SocketDev
diff --git a/‎.claude/hooks/_shared/bash-quote-mask.mts‎
Lines changed: 149 additions & 0 deletions b/‎.claude/hooks/_shared/bash-quote-mask.mts‎
Lines changed: 149 additions & 0 deletions
diff --git a/‎.claude/hooks/_shared/test/bash-quote-mask.test.mts‎
Lines changed: 159 additions & 0 deletions b/‎.claude/hooks/_shared/test/bash-quote-mask.test.mts‎
Lines changed: 159 additions & 0 deletions
diff --git a/‎.claude/hooks/check-new-deps/index.mts‎
Lines changed: 1 addition & 7 deletions b/‎.claude/hooks/check-new-deps/index.mts‎
Lines changed: 1 addition & 7 deletions
diff --git a/‎.claude/hooks/excuse-detector/README.md‎
Lines changed: 44 additions & 0 deletions b/‎.claude/hooks/excuse-detector/README.md‎
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,149 @@
+/**
+ * @fileoverview Shared helper for Bash-tool PreToolUse hooks.
+ *
+ * Hooks that inspect tool_input.command for a forbidden substring
+ * (e.g. a destructive verb, a stale flag, a secret pattern) all face
+ * the same false-positive risk: the match might fall inside a quoted
+ * string body (`echo "tip: drop --bad-flag from your script"`) or
+ * inside a heredoc that the shell will pass as literal text rather
+ * than execute. This module centralizes the parsing so each hook can
+ * reason in terms of "did the forbidden token appear as a real
+ * argument" rather than "does the string contain this text."
+ *
+ * Two-level API:
+ *
+ *   buildQuoteMask(s) — per-character boolean array; mask[i] === true
+ *     when the character at index i sits inside a single- or
+ *     double-quoted string. Use this when you need to check a regex
+ *     match's index against quote state.
+ *
+ *   matchOutsideQuotes(s, re) — convenience: run a regex against `s`
+ *     and return the first match whose index sits OUTSIDE all quotes
+ *     and outside any heredoc body. Returns undefined when every
+ *     match is inside quoted/heredoc text. Use this for the common
+ *     "does the live command contain this flag" check.
+ *
+ * Limitations:
+ *
+ *   - Not a full POSIX shell parser. Quote nesting (`$"..."`,
+ *     `$'...'` ANSI-C) and `$(...)` command substitution are not
+ *     tracked precisely; they fall through to the simple quote
+ *     state. In practice this is fine for the use cases here, which
+ *     all match a literal flag/verb that wouldn't appear inside
+ *     parameter expansion.
+ *
+ *   - Heredoc detection looks for `<<DELIM ... \nDELIM\b` patterns.
+ *     The delimiter is captured from the opening line and matched on
+ *     a later line at column 0. Both `<<EOF` and `<<-EOF` (tab-stripped)
+ *     forms are recognized; quoted delimiters (`<<'EOF'`) are also
+ *     accepted.
+ */
+
+/**
+ * Per-character mask: true at positions inside a single- or double-
+ * quoted string. The opening and closing quote characters themselves
+ * are marked true (so they're treated as "inside" — handy for code
+ * that wants to skip both the quotes and the body).
+ */
+export function buildQuoteMask(s: string): boolean[] {
+  const mask = new Array<boolean>(s.length).fill(false)
+  let inSingle = false
+  let inDouble = false
+  for (let i = 0; i < s.length; i += 1) {
+    const c = s[i]
+    if (!inSingle && !inDouble && c === "'") {
+      inSingle = true
+      mask[i] = true
+      continue
+    }
+    if (inSingle && c === "'") {
+      inSingle = false
+      mask[i] = true
+      continue
+    }
+    if (!inSingle && !inDouble && c === '"') {
+      inDouble = true
+      mask[i] = true
+      continue
+    }
+    if (inDouble && c === '"') {
+      inDouble = false
+      mask[i] = true
+      continue
+    }
+    // Backslash escape inside double quotes: skip the escaped char.
