From 27988801be07054db07e3b42d69d9cf96281ce7e Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Tue, 23 Jun 2026 21:36:20 +0200 Subject: [PATCH 01/31] feat(skl): flag oversized skill bodies on demand (v5.11 B7) [skip-docs] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit New CA-SKL-003 (low): a SKILL.md body over ~5,000 tokens (~500 lines) should split reference content into supporting files / use context: fork. - measureActiveSkillListing() now returns body metrics (chars/lines/tokens); the body was already read in full, only the frontmatter was parsed before. - Honest framing: BODY_CALIBRATION_NOTE marks this as ON-DEMAND cost (loads only when the skill is invoked, NOT every turn like the always-loaded listing) and an estimate — hence low severity. - 5 new tests; full suite 1262 green; snapshots byte-stable (default branch untouched; new finding fires only on bodies >5k tok, none in fixtures). Co-Authored-By: Claude Opus 4.8 (1M context) --- scanners/lib/skill-listing-budget.mjs | 24 ++++- scanners/skill-listing-scanner.mjs | 35 +++++++ tests/scanners/skill-listing-scanner.test.mjs | 91 +++++++++++++++++++ 3 files changed, 149 insertions(+), 1 deletion(-) diff --git a/scanners/lib/skill-listing-budget.mjs b/scanners/lib/skill-listing-budget.mjs index 4afed8d..d68682e 100644 --- a/scanners/lib/skill-listing-budget.mjs +++ b/scanners/lib/skill-listing-budget.mjs @@ -48,6 +48,19 @@ export const BUDGET_CALIBRATION_NOTE = `window; at ${withCommas(LARGE_CONTEXT_WINDOW)} context the budget is ~${withCommas(LARGE_CONTEXT_BUDGET_TOKENS)} ` + 'tok and you are likely within it. this is an estimate, not measured telemetry'; +// Skill-body size guidance (CA-SKL-003). A SKILL.md body over ~5,000 tokens +// (~500 lines / ~20k chars) should split reference content into supporting files +// (Claude Code skill-authoring guidance). Unlike the listing budget above, the +// body is an ON-DEMAND cost: it loads only when the skill is invoked, not every +// turn — so this is a LOW-severity efficiency signal, not an always-loaded bill. +export const BODY_TOKEN_THRESHOLD = 5000; + +// Honest framing for the body-size finding: distinguishes on-demand from +// always-loaded cost and flags the figure as an estimate. Appended to evidence. +export const BODY_CALIBRATION_NOTE = + 'this is the skill BODY (SKILL.md below the frontmatter), which loads ON DEMAND only when the ' + + 'skill is invoked - NOT every turn like the always-loaded listing. estimate (chars/4), not measured telemetry'; + /** * @typedef {object} BudgetAssessment * @property {number} scanned - number of descriptions assessed @@ -91,6 +104,9 @@ export function assessSkillListingBudget(descLengths) { * @property {string|null} pluginName * @property {string} path * @property {number} descLength + * @property {number} bodyChars - SKILL.md body length below the frontmatter (on-demand cost) + * @property {number} bodyLines - body line count + * @property {number} bodyTokens - estimateTokens(bodyChars, 'markdown') */ /** @@ -110,14 +126,20 @@ export async function measureActiveSkillListing() { if (!skill || typeof skill.path !== 'string') continue; const content = await readTextFile(skill.path); if (!content) continue; - const fm = parseFrontmatter(content)?.frontmatter || null; + const parsed = parseFrontmatter(content); + const fm = parsed?.frontmatter || null; const desc = (fm && typeof fm.description === 'string') ? fm.description : ''; + const body = (parsed && typeof parsed.body === 'string') ? parsed.body : ''; + const bodyChars = body.length; skills.push({ name: skill.name, source: skill.source, pluginName: skill.pluginName, path: skill.path, descLength: desc.length, + bodyChars, + bodyLines: bodyChars === 0 ? 0 : body.split('\n').length, + bodyTokens: estimateTokens(bodyChars, 'markdown'), }); } diff --git a/scanners/skill-listing-scanner.mjs b/scanners/skill-listing-scanner.mjs index 838253a..cbbf16e 100644 --- a/scanners/skill-listing-scanner.mjs +++ b/scanners/skill-listing-scanner.mjs @@ -40,6 +40,8 @@ import { DESCRIPTION_CAP, AGGREGATE_BUDGET_TOKENS, BUDGET_CALIBRATION_NOTE, + BODY_TOKEN_THRESHOLD, + BODY_CALIBRATION_NOTE, measureActiveSkillListing, } from './lib/skill-listing-budget.mjs'; @@ -116,5 +118,38 @@ export async function scan(_targetPath, _discovery) { })); } + // CA-SKL-003 (oversized body). Emitted last so the common single-issue cases + // read cleanly. Unlike the listing budget, this is an ON-DEMAND cost — the body + // loads only when the skill is invoked, not every turn — hence low severity and + // an explicit on-demand calibration note. + for (const skill of skills) { + if (skill.bodyTokens <= BODY_TOKEN_THRESHOLD) continue; + + const sourceLabel = skill.source === 'plugin' + ? `plugin:${skill.pluginName}` + : 'user'; + + findings.push(finding({ + scanner: SCANNER, + severity: SEVERITY.low, + title: 'Skill body is large (loads on demand when the skill runs)', + description: + `Skill "${skill.name}" (${sourceLabel}) has a body of about ${skill.bodyTokens} tokens ` + + `(${skill.bodyLines} lines), over the ~${BODY_TOKEN_THRESHOLD}-token guidance for a skill body. ` + + 'The body is not in the always-loaded listing — it loads only when the skill is invoked — but ' + + 'once loaded a large body consumes context for the rest of that session. Claude Code skill ' + + 'guidance is to keep the body lean and move heavy reference material into supporting files.', + file: skill.path, + evidence: + `body_tokens~${skill.bodyTokens}; body_lines=${skill.bodyLines}; body_chars=${skill.bodyChars}; ` + + `threshold=${BODY_TOKEN_THRESHOLD} tok; skill="${skill.name}"; source=${sourceLabel} - ${BODY_CALIBRATION_NOTE}`, + recommendation: + 'Move reference content into supporting files the skill loads only when needed, and consider ' + + '`context: fork` in the skill frontmatter for heavy skills so the body runs in a forked context ' + + 'instead of consuming the main thread.', + category: 'token-efficiency', + })); + } + return scannerResult(SCANNER, 'ok', findings, aggregate.scanned, Date.now() - start); } diff --git a/tests/scanners/skill-listing-scanner.test.mjs b/tests/scanners/skill-listing-scanner.test.mjs index aa5f31f..92d7b97 100644 --- a/tests/scanners/skill-listing-scanner.test.mjs +++ b/tests/scanners/skill-listing-scanner.test.mjs @@ -61,6 +61,22 @@ async function homeWithNUserSkills(count, descLen, prefix = 'agg') { return home; } +/** + * Write one user skill whose SKILL.md *body* (below the frontmatter) is about + * `bodyChars` chars, spread across multiple lines (81 chars incl. newline). + * The description stays tiny so body-size tests stay isolated from the cap/aggregate checks. + */ +async function addUserSkillWithBody(home, name, bodyChars) { + const dir = join(home, '.claude', 'skills', name); + await mkdir(dir, { recursive: true }); + const line = `${'x'.repeat(80)}\n`; + const body = line.repeat(Math.ceil(bodyChars / line.length)); + await writeFile( + join(dir, 'SKILL.md'), + `---\nname: ${name}\ndescription: short.\n---\n${body}`, + ); +} + // Aggregate listing budget: 2% (CC 2.1.32) of the conservative 200k anchor. const AGGREGATE_BUDGET_TOKENS = 4000; // 0.02 * 200_000 // Token heuristic mirrors estimateTokens('markdown'): ceil(chars / 4). @@ -303,6 +319,81 @@ describe('SKL scanner — aggregate listing budget (CA-SKL-002)', () => { }); }); +describe('SKL scanner — oversized skill body (B7, on-demand cost)', () => { + const findBody = (findings) => findings.find((f) => /body is large/i.test(f.title || '')); + + it('flags a skill whose body exceeds ~5,000 tokens', async () => { + const home = uniqueDir('bigbody'); + await addUserSkillWithBody(home, 'heavy', 20_400); // ~5,100 tok body + try { + const result = await runScannerWithHome(home); + const f = findBody(result.findings); + assert.ok(f, 'expected an oversized-body finding for a >5k-token skill body'); + assert.equal(f.severity, 'low', 'body size is on-demand cost -> low severity'); + assert.match(String(f.file), /heavy[\\/]SKILL\.md$/); + } finally { + await rm(home, { recursive: true, force: true }); + } + }); + + it('does NOT flag a skill whose body is under the threshold', async () => { + const home = uniqueDir('smallbody'); + await addUserSkillWithBody(home, 'light', 8_000); // ~2,000 tok body + try { + const result = await runScannerWithHome(home); + assert.equal(findBody(result.findings), undefined, 'a small body must not fire'); + } finally { + await rm(home, { recursive: true, force: true }); + } + }); + + it('evidence reports body tokens + lines and an honest on-demand calibration note', async () => { + const home = uniqueDir('bodyev'); + await addUserSkillWithBody(home, 'heavy', 20_400); + try { + const result = await runScannerWithHome(home); + const f = findBody(result.findings); + assert.ok(f); + const ev = String(f.evidence); + assert.match(ev, /body_tokens~\d+/, 'evidence states estimated body tokens'); + assert.match(ev, /body_lines=\d+/, 'evidence states the body line count'); + assert.match(ev, /on demand/i, 'evidence discloses on-demand (not always-loaded) cost'); + assert.match(ev, /not every turn/i, 'evidence contrasts with the always-loaded listing'); + assert.match(ev, /estimate/i, 'evidence flags the figure as an estimate, not telemetry'); + } finally { + await rm(home, { recursive: true, force: true }); + } + }); + + it('recommends context:fork and moving reference content into supporting files', async () => { + const home = uniqueDir('bodyrec'); + await addUserSkillWithBody(home, 'heavy', 20_400); + try { + const result = await runScannerWithHome(home); + const f = findBody(result.findings); + assert.ok(f); + const rec = String(f.recommendation); + assert.match(rec, /context.?\s*fork/i, 'recommendation should mention context: fork'); + assert.match(rec, /supporting file/i, 'recommendation should mention supporting files'); + } finally { + await rm(home, { recursive: true, force: true }); + } + }); + + it('a large body alone does NOT trip the per-description cap or aggregate findings', async () => { + const home = uniqueDir('bodyonly'); + await addUserSkillWithBody(home, 'heavy', 20_400); // big body, tiny description + try { + const result = await runScannerWithHome(home); + assert.equal(findCaps(result.findings).length, 0, 'body size is independent of the 1,536-char description cap'); + assert.equal(findAggregate(result.findings), undefined, 'one tiny description stays under the aggregate budget'); + assert.ok(findBody(result.findings), 'only the body finding should fire'); + } finally { + await rm(home, { recursive: true, force: true }); + } + }); +}); + describe('SKL scanner — suppression compatibility', () => { it('CA-SKL-001 is NOT matched by a CA-TOK-* glob suppression', async () => { const { applySuppressions } = await import('../../scanners/lib/suppression.mjs'); From 2082b7d112c0f75db41f37db819282094cfefca7 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Tue, 23 Jun 2026 21:44:52 +0200 Subject: [PATCH 02/31] feat(skl,cml): --context-window calibration, advisory when unknown (v5.11 B8) [skip-docs] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SKL-002 (skill-listing budget) and CML char-budget now calibrate to a resolved context window instead of always anchoring at 200k: - resolveContextWindow(): --context-window calibrates; 'auto' keeps the conservative 200k anchor but marks advisory (model→window probing deferred to B8b); no flag → 200k anchor, byte-identical to pre-B8 default. - scaleForWindow(): linear off the 200k anchor (identity at the anchor). - SKL + CML each keep an untouched default branch (window===200k && !advisory) for byte-stability and a calibrated branch; advisory downgrades the budget finding from a breach (low/medium) to info. - Flag wired through scan-orchestrator + posture; runAllScanners resolves once and threads { contextWindow } to scanners (others ignore the 3rd arg). - CPS intentionally excluded: it has no window-anchored budget (fixed 150-line volatility heuristic), so there is nothing to calibrate. 15 new tests; e2e CLI verified (1M suppresses SKL-002, auto → info, default unchanged); full suite 1279 green; snapshots byte-stable. Co-Authored-By: Claude Opus 4.8 (1M context) --- scanners/claude-md-linter.mjs | 59 +++++++++--- scanners/lib/context-window.mjs | 49 ++++++++++ scanners/lib/skill-listing-budget.mjs | 17 ++-- scanners/posture.mjs | 4 + scanners/scan-orchestrator.mjs | 12 ++- scanners/skill-listing-scanner.mjs | 92 ++++++++++++++----- tests/lib/context-window.test.mjs | 76 +++++++++++++++ tests/lib/skill-listing-budget.test.mjs | 14 +++ tests/scanners/claude-md-linter.test.mjs | 32 +++++++ tests/scanners/skill-listing-scanner.test.mjs | 54 +++++++++++ 10 files changed, 364 insertions(+), 45 deletions(-) create mode 100644 tests/lib/context-window.test.mjs diff --git a/scanners/claude-md-linter.mjs b/scanners/claude-md-linter.mjs index 316f702..8878416 100644 --- a/scanners/claude-md-linter.mjs +++ b/scanners/claude-md-linter.mjs @@ -9,13 +9,18 @@ import { finding, scannerResult, resetCounter } from './lib/output.mjs'; import { SEVERITY } from './lib/severity.mjs'; import { parseFrontmatter, extractSections, findImports } from './lib/yaml-parser.mjs'; import { lineCount, truncate } from './lib/string-utils.mjs'; -import { LARGE_CONTEXT_WINDOW, LARGE_CONTEXT_SCALE, withCommas } from './lib/context-window.mjs'; +import { CONTEXT_WINDOW_ANCHOR, LARGE_CONTEXT_WINDOW, LARGE_CONTEXT_SCALE, scaleForWindow, withCommas } from './lib/context-window.mjs'; import { dirname } from 'node:path'; const SCANNER = 'CML'; const MAX_RECOMMENDED_LINES = 200; const MAX_ABSOLUTE_LINES = 500; +// Shared remediation for the char-budget finding (byte-identical across the +// default and the B8 window-calibrated branches). +const CHAR_BUDGET_RECOMMENDATION = + 'Split detail into @imports and .claude/rules/ files so only the relevant rules load, and keep the top of CLAUDE.md byte-stable for cache hits.'; + // Claude Code's own startup warning ("Large CLAUDE.md will impact performance // (X chars > 40.0k)") fires once a CLAUDE.md passes ~40.0k chars on a // 200k-context model. CC 2.1.169 made that threshold scale with the model's @@ -39,10 +44,20 @@ const RECOMMENDED_SECTIONS = [ * @param {{ files: import('./lib/file-discovery.mjs').ConfigFile[] }} discovery * @returns {Promise} */ -export async function scan(targetPath, discovery) { +export async function scan(targetPath, discovery, opts = {}) { const start = Date.now(); const claudeFiles = discovery.files.filter(f => f.type === 'claude-md'); + // B8 — calibrate the char-budget threshold to the resolved context window. The + // default (no opts) is the conservative 200k anchor (40k chars) at full + // severity — byte-identical to the pre-B8 finding. An unknown (advisory) window + // keeps the anchor but downgrades the finding to info instead of a breach. + const cw = opts.contextWindow; + const window = (cw && typeof cw.window === 'number') ? cw.window : CONTEXT_WINDOW_ANCHOR; + const advisory = !!(cw && cw.advisory); + const isDefaultWindow = window === CONTEXT_WINDOW_ANCHOR && !advisory; + const charThreshold = scaleForWindow(CLAUDE_MD_CHAR_WARN_ANCHOR, window); + if (claudeFiles.length === 0) { return scannerResult(SCANNER, 'ok', [ finding({ @@ -122,17 +137,35 @@ export async function scan(targetPath, discovery) { // this budget (short lines), or short by lines yet over it (long lines), so // this is complementary to the line-count checks above. const chars = content.length; - if (chars > CLAUDE_MD_CHAR_WARN_ANCHOR) { - findings.push(finding({ - scanner: SCANNER, - severity: SEVERITY.medium, - title: 'CLAUDE.md exceeds Claude Code\'s performance-warning threshold', - description: `${file.relPath} is ${withCommas(chars)} chars. Claude Code shows a startup warning ("Large CLAUDE.md will impact performance ... chars > 40.0k") once a CLAUDE.md passes ~40.0k chars on a 200k-context model — it loads in full on every turn. CC 2.1.169 scales that threshold with the context window, so on a ${withCommas(LARGE_CONTEXT_WINDOW)}-token model it relaxes to ~${withCommas(CLAUDE_MD_CHAR_WARN_LARGE)} chars and you are likely within it.`, - file: file.absPath, - evidence: `${withCommas(chars)} chars > 40.0k (200k-context anchor; ~${withCommas(CLAUDE_MD_CHAR_WARN_LARGE)} at ${withCommas(LARGE_CONTEXT_WINDOW)} context). This is an estimate, not measured telemetry.`, - recommendation: 'Split detail into @imports and .claude/rules/ files so only the relevant rules load, and keep the top of CLAUDE.md byte-stable for cache hits.', - autoFixable: false, - })); + if (chars > charThreshold) { + if (isDefaultWindow) { + // Conservative 200k anchor — byte-identical to the pre-B8 finding. + findings.push(finding({ + scanner: SCANNER, + severity: SEVERITY.medium, + title: 'CLAUDE.md exceeds Claude Code\'s performance-warning threshold', + description: `${file.relPath} is ${withCommas(chars)} chars. Claude Code shows a startup warning ("Large CLAUDE.md will impact performance ... chars > 40.0k") once a CLAUDE.md passes ~40.0k chars on a 200k-context model — it loads in full on every turn. CC 2.1.169 scales that threshold with the context window, so on a ${withCommas(LARGE_CONTEXT_WINDOW)}-token model it relaxes to ~${withCommas(CLAUDE_MD_CHAR_WARN_LARGE)} chars and you are likely within it.`, + file: file.absPath, + evidence: `${withCommas(chars)} chars > 40.0k (200k-context anchor; ~${withCommas(CLAUDE_MD_CHAR_WARN_LARGE)} at ${withCommas(LARGE_CONTEXT_WINDOW)} context). This is an estimate, not measured telemetry.`, + recommendation: CHAR_BUDGET_RECOMMENDATION, + autoFixable: false, + })); + } else { + // B8 — window-calibrated. Advisory (unknown window) downgrades to info. + const winLabel = withCommas(window); + const threshLabel = withCommas(charThreshold); + findings.push(finding({ + scanner: SCANNER, + severity: advisory ? SEVERITY.info : SEVERITY.medium, + title: 'CLAUDE.md exceeds Claude Code\'s performance-warning threshold', + description: `${file.relPath} is ${withCommas(chars)} chars, over the ~${threshLabel}-char performance-warning threshold Claude Code applies at a ${winLabel}-token context window (it scales the ~40.0k-char @ 200k warning by the context window, CC 2.1.169) — it loads in full on every turn.` + + (advisory ? ' Your context window is unknown, so this anchors on the conservative 200k window — advisory.' : ''), + file: file.absPath, + evidence: `${withCommas(chars)} chars > ${threshLabel} (calibrated to a ${winLabel}-token context window). This is an estimate, not measured telemetry.`, + recommendation: CHAR_BUDGET_RECOMMENDATION, + autoFixable: false, + })); + } } // --- Empty file --- diff --git a/scanners/lib/context-window.mjs b/scanners/lib/context-window.mjs index de33374..15c914a 100644 --- a/scanners/lib/context-window.mjs +++ b/scanners/lib/context-window.mjs @@ -26,3 +26,52 @@ export const LARGE_CONTEXT_SCALE = LARGE_CONTEXT_WINDOW / CONTEXT_WINDOW_ANCHOR; // Dependency-free thousands separator (repo invariant: zero external deps). export const withCommas = (n) => String(n).replace(/\B(?=(\d{3})+(?!\d))/g, ','); + +/** + * @typedef {object} ResolvedContextWindow + * @property {number} window - the context window budgets calibrate against + * @property {boolean} advisory - true when the window is unknown: keep the anchor + * but downgrade budget findings to info instead of + * firing them as a breach + * @property {'default'|'explicit'|'auto-unresolved'} source + */ + +/** + * Resolve the raw `--context-window` CLI value into a window + advisory flag. + * + * Design (B8): the DEFAULT (no flag) is byte-identical to the pre-B8 behavior — + * the conservative 200k anchor at full severity. Only an explicit value changes + * calibration. `auto` asks the tool to figure out the window; until model→window + * probing ships (B8b) it cannot, so it keeps the conservative anchor but marks the + * result advisory so SKL/CML downgrade their budget findings to info rather than + * "crying wolf" with a breach on a window we cannot confirm. + * + * @param {string|number|null|undefined} arg + * @returns {ResolvedContextWindow} + */ +export function resolveContextWindow(arg) { + if (arg == null) { + return { window: CONTEXT_WINDOW_ANCHOR, advisory: false, source: 'default' }; + } + if (String(arg).trim().toLowerCase() === 'auto') { + return { window: CONTEXT_WINDOW_ANCHOR, advisory: true, source: 'auto-unresolved' }; + } + const n = typeof arg === 'number' ? arg : parseInt(String(arg).trim(), 10); + if (Number.isFinite(n) && n > 0) { + return { window: n, advisory: false, source: 'explicit' }; + } + // Unparseable / non-positive: fall back to the conservative default (no advisory). + return { window: CONTEXT_WINDOW_ANCHOR, advisory: false, source: 'default' }; +} + +/** + * Scale a 200k-anchored budget to a given context window. Linear in the window, + * so it is the identity at the anchor (keeps the default byte-stable). + * + * @param {number} anchorValue - the budget/threshold defined at the 200k anchor + * @param {number} window - the target context window + * @returns {number} + */ +export function scaleForWindow(anchorValue, window) { + return Math.round(anchorValue * (window / CONTEXT_WINDOW_ANCHOR)); +} diff --git a/scanners/lib/skill-listing-budget.mjs b/scanners/lib/skill-listing-budget.mjs index d68682e..ff8886b 100644 --- a/scanners/lib/skill-listing-budget.mjs +++ b/scanners/lib/skill-listing-budget.mjs @@ -77,23 +77,26 @@ export const BODY_CALIBRATION_NOTE = * flags it — so the aggregate does not double-count it). * * @param {number[]} descLengths - one entry per active skill (description char count) + * @param {number} [budgetTokens=AGGREGATE_BUDGET_TOKENS] - the listing budget to + * measure against. Defaults to the 200k-anchored 4,000 tok; B8 passes a + * window-calibrated budget. Defaulting keeps existing callers byte-stable. * @returns {BudgetAssessment} */ -export function assessSkillListingBudget(descLengths) { +export function assessSkillListingBudget(descLengths, budgetTokens = AGGREGATE_BUDGET_TOKENS) { let aggregateChars = 0; for (const len of descLengths) { const safe = (typeof len === 'number' && Number.isFinite(len) && len > 0) ? len : 0; aggregateChars += Math.min(safe, DESCRIPTION_CAP); } const aggregateTokens = estimateTokens(aggregateChars, 'markdown'); - const overBudget = aggregateTokens > AGGREGATE_BUDGET_TOKENS; + const overBudget = aggregateTokens > budgetTokens; return { scanned: descLengths.length, aggregateChars, aggregateTokens, - budgetTokens: AGGREGATE_BUDGET_TOKENS, + budgetTokens, overBudget, - overBy: overBudget ? aggregateTokens - AGGREGATE_BUDGET_TOKENS : 0, + overBy: overBudget ? aggregateTokens - budgetTokens : 0, }; } @@ -115,9 +118,11 @@ export function assessSkillListingBudget(descLengths) { * enumerateSkills). Callers that run under test MUST override HOME (see the * hermetic-home helper / runScannerWithHome pattern). * + * @param {number} [budgetTokens=AGGREGATE_BUDGET_TOKENS] - listing budget for the + * aggregate assessment (B8 window-calibration); defaults keep callers byte-stable. * @returns {Promise<{ skills: ActiveSkillEntry[], aggregate: BudgetAssessment }>} */ -export async function measureActiveSkillListing() { +export async function measureActiveSkillListing(budgetTokens = AGGREGATE_BUDGET_TOKENS) { const plugins = await enumeratePlugins(); const allSkills = await enumerateSkills(plugins); @@ -143,7 +148,7 @@ export async function measureActiveSkillListing() { }); } - const aggregate = assessSkillListingBudget(skills.map((s) => s.descLength)); + const aggregate = assessSkillListingBudget(skills.map((s) => s.descLength), budgetTokens); return { skills, aggregate }; } diff --git a/scanners/posture.mjs b/scanners/posture.mjs index 4a480e5..db12564 100644 --- a/scanners/posture.mjs +++ b/scanners/posture.mjs @@ -63,10 +63,13 @@ async function main() { let rawMode = false; let includeGlobal = false; let fullMachine = false; + let contextWindow = null; for (let i = 0; i < args.length; i++) { if (args[i] === '--output-file' && args[i + 1]) { outputFile = args[++i]; + } else if (args[i] === '--context-window' && args[i + 1]) { + contextWindow = args[++i]; } else if (args[i] === '--json') { jsonMode = true; } else if (args[i] === '--raw') { @@ -89,6 +92,7 @@ async function main() { fullMachine, filterFixtures, humanizedProgress, + contextWindow, }); // stdout JSON path: --json and --raw both write the v5.0.0-shape result diff --git a/scanners/scan-orchestrator.mjs b/scanners/scan-orchestrator.mjs index 096eb12..71864ea 100644 --- a/scanners/scan-orchestrator.mjs +++ b/scanners/scan-orchestrator.mjs @@ -14,6 +14,7 @@ import { envelope } from './lib/output.mjs'; import { discoverConfigFiles, discoverConfigFilesMulti, discoverFullMachinePaths } from './lib/file-discovery.mjs'; import { loadSuppressions, applySuppressions, formatSuppressionSummary } from './lib/suppression.mjs'; import { humanizeEnvelope } from './lib/humanizer.mjs'; +import { resolveContextWindow } from './lib/context-window.mjs'; // Scanner registry — import order determines execution order import { scan as scanClaudeMd } from './claude-md-linter.mjs'; @@ -94,6 +95,11 @@ export async function runAllScanners(targetPath, opts = {}) { // and CNF duplicate-hook findings with config that loads on zero turns. (B3) const excludeCache = opts.excludeCache !== false; + // B8 — resolve the context window once and thread it to budget-aware scanners + // (SKL, CML). Undefined opts.contextWindow → conservative 200k anchor, which is + // byte-identical to the pre-B8 default; other scanners ignore the third arg. + const contextWindow = resolveContextWindow(opts.contextWindow); + // Shared file discovery — scanners reuse this let discovery; if (opts.fullMachine) { @@ -112,7 +118,7 @@ export async function runAllScanners(targetPath, opts = {}) { resetCounter(); const scanStart = Date.now(); try { - const result = await scanner.fn(resolvedPath, discovery); + const result = await scanner.fn(resolvedPath, discovery, { contextWindow }); results.push(result); const count = result.findings.length; const label = opts.humanizedProgress @@ -206,10 +212,13 @@ async function main() { let outputFile = null; let saveBaseline = false; let baselinePath = null; + let contextWindow = null; for (let i = 0; i < args.length; i++) { if (args[i] === '--output-file' && args[i + 1]) { outputFile = args[++i]; + } else if (args[i] === '--context-window' && args[i + 1]) { + contextWindow = args[++i]; } else if (args[i] === '--save-baseline') { saveBaseline = true; } else if (args[i] === '--baseline' && args[i + 1]) { @@ -254,6 +263,7 @@ async function main() { filterFixtures, excludeCache, humanizedProgress, + contextWindow, }); // Default mode runs the humanizer; --json and --raw bypass for v5.0.0 byte-equal output. diff --git a/scanners/skill-listing-scanner.mjs b/scanners/skill-listing-scanner.mjs index cbbf16e..30ceb08 100644 --- a/scanners/skill-listing-scanner.mjs +++ b/scanners/skill-listing-scanner.mjs @@ -44,6 +44,15 @@ import { BODY_CALIBRATION_NOTE, measureActiveSkillListing, } from './lib/skill-listing-budget.mjs'; +import { CONTEXT_WINDOW_ANCHOR, scaleForWindow, withCommas } from './lib/context-window.mjs'; + +// Shared remediation for the aggregate-budget finding (byte-identical across the +// default and the B8 window-calibrated branches). +const AGGREGATE_RECOMMENDATION = + 'Reclaim skill-listing budget: set `disableBundledSkills: true` to drop bundled skills you ' + + 'do not use from the listing, use `skillOverrides` (`name-only` collapses a description, ' + + '`off` removes a skill) on the heaviest entries, and trim long descriptions toward their ' + + 'trigger phrases.'; const SCANNER = 'SKL'; @@ -53,11 +62,21 @@ const SCANNER = 'SKL'; * @param {string} _targetPath unused (skill listing is HOME-scoped) * @param {object} _discovery unused (ignores project discovery) */ -export async function scan(_targetPath, _discovery) { +export async function scan(_targetPath, _discovery, opts = {}) { const start = Date.now(); const findings = []; - const { skills, aggregate } = await measureActiveSkillListing(); + // B8 — calibrate the aggregate budget to the resolved context window. The + // default (no opts) is the conservative 200k anchor at full severity, which is + // byte-identical to the pre-B8 behavior. An unknown (advisory) window keeps the + // anchor but downgrades the finding to info instead of firing it as a breach. + const cw = opts.contextWindow; + const window = (cw && typeof cw.window === 'number') ? cw.window : CONTEXT_WINDOW_ANCHOR; + const advisory = !!(cw && cw.advisory); + const isDefault = window === CONTEXT_WINDOW_ANCHOR && !advisory; + const budgetTokens = scaleForWindow(AGGREGATE_BUDGET_TOKENS, window); + + const { skills, aggregate } = await measureActiveSkillListing(budgetTokens); for (const skill of skills) { if (skill.descLength <= DESCRIPTION_CAP) continue; @@ -93,29 +112,52 @@ export async function scan(_targetPath, _discovery) { // CA-SKL-002 (aggregate). Emitted after the per-skill findings so the common // "one oversized skill + aggregate" case reads 001=cap, 002=aggregate. if (aggregate.overBudget) { - findings.push(finding({ - scanner: SCANNER, - severity: SEVERITY.low, - title: 'Aggregate skill descriptions may exceed the listing budget', - description: - `The ${aggregate.scanned} active skills carry about ${aggregate.aggregateTokens} tokens of description text ` + - `(each description counted up to the ${DESCRIPTION_CAP}-char listing cap), above the ` + - `${AGGREGATE_BUDGET_TOKENS}-token budget Claude Code allots the skill listing on a 200k ` + - 'context window (about 2% of context, CC 2.1.32). When the listing overflows that budget ' + - 'Claude Code drops descriptions, so the model may stop seeing some skills entirely. This ' + - 'is an estimate — the budget scales with your actual context window (see evidence).', - evidence: - `active_skills_scanned=${aggregate.scanned}; description_chars=${aggregate.aggregateChars} (each capped at ` + - `${DESCRIPTION_CAP}); description_tokens~${aggregate.aggregateTokens}; budget@200k=` + - `${AGGREGATE_BUDGET_TOKENS} tok (skill listing ~2% of context, CC 2.1.32); over_by~` + - `${aggregate.overBy} tok - ${BUDGET_CALIBRATION_NOTE}`, - recommendation: - 'Reclaim skill-listing budget: set `disableBundledSkills: true` to drop bundled skills you ' + - 'do not use from the listing, use `skillOverrides` (`name-only` collapses a description, ' + - '`off` removes a skill) on the heaviest entries, and trim long descriptions toward their ' + - 'trigger phrases.', - category: 'token-efficiency', - })); + if (isDefault) { + // Conservative 200k anchor — byte-identical to the pre-B8 finding. + findings.push(finding({ + scanner: SCANNER, + severity: SEVERITY.low, + title: 'Aggregate skill descriptions may exceed the listing budget', + description: + `The ${aggregate.scanned} active skills carry about ${aggregate.aggregateTokens} tokens of description text ` + + `(each description counted up to the ${DESCRIPTION_CAP}-char listing cap), above the ` + + `${AGGREGATE_BUDGET_TOKENS}-token budget Claude Code allots the skill listing on a 200k ` + + 'context window (about 2% of context, CC 2.1.32). When the listing overflows that budget ' + + 'Claude Code drops descriptions, so the model may stop seeing some skills entirely. This ' + + 'is an estimate — the budget scales with your actual context window (see evidence).', + evidence: + `active_skills_scanned=${aggregate.scanned}; description_chars=${aggregate.aggregateChars} (each capped at ` + + `${DESCRIPTION_CAP}); description_tokens~${aggregate.aggregateTokens}; budget@200k=` + + `${AGGREGATE_BUDGET_TOKENS} tok (skill listing ~2% of context, CC 2.1.32); over_by~` + + `${aggregate.overBy} tok - ${BUDGET_CALIBRATION_NOTE}`, + recommendation: AGGREGATE_RECOMMENDATION, + category: 'token-efficiency', + })); + } else { + // B8 — window-calibrated. Advisory (unknown window) downgrades to info. + const winLabel = withCommas(window); + findings.push(finding({ + scanner: SCANNER, + severity: advisory ? SEVERITY.info : SEVERITY.low, + title: 'Aggregate skill descriptions may exceed the listing budget', + description: + `The ${aggregate.scanned} active skills carry about ${aggregate.aggregateTokens} tokens of description text ` + + `(each description counted up to the ${DESCRIPTION_CAP}-char listing cap), above the ` + + `${budgetTokens}-token budget Claude Code allots the skill listing at a ${winLabel}-token ` + + 'context window (about 2% of context, CC 2.1.32). When the listing overflows that budget ' + + 'Claude Code drops descriptions, so the model may stop seeing some skills entirely.' + + (advisory + ? ' Your context window is unknown, so this is advisory: it anchors on the conservative 200k window.' + : ''), + evidence: + `active_skills_scanned=${aggregate.scanned}; description_chars=${aggregate.aggregateChars} (each capped at ` + + `${DESCRIPTION_CAP}); description_tokens~${aggregate.aggregateTokens}; budget@${winLabel}=` + + `${budgetTokens} tok (skill listing ~2% of context, CC 2.1.32); over_by~${aggregate.overBy} tok` + + (advisory ? ` - ${BUDGET_CALIBRATION_NOTE}` : ' - this is an estimate, not measured telemetry'), + recommendation: AGGREGATE_RECOMMENDATION, + category: 'token-efficiency', + })); + } } // CA-SKL-003 (oversized body). Emitted last so the common single-issue cases diff --git a/tests/lib/context-window.test.mjs b/tests/lib/context-window.test.mjs new file mode 100644 index 0000000..4557d80 --- /dev/null +++ b/tests/lib/context-window.test.mjs @@ -0,0 +1,76 @@ +import { describe, it } from 'node:test'; +import assert from 'node:assert/strict'; +import { + CONTEXT_WINDOW_ANCHOR, + LARGE_CONTEXT_WINDOW, + resolveContextWindow, + scaleForWindow, +} from '../../scanners/lib/context-window.mjs'; + +// B8 — context-window calibration. resolveContextWindow turns the raw +// --context-window CLI value into { window, advisory } that SKL/CML calibrate +// their budgets with. The DEFAULT (no flag) must be byte-identical to the +// pre-B8 behavior: the conservative 200k anchor at full severity (advisory=false). + +describe('resolveContextWindow — default (no flag) is the conservative anchor', () => { + it('undefined resolves to the 200k anchor, not advisory (byte-stable default)', () => { + const r = resolveContextWindow(undefined); + assert.equal(r.window, CONTEXT_WINDOW_ANCHOR); + assert.equal(r.advisory, false); + assert.equal(r.source, 'default'); + }); + + it('null resolves to the conservative default', () => { + const r = resolveContextWindow(null); + assert.equal(r.window, CONTEXT_WINDOW_ANCHOR); + assert.equal(r.advisory, false); + }); +}); + +describe('resolveContextWindow — explicit window', () => { + it('a numeric string calibrates to that window, not advisory', () => { + const r = resolveContextWindow('1000000'); + assert.equal(r.window, 1_000_000); + assert.equal(r.advisory, false); + assert.equal(r.source, 'explicit'); + }); + + it('a plain number is accepted', () => { + const r = resolveContextWindow(1_000_000); + assert.equal(r.window, 1_000_000); + assert.equal(r.advisory, false); + }); +}); + +describe('resolveContextWindow — auto / unknown downgrades to advisory', () => { + it('"auto" keeps the conservative anchor but flags advisory (no model probe yet)', () => { + const r = resolveContextWindow('auto'); + assert.equal(r.window, CONTEXT_WINDOW_ANCHOR, 'window stays the conservative anchor'); + assert.equal(r.advisory, true, 'unknown window -> advisory, not a budget breach'); + assert.equal(r.source, 'auto-unresolved'); + }); + + it('"AUTO" is case-insensitive', () => { + assert.equal(resolveContextWindow('AUTO').advisory, true); + }); + + it('an