "$TSCONFIG" ]]; then + ERRORS=$(cd "$(dirname "$TSCONFIG")" && npx tsc --noEmit --pretty false 2>&1 | grep -c "error TS" || true) + if [[ "$ERRORS" -gt 0 ]]; then + echo "WARNING: ${ERRORS} TypeScript error(s) detected after editing ${FILE}. Run typecheck to see details." >&2 + fi + fi + ;; +esac + +# Never block — advisory only +exit 0