Merge pull request #314 from neongreen/copilot/add-aihook-stop-hook

Add aihook tool with PreToolUse hook for validating cd commands in Bash

Author: neongreen

README.md

@@ -21,6 +21,7 @@ This repository contains multiple independent projects.
 | [jj-run](jj-run/) | alpha | Jujutsu subcommand to execute shell commands against multiple revisions. |
 | [jj-run-py](jj-run-py/) | deprecated | Old version of jj-run written in Python. |
 | [tk-vscode](tk-vscode/) | alpha | VS Code extension that lists tk tasks by running `tk ls --json`. |
+| [aihook](aihook/) | alpha | Claude Code hook validator that enforces shell scripting best practices. |
 
 ## Libraries
 

aihook/AGENTS.md

@@ -0,0 +1,114 @@
+# Agent Guidelines for aihook
+
+## Project Overview
+
+`aihook` is a validator for Claude Code hooks that enforces shell scripting best practices. The primary use case is validating that `cd` commands are always executed within subshells.
+
+## Project Structure
+
+```
+aihook/
+├── main.go                      # CLI entry point (Cobra setup)
+├── pkg/
+│   └── validator/
+│       ├── validator.go         # Core validation logic
+│       └── validator_test.go    # Comprehensive unit tests
+├── README.md                    # User documentation
+└── AGENTS.md                    # This file
+```
+
+**Separation of concerns:**
+- `main.go`: Cobra CLI setup, flag handling, output formatting
+- `pkg/validator`: Pure validation logic (AST walking, cd detection)
+- Tests are in the validator package, testing the pure logic
+
+## Development Guidelines
+
+### Building and Testing
+
+Always run tests and build from the repository root:
+
+```bash
+# Run tests
+go test ./aihook/...
+
+# Build
+go build ./aihook
+
+# Run
+./aihook stop < script.sh
+```
+
+### Code Structure
+
+- `main.go` (86 lines) - CLI entry point with Cobra framework
+  - Command definitions and flag handling
+  - Output formatting (regular and --claude JSON)
+  - Calls into validator package for logic
+
+- `pkg/validator/validator.go` (106 lines) - Core validation logic
+  - `Validator` type with `ValidateScript()` method
+  - AST walking to detect cd commands
+  - Tracks subshell context (both `(...)` and `$(...)`)
+  - `FormatViolations()` for user-friendly error messages
+
+- `pkg/validator/validator_test.go` (330 lines) - Comprehensive tests
+  - 41 test scenarios covering all edge cases
+  - Tests the validator package directly
+
+### Key Implementation Details
+
+1. **Shell Parsing**: Uses `mvdan.cc/sh/v3/syntax` for accurate shell script parsing
+2. **AST Walking**: Traverses the syntax tree to find `cd` commands and track subshell context
+3. **Subshell Detection**: Handles both explicit subshells `(...)` and command substitutions `$(...)`
+4. **Output Formats**: Supports both human-readable and Claude Code JSON formats
+
+### Testing Philosophy
+
+Tests cover:
+- Basic cd detection (inside and outside subshells)
+- Complex nesting scenarios
+- Command substitution
+- Edge cases (loops, conditionals, functions)
+- Invalid shell syntax
+- Multiple cd commands in one script
+
+All tests must pass before any changes are committed.
+
+### Common Pitfalls
+
+1. **Arithmetic Expansion**: `$((...))` is NOT a subshell, it's arithmetic expansion
+2. **Command Substitution**: `$(...)` IS a subshell and cd is allowed inside
+3. **Here Documents**: Content inside here-docs should not be parsed as commands
+
+### Claude Code Hook Format
+
+When `--claude` flag is used, output must be JSON with:
+- `exit_code`: Integer (0 for success, 2 for violations, 1 for errors)
+- `message`: String containing the human-readable message
+
+Example:
+```json
+{
+  "exit_code": 2,
+  "message": "Found cd commands outside subshells:\n  Line 1: 'cd' command found outside subshell\n\nAll 'cd' commands must be in a subshell. Example:\n  # Bad:  cd /tmp && ls\n  # Good: (cd /tmp && ls)\n"
+}
+```
+
+## Adding New Hook Types
+
+When adding new hook types in the future:
+
+1. Add a new subcommand in `main.go`
+2. Create a new validator in `pkg/validator` if needed
+3. Add comprehensive unit tests in the validator package
+4. Update README.md with usage examples
+5. Update this AGENTS.md with implementation notes
+
+## Dependencies
+
+- `github.com/spf13/cobra` - CLI framework
+- `mvdan.cc/sh/v3/syntax` - Shell script parser
+- `github.com/neongreen/mono/lib/version` - Shared version command
+
+All dependencies are managed via the repository's root go.mod file.