invalid value falls back to the conservative default (not advisory)', () => { + for (const bad of ['banana', '0', '-5', '']) { + const r = resolveContextWindow(bad); + assert.equal(r.window, CONTEXT_WINDOW_ANCHOR, `"${bad}" -> anchor`); + assert.equal(r.advisory, false, `"${bad}" -> not advisory`); + } + }); +}); + +describe('scaleForWindow — linear scaling off the 200k anchor', () => { + it('is the identity at the 200k anchor (byte-stable default)', () => { + assert.equal(scaleForWindow(4000, CONTEXT_WINDOW_ANCHOR), 4000); + assert.equal(scaleForWindow(40_000, CONTEXT_WINDOW_ANCHOR), 40_000); + }); + + it('scales 5x at the 1M window', () => { + assert.equal(scaleForWindow(4000, LARGE_CONTEXT_WINDOW), 20_000); + assert.equal(scaleForWindow(40_000, LARGE_CONTEXT_WINDOW), 200_000); + }); +}); diff --git a/tests/lib/skill-listing-budget.test.mjs b/tests/lib/skill-listing-budget.test.mjs index 8c4c826..a20b43a 100644 --- a/tests/lib/skill-listing-budget.test.mjs +++ b/tests/lib/skill-listing-budget.test.mjs @@ -102,6 +102,20 @@ describe('assessSkillListingBudget — aggregate math', () => { assert.equal(r.aggregateChars, 100); assert.equal(r.scanned, 3); }); + + it('accepts a calibrated budget (B8): 17×1000 chars is within a 20,000-tok 1M budget', () => { + const r = assessSkillListingBudget(Array(17).fill(1000), 20_000); + assert.equal(r.aggregateTokens, 4250); + assert.equal(r.budgetTokens, 20_000, 'reports the calibrated budget, not the 200k default'); + assert.equal(r.overBudget, false, 'within the relaxed 1M budget'); + assert.equal(r.overBy, 0); + }); + + it('the budget argument defaults to the 200k anchor (byte-stable for existing callers)', () => { + const r = assessSkillListingBudget(Array(17).fill(1000)); + assert.equal(r.budgetTokens, AGGREGATE_BUDGET_TOKENS); + assert.equal(r.overBudget, true); + }); }); describe('envFlag', () => { diff --git a/tests/scanners/claude-md-linter.test.mjs b/tests/scanners/claude-md-linter.test.mjs index f720dbc..5e4dd23 100644 --- a/tests/scanners/claude-md-linter.test.mjs +++ b/tests/scanners/claude-md-linter.test.mjs @@ -172,6 +172,38 @@ describe('CML scanner — char budget mirrors CC startup warning (CC 2.1.169)', }); }); +describe('CML scanner — context-window calibration (B8)', () => { + const FIXTURE = resolve(FIXTURES, 'large-claude-chars'); // 48,531 chars + const charFinding = (r) => + r.findings.find((f) => /performance-warning threshold/i.test(f.title || '')); + + async function scanWithCtx(contextWindow) { + resetCounter(); + const discovery = await discoverConfigFiles(FIXTURE); + return scan(FIXTURE, discovery, { contextWindow }); + } + + it('--context-window 1000000 relaxes the 40k char threshold so a 48k-char file does NOT fire', async () => { + const at1m = await scanWithCtx({ window: 1_000_000, advisory: false }); + assert.equal(charFinding(at1m), undefined, + '48,531 chars is under the ~200,000-char threshold at a 1M window'); + }); + + it('an unknown (advisory) window keeps the 40k anchor but downgrades to info', async () => { + const advisory = await scanWithCtx({ window: 200_000, advisory: true }); + const f = charFinding(advisory); + assert.ok(f, 'still surfaces the measurement at the conservative anchor'); + assert.equal(f.severity, 'info', 'advisory downgrades it from medium to info'); + }); + + it('no opts (default) is unchanged: fires medium at the 40k anchor', async () => { + resetCounter(); + const discovery = await discoverConfigFiles(FIXTURE); + const result = await scan(FIXTURE, discovery); + assert.equal(charFinding(result)?.severity, 'medium', 'default must stay byte-stable: medium'); + }); +}); + describe('CML scanner — large-by-lines but under the char budget (no false char finding)', () => { // large-cascade/CLAUDE.md is 1024 lines but only 37,393 chars (short lines): // under CC's 40.0k char threshold, so the char-budget finding must NOT fire — diff --git a/tests/scanners/skill-listing-scanner.test.mjs b/tests/scanners/skill-listing-scanner.test.mjs index 92d7b97..e50ff59 100644 --- a/tests/scanners/skill-listing-scanner.test.mjs +++ b/tests/scanners/skill-listing-scanner.test.mjs @@ -28,6 +28,18 @@ async function runScannerWithHome(home) { } } +/** Like runScannerWithHome but threads a resolved { window, advisory } (B8 calibration). */ +async function runScannerWithCtx(home, contextWindow) { + resetCounter(); + const original = process.env.HOME; + process.env.HOME = home; + try { + return await scan('/unused', { files: [] }, { contextWindow }); + } finally { + process.env.HOME = original; + } +} + /** Build a fake HOME with one user skill whose description has `len` chars. */ async function homeWithUserSkill(name, descLen) { const home = uniqueDir(name); @@ -319,6 +331,48 @@ describe('SKL scanner — aggregate listing budget (CA-SKL-002)', () => { }); }); +describe('SKL scanner — context-window calibration (B8)', () => { + it('--context-window 1000000 relaxes the aggregate budget so an over-200k listing does NOT fire', async () => { + // 50 skills * 400 chars = 20,000 chars -> 5,000 tok. Over the 4,000-tok 200k + // budget, under the 20,000-tok 1M budget — the acceptance case. + const home = await homeWithNUserSkills(50, 400, 'cw'); + try { + const at200k = await runScannerWithCtx(home, { window: 200_000, advisory: false }); + assert.ok(findAggregate(at200k.findings), 'control: fires at the 200k anchor'); + + const at1m = await runScannerWithCtx(home, { window: 1_000_000, advisory: false }); + assert.equal(findAggregate(at1m.findings), undefined, + 'at a 1M context window the listing is within budget and must not fire'); + } finally { + await rm(home, { recursive: true, force: true }); + } + }); + + it('an unknown (advisory) window keeps the anchor but downgrades the finding to info', async () => { + const home = await homeWithNUserSkills(17, 1000, 'cwadv'); + try { + const advisory = await runScannerWithCtx(home, { window: 200_000, advisory: true }); + const agg = findAggregate(advisory.findings); + assert.ok(agg, 'still surfaces the measurement (conservative anchor)'); + assert.equal(agg.severity, 'info', 'advisory downgrades it from a budget breach (low) to info'); + } finally { + await rm(home, { recursive: true, force: true }); + } + }); + + it('no opts (default) is unchanged: fires low at the 200k anchor', async () => { + const home = await homeWithNUserSkills(17, 1000, 'cwdef'); + try { + const result = await runScannerWithHome(home); + const agg = findAggregate(result.findings); + assert.ok(agg); + assert.equal(agg.severity, 'low', 'default behavior must be byte-stable: low severity'); + } finally { + await rm(home, { recursive: true, force: true }); + } + }); +}); + describe('SKL scanner — oversized skill body (B7, on-demand cost)', () => { const findBody = (findings) => findings.find((f) => /body is large/i.test(f.title || '')); From ad1eceb76a42780ef5478b5a1bd04cb5db808e72 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Tue, 23 Jun 2026 21:49:32 +0200 Subject: [PATCH 03/31] =?UTF-8?q?release:=20v5.11.0=20=E2=80=94=20"Precisi?= =?UTF-8?q?on=20polish"=20(B7+B8)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Version-sync: plugin.json 5.10.0→5.11.0; README version badge + tests badge 1257+→1279+ + new version-history row; CLAUDE.md test counts 1257/71→1279/72 (22→23 lib test files); CHANGELOG [5.11.0]; README SKL row documents CA-SKL-003 + the --context-window flag. B7 (CA-SKL-003) and B8 (--context-window calibration) shipped as feat commits 2798880 + 2082b7d. Scanner/agent/command counts unchanged (16/7/21); --json/--raw byte-stable; frozen v5.0.0 + SC-5 snapshots untouched. Suite 1279 green. self-audit --check-readme: PASS (badges == filesystem). Co-Authored-By: Claude Opus 4.8 (1M context) --- .claude-plugin/plugin.json | 2 +- CHANGELOG.md | 35 +++++++++++++++++++++++++++++++++++ CLAUDE.md | 2 +- README.md | 7 ++++--- 4 files changed, 41 insertions(+), 5 deletions(-) diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index c886b5b..adac250 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -1,7 +1,7 @@ { "name": "config-audit", "description": "Multi-agent workflow for analyzing, reporting, and optimizing Claude Code configuration across your entire machine", - "version": "5.10.0", + "version": "5.11.0", "author": { "name": "Kjell Tore Guttormsen" }, diff --git a/CHANGELOG.md b/CHANGELOG.md index 5b428a2..bd89d95 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,41 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [5.11.0] - 2026-06-23 + +### Summary +"Precision polish" — the two LOW-priority calibration gaps from the hardening plan, both additive. +**B7** flags an oversized SKILL.md body (`CA-SKL-003`), honestly framed as an on-demand cost. **B8** +lets `CA-SKL-002` and the CML char-budget calibrate to a real context window via `--context-window`, +and downgrade to advisory when the window is unknown — so the 200k anchor stops crying wolf on a 1M +host. Scanner count stays **16** (both extend the existing SKL/CML scanners), agents **7**, commands +**21**; `--json`/`--raw` stay byte-stable and the frozen v5.0.0 + SC-5 snapshots are untouched. **1279** tests. + +### Added +- **B7 — oversized skill body (`CA-SKL-003`, low).** `measureActiveSkillListing()` now measures the + SKILL.md **body** below the frontmatter (the file was already read in full; only the frontmatter was + parsed). A body over ~5,000 tokens (`BODY_TOKEN_THRESHOLD`) fires `CA-SKL-003`, recommending a + supporting-file split and `context: fork` for heavy skills. + - **Honest framing (Verifiseringsplikt):** `BODY_CALIBRATION_NOTE` marks this as an **on-demand** + cost — the body loads only when the skill is invoked, **not** every turn like the always-loaded + listing — and an estimate (chars/4), hence low severity. Distinct from the always-loaded + listing-budget findings. +- **B8 — context-window calibration (`--context-window`).** `CA-SKL-002` (skill-listing budget) and + the CML char-budget threshold now calibrate to a resolved context window instead of always + anchoring at 200k. `lib/context-window.mjs` gains `resolveContextWindow()` and `scaleForWindow()`: + - `--context-window ` calibrates the budget to `n` (e.g. `1000000` relaxes the SKL listing budget + to ~20,000 tok, so an over-200k listing is within budget and does not fire). + - `--context-window auto` keeps the conservative 200k anchor but marks the result **advisory** — + SKL/CML emit the finding at **info** rather than as a budget breach (model→window auto-probing is + deferred to a later B8b). + - No flag → the conservative 200k anchor at full severity, **byte-identical** to the pre-B8 default. + - Both SKL and CML keep an untouched default branch (`window === 200k && !advisory`) for + byte-stability plus a calibrated branch. The flag is wired through `scan-orchestrator` and + `posture`; `runAllScanners` resolves it once and threads `{ contextWindow }` to the scanners + (others ignore the third arg). + - **CPS intentionally excluded:** it has no window-anchored budget (a fixed 150-line volatility + heuristic), so there is nothing to calibrate. + ## [5.10.0] - 2026-06-23 ### Summary diff --git a/CLAUDE.md b/CLAUDE.md index 8c8c0ef..97054c1 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -123,7 +123,7 @@ Coding style: scanners are zero-dependency Node ESM; new findings use the `CA-{S node --test 'tests/**/*.test.mjs' ``` -1257 tests across 71 test files (22 lib + 39 scanner + 1 hook + 1 agent + 3 commands + 1 knowledge + 4 top-level). Test fixtures in `tests/fixtures/`. Top-level humanizer tests: `json-backcompat.test.mjs`, `raw-backcompat.test.mjs`, `scenario-read-test.test.mjs`, `snapshot-default-output.test.mjs`. +1279 tests across 72 test files (23 lib + 39 scanner + 1 hook + 1 agent + 3 commands + 1 knowledge + 4 top-level). Test fixtures in `tests/fixtures/`. Top-level humanizer tests: `json-backcompat.test.mjs`, `raw-backcompat.test.mjs`, `scenario-read-test.test.mjs`, `snapshot-default-output.test.mjs`. Per-scanner and per-build-block implementation notes (design rationale, primary-source verification, byte-stability lessons) live in `docs/scanner-internals.md` → **Implementation notes**. diff --git a/README.md b/README.md index 1951ec4..a930847 100644 --- a/README.md +++ b/README.md @@ -6,13 +6,13 @@ *AI-generated: all code produced by Claude Code through dialog-driven development. [Full disclosure →](../../README.md#ai-generated-code-disclosure)* -![Version](https://img.shields.io/badge/version-5.10.0-blue) +![Version](https://img.shields.io/badge/version-5.11.0-blue) ![Platform](https://img.shields.io/badge/platform-Claude_Code_Plugin-purple) ![Scanners](https://img.shields.io/badge/scanners-16-cyan) ![Commands](https://img.shields.io/badge/commands-21-green) ![Agents](https://img.shields.io/badge/agents-7-orange) ![Hooks](https://img.shields.io/badge/hooks-4-red) -![Tests](https://img.shields.io/badge/tests-1257+-brightgreen) +![Tests](https://img.shields.io/badge/tests-1279+-brightgreen) ![License](https://img.shields.io/badge/license-MIT-lightgrey) A Claude Code plugin that checks configuration health, suggests context-aware improvements, and auto-fixes issues — `CLAUDE.md`, `settings.json`, hooks, rules, MCP servers, `@imports`, and plugins. 16 deterministic scanners across 10 quality areas, context-aware feature recommendations, auto-fix with backup/rollback, a prompt-cache-aware Token Hotspots scanner with optional API-calibrated `--accurate-tokens` mode, plus cache-prefix stability, dead-tool, cross-plugin collision, output-style, and always-loaded agent-listing-budget detection. Zero external dependencies. @@ -326,7 +326,7 @@ By default, `/config-audit` auto-detects scope from your git context. Override w | `cache-prefix-scanner.mjs` | CPS | Volatile content in lines 31–150 of the CLAUDE.md cascade — beyond Pattern A's top-30 window but still re-loaded every turn — **plus** volatile content inside `@import`-ed files (inlined into the cached prefix, one hop, otherwise invisible to per-file scans) | | `disabled-in-schema-scanner.mjs` | DIS | Dead/ineffective permission entries: (1) tools in BOTH `permissions.deny` and `permissions.allow` — deny wins (incl. the `Tool(*)` deny-all glob, equivalent to a bare deny); (2) unanchored allow wildcards (`*`, `B*`, `mcp__*`) that Claude Code silently skips — valid only as `mcp____*`; (3) `Tool(param:value)` rules whose key is the tool's own canonicalizing field (`command`/`file_path`/`path`/`notebook_path`/`url`) — CC ignores these and emits a startup warning | | `collision-scanner.mjs` | COL | Cross-plugin skill name collisions; user-vs-plugin overlaps | -| `skill-listing-scanner.mjs` | SKL | Skill-listing token budget: a single skill description over the ~1,536-char listing cap Claude Code truncates (`CA-SKL-001`), and the summed active-skill descriptions exceeding the ~2%-of-context listing budget (`CA-SKL-002`) | +| `skill-listing-scanner.mjs` | SKL | Skill-listing token budget: a single skill description over the ~1,536-char listing cap Claude Code truncates (`CA-SKL-001`), the summed active-skill descriptions exceeding the ~2%-of-context listing budget (`CA-SKL-002`), and an oversized SKILL.md **body** over ~5,000 tokens (`CA-SKL-003`, low — on-demand cost: the body loads only when the skill runs, not every turn; recommends supporting-file split + `context: fork`). The `CA-SKL-002` (and CML char-budget) findings accept `--context-window ` to calibrate to your real window instead of the conservative 200k anchor (`--context-window auto` keeps the anchor but downgrades to advisory) | | `output-style-scanner.mjs` | OST | Output-style validation: a custom (user/project) style missing `keep-coding-instructions: true` that silently strips built-in software-engineering instructions (`CA-OST-001`), a plugin style with `force-for-plugin: true` overriding the user's selected `outputStyle` (`CA-OST-002`), and a settings `outputStyle` resolving to no built-in or custom style — dead config (`CA-OST-003`) | | `optimization-lens-scanner.mjs` | OPT | Optimization lens (mechanism-fit): a multi-step procedure in CLAUDE.md that would fit better as a skill (`CA-OPT-001`) — reads the machine-readable best-practices register, framed as an opportunity, not a failure. The deterministic half of the lens; prose-judgment cases (lifecycle→hook, unscoped path→rule, "never"→permission) are judged by the opus `optimization-lens-agent` via `/config-audit optimize` | | `agent-listing-scanner.mjs` | AGT | Always-loaded agent-listing budget: a per-agent description over the soft bloat cap (`CA-AGT-001`, advisory) and the summed active-agent name+description listing — re-sent every turn — exceeding the listing budget (`CA-AGT-002`). Both LOW and explicitly **inferred / upper-bound**: the agent-listing mechanism is undocumented, so the evidence discloses the estimate and heuristic budget rather than overstating certainty | @@ -662,6 +662,7 @@ This plugin is cautious by design — configuration files are important, and a b | Version | Date | Highlights | |---------|------|-----------| +| **5.11.0** | 2026-06-23 | "Precision polish" — the two LOW-priority calibration gaps, both additive (scanner count stays **16**, agents **7**, commands **21**; `--json`/`--raw` byte-stable, frozen v5.0.0 + SC-5 untouched). **B7 — oversized skill body (`CA-SKL-003`, low):** the SKL scanner now measures the SKILL.md **body** (it already read the file in full) and flags bodies over ~5,000 tokens, recommending a supporting-file split + `context: fork`. Honestly framed as an **on-demand** cost — the body loads only when the skill is invoked, **not** every turn like the always-loaded listing — hence low severity. **B8 — context-window calibration (`--context-window`):** `CA-SKL-002` (skill-listing budget) and the CML char-budget now calibrate to a real context window via `--context-window ` (e.g. `1000000` stops the 200k anchor crying wolf on a 1M host) instead of always anchoring at 200k; `--context-window auto` keeps the conservative anchor but **downgrades budget findings to info/advisory** rather than firing a breach (model→window auto-probing deferred to a later B8b). No flag → byte-identical to the pre-B8 200k default. CPS is intentionally excluded (no window-anchored budget to calibrate). 1279 tests | | **5.10.0** | 2026-06-23 | "Deferral & injection hygiene" — three additive hardening levers that extend existing scanners toward a tighter always-loaded prefix (scanner count stays **16**, agents **7**, commands **21**; `--json`/`--raw` byte-stable, frozen v5.0.0 + SC-5 untouched). **B4 — MCP tool-schema deferral (`CA-TOK-006`; tokens patterns 7→8):** Claude Code defers MCP tool schemas (names-only, ~120 tok; full schemas load on demand) by default, so `CA-TOK-006` detects config-file signals that force the FULL schemas into the always-loaded prefix every turn — `env.ENABLE_TOOL_SEARCH="false"` (high), a `"ToolSearch"` deny (high), a configured Haiku model (medium), or per-server `alwaysLoad:true` (CC v2.1.121+, high); severity scales with the aggregate forced-upfront tokens. New pure engine `lib/mcp-deferral.mjs` shared by TOK + GAP, plus a feature-gap **CLI-over-MCP** companion lever (prefer `gh`/`aws`/`gcloud`). Triggers on config files ONLY — Vertex / custom `ANTHROPIC_BASE_URL` / a runtime `/model` switch are launch state and are disclosed, never triggered; the prefix-cache-invalidation claim was NOT-CONFIRMED in docs and is not asserted. **B5 — hook `additionalContext` advisory + filter-before lever:** HKV emits an info advisory when a hook injects unfiltered output into `additionalContext`, with a feature-gap **filter-before-Claude-reads** companion citing the documented `filter-test-output.sh` pattern. **B6 — CPS `@import` volatile scan:** the cache-prefix scanner now follows `@import`s (one hop) and flags volatile content in the imported file that breaks the cached prefix — a new medium finding, keyed on the resolved file. 1257 tests | | **5.9.0** | 2026-06-23 | "Machine-wide token lens" — the three highest-impact hardening gaps toward whole-machine token tuning. **B1 — agent-listing budget (new orchestrated scanner AGT, count 15→16):** the always-loaded agent listing (name+description re-sent every turn) is now measured — `CA-AGT-001` per-agent description bloat (advisory), `CA-AGT-002` aggregate listing over budget; both LOW and explicitly **inferred / upper-bound** (the mechanism is undocumented — the evidence discloses it rather than overstating). **B2 — machine-wide always-loaded token roll-up:** the campaign ledger now carries a token bill — `campaign refresh-tokens` does a live cross-repo sweep that counts the **shared global always-loaded layer once** + per-repo deltas, with a ranked "most expensive repos" table (the `whats-active` double-count, avoided by construction). **B3 — cache-aware filtering (folds in B0):** `~/.claude/plugins/cache` holds *both* active and stale plugin versions (installPaths point INTO it), so token-hotspots + CNF are now **version-aware** — `--exclude-cache` (default ON) keeps each plugin's active version and drops only stale ones (`installed_plugins.json`-driven), so stale versions stop polluting the hotspot ranking and inflating duplicate-hook conflicts; stale versions surface as a separate **Dead config** disk-cleanup finding (zero live-context impact). `--json`/`--raw` byte-stable; frozen v5.0.0 + SC-5 snapshots untouched. 1215 tests | | **5.8.0** | 2026-06-23 | "Campaign motor" — a durable, machine-wide audit **campaign** that sits ABOVE individual sessions (one repo = one session; a fleet of repos = a campaign). **Ledger:** `~/.claude/config-audit/campaign-ledger.json` (outside the plugin dir → survives uninstall/upgrade) tracks a repo list + per-repo lifecycle (pending→audited→planned→implemented) + a machine-wide roll-up by status & severity; pure transforms with injected `now`. **`/config-audit campaign` (commands 20→21):** read-only report (`campaign-cli`) + human-approved writes (`campaign-write-cli`: init / add / set-status) — reports first, mutates only on explicit approval, never hand-edits the ledger. **Cross-repo backlog:** one severity-weighted prioritized pick-list (`buildBacklog`, `critical:1000/high:100/medium:10/low:1`). **Plan export + execution-by-reuse:** `campaign-export-cli --write` drops a planned repo's plan verbatim into its own `docs/`; execution reuses the existing `/config-audit implement` + `rollback` (no new execution machinery). All campaign code is `-cli`/lib → scanner count stays **15**, agents **7**, byte-stable. Plus pre-release cleanup: `knowledge-refresh` wired into the router + help; CLAUDE.md trimmed 540→134 lines (impl notes → `docs/scanner-internals.md`, config grade B→A). 1168 tests | From cf75249b5ecf0cca6cf049c03016744f219c0465 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Tue, 23 Jun 2026 22:29:12 +0200 Subject: [PATCH 04/31] =?UTF-8?q?feat(skl,cml):=20--context-window=20auto?= =?UTF-8?q?=20model=E2=86=92window=20probe=20(v5.12=20B8b)=20[skip-docs]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Completes the deferred B8 half. `--context-window auto` now probes the configured model and calibrates SKL/CML budgets to its real window instead of always falling back to the conservative advisory anchor. - lib/context-window.mjs: pure modelToContextWindow() maps known 1M-tier model IDs (Fable 5, Opus 4.8/4.7/4.6, Sonnet 4.6 — verified June 2026 — plus the explicit [1m] tier tag, dated/provider-prefixed IDs, and the opus/sonnet/fable aliases) to the 1M window; unknown/unconfirmed -> null (caller keeps the conservative anchor). resolveContextWindow() auto branch now probes opts.model: recognized -> auto-probed (not advisory); unknown or unpinned -> auto-unresolved (advisory, pre-B8b behavior). - lib/active-model.mjs (new): resolveActiveModel() reads the model the way Claude Code resolves it — shell ANTHROPIC_MODEL override, then settings cascade local > project > user. Injectable env, hermetic under test HOME. - scan-orchestrator: resolves the active model only when the flag is `auto` and threads it into resolveContextWindow; posture inherits via runAllScanners. Default (no flag) and explicit --context-window paths ignore the model and stay byte-stable; frozen v5.0.0 + SC-5 snapshots untouched. TDD: 17 new tests (context-window mapping/probe + active-model cascade). Suite 1296 green. Co-Authored-By: Claude Opus 4.8 (1M context) --- scanners/lib/active-model.mjs | 51 ++++++++++++++++ scanners/lib/context-window.mjs | 67 +++++++++++++++++++-- scanners/scan-orchestrator.mjs | 9 ++- tests/lib/active-model.test.mjs | 96 +++++++++++++++++++++++++++++++ tests/lib/context-window.test.mjs | 93 +++++++++++++++++++++++++++++- 5 files changed, 308 insertions(+), 8 deletions(-) create mode 100644 scanners/lib/active-model.mjs create mode 100644 tests/lib/active-model.test.mjs diff --git a/scanners/lib/active-model.mjs b/scanners/lib/active-model.mjs new file mode 100644 index 0000000..0ccbc76 --- /dev/null +++ b/scanners/lib/active-model.mjs @@ -0,0 +1,51 @@ +/** + * Active-model resolution for the `--context-window auto` probe (B8b). + * + * Reads the configured model the way Claude Code itself resolves it, so the + * window probe (context-window.mjs `modelToContextWindow`) sees the real model: + * 1. the shell `ANTHROPIC_MODEL` override (applies to the launched session); + * 2. otherwise the settings cascade `model` field — user `~/.claude`, then + * project `.claude`, then project-local `.claude` (local > project > user). + * + * Reads the cascade files directly (like isBundledSkillsDisabled) rather than via + * config-discovery classification, and takes an injectable `env` so it is + * deterministic and hermetic under the test HOME. Returns null when no model is + * pinned anywhere — the honest signal that `auto` must fall back to advisory. + * + * Zero external dependencies (repo invariant). + */ + +import { join } from 'node:path'; +import { readTextFile } from './file-discovery.mjs'; +import { parseJson } from './yaml-parser.mjs'; + +/** + * @param {string|null|undefined} projectPath - project root, to also read project + local settings + * @param {{ env?: Record }} [opts] + * @returns {Promise} the resolved model id/alias, or null if unset + */ +export async function resolveActiveModel(projectPath, { env = process.env } = {}) { + // 1. Shell ANTHROPIC_MODEL overrides settings (CC: applies to the session). + const envModel = typeof env?.ANTHROPIC_MODEL === 'string' ? env.ANTHROPIC_MODEL.trim() : ''; + if (envModel) return envModel; + + // 2. Settings cascade: user -> project -> project-local, later wins. + const home = (env && (env.HOME || env.USERPROFILE)) || ''; + const candidates = []; + if (home) candidates.push(join(home, '.claude', 'settings.json')); + if (projectPath) { + candidates.push(join(projectPath, '.claude', 'settings.json')); + candidates.push(join(projectPath, '.claude', 'settings.local.json')); + } + + let model = null; + for (const p of candidates) { + const content = await readTextFile(p); + if (!content) continue; + const parsed = parseJson(content); + if (parsed && typeof parsed.model === 'string' && parsed.model.trim()) { + model = parsed.model.trim(); + } + } + return model; +} diff --git a/scanners/lib/context-window.mjs b/scanners/lib/context-window.mjs index 15c914a..596d846 100644 --- a/scanners/lib/context-window.mjs +++ b/scanners/lib/context-window.mjs @@ -27,13 +27,58 @@ export const LARGE_CONTEXT_SCALE = LARGE_CONTEXT_WINDOW / CONTEXT_WINDOW_ANCHOR; // Dependency-free thousands separator (repo invariant: zero external deps). export const withCommas = (n) => String(n).replace(/\B(?=(\d{3})+(?!\d))/g, ','); +// Model families whose context window is the large (1M) tier. Verified June 2026 +// (platform.claude.com models overview): Fable 5, Opus 4.8/4.7/4.6 and Sonnet 4.6 +// all run a 1M context window. Matched by substring so dated IDs +// (claude-opus-4-8-20260528) and provider-prefixed IDs +// (us.anthropic.claude-opus-4-8) resolve too. Models we cannot confirm (e.g. +// Haiku, older 200k-era IDs) are deliberately left out: the caller then keeps the +// conservative anchor rather than guess a relaxed budget. +export const LARGE_CONTEXT_MODEL_IDS = [ + 'claude-fable-5', + 'claude-opus-4-8', + 'claude-opus-4-7', + 'claude-opus-4-6', + 'claude-sonnet-4-6', +]; + +// Short aliases Claude Code accepts in the `model` setting / ANTHROPIC_MODEL that +// currently resolve to a 1M-tier model (`opusplan` plans on an Opus-tier model). +export const LARGE_CONTEXT_MODEL_ALIASES = new Set(['opus', 'sonnet', 'fable', 'opusplan']); + +/** + * Map a configured model id/alias to its context window, or null when we cannot + * confirm it. Pure: no IO. Used by the `--context-window auto` probe (B8b) so + * known 1M-tier models calibrate budgets instead of falling back to the + * conservative advisory anchor. + * + * @param {string} modelId - e.g. "claude-opus-4-8[1m]", "claude-sonnet-4-6", "opus" + * @returns {number|null} the context window, or null if unrecognized + */ +export function modelToContextWindow(modelId) { + if (typeof modelId !== 'string') return null; + const id = modelId.trim().toLowerCase(); + if (!id) return null; + // Explicit tier tag wins — the running session model surfaces as e.g. + // "claude-opus-4-8[1m]". This is the strongest, most future-proof signal. + if (id.includes('[1m]')) return LARGE_CONTEXT_WINDOW; + // Known 1M-tier families (substring → tolerant of date/provider-prefix variants). + for (const fam of LARGE_CONTEXT_MODEL_IDS) { + if (id.includes(fam)) return LARGE_CONTEXT_WINDOW; + } + // Short aliases. + if (LARGE_CONTEXT_MODEL_ALIASES.has(id)) return LARGE_CONTEXT_WINDOW; + // Unknown: cannot confirm the window — keep the conservative anchor (null). + return null; +} + /** * @typedef {object} ResolvedContextWindow * @property {number} window - the context window budgets calibrate against * @property {boolean} advisory - true when the window is unknown: keep the anchor * but downgrade budget findings to info instead of * firing them as a breach - * @property {'default'|'explicit'|'auto-unresolved'} source + * @property {'default'|'explicit'|'auto-probed'|'auto-unresolved'} source */ /** @@ -41,19 +86,29 @@ export const withCommas = (n) => String(n).replace(/\B(?=(\d{3})+(?!