feat(hooks): pre-push stale-branch detection + review-open-prs extension

Adds a proactive warning when force-pushing a branch that is >5 commits
behind its base. Also extends the review-open-prs skill report with a
new "Stale Branches (Drift Risk)" section that flags PRs likely failing
CI because the base moved (e.g., file renames in merged PRs).

Motivating incident: 2026-05-20 — DOJ-4134 atomic migration moved
src/components/agent/ChatWidget.tsx. PRs #2105, #2107, #1713 in dojo-os
each spent ~10 min diagnosing the same ENOENT failure that a 30-second
rebase resolved. This package surfaces the pattern proactively.

- hooks/pre-bash-stale-push.sh (new, warn-only)
- hooks/pre-bash.sh (wire new hook before rule loop, after kill-switch)
- skills/review-open-prs/SKILL.md (new section + Action 2a rebase batch)
- hooks/test-hooks.sh (6 new hermetic tests; 216/216 pass, was 210/210)
- package.json + plugin.json + marketplace.json + README + CHANGELOG
  bumped 1.15.0 → 1.16.0

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: lapc506

.claude-plugin/marketplace.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://anthropic.com/claude-code/marketplace.schema.json",
   "name": "make-no-mistakes",
-  "version": "1.17.0",
+  "version": "1.18.0",
   "description": "The disciplined dev lifecycle — implement issues, review PRs, sync releases, test E2E, manage sessions, and stash secrets via OS-native prompts. One plugin to make no mistakes.",
   "owner": {
     "name": "Luis Andres Pena Castillo",
@@ -11,7 +11,7 @@
     {
       "name": "make-no-mistakes",
       "description": "Dev lifecycle orchestrator: disciplined Linear issue execution with worktree isolation, PR review with Greptile gating, team release sync, E2E test generation and execution, test suite previewer, security pentesting, MoSCoW + RICE prioritization, cross-platform secret stash via OS-native GUI prompts (zenity / kdialog / osascript / Get-Credential), and session management. 18 commands, 6 auto-activating skills, 2 specialized agents.",
-      "version": "1.17.0",
+      "version": "1.18.0",
       "author": {
         "name": "Luis Andres Pena Castillo",
         "email": "lapc506@users.noreply.github.com"

.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "make-no-mistakes",
-  "version": "1.17.0",
+  "version": "1.18.0",
   "description": "The disciplined dev lifecycle — implement issues, review PRs, sync releases, test E2E, manage sessions, stash secrets, and enforce manifest-driven tool-call hooks. One plugin to make no mistakes.",
   "author": {
     "name": "Luis Andres Pena Castillo",

CHANGELOG.md

@@ -18,6 +18,42 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.18.0] - 2026-05-26
+
+### Added
+- New hook: `hooks/pre-bash-stale-push.sh` (warn-only). Fires when a Bash
+  tool call is a force-push (`git push --force-with-lease`, `--force`, or
+  `-f`) AND the current `HEAD` is more than 5 commits behind the resolved
+  base (preferring `origin/HEAD`, falling back to `develop` → `main` →
+  `master`). Emits a multi-line stderr warning with a copy-pasteable
+  three-line rebase recipe. Never blocks — the hook always exits 0.
+  Threshold tunable via `MAKE_NO_MISTAKES_STALE_THRESHOLD` env var. Wired
+  into `hooks/pre-bash.sh` after the kill-switch check so
+  `CLAUDE_DISABLE_PLUGIN_HOOKS=1` disables it alongside everything else.
+- New section in `skills/review-open-prs/SKILL.md`: **My PRs — Stale
+  Branches (Drift Risk)**. Surfaces PRs that are >5 commits behind base
+  AND have failing CI checks, separately from real CI bugs. Includes a
+  matching **Action 2a** in the report's Suggested Course of Action that
+  proposes a batched rebase before drilling into the failures —
+  drift-induced failures often resolve themselves on rebase, and isolating
+  them up front prevents wasted investigation cycles.
+- 6 new hook tests in `hooks/test-hooks.sh` covering the stale-push hook
+  (non-push silent, in-threshold silent, stale warns, --dry-run skipped,
+  -f short form detected, non-force-push silent). Tests are hermetic —
+  each spins up a throwaway upstream + local clone in `mktemp -d`.
+
+### Motivation
+- **2026-05-20 incident**: DOJ-4134 atomic migration moved
+  `src/components/agent/ChatWidget.tsx` → `src/components/agent/organisms/ChatWidget.tsx`
+  and updated a Vitest fixture in the same atomic merge. PRs in `dojo-os`
+  that were cut from `develop` BEFORE that merge (#2105 DOJ-4135 accordion,
+  #2107 VerificationBanner /home suppression, #1713 welcome flow) each kept
+  the old test path, so their next CI run failed with
+  `ENOENT: src/components/agent/ChatWidget.tsx`. Diagnosis took ~10 minutes
+  per PR. Fix was always the same 30-second rebase + force-push-with-lease.
+  This release surfaces that drift proactively (hook) and retroactively
+  (skill section) so the pattern never has to be diagnosed again.
+
 ## [1.17.0] - 2026-05-25
 