+    // (Single quotes don't honor backslash in POSIX, so we only
+    // handle the double-quote case.)
+    if (inDouble && c === '\\' && i + 1 < s.length) {
+      mask[i] = true
+      mask[i + 1] = true
+      i += 1
+      continue
+    }
+    mask[i] = inSingle || inDouble
+  }
+  return mask
+}
+
+/**
+ * Replace heredoc bodies with empty strings of equivalent length so
+ * the surrounding indices stay valid. Recognizes:
+ *   <<EOF ... \nEOF
+ *   <<-EOF ... \nEOF       (tab-stripped form)
+ *   <<'EOF' ... \nEOF      (quoted delimiter, no interpolation)
+ *   <<"EOF" ... \nEOF
+ *
+ * The closing delimiter must appear at column 0 (POSIX), but we
+ * accept any leading whitespace as a small concession to the
+ * tab-stripped `<<-` form.
+ */
+export function stripHeredocBodies(s: string): string {
+  return s.replace(
+    /<<-?\s*['"]?(\w+)['"]?([\s\S]*?)\n\s*\1\b/g,
+    (full, _delim, body) => {
+      // Replace the body with spaces so indices in the outer string
+      // stay aligned. The opening line + delimiter line are kept so
+      // callers can still see the `<<EOF` token if they care.
+      return full.replace(body, ' '.repeat(body.length))
+    },
+  )
+}
+
+/**
+ * Search `s` for the first regex match whose index falls outside
+ * every single-/double-quoted string AND outside every heredoc body.
+ * Returns the match, or undefined if every match was inside quoted
+ * or heredoc text.
+ *
+ * The regex is run with the `g` flag implicitly — pass a non-global
+ * regex and we'll create a global clone so `.exec()` can iterate.
+ */
+export function matchOutsideQuotes(
+  s: string,
+  pattern: RegExp,
+): RegExpExecArray | undefined {
+  const stripped = stripHeredocBodies(s)
+  const mask = buildQuoteMask(stripped)
+  const re = pattern.global
+    ? pattern
+    : new RegExp(pattern.source, pattern.flags + 'g')
+  re.lastIndex = 0
+  let match: RegExpExecArray | null
+  while ((match = re.exec(stripped)) !== null) {
+    if (!mask[match.index]) {
+      return match
+    }
+    if (match.index === re.lastIndex) {
+      re.lastIndex += 1
+    }
+  }
+  return undefined
+}
+
+/**
+ * Convenience predicate: true when `pattern` matches `s` at an
+ * unquoted, non-heredoc position. Wraps matchOutsideQuotes.
+ */
+export function containsOutsideQuotes(s: string, pattern: RegExp): boolean {
+  return matchOutsideQuotes(s, pattern) !== undefined
+}
@@ -0,0 +1,159 @@
+// node --test specs for the shared bash-quote-mask helper.
+//
+// Run from this dir:
+//   node --test test/*.test.mts
+
+import test from 'node:test'
+import assert from 'node:assert/strict'
+
+import {
+  buildQuoteMask,
+  containsOutsideQuotes,
+  matchOutsideQuotes,
+  stripHeredocBodies,
+} from '../bash-quote-mask.mts'
+
+test('buildQuoteMask: empty string', () => {
+  assert.deepEqual(buildQuoteMask(''), [])
+})
+
+test("buildQuoteMask: plain text is all false", () => {
+  const mask = buildQuoteMask('git status --short')
+  assert.ok(mask.every(b => b === false))
+})
+
+test('buildQuoteMask: single-quoted region is true', () => {
+  const s = "echo 'hi'"
+  const mask = buildQuoteMask(s)
+  // 'echo ' → 5 false
+  for (let i = 0; i < 5; i += 1) {
+    assert.strictEqual(mask[i], false)
+  }
+  // "'hi'" → 4 true (open quote, h, i, close quote)
+  for (let i = 5; i < 9; i += 1) {
+    assert.strictEqual(mask[i], true)
+  }
+})
+
+test('buildQuoteMask: double-quoted region is true', () => {
+  const s = 'echo "hi"'
+  const mask = buildQuoteMask(s)
+  assert.strictEqual(mask[5], true) // "
+  assert.strictEqual(mask[6], true) // h
+  assert.strictEqual(mask[7], true) // i
+  assert.strictEqual(mask[8], true) // "
+})
+
+test('buildQuoteMask: escaped double quote inside double quotes', () => {
+  const s = 'echo "a\\"b"'
+  const mask = buildQuoteMask(s)
+  // 'a' is at index 6, the \\ at 7-8 should be marked, then "b" at 9, " at 10.
