chore: scripts/sync_all.py — additive batch sync across all registered projects

Companion to scripts/audit_all.py. Walks registry, applies additive-only sync:

- Adds missing template/hooks/*.sh files (preserves project-local hook changes)
- Adds missing stack rules per detected stack from .forge-manifest.json
- Refreshes manifest version + synced_at + per-file hashes
- NEVER touches settings.json, CLAUDE.md, or .claude/rules/domain/
  (those need human review — use the interactive /forge sync skill per-project)

Today's batch run touched 12 projects:
- 41 hooks added (mostly tool-latency.sh, permission-denied.sh, warn-missing-test.sh
  from v3.4.0 follow-up work — these were missing from older project syncs)
- 4 stack rules added: trading/backtesting-adr-gate.md to TRADINGBOT;
  swift-swiftui/ios.md + supabase/database.md to InviSight-iOS;
  docker-deploy/infra.md to SOMA2

Also propagated to dotforge itself (its own .claude/hooks/ was missing
permission-denied.sh and tool-latency.sh).

Audit re-run: scores stable (avg 9.12, 9/12 perfect ≥9.0).

Use:
  python3 scripts/sync_all.py            # apply
  python3 scripts/sync_all.py --dry-run  # preview

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: luiseiman

.claude/hooks/permission-denied.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# Permission Denied hook - logs denied operations for audit trail
+# Event: PermissionDenied
+# Reads: $TOOL_INPUT (JSON with tool_name, arguments, reason)
+# Output: .claude/session/permission-denials.log
+
+set -e
+
+LOG_DIR=".claude/session"
+LOG_FILE="$LOG_DIR/permission-denials.log"
+
+# Create log directory if needed
+mkdir -p "$LOG_DIR"
+
+# Parse input (tool_name, arguments, reason from environment or stdin)
+TOOL_INPUT="${TOOL_INPUT:-}"
+if [ -z "$TOOL_INPUT" ]; then
+  TOOL_INPUT="$(cat)"
+fi
+
+# Extract fields from JSON (portable awk-based parsing)
+TOOL_NAME=$(printf '%s' "$TOOL_INPUT" | grep -o '"tool_name":"[^"]*"' | cut -d'"' -f4 || echo "unknown")
+ARGUMENTS=$(printf '%s' "$TOOL_INPUT" | grep -o '"arguments":"[^"]*"' | cut -d'"' -f4 || echo "")
+REASON=$(printf '%s' "$TOOL_INPUT" | grep -o '"reason":"[^"]*"' | cut -d'"' -f4 || echo "")
+
+# Truncate arguments to 100 chars
+ARGUMENTS_TRUNC="${ARGUMENTS:0:100}"
+[ "${#ARGUMENTS}" -gt 100 ] && ARGUMENTS_TRUNC="${ARGUMENTS_TRUNC}..."
+
+# ISO timestamp
+TIMESTAMP=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
+
+# Log entry: ISO timestamp | tool | args (truncated) | reason
+printf '%s | %s | %s | %s\n' "$TIMESTAMP" "$TOOL_NAME" "$ARGUMENTS_TRUNC" "$REASON" >> "$LOG_FILE"
+
+exit 0