 ### Added

README.md

@@ -1,6 +1,6 @@
 # make-no-mistakes
 
-**Version: 1.17.0** · [CHANGELOG](./CHANGELOG.md) · [Marketplace](https://github.com/DojoCodingLabs/make-no-mistakes-toolkit)
+**Version: 1.18.0** · [CHANGELOG](./CHANGELOG.md) · [Marketplace](https://github.com/DojoCodingLabs/make-no-mistakes-toolkit)
 
 The disciplined dev lifecycle — implement issues, review PRs, sync releases, test E2E, and manage sessions. One plugin to make no mistakes.
 

hooks/pre-bash-stale-push.sh

@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+# =============================================================================
+# pre-bash-stale-push.sh — Warn when force-pushing a branch that is far behind
+# its base (likely to fail CI because the base moved).
+#
+# Reads the Bash tool's tool_input JSON from stdin (same convention as
+# pre-bash.sh), extracts .command, and if it looks like a force push,
+# computes how many commits the local HEAD is behind the resolved base
+# (origin/HEAD → develop → main → master). If the gap exceeds the threshold,
+# emits a multi-line warning to stderr and exits 0.
+#
+# This hook is WARN-ONLY by design — it never blocks. Force-pushing a stale
+# branch is sometimes the correct action (e.g. intentionally diverging fork).
+# The hook surfaces the risk; the human decides.
+#
+# Motivating incident: 2026-05-20 — DOJ-4134 atomic migration moved
+# src/components/agent/ChatWidget.tsx. PRs #2105, #2107, #1713 in dojo-os
+# each spent ~10 min diagnosing the same ENOENT failure that a 30-second
+# rebase resolved.
+# =============================================================================
+set -uo pipefail
+
+# Threshold: behind > N triggers the warning. Override with env var if you
+# want to tune sensitivity per-developer; 5 is conservative enough that the
+# noise floor is low while still catching real drift windows.
+THRESHOLD="${MAKE_NO_MISTAKES_STALE_THRESHOLD:-5}"
+
+# Capture stdin (the Bash tool_input JSON).
+INPUT_RAW="$(cat)"
+
+# If jq is missing, we can't parse the command — fail open silently. The
+# user shouldn't be blocked by our installation issues.
+if ! command -v jq >/dev/null 2>&1; then
+  exit 0
+fi
+
+COMMAND="$(printf '%s' "$INPUT_RAW" | jq -r '.tool_input.command // empty' 2>/dev/null || true)"
+if [ -z "$COMMAND" ]; then
+  exit 0
+fi
+
+# Detect force-push variants:
+#   git push ... --force-with-lease (any form, with or without =refname)
+#   git push ... --force
+#   git push ... -f (short form, word-boundary so -fwd-style flags don't match)
+# Skip --dry-run since the user is explicitly previewing, not pushing.
+if printf '%s' "$COMMAND" | grep -qE '(^|[[:space:]])--dry-run([[:space:]]|$|=)'; then
+  exit 0
+fi
+
+if ! printf '%s' "$COMMAND" | grep -qE '(^|[[:space:]])git[[:space:]]+push\b'; then
