diff --git a/.claude/commands/bump-version.md b/.claude/commands/bump-version.md index 63d9885a..47213c73 100644 --- a/.claude/commands/bump-version.md +++ b/.claude/commands/bump-version.md @@ -24,6 +24,7 @@ Files that need updating: | `pyproject.toml` | `version = "X.Y.Z"` | ~7 | | `rust/Cargo.toml` | `version = "X.Y.Z"` | ~3 | | `CHANGELOG.md` | Section header + comparison link | Top + bottom | +| `docs/llms-full.txt` | `- Version: X.Y.Z` | ~5 | ## Instructions @@ -79,6 +80,9 @@ Files that need updating: Replace `version = "OLD_VERSION"` (the first version line under [package]) with `version = "NEW_VERSION"` Note: Rust version may differ from Python version; always sync to the new version + - `docs/llms-full.txt`: + Replace `- Version: OLD_VERSION` with `- Version: NEW_VERSION` + 6. **Update CHANGELOG comparison links**: - Run `git remote get-url origin` to determine the repository's GitHub URL (strip `.git` suffix, convert SSH format to HTTPS if needed) @@ -97,6 +101,7 @@ Files that need updating: - diff_diff/__init__.py: __version__ = "NEW_VERSION" - pyproject.toml: version = "NEW_VERSION" - rust/Cargo.toml: version = "NEW_VERSION" + - docs/llms-full.txt: Version: NEW_VERSION - CHANGELOG.md: Added/verified [NEW_VERSION] entry Next steps: diff --git a/.claude/commands/pre-merge-check.md b/.claude/commands/pre-merge-check.md index 0454d83a..aec8f435 100644 --- a/.claude/commands/pre-merge-check.md +++ b/.claude/commands/pre-merge-check.md @@ -29,6 +29,8 @@ Categorize files into: #### 2.1 Inference & Parameter Pattern Checks (for methodology files) +> **Canonical definitions** — This section is referenced by `/submit-pr` and `/push-pr-update`. Keep it as the single source of truth for methodology pattern checks. + If any methodology files changed, run these pattern checks on the **changed methodology files only**: **Check A — Inline inference computation**: 
@@ -121,6 +123,22 @@ by TODO.md." This is a WARNING, not a blocker — not every methodology change involves a deviation. +#### 2.6 Secret Scanning Patterns (Canonical Definitions) + +> These patterns are referenced by `/submit-pr` and `/push-pr-update`. + +**Content pattern** (use with `-G` flag, `--name-only` to avoid leaking secrets): +```bash +-G "(AKIA[A-Z0-9]{16}|ghp_[a-zA-Z0-9]{36}|sk-[a-zA-Z0-9]{48}|gho_[a-zA-Z0-9]{36}|[Aa][Pp][Ii][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Ss][Ee][Cc][Rr][Ee][Tt][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd][[:space:]]*[=:]|[Pp][Rr][Ii][Vv][Aa][Tt][Ee][_-]?[Kk][Ee][Yy]|[Bb][Ee][Aa][Rr][Ee][Rr][[:space:]]+[a-zA-Z0-9_-]+|[Tt][Oo][Kk][Ee][Nn][[:space:]]*[=:])" +``` + +**Sensitive filename pattern**: +```bash +grep -iE "(\.env|credentials|secret|\.pem|\.key|\.p12|\.pfx|id_rsa|id_ed25519)$" +``` + +**Usage**: Apply content pattern to `--cached` for staged changes, or `..HEAD` for already-committed changes. Always use `--name-only` and `|| true`. + ### 3. Display Context-Specific Checklist Based on what changed, display the appropriate checklist items: diff --git a/.claude/commands/push-pr-update.md b/.claude/commands/push-pr-update.md index eebb35a6..b0656871 100644 --- a/.claude/commands/push-pr-update.md +++ b/.claude/commands/push-pr-update.md @@ -69,7 +69,7 @@ Parse `$ARGUMENTS` to extract: - If ahead count > 0: - **Scan for secrets in commits to push** (see Section 3a below) - Compute ``: `git diff --name-only ..HEAD | wc -l` - - Skip to Section 4 (Push to Remote) — will push with `-u` to set upstream + - Proceed to Section 3a (secret scan), then 3b (methodology checks), then Section 4 (Push to Remote) — will push with `-u` to set upstream - If ahead count = 0: Abort (new branch with nothing to push): ``` No changes detected. Working directory is clean and branch has no commits ahead of . 
@@ -80,7 +80,7 @@ Parse `$ARGUMENTS` to extract: - If ahead count > 0: - **Scan for secrets in commits to push** (see Section 3a below) - Compute ``: `git diff --name-only @{u}..HEAD | wc -l` - - Skip to Section 4 (Push to Remote) — there are committed changes to push + - Proceed to Section 3a (secret scan), then 3b (methodology checks), then Section 4 (Push to Remote) — there are committed changes to push - If ahead count = 0: Abort: ``` No changes detected. Working directory is clean and branch is up to date. 
@@ -93,17 +93,14 @@ When the working tree is clean but commits are ahead, scan for secrets in the co 1. **Get diff range**: Use `..HEAD` (from Section 2.4 — either `@{u}`, ``, or `origin/`) -2. **Run pattern check** (file names only, no content leaked): +2. **Run pattern check** using the canonical patterns from `/pre-merge-check` Section 2.6: ```bash - secret_files=$(git diff ..HEAD -G "(AKIA[A-Z0-9]{16}|ghp_[a-zA-Z0-9]{36}|sk-[a-zA-Z0-9]{48}|gho_[a-zA-Z0-9]{36}|[Aa][Pp][Ii][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Ss][Ee][Cc][Rr][Ee][Tt][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd][[:space:]]*[=:]|[Pp][Rr][Ii][Vv][Aa][Tt][Ee][_-]?[Kk][Ee][Yy]|[Bb][Ee][Aa][Rr][Ee][Rr][[:space:]]+[a-zA-Z0-9_-]+|[Tt][Oo][Kk][Ee][Nn][[:space:]]*[=:])" --name-only 2>/dev/null || true) + secret_files=$(git diff ..HEAD -G "" --name-only 2>/dev/null || true) + sensitive_files=$(git diff --name-only ..HEAD | grep -iE "" || true) ``` + Read the actual regex values from `/pre-merge-check` Section 2.6 at execution time. Uses `-G` to search diff content but `--name-only` to output only file names. -3. **Check for sensitive file names**: - ```bash - sensitive_files=$(git diff --name-only ..HEAD | grep -iE "(\.env|credentials|secret|\.pem|\.key|\.p12|\.pfx|id_rsa|id_ed25519)$" || true) - ``` - -4. **If patterns detected**, warn with AskUserQuestion: +3. **If patterns detected** (i.e., `secret_files` or `sensitive_files` is non-empty), warn with AskUserQuestion: ``` Warning: Potential secrets detected in committed changes: - 
@@ -114,6 +111,34 @@ When the working tree is clean but commits are ahead, scan for secrets in the co ``` Note: Unlike Section 3, we cannot simply unstage these changes since they are already committed. +### 3b. Methodology Checks for Already-Committed Changes (when skipping Section 3) + +When the working tree is clean but commits are ahead, check for methodology issues before pushing: + +1. **Detect methodology files in committed changes**: + ```bash + git diff --name-only ..HEAD | grep "^diff_diff/.*\.py$" | grep -v "__init__" + ``` + +2. If methodology files are present: + 1. Read `/pre-merge-check` Section 2.1 for pattern check definitions. + 2. Run **all four pattern checks (A through D)** on those methodology files. + **Check C override**: The canonical Check C uses `git diff HEAD` which is empty on a clean working tree. For already-committed changes, substitute `git diff ..HEAD -- ` to extract new `self.X` assignments from the committed diff range. + 3. For any matches, display the file:line and flag message from that section. + + If warnings are found, display them as warnings (non-blocking) since changes are already committed. + +3. **REGISTRY.md check**: Check whether `docs/methodology/REGISTRY.md` is also in the committed changes (`git diff --name-only ..HEAD`). + If methodology files changed but REGISTRY.md was NOT modified, warn: + "Methodology files changed but `docs/methodology/REGISTRY.md` was not updated. + If your changes deviate from reference implementations, document them using a + reviewer-recognized label (`**Note:**`, `**Deviation from R:**`, or + `**Note (deviation from R):**`) — undocumented deviations are flagged as P1 + by the AI reviewer." + This is a WARNING, not a blocker. + +Note: Section 3b checks are informational warnings only — no AskUserQuestion prompt, since changes are already committed and cannot be unstaged. This differs from the staged-changes path (Section 3) which offers a "fix vs continue" choice. + ### 3. 
Stage and Commit Changes 1. **Stage all changes**: @@ -126,9 +151,10 @@ When the working tree is clean but commits are ahead, scan for secrets in the co git diff --cached --name-only | grep "^diff_diff/.*\.py$" | grep -v "__init__" ``` - If methodology files are present, run Checks A and B from `/pre-merge-check` Section 2.1 on those files: - - **Check A**: `grep -n "t_stat[[:space:]]*=[[:space:]]*[^#]*/ *se" | grep -v "safe_inference"` - - **Check B**: `grep -En "if.*(se|SE).*>.*0.*else[[:space:]]+(0\.0|0)" ` + If methodology files are present: + 1. Read `/pre-merge-check` Section 2.1 for pattern check definitions. + 2. Run **all four pattern checks (A through D)** on the staged methodology files. + 3. For any matches, display the file:line and flag message from that section. If warnings are found: ``` @@ -141,6 +167,16 @@ When the working tree is clean but commits are ahead, scan for secrets in the co ``` Use AskUserQuestion. If user chooses to fix, abort the commit flow. + **REGISTRY.md check** (if methodology files are staged): + Check whether `docs/methodology/REGISTRY.md` is also in the staged file set. + If methodology files changed but REGISTRY.md was NOT staged, warn: + "Methodology files changed but `docs/methodology/REGISTRY.md` was not updated. + If your changes deviate from reference implementations, document them using a + reviewer-recognized label (`**Note:**`, `**Deviation from R:**`, or + `**Note (deviation from R):**`) — undocumented deviations are flagged as P1 + by the AI reviewer." + This is a WARNING, not a blocker. + 3. **Capture file count for reporting**: ```bash git diff --cached --name-only | wc -l 
@@ -148,15 +184,12 @@ When the working tree is clean but commits are ahead, scan for secrets in the co Store as `` for use in final report. 4. **Secret scanning check** (same as submit-pr): - - **Run deterministic pattern check** (file names only, no content leaked): - ```bash - secret_files=$(git diff --cached -G "(AKIA[A-Z0-9]{16}|ghp_[a-zA-Z0-9]{36}|sk-[a-zA-Z0-9]{48}|gho_[a-zA-Z0-9]{36}|[Aa][Pp][Ii][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Ss][Ee][Cc][Rr][Ee][Tt][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd][[:space:]]*[=:]|[Pp][Rr][Ii][Vv][Aa][Tt][Ee][_-]?[Kk][Ee][Yy]|[Bb][Ee][Aa][Rr][Ee][Rr][[:space:]]+[a-zA-Z0-9_-]+|[Tt][Oo][Kk][Ee][Nn][[:space:]]*[=:])" --name-only 2>/dev/null || true) - ``` - Note: Uses `-G` to search diff content but `--name-only` to output only file names, preventing secret values from appearing in logs. The `|| true` prevents exit status 1 when patterns match from aborting strict runners. - - **Check for sensitive file names**: + - **Run deterministic pattern check** using the canonical patterns from `/pre-merge-check` Section 2.6: ```bash - sensitive_files=$(git diff --cached --name-only | grep -iE "(\.env|credentials|secret|\.pem|\.key|\.p12|\.pfx|id_rsa|id_ed25519)$" || true) + secret_files=$(git diff --cached -G "" --name-only 2>/dev/null || true) + sensitive_files=$(git diff --cached --name-only | grep -iE "" || true) ``` + Read the actual regex values from `/pre-merge-check` Section 2.6 at execution time. Uses `-G` to search diff content but `--name-only` to output only file names. - **If patterns detected** (i.e., `secret_files` or `sensitive_files` is non-empty), **unstage and warn**: ```bash git reset HEAD diff --git a/.claude/commands/review-plan.md b/.claude/commands/review-plan.md index 57556d1a..ba904f14 100644 --- a/.claude/commands/review-plan.md +++ b/.claude/commands/review-plan.md 
@@ -297,8 +297,8 @@ Only evaluate this dimension when `--pr` was provided and a non-empty comment wa Use judgment, not just substring matching — the plan may use different words to describe the same fix. -**Verdict impact:** -- Unaddressed P0/P1/Critical items -> automatic "Needs revision" +**Assessment impact:** +- Unaddressed P0/P1/Critical items -> results in "Significant issues found" - Unaddressed P2/Medium items count as Medium issues - Unaddressed P3/Low items count as Low issues @@ -325,7 +325,7 @@ Present the review in the following format. Number each issue sequentially withi ``` ## Overall Assessment -[2-3 sentences: what the plan does, whether it's ready for implementation, and the biggest concern if any] +[2-3 sentences: what the plan does, the reviewer's key observations, and the biggest concern if any] --- @@ -426,11 +426,11 @@ The `--pr` URL must be the same across the initial review and the `--updated` re | PR feedback gaps | [count of Not Addressed + Partially Addressed] (only if `--pr`) | | Questions | [count] | -**Verdict**: [Ready / Ready with minor fixes / Needs revision] +**Assessment**: [No critical issues found / Minor issues to address / Significant issues found] -- **Ready**: No critical issues, few or no medium issues -- **Ready with minor fixes**: No critical issues, some medium issues that are straightforward to address -- **Needs revision**: Has critical issues or many medium issues that require rethinking the approach +- **No critical issues found**: No critical issues, few or no medium issues +- **Minor issues to address**: No critical issues, some medium issues that are straightforward to address +- **Significant issues found**: Has critical issues or many medium issues that require rethinking the approach ``` ### Step 6: Save Review to File 
@@ -455,7 +455,7 @@ After displaying the review in the conversation (Step 5), persist it to a file a --- plan: ~/.claude/plans/foo.md reviewed_at: "2026-02-15T14:30:00Z" - verdict: "Needs revision" + assessment: "Significant issues found" critical_count: 2 medium_count: 3 low_count: 1 diff --git a/.claude/commands/revise-plan.md b/.claude/commands/revise-plan.md index 14da23c8..7ba0fe85 100644 --- a/.claude/commands/revise-plan.md +++ b/.claude/commands/revise-plan.md @@ -86,7 +86,7 @@ If "Skip review" is chosen: --- plan: reviewed_at: - verdict: "Skipped" + assessment: "Skipped" critical_count: 0 medium_count: 0 low_count: 0 @@ -140,12 +140,12 @@ Extract from the review content: - Issues by severity: CRITICAL #N, MEDIUM #N, LOW #N - Checklist gaps - Questions for Author -- Verdict +- Assessment Display a summary: ``` Found: N CRITICAL, N MEDIUM, N LOW issues, N checklist gaps, N questions -Verdict: +Assessment: ``` ### Step 6: Collect User Input diff --git a/.claude/commands/submit-pr.md b/.claude/commands/submit-pr.md index 9866bf51..040778b5 100644 --- a/.claude/commands/submit-pr.md +++ b/.claude/commands/submit-pr.md @@ -138,9 +138,10 @@ Determine if this is a fork-based workflow: git diff --cached --name-only | grep "^diff_diff/.*\.py$" | grep -v "__init__" ``` - If methodology files are present, run Checks A and B from `/pre-merge-check` Section 2.1 on those files: - - **Check A**: `grep -n "t_stat[[:space:]]*=[[:space:]]*[^#]*/ *se" | grep -v "safe_inference"` - - **Check B**: `grep -En "if.*(se|SE).*>.*0.*else[[:space:]]+(0\.0|0)" ` + If methodology files are present: + 1. Read `/pre-merge-check` Section 2.1 for pattern check definitions. + 2. Run **all four pattern checks (A through D)** on the staged methodology files. + 3. For any matches, display the file:line and flag message from that section. If warnings are found: ``` 
@@ -153,18 +154,25 @@ Determine if this is a fork-based workflow: ``` Use AskUserQuestion. If user chooses to fix, abort the commit flow and let them address the issues. +3. **REGISTRY.md check** (if methodology files are staged): + Check whether `docs/methodology/REGISTRY.md` is also in the staged file set (`git diff --cached --name-only`). + If methodology files changed but REGISTRY.md was NOT staged, warn: + "Methodology files changed but `docs/methodology/REGISTRY.md` was not updated. + If your changes deviate from reference implementations, document them using a + reviewer-recognized label (`**Note:**`, `**Deviation from R:**`, or + `**Note (deviation from R):**`) — undocumented deviations are flagged as P1 + by the AI reviewer." + This is a WARNING, not a blocker. + ### 6. Commit Changes 1. **Secret scanning check** (files already staged from 5b): - - **Run deterministic pattern check** (file names only, no content leaked): - ```bash - secret_files=$(git diff --cached -G "(AKIA[A-Z0-9]{16}|ghp_[a-zA-Z0-9]{36}|sk-[a-zA-Z0-9]{48}|gho_[a-zA-Z0-9]{36}|[Aa][Pp][Ii][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Ss][Ee][Cc][Rr][Ee][Tt][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd][[:space:]]*[=:]|[Pp][Rr][Ii][Vv][Aa][Tt][Ee][_-]?[Kk][Ee][Yy]|[Bb][Ee][Aa][Rr][Ee][Rr][[:space:]]+[a-zA-Z0-9_-]+|[Tt][Oo][Kk][Ee][Nn][[:space:]]*[=:])" --name-only 2>/dev/null || true) - ``` - Note: Uses `-G` to search diff content but `--name-only` to output only file names, preventing secret values from appearing in logs. The `|| true` prevents exit status 1 when patterns match from aborting strict runners. 
- - **Check for sensitive file names** (case-insensitive): + - **Run deterministic pattern check** using the canonical patterns from `/pre-merge-check` Section 2.6: ```bash - git diff --cached --name-only | grep -iE "(\.env|credentials|secret|\.pem|\.key|\.p12|\.pfx|id_rsa|id_ed25519)$" || true + secret_files=$(git diff --cached -G "" --name-only 2>/dev/null || true) + sensitive_files=$(git diff --cached --name-only | grep -iE "" || true) ``` + Read the actual regex values from `/pre-merge-check` Section 2.6 at execution time. Uses `-G` to search diff content but `--name-only` to output only file names, preventing secret values from appearing in logs. - **Optional**: For more thorough scanning, use dedicated tools if available: ```bash # gitleaks detect --staged --no-git # If gitleaks installed @@ -174,7 +182,7 @@ Determine if this is a fork-based workflow: ```bash git diff --cached --name-only --diff-filter=A ``` - - **If patterns detected** (i.e., `secret_files` or sensitive file names non-empty), **unstage and warn**: + - **If patterns detected** (i.e., `secret_files` or `sensitive_files` is non-empty), **unstage and warn**: ```bash git reset HEAD # Unstage all files ``` diff --git a/.claude/hooks/test-check-plan-review.sh b/.claude/hooks/test-check-plan-review.sh index 1f20f3cb..f3e0fce4 100644 --- a/.claude/hooks/test-check-plan-review.sh +++ b/.claude/hooks/test-check-plan-review.sh @@ -44,7 +44,7 @@ create_review() { --- plan: $plan_path reviewed_at: 2026-01-01T00:00:00Z -verdict: "Approved" +assessment: "No critical issues found" critical_count: 0 medium_count: 0 low_count: 0 
@@ -167,7 +167,7 @@ touch -t 202601010001 "$PLAN" cat > "$REVIEW" <.review.md` with YAML frontmatter (plan path, -timestamp, verdict, issue counts). Update sentinel. Collect feedback and revise if needed. +timestamp, assessment, issue counts). Update sentinel. Collect feedback and revise if needed. Touch review file after revision to avoid staleness check failure. **If skipped**: Write a minimal review marker to `~/.claude/plans/.review.md`: @@ -171,7 +171,7 @@ Touch review file after revision to avoid staleness check failure. --- plan: reviewed_at: -verdict: "Skipped" +assessment: "Skipped" critical_count: 0 medium_count: 0 low_count: 0
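Review bot: In `bump-version.md`, the new `docs/llms-full.txt` instruction ("Replace `- Version: OLD_VERSION` with `- Version: NEW_VERSION`") gives no disambiguation if more than one `- Version:` line exists, whereas the neighbouring `rust/Cargo.toml` entry says "the first version line under [package]". The table pins the line at ~5, so either say "the first `- Version:` line" or add a check that exactly one line matched before the replacement, so the step cannot silently rewrite an unrelated line.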
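Review bot: In the new `pre-merge-check.md` Section 2.6, the sensitive filename pattern `(\.env|credentials|secret|\.pem|\.key|\.p12|\.pfx|id_rsa|id_ed25519)$` is anchored with `$`, so `credentials`, `secret` and `.env` only match when they end the path: `credentials.json`, `secrets.yaml` or `.env.local` would not be reported. Split the list into extension matches (`\.(pem|key|p12|pfx)$`, `id_rsa$`, `id_ed25519$`) and unanchored substring matches (`credentials|secret|\.env`). Separately, the **Content pattern** fence contains only `-G "..."`, not a runnable command; since this section is now the single source of truth that `/submit-pr` and `/push-pr-update` copy from, show the complete `git diff --cached -G "..." --name-only 2>/dev/null || true` form so the `--name-only` and `|| true` requirements stated under **Usage** travel with the pattern.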
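Review bot: In `push-pr-update.md` Section 2.4 (both the new-branch and the up-to-date-branch hunks), the existing bullet "**Scan for secrets in commits to push** (see Section 3a below)" now sits directly above the new "Proceed to Section 3a (secret scan), then 3b (methodology checks), then Section 4" bullet, so the secret scan is listed twice in each branch. Drop the older bullet or fold it into the new one so the 3a → 3b → 4 ordering is stated once per branch.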
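Review bot: In `push-pr-update.md` Section 3a step 2, the commands now read `-G ""` and `grep -iE ""`, with the real pattern to be read from `/pre-merge-check` Section 2.6 "at execution time". The shell accepts `""` as an argument, so a forgotten substitution is not caught by any syntax error and the scan runs with an empty pattern; the same applies to the identical blocks in `push-pr-update.md` Section 3 step 4 and `submit-pr.md` Section 6. Suggest a non-empty, clearly named placeholder that cannot be mistaken for a real pattern, or an explicit guard that the pattern variable is non-empty before `git diff` is invoked.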
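Review bot: The new Section 3b in `push-pr-update.md` (like 3a before it) is inserted ahead of `### 3. Stage and Commit Changes`, as the trailing context of this hunk shows, so the file presents 3a and 3b before 3 even though both headings say they apply "when skipping Section 3". Either move them after Section 3 or renumber them so the numbering follows reading order. Also, the "Check C override" paragraph modifies a check that `/pre-merge-check` Section 2.1 is meant to own as the canonical definition; document the committed-range variant (`git diff ..HEAD -- ...` instead of `git diff HEAD`) in Section 2.1 itself so the two descriptions cannot drift.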
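Review bot: In `push-pr-update.md` Section 3 step 4, the replacement note drops two explanations the removed lines carried: that `--name-only` prevents secret values from appearing in logs, and that `|| true` stops a non-zero exit from aborting strict runners. The commands still rely on both, and the counterpart hunk in `submit-pr.md` Section 6 keeps the `--name-only` rationale, so restore the same sentence here, or better, move both rationales into the canonical Section 2.6, whose **Usage** line currently says "Always use `--name-only` and `|| true`" without saying why.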
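Review bot: Renaming the frontmatter key `verdict` to `assessment` in `review-plan.md` Step 6 and in `revise-plan.md` changes the on-disk schema of the `.review.md` files under `~/.claude/plans/`, but the only script touched in this diff is the fixture in `test-check-plan-review.sh`; the hook it tests is not modified. Please confirm the hook does not read the `verdict` key, and state in the PR whether review files written before this change (still carrying `verdict:`) remain valid or must be regenerated, since the "Extract from the review content" list in `revise-plan.md` now looks for `Assessment`.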
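Review bot: The REGISTRY.md warning text added in `submit-pr.md` step 3 is the same paragraph added verbatim to `push-pr-update.md` Section 3 and Section 3b (three copies, including the label list `**Note:**`, `**Deviation from R:**`, `**Note (deviation from R):**`). Given this PR's own move toward canonical definitions in `/pre-merge-check` (Sections 2.1 and 2.6), define the warning once there and have the three call sites reference it, so a future change to the recognised labels cannot leave one copy stale.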