.claude/hooks/tool-latency.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# PostToolUse hook: capture per-tool duration_ms (v2.1.119+) for session-report.
+# Matcher: "" (all tools).
+# Output: appends "tool_name|duration_ms" lines to /tmp/claude-tool-latency-<hash>.
+# Silent (exit 0) — telemetry only, never blocks.
+#
+# Back-compat: if duration_ms is absent or non-numeric (older Claude Code),
+# this hook is a no-op. session-report.sh handles a missing counter file.
+
+# --- Project hash (must match session-report.sh) ---
+_hash() {
+  printf '%s' "$1" | md5sum 2>/dev/null | cut -c1-8 || \
+  printf '%s' "$1" | md5 -q 2>/dev/null | cut -c1-8 || \
+  printf '%s' "$1" | cksum | cut -d' ' -f1
+}
+PROJECT_HASH=$(_hash "$PWD")
+COUNTER="/tmp/claude-tool-latency-${PROJECT_HASH}"
+
+# --- Read stdin JSON (PostToolUse payload) ---
+PAYLOAD=$(cat)
+[[ -z "$PAYLOAD" ]] && exit 0
+
+# --- Parse fields (jq required; degrade silently if absent) ---
+command -v jq >/dev/null 2>&1 || exit 0
+
+TOOL_NAME=$(printf '%s' "$PAYLOAD" | jq -r '.tool_name // empty' 2>/dev/null)
+DURATION=$(printf '%s' "$PAYLOAD" | jq -r '.duration_ms // empty' 2>/dev/null)
+
+# Sanitize: tool_name without pipes; duration must be a non-negative integer
+[[ -z "$TOOL_NAME" || -z "$DURATION" ]] && exit 0
+TOOL_NAME=${TOOL_NAME//|/_}
+DURATION=${DURATION//[!0-9]/}
+[[ -z "$DURATION" ]] && exit 0
+
+printf '%s|%s\n' "$TOOL_NAME" "$DURATION" >> "$COUNTER" 2>/dev/null || true
+exit 0