\d))/g, ',') * * Design (B8): the DEFAULT (no flag) is byte-identical to the pre-B8 behavior — * the conservative 200k anchor at full severity. Only an explicit value changes - * calibration. `auto` asks the tool to figure out the window; until model→window - * probing ships (B8b) it cannot, so it keeps the conservative anchor but marks the - * result advisory so SKL/CML downgrade their budget findings to info rather than - * "crying wolf" with a breach on a window we cannot confirm. + * calibration. `auto` asks the tool to figure out the window. + * + * B8b: `auto` now probes the configured model (`opts.model`, resolved from the + * settings cascade / ANTHROPIC_MODEL by the orchestrator). A recognized 1M-tier + * model calibrates to its window (source `auto-probed`, not advisory). When the + * model is unknown or unpinned, it keeps the conservative anchor but marks the + * result advisory (source `auto-unresolved`) so SKL/CML downgrade their budget + * findings to info rather than "crying wolf" on a window we cannot confirm. * * @param {string|number|null|undefined} arg + * @param {{ model?: string|null }} [opts] - probe input for `auto` (ignored on the + * default/explicit paths, which stay byte-stable). * @returns {ResolvedContextWindow} */ -export function resolveContextWindow(arg) { +export function resolveContextWindow(arg, opts = {}) { if (arg == null) { return { window: CONTEXT_WINDOW_ANCHOR, advisory: false, source: 'default' }; } if (String(arg).trim().toLowerCase() === 'auto') { + const probed = modelToContextWindow(opts.model); + if (probed) { + return { window: probed, advisory: false, source: 'auto-probed' }; + } return { window: CONTEXT_WINDOW_ANCHOR, advisory: true, source: 'auto-unresolved' }; } const n = typeof arg === 'number' ? arg : parseInt(String(arg).trim(), 10); diff --git a/scanners/scan-orchestrator.mjs b/scanners/scan-orchestrator.mjs index 71864ea..6beed16 100644 --- a/scanners/scan-orchestrator.mjs +++ b/scanners/scan-orchestrator.mjs @@ -15,6 +15,7 @@ import { discoverConfigFiles, discoverConfigFilesMulti, discoverFullMachinePaths import { loadSuppressions, applySuppressions, formatSuppressionSummary } from './lib/suppression.mjs'; import { humanizeEnvelope } from './lib/humanizer.mjs'; import { resolveContextWindow } from './lib/context-window.mjs'; +import { resolveActiveModel } from './lib/active-model.mjs'; // Scanner registry — import order determines execution order import { scan as scanClaudeMd } from './claude-md-linter.mjs'; @@ -98,7 +99,13 @@ export async function runAllScanners(targetPath, opts = {}) { // B8 — resolve the context window once and thread it to budget-aware scanners // (SKL, CML). Undefined opts.contextWindow → conservative 200k anchor, which is // byte-identical to the pre-B8 default; other scanners ignore the third arg. - const contextWindow = resolveContextWindow(opts.contextWindow); + // B8b — `--context-window auto` probes the configured model (settings cascade / + // ANTHROPIC_MODEL) so a 1M-tier host self-calibrates; unknown/unpinned → advisory. + let probedModel = null; + if (String(opts.contextWindow ?? '').trim().toLowerCase() === 'auto') { + probedModel = await resolveActiveModel(resolvedPath, { env: process.env }); + } + const contextWindow = resolveContextWindow(opts.contextWindow, { model: probedModel }); // Shared file discovery — scanners reuse this let discovery; diff --git a/tests/lib/active-model.test.mjs b/tests/lib/active-model.test.mjs new file mode 100644 index 0000000..1ae1dd3 --- /dev/null +++ b/tests/lib/active-model.test.mjs @@ -0,0 +1,96 @@ +import { describe, it } from 'node:test'; +import assert from 'node:assert/strict'; +import { mkdtemp, mkdir, writeFile, rm } from 'node:fs/promises'; +import { tmpdir } from 'node:os'; +import { join } from 'node:path'; +import { resolveActiveModel } from '../../scanners/lib/active-model.mjs'; + +// B8b — resolveActiveModel reads the configured model so `--context-window auto` +// can probe it. Source precedence mirrors Claude Code's own resolution: the shell +// ANTHROPIC_MODEL override wins, otherwise the settings cascade (local > project > +// user). Fully file/env-injectable so it is hermetic under the test HOME. + +async function withTempHome(fn) { + const home = await mkdtemp(join(tmpdir(), 'config-audit-model-home-')); + try { + return await fn(home); + } finally { + await rm(home, { recursive: true, force: true }); + } +} + +async function withTempProject(fn) { + const project = await mkdtemp(join(tmpdir(), 'config-audit-model-proj-')); + try { + return await fn(project); + } finally { + await rm(project, { recursive: true, force: true }); + } +} + +async function writeSettings(dir, file, obj) { + await mkdir(dir, { recursive: true }); + await writeFile(join(dir, file), JSON.stringify(obj)); +} + +describe('resolveActiveModel — env override (ANTHROPIC_MODEL)', () => { + it('returns the shell ANTHROPIC_MODEL when set, ignoring settings', async () => { + await withTempHome(async (home) => { + await writeSettings(join(home, '.claude'), 'settings.json', { model: 'claude-sonnet-4-6' }); + const env = { HOME: home, ANTHROPIC_MODEL: 'claude-opus-4-8[1m]' }; + assert.equal(await resolveActiveModel(null, { env }), 'claude-opus-4-8[1m]'); + }); + }); + + it('an empty ANTHROPIC_MODEL is treated as unset (falls through to the cascade)', async () => { + await withTempHome(async (home) => { + await writeSettings(join(home, '.claude'), 'settings.json', { model: 'claude-sonnet-4-6' }); + const env = { HOME: home, ANTHROPIC_MODEL: ' ' }; + assert.equal(await resolveActiveModel(null, { env }), 'claude-sonnet-4-6'); + }); + }); +}); + +describe('resolveActiveModel — settings cascade (local > project > user)', () => { + it('reads the model from user ~/.claude/settings.json', async () => { + await withTempHome(async (home) => { + await writeSettings(join(home, '.claude'), 'settings.json', { model: 'claude-opus-4-8' }); + assert.equal(await resolveActiveModel(null, { env: { HOME: home } }), 'claude-opus-4-8'); + }); + }); + + it('project settings.json overrides user settings', async () => { + await withTempHome(async (home) => { + await writeSettings(join(home, '.claude'), 'settings.json', { model: 'claude-opus-4-8' }); + await withTempProject(async (project) => { + await writeSettings(join(project, '.claude'), 'settings.json', { model: 'claude-sonnet-4-6' }); + assert.equal(await resolveActiveModel(project, { env: { HOME: home } }), 'claude-sonnet-4-6'); + }); + }); + }); + + it('settings.local.json overrides project settings (local wins)', async () => { + await withTempHome(async (home) => { + await withTempProject(async (project) => { + await writeSettings(join(project, '.claude'), 'settings.json', { model: 'claude-sonnet-4-6' }); + await writeSettings(join(project, '.claude'), 'settings.local.json', { model: 'claude-opus-4-8[1m]' }); + assert.equal(await resolveActiveModel(project, { env: { HOME: home } }), 'claude-opus-4-8[1m]'); + }); + }); + }); +}); + +describe('resolveActiveModel — nothing configured', () => { + it('returns null on a clean HOME with no model anywhere (honest advisory fallback)', async () => { + await withTempHome(async (home) => { + assert.equal(await resolveActiveModel(null, { env: { HOME: home } }), null); + }); + }); + + it('ignores a non-string model field', async () => { + await withTempHome(async (home) => { + await writeSettings(join(home, '.claude'), 'settings.json', { model: 123 }); + assert.equal(await resolveActiveModel(null, { env: { HOME: home } }), null); + }); + }); +}); diff --git a/tests/lib/context-window.test.mjs b/tests/lib/context-window.test.mjs index 4557d80..0c003e4 100644 --- a/tests/lib/context-window.test.mjs +++ b/tests/lib/context-window.test.mjs @@ -3,6 +3,7 @@ import assert from 'node:assert/strict'; import { CONTEXT_WINDOW_ANCHOR, LARGE_CONTEXT_WINDOW, + modelToContextWindow, resolveContextWindow, scaleForWindow, } from '../../scanners/lib/context-window.mjs'; @@ -43,13 +44,20 @@ describe('resolveContextWindow — explicit window', () => { }); describe('resolveContextWindow — auto / unknown downgrades to advisory', () => { - it('"auto" keeps the conservative anchor but flags advisory (no model probe yet)', () => { + it('"auto" with no model keeps the conservative anchor but flags advisory', () => { const r = resolveContextWindow('auto'); assert.equal(r.window, CONTEXT_WINDOW_ANCHOR, 'window stays the conservative anchor'); assert.equal(r.advisory, true, 'unknown window -> advisory, not a budget breach'); assert.equal(r.source, 'auto-unresolved'); }); + it('"auto" with an unrecognized model also stays advisory', () => { + const r = resolveContextWindow('auto', { model: 'totally-made-up-model' }); + assert.equal(r.window, CONTEXT_WINDOW_ANCHOR); + assert.equal(r.advisory, true); + assert.equal(r.source, 'auto-unresolved'); + }); + it('"AUTO" is case-insensitive', () => { assert.equal(resolveContextWindow('AUTO').advisory, true); }); @@ -74,3 +82,86 @@ describe('scaleForWindow — linear scaling off the 200k anchor', () => { assert.equal(scaleForWindow(40_000, LARGE_CONTEXT_WINDOW), 200_000); }); }); + +// B8b — model -> context-window mapping. `--context-window auto` probes the +// configured model and maps known 1M-tier model IDs to the large window so SKL/CML +// self-calibrate instead of falling back to the conservative advisory anchor. +// Verified June 2026 (platform.claude.com models overview): Fable 5, Opus +// 4.8/4.7/4.6 and Sonnet 4.6 run a 1M context window. + +describe('modelToContextWindow — known 1M-tier models map to the large window', () => { + it('the explicit [1m] tier tag wins (the running session model surfaces this way)', () => { + assert.equal(modelToContextWindow('claude-opus-4-8[1m]'), LARGE_CONTEXT_WINDOW); + // Suffix wins even for a base ID we do not otherwise enumerate. + assert.equal(modelToContextWindow('claude-future-9[1m]'), LARGE_CONTEXT_WINDOW); + }); + + it('known 1M base IDs map to 1M', () => { + for (const id of [ + 'claude-fable-5', + 'claude-opus-4-8', + 'claude-opus-4-7', + 'claude-opus-4-6', + 'claude-sonnet-4-6', + ]) { + assert.equal(modelToContextWindow(id), LARGE_CONTEXT_WINDOW, id); + } + }); + + it('tolerates dated suffixes and provider prefixes (substring match)', () => { + assert.equal(modelToContextWindow('claude-opus-4-8-20260528'), LARGE_CONTEXT_WINDOW); + assert.equal(modelToContextWindow('us.anthropic.claude-sonnet-4-6'), LARGE_CONTEXT_WINDOW); + assert.equal(modelToContextWindow('CLAUDE-OPUS-4-8'), LARGE_CONTEXT_WINDOW); // case-insensitive + }); + + it('short aliases that resolve to a 1M-tier model map to 1M', () => { + for (const alias of ['opus', 'sonnet', 'fable', 'opusplan']) { + assert.equal(modelToContextWindow(alias), LARGE_CONTEXT_WINDOW, alias); + } + }); +}); + +describe('modelToContextWindow — unknown / unconfirmed models return null (conservative)', () => { + it('returns null for models whose window we do not confirm', () => { + // Haiku is intentionally NOT enumerated: keep the conservative anchor rather + // than guess. null -> caller keeps the advisory 200k anchor. + assert.equal(modelToContextWindow('claude-haiku-4-5-20251001'), null); + assert.equal(modelToContextWindow('haiku'), null); + assert.equal(modelToContextWindow('some-unknown-model'), null); + assert.equal(modelToContextWindow('default'), null); + }); + + it('returns null for non-string / empty input', () => { + assert.equal(modelToContextWindow(undefined), null); + assert.equal(modelToContextWindow(null), null); + assert.equal(modelToContextWindow(''), null); + assert.equal(modelToContextWindow(' '), null); + assert.equal(modelToContextWindow(42), null); + }); +}); + +describe('resolveContextWindow — auto probes the model (B8b)', () => { + it('"auto" + a recognized 1M model calibrates to 1M, not advisory', () => { + const r = resolveContextWindow('auto', { model: 'claude-opus-4-8[1m]' }); + assert.equal(r.window, LARGE_CONTEXT_WINDOW); + assert.equal(r.advisory, false, 'a confirmed window is not advisory'); + assert.equal(r.source, 'auto-probed'); + }); + + it('"auto" + a recognized base ID (no tag) also calibrates', () => { + const r = resolveContextWindow('auto', { model: 'claude-sonnet-4-6' }); + assert.equal(r.window, LARGE_CONTEXT_WINDOW); + assert.equal(r.source, 'auto-probed'); + }); + + it('the model is ignored on the explicit and default paths (byte-stable)', () => { + const explicit = resolveContextWindow('1000000', { model: 'claude-opus-4-8' }); + assert.equal(explicit.source, 'explicit'); + assert.equal(explicit.window, 1_000_000); + + const def = resolveContextWindow(undefined, { model: 'claude-opus-4-8[1m]' }); + assert.equal(def.source, 'default'); + assert.equal(def.window, CONTEXT_WINDOW_ANCHOR); + assert.equal(def.advisory, false); + }); +}); From 6bb08cc84d8db36943750cab7320bd77e50e48ad Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Tue, 23 Jun 2026 22:29:21 +0200 Subject: [PATCH 05/31] =?UTF-8?q?release:=20v5.12.0=20=E2=80=94=20"Auto-ca?= =?UTF-8?q?libration"=20(B8b)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Version-sync for the B8b model→window auto-probe shipped in cf75249: - plugin.json 5.11.0 -> 5.12.0 - README version badge + version-history row (1296 tests) - CHANGELOG [5.12.0] entry Scanner count stays 16, agents 7, commands 21. No new finding ID or scanner. Co-Authored-By: Claude Opus 4.8 (1M context) --- .claude-plugin/plugin.json | 2 +- CHANGELOG.md | 36 ++++++++++++++++++++++++++++++++++++ README.md | 3 ++- 3 files changed, 39 insertions(+), 2 deletions(-) diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index adac250..b788502 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -1,7 +1,7 @@ { "name": "config-audit", "description": "Multi-agent workflow for analyzing, reporting, and optimizing Claude Code configuration across your entire machine", - "version": "5.11.0", + "version": "5.12.0", "author": { "name": "Kjell Tore Guttormsen" }, diff --git a/CHANGELOG.md b/CHANGELOG.md index bd89d95..76fa697 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,42 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [5.12.0] - 2026-06-23 + +### Summary +"Auto-calibration" — completes the deferred half of B8. `--context-window auto` now **probes the +configured model** and calibrates SKL/CML budgets to its real context window, instead of always +falling back to the conservative advisory anchor. A 1M-tier host self-calibrates without the manual +`--context-window 1000000`. No new finding ID or scanner (count stays **16**, agents **7**, commands +**21**); the default and explicit `--context-window` paths are unchanged, so `--json`/`--raw` stay +byte-stable and the frozen v5.0.0 + SC-5 snapshots are untouched. **1296** tests. + +### Added +- **B8b — model→window auto-probe.** `lib/context-window.mjs` gains a pure `modelToContextWindow()` + that maps a configured model id/alias to its context window: + - the explicit `[1m]` tier tag wins (the running session model surfaces as e.g. + `claude-opus-4-8[1m]`); + - known 1M-tier families `LARGE_CONTEXT_MODEL_IDS` (`claude-fable-5`, `claude-opus-4-8`, + `claude-opus-4-7`, `claude-opus-4-6`, `claude-sonnet-4-6` — verified June 2026 against the + platform.claude.com models overview) match by substring, so dated (`-20260528`) and + provider-prefixed (`us.anthropic.…`) IDs resolve too; + - the short aliases `opus` / `sonnet` / `fable` / `opusplan` resolve to 1M. + - Models we cannot confirm (Haiku, older 200k-era IDs, unknown) return `null` — the caller then + keeps the conservative anchor rather than guess a relaxed budget. +- **New IO helper `lib/active-model.mjs` `resolveActiveModel()`** reads the configured model the way + Claude Code resolves it: the shell `ANTHROPIC_MODEL` override first, otherwise the settings cascade + `model` field (user `~/.claude` → project `.claude` → project-local, local wins). Reads the cascade + files directly (like `isBundledSkillsDisabled`) and takes an injectable `env`, so it stays + deterministic and hermetic under the test HOME. Returns `null` when no model is pinned anywhere. + +### Changed +- **`resolveContextWindow(arg, opts)` — the `auto` branch now probes.** It maps `opts.model` via + `modelToContextWindow()`: a recognized 1M-tier model calibrates to its window (source `auto-probed`, + **not** advisory); an unknown or unpinned model keeps the conservative 200k anchor and stays advisory + (source `auto-unresolved`, the pre-B8b `auto` behavior). `scan-orchestrator` resolves the active + model (only when the flag is `auto`) and threads it in; `posture` inherits this via `runAllScanners`. + The default (no flag) and explicit `--context-window ` paths ignore `opts.model` and are unchanged. + ## [5.11.0] - 2026-06-23 ### Summary diff --git a/README.md b/README.md index a930847..4db637a 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ *AI-generated: all code produced by Claude Code through dialog-driven development. [Full disclosure →](../../README.md#ai-generated-code-disclosure)* -![Version](https://img.shields.io/badge/version-5.11.0-blue) +![Version](https://img.shields.io/badge/version-5.12.0-blue) ![Platform](https://img.shields.io/badge/platform-Claude_Code_Plugin-purple) ![Scanners](https://img.shields.io/badge/scanners-16-cyan) ![Commands](https://img.shields.io/badge/commands-21-green) @@ -662,6 +662,7 @@ This plugin is cautious by design — configuration files are important, and a b | Version | Date | Highlights | |---------|------|-----------| +| **5.12.0** | 2026-06-23 | "Auto-calibration" — completes the deferred B8 half (**B8b**): `--context-window auto` now **probes the configured model** instead of always falling back to advisory. New pure `modelToContextWindow()` maps known 1M-tier model IDs (Fable 5, Opus 4.8/4.7/4.6, Sonnet 4.6 — verified June 2026 — plus the explicit `[1m]` tier tag, dated/provider-prefixed IDs, and the `opus`/`sonnet`/`fable` aliases) to the 1M window; new IO helper `lib/active-model.mjs` `resolveActiveModel()` reads the model the way Claude Code resolves it (shell `ANTHROPIC_MODEL` override, then the settings cascade local > project > user). When `auto` resolves a recognized model the budget calibrates to its window (`auto-probed`, not advisory); when no model is pinned or it is unrecognized it keeps the conservative anchor and stays advisory (`auto-unresolved`) — the honest fallback. No new finding ID or scanner (count stays **16**, agents **7**, commands **21**); the default and explicit `--context-window` paths are unchanged, so `--json`/`--raw` stay byte-stable and the frozen v5.0.0 + SC-5 snapshots are untouched. **1296** tests. | | **5.11.0** | 2026-06-23 | "Precision polish" — the two LOW-priority calibration gaps, both additive (scanner count stays **16**, agents **7**, commands **21**; `--json`/`--raw` byte-stable, frozen v5.0.0 + SC-5 untouched). **B7 — oversized skill body (`CA-SKL-003`, low):** the SKL scanner now measures the SKILL.md **body** (it already read the file in full) and flags bodies over ~5,000 tokens, recommending a supporting-file split + `context: fork`. Honestly framed as an **on-demand** cost — the body loads only when the skill is invoked, **not** every turn like the always-loaded listing — hence low severity. **B8 — context-window calibration (`--context-window`):** `CA-SKL-002` (skill-listing budget) and the CML char-budget now calibrate to a real context window via `--context-window ` (e.g. `1000000` stops the 200k anchor crying wolf on a 1M host) instead of always anchoring at 200k; `--context-window auto` keeps the conservative anchor but **downgrades budget findings to info/advisory** rather than firing a breach (model→window auto-probing deferred to a later B8b). No flag → byte-identical to the pre-B8 200k default. CPS is intentionally excluded (no window-anchored budget to calibrate). 1279 tests | | **5.10.0** | 2026-06-23 | "Deferral & injection hygiene" — three additive hardening levers that extend existing scanners toward a tighter always-loaded prefix (scanner count stays **16**, agents **7**, commands **21**; `--json`/`--raw` byte-stable, frozen v5.0.0 + SC-5 untouched). **B4 — MCP tool-schema deferral (`CA-TOK-006`; tokens patterns 7→8):** Claude Code defers MCP tool schemas (names-only, ~120 tok; full schemas load on demand) by default, so `CA-TOK-006` detects config-file signals that force the FULL schemas into the always-loaded prefix every turn — `env.ENABLE_TOOL_SEARCH="false"` (high), a `"ToolSearch"` deny (high), a configured Haiku model (medium), or per-server `alwaysLoad:true` (CC v2.1.121+, high); severity scales with the aggregate forced-upfront tokens. New pure engine `lib/mcp-deferral.mjs` shared by TOK + GAP, plus a feature-gap **CLI-over-MCP** companion lever (prefer `gh`/`aws`/`gcloud`). Triggers on config files ONLY — Vertex / custom `ANTHROPIC_BASE_URL` / a runtime `/model` switch are launch state and are disclosed, never triggered; the prefix-cache-invalidation claim was NOT-CONFIRMED in docs and is not asserted. **B5 — hook `additionalContext` advisory + filter-before lever:** HKV emits an info advisory when a hook injects unfiltered output into `additionalContext`, with a feature-gap **filter-before-Claude-reads** companion citing the documented `filter-test-output.sh` pattern. **B6 — CPS `@import` volatile scan:** the cache-prefix scanner now follows `@import`s (one hop) and flags volatile content in the imported file that breaks the cached prefix — a new medium finding, keyed on the resolved file. 1257 tests | | **5.9.0** | 2026-06-23 | "Machine-wide token lens" — the three highest-impact hardening gaps toward whole-machine token tuning. **B1 — agent-listing budget (new orchestrated scanner AGT, count 15→16):** the always-loaded agent listing (name+description re-sent every turn) is now measured — `CA-AGT-001` per-agent description bloat (advisory), `CA-AGT-002` aggregate listing over budget; both LOW and explicitly **inferred / upper-bound** (the mechanism is undocumented — the evidence discloses it rather than overstating). **B2 — machine-wide always-loaded token roll-up:** the campaign ledger now carries a token bill — `campaign refresh-tokens` does a live cross-repo sweep that counts the **shared global always-loaded layer once** + per-repo deltas, with a ranked "most expensive repos" table (the `whats-active` double-count, avoided by construction). **B3 — cache-aware filtering (folds in B0):** `~/.claude/plugins/cache` holds *both* active and stale plugin versions (installPaths point INTO it), so token-hotspots + CNF are now **version-aware** — `--exclude-cache` (default ON) keeps each plugin's active version and drops only stale ones (`installed_plugins.json`-driven), so stale versions stop polluting the hotspot ranking and inflating duplicate-hook conflicts; stale versions surface as a separate **Dead config** disk-cleanup finding (zero live-context impact). `--json`/`--raw` byte-stable; frozen v5.0.0 + SC-5 snapshots untouched. 1215 tests | From 45efed3dbfd8c36c23ef7297cc7319dae45876ad Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Wed, 24 Jun 2026 10:04:47 +0200 Subject: [PATCH 06/31] fix(tok): live-session caveat in Pattern H stale-cache recommendation Pattern H ("Stale plugin-cache versions") recommended deleting stale version dirs under ~/.claude/plugins/cache with no warning that a currently-running session may still hold one of those versions for its whole lifetime. "Stale" is judged against installed_plugins.json (what NEW sessions load), so the recommendation could reproduce the exact footgun that broke a live session during C4: deleting the dir pulls the files out from under the running session, which then breaks and must /exit + restart. Extend the recommendation text with the live-session caveat. No new finding ID/scanner, no token counts changed (recommendation string only) -> --json/--raw stay byte-stable, frozen v5.0.0 + SC-5 + default-output snapshots untouched. +1 test (1297). Co-Authored-By: Claude Opus 4.8 (1M context) --- scanners/token-hotspots.mjs | 9 +++++++-- tests/scanners/token-hotspots.test.mjs | 10 ++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/scanners/token-hotspots.mjs b/scanners/token-hotspots.mjs index 1dc9eae..87efcbe 100644 --- a/scanners/token-hotspots.mjs +++ b/scanners/token-hotspots.mjs @@ -579,8 +579,13 @@ export async function scan(targetPath, discovery) { '(installed_plugins.json points at newer versions)', recommendation: 'Delete the listed stale version directories under ~/.claude/plugins/cache to reclaim ' + - 'disk (reinstall/prune via the plugin manager, or remove the dirs directly). Re-run ' + - 'with --no-exclude-cache to include cached versions in the token/conflict scan.', + 'disk (reinstall/prune via the plugin manager, or remove the dirs directly). ' + + 'Caution: do NOT delete a version a running session is still using — "stale" is judged ' + + 'against installed_plugins.json (what NEW sessions load), but an already-running session ' + + 'can hold an older version for its whole lifetime. Removing it mid-session pulls the files ' + + 'out from under that session, which then breaks and must /exit + restart to pick up the ' + + 'active version. Run with --no-exclude-cache to include cached versions in the ' + + 'token/conflict scan.', category: 'plugin-cache-hygiene', })); } diff --git a/tests/scanners/token-hotspots.test.mjs b/tests/scanners/token-hotspots.test.mjs index 039103b..bb42ed9 100644 --- a/tests/scanners/token-hotspots.test.mjs +++ b/tests/scanners/token-hotspots.test.mjs @@ -383,6 +383,16 @@ describe('TOK scanner — H stale plugin-cache versions (v5.9 B3)', () => { assert.match(f.evidence, /mkt\/config-audit\/5\.6\.0/); }); + it('warns against deleting a version a running session still uses (/exit caveat)', async () => { + resetCounter(); + const result = await withHermeticHome(() => scan('/tmp/x', staleDiscovery)); + const f = result.findings.find(x => /stale plugin-cache/i.test(x.title || '')); + assert.match(f.recommendation, /running session|active session/i, + 'recommendation must caution about sessions still using a version'); + assert.match(f.recommendation, /\/exit/, + 'recommendation must tell affected sessions to /exit + restart'); + }); + it('does NOT fire when there are no stale versions', async () => { resetCounter(); const result = await withHermeticHome(() => scan('/tmp/x', { files: [], staleCacheVersions: [] })); From 0f9e319c8572c3f1ad3e46fda733e855fe8ffb81 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Wed, 24 Jun 2026 10:15:54 +0200 Subject: [PATCH 07/31] =?UTF-8?q?release:=20v5.12.1=20=E2=80=94=20"Footgun?= =?UTF-8?q?=20guard"=20(Pattern=20H=20live-session=20caveat)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Version-sync for the Pattern H recommendation fix shipped in 45efed3: - plugin.json 5.12.0 -> 5.12.1 - README version badge + version-history row (1297 tests) - CHANGELOG [5.12.1] entry Recommendation string only — no new finding ID or scanner (count stays 16, agents 7, commands 21), no token figures changed, so --json/--raw stay byte-stable and frozen v5.0.0 + SC-5 + default-output snapshots are untouched. Co-Authored-By: Claude Opus 4.8 (1M context) --- .claude-plugin/plugin.json | 2 +- CHANGELOG.md | 18 ++++++++++++++++++ README.md | 3 ++- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index b788502..cd197a2 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -1,7 +1,7 @@ { "name": "config-audit", "description": "Multi-agent workflow for analyzing, reporting, and optimizing Claude Code configuration across your entire machine", - "version": "5.12.0", + "version": "5.12.1", "author": { "name": "Kjell Tore Guttormsen" }, diff --git a/CHANGELOG.md b/CHANGELOG.md index 76fa697..99e88cc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [5.12.1] - 2026-06-24 + +### Summary +"Footgun guard" — Pattern H (stale plugin-cache versions, `token-hotspots`) recommended deleting +stale version directories without warning that a currently-running session may still hold one of +those versions for its whole lifetime. "Stale" is judged against `installed_plugins.json` (what NEW +sessions load), so the recommendation could reproduce the exact failure that broke a live session: +deleting the directory pulls the files out from under the running session, which then breaks and +must `/exit` + restart. Recommendation text only — no new finding ID or scanner (count stays **16**, +agents **7**, commands **21**), no token figures changed, so `--json`/`--raw` stay byte-stable and +the frozen v5.0.0 + SC-5 + default-output snapshots are untouched. **1297** tests. + +### Fixed +- **Pattern H live-session caveat (`token-hotspots`, `plugin-cache-hygiene`).** The stale-cache + cleanup recommendation now cautions against deleting a version a running session still uses, and + tells affected sessions to `/exit` + restart to pick up the active version — closing the footgun + that broke a live session during the C4 cache cleanup. + ## [5.12.0] - 2026-06-23 ### Summary diff --git a/README.md b/README.md index 4db637a..0e45a67 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ *AI-generated: all code produced by Claude Code through dialog-driven development. [Full disclosure →](../../README.md#ai-generated-code-disclosure)* -![Version](https://img.shields.io/badge/version-5.12.0-blue) +![Version](https://img.shields.io/badge/version-5.12.1-blue) ![Platform](https://img.shields.io/badge/platform-Claude_Code_Plugin-purple) ![Scanners](https://img.shields.io/badge/scanners-16-cyan) ![Commands](https://img.shields.io/badge/commands-21-green) @@ -662,6 +662,7 @@ This plugin is cautious by design — configuration files are important, and a b | Version | Date | Highlights | |---------|------|-----------| +| **5.12.1** | 2026-06-24 | "Footgun guard" — Pattern H (stale plugin-cache versions, `token-hotspots`) recommended deleting stale version dirs with **no warning** that a currently-running session may still hold one of those versions for its whole lifetime. "Stale" is judged against `installed_plugins.json` (what NEW sessions load), so the recommendation could reproduce the exact failure that breaks a live session: deleting the dir pulls the files out from under the running session, which then must `/exit` + restart. The `plugin-cache-hygiene` recommendation now carries the live-session caveat. **Recommendation string only** — no new finding ID or scanner (count stays **16**, agents **7**, commands **21**), no token figures changed, so `--json`/`--raw` stay byte-stable and the frozen v5.0.0 + SC-5 + default-output snapshots are untouched. **1297** tests. | | **5.12.0** | 2026-06-23 | "Auto-calibration" — completes the deferred B8 half (**B8b**): `--context-window auto` now **probes the configured model** instead of always falling back to advisory. New pure `modelToContextWindow()` maps known 1M-tier model IDs (Fable 5, Opus 4.8/4.7/4.6, Sonnet 4.6 — verified June 2026 — plus the explicit `[1m]` tier tag, dated/provider-prefixed IDs, and the `opus`/`sonnet`/`fable` aliases) to the 1M window; new IO helper `lib/active-model.mjs` `resolveActiveModel()` reads the model the way Claude Code resolves it (shell `ANTHROPIC_MODEL` override, then the settings cascade local > project > user). When `auto` resolves a recognized model the budget calibrates to its window (`auto-probed`, not advisory); when no model is pinned or it is unrecognized it keeps the conservative anchor and stays advisory (`auto-unresolved`) — the honest fallback. No new finding ID or scanner (count stays **16**, agents **7**, commands **21**); the default and explicit `--context-window` paths are unchanged, so `--json`/`--raw` stay byte-stable and the frozen v5.0.0 + SC-5 snapshots are untouched. **1296** tests. | | **5.11.0** | 2026-06-23 | "Precision polish" — the two LOW-priority calibration gaps, both additive (scanner count stays **16**, agents **7**, commands **21**; `--json`/`--raw` byte-stable, frozen v5.0.0 + SC-5 untouched). **B7 — oversized skill body (`CA-SKL-003`, low):** the SKL scanner now measures the SKILL.md **body** (it already read the file in full) and flags bodies over ~5,000 tokens, recommending a supporting-file split + `context: fork`. Honestly framed as an **on-demand** cost — the body loads only when the skill is invoked, **not** every turn like the always-loaded listing — hence low severity. **B8 — context-window calibration (`--context-window`):** `CA-SKL-002` (skill-listing budget) and the CML char-budget now calibrate to a real context window via `--context-window ` (e.g. `1000000` stops the 200k anchor crying wolf on a 1M host) instead of always anchoring at 200k; `--context-window auto` keeps the conservative anchor but **downgrades budget findings to info/advisory** rather than firing a breach (model→window auto-probing deferred to a later B8b). No flag → byte-identical to the pre-B8 200k default. CPS is intentionally excluded (no window-anchored budget to calibrate). 1279 tests | | **5.10.0** | 2026-06-23 | "Deferral & injection hygiene" — three additive hardening levers that extend existing scanners toward a tighter always-loaded prefix (scanner count stays **16**, agents **7**, commands **21**; `--json`/`--raw` byte-stable, frozen v5.0.0 + SC-5 untouched). **B4 — MCP tool-schema deferral (`CA-TOK-006`; tokens patterns 7→8):** Claude Code defers MCP tool schemas (names-only, ~120 tok; full schemas load on demand) by default, so `CA-TOK-006` detects config-file signals that force the FULL schemas into the always-loaded prefix every turn — `env.ENABLE_TOOL_SEARCH="false"` (high), a `"ToolSearch"` deny (high), a configured Haiku model (medium), or per-server `alwaysLoad:true` (CC v2.1.121+, high); severity scales with the aggregate forced-upfront tokens. New pure engine `lib/mcp-deferral.mjs` shared by TOK + GAP, plus a feature-gap **CLI-over-MCP** companion lever (prefer `gh`/`aws`/`gcloud`). Triggers on config files ONLY — Vertex / custom `ANTHROPIC_BASE_URL` / a runtime `/model` switch are launch state and are disclosed, never triggered; the prefix-cache-invalidation claim was NOT-CONFIRMED in docs and is not asserted. **B5 — hook `additionalContext` advisory + filter-before lever:** HKV emits an info advisory when a hook injects unfiltered output into `additionalContext`, with a feature-gap **filter-before-Claude-reads** companion citing the documented `filter-test-output.sh` pattern. **B6 — CPS `@import` volatile scan:** the cache-prefix scanner now follows `@import`s (one hop) and flags volatile content in the imported file that breaks the cached prefix — a new medium finding, keyed on the resolved file. 1257 tests | From be1056aac069278795bccadc6b20fa2a0d05647a Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Wed, 24 Jun 2026 10:50:28 +0200 Subject: [PATCH 08/31] fix(acr): enumeratePlugins honors enabledPlugins + polyrepo cache installPaths (M-BUG-1) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit active-config-reader walked ~/.claude/plugins/marketplaces and ignored both the enabledPlugins toggle and the polyrepo cache layout. On a polyrepo machine it counted disabled/uninstalled marketplaces plugins as "active" while MISSING the actually-enabled plugins installed under plugins/cache. This corrupted the agent listing and every pluginList consumer (manifest, AGT, whats-active, hooks, rules). Now: when installed_plugins.json is present, inject only plugins that are in the manifest AND enabledPlugins[key]===true, each resolved to its active installPath (incl. cache/). When the manifest is absent (fixtures/pre-v2 installs), fall back to the historic marketplaces walk rather than silently dropping config — mirrors file-discovery.mjs's "trust installed_plugins.json" contract. Verified on real machine: agent listing 114->104, ghost plugins (newsletter, content-machine, harness, kiur, ...) gone, voyage/linkedin/ms-ai/okr now correctly counted. Full suite 1301/0; byte-stable snapshots untouched (hermetic empty HOME). Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01CrTb8ktf1XZWEVwgz5MTTo --- scanners/lib/active-config-reader.mjs | 115 +++++++++++++++++++++-- tests/lib/active-config-reader.test.mjs | 119 ++++++++++++++++++++++++ 2 files changed, 227 insertions(+), 7 deletions(-) diff --git a/scanners/lib/active-config-reader.mjs b/scanners/lib/active-config-reader.mjs index 5fa017e..a5a46e1 100644 --- a/scanners/lib/active-config-reader.mjs +++ b/scanners/lib/active-config-reader.mjs @@ -327,19 +327,120 @@ export async function readClaudeJsonProjectSlice(repoPath) { // ───────────────────────────────────────────────────────────────────────── /** - * Enumerate all plugins installed under ~/.claude/plugins/marketplaces. - * For each plugin: counts commands, agents, skills, hooks, rules; reads version from plugin.json. + * Enumerate the plugins Claude Code actually injects for a repo. * + * Authoritative source is `~/.claude/plugins/installed_plugins.json` (the install + * manifest) gated by the `enabledPlugins` toggle map. Only plugins that are both + * installed AND `enabledPlugins[key] === true` are injected, so only those are + * counted — each resolved to its ACTIVE `installPath`, which for polyrepo plugins + * lives under `plugins/cache` (never under `plugins/marketplaces`, so the historic + * marketplaces walk missed them entirely while also counting disabled/uninstalled + * marketplaces plugins). Mirrors file-discovery.mjs's "trust installed_plugins.json" + * contract: when the manifest is absent (test fixtures, pre-v2 installs) we cannot + * tell enabled from installed, so we fall back to discovering everything under + * `plugins/marketplaces` rather than silently dropping config. (M-BUG-1) + * + * @param {string} [repoPath] - when given, project/local-scoped installs and + * project-level `enabledPlugins` overrides are resolved relative to it; omit for + * HOME/global scope (only user-scope installs + user `enabledPlugins`). * @returns {Promise>} */ -export async function enumeratePlugins() { +export async function enumeratePlugins(repoPath) { const home = process.env.HOME || process.env.USERPROFILE || ''; if (!home) return []; - const marketplacesRoot = join(home, '.claude', 'plugins', 'marketplaces'); - const pluginRoots = await discoverAllPluginsUnder(marketplacesRoot); + const installed = await readInstalledPluginsManifest(home); - // Dedupe via realpath (symlinks are common) + let pluginRoots; + if (installed) { + // Manifest present → inject only ENABLED plugins, from their active installPath. + const enabled = await readEnabledPluginsMap(home, repoPath); + pluginRoots = []; + for (const [key, recs] of Object.entries(installed)) { + if (enabled[key] !== true) continue; // not explicitly enabled → not injected + const rec = pickActivePluginRecord(recs, repoPath); + if (!rec || !rec.installPath) continue; + try { + await stat(rec.installPath); // skip enabled-but-missing installPaths + pluginRoots.push(rec.installPath); + } catch { /* installPath gone → not loadable */ } + } + } else { + // No manifest → cannot tell enabled from installed → discover all on disk. + pluginRoots = await discoverAllPluginsUnder(join(home, '.claude', 'plugins', 'marketplaces')); + } + + return buildPluginRecords(pluginRoots); +} + +/** + * Read the install manifest's `plugins` map ({ "name@marketplace": [record, …] }). + * Returns null when absent/unparseable so callers fall back to disk discovery. + */ +async function readInstalledPluginsManifest(home) { + const p = join(home, '.claude', 'plugins', 'installed_plugins.json'); + let raw; + try { raw = await readFile(p, 'utf-8'); } catch { return null; } + const parsed = parseJson(raw); + if (!parsed || !parsed.plugins || typeof parsed.plugins !