* fix(hooks): make hook scripts compatible with Windows Git Bash and use stdin JSON protocol
- Replace `grep -P` (Perl regex) with `sed` for JSON field extraction,
as Windows Git Bash does not support `grep -P`
- Replace positional arg (`$1`) with stdin JSON parsing to match the
actual Claude Code hook protocol (hooks receive data via stdin, not args)
- Fix JSON double-quote escaping in grep patterns that silently fails
on Windows Git Bash
- Remove python3 dependency for JSON parsing, making scripts portable
- Add Windows Git Bash to compatibility notes in script headers
Affected scripts: security-scan.sh, validate-prompt.sh, log-bash.sh, format-code.sh
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(hooks): address review issues in Windows Git Bash compatibility scripts
- security-scan.sh: wrap output in hookSpecificOutput format required by
PostToolUse protocol; restore secret/token detection pattern that was
dropped; escape file path and issues for safe JSON construction
- validate-prompt.sh: extract "user_prompt" field first (Claude Code
UserPromptSubmit protocol), falling back to "prompt"
- log-bash.sh: document sed truncation limitation for commands with
double-quoted strings
- format-code.sh: fix misleading comment about updatedInput output
* fix(hooks): produce valid JSON from security-scan.sh
- Use \\n (JSON newline escape) when building ISSUES, not real newlines,
so the value passes safely through printf into the JSON string
- Remove the real-newline-to-\\n sed pass (no longer needed)
- Output is now verifiably valid JSON per python3 json.loads
* fix(hooks): fix grep -E POSIX compat and semgrep/trufflehog stdout mixing
- Replace \s with [[:space:]] in grep -E patterns (security-scan.sh lines
34,44): \s is a Perl extension, silently fails on macOS BSD grep and
BusyBox — password/secret detection was a no-op on macOS
- Suppress stdout of semgrep/trufflehog (>/dev/null) to prevent their
output mixing with hookSpecificOutput JSON, which would produce invalid
JSON and cause the additionalContext to fail parsing
- Fix format-code.sh hook comment: PreToolUse → PostToolUse (matches
README example and actual hook behavior)
---------
Co-authored-by: Bruce <binyuli1993@foxmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add performance-optimizer subagent and dependency-check hook
Agent-Logs-Url: https://github.com/khanhnkq/claude-howto/sessions/ef3fb01c-a9c0-466e-9ad2-f255f306add2
Co-authored-by: khanhnkq <180888435+khanhnkq@users.noreply.github.com>
* fix(hooks): use basename for manifest matching in dependency-check.sh
FILE=$1 receives an absolute path (e.g. /home/user/project/package.json).
The case statement and all [[ "$FILE" == ... ]] guards matched bare filenames,
so every invocation would hit the *) exit 0 branch and skip all vuln scans.
Extract BASENAME=$(basename "$FILE") and use it for all pattern matching.
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Luong NGUYEN <luongnv89@gmail.com>
* feat: add missing pre-tool-check.sh hook to 06-hooks
The LEARNING-ROADMAP.md (Milestone 2A) referenced this file in an
exercise that copies it to ~/.claude/hooks/, but the file did not exist.
This caused confusion for learners following the guide.
The new pre-tool-check.sh is a PreToolUse hook for the Bash matcher that:
- Blocks unconditionally destructive commands (rm -rf /, dd, fork bomb, etc.)
- Warns on high-risk commands (rm -rf, git push --force, DROP TABLE, etc.)
- Reads tool input JSON from stdin (matching Claude Code hook protocol)
- Requires no external dependencies (pure bash + grep)
Fixes#32
* fix(hooks): correct exit code, remove set -e, use portable sed in pre-tool-check.sh
- Change `exit 1` to `exit 2` so Claude Code actually blocks the command
(exit 1 is treated as a non-blocking error; exit 2 is required to block)
- Remove `set -euo pipefail`: `set -e` caused the script to exit on the
first non-matching grep result, skipping all remaining pattern checks
- Replace non-portable `grep -o '"command"\s*:\s*"[^"]*"'` with
`sed -n 's/.*"command"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'`
which works on both macOS (BSD) and Linux without GNU grep extensions
Closes#32
---------
Co-authored-by: Luong NGUYEN <luongnv89@gmail.com>
- Replace `grep -P` (Perl regex) with `sed` for JSON field extraction,
as Windows Git Bash does not support `grep -P`
- Replace positional arg (`$1`) with stdin JSON parsing to match the
actual Claude Code hook protocol (hooks receive data via stdin, not args)
- Fix JSON double-quote escaping in grep patterns that silently fails
on Windows Git Bash
- Remove python3 dependency for JSON parsing, making scripts portable
- Add Windows Git Bash to compatibility notes in script headers
Affected scripts: security-scan.sh, validate-prompt.sh, log-bash.sh, format-code.sh
Co-authored-by: Bruce <binyuli1993@foxmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Remove the auto-adapt-mode PostToolUse hook (no more dynamic permission
learning). Replace with a standalone setup script that seeds ~67 safe
auto-mode-equivalent permission rules into settings.json in one shot.
Move the script to 09-advanced-features/ alongside the Auto Mode docs.
Adds a PostToolUse hook that automatically generalizes approved tool
invocations into reusable permission rules in settings.json. Seeds
auto-mode-equivalent baseline permissions on first run. Dangerous
commands (rm -rf, force-push, DROP TABLE, sudo, etc.) are never remembered.
Update 23 files across all 10 tutorial directories and 7 reference
documents to match the latest Claude Code v2.1+ features and correct
outdated content including model names (4.5→4.6), permission modes,
hook events, CLI syntax, MCP config paths, plugin manifest format,
checkpoint commands, session management, and URLs. Add documentation
for new features: Auto Memory, Remote Control, Web Sessions, Desktop
App, Agent Teams, MCP OAuth, Task List, Sandboxing, and more.
- Update all main markdown files (INDEX.md, LEARNING-ROADMAP.md, QUICK_REFERENCE.md, CONTRIBUTING.md, claude_concepts_guide.md, resources.md) with new responsive picture element
- Add logo to all subdirectory README files in feature folders (01-10) and plugins
- Replace old markdown image syntax with HTML picture element for dark/light mode adaptation
- Logo automatically displays dark mode version when system prefers dark mode
- Maintain correct relative paths for all nesting levels (../, ../../, etc.)
- Update README.md with new logo syntax
All markdown files now use the new V2.0 starburst logo design with professional dark/light mode support.
- Replace simple Stop-only context-usage hook with hook pair pattern
- Add UserPromptSubmit + Stop hook combination for tracking delta
- Include both char-estimation and tiktoken versions as separate files
- Show how to use session_id for isolated state tracking
The hook was converting total_chars to string before calculating tokens,
resulting in ~0 tokens reported. Fixed to calculate directly from char count.
- Remove unused estimate_tokens() function
- Calculate tokens as total_chars // 4 directly
- Archive fix-context-usage-hook change
Add Example 6 showing how to create a hook that reports context/token
usage after each Claude response:
- Python script reads transcript_path to access conversation history
- Estimates tokens using ~4 chars/token heuristic
- Outputs one-line report: "Context: ~45k/200k tokens (77% remaining)"
- Documents both Stop and UserPromptSubmit hook configurations
- Explains limitations (estimate vs exact /context command)