scripts/sync_all.py

@@ -0,0 +1,191 @@
+#!/usr/bin/env python3
+"""sync_all.py — additive sync of dotforge template + stack rules into every
+registered project.
+
+Scope (additive only, by design — full merge is the interactive skill):
+- Adds missing template/hooks/*.sh files
+- Adds missing stack rules for each detected stack (per .forge-manifest.json)
+- Updates .forge-manifest.json: version + synced_at + per-file hashes
+- NEVER touches:
+    * existing hook files (preserves project-local customizations)
+    * .claude/settings.json (allow/deny merge needs human review)
+    * CLAUDE.md (custom sections risk)
+    * .claude/rules/domain/ (project-owned per sync-template skill)
+
+For full merge sync (settings.json union, CLAUDE.md sections), use the
+interactive /forge sync skill per-project.
+
+Usage:
+  python3 scripts/sync_all.py            # apply
+  python3 scripts/sync_all.py --dry-run  # preview
+"""
+from __future__ import annotations
+
+import argparse
+import hashlib
+import json
+import shutil
+import sys
+from datetime import date
+from pathlib import Path
+
+try:
+    import yaml
+except ImportError:
+    print("ERROR: pyyaml required", file=sys.stderr)
+    sys.exit(2)
+
+DOTFORGE = Path(__file__).resolve().parent.parent
+REGISTRY = DOTFORGE / "registry/projects.local.yml"
+TEMPLATE_HOOKS = DOTFORGE / "template/hooks"
+STACKS_DIR = DOTFORGE / "stacks"
+TODAY = date.today().isoformat()
+VERSION = (DOTFORGE / "VERSION").read_text().strip()
+
+
+def sha256(p: Path) -> str:
+    return "sha256:" + hashlib.sha256(p.read_bytes()).hexdigest()
+
+
+def detect_stacks_from_manifest(claude_dir: Path) -> list[str]:
+    m = claude_dir / ".forge-manifest.json"
+    if not m.exists():
+        return []
+    try:
+        return json.loads(m.read_text()).get("stacks", []) or []
+    except Exception:
+        return []
+
+
+def add_missing_hooks(claude_dir: Path, dry: bool) -> list[str]:
+    hooks_dir = claude_dir / "hooks"
+    if not hooks_dir.exists():
+        return []
+    added = []
+    for tmpl in sorted(TEMPLATE_HOOKS.glob("*.sh")):
+        target = hooks_dir / tmpl.name
+        if not target.exists():
+            if not dry:
+                shutil.copy2(tmpl, target)
+                target.chmod(0o755)
+            added.append(tmpl.name)
+    return added
+
+
+def add_missing_stack_rules(claude_dir: Path, stacks: list[str], dry: bool) -> list[str]:
+    rules_dir = claude_dir / "rules"
+    if not rules_dir.exists() or not stacks:
+        return []
+    added = []
+    for stack in stacks:
+        src_rules = STACKS_DIR / stack / "rules"
+        if not src_rules.exists():
+            continue
+        for rule in sorted(src_rules.glob("*.md")):
+            target = rules_dir / rule.name
+            if not target.exists():
+                if not dry:
+                    shutil.copy2(rule, target)
+                added.append(f"{stack}/{rule.name}")
+    return added
+
+
+def update_manifest(claude_dir: Path, stacks: list[str], dry: bool) -> bool:
+    """Refresh manifest: version + synced_at + per-file hashes for managed files."""
+    manifest_path = claude_dir / ".forge-manifest.json"
+    existing = {}
+    if manifest_path.exists():
+        try:
+            existing = json.loads(manifest_path.read_text())
+        except Exception:
+            existing = {}
+
+    files = existing.get("files", {})
+    # Hash each managed file currently in .claude/
+    for hook in (claude_dir / "hooks").glob("*.sh") if (claude_dir / "hooks").exists() else []:
+        rel = f".claude/hooks/{hook.name}"
+        files[rel] = {"hash": sha256(hook), "source": "template"}
+    for rule in (claude_dir / "rules").glob("*.md") if (claude_dir / "rules").exists() else []:
+        rel = f".claude/rules/{rule.name}"
+        existing_entry = files.get(rel)
+        if not isinstance(existing_entry, dict):
+            files[rel] = {"hash": sha256(rule), "source": "template+stacks"}
+        else:
+            existing_entry["hash"] = sha256(rule)
+
+    new_manifest = {
+        "dotforge_version": VERSION,
+        "synced_at": TODAY,
+        "stacks": stacks,
+        "files": files,
+        "sync_method": "additive",
+        "sync_note": "Settings.json + CLAUDE.md + domain/ NOT touched. Run interactive /forge sync per-project for full merge.",
+    }
+
+    if dry:
+        return True
+    manifest_path.write_text(json.dumps(new_manifest, indent=2) + "\n")
+    return True
+
+
+def main() -> int:
+    ap = argparse.ArgumentParser()
+    ap.add_argument("--dry-run", action="store_true")
+    args = ap.parse_args()
+
+    with open(REGISTRY) as f:
+        data = yaml.safe_load(f)
+
+    print(f"═══ ADDITIVE SYNC → v{VERSION} ═══")
+    print(f"Dry-run: {args.dry_run}\n")
+
+    summary = []
+    for proj in data["projects"]:
+        name = proj["name"]
+        path = Path(proj["path"])
+        if str(path) == ".":
+            path = DOTFORGE
+        if not path.exists():
+            print(f"── {name:<20} SKIP (missing path)")
+            summary.append((name, "missing", 0, 0))
+            continue
+        claude_dir = path / ".claude"
+        if not claude_dir.exists():
+            print(f"── {name:<20} SKIP (no .claude/)")
+            summary.append((name, "no .claude", 0, 0))
+            continue
+
+        stacks = detect_stacks_from_manifest(claude_dir)
+        added_hooks = add_missing_hooks(claude_dir, args.dry_run)
+        added_rules = add_missing_stack_rules(claude_dir, stacks, args.dry_run)
+        update_manifest(claude_dir, stacks, args.dry_run)
+
+        bits = []
+        if added_hooks:
+            bits.append(f"+{len(added_hooks)} hooks: {', '.join(added_hooks)}")
+        if added_rules:
+            bits.append(f"+{len(added_rules)} stack rules: {', '.join(added_rules)}")
+        if not bits:
+            bits.append("manifest refreshed only")
+
+        print(f"── {name:<20} {' | '.join(bits)}")
+        summary.append((name, "synced", len(added_hooks), len(added_rules)))
+
+    print("\n═══ SUMMARY ═══")
+    total_hooks = sum(s[2] for s in summary)
+    total_rules = sum(s[3] for s in summary)
+    synced = sum(1 for s in summary if s[1] == "synced")
+    print(f"Projects synced:         {synced}/{len(summary)}")
+    print(f"Total hooks added:       {total_hooks}")
+    print(f"Total stack rules added: {total_rules}")
+    print(f"Manifest version:        v{VERSION}")
+    if args.dry_run:
+        print("\n(dry-run: no files written)")
+    else:
+        print("\nNote: settings.json / CLAUDE.md / domain/ NOT touched. Run")
+        print("      interactive /forge sync per-project for full merge.")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())