== 'object') return null; + return parsed.plugins; +} + +/** + * Merge the `enabledPlugins` toggle map across the scopes Claude Code reads: + * user settings.json, then (when repoPath given) project settings + local + the + * ~/.claude.json project slice. Later scopes override earlier ones. + */ +async function readEnabledPluginsMap(home, repoPath) { + const merged = {}; + const sources = [join(home, '.claude', 'settings.json')]; + if (repoPath) { + sources.push(join(repoPath, '.claude', 'settings.json')); + sources.push(join(repoPath, '.claude', 'settings.local.json')); + } + for (const s of sources) { + try { + const parsed = parseJson(await readFile(s, 'utf-8')); + if (parsed && parsed.enabledPlugins && typeof parsed.enabledPlugins === 'object') { + Object.assign(merged, parsed.enabledPlugins); + } + } catch { /* missing/unreadable scope */ } + } + if (repoPath) { + try { + const slice = await readClaudeJsonProjectSlice(repoPath); + if (slice && slice.enabledPlugins && typeof slice.enabledPlugins === 'object') { + Object.assign(merged, slice.enabledPlugins); + } + } catch { /* ignore */ } + } + return merged; +} + +/** + * Pick the applicable install record for a plugin. User-scope records apply + * everywhere; project/local-scope records only when repoPath is within their + * projectPath (so a project-scoped plugin never leaks into HOME/global scope). + */ +function pickActivePluginRecord(recs, repoPath) { + if (!Array.isArray(recs) || recs.length === 0) return null; + const applicable = recs.filter((r) => { + if (!r || !r.installPath) return false; + const scope = r.scope || 'user'; + if (scope === 'user') return true; + if (!repoPath || !r.projectPath) return false; + const target = normalizePath(resolve(repoPath)); + const pp = normalizePath(resolve(r.projectPath)); + return target === pp || target.startsWith(pp + sep); + }); + return applicable.find((r) => (r.scope || 'user') === 'user') || applicable[0] || null; +} + +/** + * Build plugin records from a list of plugin root paths: dedupe via realpath, + * count items, read plugin.json name/version. + */ +async function buildPluginRecords(pluginRoots) { const seen = new Set(); const results = []; for (const root of pluginRoots) { @@ -1017,7 +1118,7 @@ export async function readActiveConfig(repoPath, opts = {}) { detectGitRoot(absRepoPath), walkClaudeMdCascade(absRepoPath), readClaudeJsonProjectSlice(absRepoPath), - enumeratePlugins(), + enumeratePlugins(absRepoPath), readSettingsCascade(absRepoPath), ]); diff --git a/tests/lib/active-config-reader.test.mjs b/tests/lib/active-config-reader.test.mjs index 61fd5ec..0576727 100644 --- a/tests/lib/active-config-reader.test.mjs +++ b/tests/lib/active-config-reader.test.mjs @@ -415,6 +415,125 @@ describe('enumeratePlugins', () => { }); }); +// ───────────────────────────────────────────────────────────────────────── +// enumeratePlugins — enabledPlugins + installed_plugins.json (M-BUG-1) +// ───────────────────────────────────────────────────────────────────────── + +/** + * Build a fake HOME that mirrors a real machine: an installed_plugins.json + * manifest (polyrepo plugins live under plugins/cache, monorepo ones under + * plugins/marketplaces) + an enabledPlugins toggle map in settings.json. + * + * The enumerator must inject ONLY enabled plugins, resolving each to its ACTIVE + * installPath — including cache/ paths the marketplaces walk never sees — and + * must NOT count disabled plugins, plugins absent from enabledPlugins, or + * marketplaces plugins absent from the manifest entirely (the real M-BUG-1). + */ +async function buildManifestHome(home) { + const cacheRoot = join(home, '.claude', 'plugins', 'cache', 'mp'); + const mpRoot = join(home, '.claude', 'plugins', 'marketplaces', 'mp', 'plugins'); + + async function makePlugin(root, name, version) { + await mkdir(join(root, '.claude-plugin'), { recursive: true }); + await writeFile( + join(root, '.claude-plugin', 'plugin.json'), + JSON.stringify({ name, description: name, version }, null, 2), + ); + await mkdir(join(root, 'agents'), { recursive: true }); + await writeFile( + join(root, 'agents', `${name}-agent.md`), + `---\nname: ${name}-agent\ndescription: ${name} agent\n---\nbody\n`, + ); + } + + const enabledCachePath = join(cacheRoot, 'enabled-cache', '1.0.0'); + const disabledCachePath = join(cacheRoot, 'disabled-cache', '1.0.0'); + const enabledMpPath = join(mpRoot, 'enabled-mp'); + const notToggledMpPath = join(mpRoot, 'not-toggled-mp'); + const ghostMpPath = join(mpRoot, 'ghost-mp'); // on disk, absent from manifest + + await makePlugin(enabledCachePath, 'enabled-cache', '1.0.0'); + await makePlugin(disabledCachePath, 'disabled-cache', '1.0.0'); + await makePlugin(enabledMpPath, 'enabled-mp', '0.1.0'); + await makePlugin(notToggledMpPath, 'not-toggled-mp', '0.1.0'); + await makePlugin(ghostMpPath, 'ghost-mp', '0.1.0'); + + await mkdir(join(home, '.claude', 'plugins'), { recursive: true }); + await writeFile( + join(home, '.claude', 'plugins', 'installed_plugins.json'), + JSON.stringify({ + version: 2, + plugins: { + 'enabled-cache@mp': [{ scope: 'user', installPath: enabledCachePath, version: '1.0.0' }], + 'disabled-cache@mp': [{ scope: 'user', installPath: disabledCachePath, version: '1.0.0' }], + 'enabled-mp@mp': [{ scope: 'user', installPath: enabledMpPath, version: '0.1.0' }], + 'not-toggled-mp@mp': [{ scope: 'user', installPath: notToggledMpPath, version: '0.1.0' }], + // ghost-mp deliberately absent from the manifest + }, + }, null, 2), + ); + + await writeFile( + join(home, '.claude', 'settings.json'), + JSON.stringify({ + enabledPlugins: { + 'enabled-cache@mp': true, + 'disabled-cache@mp': false, + 'enabled-mp@mp': true, + // not-toggled-mp@mp deliberately absent (treated as not enabled) + }, + }, null, 2), + ); +} + +describe('enumeratePlugins — enabledPlugins + installed_plugins.json (M-BUG-1)', () => { + let home, originalHome; + beforeEach(async () => { + home = uniqueDir('manifest-home'); + await mkdir(home, { recursive: true }); + originalHome = process.env.HOME; + process.env.HOME = home; + }); + afterEach(async () => { + process.env.HOME = originalHome; + await rm(home, { recursive: true, force: true }); + }); + + it('injects only ENABLED plugins (honors enabledPlugins toggle)', async () => { + await buildManifestHome(home); + const names = (await enumeratePlugins()).map(p => p.name).sort(); + assert.deepEqual(names, ['enabled-cache', 'enabled-mp']); + }); + + it('excludes disabled, not-toggled, and manifest-absent (ghost) plugins', async () => { + await buildManifestHome(home); + const names = (await enumeratePlugins()).map(p => p.name); + assert.ok(!names.includes('disabled-cache'), 'disabled plugin must not be injected'); + assert.ok(!names.includes('not-toggled-mp'), 'plugin absent from enabledPlugins must not be injected'); + assert.ok(!names.includes('ghost-mp'), 'marketplaces plugin absent from manifest must not be injected'); + }); + + it('resolves an enabled plugin from plugins/cache (polyrepo installPath)', async () => { + await buildManifestHome(home); + const cached = (await enumeratePlugins()).find(p => p.name === 'enabled-cache'); + assert.ok(cached, 'cache-installed enabled plugin must be discovered'); + assert.ok(cached.path.includes(join('plugins', 'cache')), `expected a cache/ path, got ${cached.path}`); + assert.equal(cached.agents, 1); + }); + + it('falls back to the marketplaces walk when installed_plugins.json is absent', async () => { + // No manifest → cannot tell enabled from installed → discover all on disk. + const legacyRoot = join(home, '.claude', 'plugins', 'marketplaces', 'mp', 'plugins', 'legacy'); + await mkdir(join(legacyRoot, '.claude-plugin'), { recursive: true }); + await writeFile( + join(legacyRoot, '.claude-plugin', 'plugin.json'), + JSON.stringify({ name: 'legacy', version: '9.9.9' }, null, 2), + ); + const plugins = await enumeratePlugins(); + assert.ok(plugins.find(p => p.name === 'legacy'), 'legacy marketplaces plugin discovered via fallback'); + }); +}); + // ───────────────────────────────────────────────────────────────────────── // enumerateSkills // ───────────────────────────────────────────────────────────────────────── From a1e786ba4f91275b9cbb9ed6677777e695e79976 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Wed, 24 Jun 2026 14:59:43 +0200 Subject: [PATCH 09/31] =?UTF-8?q?release:=20v5.12.2=20=E2=80=94=20"Honest?= =?UTF-8?q?=20census"=20(M-BUG-1:=20honest=20plugin=20enumeration)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit enumeratePlugins now honors enabledPlugins (disabled plugins no longer contribute phantom agents/skills/commands) and enumerates polyrepo plugins from their active installPath in installed_plugins.json, not only marketplaces//plugins/. Fixes manifest/whats-active/AGT/token-hotspots for any user with disabled plugins or a polyrepo marketplace. No count change (scanners 16, agents 7, commands 21); --json/--raw byte-stable, frozen v5.0.0 + SC-5 + default-output snapshots untouched. 1301 tests. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01XYFipiVaRtbimkDjDnnKvY --- .claude-plugin/plugin.json | 2 +- CHANGELOG.md | 23 +++++++++++++++++++++++ README.md | 5 +++-- 3 files changed, 27 insertions(+), 3 deletions(-) diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index cd197a2..afa83f2 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -1,7 +1,7 @@ { "name": "config-audit", "description": "Multi-agent workflow for analyzing, reporting, and optimizing Claude Code configuration across your entire machine", - "version": "5.12.1", + "version": "5.12.2", "author": { "name": "Kjell Tore Guttormsen" }, diff --git a/CHANGELOG.md b/CHANGELOG.md index 99e88cc..21ee440 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,29 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [5.12.2] - 2026-06-24 + +### Summary +"Honest census" — fixes a plugin-enumeration bug (`M-BUG-1`, dogfooding find) that made the +always-loaded inventory untrustworthy on two common setups: machines with **disabled plugins** and +**polyrepo marketplaces**. `enumeratePlugins` walked `~/.claude/plugins/marketplaces//plugins/` +and ignored both enable-state and the polyrepo cache layout, so it **over-counted phantom agents** +from disabled/unenabled plugins while **missing the entire enabled polyrepo set** (whose plugins +live under `cache/`, not `marketplaces//plugins/`). It now gates on `installed_plugins.json` + +`enabledPlugins` and enumerates each plugin from its active `installPath`, with the marketplaces +walk as fallback. Affects `manifest`, `whats-active`, the agent-listing (AGT) and `token-hotspots` +for every such user. No new finding ID or scanner (count stays **16**, agents **7**, commands +**21**); `--json`/`--raw` stay byte-stable and the frozen v5.0.0 + SC-5 + default-output snapshots +are untouched. **1301** tests (+4). + +### Fixed +- **`active-config-reader` plugin enumeration (`M-BUG-1`).** `enumeratePlugins(repoPath)` now honors + `enabledPlugins` (disabled plugins no longer contribute phantom agents/skills/commands) and + enumerates polyrepo plugins from their active `installPath` in `installed_plugins.json` (not only + `marketplaces//plugins/`). Real-machine verify: the always-loaded agent listing dropped from + 114 to 104 with the phantom ghosts gone and the true enabled set present. TDD: 4 failing tests → + fix → full suite 1301/0, snapshots untouched. + ## [5.12.1] - 2026-06-24 ### Summary diff --git a/README.md b/README.md index 0e45a67..eabf02d 100644 --- a/README.md +++ b/README.md @@ -6,13 +6,13 @@ *AI-generated: all code produced by Claude Code through dialog-driven development. [Full disclosure →](../../README.md#ai-generated-code-disclosure)* -![Version](https://img.shields.io/badge/version-5.12.1-blue) +![Version](https://img.shields.io/badge/version-5.12.2-blue) ![Platform](https://img.shields.io/badge/platform-Claude_Code_Plugin-purple) ![Scanners](https://img.shields.io/badge/scanners-16-cyan) ![Commands](https://img.shields.io/badge/commands-21-green) ![Agents](https://img.shields.io/badge/agents-7-orange) ![Hooks](https://img.shields.io/badge/hooks-4-red) -![Tests](https://img.shields.io/badge/tests-1279+-brightgreen) +![Tests](https://img.shields.io/badge/tests-1301-brightgreen) ![License](https://img.shields.io/badge/license-MIT-lightgrey) A Claude Code plugin that checks configuration health, suggests context-aware improvements, and auto-fixes issues — `CLAUDE.md`, `settings.json`, hooks, rules, MCP servers, `@imports`, and plugins. 16 deterministic scanners across 10 quality areas, context-aware feature recommendations, auto-fix with backup/rollback, a prompt-cache-aware Token Hotspots scanner with optional API-calibrated `--accurate-tokens` mode, plus cache-prefix stability, dead-tool, cross-plugin collision, output-style, and always-loaded agent-listing-budget detection. Zero external dependencies. @@ -662,6 +662,7 @@ This plugin is cautious by design — configuration files are important, and a b | Version | Date | Highlights | |---------|------|-----------| +| **5.12.2** | 2026-06-24 | "Honest census" — fixes `M-BUG-1` (dogfooding find): `enumeratePlugins` walked `~/.claude/plugins/marketplaces//plugins/` and ignored both enable-state and the polyrepo cache layout, so it **over-counted phantom agents** from disabled plugins while **missing the entire enabled polyrepo set** (whose plugins live under `cache/`). It now gates on `installed_plugins.json` + `enabledPlugins` and enumerates each plugin from its active `installPath`, with the marketplaces walk as fallback. Fixes `manifest`/`whats-active`/AGT/`token-hotspots` for any user with disabled plugins or a polyrepo marketplace. No count change (scanners **16**, agents **7**, commands **21**); `--json`/`--raw` byte-stable, frozen v5.0.0 + SC-5 + default-output snapshots untouched. Real-machine verify: agent listing 114→104, ghosts gone. **1301** tests. | | **5.12.1** | 2026-06-24 | "Footgun guard" — Pattern H (stale plugin-cache versions, `token-hotspots`) recommended deleting stale version dirs with **no warning** that a currently-running session may still hold one of those versions for its whole lifetime. "Stale" is judged against `installed_plugins.json` (what NEW sessions load), so the recommendation could reproduce the exact failure that breaks a live session: deleting the dir pulls the files out from under the running session, which then must `/exit` + restart. The `plugin-cache-hygiene` recommendation now carries the live-session caveat. **Recommendation string only** — no new finding ID or scanner (count stays **16**, agents **7**, commands **21**), no token figures changed, so `--json`/`--raw` stay byte-stable and the frozen v5.0.0 + SC-5 + default-output snapshots are untouched. **1297** tests. | | **5.12.0** | 2026-06-23 | "Auto-calibration" — completes the deferred B8 half (**B8b**): `--context-window auto` now **probes the configured model** instead of always falling back to advisory. New pure `modelToContextWindow()` maps known 1M-tier model IDs (Fable 5, Opus 4.8/4.7/4.6, Sonnet 4.6 — verified June 2026 — plus the explicit `[1m]` tier tag, dated/provider-prefixed IDs, and the `opus`/`sonnet`/`fable` aliases) to the 1M window; new IO helper `lib/active-model.mjs` `resolveActiveModel()` reads the model the way Claude Code resolves it (shell `ANTHROPIC_MODEL` override, then the settings cascade local > project > user). When `auto` resolves a recognized model the budget calibrates to its window (`auto-probed`, not advisory); when no model is pinned or it is unrecognized it keeps the conservative anchor and stays advisory (`auto-unresolved`) — the honest fallback. No new finding ID or scanner (count stays **16**, agents **7**, commands **21**); the default and explicit `--context-window` paths are unchanged, so `--json`/`--raw` stay byte-stable and the frozen v5.0.0 + SC-5 snapshots are untouched. **1296** tests. | | **5.11.0** | 2026-06-23 | "Precision polish" — the two LOW-priority calibration gaps, both additive (scanner count stays **16**, agents **7**, commands **21**; `--json`/`--raw` byte-stable, frozen v5.0.0 + SC-5 untouched). **B7 — oversized skill body (`CA-SKL-003`, low):** the SKL scanner now measures the SKILL.md **body** (it already read the file in full) and flags bodies over ~5,000 tokens, recommending a supporting-file split + `context: fork`. Honestly framed as an **on-demand** cost — the body loads only when the skill is invoked, **not** every turn like the always-loaded listing — hence low severity. **B8 — context-window calibration (`--context-window`):** `CA-SKL-002` (skill-listing budget) and the CML char-budget now calibrate to a real context window via `--context-window ` (e.g. `1000000` stops the 200k anchor crying wolf on a 1M host) instead of always anchoring at 200k; `--context-window auto` keeps the conservative anchor but **downgrades budget findings to info/advisory** rather than firing a breach (model→window auto-probing deferred to a later B8b). No flag → byte-identical to the pre-B8 200k default. CPS is intentionally excluded (no window-anchored budget to calibrate). 1279 tests | From 7f097d524f5e48239015d1975b7be4398cb8d8fb Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 26 Jun 2026 00:19:27 +0200 Subject: [PATCH 10/31] =?UTF-8?q?fix(acr):=20enumerateAgents=20counts=20on?= =?UTF-8?q?ly=20CC-registered=20agents=20=E2=80=94=20recurse=20+=20frontma?= =?UTF-8?q?tter=20filter=20+=20HOME=20dedup=20(M-BUG-3/4/5)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit enumerateAgents previously counted every .md in an agents dir as an always-loaded agent. Per the official CC subagents docs, CC registers a subagent only when its frontmatter declares both name and description, scans agents dirs recursively, and (at a HOME self-scan) must not count ~/.claude/agents twice. - M-BUG-5: require valid name+description frontmatter; frontmatter-less files are registration no-ops costing 0 always-loaded tokens. Fixes the user-agent over-count (this machine: 13 -> 0). - M-BUG-3: listMarkdownFiles gains opt-in recursion; enumerateAgents recurses so agents in subfolders (agents/review/x.md) are counted, matching CC. - M-BUG-4: configDirs dedupes project==user paths, so a `manifest --global` self-scan (repoPath===$HOME) counts ~/.claude once (user scope), killing the spurious "project 13" double-count. Benefits rules/agents/output-styles. TDD: 4 failing tests -> green. Full suite 1305/0; --json/--raw byte-stable, frozen v5.0.0 + SC-5 + default-output snapshots untouched (no snapshot records agent enumeration rows). Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01EnUvKEqyEa1m9gy6Aqhdqq --- scanners/lib/active-config-reader.mjs | 38 +++++++++++++-- tests/lib/active-config-reader.test.mjs | 64 +++++++++++++++++++++++++ 2 files changed, 97 insertions(+), 5 deletions(-) diff --git a/scanners/lib/active-config-reader.mjs b/scanners/lib/active-config-reader.mjs index a5a46e1..fc31ee5 100644 --- a/scanners/lib/active-config-reader.mjs +++ b/scanners/lib/active-config-reader.mjs @@ -572,14 +572,20 @@ async function countPluginItems(pluginRoot) { return counts; } -async function listMarkdownFiles(dir) { +async function listMarkdownFiles(dir, recursive = false) { const out = []; let entries; try { entries = await readdir(dir, { withFileTypes: true }); } catch { return out; } for (const e of entries) { + const full = join(dir, e.name); + if (e.isDirectory()) { + // Opt-in recursion (M-BUG-3): CC scans agents dirs recursively, so agents + // organized into subfolders must be enumerated too. Other callers stay flat. + if (recursive) out.push(...await listMarkdownFiles(full, true)); + continue; + } if (!e.isFile()) continue; if (!e.name.endsWith('.md')) continue; - const full = join(dir, e.name); try { const s = await stat(full); out.push({ path: full, size: s.size }); @@ -662,6 +668,11 @@ export async function enumerateSkills(pluginList = []) { // Rules, agents, output styles (v5.6 Foundation enumeration) // ───────────────────────────────────────────────────────────────────────── +/** True when `v` is a non-empty, non-whitespace string (a usable frontmatter field). */ +function hasText(v) { + return typeof v === 'string' && v.trim().length > 0; +} + /** * Build the project/user/plugin directory list for a per-kind enumerator. * Project + user dirs live under `.claude/`; plugins under each of the @@ -669,8 +680,16 @@ export async function enumerateSkills(pluginList = []) { */ function configDirs(repoPath, pluginList, subdir, pluginSubdirs = [subdir]) { const home = process.env.HOME || process.env.USERPROFILE || ''; - const dirs = [{ dir: join(repoPath, '.claude', subdir), source: 'project', pluginName: null }]; - if (home) dirs.push({ dir: join(home, '.claude', subdir), source: 'user', pluginName: null }); + const projectDir = join(repoPath, '.claude', subdir); + const userDir = home ? join(home, '.claude', subdir) : null; + const dirs = []; + // M-BUG-4: when repoPath === $HOME (the `manifest --global` self-scan), the + // project dir resolves to the same path as the user dir. Count it once, as + // user scope, instead of enumerating the same directory twice. + if (!(userDir && userDir === projectDir)) { + dirs.push({ dir: projectDir, source: 'project', pluginName: null }); + } + if (userDir) dirs.push({ dir: userDir, source: 'user', pluginName: null }); for (const p of pluginList) { for (const sub of pluginSubdirs) { dirs.push({ dir: join(p.path, sub), source: 'plugin', pluginName: p.name }); @@ -730,8 +749,17 @@ export async function enumerateAgents(repoPath, pluginList = []) { const lp = deriveLoadPattern('agent'); const dirs = configDirs(repoPath, pluginList, 'agents'); for (const { dir, source, pluginName } of dirs) { - const files = await listMarkdownFiles(dir); + const files = await listMarkdownFiles(dir, true); // M-BUG-3: CC scans agents dirs recursively for (const f of files) { + // M-BUG-5: CC registers a subagent only when its frontmatter declares both + // `name` and `description` (docs: identity comes only from `name`; both are + // required). Frontmatter-less / incomplete files are registration no-ops + // that cost zero always-loaded tokens — don't count them as agents. + let frontmatter; + try { + ({ frontmatter } = parseFrontmatter(await readFile(f.path, 'utf-8'))); + } catch { continue; } + if (!hasText(frontmatter && frontmatter.name) || !hasText(frontmatter && frontmatter.description)) continue; out.push({ name: basename(f.path).replace(/\.md$/, ''), source, diff --git a/tests/lib/active-config-reader.test.mjs b/tests/lib/active-config-reader.test.mjs index 0576727..10c1874 100644 --- a/tests/lib/active-config-reader.test.mjs +++ b/tests/lib/active-config-reader.test.mjs @@ -952,6 +952,70 @@ describe('enumerateAgents (v5.6)', () => { await mkdir(root, { recursive: true }); assert.deepEqual(await enumerateAgents(root, []), []); }); + + // M-BUG-5: CC registers a subagent only when its frontmatter declares both + // `name` and `description` (docs: identity comes only from `name`; both are + // required). Frontmatter-less / incomplete files are registration no-ops that + // cost zero always-loaded tokens — they must NOT be counted as agents. + it('M-BUG-5: skips files with no frontmatter at all', async () => { + const dir = join(root, '.claude', 'agents'); + await mkdir(dir, { recursive: true }); + await writeFile(join(dir, 'reviewer.md'), '---\nname: reviewer\ndescription: reviews code\n---\nbody\n'); + await writeFile(join(dir, 'not-an-agent.md'), '# Not An Agent\n\nJust a markdown doc, no frontmatter.\n'); + const agents = await enumerateAgents(root, []); + assert.deepEqual(agents.map(a => a.name).sort(), ['reviewer']); + }); + + it('M-BUG-5: skips files missing name or description', async () => { + const dir = join(root, '.claude', 'agents'); + await mkdir(dir, { recursive: true }); + await writeFile(join(dir, 'reviewer.md'), '---\nname: reviewer\ndescription: reviews code\n---\nbody\n'); + await writeFile(join(dir, 'name-only.md'), '---\nname: name-only\n---\nbody\n'); + await writeFile(join(dir, 'desc-only.md'), '---\ndescription: has no name\n---\nbody\n'); + await writeFile(join(dir, 'empty-name.md'), '---\nname:\ndescription: blank name\n---\nbody\n'); + const agents = await enumerateAgents(root, []); + assert.deepEqual(agents.map(a => a.name).sort(), ['reviewer']); + }); + + // M-BUG-3: CC scans agents dirs recursively, so a valid agent in a subfolder + // (e.g. agents/review/security.md) is registered and must be counted. + it('M-BUG-3: recurses into agent subdirectories', async () => { + const sub = join(root, '.claude', 'agents', 'review'); + await mkdir(sub, { recursive: true }); + await writeFile(join(sub, 'security.md'), '---\nname: security\ndescription: security review\n---\nbody\n'); + const agents = await enumerateAgents(root, []); + const a = agents.find(x => x.name === 'security'); + assert.ok(a, 'agent in subdir should be counted'); + assert.equal(a.source, 'project'); + }); +}); + +// M-BUG-4: when repoPath === $HOME (the `manifest --global` self-scan), the +// project agents dir resolves to the SAME path as the user agents dir. The +// shared configDirs helper must count it once (as user scope), not twice. +describe('enumerateAgents — HOME self-scan dedup (M-BUG-4)', () => { + let home, originalHome; + beforeEach(async () => { + home = uniqueDir('agents-home-selfscan'); + await mkdir(join(home, '.claude', 'agents'), { recursive: true }); + originalHome = process.env.HOME; + process.env.HOME = home; + }); + afterEach(async () => { + process.env.HOME = originalHome; + await rm(home, { recursive: true, force: true }); + }); + + it('does not double-count user agents when repoPath === HOME', async () => { + await writeFile( + join(home, '.claude', 'agents', 'solo.md'), + '---\nname: solo\ndescription: only one of me\n---\nbody\n', + ); + const agents = await enumerateAgents(home, []); + const solos = agents.filter(a => a.name === 'solo'); + assert.equal(solos.length, 1, 'agent at HOME must be counted once, not twice'); + assert.equal(solos[0].source, 'user', 'HOME self-scan agents are user scope'); + }); }); describe('enumerateOutputStyles (v5.6)', () => { From 4ad1875b31852155ffe55a8db7b0920597753118 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 26 Jun 2026 00:37:40 +0200 Subject: [PATCH 11/31] =?UTF-8?q?release:=20v5.12.3=20=E2=80=94=20"Phantom?= =?UTF-8?q?=20agents"=20(M-BUG-3/4/5:=20enumerateAgents=20counts=20only=20?= =?UTF-8?q?CC-registered=20agents)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Releases commit 7f097d5. enumerateAgents now counts only the agents Claude Code actually registers: recurse into agent subdirs (M-BUG-3), dedupe project==user path when the scope root is $HOME (M-BUG-4, root cause — also fixed rules and output-styles), and require valid name+description frontmatter before counting a file (M-BUG-5). Real-machine verify: user-agent count 13->0 (all 12 user agents plus REMEMBER.md are frontmatter-less, so CC registers none), HOME project-dup 13->0; corrected always-loaded baseline is ~53, not 66. No count change (scanners 16, agents 7, commands 21); agent enumeration is machine-dependent and absent from the frozen snapshots, so v5.0.0 + SC-5 + default-output stay byte-stable. 1305 tests. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01EnUvKEqyEa1m9gy6Aqhdqq --- .claude-plugin/plugin.json | 2 +- CHANGELOG.md | 30 ++++++++++++++++++++++++++++++ README.md | 5 +++-- 3 files changed, 34 insertions(+), 3 deletions(-) diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index afa83f2..cb42360 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -1,7 +1,7 @@ { "name": "config-audit", "description": "Multi-agent workflow for analyzing, reporting, and optimizing Claude Code configuration across your entire machine", - "version": "5.12.2", + "version": "5.12.3", "author": { "name": "Kjell Tore Guttormsen" }, diff --git a/CHANGELOG.md b/CHANGELOG.md index 21ee440..8b70746 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,36 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [5.12.3] - 2026-06-26 + +### Summary +"Phantom agents" — fixes `M-BUG-3/4/5` (dogfooding finds) in `scanners/lib/active-config-reader.mjs` +so that `enumerateAgents` counts only the agents Claude Code actually **registers**. Per the official +subagents documentation, an agent file must carry valid `name`+`description` frontmatter, and CC +scans the agents directory **recursively** while silently skipping frontmatter-less files. The reader +violated all three rules: it counted every `.md` regardless of frontmatter (`M-BUG-5`), never recursed +into agent subdirectories (`M-BUG-3`), and double-counted entries when the project directory equals the +user directory — the case when the scope root is `$HOME` (`M-BUG-4`, the root cause, which also affected +rules and output-styles). Real-machine verify: the user-agent count dropped **13→0** (all 12 user +agents plus `REMEMBER.md` are frontmatter-less, so CC registers none of them) and the HOME `project` +duplicate dropped **13→0**; the corrected always-loaded baseline is ≈ **53**, not 66. Agent enumeration +is machine-dependent and therefore absent from the frozen snapshots, so the v5.0.0 + SC-5 + +default-output snapshots stay byte-stable; no count change (scanners **16**, agents **7**, commands +**21**). **1305** tests (+4). + +### Fixed +- **`active-config-reader` agent enumeration (`M-BUG-3/4/5`).** Three surgical fixes: + - `listMarkdownFiles` gains an opt-in `recursive` flag so agent enumeration descends into + subdirectories the way Claude Code does (`M-BUG-3`). + - `configDirs` now de-duplicates the project and user paths when they resolve to the same directory + (the case when the scope root is `$HOME`), the root cause that also double-counted rules and + output-styles (`M-BUG-4`). + - `enumerateAgents` requires a valid `name`+`description` frontmatter block before counting a file, + matching CC's actual registration rule — frontmatter-less files are silently skipped (`M-BUG-5`). + - Added a `hasText` frontmatter helper. TDD: 4 failing tests (one per bug) → fix → full suite + 1305/0, frozen v5.0.0 + SC-5 + default-output snapshots untouched (agent enumeration is + machine-dependent and never seeded into a snapshot). + ## [5.12.2] - 2026-06-24 ### Summary diff --git a/README.md b/README.md index eabf02d..275281d 100644 --- a/README.md +++ b/README.md @@ -6,13 +6,13 @@ *AI-generated: all code produced by Claude Code through dialog-driven development. [Full disclosure →](../../README.md#ai-generated-code-disclosure)* -![Version](https://img.shields.io/badge/version-5.12.2-blue) +![Version](https://img.shields.io/badge/version-5.12.3-blue) ![Platform](https://img.shields.io/badge/platform-Claude_Code_Plugin-purple) ![Scanners](https://img.shields.io/badge/scanners-16-cyan) ![Commands](https://img.shields.io/badge/commands-21-green) ![Agents](https://img.shields.io/badge/agents-7-orange) ![Hooks](https://img.shields.io/badge/hooks-4-red) -![Tests](https://img.shields.io/badge/tests-1301-brightgreen) +![Tests](https://img.shields.io/badge/tests-1305-brightgreen) ![License](https://img.shields.io/badge/license-MIT-lightgrey) A Claude Code plugin that checks configuration health, suggests context-aware improvements, and auto-fixes issues — `CLAUDE.md`, `settings.json`, hooks, rules, MCP servers, `@imports`, and plugins. 16 deterministic scanners across 10 quality areas, context-aware feature recommendations, auto-fix with backup/rollback, a prompt-cache-aware Token Hotspots scanner with optional API-calibrated `--accurate-tokens` mode, plus cache-prefix stability, dead-tool, cross-plugin collision, output-style, and always-loaded agent-listing-budget detection. Zero external dependencies. @@ -662,6 +662,7 @@ This plugin is cautious by design — configuration files are important, and a b | Version | Date | Highlights | |---------|------|-----------| +| **5.12.3** | 2026-06-26 | "Phantom agents" — fixes `M-BUG-3/4/5` (dogfooding finds) in `scanners/lib/active-config-reader.mjs`: `enumerateAgents` now counts only the agents Claude Code actually **registers**. Per the official subagents doc, an agent needs valid `name`+`description` frontmatter, and CC scans recursively and silently skips frontmatter-less files. The reader previously (`M-BUG-5`) counted every `.md` regardless of frontmatter, (`M-BUG-3`) never recursed into agent subdirs, and (`M-BUG-4`) double-counted when the project dir equals the user dir (scanning `$HOME` — root cause, also affecting rules/output-styles). Real-machine verify: user-agent count **13→0** (all 12 user agents + `REMEMBER.md` are frontmatter-less → CC registers none), HOME `project`-dup **13→0**; corrected always-loaded baseline ≈ **53** (was 66). Agent enumeration is machine-dependent and absent from the frozen snapshots, so the v5.0.0 + SC-5 + default-output snapshots stay byte-stable; no count change (scanners **16**, agents **7**, commands **21**). **1305** tests. | | **5.12.2** | 2026-06-24 | "Honest census" — fixes `M-BUG-1` (dogfooding find): `enumeratePlugins` walked `~/.claude/plugins/marketplaces//plugins/` and ignored both enable-state and the polyrepo cache layout, so it **over-counted phantom agents** from disabled plugins while **missing the entire enabled polyrepo set** (whose plugins live under `cache/`). It now gates on `installed_plugins.json` + `enabledPlugins` and enumerates each plugin from its active `installPath`, with the marketplaces walk as fallback. Fixes `manifest`/`whats-active`/AGT/`token-hotspots` for any user with disabled plugins or a polyrepo marketplace. No count change (scanners **16**, agents **7**, commands **21**); `--json`/`--raw` byte-stable, frozen v5.0.0 + SC-5 + default-output snapshots untouched. Real-machine verify: agent listing 114→104, ghosts gone. **1301** tests. | | **5.12.1** | 2026-06-24 | "Footgun guard" — Pattern H (stale plugin-cache versions, `token-hotspots`) recommended deleting stale version dirs with **no warning** that a currently-running session may still hold one of those versions for its whole lifetime. "Stale" is judged against `installed_plugins.json` (what NEW sessions load), so the recommendation could reproduce the exact failure that breaks a live session: deleting the dir pulls the files out from under the running session, which then must `/exit` + restart. The `plugin-cache-hygiene` recommendation now carries the live-session caveat. **Recommendation string only** — no new finding ID or scanner (count stays **16**, agents **7**, commands **21**), no token figures changed, so `--json`/`--raw` stay byte-stable and the frozen v5.0.0 + SC-5 + default-output snapshots are untouched. **1297** tests. | | **5.12.0** | 2026-06-23 | "Auto-calibration" — completes the deferred B8 half (**B8b**): `--context-window auto` now **probes the configured model** instead of always falling back to advisory. New pure `modelToContextWindow()` maps known 1M-tier model IDs (Fable 5, Opus 4.8/4.7/4.6, Sonnet 4.6 — verified June 2026 — plus the explicit `[1m]` tier tag, dated/provider-prefixed IDs, and the `opus`/`sonnet`/`fable` aliases) to the 1M window; new IO helper `lib/active-model.mjs` `resolveActiveModel()` reads the model the way Claude Code resolves it (shell `ANTHROPIC_MODEL` override, then the settings cascade local > project > user). When `auto` resolves a recognized model the budget calibrates to its window (`auto-probed`, not advisory); when no model is pinned or it is unrecognized it keeps the conservative anchor and stays advisory (`auto-unresolved`) — the honest fallback. No new finding ID or scanner (count stays **16**, agents **7**, commands **21**); the default and explicit `--context-window` paths are unchanged, so `--json`/`--raw` stay byte-stable and the frozen v5.0.0 + SC-5 snapshots are untouched. **1296** tests. | From 18af5a24e92554a4505326cf3dc79a23d59dba6e Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 26 Jun 2026 10:56:39 +0200 Subject: [PATCH 12/31] fix(acr): RUL resolves rule glob against the rule's own project root, not the scan root (M-BUG-9) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A rule's paths:/globs: pattern scopes relative to the directory containing the rule's .claude/, not the outer scan target. countGlobMatches globbed against the scan root and collectProjectFiles' depth>4 cutoff never reached deep matching files, so a live rule in a nested repo (e.g. a marketplace checkout under ~/.claude) was wrongly flagged "matches no files / never activates" (high) — a false F-grade for any user with rules in a nested repo. Same scope-conflation family as M-BUG-1/2/8. - deriveProjectRoot(ruleAbsPath): parent of the rule's .claude segment. - collect + glob per project root (cached), relative to that root — so a nested repo's rule resolves against its own tree, where its files live. - user-global rules (root === HOME) skip the no-match check: they scope against whatever project is active at runtime, not a fixed tree, so "matches 0 files here" is not a dead-rule signal (and avoids a HOME walk). TDD: 2 failing tests (nested-repo false-positive + HOME guard) -> green. Full suite 1307/0; frozen v5.0.0 + default-output snapshots unchanged (RUL appears in none; the fix is a no-op when projectRoot === targetPath, i.e. the common single-repo scan). Dogfooding C6: clears the 2 ktg-privat false positives on the real machine and surfaces a previously-hidden genuine dead rule (false negative) in the bundled optimal-setup example. