feat: add copilot cli plugin detection to doctor command

AGENTS.md

@@ -18,7 +18,7 @@ A Claude Code / OpenCode plugin that blocks destructive git and filesystem comma
 | AST rules | `bun run sg:scan` |
 | Doctor | `bun src/bin/cc-safety-net.ts doctor` |
 
-**`bun run check`** runs: biome check → typecheck → knip → ast-grep scan → bun test
+**Always use `bun run check` to verify changes.** This runs typecheck, knip, biome lint, and tests together. Do not run these separately.
 
 ## Pre-commit Hooks
 
@@ -69,23 +69,6 @@ export const myInternalFn = () => { ... };
 - Exit codes: `0` = success, `1` = error
 - Block commands: exit 0 with JSON `permissionDecision: "deny"`
 
-## Architecture
-
-```
-src/
-├── index.ts                   # OpenCode plugin export (main entry)
-├── types.ts                   # Shared types and constants
-├── bin/
-│   └── cc-safety-net.ts       # Claude Code CLI wrapper
-└── core/
-    ├── analyze.ts             # Main analysis logic
-    ├── config.ts              # Config loading (.safety-net.json)
-    ├── shell.ts               # Shell parsing (uses shell-quote)
-    ├── rules-git.ts           # Git subcommand analysis
-    ├── rules-rm.ts            # rm command analysis
-    └── rules-custom.ts        # Custom rule evaluation
-```
-
 ## Testing
 
 Use Bun's built-in test runner with test helpers:

CLAUDE.md

@@ -19,6 +19,8 @@ A Claude Code and OpenCode plugin that blocks destructive git and filesystem com
 - **Build**: `bun run build`
 - **Doctor**: `bun src/bin/cc-safety-net.ts doctor` (diagnostics)
 
+**Always use `bun run check` to verify changes.** This runs typecheck, knip, biome lint, and tests together. Do not run these separately.
+
 ## Pre-commit Hooks
 
 Runs on commit: `knip` → `lint-staged` (biome check --write, ast-grep scan)

dist/bin/cc-safety-net.js

@@ -3731,6 +3731,7 @@ function analyzeCommand(command, options = {}) {
 }
 
 // src/bin/doctor/hooks.ts
+var COPILOT_PLUGIN_CONFIG_PATH = "copilot-plugin";
 var SELF_TEST_CASES = [
   { command: "git reset --hard", description: "git reset --hard", expectBlocked: true },
   { command: "rm -rf /", description: "rm -rf /", expectBlocked: true },
@@ -4178,13 +4179,15 @@ function detectAllHooks(cwd, options) {
         errors: errors.length > 0 ? errors : undefined
       };
     }
-    if (hooksCheck.activeConfigPaths.length > 0) {
+    if (options?.copilotPluginInstalled === true || hooksCheck.activeConfigPaths.length > 0) {
+      const viaPlugin = options?.copilotPluginInstalled === true;
+      const primaryConfigPath = hooksCheck.activeConfigPaths[0];
       return {
         platform: "copilot-cli",
         status: "configured",
-        method: "hook config",
-        configPath: hooksCheck.activeConfigPaths[0],
-        configPaths: hooksCheck.activeConfigPaths,
+        method: viaPlugin ? "plugin list" : "hook config",
+        configPath: primaryConfigPath ?? (viaPlugin ? COPILOT_PLUGIN_CONFIG_PATH : undefined),
+        configPaths: hooksCheck.activeConfigPaths.length > 0 ? hooksCheck.activeConfigPaths : undefined,
         selfTest: runSelfTest(),
         errors: errors.length > 0 ? errors : undefined
       };
@@ -4210,6 +4213,7 @@ var VERSION_FETCH_TIMEOUT_MS = 2000;
 function getPackageVersion() {
   return CURRENT_VERSION;
 }
+var COPILOT_PLUGIN_ID = "copilot-safety-net";
 var defaultVersionFetcher = async (args) => {
   const [cmd, ...rest] = args;
   if (!cmd)
@@ -4260,6 +4264,12 @@ function parseVersion(output) {
 `)[0]?.trim();
   return firstLine || null;
 }
+function hasCopilotSafetyNetPlugin(output) {
+  if (!output)
+    return false;
+  const pluginPattern = new RegExp(`(^|[^a-z0-9-])${COPILOT_PLUGIN_ID}([^a-z0-9-]|$)`, "m");
+  return pluginPattern.test(output);
+}
 async function getSystemInfo(fetcher = defaultVersionFetcher) {
   const fetchCopilotVersion = async () => {
     const binaryVersionPromise = fetcher(["copilot", "--binary-version"]);
@@ -4270,14 +4280,15 @@ async function getSystemInfo(fetcher = defaultVersionFetcher) {
     }
     return fallbackVersionPromise;
   };
-  const [claudeRaw, openCodeRaw, geminiRaw, copilotRaw, nodeRaw, npmRaw, bunRaw] = await Promise.all([
+  const [claudeRaw, openCodeRaw, geminiRaw, copilotRaw, nodeRaw, npmRaw, bunRaw, pluginListRaw] = await Promise.all([
     fetcher(["claude", "--version"]),
     fetcher(["opencode", "--version"]),
     fetcher(["gemini", "--version"]),
     fetchCopilotVersion(),
     fetcher(["node", "--version"]),
     fetcher(["npm", "--version"]),
-    fetcher(["bun", "--version"])
+    fetcher(["bun", "--version"]),
+    fetcher(["copilot", "plugin", "list"])
   ]);
   return {
     version: CURRENT_VERSION,
@@ -4288,6 +4299,7 @@ async function getSystemInfo(fetcher = defaultVersionFetcher) {
     nodeVersion: parseVersion(nodeRaw),
     npmVersion: parseVersion(npmRaw),
     bunVersion: parseVersion(bunRaw),
+    copilotPluginInstalled: hasCopilotSafetyNetPlugin(pluginListRaw),
     platform: `${process.platform} ${process.arch}`
   };
 }
@@ -4353,7 +4365,10 @@ function parseDoctorFlags(args) {
 async function runDoctor(options = {}) {
   const cwd = options.cwd ?? process.cwd();
   const system = await getSystemInfo();
-  const hooks = detectAllHooks(cwd, { copilotCliVersion: system.copilotCliVersion });
+  const hooks = detectAllHooks(cwd, {
+    copilotCliVersion: system.copilotCliVersion,
+    copilotPluginInstalled: system.copilotPluginInstalled
+  });
   const configInfo = getConfigInfo(cwd);
   const environment = getEnvironmentInfo();
   const activity = getActivitySummary(7);