+  exit 0
+fi
+
+if ! printf '%s' "$COMMAND" | grep -qE '(--force-with-lease|--force|(^|[[:space:]])-f([[:space:]]|$))'; then
+  exit 0
+fi
+
+# Resolve base branch. Prefer origin's HEAD symbolic ref; fall back to a
+# fixed candidate list. If none exist, exit 0 — we can't help.
+BASE=""
+
+if SYMREF="$(git symbolic-ref refs/remotes/origin/HEAD --short 2>/dev/null)"; then
+  # SYMREF is like "origin/develop"; strip "origin/" prefix.
+  BASE="${SYMREF#origin/}"
+fi
+
+if [ -z "$BASE" ]; then
+  # Fall back to first existing remote ref. Order matters — develop wins
+  # over main when both exist (most active repos in this org use develop).
+  for candidate in develop main master; do
+    if git show-ref --verify --quiet "refs/remotes/origin/${candidate}"; then
+      BASE="$candidate"
+      break
+    fi
+  done
+fi
+
+if [ -z "$BASE" ]; then
+  exit 0
+fi
+
+# Compute behind count. If git fails (not in a repo, no fetch yet, etc.),
+# silently exit 0 — we never want this hook to be noisy on unrelated repos.
+BEHIND="$(git rev-list --count "HEAD..origin/${BASE}" 2>/dev/null || true)"
+
+# Guard against empty / non-numeric results from git (e.g. "fatal: ...").
+case "$BEHIND" in
+  ''|*[!0-9]*) exit 0 ;;
+esac
+
+if [ "$BEHIND" -le "$THRESHOLD" ]; then
+  exit 0
+fi
+
+# Fired. Multi-line warning to stderr; exit 0 (warn-only, never blocks).
+{
+  echo ""
+  echo "[make-no-mistakes:stale-push] WARNING"
+  echo "You're force-pushing a branch that is ${BEHIND} commits behind origin/${BASE}."
+  echo ""
+  echo "CI failures on this push are likely if any of those ${BEHIND} commits touched"
+  echo "files your branch also touches (test paths moved, exports renamed, etc.)."
+  echo ""
+  echo "Suggested: cancel this push, then run:"
+  echo "  git fetch origin ${BASE}"
+  echo "  git rebase origin/${BASE}"
+  echo "  git push --force-with-lease"
+  echo ""
+  echo "Or push as-is and accept the risk. This is a warning, not a block."
+} >&2
+
+exit 0

hooks/pre-bash.sh

@@ -33,6 +33,14 @@ fi
 # Capture stdin once. Each rule invocation re-pipes this same payload.
 INPUT_RAW="$(cat)"
 
+# Stale-push warning hook — runs alongside the manifest rule loop and shares
+# the same stdin payload. It is warn-only by contract (never exits non-zero
+# in a way that should abort the dispatcher), but we also guard with `|| true`
+# so a future bug in that script cannot turn into a hard block here.
+if [ -x "$HOOKS_DIR/pre-bash-stale-push.sh" ]; then
+  printf '%s' "$INPUT_RAW" | "$HOOKS_DIR/pre-bash-stale-push.sh" || true
+fi
+
 EXIT_CODE=0
 while IFS= read -r RULE_ID; do
   [ -z "$RULE_ID" ] && continue

hooks/test-hooks.sh

@@ -87,6 +87,114 @@ while IFS=$'\t' read -r RULE_ID TEST_IDX; do
   rm -f "$STDERR_FILE"
 done <<< "$PAIRS"
 