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01EnUvKEqyEa1m9gy6Aqhdqq --- scanners/rules-validator.mjs | 66 +++++++++++++----- tests/scanners/rules-validator.test.mjs | 91 +++++++++++++++++++++++++ 2 files changed, 139 insertions(+), 18 deletions(-) diff --git a/scanners/rules-validator.mjs b/scanners/rules-validator.mjs index 3bd358f..e277132 100644 --- a/scanners/rules-validator.mjs +++ b/scanners/rules-validator.mjs @@ -10,7 +10,7 @@ import { SEVERITY } from './lib/severity.mjs'; import { parseFrontmatter } from './lib/yaml-parser.mjs'; import { lineCount, truncate } from './lib/string-utils.mjs'; import { readdir, stat } from 'node:fs/promises'; -import { join, resolve, relative } from 'node:path'; +import { join, resolve, relative, sep } from 'node:path'; const SCANNER = 'RUL'; @@ -30,8 +30,16 @@ export async function scan(targetPath, discovery) { return scannerResult(SCANNER, 'skipped', [], 0, Date.now() - start); } - // Collect all real files in the project for glob matching - const projectFiles = await collectProjectFiles(targetPath); + // Rule path patterns scope relative to the rule's OWN project root (the dir + // containing its .claude/), not the outer scan root. Resolve + cache per root. + const home = process.env.HOME || process.env.USERPROFILE || ''; + const projectFilesByRoot = new Map(); + async function projectFilesFor(root) { + if (!projectFilesByRoot.has(root)) { + projectFilesByRoot.set(root, await collectProjectFiles(root)); + } + return projectFilesByRoot.get(root); + } for (const file of ruleFiles) { const content = await readTextFile(file.absPath); @@ -74,22 +82,32 @@ export async function scan(targetPath, discovery) { if (paths) { const patterns = Array.isArray(paths) ? paths : [paths]; - for (const pattern of patterns) { - if (typeof pattern !== 'string') continue; + // A rule scopes relative to its own project root (parent of its .claude/), + // not the scan root. User-global rules (root === HOME) match against the + // active project at runtime, so "matches no files here" is not meaningful. + const projectRoot = deriveProjectRoot(file.absPath) || targetPath; + const isUserGlobal = home && projectRoot === home; - // Check if pattern matches any real files - const matchCount = countGlobMatches(pattern, projectFiles, targetPath); - if (matchCount === 0) { - findings.push(finding({ - scanner: SCANNER, - severity: SEVERITY.high, - title: 'Rule path pattern matches no files', - description: `${file.relPath}: pattern "${pattern}" matches 0 files. This rule will never activate.`, - file: file.absPath, - evidence: `paths: "${pattern}"`, - recommendation: 'Check the glob pattern. Common issues: wrong directory name, missing **, incorrect extension.', - autoFixable: false, - })); + if (!isUserGlobal) { + const projectFiles = await projectFilesFor(projectRoot); + + for (const pattern of patterns) { + if (typeof pattern !== 'string') continue; + + // Check if pattern matches any real files (relative to the rule's root) + const matchCount = countGlobMatches(pattern, projectFiles, projectRoot); + if (matchCount === 0) { + findings.push(finding({ + scanner: SCANNER, + severity: SEVERITY.high, + title: 'Rule path pattern matches no files', + description: `${file.relPath}: pattern "${pattern}" matches 0 files. This rule will never activate.`, + file: file.absPath, + evidence: `paths: "${pattern}"`, + recommendation: 'Check the glob pattern. Common issues: wrong directory name, missing **, incorrect extension.', + autoFixable: false, + })); + } } } } @@ -195,6 +213,18 @@ async function collectProjectFiles(targetPath, depth = 0) { * @param {string} basePath * @returns {number} */ +/** + * Resolve the project root a rule scopes against: the directory containing the + * `.claude/` dir the rule lives under. `/a/b/.claude/rules/x.md` → `/a/b`. + * Returns null if the path has no `.claude` segment. + */ +function deriveProjectRoot(ruleAbsPath) { + const parts = ruleAbsPath.split(sep); + const idx = parts.lastIndexOf('.claude'); + if (idx <= 0) return null; + return parts.slice(0, idx).join(sep); +} + function countGlobMatches(pattern, files, basePath) { try { const regex = globToRegex(pattern); diff --git a/tests/scanners/rules-validator.test.mjs b/tests/scanners/rules-validator.test.mjs index c3fedab..4cf9390 100644 --- a/tests/scanners/rules-validator.test.mjs +++ b/tests/scanners/rules-validator.test.mjs @@ -200,3 +200,94 @@ describe('RUL — block-sequence-scoped rule is correctly scoped (parser regress assert.equal(f.severity, 'low'); }); }); + +describe('RUL — nested-repo rule glob resolves to its own project root (M-BUG-9)', () => { + // A rule living in a NESTED repo's .claude/rules/ scopes its paths: pattern + // relative to that nested repo's root — NOT relative to the outer scan root. + // Before the fix, countGlobMatches globbed against the scan root and + // collectProjectFiles' depth>4 cutoff never reached the deep matching files, + // so a live rule was wrongly flagged "matches no files / never activates". + // (Real-machine surface: ~/.claude/plugins/marketplaces/ktg-privat/.claude/rules/.) + let tmpRoot; + let result; + + async function writeNestedRepo(scanRoot) { + // Nested repo sits 3 dirs below the scan root → its matching files land + // past the old depth>4 cutoff when walked from the scan root. + const nested = join(scanRoot, 'level1', 'level2', 'nested-repo'); + await mkdir(join(nested, '.claude', 'rules'), { recursive: true }); + await mkdir(join(nested, 'plugins', 'app'), { recursive: true }); + await mkdir(join(nested, 'plugins', 'app', 'hooks'), { recursive: true }); + // Files that the rule patterns match — relative to the NESTED repo root. + await writeFile(join(nested, 'plugins', 'app', 'CLAUDE.md'), '# App\n', 'utf8'); + await writeFile(join(nested, 'plugins', 'app', 'hooks', 'hooks.json'), '{}\n', 'utf8'); + // Two rules mirroring the real ktg-privat ones. + await writeFile( + join(nested, '.claude', 'rules', 'plugin-convention.md'), + '---\npaths: "plugins/*/CLAUDE.md"\n---\n\n# Convention\nbody\n', + 'utf8', + ); + await writeFile( + join(nested, '.claude', 'rules', 'hook-format.md'), + '---\npaths: "**/hooks/hooks.json"\n---\n\n# Hook format\nbody\n', + 'utf8', + ); + } + + beforeEach(async () => { + resetCounter(); + tmpRoot = await mkdtemp(join(tmpdir(), 'ca-rul-nested-')); + await writeNestedRepo(tmpRoot); + const discovery = await discoverConfigFiles(tmpRoot); + result = await scan(tmpRoot, discovery); + }); + + afterEach(async () => { + if (tmpRoot) await rm(tmpRoot, { recursive: true, force: true }); + }); + + it('does NOT flag the nested rules as "matches no files"', () => { + const dead = result.findings.filter(f => f.title.includes('matches no files')); + assert.equal( + dead.length, + 0, + `nested-repo rules matched real files but were flagged dead: ${dead.map(f => f.evidence).join(' | ')}`, + ); + }); +}); + +describe('RUL — user-global rule is not flagged "matches no files" (M-BUG-9 guard)', () => { + // A user-global ~/.claude/rules/ rule scopes against whatever project is + // active at runtime, not a fixed tree — so "matches 0 files here" is not a + // meaningful dead-rule signal and must not be flagged (and must not trigger a + // HOME-wide file walk). + let tmpHome; + let savedHome; + let result; + + beforeEach(async () => { + resetCounter(); + tmpHome = await mkdtemp(join(tmpdir(), 'ca-rul-home-')); + savedHome = process.env.HOME; + process.env.HOME = tmpHome; + await mkdir(join(tmpHome, '.claude', 'rules'), { recursive: true }); + await writeFile( + join(tmpHome, '.claude', 'rules', 'global.md'), + '---\npaths: "src/**/*.rs"\n---\n\n# Global rust rule\nbody\n', + 'utf8', + ); + // Scan from HOME so the rule is discovered AND its derived project root === HOME. + const discovery = await discoverConfigFiles(tmpHome); + result = await scan(tmpHome, discovery); + }); + + afterEach(async () => { + process.env.HOME = savedHome; + if (tmpHome) await rm(tmpHome, { recursive: true, force: true }); + }); + + it('does NOT flag a user-global rule as "matches no files"', () => { + const dead = result.findings.filter(f => f.title.includes('matches no files')); + assert.equal(dead.length, 0, `user-global rule wrongly flagged dead: ${dead.map(f => f.evidence).join(' | ')}`); + }); +}); From 346dfac6fad023d3e30271eff9c95a87f50ce9ef Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 26 Jun 2026 11:04:30 +0200 Subject: [PATCH 13/31] =?UTF-8?q?release:=20v5.12.4=20=E2=80=94=20"Rooted?= =?UTF-8?q?=20rules"=20(M-BUG-9:=20RUL=20resolves=20rule=20glob=20against?= =?UTF-8?q?=20the=20rule's=20own=20project=20root)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Version-sync for the M-BUG-9 fix (code already in 18af5a2): - plugin.json 5.12.3 -> 5.12.4 - README version badge -> 5.12.4, tests badge 1305 -> 1307, new version-history row - CHANGELOG [5.12.4] section checkReadmeBadges: passed:true (tests 1307, scanners 16, commands 21, agents 7, hooks 4 — all match filesystem). Full suite 1307/0. Frozen v5.0.0 + default-output snapshots byte-stable (the fix is a no-op when projectRoot === targetPath; RUL appears in no snapshot). Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01EnUvKEqyEa1m9gy6Aqhdqq --- .claude-plugin/plugin.json | 2 +- CHANGELOG.md | 30 ++++++++++++++++++++++++++++++ README.md | 5 +++-- 3 files changed, 34 insertions(+), 3 deletions(-) diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index cb42360..589062b 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -1,7 +1,7 @@ { "name": "config-audit", "description": "Multi-agent workflow for analyzing, reporting, and optimizing Claude Code configuration across your entire machine", - "version": "5.12.3", + "version": "5.12.4", "author": { "name": "Kjell Tore Guttormsen" }, diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b70746..28dc95d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,36 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [5.12.4] - 2026-06-26 + +### Summary +"Rooted rules" — fixes `M-BUG-9` (dogfooding find) in `scanners/rules-validator.mjs`. The RUL +"Rule path pattern matches no files" check resolved a rule's `paths:`/`globs:` glob against the +outer **scan root** instead of the rule's **own project root** (the directory containing its +`.claude/`), and `collectProjectFiles` carried a `depth>4` cutoff that never reached deep matching +files. As a result, a live rule in a **nested repo** — e.g. a marketplace checkout under +`~/.claude/plugins/marketplaces//.claude/rules/` — was wrongly flagged "never activates" (high +severity), a false F-grade for any user with rules in a nested repo. Same scope-conflation family as +`M-BUG-1/2` (the scanner treats a nested repo's config as scoped to the outer scan root). The fix is a +no-op for the common single-repo scan (`projectRoot === targetPath`), so the frozen v5.0.0 + +default-output snapshots stay byte-stable; no count change (scanners **16**, agents **7**, commands +**21**). **1307** tests (+2). + +### Fixed +- **`rules-validator` glob base (`M-BUG-9`).** The dead-rule check now resolves each rule against its + own project root: + - `deriveProjectRoot(ruleAbsPath)` returns the parent of the rule's `.claude` segment. + - Project files are collected and globbed **per project root** (cached), relative to that root, so a + nested repo's rule matches against its own tree where its files live. This also sidesteps the old + `depth>4` cutoff, because the walk now starts at the nearby project root. + - User-global rules (`projectRoot === $HOME`, i.e. `~/.claude/rules/`) skip the no-match check: they + scope against whatever project is active at runtime, not a fixed tree, so "matches 0 files here" is + not a dead-rule signal (and this avoids a `$HOME`-wide file walk). + - TDD: 2 failing tests (nested-repo false-positive + HOME guard) → fix → full suite 1307/0, frozen + v5.0.0 + default-output snapshots untouched (RUL findings appear in none). Real-machine verify: the + two `ktg-privat` false positives clear and a previously-hidden genuine dead rule (a false negative) + surfaces in the bundled `optimal-setup` example; zero new false positives. + ## [5.12.3] - 2026-06-26 ### Summary diff --git a/README.md b/README.md index 275281d..e6e98e9 100644 --- a/README.md +++ b/README.md @@ -6,13 +6,13 @@ *AI-generated: all code produced by Claude Code through dialog-driven development. [Full disclosure →](../../README.md#ai-generated-code-disclosure)* -![Version](https://img.shields.io/badge/version-5.12.3-blue) +![Version](https://img.shields.io/badge/version-5.12.4-blue) ![Platform](https://img.shields.io/badge/platform-Claude_Code_Plugin-purple) ![Scanners](https://img.shields.io/badge/scanners-16-cyan) ![Commands](https://img.shields.io/badge/commands-21-green) ![Agents](https://img.shields.io/badge/agents-7-orange) ![Hooks](https://img.shields.io/badge/hooks-4-red) -![Tests](https://img.shields.io/badge/tests-1305-brightgreen) +![Tests](https://img.shields.io/badge/tests-1307-brightgreen) ![License](https://img.shields.io/badge/license-MIT-lightgrey) A Claude Code plugin that checks configuration health, suggests context-aware improvements, and auto-fixes issues — `CLAUDE.md`, `settings.json`, hooks, rules, MCP servers, `@imports`, and plugins. 16 deterministic scanners across 10 quality areas, context-aware feature recommendations, auto-fix with backup/rollback, a prompt-cache-aware Token Hotspots scanner with optional API-calibrated `--accurate-tokens` mode, plus cache-prefix stability, dead-tool, cross-plugin collision, output-style, and always-loaded agent-listing-budget detection. Zero external dependencies. @@ -662,6 +662,7 @@ This plugin is cautious by design — configuration files are important, and a b | Version | Date | Highlights | |---------|------|-----------| +| **5.12.4** | 2026-06-26 | "Rooted rules" — fixes `M-BUG-9` (dogfooding find) in `scanners/rules-validator.mjs`: the RUL "Rule path pattern matches no files" check now resolves a rule's `paths:`/`globs:` pattern against the rule's **own project root** (the dir containing its `.claude/`), not the outer scan root. Previously `countGlobMatches` globbed against the scan target and `collectProjectFiles`' `depth>4` cutoff never reached deep matching files, so a live rule in a **nested repo** (e.g. a marketplace checkout under `~/.claude`) was wrongly flagged "never activates" (high) — a false F-grade for anyone with rules in a nested repo. The fix derives each rule's project root, collects+globs per root (cached), and skips the check for user-global rules (`root === $HOME`), which scope against the active project at runtime. Same scope-conflation family as `M-BUG-1/2`. No count change (scanners **16**, agents **7**, commands **21**); the fix is a no-op when `projectRoot === targetPath` (the common single-repo scan), so frozen v5.0.0 + default-output snapshots stay byte-stable. **1307** tests (+2 TDD: nested-repo false-positive + HOME guard). | | **5.12.3** | 2026-06-26 | "Phantom agents" — fixes `M-BUG-3/4/5` (dogfooding finds) in `scanners/lib/active-config-reader.mjs`: `enumerateAgents` now counts only the agents Claude Code actually **registers**. Per the official subagents doc, an agent needs valid `name`+`description` frontmatter, and CC scans recursively and silently skips frontmatter-less files. The reader previously (`M-BUG-5`) counted every `.md` regardless of frontmatter, (`M-BUG-3`) never recursed into agent subdirs, and (`M-BUG-4`) double-counted when the project dir equals the user dir (scanning `$HOME` — root cause, also affecting rules/output-styles). Real-machine verify: user-agent count **13→0** (all 12 user agents + `REMEMBER.md` are frontmatter-less → CC registers none), HOME `project`-dup **13→0**; corrected always-loaded baseline ≈ **53** (was 66). Agent enumeration is machine-dependent and absent from the frozen snapshots, so the v5.0.0 + SC-5 + default-output snapshots stay byte-stable; no count change (scanners **16**, agents **7**, commands **21**). **1305** tests. | | **5.12.2** | 2026-06-24 | "Honest census" — fixes `M-BUG-1` (dogfooding find): `enumeratePlugins` walked `~/.claude/plugins/marketplaces//plugins/` and ignored both enable-state and the polyrepo cache layout, so it **over-counted phantom agents** from disabled plugins while **missing the entire enabled polyrepo set** (whose plugins live under `cache/`). It now gates on `installed_plugins.json` + `enabledPlugins` and enumerates each plugin from its active `installPath`, with the marketplaces walk as fallback. Fixes `manifest`/`whats-active`/AGT/`token-hotspots` for any user with disabled plugins or a polyrepo marketplace. No count change (scanners **16**, agents **7**, commands **21**); `--json`/`--raw` byte-stable, frozen v5.0.0 + SC-5 + default-output snapshots untouched. Real-machine verify: agent listing 114→104, ghosts gone. **1301** tests. | | **5.12.1** | 2026-06-24 | "Footgun guard" — Pattern H (stale plugin-cache versions, `token-hotspots`) recommended deleting stale version dirs with **no warning** that a currently-running session may still hold one of those versions for its whole lifetime. "Stale" is judged against `installed_plugins.json` (what NEW sessions load), so the recommendation could reproduce the exact failure that breaks a live session: deleting the dir pulls the files out from under the running session, which then must `/exit` + restart. The `plugin-cache-hygiene` recommendation now carries the live-session caveat. **Recommendation string only** — no new finding ID or scanner (count stays **16**, agents **7**, commands **21**), no token figures changed, so `--json`/`--raw` stay byte-stable and the frozen v5.0.0 + SC-5 + default-output snapshots are untouched. **1297** tests. | From bfd577aeee88ada7e6955b0851a722fa676af74a Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 26 Jun 2026 12:23:43 +0200 Subject: [PATCH 14/31] =?UTF-8?q?fix(acr):=20file-discovery=20skips=20back?= =?UTF-8?q?ups/=20dirs=20=E2=80=94=20never=20live=20config=20(M-BUG-8)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A directory named `backups` holds backup COPIES, not live config, so walking it during a config audit produces stale findings. config-audit's own session backups (~/.claude/config-audit/backups//files/.../CLAUDE.md) were the canonical case: a ~/.claude-scope audit walked 36 frozen config copies as if live, polluting CPS (C3) and HKV/RUL (C6) results. Same non-live-noise family as M-BUG-2. - Add `backups` to SKIP_DIRS (broad, name-based — consistent with vendor/dist/ .cache): the rule is general, a backups/ dir is never live config. TDD: 2 failing tests (no config under backups/ discovered + backups/ counted as skipped) -> green; a third asserts live config beside the backups tree is still discovered. Full suite 1310/0 (+3). Byte-stable: no fixture is named `backups` and `backups` appears in zero frozen snapshots, so v5.0.0 + SC-5 + default-output outputs are unchanged. Dogfooding ~/.claude: files under /backups/ drop from 36 -> 0; 717 live config files retained. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01EnUvKEqyEa1m9gy6Aqhdqq --- scanners/lib/file-discovery.mjs | 5 ++++ tests/lib/file-discovery.test.mjs | 48 ++++++++++++++++++++++++++++++- 2 files changed, 52 insertions(+), 1 deletion(-) diff --git a/scanners/lib/file-discovery.mjs b/scanners/lib/file-discovery.mjs index 7f32bad..eb6e832 100644 --- a/scanners/lib/file-discovery.mjs +++ b/scanners/lib/file-discovery.mjs @@ -11,6 +11,11 @@ const SKIP_DIRS = new Set([ 'node_modules', '.git', 'dist', 'build', 'coverage', '__pycache__', '.next', '.nuxt', '.output', '.cache', '.turbo', '.parcel-cache', 'vendor', 'venv', '.venv', '.tox', + // A `backups` dir holds backup COPIES, not live config — auditing it as if + // live produces stale findings. config-audit's own session backups + // (~/.claude/config-audit/backups//files/.../CLAUDE.md) are the canonical + // case (M-BUG-8), but the rule is general: backups are never live config. + 'backups', ]); // Path marker for the plugin install cache (~/.claude/plugins/cache). diff --git a/tests/lib/file-discovery.test.mjs b/tests/lib/file-discovery.test.mjs index 036fe4f..3a4a09f 100644 --- a/tests/lib/file-discovery.test.mjs +++ b/tests/lib/file-discovery.test.mjs @@ -1,6 +1,6 @@ import { describe, it, before, after } from 'node:test'; import assert from 'node:assert/strict'; -import { join } from 'node:path'; +import { join, sep } from 'node:path'; import { mkdir, writeFile, rm, stat } from 'node:fs/promises'; import { tmpdir } from 'node:os'; import { @@ -509,3 +509,49 @@ describe('discoverConfigFiles — cache-aware filtering', () => { assert.ok(!keys.has(STALE1) && !keys.has(STALE2), 'stale dropped via Multi'); }); }); + +// ─────────────────────────────────────────────────────────────── +// Group 8: backups/ skip (M-BUG-8) — a directory named `backups` +// holds backup COPIES, not live config. config-audit's own session +// backups (~/.claude/config-audit/backups//files/plugins/*/CLAUDE.md) +// were walked as if live, producing stale findings on a ~/.claude audit. +// ─────────────────────────────────────────────────────────────── + +describe('discoverConfigFiles — skips backups/ (M-BUG-8)', () => { + let dir; + + before(async () => { + dir = tempDir('backups'); + // A live CLAUDE.md at the root (must still be discovered). + await mkdir(dir, { recursive: true }); + await writeFile(join(dir, 'CLAUDE.md'), '# Live config'); + // config-audit's own backup tree — frozen copies, NOT live config. + const backupClaude = join(dir, 'config-audit', 'backups', '20260518_103233', 'files', 'plugins', 'voyage'); + await mkdir(backupClaude, { recursive: true }); + await writeFile(join(backupClaude, 'CLAUDE.md'), '# Frozen backup copy'); + const backupSettings = join(dir, 'config-audit', 'backups', '20260518_103233', 'files', '.claude'); + await mkdir(backupSettings, { recursive: true }); + await writeFile(join(backupSettings, 'settings.json'), '{}'); + }); + + after(async () => { + await rm(dir, { recursive: true, force: true }); + }); + + it('discovers the live CLAUDE.md', async () => { + const { files } = await discoverConfigFiles(dir); + const live = files.find(f => f.relPath === 'CLAUDE.md'); + assert.ok(live, 'live CLAUDE.md at root should be discovered'); + }); + + it('does NOT discover config files under a backups/ directory', async () => { + const { files } = await discoverConfigFiles(dir); + const inBackups = files.filter(f => f.absPath.includes(`backups${sep}`)); + assert.equal(inBackups.length, 0, 'no files under backups/ should be discovered'); + }); + + it('counts backups/ as a skipped directory', async () => { + const { skipped } = await discoverConfigFiles(dir); + assert.ok(skipped >= 1, 'backups/ should be counted as skipped'); + }); +}); From dd9db60fc9886c11d6a9b4192c3d05a3c277a132 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 26 Jun 2026 12:45:14 +0200 Subject: [PATCH 15/31] fix(acr): CPS ignores fenced/inline code + CC-stable path vars (M-BUG-7) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CPS flagged ${CLAUDE_PLUGIN_ROOT}/${CLAUDE_PROJECT_DIR} (CC-provided stable paths) and {date}/timestamp tokens shown in documentation as cache-busters. Fix: skip fenced code blocks, strip inline-code spans, and whitelist CC-stable vars before pattern-matching. Suppress-only — frozen v5.0.0 snapshots untouched (CPS yields findings:[] there), no re-seed. Suite 1316/0 (+6). Dogfood ~/.claude 5->2 (3 doc false-positives suppressed; 2 remaining = own volatile test fixtures). --- scanners/cache-prefix-scanner.mjs | 60 +++++++++++++++---- .../cps-fenced/inside-fence/CLAUDE.md | 46 ++++++++++++++ tests/fixtures/cps-fenced/mixed/CLAUDE.md | 55 +++++++++++++++++ .../fixtures/cps-inline-code/mixed/CLAUDE.md | 55 +++++++++++++++++ tests/fixtures/cps-inline-code/pure/CLAUDE.md | 46 ++++++++++++++ .../cps-stable-vars/non-whitelisted/CLAUDE.md | 46 ++++++++++++++ .../cps-stable-vars/whitelisted/CLAUDE.md | 46 ++++++++++++++ tests/scanners/cache-prefix.test.mjs | 60 +++++++++++++++++++ 8 files changed, 403 insertions(+), 11 deletions(-) create mode 100644 tests/fixtures/cps-fenced/inside-fence/CLAUDE.md create mode 100644 tests/fixtures/cps-fenced/mixed/CLAUDE.md create mode 100644 tests/fixtures/cps-inline-code/mixed/CLAUDE.md create mode 100644 tests/fixtures/cps-inline-code/pure/CLAUDE.md create mode 100644 tests/fixtures/cps-stable-vars/non-whitelisted/CLAUDE.md create mode 100644 tests/fixtures/cps-stable-vars/whitelisted/CLAUDE.md diff --git a/scanners/cache-prefix-scanner.mjs b/scanners/cache-prefix-scanner.mjs index 62895ea..0e41822 100644 --- a/scanners/cache-prefix-scanner.mjs +++ b/scanners/cache-prefix-scanner.mjs @@ -30,7 +30,28 @@ const SCANNER = 'CPS'; // hits per turn, not to chase every inline date in a long backlog file. const CACHED_PREFIX_LINES = 150; -// Volatile-pattern set (extends token-hotspots.mjs Pattern A). +// CC-provided substitution variables that resolve to a stable per-install or +// per-project path (e.g. "${CLAUDE_PLUGIN_ROOT}/hooks/x.mjs"). CC expands them +// to the same value every turn, so they never break the prompt cache — unlike a +// runtime ${TIMESTAMP}. Excluded from the ${VAR} volatile flag (M-BUG-7). +const STABLE_CC_VARS = new Set(['CLAUDE_PLUGIN_ROOT', 'CLAUDE_PROJECT_DIR']); + +// Matches every ${VAR} occurrence on a line so a line carrying only stable CC +// vars is not mistaken for a runtime cache-buster. +const VAR_RX = /\$\{([A-Z_][A-Z0-9_]*)\}/g; + +/** True when a line contains at least one non-CC-stable ${VAR} substitution. */ +function hasVolatileVar(line) { + VAR_RX.lastIndex = 0; + let m; + while ((m = VAR_RX.exec(line)) !== null) { + if (!STABLE_CC_VARS.has(m[1])) return true; + } + return false; +} + +// Volatile-pattern set (extends token-hotspots.mjs Pattern A). The ${VAR} entry +// is `varAware` — flagged via hasVolatileVar() so CC-stable vars are excluded. const VOLATILE_PATTERNS = [ { rx: /\{timestamp\}/i, label: '{timestamp} placeholder' }, { rx: /\{uuid\}/i, label: '{uuid} placeholder' }, @@ -41,7 +62,7 @@ const VOLATILE_PATTERNS = [ { rx: /^\s*\[\d{4}-\d{2}-\d{2}/, label: 'dated log line [YYYY-MM-DD ...]' }, // v5 N3 extensions: { rx: /^\s*!/, label: 'shell-exec line (! prefix)' }, - { rx: /\$\{[A-Z_][A-Z0-9_]*\}/, label: '${VAR} substitution' }, + { rx: /\$\{[A-Z_][A-Z0-9_]*\}/, label: '${VAR} substitution', varAware: true }, ]; /** @@ -68,16 +89,33 @@ function findVolatileLines(content) { const out = []; if (!content) return out; const lines = content.split('\n').slice(0, CACHED_PREFIX_LINES); + let inFence = false; for (let i = 0; i < lines.length; i++) { - for (const { rx, label } of VOLATILE_PATTERNS) { - if (rx.test(lines[i])) { - out.push({ - line: i + 1, - label, - snippet: lines[i].length > 120 ? lines[i].slice(0, 117) + '...' : lines[i], - }); - break; - } + const line = lines[i]; + // Fenced code blocks (``` or ~~~) hold illustrative, byte-stable literal + // text — a ${VAR} or timestamp shown inside one is documentation, not a + // runtime cache-buster — so the fence delimiters and their content are + // skipped (M-BUG-7). + if (/^\s*(```|~~~)/.test(line)) { + inFence = !inFence; + continue; + } + if (inFence) continue; + // Strip `inline code` spans before pattern-testing: a {date} or ${VAR} + // shown inside backticks is literal documentation text, byte-stable, not a + // runtime cache-buster (M-BUG-7). The original line is still reported as the + // snippet so context is preserved. + const probe = line.replace(/`[^`]*`/g, ''); + for (const { rx, label, varAware } of VOLATILE_PATTERNS) { + // The ${VAR} pattern flags only non-CC-stable substitutions; every other + // pattern keeps its plain line test. + if (varAware ? !hasVolatileVar(probe) : !rx.test(probe)) continue; + out.push({ + line: i + 1, + label, + snippet: line.length > 120 ? line.slice(0, 117) + '...' : line, + }); + break; } } return out; diff --git a/tests/fixtures/cps-fenced/inside-fence/CLAUDE.md b/tests/fixtures/cps-fenced/inside-fence/CLAUDE.md new file mode 100644 index 0000000..5ccb2b6 --- /dev/null +++ b/tests/fixtures/cps-fenced/inside-fence/CLAUDE.md @@ -0,0 +1,46 @@ +# Fenced Documentation Project + +Stable preamble. All volatility below is illustrative, inside a code fence. +Body line 4. +Body line 5. +Body line 6. +Body line 7. +Body line 8. +Body line 9. +Body line 10. +Body line 11. +Body line 12. +Body line 13. +Body line 14. +Body line 15. +Body line 16. +Body line 17. +Body line 18. +Body line 19. +Body line 20. +Body line 21. +Body line 22. +Body line 23. +Body line 24. +Body line 25. +Body line 26. +Body line 27. +Body line 28. +Body line 29. +Body line 30. +Body line 31. +Body line 32. +Body line 33. +Body line 34. +```bash +export STAMP=${TIMESTAMP} +!deploy.sh --at 2026-06-26T10:00:00 +echo {date} > /tmp/log +[2026-06-26 12:00] starting +``` +Body line 41. +Body line 42. +Body line 43. +Body line 44. +Body line 45. +Body line 46. diff --git a/tests/fixtures/cps-fenced/mixed/CLAUDE.md b/tests/fixtures/cps-fenced/mixed/CLAUDE.md new file mode 100644 index 0000000..cd55d8a --- /dev/null +++ b/tests/fixtures/cps-fenced/mixed/CLAUDE.md @@ -0,0 +1,55 @@ +# Fenced Plus Prose Project + +Stable preamble. A fence below, plus one genuine volatile prose line. +Body line 4. +Body line 5. +Body line 6. +Body line 7. +Body line 8. +Body line 9. +Body line 10. +Body line 11. +Body line 12. +Body line 13. +Body line 14. +Body line 15. +Body line 16. +Body line 17. +Body line 18. +Body line 19. +Body line 20. +Body line 21. +Body line 22. +Body line 23. +Body line 24. +Body line 25. +Body line 26. +Body line 27. +Body line 28. +Body line 29. +Body line 30. +Body line 31. +Body line 32. +Body line 33. +Body line 34. +```bash +export STAMP=${TIMESTAMP} # documented, not live +``` +Body line 38. +Body line 39. +Body line 40. +Body line 41. +Body line 42. +Body line 43. +Body line 44. +Body line 45. +Body line 46. +Body line 47. +Body line 48. +Body line 49. +!git log -1 # genuine shell-exec in live prose at line 50 +Body line 51. +Body line 52. +Body line 53. +Body line 54. +Body line 55. diff --git a/tests/fixtures/cps-inline-code/mixed/CLAUDE.md b/tests/fixtures/cps-inline-code/mixed/CLAUDE.md new file mode 100644 index 0000000..c39f00e --- /dev/null +++ b/tests/fixtures/cps-inline-code/mixed/CLAUDE.md @@ -0,0 +1,55 @@ +# Inline Code Mixed Project + +Stable preamble. Backticked template plus a live var in prose. +Body line 4. +Body line 5. +Body line 6. +Body line 7. +Body line 8. +Body line 9. +Body line 10. +Body line 11. +Body line 12. +Body line 13. +Body line 14. +Body line 15. +Body line 16. +Body line 17. +Body line 18. +Body line 19. +Body line 20. +Body line 21. +Body line 22. +Body line 23. +Body line 24. +Body line 25. +Body line 26. +Body line 27. +Body line 28. +Body line 29. +Body line 30. +Body line 31. +Body line 32. +Body line 33. +Body line 34. +Body line 35. +Body line 36. +Body line 37. +Body line 38. +Body line 39. +Output template is `run-{date}.md` (documented). +Body line 41. +Body line 42. +Body line 43. +Body line 44. +Body line 45. +Body line 46. +Body line 47. +Body line 48. +Body line 49. +Deployed at ${RELEASE_STAMP} on every push. +Body line 51. +Body line 52. +Body line 53. +Body line 54. +Body line 55. diff --git a/tests/fixtures/cps-inline-code/pure/CLAUDE.md b/tests/fixtures/cps-inline-code/pure/CLAUDE.md new file mode 100644 index 0000000..241c303 --- /dev/null +++ b/tests/fixtures/cps-inline-code/pure/CLAUDE.md @@ -0,0 +1,46 @@ +# Inline Code Doc Project + +Stable preamble. A filename template is documented in backticks below. +Body line 4. +Body line 5. +Body line 6. +Body line 7. +Body line 8. +Body line 9. +Body line 10. +Body line 11. +Body line 12. +Body line 13. +Body line 14. +Body line 15. +Body line 16. +Body line 17. +Body line 18. +Body line 19. +Body line 20. +Body line 21. +Body line 22. +Body line 23. +Body line 24. +Body line 25. +Body line 26. +Body line 27. +Body line 28. +Body line 29. +Body line 30. +Body line 31. +Body line 32. +Body line 33. +Body line 34. +Body line 35. +Body line 36. +Body line 37. +Body line 38. +Body line 39. +| `--brief ` | writes to `.claude/plans/run-{date}-{slug}.md` | +Body line 41. +Body line 42. +Body line 43. +Body line 44. +Body line 45. +Body line 46. diff --git a/tests/fixtures/cps-stable-vars/non-whitelisted/CLAUDE.md b/tests/fixtures/cps-stable-vars/non-whitelisted/CLAUDE.md new file mode 100644 index 0000000..dd1ffe9 --- /dev/null +++ b/tests/fixtures/cps-stable-vars/non-whitelisted/CLAUDE.md @@ -0,0 +1,46 @@ +# Non-Whitelisted Var Project + +Stable preamble with a genuine runtime substitution below. +Body line 4. +Body line 5. +Body line 6. +Body line 7. +Body line 8. +Body line 9. +Body line 10. +Body line 11. +Body line 12. +Body line 13. +Body line 14. +Body line 15. +Body line 16. +Body line 17. +Body line 18. +Body line 19. +Body line 20. +Body line 21. +Body line 22. +Body line 23. +Body line 24. +Body line 25. +Body line 26. +Body line 27. +Body line 28. +Body line 29. +Body line 30. +Body line 31. +Body line 32. +Body line 33. +Body line 34. +Body line 35. +Body line 36. +Body line 37. +Body line 38. +Body line 39. +Deployed build tag: ${DEPLOY_TIMESTAMP} (changes every release). +Body line 41. +Body line 42. +Body line 43. +Body line 44. +Body line 45. +Body line 46. diff --git a/tests/fixtures/cps-stable-vars/whitelisted/CLAUDE.md b/tests/fixtures/cps-stable-vars/whitelisted/CLAUDE.md new file mode 100644 index 0000000..3fb0961 --- /dev/null +++ b/tests/fixtures/cps-stable-vars/whitelisted/CLAUDE.md @@ -0,0 +1,46 @@ +# Stable CC Vars Project + +Stable preamble — only CC-provided path vars appear below. +Body line 4. +Body line 5. +Body line 6. +Body line 7. +Body line 8. +Body line 9. +Body line 10. +Body line 11. +Body line 12. +Body line 13. +Body line 14. +Body line 15. +Body line 16. +Body line 17. +Body line 18. +Body line 19. +Body line 20. +Body line 21. +Body line 22. +Body line 23. +Body line 24. +Body line 25. +Body line 26. +Body line 27. +Body line 28. +Body line 29. +Body line 30. +Body line 31. +Body line 32. +Body line 33. +Body line 34. +Body line 35. +Body line 36. +Body line 37. +Body line 38. +Body line 39. +Hooks resolve under ${CLAUDE_PLUGIN_ROOT}/hooks and project root is ${CLAUDE_PROJECT_DIR}. +Body line 41. +Body line 42. +Body line 43. +Body line 44. +Body line 45. +Body line 46. diff --git a/tests/scanners/cache-prefix.test.mjs b/tests/scanners/cache-prefix.test.mjs index aecea00..e4f3d00 100644 --- a/tests/scanners/cache-prefix.test.mjs +++ b/tests/scanners/cache-prefix.test.mjs @@ -86,6 +86,66 @@ describe('CPS scanner — volatile content in @imported files (v5.10 B6)', () => }); }); +describe('CPS scanner — CC-stable vars are not cache-busters (M-BUG-7)', () => { + it('does NOT flag ${CLAUDE_PLUGIN_ROOT} / ${CLAUDE_PROJECT_DIR} in prose', async () => { + // These are CC-provided path substitutions that resolve to a stable value + // every turn — referencing them in CLAUDE.md prose is not a cache-buster. + const result = await runScanner('cps-stable-vars/whitelisted'); + const f = result.findings.find(x => /volatile content inside cached prefix/i.test(x.title || '')); + assert.equal(f, undefined, + `CC-stable path vars must not trip CPS; got: ${f?.evidence}`); + }); + + it('STILL flags a genuine non-CC ${VAR} substitution (whitelist is selective)', async () => { + const result = await runScanner('cps-stable-vars/non-whitelisted'); + const f = result.findings.find(x => /volatile content inside cached prefix/i.test(x.title || '')); + assert.ok(f, `expected a finding for a genuine runtime var; got none`); + assert.match(String(f.evidence || ''), /line 40/); + assert.match(String(f.evidence || ''), /\$\{VAR\} substitution/i); + }); +}); + +describe('CPS scanner — volatility inside fenced code blocks is documentation (M-BUG-7)', () => { + it('does NOT flag volatile-looking lines inside a ```fence```', async () => { + // Content inside a fenced code block is illustrative, byte-stable literal + // text — not runtime volatility — so it must not break the cached prefix. + const result = await runScanner('cps-fenced/inside-fence'); + const f = result.findings.find(x => /volatile content inside cached prefix/i.test(x.title || '')); + assert.equal(f, undefined, + `fenced code content must not trip CPS; got: ${f?.evidence}`); + }); + + it('STILL flags genuine volatility in live prose outside the fence', async () => { + const result = await runScanner('cps-fenced/mixed'); + const f = result.findings.find(x => /volatile content inside cached prefix/i.test(x.title || '')); + assert.ok(f, `expected a finding for the out-of-fence volatile line; got none`); + assert.match(String(f.evidence || ''), /line 50/); + assert.match(String(f.evidence || ''), /shell-exec/i); + assert.doesNotMatch(String(f.evidence || ''), /line 3[567]/, + 'fenced lines 35–37 must not appear in the evidence'); + }); +}); + +describe('CPS scanner — volatility inside inline code is documentation (M-BUG-7)', () => { + it('does NOT flag a {date} placeholder shown inside `inline code`', async () => { + // A filename template like `.claude/plans/run-{date}.md` in backticks is + // literal documentation text — byte-stable, not a runtime substitution. + const result = await runScanner('cps-inline-code/pure'); + const f = result.findings.find(x => /volatile content inside cached prefix/i.test(x.title || '')); + assert.equal(f, undefined, + `inline-code documentation must not trip CPS; got: ${f?.evidence}`); + }); + + it('STILL flags a live ${VAR} that sits outside backticks', async () => { + const result = await runScanner('cps-inline-code/mixed'); + const f = result.findings.find(x => /volatile content inside cached prefix/i.test(x.title || '')); + assert.ok(f, `expected a finding for the out-of-backtick volatile line; got none`); + assert.match(String(f.evidence || ''), /line 50/); + assert.doesNotMatch(String(f.evidence || ''), /line 40/, + 'the backticked {date} on line 40 must not appear in the evidence'); + }); +}); + describe('CPS scanner — orchestrator wiring', () => { it('CPS appears in scan-orchestrator scanner list', async () => { const orch = await import('../../scanners/scan-orchestrator.mjs'); From 7e949105665958f508e144db4834506207c395f6 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 26 Jun 2026 14:29:24 +0200 Subject: [PATCH 16/31] fix(acr): token estimator discounts block-level HTML comments (M-BUG-6) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CLAUDE.md token estimates counted block-level HTML comments toward always-loaded tokens, but CC strips them before injection (preserved only inside code fences, per code.claude.com/docs/en/memory). Fix: new stripInjectedHtmlComments + effectiveMemoryBytes in active-config-reader; the CML cascade (walkClaudeMdCascade) and token-hotspots now size CLAUDE.md from effective (stripped) bytes, while raw byte figures stay honest. Block-level only — inline comments retained (conservative, verified scope). Suite 1329/0 (+13). Frozen v5.0.0 snapshots untouched (no fixture has `) that lie OUTSIDE fenced code + * blocks. Claude Code strips these before injecting a CLAUDE.md / memory file + * into context (code.claude.com/docs/en/memory: "block-level HTML comments are + * stripped before the content is injected"), preserving them only inside fenced + * code blocks (``` / ~~~). A byte-accurate token estimate must therefore discount + * them. (M-BUG-6) + * + * Conservative scope — only *block-level* comments are removed (a comment that + * occupies its own line(s)); inline comments sharing a line with other text are + * retained, since the verified CC behavior covers block-level stripping only. + * + * @param {string} content + * @returns {string} content with out-of-fence block comments removed + */ +export function stripInjectedHtmlComments(content) { + if (typeof content !