Various bug fixes and hooks

.claude/hooks/pre-bash-backslash.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+input=$(cat)
+command=$(echo "$input" | grep -oP '"command"\s*:\s*"\K[^"]*' | head -1)
+
+if echo "$command" | grep -qP '[A-Za-z]:\\\\'; then
+  cat <<'EOF'
+{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny",
+"permissionDecisionReason":"Windows backslash paths are mangled by Git Bash. Use forward slashes instead (e.g. C:/github/LeLab/scratchpad/foo.ps1). PowerShell handles forward slashes fine on Windows."}}
+EOF
+  exit 0
+fi
+
+exit 0

.claude/hooks/pre-bash-pwsh-script.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+input=$(cat)
+command=$(echo "$input" | grep -oP '"command"\s*:\s*"\K[^"]*' | head -1)
+
+# Block powershell.exe entirely
+if echo "$command" | grep -qiP '\bpowershell(\.exe)?\b'; then
+  cat <<'EOF'
+{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny",
+"permissionDecisionReason":"Do not use powershell.exe (Windows PowerShell 5.1). Write a .ps1 file and run: pwsh -NoProfile -File <script.ps1>"}}
+EOF
+  exit 0
+fi
+
+# Block pwsh -Command / pwsh -c
+if echo "$command" | grep -qiP 'pwsh(\s+-\w+)*\s+-(c|Command)\b'; then
+  cat <<'EOF'
+{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny",
+"permissionDecisionReason":"Do not run inline PowerShell via pwsh -Command. Write the script to scratchpad/<name>.ps1 first, then execute with: pwsh -NoProfile -File scratchpad/<name>.ps1"}}
+EOF
+  exit 0
+fi
+
+exit 0

.claude/hooks/prevent-destructive-git.sh

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+input=$(cat)
+command=$(echo "$input" | grep -oP '"command"\s*:\s*"\K[^"]*' | head -1)
+
+# Block git push --force and variants (-f, --force-with-lease, --force-if-includes)
+if echo "$command" | grep -qiP 'git\s+push\s+.*(-f|--force)\b'; then
+  cat <<'EOF'
+{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny",
+"permissionDecisionReason":"Force push is blocked. Use regular git push instead. If you need to force push, ask the user to do it manually."}}
+EOF
+  exit 0
+fi
+
+# Block git reset --hard
+if echo "$command" | grep -qiP 'git\s+reset\s+.*--hard\b'; then
+  cat <<'EOF'
+{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny",
+"permissionDecisionReason":"git reset --hard is blocked because it discards uncommitted changes. Use git stash or git checkout -- <file> instead."}}
+EOF
+  exit 0
+fi
+
+# Block git clean -f (force delete untracked files)
+if echo "$command" | grep -qiP 'git\s+clean\s+.*-[a-zA-Z]*f'; then
+  cat <<'EOF'
+{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny",
+"permissionDecisionReason":"git clean -f is blocked because it permanently deletes untracked files. Ask the user to run it manually if needed."}}
+EOF
+  exit 0
+fi
+
+# Block git checkout with --force/-f on branches (not file restores)
+if echo "$command" | grep -qiP 'git\s+checkout\s+(-f|--force)\b'; then
+  cat <<'EOF'
+{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny",
+"permissionDecisionReason":"git checkout --force is blocked because it discards local changes. Use git stash first, then checkout."}}
+EOF
+  exit 0
+fi
+
+# Block git branch -D (force delete)
+if echo "$command" | grep -qiP 'git\s+branch\s+.*-D\b'; then
+  cat <<'EOF'
+{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny",
+"permissionDecisionReason":"git branch -D (force delete) is blocked. Use git branch -d for safe deletion, or ask the user to force-delete manually."}}
+EOF
+  exit 0
+fi
+
+# Block git rebase on shared/remote branches (rebase with upstream refs)
+if echo "$command" | grep -qiP 'git\s+rebase\s+.*(origin|upstream)\b'; then
+  cat <<'EOF'
+{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny",
+"permissionDecisionReason":"Rebasing against remote branches is blocked to prevent history rewrites. Ask the user before rebasing."}}
+EOF
+  exit 0
+fi
+
+# Block amending commits (could rewrite published history)
+if echo "$command" | grep -qiP 'git\s+commit\s+.*--amend\b'; then
+  cat <<'EOF'
+{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny",
+"permissionDecisionReason":"git commit --amend is blocked because it rewrites commit history. Create a new commit instead, or ask the user to amend manually."}}
+EOF
+  exit 0
+fi
+
+exit 0