+# =============================================================================
+# Standalone hook tests — pre-bash-stale-push.sh
+#
+# This hook lives outside the rules manifest because its predicate is shell
+# logic (calls `git` to compute behind-by count), not a regex. Each case
+# stages an isolated git repo in a tempdir so the test is hermetic — we
+# never depend on the toolkit repo's own branch state.
+# =============================================================================
+STALE_HOOK="$HOOKS_DIR/pre-bash-stale-push.sh"
+
+if [ -x "$STALE_HOOK" ]; then
+  # Helper: spin up two work trees ("upstream" + local clone) with the local
+  # clone's HEAD `$1` commits behind origin/main.
+  # Returns the local clone path on stdout.
+  setup_stale_repo() {
+    local behind="$1"
+    local base
+    base="$(mktemp -d)"
+    (
+      # Upstream working tree — we'll push commits here to simulate develop
+      # moving forward.
+      mkdir -p "$base/upstream" "$base/local"
+      cd "$base/upstream" || exit 1
+      git init -q --initial-branch=main
+      git config user.email t@t.t
+      git config user.name t
+      git commit -q --allow-empty -m "base"
+
+      # Local clone — HEAD points at the same base commit
+      cd "$base" || exit 1
+      git clone -q upstream local >/dev/null 2>&1
+      cd "$base/local" || exit 1
+      git config user.email t@t.t
+      git config user.name t
+      git checkout -q -b feature
+      git symbolic-ref refs/remotes/origin/HEAD refs/remotes/origin/main
+
+      # Advance upstream by N commits, then fetch into local so origin/main
+      # is N ahead of our feature HEAD.
+      cd "$base/upstream" || exit 1
+      local i=0
+      while [ "$i" -lt "$behind" ]; do
+        git commit -q --allow-empty -m "upstream-$i"
+        i=$((i + 1))
+      done
+      cd "$base/local" || exit 1
+      git fetch -q origin
+    )
+    echo "$base/local"
+  }
+
+  run_stale_case() {
+    local name="$1" command="$2" behind="$3" expected_warn="$4"
+    local repo input stderr_file exit_code
+    repo="$(setup_stale_repo "$behind")"
+    input="$(jq -nc --arg c "$command" '{tool_input:{command:$c}}')"
+    stderr_file="$(mktemp)"
+    exit_code=0
+    (cd "$repo" && printf '%s' "$input" | bash "$STALE_HOOK") 2>"$stderr_file" || exit_code=$?
+
+    local status="PASS" reason=""
+    if [ "$exit_code" != "0" ]; then
+      status="FAIL"; reason="exit expected=0 actual=$exit_code"
+    elif [ "$expected_warn" = "yes" ]; then
+      if ! grep -qF "[make-no-mistakes:stale-push]" "$stderr_file"; then
+        status="FAIL"; reason="expected warning, got none"
+      fi
+    else
+      if grep -qF "[make-no-mistakes:stale-push]" "$stderr_file"; then
+        status="FAIL"; reason="expected silence, got warning"
+      fi
+    fi
+
+    if [ "$status" = "PASS" ]; then
+      PASS=$((PASS + 1))
+      echo "  PASS  stale-push / ${name}"
+    else
+      FAIL=$((FAIL + 1))
+      echo "  FAIL  stale-push / ${name}  --  ${reason}"
+      FAIL_DETAILS+=("stale-push/${name}: ${reason}")
+    fi
+
+    # setup_stale_repo returns "$base/local" — clean up the parent so we
+    # also remove the upstream sibling, not just the local clone.
+    rm -rf "$(dirname "$repo")" "$stderr_file"
+  }
+
+  # Case A: not a push command — must exit silently, no warning
+  run_stale_case "skips-non-push-command" "ls -la" 100 "no"
+
+  # Case B: force-push but branch is only 1 commit behind (≤ threshold of 5) — silent
+  run_stale_case "skips-push-within-threshold" "git push --force-with-lease" 1 "no"
+
+  # Case C: force-push and branch is 10 commits behind (> threshold) — warn
+  run_stale_case "warns-on-stale-force-push" "git push --force-with-lease" 10 "yes"
+
+  # Case D: --dry-run should always skip even when stale
+  run_stale_case "skips-dry-run" "git push --force-with-lease --dry-run" 20 "no"
+
+  # Case E: -f short form should be detected
+  run_stale_case "detects-short-form-f-flag" "git push -f origin feature" 8 "yes"
+
+  # Case F: non-force push (no --force / --force-with-lease / -f) — silent
+  run_stale_case "skips-non-force-push" "git push origin feature" 50 "no"
+else
+  echo "  SKIP  stale-push (hook not executable at $STALE_HOOK)"
+fi
+
 echo ""
 TOTAL=$((PASS + FAIL))
 echo "Results: ${PASS} / ${TOTAL} passed"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lapc506/make-no-mistakes",
-  "version": "1.17.0",
+  "version": "1.18.0",
   "description": "The disciplined dev lifecycle — implement issues, review PRs, sync releases, test E2E, manage sessions, stash secrets, and enforce manifest-driven tool-call hooks (no SSH+DB, no manual prod, no minified build, no secret leaks, Slack format). OpenCode + Claude Code plugin.",
   "type": "module",
   "main": "./dist/index.js",