== 'string' || content === '') return ''; + const lines = content.split('\n'); + const out = []; + let inFence = false; + let inComment = false; + for (const line of lines) { + if (inComment) { + // Inside a multi-line block comment: drop lines until the closing `-->`, + // keeping any real content that trails the close on the same line. + const end = line.indexOf('-->'); + if (end !== -1) { + inComment = false; + const rest = line.slice(end + 3); + if (rest.trim() !== '') out.push(rest); + } + continue; + } + // Fence delimiters (``` / ~~~) toggle a preserve-verbatim region. + if (/^\s*(```|~~~)/.test(line)) { + inFence = !inFence; + out.push(line); + continue; + } + if (inFence) { + out.push(line); + continue; + } + // Whole line is a single self-contained block comment → CC strips it. + if (/^\s*\s*$/.test(line)) continue; + // Block comment opening with nothing but whitespace before it and no close + // on this line → runs onto following lines. + const openIdx = line.indexOf('', openIdx) === -1 && line.slice(0, openIdx).trim() === '') { + inComment = true; + continue; + } + out.push(line); + } + return out.join('\n'); +} + +/** + * Effective injected byte length of a CLAUDE.md / memory source: raw UTF-8 bytes + * minus the block-level HTML comments CC strips before injection. Used wherever a + * CLAUDE.md token estimate must reflect what actually enters context. (M-BUG-6) + * + * @param {string} content + * @returns {number} + */ +export function effectiveMemoryBytes(content) { + if (typeof content !== 'string') return 0; + return Buffer.byteLength(stripInjectedHtmlComments(content), 'utf8'); +} + // ───────────────────────────────────────────────────────────────────────── // Load-pattern model (v5.6 Foundation) // ───────────────────────────────────────────────────────────────────────── @@ -202,7 +272,11 @@ export async function walkClaudeMdCascade(repoPath) { const totalBytes = files.reduce((sum, f) => sum + f.bytes, 0); const totalLines = files.reduce((sum, f) => sum + f.lines, 0); - const estimatedTokens = estimateTokens(totalBytes, 'markdown'); + // Token estimate is computed from the *effective* (injected) byte count — CC + // strips block-level HTML comments before injection — while totalBytes stays + // the honest on-disk figure. (M-BUG-6) + const effectiveBytes = files.reduce((sum, f) => sum + (f.effectiveBytes ?? f.bytes), 0); + const estimatedTokens = estimateTokens(effectiveBytes, 'markdown'); return { files, totalBytes, totalLines, estimatedTokens }; } @@ -217,6 +291,7 @@ async function tryAddClaudeMd(absPath, scope, parent, files, seen) { path: absPath, scope, bytes: s.size, + effectiveBytes: effectiveMemoryBytes(content), lines: lineCount(content), parent, }; diff --git a/scanners/token-hotspots.mjs b/scanners/token-hotspots.mjs index 87efcbe..f0f3e6c 100644 --- a/scanners/token-hotspots.mjs +++ b/scanners/token-hotspots.mjs @@ -22,12 +22,12 @@ */ import { resolve, dirname, isAbsolute } from 'node:path'; -import { stat } from 'node:fs/promises'; +import { stat, readFile } from 'node:fs/promises'; import { readTextFile } from './lib/file-discovery.mjs'; import { finding, scannerResult } from './lib/output.mjs'; import { SEVERITY } from './lib/severity.mjs'; import { findImports, parseJson, parseFrontmatter } from './lib/yaml-parser.mjs'; -import { estimateTokens, readActiveConfig, deriveLoadPattern } from './lib/active-config-reader.mjs'; +import { estimateTokens, effectiveMemoryBytes, readActiveConfig, deriveLoadPattern } from './lib/active-config-reader.mjs'; import { assessMcpDeferralForRepo, severityForForcedSchemas, @@ -261,6 +261,26 @@ function detectRedundantPermissions(settings) { return issues; } +/** + * Byte count to feed the token estimator for a discovered file. CLAUDE.md / + * memory files are sized from their *effective* (injected) content — CC strips + * block-level HTML comments before injection — so a raw byte read over-counts + * them. Every other source uses the raw on-disk size. (M-BUG-6) + * + * @param {{type:string, absPath?:string, size:number}} f + * @returns {Promise} + */ +async function tokenBytesFor(f) { + if (f.type === 'claude-md' && f.absPath) { + try { + return effectiveMemoryBytes(await readFile(f.absPath, 'utf-8')); + } catch { + return f.size; + } + } + return f.size; +} + /** * Build the ranked hotspots array. * @@ -272,7 +292,7 @@ async function buildHotspots(discovery, targetPath, activeConfig) { const ranked = []; for (const f of discovery.files) { const kind = tokenKind(f.type); - const tokens = estimateTokens(f.size, kind); + const tokens = estimateTokens(await tokenBytesFor(f), kind); if (tokens <= 0) continue; ranked.push({ absPath: f.absPath, @@ -651,7 +671,7 @@ export async function scan(targetPath, discovery) { // ── Total estimated tokens (sum of every discovered source + activeConfig MCP) ── let totalTokens = 0; for (const f of discovery.files) { - totalTokens += estimateTokens(f.size, tokenKind(f.type)); + totalTokens += estimateTokens(await tokenBytesFor(f), tokenKind(f.type)); } if (activeConfig && Array.isArray(activeConfig.mcpServers)) { for (const m of activeConfig.mcpServers) { diff --git a/tests/lib/active-config-reader.test.mjs b/tests/lib/active-config-reader.test.mjs index 10c1874..7753022 100644 --- a/tests/lib/active-config-reader.test.mjs +++ b/tests/lib/active-config-reader.test.mjs @@ -5,6 +5,8 @@ import { mkdir, writeFile, rm, readFile } from 'node:fs/promises'; import { tmpdir } from 'node:os'; import { estimateTokens, + stripInjectedHtmlComments, + effectiveMemoryBytes, detectGitRoot, walkClaudeMdCascade, readClaudeJsonProjectSlice, @@ -196,6 +198,85 @@ describe('estimateTokens', () => { }); }); +// ───────────────────────────────────────────────────────────────────────── +// stripInjectedHtmlComments / effectiveMemoryBytes (M-BUG-6) +// Claude Code strips block-level HTML comments from a CLAUDE.md/memory file +// before injecting it into context (code.claude.com/docs/en/memory), preserving +// them only inside fenced code blocks. A byte-accurate token estimate must +// discount them. Inline comments (text on the same line) are conservatively +// retained — only block-level stripping is verified behavior. +// ───────────────────────────────────────────────────────────────────────── + +describe('stripInjectedHtmlComments (M-BUG-6)', () => { + it('strips a single-line block-level comment outside code fences', () => { + const src = '# Title\n\n\n\nBody text.\n'; + const out = stripInjectedHtmlComments(src); + assert.ok(!out.includes('maintainer note'), 'comment text should be removed'); + assert.ok(out.includes('# Title') && out.includes('Body text.'), 'surrounding content preserved'); + }); + + it('strips a multi-line block comment outside fences', () => { + const src = 'A\n\nB\n'; + const out = stripInjectedHtmlComments(src); + assert.ok(!out.includes('line one') && !out.includes('line two'), 'all comment lines removed'); + assert.ok(out.includes('A') && out.includes('B'), 'surrounding content preserved'); + }); + + it('preserves an HTML comment inside a ``` fenced code block', () => { + const src = '# Title\n\n```html\n\n```\n'; + const out = stripInjectedHtmlComments(src); + assert.ok(out.includes('kept: this is example code'), 'fenced comment must be preserved (CC keeps it)'); + }); + + it('preserves an HTML comment inside a ~~~ fenced code block', () => { + const src = '~~~\n\n~~~\n'; + const out = stripInjectedHtmlComments(src); + assert.ok(out.includes('kept tilde'), 'tilde-fenced comment must be preserved'); + }); + + it('keeps inline comments (only block-level stripping is verified)', () => { + // Text on the same line as the comment → conservatively retained; the + // verified CC behavior covers block-level comments only (Verifiseringsplikt). + const src = 'Visible tail\n'; + assert.equal(stripInjectedHtmlComments(src), src); + }); + + it('returns content unchanged when there are no comments', () => { + const src = '# Plain\n\nNo comments here.\n'; + assert.equal(stripInjectedHtmlComments(src), src); + }); + + it('handles empty and non-string input', () => { + assert.equal(stripInjectedHtmlComments(''), ''); + assert.equal(stripInjectedHtmlComments(undefined), ''); + assert.equal(stripInjectedHtmlComments(null), ''); + }); +}); + +describe('effectiveMemoryBytes (M-BUG-6)', () => { + it('discounts out-of-fence block comments from the byte count', () => { + const src = '# Title\n\n\n\nBody.\n'; + const raw = Buffer.byteLength(src, 'utf8'); + const eff = effectiveMemoryBytes(src); + assert.ok(eff < raw, `effective (${eff}) should be below raw (${raw})`); + }); + + it('counts comments inside fences (CC keeps them)', () => { + const src = '```\n\n```\n'; + assert.equal(effectiveMemoryBytes(src), Buffer.byteLength(src, 'utf8')); + }); + + it('equals raw bytes when no comments are present', () => { + const src = '# Plain markdown\n\nbody\n'; + assert.equal(effectiveMemoryBytes(src), Buffer.byteLength(src, 'utf8')); + }); + + it('returns 0 for non-string input', () => { + assert.equal(effectiveMemoryBytes(undefined), 0); + assert.equal(effectiveMemoryBytes(null), 0); + }); +}); + // ───────────────────────────────────────────────────────────────────────── // detectGitRoot // ───────────────────────────────────────────────────────────────────────── @@ -291,6 +372,23 @@ describe('walkClaudeMdCascade', () => { assert.equal(result.estimatedTokens, Math.ceil(result.totalBytes / 4)); }); + it('discounts block-level HTML comments from estimatedTokens (M-BUG-6)', async () => { + // CC strips block-level HTML comments before injection, so a CLAUDE.md + // padded with a maintainer-note comment must estimate FEWER tokens than its + // raw byte size would imply — totalBytes stays the honest on-disk figure. + const comment = ``; + await writeFile( + join(fixture.root, 'CLAUDE.md'), + `# Project Instructions\n\n${comment}\n\nBuild with care.\n`, + ); + const result = await walkClaudeMdCascade(fixture.root); + assert.ok( + result.estimatedTokens < Math.ceil(result.totalBytes / 4), + `expected discounted tokens (${result.estimatedTokens}) below raw heuristic ` + + `(${Math.ceil(result.totalBytes / 4)})`, + ); + }); + it('handles missing user CLAUDE.md gracefully', async () => { // Remove user CLAUDE.md await rm(join(fixture.fakeHome, '.claude', 'CLAUDE.md')); diff --git a/tests/scanners/token-hotspots.test.mjs b/tests/scanners/token-hotspots.test.mjs index bb42ed9..7ade2c6 100644 --- a/tests/scanners/token-hotspots.test.mjs +++ b/tests/scanners/token-hotspots.test.mjs @@ -1,7 +1,9 @@ import { describe, it, beforeEach } from 'node:test'; import assert from 'node:assert/strict'; -import { resolve } from 'node:path'; +import { resolve, join } from 'node:path'; import { fileURLToPath } from 'node:url'; +import { mkdir, writeFile, rm } from 'node:fs/promises'; +import { tmpdir } from 'node:os'; import { resetCounter } from '../../scanners/lib/output.mjs'; import { scan } from '../../scanners/token-hotspots.mjs'; import { discoverConfigFiles } from '../../scanners/lib/file-discovery.mjs'; @@ -405,3 +407,36 @@ describe('TOK scanner — H stale plugin-cache versions (v5.9 B3)', () => { assert.ok(!result.findings.some(x => /stale plugin-cache/i.test(x.title || ''))); }); }); + +describe('TOK scanner — CLAUDE.md HTML-comment token discount (M-BUG-6)', () => { + it('estimates a comment-padded CLAUDE.md below its raw byte heuristic', async () => { + const dir = join( + tmpdir(), + `config-audit-tok-mbug6-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`, + ); + await mkdir(dir, { recursive: true }); + try { + // Big block-level comment CC strips before injection — the hotspot's + // estimated_tokens must reflect the stripped size, not the raw on-disk byte + // count. (Hotspot output exposes `path` + `estimated_tokens`, not `size`.) + const comment = ``; + const content = `# Root\n\n${comment}\n\nReal instruction body.\n`; + const rawBytes = Buffer.byteLength(content, 'utf8'); + await writeFile(join(dir, 'CLAUDE.md'), content); + resetCounter(); + const discovery = await discoverConfigFiles(dir); + const result = await withHermeticHome(() => scan(dir, discovery)); + const hs = result.hotspots.find( + h => typeof h.path === 'string' && h.path.endsWith('CLAUDE.md'), + ); + assert.ok(hs, 'expected a CLAUDE.md hotspot for the fixture'); + assert.ok( + hs.estimated_tokens < Math.ceil(rawBytes / 4), + `expected discounted tokens (${hs.estimated_tokens}) below raw heuristic ` + + `(${Math.ceil(rawBytes / 4)}) for ${rawBytes} raw bytes`, + ); + } finally { + await rm(dir, { recursive: true, force: true }); + } + }); +}); From 3cf5c714a212ac220262a7858aab7d7f92d296f0 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 26 Jun 2026 15:15:14 +0200 Subject: [PATCH 17/31] fix(acr): SET typo-gates unknown-key false positives (M-BUG-10) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The CC settings schema is passthrough (verified against the 2.1.193 binary): it forwards unrecognized keys unchanged rather than rejecting them, so an arbitrary unknown key is valid/forward-compatible, not an error — the finding's "silently ignored" claim was factually wrong. The only real risk is a TYPO of a real key (the intended setting then silently has no effect). Fix: flag an unknown key only when it closely matches a known key (new levenshtein helper; edit distance <= 2, both keys >= 4 chars); severity medium -> low; honest passthrough framing in the scanner + humanizer. Also refreshed KNOWN_KEYS with 6 binary-verified keys (agentPushNotifEnabled, remoteControlAtStartup, skipAutoPermissionPrompt, skipDangerousModePermissionPrompt, skipWorkflowUsageWarning, tui). Suite 1341/0 (+12). Frozen v5.0.0 snapshots untouched (0 CA-SET findings there), no re-seed. Dogfood ~/.claude/settings.json 6->0 (all 6 keys above were false unknown-key findings; 0 typo flags introduced across 167 walked files). --- scanners/lib/humanizer-data.mjs | 8 +-- scanners/lib/string-utils.mjs | 35 ++++++++++++ scanners/settings-validator.mjs | 44 ++++++++++++--- tests/lib/string-utils.test.mjs | 38 ++++++++++++- tests/scanners/settings-validator.test.mjs | 65 +++++++++++++++++++++- 5 files changed, 174 insertions(+), 16 deletions(-) diff --git a/scanners/lib/humanizer-data.mjs b/scanners/lib/humanizer-data.mjs index 2356547..adf6802 100644 --- a/scanners/lib/humanizer-data.mjs +++ b/scanners/lib/humanizer-data.mjs @@ -96,10 +96,10 @@ export const TRANSLATIONS = { // ───────────────────────────────────────────────────────────── SET: { static: { - 'Unknown settings key': { - title: 'A settings key isn\'t recognized', - description: 'A key in your settings file isn\'t one Claude Code understands. It will be ignored.', - recommendation: 'Check the key name for typos, or remove the key if it\'s no longer in use.', + 'Possible typo in settings key': { + title: 'A settings key looks like a typo', + description: 'A key in your settings file isn\'t recognized, but it\'s very close to a real one — likely a typo. Claude Code forwards unrecognized keys unchanged rather than rejecting them, so a misspelled key silently has no effect.', + recommendation: 'Check the suggested key name. Fix the spelling, or keep the key if it\'s intentional (e.g. a newer key this audit doesn\'t know yet).', }, 'Deprecated settings key': { title: 'A settings key is no longer supported', diff --git a/scanners/lib/string-utils.mjs b/scanners/lib/string-utils.mjs index e0e14cf..0f27bf1 100644 --- a/scanners/lib/string-utils.mjs +++ b/scanners/lib/string-utils.mjs @@ -43,6 +43,41 @@ export function isSimilar(a, b, threshold = 0.8) { return similarity >= threshold; } +/** + * Levenshtein edit distance between two strings (insertions, deletions, + * substitutions; a transposition counts as 2). Used for typo detection on + * settings keys. Zero external dependencies, O(a*b) with two rolling rows. + * @param {string} a + * @param {string} b + * @returns {number} + */ +export function levenshtein(a, b) { + if (a === b) return 0; + const al = a.length; + const bl = b.length; + if (al === 0) return bl; + if (bl === 0) return al; + let prev = new Array(bl + 1); + let curr = new Array(bl + 1); + for (let j = 0; j <= bl; j++) prev[j] = j; + for (let i = 1; i <= al; i++) { + curr[0] = i; + const ac = a.charCodeAt(i - 1); + for (let j = 1; j <= bl; j++) { + const cost = ac === b.charCodeAt(j - 1) ? 0 : 1; + curr[j] = Math.min( + prev[j] + 1, // deletion + curr[j - 1] + 1, // insertion + prev[j - 1] + cost, // substitution + ); + } + const tmp = prev; + prev = curr; + curr = tmp; + } + return prev[bl]; +} + /** * Extract all key-like patterns from a settings.json or similar config. * @param {object} obj diff --git a/scanners/settings-validator.mjs b/scanners/settings-validator.mjs index 03a52ec..bf84de8 100644 --- a/scanners/settings-validator.mjs +++ b/scanners/settings-validator.mjs @@ -8,11 +8,11 @@ import { readTextFile } from './lib/file-discovery.mjs'; import { finding, scannerResult } from './lib/output.mjs'; import { SEVERITY } from './lib/severity.mjs'; import { parseJson } from './lib/yaml-parser.mjs'; -import { extractKeys } from './lib/string-utils.mjs'; +import { extractKeys, levenshtein } from './lib/string-utils.mjs'; const SCANNER = 'SET'; -/** Known top-level settings.json keys (as of CC 2.1.181 / June 2026) */ +/** Known top-level settings.json keys (as of CC 2.1.193 / June 2026) */ const KNOWN_KEYS = new Set([ 'additionalDirectories', 'agent', 'allowAllClaudeAiMcps', 'allowedChannelPlugins', 'allowedHttpHookUrls', @@ -37,6 +37,9 @@ const KNOWN_KEYS = new Set([ 'spinnerTipsOverride', 'spinnerVerbs', 'statusLine', 'strictKnownMarketplaces', 'useAutoModeDuringPlan', 'voiceEnabled', 'wheelScrollAccelerationEnabled', 'worktree', '$schema', + // CC 2.1.193 binary-verified (M-BUG-10): present as quoted string literals in the binary + 'agentPushNotifEnabled', 'remoteControlAtStartup', 'skipAutoPermissionPrompt', + 'skipDangerousModePermissionPrompt', 'skipWorkflowUsageWarning', 'tui', ]); /** Deprecated keys with migration info */ @@ -75,6 +78,16 @@ const VALID_EFFORT_LEVELS = new Set(['low', 'medium', 'high', 'xhigh', 'max']); * a project root to walks/discovery, inflating per-turn cost and confusing scope. */ const ADDITIONAL_DIRS_THRESHOLD = 2; +/** M-BUG-10: the CC settings schema is passthrough — it forwards unrecognized + * keys unchanged rather than rejecting them, so an arbitrary unknown key is + * valid/forward-compatible, not an error. The only real risk is a TYPO of a + * real key (the intended setting silently does nothing), so an unknown key is + * flagged ONLY when it closely matches a known key: edit distance within + * TYPO_MAX_DISTANCE and both keys at least TYPO_MIN_LEN chars (short keys are + * too noisy for reliable edit-distance matching). */ +const TYPO_MAX_DISTANCE = 2; +const TYPO_MIN_LEN = 4; + /** The only valid sub-keys of `autoMode`, each a prose-rule string array * (the literal "$defaults" is a valid entry). Verified against * code.claude.com/docs/en/auto-mode-config. */ @@ -115,17 +128,32 @@ export async function scan(targetPath, discovery) { continue; } - // Check for unknown keys + // Check for unknown keys — typo gate (M-BUG-10). The CC settings schema is + // passthrough, so an unrecognized key is NOT an error; only a typo of a real + // key is (the intended setting silently does nothing). Flag a key only when + // it closely matches a known key; an unknown key far from every known key is + // treated as valid/forward-compatible and emitted nothing. for (const key of Object.keys(parsed)) { - if (!KNOWN_KEYS.has(key)) { + if (KNOWN_KEYS.has(key)) continue; + let nearest = null; + let best = Infinity; + for (const known of KNOWN_KEYS) { + if (Math.min(key.length, known.length) < TYPO_MIN_LEN) continue; + const d = levenshtein(key, known); + if (d <= TYPO_MAX_DISTANCE && d < best) { + best = d; + nearest = known; + } + } + if (nearest) { findings.push(finding({ scanner: SCANNER, - severity: SEVERITY.medium, - title: 'Unknown settings key', - description: `${file.relPath}: "${key}" is not a recognized settings.json key. It will be silently ignored.`, + severity: SEVERITY.low, + title: 'Possible typo in settings key', + description: `${file.relPath}: "${key}" is not a recognized settings.json key, but it closely matches "${nearest}". Claude Code forwards unrecognized keys unchanged (it does not reject them), so if "${key}" is a typo of "${nearest}" the intended setting silently has no effect.`, file: file.absPath, evidence: key, - recommendation: 'Check spelling. See https://json.schemastore.org/claude-code-settings.json for valid keys.', + recommendation: `Did you mean "${nearest}"? Fix the spelling, or keep "${key}" if it is intentional (e.g. a newer settings key this audit does not recognize yet).`, autoFixable: false, })); } diff --git a/tests/lib/string-utils.test.mjs b/tests/lib/string-utils.test.mjs index 9855b2d..2629bff 100644 --- a/tests/lib/string-utils.test.mjs +++ b/tests/lib/string-utils.test.mjs @@ -1,6 +1,6 @@ import { describe, it } from 'node:test'; import assert from 'node:assert/strict'; -import { lineCount, truncate, isSimilar, extractKeys, normalizePath } from '../../scanners/lib/string-utils.mjs'; +import { lineCount, truncate, isSimilar, extractKeys, normalizePath, levenshtein } from '../../scanners/lib/string-utils.mjs'; describe('lineCount', () => { it('counts lines correctly', () => { @@ -90,6 +90,42 @@ describe('extractKeys', () => { }); }); +describe('levenshtein', () => { + it('returns 0 for identical strings', () => { + assert.strictEqual(levenshtein('permissions', 'permissions'), 0); + }); + + it('counts a single substitution as 1', () => { + assert.strictEqual(levenshtein('model', 'modet'), 1); + }); + + it('counts a single deletion as 1 (permisions → permissions)', () => { + assert.strictEqual(levenshtein('permisions', 'permissions'), 1); + }); + + it('counts a single insertion as 1', () => { + assert.strictEqual(levenshtein('hooks', 'hooks2'), 1); + }); + + it('counts a transposition as 2 (standard Levenshtein)', () => { + assert.strictEqual(levenshtein('import', 'improt'), 2); + }); + + it('returns the other length when one string is empty', () => { + assert.strictEqual(levenshtein('', 'abc'), 3); + assert.strictEqual(levenshtein('abc', ''), 3); + assert.strictEqual(levenshtein('', ''), 0); + }); + + it('is symmetric', () => { + assert.strictEqual(levenshtein('effortLevel', 'efortLevel'), levenshtein('efortLevel', 'effortLevel')); + }); + + it('gives a large distance for unrelated keys', () => { + assert.ok(levenshtein('unknownKey123', 'permissions') > 2); + }); +}); + describe('normalizePath', () => { it('expands ~ to HOME', () => { const home = process.env.HOME; diff --git a/tests/scanners/settings-validator.test.mjs b/tests/scanners/settings-validator.test.mjs index 5aac01a..2612e10 100644 --- a/tests/scanners/settings-validator.test.mjs +++ b/tests/scanners/settings-validator.test.mjs @@ -47,10 +47,12 @@ describe('SET scanner — broken project', () => { result = await scan(resolve(FIXTURES, 'broken-project'), discovery); }); - it('detects unknown settings key', () => { - // CA-SET-001 in broken-project, evidence='unknownKey123'. + it('does NOT flag an arbitrary unknown key (CC schema is passthrough)', () => { + // M-BUG-10: "unknownKey123" is not close to any known key, so it is a + // valid forward-compatible / passthrough key — NOT a typo. Claude Code + // forwards unrecognized keys unchanged, so flagging it is a false positive. const found = result.findings.some(f => f.scanner === 'SET' && /unknownKey123/.test(f.evidence || '')); - assert.ok(found, 'Should detect unknownKey123'); + assert.ok(!found, 'unknownKey123 is far from every known key → must not be flagged'); }); it('detects deprecated key (includeCoAuthoredBy)', () => { @@ -192,6 +194,63 @@ describe('SET scanner — CC 2.1.114→181 valid keys (Batch 1 false-positive fi }); }); +describe('SET scanner — unknown-key typo gate (M-BUG-10)', () => { + // The CC settings schema is passthrough: it forwards unrecognized keys + // unchanged rather than rejecting them, so an arbitrary unknown key is + // valid/forward-compatible and must NOT be flagged. The only real risk is a + // TYPO of a real key (the intended setting silently has no effect), so the + // scanner flags ONLY unknown keys that closely match a known key. + // Path-guard blocks committing settings.json fixtures → materialize a temp one. + let tmpRoot; + let result; + const TYPO_TITLE = 'Possible typo in settings key'; + + beforeEach(async () => { + resetCounter(); + tmpRoot = await mkdtemp(join(tmpdir(), 'ca-set-typo-')); + await mkdir(join(tmpRoot, '.claude'), { recursive: true }); + const settings = { + $schema: 'https://json.schemastore.org/claude-code-settings.json', + permisions: { deny: ['Read(./.env)'] }, // TYPO of "permissions" (edit distance 1) + someNewKey2027: true, // forward-compat / passthrough — far from every known key + permissions: { deny: ['Read(./.env)'], allow: ['Bash(npm run *)'] }, + }; + await writeFile( + join(tmpRoot, '.claude', 'settings.json'), + JSON.stringify(settings, null, 2) + '\n', + 'utf8', + ); + const discovery = await discoverConfigFiles(tmpRoot); + result = await scan(tmpRoot, discovery); + }); + + afterEach(async () => { + if (tmpRoot) await rm(tmpRoot, { recursive: true, force: true }); + }); + + it('flags a likely typo ("permisions") and suggests the nearest known key', () => { + const typo = result.findings.find(f => f.scanner === 'SET' && f.evidence === 'permisions'); + assert.ok(typo, `expected a typo finding for "permisions"; got: ${result.findings.map(f => `${f.title}:${f.evidence || ''}`).join(' | ')}`); + assert.equal(typo.title, TYPO_TITLE); + assert.match(typo.recommendation, /permissions/, 'recommendation suggests the nearest known key'); + }); + + it('marks the typo finding as low severity (passthrough → not a hard error)', () => { + const typo = result.findings.find(f => f.scanner === 'SET' && f.evidence === 'permisions'); + assert.equal(typo.severity, 'low'); + }); + + it('does NOT flag a forward-compatible key far from any known key', () => { + const fwd = result.findings.find(f => f.scanner === 'SET' && f.evidence === 'someNewKey2027'); + assert.equal(fwd, undefined, 'someNewKey2027 is far from every known key → passthrough, not flagged'); + }); + + it('emits exactly one typo finding for this file', () => { + const typos = result.findings.filter(f => f.scanner === 'SET' && f.title === TYPO_TITLE); + assert.equal(typos.length, 1, `expected exactly one typo finding; got: ${typos.map(f => f.evidence).join(', ')}`); + }); +}); + describe('SET scanner — empty project', () => { let result; beforeEach(async () => { From e8afb148d305e1c1c61791f6869397d79a2219dc Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 26 Jun 2026 17:24:08 +0200 Subject: [PATCH 18/31] fix(acr): conflict-detector segregates plugin-bundled configs (M-BUG-2) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CNF compared every discovered settings.json/hooks.json pairwise regardless of origin, so it treated installed plugins' bundled configs — each plugin's own settings.json/hooks.json plus its shipped test fixtures and examples under ~/.claude/plugins/ — as if they were the user's authored cascade. A "conflict" between two plugins' bundled test fixtures is not something a user can resolve, yet these dominated the count: 339 CNF findings on this machine (315 high-sev permission allow/deny "conflicts", 18 duplicate-hook, 6 settings-key), almost all sourced from plugin-internal fixtures. The Conflicts grade was F on pure noise. Fix: CNF excludes any file whose path is under `.claude/plugins/` from conflict analysis (new isPluginBundled predicate; absPath marker). Kept CNF-local rather than a discovery-level skip on purpose: an active plugin's contributed hooks.json/.mcp.json legitimately lives in plugins/cache and other scanners need it — only conflict analysis must ignore plugin-bundled files. Same class as M-BUG-8 (non-live config trees treated as live). Suite 1344/0 (+3: plugin-bundled exclusion, discovery-side sanity, over-exclusion guard). Frozen v5.0.0 + SC-5 snapshots untouched (marketplace-medium has no plugins/ paths), no re-seed. Dogfood ~/.claude CNF 339->0 (F-grade was 100% plugin-bundled noise; the ~3 genuine user-scope local settings have no actual conflicting keys, matching the plan C5 "real surface ~3 files" prediction). Follow-up (not in this fix): classifyScope tags plugin-bundled files by checking basePath instead of the file's own path, so scope:'plugin' is effectively dead for a ~/.claude-rooted scan. Fixing it would let every scanner trust the scope field, but that is a discovery-layer change beyond this bug's scope. --- scanners/conflict-detector.mjs | 25 +++++- tests/scanners/conflict-detector.test.mjs | 97 ++++++++++++++++++++++- 2 files changed, 117 insertions(+), 5 deletions(-) diff --git a/scanners/conflict-detector.mjs b/scanners/conflict-detector.mjs index 44038b2..fbbcb23 100644 --- a/scanners/conflict-detector.mjs +++ b/scanners/conflict-detector.mjs @@ -5,6 +5,7 @@ * Finding IDs: CA-CNF-NNN */ +import { sep } from 'node:path'; import { readTextFile } from './lib/file-discovery.mjs'; import { finding, scannerResult } from './lib/output.mjs'; import { SEVERITY } from './lib/severity.mjs'; @@ -17,6 +18,22 @@ const SCANNER = 'CNF'; // Keys checked separately or not meaningful to compare const SKIP_KEYS = new Set(['$schema', 'hooks', 'permissions']); +// Files under `.claude/plugins/` are shipped by installed plugins — the plugin's +// own settings.json/hooks.json plus bundled test fixtures and examples. They are +// not the user's authored cascade and a "conflict" between them is not something +// the user can resolve, so they must be excluded from cross-scope conflict +// analysis. (Other scanners still need active plugin config, so this exclusion is +// CNF-local, not a discovery-level skip. M-BUG-2.) +const PLUGIN_TREE_MARKER = `.claude${sep}plugins${sep}`; + +/** + * @param {import('./lib/file-discovery.mjs').ConfigFile} file + * @returns {boolean} true if the file is shipped by an installed plugin + */ +function isPluginBundled(file) { + return file.absPath.includes(PLUGIN_TREE_MARKER); +} + /** * Flatten an object's top-level keys into a simple key→value map. * Only first level — we compare top-level settings, not nested. @@ -63,10 +80,10 @@ export async function scan(targetPath, discovery) { const start = Date.now(); const findings = []; - // Collect settings files - const settingsFiles = discovery.files.filter(f => f.type === 'settings-json'); - // Collect hooks files - const hooksFiles = discovery.files.filter(f => f.type === 'hooks-json'); + // Collect settings files (excluding plugin-bundled — see PLUGIN_TREE_MARKER) + const settingsFiles = discovery.files.filter(f => f.type === 'settings-json' && !isPluginBundled(f)); + // Collect hooks files (excluding