+  assert.strictEqual(mask[5], true) // opening "
+  assert.strictEqual(mask[6], true) // a
+  assert.strictEqual(mask[7], true) // backslash (escape)
+  assert.strictEqual(mask[8], true) // escaped "
+  assert.strictEqual(mask[9], true) // b
+  assert.strictEqual(mask[10], true) // closing "
+})
+
+test('buildQuoteMask: single quotes do not honor backslash', () => {
+  // POSIX single quotes: backslash is literal. The runtime string is
+  // `echo 'a\b'` (10 chars): e c h o ␠ ' a \ b '
+  const s = "echo 'a\\b'"
+  const mask = buildQuoteMask(s)
+  assert.strictEqual(s.length, 10)
+  // Opening quote through closing quote (indices 5..9) are all masked.
+  for (let i = 5; i < 10; i += 1) {
+    assert.strictEqual(mask[i], true, `index ${i} should be masked`)
+  }
+})
+
+test('buildQuoteMask: single quotes nested inside double quotes are text', () => {
+  // Inside a double-quoted string, ' is just a literal apostrophe.
+  const s = 'echo "it\'s ok"'
+  const mask = buildQuoteMask(s)
+  // Every char from index 5 to end is inside the double-quoted region.
+  for (let i = 5; i < s.length; i += 1) {
+    assert.strictEqual(mask[i], true)
+  }
+})
+
+test('stripHeredocBodies: replaces body with spaces, preserves length', () => {
+  const s = "cat <<EOF\nhello\nworld\nEOF\nrest"
+  const stripped = stripHeredocBodies(s)
+  assert.strictEqual(stripped.length, s.length)
+  // The word `hello` should be blanked out.
+  assert.ok(!stripped.includes('hello'))
+  // The opening `<<EOF` and closing `EOF` remain.
+  assert.ok(stripped.includes('<<EOF'))
+  // `rest` after the heredoc is untouched.
+  assert.ok(stripped.endsWith('rest'))
+})
+
+test('stripHeredocBodies: handles quoted delimiter', () => {
+  const s = "cat <<'EOF'\nbody\nEOF"
+  const stripped = stripHeredocBodies(s)
+  assert.ok(!stripped.includes('body'))
+})
+
+test('stripHeredocBodies: handles tab-stripped form', () => {
+  const s = "cat <<-EOF\n\tbody\n\tEOF"
+  const stripped = stripHeredocBodies(s)
+  assert.ok(!stripped.includes('body'))
+})
+
+test('containsOutsideQuotes: matches free text', () => {
+  assert.ok(containsOutsideQuotes('node --bad-flag foo', /--bad-flag/))
+})
+
+test('containsOutsideQuotes: does not match inside single quotes', () => {
+  assert.ok(
+    !containsOutsideQuotes(
+      "echo 'reminder: --bad-flag is gone'",
+      /--bad-flag/,
+    ),
+  )
+})
+
+test('containsOutsideQuotes: does not match inside double quotes', () => {
+  assert.ok(
+    !containsOutsideQuotes(
+      'echo "reminder: --bad-flag is gone"',
+      /--bad-flag/,
+    ),
+  )
+})
+
+test('containsOutsideQuotes: does not match inside heredoc body', () => {
+  assert.ok(
+    !containsOutsideQuotes(
+      "git commit -m \"$(cat <<'EOF'\nmention --bad-flag here\nEOF\n)\"",
+      /--bad-flag/,
+    ),
+  )
+})
+
+test('containsOutsideQuotes: matches when both quoted + unquoted occurrences exist', () => {
+  assert.ok(
+    containsOutsideQuotes(
+      "echo 'tip: --bad-flag' && node --bad-flag foo",
+      /--bad-flag/,
+    ),
+  )
+})
+
+test('matchOutsideQuotes: returns the unquoted match', () => {
+  const m = matchOutsideQuotes(
+    "echo 'noise --x' && node --x foo",
+    /--x/,
+  )
+  assert.ok(m)
+  // The unquoted occurrence sits at the end, well past the quoted one.