dist/bin/doctor/hooks.d.ts

@@ -6,6 +6,7 @@ import type { LoadConfigOptions } from '@/core/config';
 interface HookDetectOptions extends LoadConfigOptions {
     homeDir?: string;
     copilotCliVersion?: string | null;
+    copilotPluginInstalled?: boolean;
 }
 /**
  * Strip JSONC-style comments and trailing commas from a string.

dist/bin/doctor/types.d.ts

@@ -105,6 +105,8 @@ export interface SystemInfo {
     npmVersion: string | null;
     /** Bun version (from `bun --version`) */
     bunVersion: string | null;
+    /** Whether the copilot-safety-net plugin is installed (from `copilot plugin list`) */
+    copilotPluginInstalled: boolean;
     /** Platform (e.g., "darwin arm64") */
     platform: string;
 }

src/bin/doctor/hooks.ts

@@ -13,6 +13,7 @@ import type { Config } from '@/types';
 interface HookDetectOptions extends LoadConfigOptions {
   homeDir?: string;
   copilotCliVersion?: string | null;
+  copilotPluginInstalled?: boolean;
 }
 
 interface CopilotHookEntry {
@@ -39,6 +40,8 @@ interface CopilotDetectionState {
   disabledBy?: string;
 }
 
+const COPILOT_PLUGIN_CONFIG_PATH = 'copilot-plugin';
+
 /** Self-test cases for validating the analyzer */
 const SELF_TEST_CASES: SelfTestCase[] = [
   // Git destructive commands
@@ -684,13 +687,16 @@ export function detectAllHooks(cwd: string, options?: HookDetectOptions): HookSt
       };
     }
 
-    if (hooksCheck.activeConfigPaths.length > 0) {
+    if (options?.copilotPluginInstalled === true || hooksCheck.activeConfigPaths.length > 0) {
+      const viaPlugin = options?.copilotPluginInstalled === true;
+      const primaryConfigPath = hooksCheck.activeConfigPaths[0];
       return {
         platform: 'copilot-cli',
         status: 'configured',
-        method: 'hook config',
-        configPath: hooksCheck.activeConfigPaths[0],
-        configPaths: hooksCheck.activeConfigPaths,
+        method: viaPlugin ? 'plugin list' : 'hook config',
+        configPath: primaryConfigPath ?? (viaPlugin ? COPILOT_PLUGIN_CONFIG_PATH : undefined),
+        configPaths:
+          hooksCheck.activeConfigPaths.length > 0 ? hooksCheck.activeConfigPaths : undefined,
         selfTest: runSelfTest(),
         errors: errors.length > 0 ? errors : undefined,
       };

src/bin/doctor/index.ts

@@ -27,7 +27,10 @@ export async function runDoctor(options: DoctorOptions = {}): Promise<number> {
 