plugin-bundled) + const hooksFiles = discovery.files.filter(f => f.type === 'hooks-json' && !isPluginBundled(f)); const totalFiles = settingsFiles.length + hooksFiles.length; diff --git a/tests/scanners/conflict-detector.test.mjs b/tests/scanners/conflict-detector.test.mjs index f0c3226..cc06cc2 100644 --- a/tests/scanners/conflict-detector.test.mjs +++ b/tests/scanners/conflict-detector.test.mjs @@ -1,6 +1,6 @@ import { describe, it, beforeEach, before, after } from 'node:test'; import assert from 'node:assert/strict'; -import { resolve, join } from 'node:path'; +import { resolve, join, sep } from 'node:path'; import { fileURLToPath } from 'node:url'; import { mkdir, writeFile, rm } from 'node:fs/promises'; import { tmpdir } from 'node:os'; @@ -208,3 +208,98 @@ describe('CNF scanner — cache exclusion drops duplicate-hook count (B3)', () = `cache exclusion must drop CNF count: include=${includeCount} exclude=${excludeCount}`); }); }); + +// M-BUG-2: CNF must segregate plugin-bundled configs from the user's authored +// cascade. Installed plugins ship their OWN settings.json / hooks.json — plus +// bundled test fixtures and examples — under ~/.claude/plugins/. None of these +// are user-authored config the user can edit, and a "conflict" between two +// plugins' bundled files is not something the user can resolve. Yet CNF compared +// every settings-json/hooks-json pairwise regardless of origin, inflating the +// Conflicts grade to F with hundreds of bogus findings (339 on this machine, +// ~315 of them high-severity permission "conflicts" between plugin test +// fixtures). CNF must exclude any file whose path is under `.claude/plugins/`. +// The exclusion belongs in CNF, NOT discovery: an active plugin's contributed +// hooks.json/.mcp.json legitimately lives in plugins/cache and other scanners +// need it — only conflict analysis must ignore it. +describe('CNF scanner — excludes plugin-bundled configs (M-BUG-2)', () => { + let dir, result, discovery; + + before(async () => { + dir = join(tmpdir(), `config-audit-cnf-mbug2-${Date.now()}`); + // Live, user-authored cascade (project-scope settings). + const liveClaude = join(dir, '.claude'); + await mkdir(liveClaude, { recursive: true }); + await writeFile(join(liveClaude, 'settings.json'), JSON.stringify({ + model: 'opus', + permissions: { deny: ['Bash(curl:*)'] }, + hooks: { PreToolUse: [{ matcher: 'Edit' }] }, + })); + // An installed plugin ships its OWN settings.json + hooks.json (active version). + const p1 = join(liveClaude, 'plugins', 'cache', 'mkt', 'p1', '1.0.0'); + await mkdir(join(p1, '.claude'), { recursive: true }); + await writeFile(join(p1, '.claude', 'settings.json'), JSON.stringify({ + model: 'sonnet', + permissions: { allow: ['Bash(curl:*)'] }, + hooks: { PreToolUse: [{ matcher: 'Edit' }] }, + })); + await mkdir(join(p1, 'hooks'), { recursive: true }); + await writeFile(join(p1, 'hooks', 'hooks.json'), JSON.stringify({ + hooks: { PreToolUse: [{ matcher: 'Edit' }] }, + })); + // Another plugin ships a TEST FIXTURE settings.json — pure noise, never live. + const p2fix = join(liveClaude, 'plugins', 'cache', 'mkt', 'p2', '2.0.0', + 'tests', 'fixtures', 'proj', '.claude'); + await mkdir(p2fix, { recursive: true }); + await writeFile(join(p2fix, 'settings.json'), JSON.stringify({ + model: 'haiku', + permissions: { allow: ['Bash(rm:*)'] }, + })); + + resetCounter(); + discovery = await discoverConfigFiles(dir); + result = await scan(dir, discovery); + }); + + after(async () => { + await rm(dir, { recursive: true, force: true }); + }); + + it('discovery surfaces the plugin-bundled settings (exclusion must be CNF-side, not discovery-side)', () => { + const pluginSettings = discovery.files.filter( + f => f.type === 'settings-json' && f.absPath.includes(`.claude${sep}plugins${sep}`)); + assert.ok(pluginSettings.length >= 2, + `expected ≥2 plugin-bundled settings discovered; got ${pluginSettings.length}`); + }); + + it('does not flag any conflict sourced from plugin-bundled configs', () => { + assert.equal(result.findings.length, 0, + `expected 0 CNF findings (only noise is plugin-bundled); got ${result.findings.length}: ${result.findings.map(f => f.title).join(', ')}`); + }); +}); + +// Guard against over-exclusion: the fix must NOT silence genuine conflicts +// between the user's own authored files (user/project/local), which are not +// under `.claude/plugins/`. +describe('CNF scanner — genuine live conflict still flagged (M-BUG-2 guard)', () => { + let dir, result; + + before(async () => { + dir = join(tmpdir(), `config-audit-cnf-mbug2-guard-${Date.now()}`); + const claude = join(dir, '.claude'); + await mkdir(claude, { recursive: true }); + await writeFile(join(claude, 'settings.json'), JSON.stringify({ model: 'opus' })); + await writeFile(join(claude, 'settings.local.json'), JSON.stringify({ model: 'haiku' })); + resetCounter(); + const discovery = await discoverConfigFiles(dir); + result = await scan(dir, discovery); + }); + + after(async () => { + await rm(dir, { recursive: true, force: true }); + }); + + it('still flags the genuine cross-scope key conflict between user-authored files', () => { + assert.ok(result.findings.some(f => f.title.includes('model')), + `expected a genuine "model" conflict; got: ${result.findings.map(f => f.title).join(', ') || '(none)'}`); + }); +}); From 1bdaefc2686f767412b66df120e823e2556d2252 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 26 Jun 2026 18:04:20 +0200 Subject: [PATCH 19/31] =?UTF-8?q?release:=20v5.12.5=20=E2=80=94=20"Dogfood?= =?UTF-8?q?=20denoise"=20(M-BUG-2/6/7/8/10=20scanner=20false-positive=20ba?= =?UTF-8?q?tch)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Version-sync for the Fase-3 scanner false-positive batch (code already shipped in bfd577a / dd9db60 / 7e94910 / 3cf5c71 / e8afb14): - plugin.json 5.12.4 -> 5.12.5 - README version badge -> 5.12.5, tests badge 1307 -> 1344, new version-history row - CHANGELOG [5.12.5] section (per-bug Fixed entries) Batch theme: five scanners stop counting non-user / non-live config as the user's authored cascade (plugin-bundled config, frozen backups, doc examples, forward-compatible settings keys). checkReadmeBadges: passed:true (tests 1344, scanners 16, commands 21, agents 7, hooks 4 — all match filesystem). Full suite 1344/0. Frozen v5.0.0 + SC-5 + default-output snapshots byte-stable; no re-seed across all five fixes (each affected fixture's findings are genuinely unchanged). Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01EnUvKEqyEa1m9gy6Aqhdqq --- .claude-plugin/plugin.json | 2 +- CHANGELOG.md | 57 ++++++++++++++++++++++++++++++++++++++ README.md | 5 ++-- 3 files changed, 61 insertions(+), 3 deletions(-) diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index 589062b..4654ec0 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -1,7 +1,7 @@ { "name": "config-audit", "description": "Multi-agent workflow for analyzing, reporting, and optimizing Claude Code configuration across your entire machine", - "version": "5.12.4", + "version": "5.12.5", "author": { "name": "Kjell Tore Guttormsen" }, diff --git a/CHANGELOG.md b/CHANGELOG.md index 28dc95d..dfd4e45 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,63 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [5.12.5] - 2026-06-26 + +### Summary +"Dogfood denoise" — a samle-release of the Fase-3 scanner false-positive batch: `M-BUG-2/6/7/8/10`, +all dogfooding finds from running config-audit on the maintainer's real `~/.claude`. The shared theme +is **non-user / non-live config wrongly counted as the user's authored cascade**: installed plugins' +bundled config, frozen backup copies, doc examples, and forward-compatible settings keys all produced +findings the user could neither act on nor was responsible for. No new scanner, command, agent, or hook +(counts stay scanners **16**, agents **7**, commands **21**, hooks **4**); all five fixes are byte-stable +— the frozen v5.0.0 + SC-5 + default-output snapshots are untouched and **no fixture was re-seeded** +(verified per bug: each affected fixture's findings are genuinely unchanged because the snapshot fixtures +contain none of the triggering paths/tokens). **1344** tests (+37). + +### Fixed +- **`conflict-detector` segregates plugin-bundled config (`M-BUG-2`).** CNF compared every discovered + `settings.json`/`hooks.json` pairwise regardless of origin, so it treated installed plugins' bundled + configs — each plugin's own settings/hooks plus its shipped fixtures and examples under + `~/.claude/plugins/` — as the user's cascade. A "conflict" between two plugins' bundled test fixtures + is not user-resolvable, yet these dominated the count (dogfood **339** findings: 315 high-sev + allow/deny, 18 duplicate-hook, 6 settings-key — Conflicts grade F on ~100% plugin noise). Fix: a new + `isPluginBundled` predicate excludes any file whose absolute path is under `.claude/plugins/` from + conflict analysis. Kept **CNF-local, not a discovery-level skip** on purpose — an active plugin's + contributed `hooks.json`/`.mcp.json` legitimately lives in `plugins/cache` and other scanners need it; + only conflict analysis must ignore plugin-bundled files. Same class as `M-BUG-8`. Dogfood **339→0** + (the ~3 genuine user-scope local settings have no actually-conflicting keys). +3 tests (plugin-bundled + exclusion, discovery-side sanity, over-exclusion guard). +- **`file-discovery` skips `backups/` (`M-BUG-8`).** A directory named `backups` holds backup COPIES, not + live config, so walking it during an audit produces stale findings. config-audit's own session backups + (`~/.claude/config-audit/backups//files/.../CLAUDE.md`) were the canonical case: a `~/.claude`-scope + audit walked 36 frozen copies as if live, polluting CPS and HKV/RUL. Fix: add `backups` to `SKIP_DIRS` + (broad, name-based — consistent with `vendor`/`dist`/`.cache`). Dogfood files-under-`/backups/` + **36→0**, 717 live config files retained. +3 tests. +- **token estimator discounts block-level HTML comments (`M-BUG-6`).** CLAUDE.md token estimates counted + block-level `` comments toward always-loaded tokens, but CC strips them before injection + (preserved only inside code fences, per `code.claude.com/docs/en/memory`). Fix: new + `stripInjectedHtmlComments` + `effectiveMemoryBytes` in `active-config-reader`; the CML cascade and + `token-hotspots` now size CLAUDE.md from effective (stripped) bytes while raw byte figures stay honest. + Block-level only — inline comments retained (conservative, verified scope). Dogfood `~/.claude` CLAUDE.md + ~3386→3301 tok (~85 tok). +13 tests. +- **`cache-prefix-stability` ignores code + CC-stable path vars (`M-BUG-7`).** CPS flagged + `${CLAUDE_PLUGIN_ROOT}`/`${CLAUDE_PROJECT_DIR}` (CC-provided stable paths) and `{date}`/timestamp tokens + shown in documentation as cache-busters. Fix: skip fenced code blocks, strip inline-code spans, and + whitelist CC-stable vars before pattern-matching. Suppress-only — frozen v5.0.0 snapshots untouched + (CPS yields `findings:[]` there). Dogfood **5→2** (3 doc false-positives suppressed; 2 remaining are + own volatile test fixtures). +6 tests. +- **`settings-validator` typo-gates unknown keys (`M-BUG-10`).** The CC settings schema is passthrough + (verified against the 2.1.193 binary): it forwards unrecognized keys unchanged rather than rejecting + them, so an arbitrary unknown key is forward-compatible, not an error — the finding's "silently ignored" + claim was factually wrong. The only real risk is a TYPO of a real key (the intended setting then + silently has no effect). Fix: flag an unknown key only when it closely matches a known key (new + `levenshtein` helper; edit distance ≤2, both keys ≥4 chars); severity medium→low; honest passthrough + framing in scanner + humanizer. Also refreshed `KNOWN_KEYS` with 6 binary-verified keys + (`agentPushNotifEnabled`, `remoteControlAtStartup`, `skipAutoPermissionPrompt`, + `skipDangerousModePermissionPrompt`, `skipWorkflowUsageWarning`, `tui`). Dogfood + `~/.claude/settings.json` **6→0** (all 6 were false unknown-key findings; 0 typo flags introduced across + 167 walked files). +12 tests. + ## [5.12.4] - 2026-06-26 ### Summary diff --git a/README.md b/README.md index e6e98e9..fd6db59 100644 --- a/README.md +++ b/README.md @@ -6,13 +6,13 @@ *AI-generated: all code produced by Claude Code through dialog-driven development. [Full disclosure →](../../README.md#ai-generated-code-disclosure)* -![Version](https://img.shields.io/badge/version-5.12.4-blue) +![Version](https://img.shields.io/badge/version-5.12.5-blue) ![Platform](https://img.shields.io/badge/platform-Claude_Code_Plugin-purple) ![Scanners](https://img.shields.io/badge/scanners-16-cyan) ![Commands](https://img.shields.io/badge/commands-21-green) ![Agents](https://img.shields.io/badge/agents-7-orange) ![Hooks](https://img.shields.io/badge/hooks-4-red) -![Tests](https://img.shields.io/badge/tests-1307-brightgreen) +![Tests](https://img.shields.io/badge/tests-1344-brightgreen) ![License](https://img.shields.io/badge/license-MIT-lightgrey) A Claude Code plugin that checks configuration health, suggests context-aware improvements, and auto-fixes issues — `CLAUDE.md`, `settings.json`, hooks, rules, MCP servers, `@imports`, and plugins. 16 deterministic scanners across 10 quality areas, context-aware feature recommendations, auto-fix with backup/rollback, a prompt-cache-aware Token Hotspots scanner with optional API-calibrated `--accurate-tokens` mode, plus cache-prefix stability, dead-tool, cross-plugin collision, output-style, and always-loaded agent-listing-budget detection. Zero external dependencies. @@ -662,6 +662,7 @@ This plugin is cautious by design — configuration files are important, and a b | Version | Date | Highlights | |---------|------|-----------| +| **5.12.5** | 2026-06-26 | "Dogfood denoise" — a samle-release of the Fase-3 scanner false-positive batch (`M-BUG-2/6/7/8/10`, all dogfooding finds on the maintainer's real machine). Five scanners stop counting non-user / non-live config as the user's: **CNF** (`M-BUG-2`) excludes files under `.claude/plugins/` from conflict analysis (`isPluginBundled`) — installed plugins' bundled settings/hooks/fixtures are not a user-resolvable cascade (dogfood **339→0**, Conflicts was an F on pure plugin noise). **file-discovery** (`M-BUG-8`) adds `backups` to `SKIP_DIRS` — a `backups/` tree holds frozen copies, never live config (dogfood files-under-`/backups/` **36→0**, 717 live retained). **token estimator** (`M-BUG-6`) strips block-level `` HTML comments from CLAUDE.md sizing — CC strips them before injection, so they were never always-loaded tokens (dogfood ~3386→3301, ~85 tok). **CPS** (`M-BUG-7`) skips fenced/inline code and whitelists CC-stable path vars (`${CLAUDE_PLUGIN_ROOT}`/`${CLAUDE_PROJECT_DIR}`) before cache-buster matching (dogfood **5→2**). **SET** (`M-BUG-10`) typo-gates the unknown-settings-key finding — the CC schema is passthrough (verified against the 2.1.193 binary), so an unknown key is forward-compatible, not an error; it now flags only a near-miss of a known key (levenshtein ≤2), severity medium→low, +6 binary-verified `KNOWN_KEYS` (dogfood **6→0**). No count change (scanners **16**, agents **7**, commands **21**, hooks **4**); all five are byte-stable — frozen v5.0.0 + SC-5 + default-output snapshots untouched, no re-seed (each fixture's findings are genuinely unchanged). **1344** tests (+37). | | **5.12.4** | 2026-06-26 | "Rooted rules" — fixes `M-BUG-9` (dogfooding find) in `scanners/rules-validator.mjs`: the RUL "Rule path pattern matches no files" check now resolves a rule's `paths:`/`globs:` pattern against the rule's **own project root** (the dir containing its `.claude/`), not the outer scan root. Previously `countGlobMatches` globbed against the scan target and `collectProjectFiles`' `depth>4` cutoff never reached deep matching files, so a live rule in a **nested repo** (e.g. a marketplace checkout under `~/.claude`) was wrongly flagged "never activates" (high) — a false F-grade for anyone with rules in a nested repo. The fix derives each rule's project root, collects+globs per root (cached), and skips the check for user-global rules (`root === $HOME`), which scope against the active project at runtime. Same scope-conflation family as `M-BUG-1/2`. No count change (scanners **16**, agents **7**, commands **21**); the fix is a no-op when `projectRoot === targetPath` (the common single-repo scan), so frozen v5.0.0 + default-output snapshots stay byte-stable. **1307** tests (+2 TDD: nested-repo false-positive + HOME guard). | | **5.12.3** | 2026-06-26 | "Phantom agents" — fixes `M-BUG-3/4/5` (dogfooding finds) in `scanners/lib/active-config-reader.mjs`: `enumerateAgents` now counts only the agents Claude Code actually **registers**. Per the official subagents doc, an agent needs valid `name`+`description` frontmatter, and CC scans recursively and silently skips frontmatter-less files. The reader previously (`M-BUG-5`) counted every `.md` regardless of frontmatter, (`M-BUG-3`) never recursed into agent subdirs, and (`M-BUG-4`) double-counted when the project dir equals the user dir (scanning `$HOME` — root cause, also affecting rules/output-styles). Real-machine verify: user-agent count **13→0** (all 12 user agents + `REMEMBER.md` are frontmatter-less → CC registers none), HOME `project`-dup **13→0**; corrected always-loaded baseline ≈ **53** (was 66). Agent enumeration is machine-dependent and absent from the frozen snapshots, so the v5.0.0 + SC-5 + default-output snapshots stay byte-stable; no count change (scanners **16**, agents **7**, commands **21**). **1305** tests. | | **5.12.2** | 2026-06-24 | "Honest census" — fixes `M-BUG-1` (dogfooding find): `enumeratePlugins` walked `~/.claude/plugins/marketplaces//plugins/` and ignored both enable-state and the polyrepo cache layout, so it **over-counted phantom agents** from disabled plugins while **missing the entire enabled polyrepo set** (whose plugins live under `cache/`). It now gates on `installed_plugins.json` + `enabledPlugins` and enumerates each plugin from its active `installPath`, with the marketplaces walk as fallback. Fixes `manifest`/`whats-active`/AGT/`token-hotspots` for any user with disabled plugins or a polyrepo marketplace. No count change (scanners **16**, agents **7**, commands **21**); `--json`/`--raw` byte-stable, frozen v5.0.0 + SC-5 + default-output snapshots untouched. Real-machine verify: agent listing 114→104, ghosts gone. **1301** tests. | From 96e32df87bb033bc8dbde60e263d8e8b43c50c11 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Mon, 29 Jun 2026 08:32:44 +0200 Subject: [PATCH 20/31] =?UTF-8?q?docs(claude-md):=20trim=20project=20CLAUD?= =?UTF-8?q?E.md=20to=20invariants=20(=E2=88=92662=20always-tok)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The plugin's own CLAUDE.md is loaded every turn while working in this repo (measured 2,178 always-loaded tokens via `manifest`, the largest slice of the 2,745-tok project delta). Much of it was reference-grade prose that duplicates README.md, `/config-audit help`, and docs/ — verbose per-command feature lists, the full plain-language-output spec, the session-dir ASCII tree — none of which is invariant for working on the plugin. Trimmed to what is invariant: command names + one-line purpose, the agent / hook tables (model/color/tools, script/event), finding-ID format, enforced .claude/rules conventions, coding style, test command, gotchas. Detail now points to README / docs/. Also dropped two stale badge-duplicate figures that had already rotted (the README badge owns them): "18 commands" (now 21) and "1279 tests / 72 files" (now 1344) — removed rather than re-pinned so they can't go stale again. Measured: CLAUDE.md 134->102 lines, 8844->6170 B, 2,178->1,516 tok (-30%); config-audit project always-delta 2,745->2,083 tok (-24%). Full suite 1344/0; frozen v5.0.0 + SC-5 + default-output snapshots byte-stable (no scanner/snapshot reads this repo's CLAUDE.md). Docs-only — no version bump, no catalog ref change. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01683eAqVecv9VZfQzL8CQ9h --- CLAUDE.md | 92 ++++++++++++++++++------------------------------------- 1 file changed, 30 insertions(+), 62 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 97054c1..a367750 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -1,13 +1,8 @@ # Config-Audit Plugin -Claude Code Configuration Intelligence — know if your configuration is correct, find what could improve it, fix it automatically. +Claude Code Configuration Intelligence — know if your config is correct, find what could improve it, fix it automatically. Three pillars: **Health** (deterministic scanners), **Opportunities** (context-aware recommendations), **Action** (auto-fix with backup/rollback). -## What this plugin does - -Analyzes and optimizes Claude Code configuration across three pillars: -- **Health** — Deterministic scanners verify correctness, consistency, and completeness -- **Opportunities** — Context-aware recommendations for features that could benefit your project -- **Action** — Auto-fix with backup/rollback +Per-command flags, patterns, and feature lists live in `README.md` and `/config-audit help`. This file carries what's invariant for working on the plugin. ## Commands @@ -15,15 +10,15 @@ Analyzes and optimizes Claude Code configuration across three pillars: | Command | Description | |---------|-------------| -| `/config-audit` | Full audit with auto-scope detection (no setup needed) | -| `/config-audit posture` | Quick health scorecard (A-F grades, 10 quality areas incl. Token Efficiency, Plugin Hygiene) | -| `/config-audit tokens` | prompt-cache-aware token hotspots (8 patterns: cache-breaking, redundant perms, deep imports, oversized cascade, bloated SKILL.md desc, MCP tool-schema budget, MCP tool-schema deferral, stale plugin-cache disk-cleanup), each ranked hotspot tagged with its load pattern (always / on-demand / external) — **cache-aware** (stale `~/.claude/plugins/cache` versions excluded by default; only each plugin's active version counts; `--no-exclude-cache` for the full walk), optional `--accurate-tokens` API calibration, `--with-telemetry-recipe` cache-hit recipe pointer | -| `/config-audit manifest` | Ranked table of every token source (CLAUDE.md, rules, agents, skills, output styles, MCP, hooks) sorted by estimated tokens, each tagged with its load pattern (always-loaded / on-demand / external) + an always-loaded subtotal ("tokens that enter context every turn") | -| `/config-audit feature-gap` | Context-aware feature recommendations grouped by impact (incl. a conditional `disableBundledSkills` lever when the active skill listing is over budget — remediation companion to SKL `CA-SKL-002`) | -| `/config-audit optimize` | Optimization lens (mechanism-fit) — config that works but fits a better mechanism: procedure→skill (CA-OPT-001, deterministic), lifecycle→hook / unscoped path→rule / "never"→permission (prose-judgment via opus `optimization-lens-agent`). Hybrid motor; every finding cites a best-practices-register rule. Agent-driven, **not byte-stable** | +| `/config-audit` | Full audit with auto-scope detection | +| `/config-audit posture` | A-F health scorecard (10 quality areas) | +| `/config-audit tokens` | Prompt-cache-aware token hotspots, each tagged with its load pattern; cache-aware | +| `/config-audit manifest` | Ranked table of every token source + always-loaded subtotal | +| `/config-audit feature-gap` | Context-aware feature recommendations grouped by impact | +| `/config-audit optimize` | Mechanism-fit lens (procedure→skill, lifecycle→hook, path→rule, never→permission). Agent-driven, **not byte-stable** | | `/config-audit fix` | Auto-fix deterministic issues with backup + verification | | `/config-audit rollback` | Restore configuration from backup | -| `/config-audit plan` | Create action plan from audit findings | +| `/config-audit plan` | Create action plan from findings | | `/config-audit implement` | Execute plan with backups + auto-verify | | `/config-audit help` | Show all commands | @@ -33,9 +28,9 @@ Analyzes and optimizes Claude Code configuration across three pillars: |---------|-------------| | `/config-audit drift` | Compare current config against saved baseline | | `/config-audit plugin-health` | Audit plugin structure, frontmatter, cross-plugin coherence | -| `/config-audit whats-active` | Read-only inventory of plugins, skills, MCP, hooks, CLAUDE.md active for a repo (with token estimates) | -| `/config-audit knowledge-refresh` | Keep the best-practices register fresh — deterministic stale check (sources older than ~90d) + web candidate poll (CC changelog + Anthropic blog); **human-approved writes only** (Verifiseringsplikt). The "living" half of the knowledge base. Web/judgment-driven, **not byte-stable** | -| `/config-audit campaign` | Machine-wide audit campaign — durable ledger ABOVE sessions: per-repo lifecycle (pending→audited→planned→implemented) + machine-wide roll-up by severity + **machine-wide always-loaded token bill** (`refresh-tokens` live cross-repo sweep — shared global layer counted once + per-repo deltas) + cross-repo prioritized backlog + plan **export** (drop a planned repo's plan into its own `docs/`), resumable across sessions. Read-only report (campaign-cli) + **human-approved** writes via deterministic write/export CLIs. THIN: tracks+routes state, reuses existing implement/rollback for execution. Judgment-driven, **not byte-stable** | +| `/config-audit whats-active` | Read-only inventory of active plugins/skills/MCP/hooks/CLAUDE.md (with token estimates) | +| `/config-audit knowledge-refresh` | Refresh the best-practices register (stale check + web poll). Human-approved writes; **not byte-stable** | +| `/config-audit campaign` | Machine-wide audit ledger + token bill across repos. Human-approved writes; **not byte-stable** | | `/config-audit discover` | Run discovery phase only | | `/config-audit analyze` | Run analysis phase only | | `/config-audit interview` | Gather user preferences (opt-in) | @@ -51,68 +46,43 @@ Analyzes and optimizes Claude Code configuration across three pillars: | planner-agent | Create action plan | opus | yellow | Read, Glob, Write | | implementer-agent | Execute changes | sonnet | magenta | Read, Write, Edit, Bash, Glob | | verifier-agent | Verify results | sonnet | purple | Read, Glob, Grep | -| feature-gap-agent | Context-aware feature recommendations | opus | green | Read, Glob, Grep, Write | -| optimization-lens-agent | Mechanism-fit precision gate (prose-judgment lens cases) | opus | orange | Read, Glob, Grep, Write | +| feature-gap-agent | Feature recommendations | opus | green | Read, Glob, Grep, Write | +| optimization-lens-agent | Mechanism-fit precision gate | opus | orange | Read, Glob, Grep, Write | ## Hooks | Event | Script | Purpose | |-------|--------|---------| -| PreToolUse | `auto-backup-config.mjs` | Auto-backup config files before Edit/Write | -| PostToolUse | `post-edit-verify.mjs` | Verify config files after Edit/Write, block on new critical/high | -| SessionStart | `session-start.mjs` | Checks for active (unfinished) sessions | -| Stop | `stop-session-reminder.mjs` | Reminds about current session phase | +| PreToolUse | `auto-backup-config.mjs` | Backup config files before Edit/Write | +| PostToolUse | `post-edit-verify.mjs` | Verify after Edit/Write, block on new critical/high | +| SessionStart | `session-start.mjs` | Check for active (unfinished) sessions | +| Stop | `stop-session-reminder.mjs` | Remind about current session phase | ## Reference docs (read on demand) -- **Scanner inventory, lib modules, action engines, knowledge base, per-scanner/per-block implementation notes:** `docs/scanner-internals.md` -- **Plain-language output (v5.1.0), humanizer vocabularies, output modes:** `docs/humanizer.md` +- `docs/scanner-internals.md` — scanner inventory, lib modules, action engines, knowledge base, per-scanner/per-block implementation notes (design rationale, primary-source verification, byte-stability lessons) +- `docs/humanizer.md` — plain-language output (v5.1.0), humanizer vocabularies, output modes -## Plain-Language Output (v5.1.0) — summary +## Plain-Language Output (v5.1.0) -Default output of all 18 commands routes through `humanizeEnvelope` from `lib/humanizer.mjs`. Findings get three decorated fields: - -- `userImpactCategory` — Configuration mistake / Conflict / Wasted tokens / Dead config / Missed opportunity -- `userActionLanguage` — Fix this now / Fix soon / Fix when convenient / Optional cleanup / FYI (derived from severity) -- `relevanceContext` — `affects-everyone` (default) / `affects-this-machine-only` (`*.local.*` files) / `test-fixture-no-impact` - -`--raw` bypasses the humanizer for byte-stable v5.0.0 output. `--json` is also byte-stable. Full detail and Wave 5 lessons: `docs/humanizer.md`. +Default output of all commands routes through `humanizeEnvelope` (`lib/humanizer.mjs`), decorating each finding with `userImpactCategory`, `userActionLanguage`, and `relevanceContext`. `--raw` and `--json` bypass the humanizer for byte-stable v5.0.0 output. Full detail: `docs/humanizer.md`. ## Suppressions -Create `.config-audit-ignore` at project root to suppress known findings: -``` -CA-SET-003 # Exact ID -CA-GAP-* # Glob pattern (all GAP findings) -``` -Suppressed findings tracked in envelope's `suppressed_findings` for audit trail. Disable with `--no-suppress`. +Create `.config-audit-ignore` at project root — one exact ID or glob per line (`CA-SET-003`, `CA-GAP-*`). Suppressed findings are tracked in the envelope's `suppressed_findings` for audit trail. Disable with `--no-suppress`. ## Architecture -### Workflow -``` -/config-audit → discover + analyze (auto) → plan → implement → verify -``` -Default: auto-detects scope from git context. Override with `/config-audit full|repo|home|current`. Delta mode: `--delta` (incremental). +Workflow: `/config-audit → discover + analyze (auto) → plan → implement → verify`. Auto-detects scope from git context; override with `full|repo|home|current`; `--delta` for incremental. Session state lives under `~/.claude/config-audit/sessions/{id}/` (scope.yaml, discovery.json, state.yaml, findings/, analysis-report.md, action-plan.md, backups/, implementation-log.md). -### Session Directory -``` -~/.claude/config-audit/sessions/{session-id}/ -├── scope.yaml, discovery.json, state.yaml -├── findings/, analysis-report.md, action-plan.md -├── backups/, implementation-log.md -└── interview.md (if interview run) -``` - -### Finding ID Format -`CA-{SCANNER}-{NNN}` — e.g. `CA-CML-001`, `CA-SET-003`, `CA-HKV-002`, `CA-RUL-005`, `CA-TOK-005`, `CA-CPS-001`, `CA-DIS-001`, `CA-COL-001`, `CA-SKL-001`, `CA-OST-001`, `CA-OPT-001`, `CA-AGT-001` +Finding ID format: `CA-{SCANNER}-{NNN}` — e.g. `CA-CML-001`, `CA-SET-003`, `CA-HKV-002`, `CA-RUL-005`, `CA-TOK-005`, `CA-CPS-001`, `CA-SKL-001`, `CA-OST-001`, `CA-OPT-001`, `CA-AGT-001`. ## Conventions -Enforced project conventions live in `.claude/rules/` (auto-loaded as project instructions): - -- `ux-rules.md` — output/narration/formatting rules for all commands (never dump raw JSON, narrate before each step, space-separated command suggestions) +Enforced conventions live in `.claude/rules/` (auto-loaded as project instructions): +- `ux-rules.md` — output/narration/formatting for all commands (never dump raw JSON, narrate before each step, space-separated command suggestions) - `command-development.md` — required command frontmatter + `plugin:action` naming +- `agent-development.md` — agent frontmatter + "when to use" conventions - `state-management.md` — update `state.yaml` after every workflow phase Coding style: scanners are zero-dependency Node ESM; new findings use the `CA-{SCANNER}-{NNN}` ID format; byte-stable CLIs are verified against frozen `tests/snapshots/v5.0.0/` baselines. @@ -123,12 +93,10 @@ Coding style: scanners are zero-dependency Node ESM; new findings use the `CA-{S node --test 'tests/**/*.test.mjs' ``` -1279 tests across 72 test files (23 lib + 39 scanner + 1 hook + 1 agent + 3 commands + 1 knowledge + 4 top-level). Test fixtures in `tests/fixtures/`. Top-level humanizer tests: `json-backcompat.test.mjs`, `raw-backcompat.test.mjs`, `scenario-read-test.test.mjs`, `snapshot-default-output.test.mjs`. - -Per-scanner and per-build-block implementation notes (design rationale, primary-source verification, byte-stability lessons) live in `docs/scanner-internals.md` → **Implementation notes**. +Test fixtures in `tests/fixtures/`. Per-scanner and per-build-block implementation notes (design rationale, primary-source verification, byte-stability lessons) live in `docs/scanner-internals.md` → **Implementation notes**. ## Gotchas - Session directories accumulate — use `/config-audit cleanup` to manage -- Scanners run on Node.js >= 18 (uses node:test, node:fs/promises) +- Scanners run on Node.js ≥ 18 (uses node:test, node:fs/promises) - Plugin CLAUDE.md files in node_modules should be excluded via scope From 1d634926177002d5fcaf11cc3023164acda00ce1 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Tue, 30 Jun 2026 06:44:36 +0200 Subject: [PATCH 21/31] fix(acr): optimize lens scopes out plugin-bundled CLAUDE.md + unique candidate paths (M-BUG-11) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The optimize lens CLI fed its precision-gate agent every CLAUDE.md that discovery returned, including the 256 files under ~/.claude/plugins/ — vendored plugin CLAUDE.md across every cached version (7 config-audit, 6 ms-ai-architect, 5 okr, ...) plus their bundled tests/fixtures and examples. Running `optimize --global` on this machine produced 454 candidates across 92 "files", ~250 of them sourced from plugin-internal files a user cannot act on (the plugin overwrites them on update). Same class as M-BUG-2: plugin-bundled config is not the user's cascade. Second defect: candidates were keyed by `relPath || absPath`, but relPath collides across scopes — a repo-root `CLAUDE.md` and the user-global `~/.claude/CLAUDE.md` both relPath to `CLAUDE.md`. The two files that actually matter were merged into one indistinguishable bucket (21 candidates), the agent's Read(file) would resolve the wrong one, and cache-file relPaths were not readable relative to cwd at all. Fix (lens-CLI-local, surgical): - Filter isPluginBundled (absPath under `.claude/plugins/`) from discovery for BOTH halves of the motor (candidate loop + the OPT scanner, which reads discovery.files directly). Drops vendored files regardless of active/stale version, so excludeCache is unnecessary here. - Key each candidate by absPath: unique + readable. No change to file-discovery.mjs or the OPT scanner, so their byte-stable snapshots are untouched. Suite 1348/0 (+4: candidate scoping, real-config survives, deterministic scoping, absolute-path identity). Frozen v5.0.0 + SC-5 snapshots untouched (the lens CLI has no snapshot; the command is agent-driven, not byte-stable). Dogfood ~/.claude `optimize --global`: candidates 454->45, deterministic 2->0 (both were stale plugin-cache copies), distinct files 92->11, repo vs user-global now distinct (12 + 9 = 21). Residual 45 includes config-audit's own tests/fixtures CLAUDE.md (repo-specific dogfooding artifact, not a general bug — left alone). --- scanners/optimize-lens-cli.mjs | 25 +++++- tests/scanners/optimize-lens-cli.test.mjs | 102 ++++++++++++++++++++++ 2 files changed, 124 insertions(+), 3 deletions(-) create mode 100644 tests/scanners/optimize-lens-cli.test.mjs diff --git a/scanners/optimize-lens-cli.mjs b/scanners/optimize-lens-cli.mjs index 21d0bc5..aa3b112 100644 --- a/scanners/optimize-lens-cli.mjs +++ b/scanners/optimize-lens-cli.mjs @@ -24,7 +24,7 @@ * Exit codes: 0=ok, 3=unrecoverable error. Zero external dependencies. */ -import { resolve } from 'node:path'; +import { resolve, sep } from 'node:path'; import { writeFile, readFile, stat } from 'node:fs/promises'; import { discoverConfigFiles } from './lib/file-discovery.mjs'; import { resetCounter } from './lib/output.mjs'; @@ -33,6 +33,15 @@ import { loadRegister, getEntry } from './lib/best-practices-register.mjs'; import { prefilterClaudeMd, LENS_DETECTORS } from './lib/lens-prefilter.mjs'; import { scan as optScan } from './optimization-lens-scanner.mjs'; +// Files under `.claude/plugins/` are shipped by an installed plugin — vendored +// CLAUDE.md plus its bundled tests/fixtures and examples. They are not the user's +// authored config, so a mechanism-fit suggestion against them is not actionable +// (the user can't edit a file the plugin overwrites on update). Excluded from the +// lens regardless of active/stale version. (M-BUG-11; mirrors the M-BUG-2 rule +// that keeps plugin-bundled config out of the conflict detector.) +const PLUGIN_TREE_MARKER = `.claude${sep}plugins${sep}`; +const isPluginBundled = (file) => (file.absPath || '').includes(PLUGIN_TREE_MARKER); + /** Confirmed register entry for `id`, or null. */ function confirmedEntry(register, id) { const e = getEntry(register, id); @@ -72,7 +81,13 @@ async function main() { } resetCounter(); - const discovery = await discoverConfigFiles(absPath, { includeGlobal }); + const rawDiscovery = await discoverConfigFiles(absPath, { includeGlobal }); + // Scope the lens to the user's authored config: drop plugin-bundled files for + // BOTH halves of the motor (the OPT scanner reads discovery.files directly). + const discovery = { + ...rawDiscovery, + files: (rawDiscovery.files || []).filter((f) => !isPluginBundled(f)), + }; // ── Deterministic half: the OPT scanner (CA-OPT-001) ── const opt = await optScan(absPath, discovery); @@ -94,7 +109,11 @@ async function main() { const entry = register ? confirmedEntry(register, cand.registerId) : null; if (!entry) continue; // never surface an unverifiable recommendation candidates.push({ - file: file.relPath || file.absPath, + // Absolute path: unique + readable. relPath collides across scopes + // (a repo-root `CLAUDE.md` and the user-global `~/.claude/CLAUDE.md` + // both relPath to `CLAUDE.md`), which would send the agent's Read() to + // the wrong file. (M-BUG-11) + file: file.absPath, line: bodyStartLine - 1 + cand.line, lensCheck: cand.lensCheck, mechanism: cand.mechanism, diff --git a/tests/scanners/optimize-lens-cli.test.mjs b/tests/scanners/optimize-lens-cli.test.mjs new file mode 100644 index 0000000..bb45fed --- /dev/null +++ b/tests/scanners/optimize-lens-cli.test.mjs @@ -0,0 +1,102 @@ +/** + * optimize-lens-cli tests — payload scoping + candidate identity (M-BUG-11). + * + * The lens CLI feeds the precision-gate agent. Two correctness invariants it must + * hold, both established elsewhere in the codebase but originally missing here: + * + * 1. SCOPING — plugin-bundled CLAUDE.md (anything under `.claude/plugins/`: + * vendored plugin config + its bundled tests/fixtures + examples, active or + * stale) is NOT the user's authored config. The user can't act on a + * mechanism-fit suggestion against a file a plugin ships. So the lens must + * drop them — the M-BUG-2 `isPluginBundled` rule, applied to the lens. + * + * 2. IDENTITY — a candidate's `file` must uniquely name a readable file. The + * user-global `~/.claude/CLAUDE.md` and a repo-root `CLAUDE.md` both have + * relPath `CLAUDE.md`; labelling candidates by relPath collides them, and + * the agent's `Read(file)` then resolves the wrong one. Candidates carry an + * absolute path. + * + * Hermetic: a temp target with a real CLAUDE.md and a nested plugin-bundled one. + * `.claude/plugins/` is not in SKIP_DIRS, so the normal walk discovers it — + * no ~/.claude / --global needed. + */ +import { describe, it } from 'node:test'; +import assert from 'node:assert/strict'; +import { join, isAbsolute } from 'node:path'; +import { mkdtemp, mkdir, writeFile, rm, readFile } from 'node:fs/promises'; +import { tmpdir } from 'node:os'; +import { execFile } from 'node:child_process'; +import { promisify } from 'node:util'; +import { fileURLToPath } from 'node:url'; + +const execFileP = promisify(execFile); +const CLI = fileURLToPath(new URL('../../scanners/optimize-lens-cli.mjs', import.meta.url)); + +/** Build a temp target, run the lens CLI on it, return the parsed payload. */ +async function runLens(files) { + const root = await mkdtemp(join(tmpdir(), 'ca-lens-cli-')); + try { + for (const [rel, content] of Object.entries(files)) { + const abs = join(root, rel); + await mkdir(join(abs, '..'), { recursive: true }); + await writeFile(abs, content, 'utf-8'); + } + const out = join(root, 'payload.json'); + await execFileP('node', [CLI, root, '--output-file', out]); + return JSON.parse(await readFile(out, 'utf-8')); + } finally { + await rm(root, { recursive: true, force: true }); + } +} + +const REAL = '# Project\n\nNever commit secrets to the repo.