+  assert.ok(m!.index > 20)
+})
+
+test('matchOutsideQuotes: handles non-global regex by cloning', () => {
+  const m = matchOutsideQuotes('node --x foo', /--x/)
+  assert.ok(m)
+  assert.strictEqual(m![0], '--x')
+})
@@ -28,20 +28,14 @@ import type { PackageURL } from '@socketregistry/packageurl-js'
 import {
   SOCKET_PUBLIC_API_TOKEN,
 } from '@socketsecurity/lib/constants/socket'
+import { errorMessage } from '@socketsecurity/lib/errors'
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 import {
   normalizePath,
 } from '@socketsecurity/lib/paths/normalize'
 import { SocketSdk } from '@socketsecurity/sdk'
 import type { MalwareCheckPackage } from '@socketsecurity/sdk'
 
-// Local mirror of build-infra/lib/error-utils#errorMessage. Hook runs
-// standalone (no workspace deps beyond @socketsecurity/*) so we can't import
-// the shared helper, but the contract is identical.
-function errorMessage(error: unknown): string {
-  return error instanceof Error ? error.message : String(error)
-}
-
 const logger = getDefaultLogger()
 
 // Per-request timeout (ms) to avoid blocking the hook on slow responses.
 
@@ -0,0 +1,44 @@
+# excuse-detector
+
+Claude Code `Stop` hook that scans the assistant's most recent turn for excuse-shaped phrases and warns to stderr at end-of-turn.
+
+## Why
+
+CLAUDE.md has two rules the assistant routinely tries to wriggle out of:
+
+- **No "pre-existing" excuse** — fix lint/type/test errors you see in your reading window. Don't label them "pre-existing" and walk past.
+- **Unrelated issues are critical** — an adjacent bug is exactly the bug nobody is currently looking for. Don't defer.
+
+The phrases that precede those deferrals are predictable: "pre-existing", "not related to my X", "unrelated to the task", "out of scope", "separate concern", "leave it for later", "not my issue". This hook scans the transcript for them.
+
+## What it catches
+
+| Phrase | Why it's flagged |
+|---|---|
+| `pre-existing` / `preexisting` | Bare rationalization; CLAUDE.md bans the label. |
+| `not related to my <X>` | Scoping out a fix. CLAUDE.md says fix it. |
+| `unrelated to the task` | Same. |
+| `out of scope` | Same. The genuine exception (large refactor) requires asking, not silent deferral. |
+| `separate concern` | Same. |
+| `leave it for later` | Deferral marker. CLAUDE.md "Completion" bans deferrals. |
+| `not my issue` / `not my problem` | Scoping out. |
+
+## Why it doesn't block
+
+Stop hooks fire *after* the assistant has produced its response. Blocking at that point would just truncate the message — the rationalization is already out. The warning surfaces alongside the response so the user reads both, and can push back in the next turn.
+
+The right enforcement is layered:
+
+- **CLAUDE.md rule** documents the policy.
+- **This hook** surfaces violations at end-of-turn.
+- **The user** demands the fix in the next turn.
+
+## Configuration
+
+`SOCKET_EXCUSE_DETECTOR_DISABLED=1` — turn the hook off entirely. Useful for sessions where the policy genuinely doesn't apply (e.g. running a long-form review that intentionally calls out scope boundaries).
+
+## Test
+
+```sh
+pnpm test
+```