fix(ci): ruff format 4 files + add pre-commit-ruff hook for CI parity

The prior push (3bf4416) landed with ruff format drift in 4 files, which
CI Lint caught. This commit:

1. Applies `ruff format` to the 4 drift files:
   - .claude/hooks/pre-tool-secret-shield.py
   - mcp_server/hooks/agent_briefing.py
   - mcp_server/shared/domain_mapping.py
   - scripts/test-agent-briefing.py

2. Adds .claude/hooks/pre-commit-ruff.sh — a local pre-commit gate that
   runs the SAME two checks CI runs (`ruff format --check .` and
   `ruff check .`) and blocks the commit with exit 2 + a plain-English
   reason on stderr if either fails. Mirrors zetetic's pre-commit-zetetic.sh
   pattern so drift can't reach origin without a loud local signal.

3. Wires the ruff hook into .claude/hooks/hooks.json as the FIRST
   PreToolUse entry on `command contains 'git commit'`, executing
   before the existing pre-commit-zetetic.sh.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: cdeust

.claude/hooks/hooks.json

@@ -14,6 +14,10 @@
         "matcher": "Bash",
         "when": "command contains 'git commit'",
         "hooks": [
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/pre-commit-ruff.sh"
+          },
           {
             "type": "command",
             "command": "${CLAUDE_PLUGIN_ROOT}/hooks/pre-commit-zetetic.sh"

.claude/hooks/pre-commit-ruff.sh

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+# pre-commit-ruff.sh — block commits with ruff format or check failures.
+#
+# Runs the SAME two checks CI runs (ruff format --check . and ruff check .),
+# so failures surface locally before push instead of in GitHub Actions.
+#
+# Install: referenced from .claude/hooks/hooks.json as a PreToolUse entry on
+# Bash commits (matcher: Bash, when: command contains 'git commit'). The
+# Claude Code harness runs this script before executing the commit.
+#
+# Exit codes:
+#   0 — all ruff checks pass; commit proceeds
+#   2 — ruff format drift OR ruff check violations; commit blocked with a
+#       plain-English reason on stderr that Claude sees
+#
+# Source: mirrors Cortex's .github/workflows/ci.yml Lint job (ruff format
+# --check . + ruff check .) so local and CI results agree.
+
+set -uo pipefail
+
+REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
+cd "$REPO_ROOT"
+
+if ! command -v ruff >/dev/null 2>&1; then
+  echo "[pre-commit-ruff] ruff not installed — skipping (install: pip install ruff)" >&2
+  exit 0
+fi
+
+fmt_out=$(ruff format --check . 2>&1)
+fmt_rc=$?
+chk_out=$(ruff check . 2>&1)
+chk_rc=$?
+
+if (( fmt_rc != 0 )) || (( chk_rc != 0 )); then
+  echo "[pre-commit-ruff] BLOCKED — ruff CI-parity checks failed" >&2
+  if (( fmt_rc != 0 )); then
+    echo "" >&2
+    echo "[pre-commit-ruff] ruff format --check . said:" >&2
+    echo "$fmt_out" | tail -20 >&2
+    echo "" >&2
+    echo "[pre-commit-ruff] Fix with: ruff format ." >&2
+  fi
+  if (( chk_rc != 0 )); then
+    echo "" >&2
+    echo "[pre-commit-ruff] ruff check . said:" >&2
+    echo "$chk_out" | tail -30 >&2
+    echo "" >&2
+    echo "[pre-commit-ruff] Fix with: ruff check --fix ." >&2
+  fi
+  exit 2
+fi
+
+exit 0

.claude/hooks/pre-tool-secret-shield.py

@@ -131,8 +131,7 @@ def bash_blocked(cmd: str) -> tuple[bool, str | None]:
         is_b, pattern = is_blocked_path(candidate)
         if is_b:
             return True, (
-                f"read of credential-bearing path '{candidate}' "
-                f"(pattern '{pattern}')"
+                f"read of credential-bearing path '{candidate}' (pattern '{pattern}')"
             )
     m = BLOCKED_PATTERNS_EMBEDDED.search(cmd)
     if m:
@@ -156,21 +155,24 @@ def main() -> int:
         path = tin.get("file_path", "")
         is_blocked, pattern = is_blocked_path(path)
         if is_blocked:
-            blocked_reason = f"Read blocked: {path} matches credential pattern '{pattern}'"
+            blocked_reason = (
+                f"Read blocked: {path} matches credential pattern '{pattern}'"
+            )
     elif tool == "Bash":
         cmd = tin.get("command", "")
         is_blocked, reason = bash_blocked(cmd)
         if is_blocked:
-            blocked_reason = (
-                f"Bash blocked: {reason}. Command: {cmd[:160]}"
-                + ("…" if len(cmd) > 160 else "")
+            blocked_reason = f"Bash blocked: {reason}. Command: {cmd[:160]}" + (
+                "…" if len(cmd) > 160 else ""
             )
     elif tool == "Grep":
         for key in ("path", "include"):
             v = tin.get(key, "")
             is_blocked, pattern = is_blocked_path(v) if v else (False, None)
             if is_blocked:
-                blocked_reason = f"Grep blocked: {key}={v} matches credential pattern '{pattern}'"
+                blocked_reason = (
+                    f"Grep blocked: {key}={v} matches credential pattern '{pattern}'"
+                )
                 break
     elif tool in ("Edit", "Write", "NotebookEdit"):
         path = tin.get("file_path", "")

mcp_server/hooks/agent_briefing.py

@@ -89,10 +89,20 @@
 _MIN_HEAT = 0.2
 
 # Fallback set used when ~/.claude/agents/ is missing (e.g., CI without install).
-_FALLBACK_AGENTS: frozenset[str] = frozenset({
-    "engineer", "tester", "reviewer", "architect", "dba", "devops",
-    "frontend", "security", "researcher", "ux",
-})
+_FALLBACK_AGENTS: frozenset[str] = frozenset(
+    {
+        "engineer",
+        "tester",
+        "reviewer",
+        "architect",
+        "dba",
+        "devops",
+        "frontend",
+        "security",
+        "researcher",
+        "ux",
+    }
+)
 