aihook/README.md

@@ -0,0 +1,148 @@
+# aihook
+
+A validator for Claude Code hooks that enforces shell scripting best practices.
+
+## Overview
+
+`aihook` is a command-line tool designed to validate shell scripts for use in Claude Code PreToolUse hooks. It parses shell syntax and enforces specific rules to ensure code quality and consistency.
+
+## Features
+
+- **PreToolUse Hook**: Validates Bash commands before execution to forbid `cd` invocations outside subshells
+- **Shell Parser**: Uses `mvdan.cc/sh/v3/syntax` for accurate shell script parsing
+- **Claude Code Integration**: Supports `--claude` flag for JSON output compatible with Claude Code hooks
+- **Comprehensive Validation**: Handles complex scenarios including:
+  - Nested subshells
+  - Command substitution (`$(...)`)
+  - Conditional statements
+  - Loops and functions
+  - Here documents
+
+## Installation
+
+### From Source
+
+```bash
+go install github.com/neongreen/mono/aihook@latest
+```
+
+### Local Development
+
+```bash
+go build ./aihook
+```
+
+## Usage
+
+### Stop Hook
+
+The `stop` subcommand validates shell scripts and ensures all `cd` commands are executed within subshells:
+
+```bash
+# Check a shell script from stdin
+echo 'cd /tmp' | aihook stop
+
+# With Claude Code hook format output
+echo 'cd /tmp' | aihook stop --claude
+```
+
+### Examples
+
+**Bad (will fail validation):**
+```bash
+cd /tmp && ls
+```
+
+**Good (will pass validation):**
+```bash
+(cd /tmp && ls)
+```
+
+### Exit Codes
+
+- `0`: No violations found
+- `2`: Violations detected (cd commands outside subshells)
+- `1`: Parse error or other failure
+
+### Output Formats
+
+#### Standard Output
+```
+Found cd commands outside subshells:
+  Line 1: 'cd' command found outside subshell
+
+All 'cd' commands must be in a subshell. Example:
+  # Bad:  cd /tmp && ls
+  # Good: (cd /tmp && ls)
+```
+
+#### Claude Code Hook Format (`--claude`)
+```json
+{
+  "exit_code": 2,
+  "message": "Found cd commands outside subshells:\n  Line 1: 'cd' command found outside subshell\n\nAll 'cd' commands must be in a subshell. Example:\n  # Bad:  cd /tmp && ls\n  # Good: (cd /tmp && ls)\n"
+}
+```
+
+## Claude Code Integration
+
+To use `aihook` as a Claude Code PreToolUse hook that validates Bash commands, add this to your `.claude/settings.json`:
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "aihook stop --claude"
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+The hook will:
+- Match any Bash tool invocation (via the `"Bash"` matcher)
+- Receive the bash command script on stdin
+- Validate that all `cd` commands are in subshells
+- Return exit code 0 to allow, or exit code 2 to block with error message
+- Use `--claude` flag to output in the expected JSON format
+
+For more flexible matching, you can use regex patterns like `"Bash.*cd"` to only check Bash commands containing `cd`.
+
+## Why Forbid cd Outside Subshells?
+
+Using `cd` outside subshells can cause unexpected behavior in shell scripts:
+
+1. **Side Effects**: Changes the current directory for the entire script and subsequent commands
+2. **Hard to Debug**: Directory changes can happen far from where they're used
+3. **Error Prone**: Easy to forget to change back to the original directory
+4. **Not Composable**: Makes scripts harder to use in pipelines or as building blocks
+
+By requiring `cd` in subshells `(cd /path && command)`, you ensure:
+- Directory changes are localized
+- The original directory is automatically restored
+- Scripts are more predictable and safer
+
+## Development
+
+### Running Tests
+
+```bash
+go test ./aihook -v
+```
+
+### Building
+
+```bash
+go build ./aihook
+```
+
+## License
+
+See the root LICENSE file in the repository.

aihook/main.go

@@ -0,0 +1,86 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	"github.com/neongreen/mono/aihook/pkg/validator"
+	"github.com/neongreen/mono/lib/version"
+)
+
+var rootCmd = &cobra.Command{
+	Use:   "aihook",
+	Short: "Claude Code hook validator",
+	Long:  `aihook validates shell commands and code patterns for Claude Code hooks.`,
+}
+
+var stopCmd = &cobra.Command{
+	Use:   "stop",
+	Short: "Stop hook that validates shell commands",
+	Long:  `Stop hook that parses shell syntax and forbids 'cd' invocations outside subshells.`,
+	RunE:  runStop,
+}
+
+var claudeFlag bool
+
+func init() {
+	rootCmd.AddCommand(stopCmd)
+	rootCmd.AddCommand(version.NewVersionCommand("aihook"))
+
+	stopCmd.Flags().BoolVar(&claudeFlag, "claude", false, "Output in Claude Code hook format")
+}
+
+func main() {
+	if err := rootCmd.Execute(); err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+}
+
+func runStop(cmd *cobra.Command, args []string) error {
+	v := validator.New()
+	violations, err := v.ValidateScript(os.Stdin)
+	if err != nil {
+		return formatOutput(err.Error(), 1)
+	}
+
+	if len(violations) > 0 {
+		msg := validator.FormatViolations(violations)
+		return formatOutput(msg, 2)
+	}
+
+	return formatOutput("No violations found", 0)
+}
+
+// formatOutput formats the output according to the --claude flag
+func formatOutput(message string, exitCode int) error {
+	if claudeFlag {
+		// Claude Code hook format
+		output := map[string]interface{}{
+			"message":   message,
+			"exit_code": exitCode,
+		}
+		encoder := json.NewEncoder(os.Stdout)
+		encoder.SetIndent("", "  ")
+		if err := encoder.Encode(output); err != nil {
+			return fmt.Errorf("failed to encode JSON output: %w", err)
+		}
+		if exitCode != 0 {
+			os.Exit(exitCode)
+		}
+		return nil
+	}
+
+	// Regular output
+	if exitCode == 0 {
+		fmt.Println(message)
+		return nil
+	}
+
+	fmt.Fprintln(os.Stderr, message)
+	os.Exit(exitCode)
+	return nil
+}