   // Collect all data
   const system = await getSystemInfo();
-  const hooks = detectAllHooks(cwd, { copilotCliVersion: system.copilotCliVersion });
+  const hooks = detectAllHooks(cwd, {
+    copilotCliVersion: system.copilotCliVersion,
+    copilotPluginInstalled: system.copilotPluginInstalled,
+  });
   const configInfo = getConfigInfo(cwd);
   const environment = getEnvironmentInfo();
   const activity = getActivitySummary(7);

src/bin/doctor/system-info.ts

@@ -25,6 +25,8 @@ export function getPackageVersion(): string {
  */
 export type VersionFetcher = (args: string[]) => Promise<string | null>;
 
+const COPILOT_PLUGIN_ID = 'copilot-safety-net';
+
 /**
  * Default version fetcher that runs shell commands.
  * Uses Node.js child_process.spawn for compatibility with both Node and Bun runtimes.
@@ -92,6 +94,14 @@ function parseVersion(output: string | null): string | null {
   return firstLine || null;
 }
 
+function hasCopilotSafetyNetPlugin(output: string | null): boolean {
+  if (!output) return false;
+
+  const pluginPattern = new RegExp(`(^|[^a-z0-9-])${COPILOT_PLUGIN_ID}([^a-z0-9-]|$)`, 'm');
+
+  return pluginPattern.test(output);
+}
+
 /**
  * Fetch system info with tool versions.
  * Runs all version checks in parallel for performance.
@@ -110,7 +120,7 @@ export async function getSystemInfo(
   };
 
   // Run all version fetches in parallel
-  const [claudeRaw, openCodeRaw, geminiRaw, copilotRaw, nodeRaw, npmRaw, bunRaw] =
+  const [claudeRaw, openCodeRaw, geminiRaw, copilotRaw, nodeRaw, npmRaw, bunRaw, pluginListRaw] =
     await Promise.all([
       fetcher(['claude', '--version']),
       fetcher(['opencode', '--version']),
@@ -119,6 +129,7 @@ export async function getSystemInfo(
       fetcher(['node', '--version']),
       fetcher(['npm', '--version']),
       fetcher(['bun', '--version']),
+      fetcher(['copilot', 'plugin', 'list']),
     ]);
 
   return {
@@ -130,6 +141,7 @@ export async function getSystemInfo(
     nodeVersion: parseVersion(nodeRaw),
     npmVersion: parseVersion(npmRaw),
     bunVersion: parseVersion(bunRaw),
+    copilotPluginInstalled: hasCopilotSafetyNetPlugin(pluginListRaw),
     platform: `${process.platform} ${process.arch}`,
   };
 }

src/bin/doctor/types.ts

@@ -118,6 +118,8 @@ export interface SystemInfo {
   npmVersion: string | null;
   /** Bun version (from `bun --version`) */
   bunVersion: string | null;
+  /** Whether the copilot-safety-net plugin is installed (from `copilot plugin list`) */
+  copilotPluginInstalled: boolean;
   /** Platform (e.g., "darwin arm64") */
   platform: string;
 }

tests/bin/doctor/format.test.ts

@@ -371,6 +371,7 @@ describe('formatSystemInfoSection', () => {
       nodeVersion: '22.0.0',
       npmVersion: null,
       bunVersion: '1.0.0',
+      copilotPluginInstalled: false,
       platform: 'darwin arm64',
     };
     const output = formatSystemInfoSection(sysInfo);
@@ -412,6 +413,7 @@ describe('formatConfigSection', () => {
         nodeVersion: '22.0.0',
         npmVersion: '10.0.0',
         bunVersion: '1.0.0',
+        copilotPluginInstalled: false,
         platform: 'darwin arm64',
       },
     };
@@ -463,6 +465,7 @@ describe('formatConfigSection', () => {
         nodeVersion: '22.0.0',
         npmVersion: '10.0.0',
         bunVersion: '1.0.0',
+        copilotPluginInstalled: false,
         platform: 'darwin arm64',
       },
     };
@@ -505,6 +508,7 @@ describe('formatConfigSection', () => {
         nodeVersion: '22.0.0',
         npmVersion: '10.0.0',
         bunVersion: '1.0.0',
+        copilotPluginInstalled: false,
         platform: 'darwin arm64',
       },
     };
@@ -535,6 +539,7 @@ describe('formatSummary', () => {
         nodeVersion: '22.0.0',
         npmVersion: '10.0.0',
         bunVersion: '1.0.0',
+        copilotPluginInstalled: false,
         platform: 'darwin',
       },
     };
@@ -561,6 +566,7 @@ describe('formatSummary', () => {
         nodeVersion: '22.0.0',
         npmVersion: '10.0.0',
         bunVersion: '1.0.0',
+        copilotPluginInstalled: false,
         platform: 'darwin',
       },
     };
@@ -587,6 +593,7 @@ describe('formatSummary', () => {
         nodeVersion: '22.0.0',
         npmVersion: '10.0.0',
         bunVersion: '1.0.0',
+        copilotPluginInstalled: false,
         platform: 'darwin',
       },
     };