.claude/hooks/redirect-glob.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+input=$(cat)
+tool=$(echo "$input" | grep -oP '"tool_name"\s*:\s*"\K[^"]*' | head -1)
+
+if [ "$tool" != "Glob" ]; then
+  exit 0
+fi
+
+pattern=$(echo "$input" | grep -oP '"pattern"\s*:\s*"\K[^"]*' | head -1)
+path=$(echo "$input" | grep -oP '"path"\s*:\s*"\K[^"]*' | head -1)
+
+search_in=""
+if [ -n "$path" ]; then
+  search_in=" \"$path\""
+fi
+
+cat >&2 <<EOF
+BLOCKED: Glob tool is unreliable on Windows (timeouts, silent failures).
+Use fd via Bash instead. fd respects .gitignore and is much faster.
+
+Your pattern was: $pattern
+Equivalent fd commands:
+  /c/ProgramData/chocolatey/bin/fd.exe --type f --glob '$pattern'$search_in
+  /c/ProgramData/chocolatey/bin/fd.exe --type f --extension ps1$search_in
+  /c/ProgramData/chocolatey/bin/fd.exe --type f 'keyword'$search_in
+EOF
+exit 2

.claude/hooks/stop-todo-report.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# stop-todo-report.sh - Scan changed files for TODO/FIXME and report with header
+# Runs at Stop to surface any incomplete work left in the code.
+
+INPUT=$(cat)
+
+# Prevent re-entry if stop hook is already active
+STOP_ACTIVE=$(echo "$INPUT" | jq -r '.stop_hook_active // false')
+if [[ "$STOP_ACTIVE" == "true" ]]; then
+    exit 0
+fi
+
+# Get all modified/added files from git (staged + unstaged + untracked)
+CHANGED_FILES=$(git diff --name-only HEAD 2>/dev/null; git diff --cached --name-only 2>/dev/null; git ls-files --others --exclude-standard 2>/dev/null)
+CHANGED_FILES=$(echo "$CHANGED_FILES" | sort -u | grep -E '\.(ps1|psm1|psd1|cs|sql|js|ts|html|go|py|sh)$')
+
+if [[ -z "$CHANGED_FILES" ]]; then
+    exit 0
+fi
+
+# Scan for TODO/FIXME/HACK/XXX/WORKAROUND in changed files
+TODO_REPORT=""
+while IFS= read -r file; do
+    [[ -f "$file" ]] || continue
+    HITS=$(grep -n -i -E '\b(TODO|FIXME|HACK|XXX|WORKAROUND)\b' "$file" 2>/dev/null)
+    if [[ -n "$HITS" ]]; then
+        TODO_REPORT+="### $file\n"
+        while IFS= read -r line; do
+            TODO_REPORT+="  $line\n"
+        done <<< "$HITS"
+        TODO_REPORT+="\n"
+    fi
+done <<< "$CHANGED_FILES"
+
+if [[ -n "$TODO_REPORT" ]]; then
+    # Escape for JSON
+    ESCAPED=$(echo -e "$TODO_REPORT" | jq -Rs .)
+    jq -n --argjson report "$ESCAPED" '{
+        decision: "block",
+        reason: ("⚠️  UNFINISHED WORK DETECTED — do not stop until resolved.\n\nThe following TODO/FIXME/HACK items were found in changed files.\nFor each one you MUST either:\n\n  1. Resolve it now (implement the missing code), OR\n\n  2. If you cannot finish due to context window size or complexity, write a self-contained prompt to docs/prompts/ that a fresh Claude session can run to complete the work. The prompt MUST:\n       - Describe exactly what each TODO requires\n       - Include all relevant file paths and line numbers\n       - Use the Agent tool with specialized subagents where appropriate (e.g. psu-developer, hugo-frontend, csharp-engineer)\n       - End with an instruction to commit the completed work using conventional commits\n     Then tell the user: \"I wrote a completion prompt to docs/prompts/<filename>.md — run it in a new session to finish.\"\n\n  3. As a last resort only: explicitly tell the user what remains and why it cannot be done at all.\n\nDo NOT silently leave TODOs behind. Go finish them.\n\n" + $report + "\n--- End of TODO Report ---")
+    }'
+fi
+
+exit 0