skills/review-open-prs/SKILL.md

@@ -198,8 +198,36 @@ PR #number — Title
   URL
 ```
 
+### My PRs — Stale Branches (Drift Risk)
+PRs where the branch is >5 commits behind base AND has ANY failing CI check. These are likely failing because the base moved (e.g., a test file was moved/renamed in a merged PR but this branch still has the old path). Recommend a preventive rebase BEFORE more CI cycles burn.
+
+**Investigate this section BEFORE the "CI Failures" section below** — stale-with-CI-fail is a likely false positive that can be resolved with a 30-second rebase. Pulling apart real test bugs from drift-induced failures is much faster when you've already ruled out drift.
+
+For each candidate PR, collect the behind-by count using the GitHub Compare API (one call per PR; do this inside the per-PR loop in Step 5):
+
+```bash
+# Inside the per-PR loop in Step 5 — after fetching CI status:
+base_branch=$(gh pr view "$pr_number" --repo "$ORG/<repo>" --json baseRefName --jq '.baseRefName')
+head_sha=$(gh pr view "$pr_number" --repo "$ORG/<repo>" --json headRefOid --jq '.headRefOid')
+behind=$(gh api "repos/$ORG/<repo>/compare/${base_branch}...${head_sha}" --jq '.behind_by' 2>/dev/null)
+```
+
+A PR qualifies for this section if:
+- `behind` > 5, AND
+- At least one CI check has `conclusion=FAILURE`
+
+Format:
+```
+PR #number — Title — {behind} commits behind {base}
+  Failed checks: list of failed check names
+  Suggested: git fetch && git rebase origin/{base} && git push --force-with-lease
+  URL
+```
+
+If you can pattern-match the failing test path against files renamed in recent commits to `{base}` (e.g., `gh api repos/$ORG/<repo>/compare/${head_sha}...origin/${base_branch}` and grep `.files[].previous_filename`), call that out as "Likely cause: file renamed in merged PR #X".
+
 ### My PRs — CI Failures
-PRs with any check conclusion=FAILURE:
+PRs with any check conclusion=FAILURE that are NOT already listed under "Stale Branches" above:
 ```
 PR #number — Title
   Failed checks: list of failed check names
@@ -281,6 +309,28 @@ Rules:
 - If unsure who to CC, ask the user
 - Do NOT use unicode bullet points (no `•`, `◦`, `▪`) — use `-` at all levels
 
+### Action 2a: Rebase stale branches (drift risk)
+
+List every PR from "Stale Branches (Drift Risk)". These should be addressed BEFORE Action 3 (CI Failures) because the rebase often resolves the failures for free:
+
+```
+The following PRs are >5 commits behind base AND have failing CI. The failures
+are likely caused by the base moving (e.g., a test file was renamed in a merged
+PR). A rebase will likely make them go green:
+
+  repo#number — Title — {N} commits behind {base}
+  ...
+
+Shall I rebase them against the base branch? (yes/no/pick)
+```
+
+If the user says "yes", for each stale PR:
+1. Check out the branch locally or in a worktree
+2. `git fetch origin <base>`
+3. `git rebase origin/<base>` (auto-resolve trivial conflicts; flag manual ones)
+4. `git push --force-with-lease` (with user confirmation)
+5. Re-poll CI after a few minutes — if it's now green, the failure was drift; if it's still red, escalate to Action 3.
+
 ### Action 2: Fix merge conflicts / rebase
 
 List every PR from "Merge Conflicts / Needs Rebase":