 # Matches `name: <slug>` or `name: "<slug>"` in agent-file YAML frontmatter.
 _YAML_NAME_RE = re.compile(r"^name:\s*['\"]?([A-Za-z0-9_.-]+)['\"]?\s*$", re.MULTILINE)

mcp_server/shared/domain_mapping.py

@@ -336,7 +336,7 @@ def resolve_domain(input_str: str) -> str:
             "-users-cdeust-",
         ):
             if stripped.startswith(prefix):
-                stripped = stripped[len(prefix):]
+                stripped = stripped[len(prefix) :]
                 break
         # Strip worktree suffixes that survived (no slug match found above).
         if "-worktrees-" in stripped:

scripts/test-agent-briefing.py

@@ -31,6 +31,7 @@
 # Stub psycopg so agent_briefing imports cleanly without a live PG connection.
 # ---------------------------------------------------------------------------
 
+
 def _make_psycopg_stub(stub_rows: list[dict]) -> types.ModuleType:
     """Build a minimal psycopg stub returning stub_rows on any execute().
 
@@ -57,6 +58,7 @@ def _make_psycopg_stub(stub_rows: list[dict]) -> types.ModuleType:
 # Helpers
 # ---------------------------------------------------------------------------
 
+
 def _run_process_event(event: dict, stub_rows: list[dict]) -> tuple[str, str, int]:
     """Run process_event() in isolation, capturing stdout/stderr and exit code.
 
@@ -71,7 +73,9 @@ def _run_process_event(event: dict, stub_rows: list[dict]) -> tuple[str, str, in
 
     exit_code = 0
 
-    with patch.dict(sys.modules, {"psycopg": psycopg_stub, "psycopg.rows": psycopg_stub.rows}):
+    with patch.dict(
+        sys.modules, {"psycopg": psycopg_stub, "psycopg.rows": psycopg_stub.rows}
+    ):
         # Force re-import so patched psycopg is visible inside _fetch_agent_context.
         if "mcp_server.hooks.agent_briefing" in sys.modules:
             del sys.modules["mcp_server.hooks.agent_briefing"]
@@ -90,16 +94,20 @@ def _run_process_event(event: dict, stub_rows: list[dict]) -> tuple[str, str, in
 # Test cases
 # ---------------------------------------------------------------------------
 
-class TestAgentBriefing(unittest.TestCase):
 
+class TestAgentBriefing(unittest.TestCase):
     def test_feynman_with_matching_memory_produces_briefing(self) -> None:
         """Genius agent feynman + matching memory → stdout contains Cortex Briefing.
 
         Pre-condition: feynman exists in ~/.claude/agents/genius/ (dynamic load).
         Post-condition: exit 0, stdout contains '## Cortex Briefing'.
         """
         stub_rows = [
-            {"content": "feynman past lesson: always verify sources", "heat": 0.8, "agent_context": "feynman"},
+            {
+                "content": "feynman past lesson: always verify sources",
+                "heat": 0.8,
+                "agent_context": "feynman",
+            },
         ]
         event = {
             "session_id": "test-session-001",
@@ -110,7 +118,11 @@ def test_feynman_with_matching_memory_produces_briefing(self) -> None:
         }
         stdout, stderr, code = _run_process_event(event, stub_rows)
         self.assertEqual(code, 0, f"Expected exit 0, got {code}. stderr: {stderr}")
-        self.assertIn("Cortex Briefing", stdout, f"Expected 'Cortex Briefing' in stdout.\nstdout: {stdout!r}\nstderr: {stderr!r}")
+        self.assertIn(
+            "Cortex Briefing",
+            stdout,
+            f"Expected 'Cortex Briefing' in stdout.\nstdout: {stdout!r}\nstderr: {stderr!r}",
+        )
 
     def test_nonexistent_agent_skips_gracefully(self) -> None:
         """Unknown agent name → exit 0 with skip log, no briefing emitted.
@@ -128,7 +140,9 @@ def test_nonexistent_agent_skips_gracefully(self) -> None:
         stdout, stderr, code = _run_process_event(event, [])
         self.assertEqual(code, 0, f"Expected exit 0, got {code}. stderr: {stderr}")
         self.assertEqual(stdout.strip(), "", f"Expected empty stdout, got: {stdout!r}")
-        self.assertIn("skip", stderr.lower(), f"Expected 'skip' in stderr. stderr: {stderr!r}")
+        self.assertIn(
+            "skip", stderr.lower(), f"Expected 'skip' in stderr. stderr: {stderr!r}"
+        )
 
 
 # ---------------------------------------------------------------------------
@@ -144,5 +158,7 @@ def test_nonexistent_agent_skips_gracefully(self) -> None:
         print("\nPASS: all agent-briefing tests passed.")
         sys.exit(0)
     else:
-        print(f"\nFAIL: {len(result.failures)} failure(s), {len(result.errors)} error(s).")
+        print(
+            f"\nFAIL: {len(result.failures)} failure(s), {len(result.errors)} error(s)."
+        )
         sys.exit(1)