.claude/hooks/stop-verify.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# stop-verify.sh - Comprehensive quality gate when Claude finishes responding
+# Incorporates: doublecheck, simplify, review, verify, and completeness checks.
+# Injects a reminder to self-verify. Does NOT hard-block (no infinite loops).
+# Guards against re-entry via stop_hook_active flag.
+
+INPUT=$(cat)
+
+# Prevent infinite loops: if stop hook is already active, exit immediately
+STOP_ACTIVE=$(echo "$INPUT" | jq -r '.stop_hook_active // false')
+if [[ "$STOP_ACTIVE" == "true" ]]; then
+    exit 0
+fi
+
+jq -n '{
+    hookSpecificOutput: {
+        hookEventName: "Stop",
+        additionalContext: "QUALITY GATE — If you wrote or modified code in this response, perform ALL checks below before finishing. If you only answered a question or did research, skip this.\n\n## 1. VERIFY (does it work?)\n- Check for syntax errors in changed files\n- Run tests if applicable (Pester for PS, dotnet test for C#)\n- Confirm imports, dependencies, and module loading work\n- Report what works and what does not\n\n## 2. REVIEW (is it safe and correct?)\n- Logic errors and edge cases\n- Security: credential handling, injection vulnerabilities (SQL, XSS)\n- Missing validation on user input\n- Error responses must not expose stack traces\n- Destructive operations need confirmation\n- API naming contract (plural URLs, kebab-case)\n- PSU endpoints use New-ProtectedEndpoint\n\n## 3. SIMPLIFY (is it clean?)\n- Remove unnecessary complexity\n- Consolidate duplicate logic\n- Use idiomatic patterns (PowerShell best practices for .ps1)\n- Remove dead code, unused variables, unused imports\n- Do not add features or change functionality — only simplify\n\n## 4. DOUBLECHECK (final verification)\nCreate a table:\n| Claim/Item | Verified? | Notes |\n|------------|-----------|-------|\nInclude: primary functionality, tests passing, security, naming conventions.\nBe thorough and honest about what you could not verify.\n\n## 5. COMPLETENESS\n- Were ALL requested changes made?\n- Any TODO/FIXME left behind that should be resolved?\n- Files over 400 lines that need splitting?\n- OBSERVABILITY IN ACTION: If you built or modified a page displaying fleet data, does it include action capabilities (Fix Now / Schedule / Execute buttons)? Display-only pages are not acceptable unless purely audit/history.\n\nIf anything fails, fix it before finishing."
+    }
+}'
+
+exit 0