tests/bin/doctor/hooks.test.ts

@@ -441,6 +441,76 @@ describe('detectAllHooks', () => {
     }
   });
 
+  test('Copilot CLI: configured from installed plugin list without hook config', () => {
+    const tmpBase = join(tmpdir(), `doctor-copilot-${Date.now()}`);
+    const homeDir = join(tmpBase, 'home');
+    const projectDir = join(tmpBase, 'project');
+    mkdirSync(homeDir, { recursive: true });
+    mkdirSync(projectDir, { recursive: true });
+
+    try {
+      const hooks = detectAllHooks(projectDir, { homeDir, copilotPluginInstalled: true });
+      const copilot = hooks.find((hook) => hook.platform === 'copilot-cli');
+
+      expect(copilot?.status).toBe('configured');
+      expect(copilot?.method).toBe('plugin list');
+      expect(copilot?.configPath).toBe('copilot-plugin');
+      expect(copilot?.configPaths).toBeUndefined();
+      expect(copilot?.selfTest?.failed).toBe(0);
+    } finally {
+      rmSync(tmpBase, { recursive: true, force: true });
+    }
+  });
+
+  test('Copilot CLI: installed plugin list overrides legacy hook config as configured signal', () => {
+    const tmpBase = join(tmpdir(), `doctor-copilot-${Date.now()}`);
+    const homeDir = join(tmpBase, 'home');
+    const projectDir = join(tmpBase, 'project');
+    const copilotDir = join(projectDir, '.github', 'hooks');
+    mkdirSync(homeDir, { recursive: true });
+    mkdirSync(copilotDir, { recursive: true });
+    _writeCopilotHook(join(copilotDir, 'safety-net.json'));
+
+    try {
+      const hooks = detectAllHooks(projectDir, { homeDir, copilotPluginInstalled: true });
+      const copilot = hooks.find((hook) => hook.platform === 'copilot-cli');
+
+      expect(copilot?.status).toBe('configured');
+      expect(copilot?.method).toBe('plugin list');
+      expect(copilot?.configPath).toBe(join(copilotDir, 'safety-net.json'));
+      expect(copilot?.configPaths).toEqual([join(copilotDir, 'safety-net.json')]);
+      expect(copilot?.selfTest?.failed).toBe(0);
+    } finally {
+      rmSync(tmpBase, { recursive: true, force: true });
+    }
+  });
+
+  test('Copilot CLI: disableAllHooks still overrides installed plugin list', () => {
+    const tmpBase = join(tmpdir(), `doctor-copilot-${Date.now()}`);
+    const homeDir = join(tmpBase, 'home');
+    const projectDir = join(tmpBase, 'project');
+    const configDir = join(projectDir, '.github', 'copilot');
+    mkdirSync(homeDir, { recursive: true });
+    mkdirSync(configDir, { recursive: true });
+    writeFileSync(join(configDir, 'settings.json'), JSON.stringify({ disableAllHooks: true }));
+
+    try {
+      const hooks = detectAllHooks(projectDir, {
+        homeDir,
+        copilotCliVersion: '1.0.9',
+        copilotPluginInstalled: true,
+      });
+      const copilot = hooks.find((hook) => hook.platform === 'copilot-cli');
+
+      expect(copilot?.status).toBe('disabled');
+      expect(copilot?.configPath).toBe(join(configDir, 'settings.json'));
+      expect(copilot?.configPaths).toEqual([join(configDir, 'settings.json')]);
+      expect(copilot?.selfTest).toBeUndefined();
+    } finally {
+      rmSync(tmpBase, { recursive: true, force: true });
+    }
+  });
+
   test('Copilot CLI: configured from global hook config', () => {
     const tmpBase = join(tmpdir(), `doctor-copilot-${Date.now()}`);
     const homeDir = join(tmpBase, 'home');