.claude/hooks/validate-style.ps1

@@ -0,0 +1,150 @@
+#!/usr/bin/env pwsh
+# PreToolUse hook: Consolidated style validation for dbatools
+# Runs all style checks in a single PowerShell process for performance
+
+$ErrorActionPreference = "Stop"
+
+try {
+    $inputJson = $input | Out-String | ConvertFrom-Json
+} catch {
+    exit 0
+}
+
+$toolInput = $inputJson.tool_input
+$filePath = $toolInput.file_path
+if (-not $filePath) { exit 0 }
+if ($filePath -notlike "*.ps1") { exit 0 }
+
+$content = if ($toolInput.new_string) { $toolInput.new_string } else { $toolInput.content }
+if (-not $content) { exit 0 }
+
+$violations = @()
+$lines = $content -split "`n"
+
+# Track state for multi-line constructs
+$inHereStringSingle = $false
+$inHereStringDouble = $false
+$inHashtable = $false
+$hashtableLines = @()
+$hashtableStart = 0
+$misalignedHashtables = @()
+
+# Patterns (using double quotes with escaping)
+$patternComment = "^\s*#"
+$patternHereStringSingleStart = "@'"
+$patternHereStringDoubleStart = "@`""
+$patternHereStringSingleEnd = "^'@"
+$patternHereStringDoubleEnd = "^`"@"
+$patternBacktick = "``\s*$"
+$patternBoolAttribute = "\[\s*(Parameter|CmdletBinding|OutputType|ValidateSet)\s*\([^]]*=\s*\`$(true|false)"
+$patternStaticNew = "::new\s*\("
+$patternSingleQuote = "(?<![@])'.+'"
+$patternPlainSplat = "\`$splat\s*="
+$patternNamedSplat = "\`$splat[A-Z][a-zA-Z0-9]*\s*="
+$patternArrayList = "ArrayList"
+$patternGenericList = "Generic\.List"
+$patternStandaloneBrace = "^\s*\{\s*$"
+$patternPrevLineEnd = "\)\s*$"
+$patternControlKeyword = "(if|else|elseif|foreach|for|while|switch|try|catch|finally)\s*$"
+$patternHashtableStart = "@\{"
+$patternHashtableEnd = "^\s*\}"
+$patternTrailingSpace = "\s+$"
+
+for ($i = 0; $i -lt $lines.Count; $i++) {
+    $line = $lines[$i].TrimEnd("`r")
+    $lineNum = $i + 1
+    $isComment = $line -match $patternComment
+
+    # Track here-string state
+    if ($line -match $patternHereStringSingleStart) { $inHereStringSingle = $true }
+    if ($line -match $patternHereStringDoubleStart) { $inHereStringDouble = $true }
+    if ($line -match $patternHereStringSingleEnd) { $inHereStringSingle = $false; continue }
+    if ($line -match $patternHereStringDoubleEnd) { $inHereStringDouble = $false; continue }
+    if ($inHereStringSingle -or $inHereStringDouble) { continue }
+
+    # Skip comments for most checks
+    if (-not $isComment) {
+        # 1. No backticks for line continuation
+        if ($line -match $patternBacktick) {
+            $violations += "Line ${lineNum}: Backtick line continuation. Use splatting instead."
+        }
+
+        # 2. No = $true in parameter attributes
+        if ($line -match $patternBoolAttribute) {
+            $violations += "Line ${lineNum}: Use [Parameter(Mandatory)] not = `$true syntax."
+        }
+
+        # 3. No static new method (PowerShell v3 compatibility)
+        if ($line -match $patternStaticNew) {
+            $violations += "Line ${lineNum}: Use New-Object for PS v3 compatibility."
+        }
+
+        # 4. No single quotes (except here-strings already handled above)
+        if ($line -match $patternSingleQuote) {
+            $violations += "Line ${lineNum}: Use double quotes instead of single quotes."
+        }
+
+        # 5. No plain $splat variable names
+        if ($line -match $patternPlainSplat -and $line -notmatch $patternNamedSplat) {
+            $violations += "Line ${lineNum}: Use `$splat<Purpose> naming (e.g., `$splatConnection)."
+        }
+
+        # 6. No ArrayList or Generic.List collection
+        if ($line -match $patternArrayList) {
+            $violations += "Line ${lineNum}: Output directly to pipeline, not ArrayList."
+        }
+        if ($line -match $patternGenericList) {
+            $violations += "Line ${lineNum}: Output directly to pipeline, not Generic.List."
+        }
+
+        # 7. OTBS - no standalone opening brace (Allman style)
+        if ($line -match $patternStandaloneBrace -and $i -gt 0) {
+            $prevLine = $lines[$i - 1].TrimEnd("`r")
+            if ($prevLine -match $patternPrevLineEnd -or $prevLine -match $patternControlKeyword) {
+                $violations += "Line ${lineNum}: Use OTBS - opening brace on same line as statement."
+            }
+        }
+
+        # 8. Track hashtables for alignment check
+        if ($line -match $patternHashtableStart) {
+            $inHashtable = $true
+            $hashtableLines = @()
+            $hashtableStart = $lineNum
+            # Don't add this line to hashtableLines - it's the opening, not an entry
+        } elseif ($inHashtable) {
+            if ($line -match $patternHashtableEnd) {
+                if ($hashtableLines.Count -ge 2) {
+                    $equalsPositions = $hashtableLines | ForEach-Object {
+                        $pos = $_.IndexOf("=")
+                        if ($pos -ge 0) { $pos }
+                    } | Where-Object { $null -ne $_ } | Select-Object -Unique
+                    if ($equalsPositions.Count -gt 1) {
+                        $misalignedHashtables += "Lines $hashtableStart-$lineNum"
+                    }
+                }
+                $inHashtable = $false
+            } elseif ($line -match "=" -and $line.Trim() -ne "") {
+                $hashtableLines += $line
+            }
+        }
+    }
+
+    # 9. No trailing spaces (check even in comments)
+    if ($line -match $patternTrailingSpace) {
+        $violations += "Line ${lineNum}: Trailing whitespace."
+    }
+}
+
+# Add hashtable alignment violations
+foreach ($ht in $misalignedHashtables) {
+    $violations += "${ht}: Hashtable = signs must be vertically aligned."
+}
+
+if ($violations.Count -gt 0) {
+    $summary = ($violations | Select-Object -First 5) -join "`n"
+    $more = if ($violations.Count -gt 5) { "`n... and $($violations.Count - 5) more violations" } else { "" }
+    [Console]::Error.WriteLine("BLOCKED: dbatools style violations:`n$summary$more")
+    exit 2
+}
+
+exit 0

.claude/settings.json

@@ -0,0 +1,24 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "pwsh -NoProfile -File .claude/hooks/validate-style.ps1"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash .claude/hooks/prevent-destructive-git.sh"
+          }
+        ]
+      }
+    ]
+  }
+}

.gitignore

@@ -57,11 +57,12 @@ allcommands.ps1
 /.aitools/.aitools/.aider
 /.aitools
 .aider*
-/.shadowgit.git
-/.claude
-publish.ps1
+/.shadowgit.git
+publish.ps1
 
 PR_BODY.md
 
 PR_DESCRIPTION.md
-nul
+nul
+.claude/settings.local.json
+/scripts