\n'; +const PLUGIN = '# Vendored plugin\n\nNever delete the plugin cache directory.\n'; + +describe('optimize-lens-cli — scoping (M-BUG-11)', () => { + it('excludes plugin-bundled CLAUDE.md from candidates', async () => { + const payload = await runLens({ + 'CLAUDE.md': REAL, + '.claude/plugins/cache/mkt/plug/1.0.0/CLAUDE.md': PLUGIN, + }); + const bundled = payload.candidates.filter( + (c) => c.file.includes(`.claude/plugins/`) || c.file.includes(`/plugins/`), + ); + assert.deepEqual( + bundled.map((c) => c.file), + [], + 'no candidate should come from a file under .claude/plugins/', + ); + }); + + it('still surfaces the user’s real CLAUDE.md', async () => { + const payload = await runLens({ + 'CLAUDE.md': REAL, + '.claude/plugins/cache/mkt/plug/1.0.0/CLAUDE.md': PLUGIN, + }); + const real = payload.candidates.filter((c) => c.file.endsWith(`${join('', 'CLAUDE.md')}`)); + assert.ok(real.length >= 1, 'the real CLAUDE.md never-instruction should survive scoping'); + }); + + it('excludes plugin-bundled CLAUDE.md from deterministic findings too', async () => { + const procedure = + '# Plugin release\n\n' + + Array.from({ length: 7 }, (_, i) => `${i + 1}. Do release step ${i + 1} and verify.`).join('\n') + + '\n'; + const payload = await runLens({ + 'CLAUDE.md': REAL, + '.claude/plugins/cache/mkt/plug/1.0.0/CLAUDE.md': procedure, + }); + const bundled = (payload.deterministic || []).filter((f) => String(f.file).includes('plugins/')); + assert.deepEqual(bundled, [], 'deterministic CA-OPT-001 must not fire on vendored plugin CLAUDE.md'); + }); +}); + +describe('optimize-lens-cli — candidate identity (M-BUG-11)', () => { + it('labels every candidate with an absolute, unique path', async () => { + const payload = await runLens({ 'CLAUDE.md': REAL }); + assert.ok(payload.candidates.length >= 1, 'expected at least one candidate'); + for (const c of payload.candidates) { + assert.ok(isAbsolute(c.file), `candidate file must be absolute, got: ${c.file}`); + } + }); +}); From b58393099a29edddb141a4e42dd2c4a990831434 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Tue, 30 Jun 2026 09:10:07 +0200 Subject: [PATCH 22/31] fix(acr): posture --output-file humanizes findings in default mode (M-BUG-12) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit feature-gap.md (Step 3-4) and posture.md (Step 3-4) read findings from `posture.mjs --output-file` and group on the humanizer fields (userActionLanguage / userImpactCategory / relevanceContext). But posture.mjs only humanized the stderr scorecard — its --output-file JSON wrote the raw v5.0.0-shape `result`, so every finding's humanizer fields were `undefined`. Both commands silently degraded to the raw tier-fallback: v5.1.0 plain-language output was dead for feature-gap and for posture's finding-level grouping. Re-derived on tests/fixtures/marketplace-medium: 17 GAP findings, all three humanizer fields undefined in the default --output-file JSON. Fix (posture-CLI-local, surgical): humanize the output-file payload in default mode, mirroring scan-orchestrator.mjs:277 — but posture nests the scanner envelope under `result.scannerEnvelope` (its `result` has no top-level `scanners` array), so humanizeEnvelope is applied to `result.scannerEnvelope`, not `result` (the latter would no-op). --json / --raw stay raw, so the explicit-v5.0.0-shape contract and snapshot byte-compat are preserved. TDD: red-first test in posture-humanizer.test.mjs default-mode block asserts GAP findings in the output file carry userActionLanguage/userImpactCategory; a --raw --output-file guard asserts the raw shape is unchanged. Suite 1350/0 (+2). Frozen v5.0.0 + SC-5/6/7 + default-output snapshots byte-stable: --json/--raw bypass the humanizer (their snapshot tests use those flags), and the default --output-file JSON is not snapshot-pinned. Committed, not released — batches with M-BUG-11 in a later hardening release. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01683eAqVecv9VZfQzL8CQ9h --- scanners/posture.mjs | 10 +++++- tests/scanners/posture-humanizer.test.mjs | 43 ++++++++++++++++++++++- 2 files changed, 51 insertions(+), 2 deletions(-) diff --git a/scanners/posture.mjs b/scanners/posture.mjs index db12564..16a89f0 100644 --- a/scanners/posture.mjs +++ b/scanners/posture.mjs @@ -10,6 +10,7 @@ import { resolve } from 'node:path'; import { writeFile } from 'node:fs/promises'; import { runAllScanners } from './scan-orchestrator.mjs'; +import { humanizeEnvelope } from './lib/humanizer.mjs'; import { calculateUtilization, determineMaturityLevel, @@ -114,7 +115,14 @@ async function main() { } if (outputFile) { - const json = JSON.stringify(result, null, 2); + // Consumers (feature-gap.md, posture.md) read scannerEnvelope.scanners[].findings + // and group on humanizer fields. posture's result nests the envelope under + // `scannerEnvelope`, so humanize THAT (not `result`, which has no top-level + // `scanners` array — humanizeEnvelope would no-op). --json/--raw stay raw. + const fileEnv = (jsonMode || rawMode) + ? result + : { ...result, scannerEnvelope: humanizeEnvelope(result.scannerEnvelope) }; + const json = JSON.stringify(fileEnv, null, 2); await writeFile(outputFile, json, 'utf-8'); process.stderr.write(`\nResults written to ${outputFile}\n`); } diff --git a/tests/scanners/posture-humanizer.test.mjs b/tests/scanners/posture-humanizer.test.mjs index fc297f9..22c99d4 100644 --- a/tests/scanners/posture-humanizer.test.mjs +++ b/tests/scanners/posture-humanizer.test.mjs @@ -1,6 +1,7 @@ import { describe, it } from 'node:test'; import assert from 'node:assert/strict'; -import { resolve, dirname } from 'node:path'; +import { resolve, dirname, join } from 'node:path'; +import { tmpdir } from 'node:os'; import { fileURLToPath } from 'node:url'; import { execFile } from 'node:child_process'; import { promisify } from 'node:util'; @@ -141,4 +142,44 @@ describe('posture humanizer wiring (Step 6)', () => { 'humanized stderr must differ from v5.0.0 verbatim stderr'); }); }); + + // M-BUG-12: feature-gap.md/posture.md read findings from posture.mjs --output-file + // and group on humanizer fields (userActionLanguage etc.). Default-mode output-file + // must therefore humanize findings inside the nested scannerEnvelope; --raw stays raw. + describe('default mode --output-file (M-BUG-12: humanized findings)', () => { + it('writes humanized GAP findings (userActionLanguage defined) to the output file', async () => { + const tmp = join(tmpdir(), `ca-posture-outfile-${process.pid}.json`); + try { + await runPosture(['--output-file', tmp]); + const env = JSON.parse(await readFile(tmp, 'utf-8')); + const gap = env.scannerEnvelope.scanners.find(s => s.scanner === 'GAP'); + assert.ok(gap, 'GAP scanner must be present in the output file'); + assert.ok(gap.findings.length > 0, 'fixture must yield at least one GAP finding'); + for (const f of gap.findings) { + assert.notEqual(f.userActionLanguage, undefined, + `${f.id}: default-mode output-file findings must carry userActionLanguage`); + assert.notEqual(f.userImpactCategory, undefined, + `${f.id}: default-mode output-file findings must carry userImpactCategory`); + } + } finally { + await unlink(tmp).catch(() => {}); + } + }); + + it('--raw --output-file keeps v5.0.0 raw finding shape (no humanizer fields)', async () => { + const tmp = join(tmpdir(), `ca-posture-outfile-raw-${process.pid}.json`); + try { + await runPosture(['--raw', '--output-file', tmp]); + const env = JSON.parse(await readFile(tmp, 'utf-8')); + for (const s of env.scannerEnvelope.scanners) { + for (const f of s.findings) { + assert.equal(f.userActionLanguage, undefined, + `${f.id}: --raw output-file must not carry userActionLanguage`); + } + } + } finally { + await unlink(tmp).catch(() => {}); + } + }); + }); }); From f4bf3ae2cb77745ecae8631ce09b03c28f207345 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Tue, 30 Jun 2026 10:09:10 +0200 Subject: [PATCH 23/31] fix(acr): feature-gap scopes presence checks to authored config + reads settings cascade (M-BUG-13) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The GAP scanner's 25 presence checks ran over the full includeGlobal discovery, so this plugin's own examples/optimal-setup (vendored across plugin-cache versions) satisfied every tier-3 check — masking real feature gaps to GAP=0 on ANY target. And the real ~/.claude/settings.json is invisible to the settings-key checks (includeGlobal gotcha + maxFiles cap), which would flip statusLine/autoMode to false positives once the maskers were removed. - isAuthoredConfig: exclude plugin-bundled (~/.claude/plugins/) + nested examples/ and tests/fixtures/ (relPath-relative, so a fixture scanned AS the target keeps its own files) from ctx.files + parsedSettings. - readSettingsCascade: read the user->project->local settings cascade directly and merge into parsedSettings — immune to the discovery cap/gotcha. Empty target: ~0 (masked) -> 18 humanized opportunities; no statusLine/autoMode false positives. Frozen v5.0.0 snapshots + SC-5/6/7 byte-stable (marketplace-medium has no nested demo trees; hermetic-HOME cascade adds nothing). Suite 1350->1355/0. Found by dogfooding feature-gap against the machine. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01683eAqVecv9VZfQzL8CQ9h --- docs/scanner-internals.md | 33 +++++++ scanners/feature-gap-scanner.mjs | 82 ++++++++++++++++- tests/scanners/feature-gap-scanner.test.mjs | 97 ++++++++++++++++++++- 3 files changed, 207 insertions(+), 5 deletions(-) diff --git a/docs/scanner-internals.md b/docs/scanner-internals.md index befa00d..a59e1f6 100644 --- a/docs/scanner-internals.md +++ b/docs/scanner-internals.md @@ -254,6 +254,39 @@ model-switch is a *runtime* behaviour, not static config a scanner can reliably automation. "No overstated behavioral finding ships" — so even the permitted opusplan *info*-advisory was left out; the verified @import extension is the whole of B6. +### GAP scanner — authored-config scoping + direct cascade read (M-BUG-13) + +The 25 presence checks ask "does the user's effective config have feature X?" and GAP **always** +runs `includeGlobal: true`. Two failure modes made the answer wrong on a real machine, both surfaced +by dogfooding `feature-gap`/`posture --global`: + +1. **Demo/vendored config masks real gaps.** This plugin's own `examples/optimal-setup/` is a complete + config (sets `outputStyle`/`statusLine`/`worktree`/`model`/`keybindings.json`/`.lsp.json`), and its + copies vendored under `~/.claude/plugins/cache/.../config-audit//examples/` are pulled into the + includeGlobal discovery. Because `anySettingsHas`/`files.some(...)` accept ANY discovered file, that + one demo file drove every tier-3 check to "present" → **GAP=0 on any target** (false negative). + Fix: `isAuthoredConfig` filters `ctx.files`/`parsedSettings` to the user's authored cascade — + excludes `~/.claude/plugins/` (absPath marker, mirrors CNF's M-BUG-2 exclusion) and any file whose + path **relative to the scan target** sits under `examples/` or `tests/fixtures/`. relPath (not + absPath) is deliberate: a fixture scanned AS the target keeps its own files, so the frozen v5.0.0 + snapshots (scanned from `tests/fixtures/marketplace-medium`, which has no such nested trees) are + byte-stable. + +2. **The real `~/.claude/settings.json` is invisible to the settings-key checks.** Discovery misses it + (its relPath carries no `.claude` segment when the walk root IS `~/.claude` — the gotcha) AND, when + vendored plugins flood the walk, the `maxFiles=2000` cap drops it. After (1) removed the demo + maskers, `statusLine`/`autoMode`/`permissions` (which the user HAS) would flip to false **positives**. + Fix: `readSettingsCascade` reads the four canonical cascade paths (user `settings.json`/`.local`, + project `settings.json`/`.local`) directly and merges them INTO `parsedSettings` — immune to the + cap and the gotcha. Merge (not replace) keeps non-canonical project settings and leaves the snapshot + (hermetic empty HOME → cascade adds nothing new) byte-stable. + +Net: an empty target now surfaces ~18 humanized opportunities (was masked to ~0); config-audit's own +repo still shows 0 in output via its intentional `.config-audit-ignore` `CA-GAP-*` self-suppression +(a plugin repo legitimately lacks user-project features) — suppression is an envelope-layer concern, +orthogonal to this scanner fix. Scoped GAP-local; the includeGlobal discovery gotcha itself is left +to other consumers (see auto-memory `discovery-includeglobal-user-settings-gotcha`). + ### CML scanner — context-window-scaled char budget Beyond the line-count checks (200/500 lines, both MEDIUM), the CML scanner mirrors diff --git a/scanners/feature-gap-scanner.mjs b/scanners/feature-gap-scanner.mjs index 00a5c23..0a68c6f 100644 --- a/scanners/feature-gap-scanner.mjs +++ b/scanners/feature-gap-scanner.mjs @@ -7,7 +7,7 @@ * Finding IDs: CA-GAP-NNN */ -import { resolve } from 'node:path'; +import { resolve, join, sep } from 'node:path'; import { readTextFile, discoverConfigFiles } from './lib/file-discovery.mjs'; import { finding, scannerResult } from './lib/output.mjs'; import { SEVERITY } from './lib/severity.mjs'; @@ -46,6 +46,68 @@ function isTargetLocal(ctx, f) { return f.absPath.startsWith(ctx.targetPath); } +// Files that are test/demo/vendored config — NOT part of the user's authored +// cascade — must not satisfy "is feature X present?" checks, or they mask real +// gaps. The canonical case: this plugin's own examples/optimal-setup sets +// outputStyle/statusLine/worktree/model/keybindings/.lsp.json, and (because GAP +// always runs includeGlobal) its copies vendored under ~/.claude/plugins/cache +// drive every tier-3 presence check to "present" — hiding the user's real gaps +// on ANY target. Two classes to exclude: +// - plugin-bundled: anything under ~/.claude/plugins/ (absPath marker, mirrors +// the CNF conflict-detector exclusion from M-BUG-2). +// - nested demo/test data: a file whose path RELATIVE TO THE SCAN TARGET sits +// under an examples/ or tests/fixtures/ subtree. relPath (not absPath) is +// deliberate: a fixture scanned AS the target keeps its own files, so the +// frozen v5.0.0 byte-snapshots (scanned from tests/fixtures/marketplace-medium) +// are untouched. (M-BUG-13) +const PLUGIN_TREE_MARKER = `.claude${sep}plugins${sep}`; + +/** + * @param {import('./lib/file-discovery.mjs').ConfigFile} file + * @returns {boolean} true if the file is part of the user's authored config + */ +function isAuthoredConfig(file) { + if (file.absPath.includes(PLUGIN_TREE_MARKER)) return false; + const segs = (file.relPath || '').split(sep); + if (segs.includes('examples')) return false; + const ti = segs.indexOf('tests'); + if (ti !== -1 && segs[ti + 1] === 'fixtures') return false; + return true; +} + +/** + * Read the user→project→local settings cascade directly from the filesystem. + * The settings-key gap checks ask "does the USER's resolved config set X?" — a + * question the includeGlobal discovery answers unreliably on a real machine: the + * top-level ~/.claude/settings.json is missed (its relPath carries no `.claude` + * segment when the walk root IS ~/.claude) and, when many vendored plugins flood + * the walk, dropped by the discovery file cap. Reading the canonical cascade + * paths directly is immune to both. Merged INTO (not replacing) the discovery + * settings so any non-canonical project settings still count and the frozen + * snapshots stay byte-stable. (M-BUG-13) + * @param {string} targetPath + * @returns {Promise>} + */ +async function readSettingsCascade(targetPath) { + const home = process.env.HOME || process.env.USERPROFILE || ''; + const paths = []; + if (home) { + paths.push(['user', join(home, '.claude', 'settings.json')]); + paths.push(['user-local', join(home, '.claude', 'settings.local.json')]); + } + paths.push(['project', join(targetPath, '.claude', 'settings.json')]); + paths.push(['local', join(targetPath, '.claude', 'settings.local.json')]); + + const out = []; + for (const [scope, p] of paths) { + const content = await readTextFile(p); + if (!content) continue; + const parsed = parseJson(content); + if (parsed && typeof parsed === 'object') out.push({ key: `cascade:${scope}:${p}`, parsed }); + } + return out; +} + const TIER_SEVERITY = { t1: SEVERITY.medium, t2: SEVERITY.low, @@ -479,18 +541,30 @@ export async function scan(targetPath, sharedDiscovery) { ? sharedDiscovery : await discoverConfigFiles(resolve(targetPath), { includeGlobal: true }); - // Parse all settings files upfront + // Presence checks ("does the user have feature X?") must see only the user's + // authored cascade — not bundled/vendored/demo config, which masks real gaps + // (M-BUG-13, see isAuthoredConfig). + const authoredFiles = discovery.files.filter(isAuthoredConfig); + + // Parse all settings files upfront (authored discovery files) ... const parsedSettings = new Map(); - for (const file of discovery.files.filter(f => f.type === 'settings-json')) { + for (const file of authoredFiles.filter(f => f.type === 'settings-json')) { const content = await readTextFile(file.absPath); if (content) { const parsed = parseJson(content); parsedSettings.set(`${file.scope}:${file.relPath}`, parsed); } } + // ... plus the real user→project→local cascade read directly, so settings-key + // checks see the true resolved config regardless of the discovery cap/gotcha + // (M-BUG-13). Merged, not replacing — keeps non-canonical project settings and + // the frozen byte-snapshots unchanged. + for (const { key, parsed } of await readSettingsCascade(resolve(targetPath))) { + parsedSettings.set(key, parsed); + } const ctx = { - files: discovery.files, + files: authoredFiles, targetPath: resolve(targetPath), parsedSettings, fileContents: new Map(), diff --git a/tests/scanners/feature-gap-scanner.test.mjs b/tests/scanners/feature-gap-scanner.test.mjs index ed9cf45..c31730a 100644 --- a/tests/scanners/feature-gap-scanner.test.mjs +++ b/tests/scanners/feature-gap-scanner.test.mjs @@ -1,6 +1,6 @@ import { describe, it, beforeEach } from 'node:test'; import assert from 'node:assert/strict'; -import { resolve, join } from 'node:path'; +import { resolve, join, dirname } from 'node:path'; import { fileURLToPath } from 'node:url'; import { mkdtemp, mkdir, writeFile, rm } from 'node:fs/promises'; import { tmpdir } from 'node:os'; @@ -411,3 +411,98 @@ describe('GAP scanner — filter-before lever wiring (chatty hook fixture)', () assert.equal(lever, undefined, `expected no filter-before lever; got id=${lever?.id}`); }); }); + +describe('GAP scanner — test/demo data must not mask real gaps (M-BUG-13)', () => { + // Build a throwaway project (+ optional hermetic HOME settings) and run GAP + // exactly as posture --global does: includeGlobal discovery + scan(). + async function runGap({ projectFiles = {}, homeSettings = null } = {}) { + const project = await mkdtemp(join(tmpdir(), 'config-audit-gap-mask-proj-')); + const home = await mkdtemp(join(tmpdir(), 'config-audit-gap-mask-home-')); + for (const [rel, content] of Object.entries(projectFiles)) { + const abs = join(project, rel); + await mkdir(dirname(abs), { recursive: true }); + await writeFile(abs, content); + } + if (homeSettings) { + await mkdir(join(home, '.claude'), { recursive: true }); + await writeFile(join(home, '.claude', 'settings.json'), JSON.stringify(homeSettings)); + } + const original = process.env.HOME; + process.env.HOME = home; + try { + resetCounter(); + const discovery = await discoverConfigFiles(project, { includeGlobal: true }); + const result = await scan(project, discovery); + return result; + } finally { + process.env.HOME = original; + await rm(project, { recursive: true, force: true }); + await rm(home, { recursive: true, force: true }); + } + } + + const hasGap = (result, titleRe) => + result.findings.some(f => f.scanner === 'GAP' && titleRe.test(f.title || '')); + + it('a nested examples/ settings.json does NOT satisfy the outputStyle check (settings-key)', async () => { + const result = await runGap({ + projectFiles: { + '.claude/CLAUDE.md': '# proj', + 'examples/optimal-setup/.claude/settings.json': JSON.stringify({ outputStyle: 'Explanatory' }), + }, + }); + assert.ok( + hasGap(result, /output style/i), + `example settings.json must not mask the outputStyle gap; got: ${result.findings.map(f => f.title).join(' | ')}`, + ); + }); + + it('a nested examples/ keybindings.json does NOT satisfy the keybindings check (file-type)', async () => { + const result = await runGap({ + projectFiles: { + '.claude/CLAUDE.md': '# proj', + 'examples/optimal-setup/.claude/keybindings.json': JSON.stringify({}), + }, + }); + assert.ok( + hasGap(result, /keybinding/i), + `example keybindings.json must not mask the keybindings gap; got: ${result.findings.map(f => f.title).join(' | ')}`, + ); + }); + + it('a nested tests/fixtures/ settings.json does NOT satisfy the model check', async () => { + const result = await runGap({ + projectFiles: { + '.claude/CLAUDE.md': '# proj', + 'tests/fixtures/demo/.claude/settings.json': JSON.stringify({ model: 'opus' }), + }, + }); + assert.ok( + hasGap(result, /model config/i), + `fixture settings.json must not mask the model gap; got: ${result.findings.map(f => f.title).join(' | ')}`, + ); + }); + + it("the project's OWN real .claude/settings.json IS counted (not over-excluded)", async () => { + const result = await runGap({ + projectFiles: { + '.claude/CLAUDE.md': '# proj', + '.claude/settings.json': JSON.stringify({ outputStyle: 'Explanatory' }), + }, + }); + assert.ok( + !hasGap(result, /output style/i), + `real project settings.json must satisfy outputStyle; got: ${result.findings.map(f => f.title).join(' | ')}`, + ); + }); + + it('the real ~/.claude/settings.json IS seen for settings-key checks (gotcha fix end-to-end)', async () => { + const result = await runGap({ + homeSettings: { statusLine: { type: 'command', command: 'x' } }, + }); + assert.ok( + !hasGap(result, /status line/i), + `~/.claude/settings.json statusLine must be discovered; got: ${result.findings.map(f => f.title).join(' | ')}`, + ); + }); +}); From eb0b3fd29d6abd43f6bda80d4de5fb385dacd6fa Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Tue, 30 Jun 2026 11:02:45 +0200 Subject: [PATCH 24/31] fix(acr): size-neutral copy for "CLAUDE.md not modular" GAP (M-BUG-14) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The t2_2 feature-gap check is a pure presence check (rules file OR @import present) with no length gate, consistent with its t2_3/t2_4/t2_5 siblings. But the humanized copy claimed the file is "one big block" and that splitting makes it "easier on the loading time" — an unconditional size/load-cost overclaim. For a ~625-token non-modular CLAUDE.md the load saving is trivial, so the description lied. Found by dogfooding feature-gap against linkedin-posts. Decided fix = copy-softening, NOT a length gate in t2_2 (that would make it the only size-gated check among the presence-check siblings + risks byte-stability if a short non-modular CLAUDE.md fixture exists in snapshots). - humanizer-data.mjs: title "one big block" -> "all live in one file"; description drops "long"/"loading time", keeps the honest structural "split into linked files with @import or .claude/rules/" framing. recommendation unchanged. - RED-first unit test pins the size-neutral copy (no "big"/"long"/"loading time" in title/desc, structural split framing kept). Frozen v5.0.0 snapshots untouched (RAW envelope bypasses humanizer); SC-5 default-output byte-stable (no non-modular GAP finding in those fixtures). Suite 1355->1356/0. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01683eAqVecv9VZfQzL8CQ9h --- scanners/lib/humanizer-data.mjs | 4 ++-- tests/lib/humanizer-data.test.mjs | 17 +++++++++++++++++ 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/scanners/lib/humanizer-data.mjs b/scanners/lib/humanizer-data.mjs index adf6802..a0e1dcf 100644 --- a/scanners/lib/humanizer-data.mjs +++ b/scanners/lib/humanizer-data.mjs @@ -435,8 +435,8 @@ export const TRANSLATIONS = { recommendation: 'Consider moving team-wide settings to project scope and keeping personal ones at user or local scope.', }, 'CLAUDE.md not modular': { - title: 'Your instructions file is one big block', - description: 'Splitting long instructions into smaller linked files makes them easier to maintain and easier on the loading time.', + title: 'Your instructions all live in one file', + description: 'Splitting your instructions into smaller linked files with `@import` or `.claude/rules/` keeps each part focused and easier to maintain.', recommendation: 'Break out long sections into separate files and link them with `@import`.', }, 'No path-scoped rules': { diff --git a/tests/lib/humanizer-data.test.mjs b/tests/lib/humanizer-data.test.mjs index e0df242..fc4683c 100644 --- a/tests/lib/humanizer-data.test.mjs +++ b/tests/lib/humanizer-data.test.mjs @@ -162,6 +162,23 @@ test('CML, SET, HKV, RUL, MCP, IMP, GAP, TOK, PLH have non-empty static maps', ( } }); +test('GAP "CLAUDE.md not modular" copy is size-neutral (M-BUG-14)', () => { + // The t2_2 check is a pure presence check (no length gate), so a small + // non-modular CLAUDE.md must not be told it is "big"/"long" or that it + // costs "loading time". Title + description must stay size/cost-neutral + // and keep only the honest structural "split into linked files" framing. + const t = TRANSLATIONS.GAP.static['CLAUDE.md not modular']; + assert.ok(t, 'GAP static map missing "CLAUDE.md not modular"'); + const title = t.title.toLowerCase(); + const desc = t.description.toLowerCase(); + assert.ok(!/\bbig\b/.test(title), `title overclaims size: "${t.title}"`); + assert.ok(!/\blong\b/.test(title), `title overclaims size: "${t.title}"`); + assert.ok(!/\bbig\b/.test(desc), `description overclaims size: "${t.description}"`); + assert.ok(!/\blong\b/.test(desc), `description overclaims size: "${t.description}"`); + assert.ok(!/loading time/.test(desc), `description overclaims load cost: "${t.description}"`); + assert.ok(/split/.test(desc), `description should keep structural split framing: "${t.description}"`); +}); + test('CNF, COL, PLH have at least one pattern entry (template-literal titles)', () => { // These scanners use template-literal titles for some findings. for (const prefix of ['CNF', 'COL', 'PLH']) { From 2975b0563f2510974395da2b8ff0800b813946d8 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Tue, 30 Jun 2026 12:57:40 +0200 Subject: [PATCH 25/31] fix(acr): honest absence-state copy for two GAP enhancement findings (M-BUG-15) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The t2_3 ("No path-scoped rules") and t3_6 ("No subagent isolation") feature-gap checks iterate a collection (rule files / agent files) and return false for an EMPTY one — so they fire even when the user has zero rules / zero subagents, the same state their presence-gap siblings flag. But the humanized titles presupposed the feature already exists: - "Your rules all load on every conversation" (with zero rules) - "Your subagents share Claude's main work folder" (with zero subagents) The second directly contradicts GAP-005 "You haven't set up any specialized helper agents yet" in the same report — a user cannot simultaneously have no subagents and have subagents that lack isolation. Found by dogfooding the analyze pipeline against linkedin-posts (premise-verifying each finding before trusting the analyzer-agent's report). Decided fix = align the two titles with the house "You haven't set up X yet" absence framing (state-neutral: honest for both the zero-state and the has-but-unconfigured state), NOT a base-feature presence gate in the scanner — that would change the frozen v5.0.0 marketplace-medium baseline (zero rules/agents, freezes these gaps firing) and break the RAW byte contract. Mirrors M-BUG-14's humanizer-layer, copy-only approach. - humanizer-data.mjs: title "Your rules all load on every conversation" -> "You haven't set up path-scoped rules yet"; title "Your subagents share Claude's main work folder" -> "You haven't set up subagent isolation yet". description + recommendation unchanged. t3_5/t3_7 ("Your skills don't ...") left as-is: their possessive is correct in the common case where skills exist; the zero-skills edge is latent, not manifest here. - RED-first unit test pins both titles existence-neutral (forbids "your rules all load" / "your subagents"; feature still named). Frozen v5.0.0 snapshots untouched (RAW bypasses humanizer); default-output snapshot regenerated (2 titles only, no collateral). Verified on linkedin-posts: GAP-004/005/011 now all consistently absence-framed. Suite 1356->1357/0. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01683eAqVecv9VZfQzL8CQ9h --- scanners/lib/humanizer-data.mjs | 4 ++-- tests/lib/humanizer-data.test.mjs | 24 +++++++++++++++++++ .../default-output/scan-orchestrator.json | 4 ++-- 3 files changed, 28 insertions(+), 4 deletions(-) diff --git a/scanners/lib/humanizer-data.mjs b/scanners/lib/humanizer-data.mjs index a0e1dcf..d4817eb 100644 --- a/scanners/lib/humanizer-data.mjs +++ b/scanners/lib/humanizer-data.mjs @@ -440,7 +440,7 @@ export const TRANSLATIONS = { recommendation: 'Break out long sections into separate files and link them with `@import`.', }, 'No path-scoped rules': { - title: 'Your rules all load on every conversation', + title: 'You haven\'t set up path-scoped rules yet', description: 'Path-scoped rules only load when you\'re working with files that match — keeps each conversation focused.', recommendation: 'Add scoping to your rules so they only load for the files they apply to.', }, @@ -490,7 +490,7 @@ export const TRANSLATIONS = { recommendation: 'Add fields like `model`, `tools`, or `description` to your skill files where useful.', }, 'No subagent isolation': { - title: 'Your subagents share Claude\'s main work folder', + title: 'You haven\'t set up subagent isolation yet', description: 'Isolated subagents run in their own copy of the repo so they can\'t accidentally disturb your main work.', recommendation: 'Add `isolation: worktree` to subagents that do destructive or experimental work.', }, diff --git a/tests/lib/humanizer-data.test.mjs b/tests/lib/humanizer-data.test.mjs index fc4683c..696461d 100644 --- a/tests/lib/humanizer-data.test.mjs +++ b/tests/lib/humanizer-data.test.mjs @@ -179,6 +179,30 @@ test('GAP "CLAUDE.md not modular" copy is size-neutral (M-BUG-14)', () => { assert.ok(/split/.test(desc), `description should keep structural split framing: "${t.description}"`); }); +test('GAP enhancement-gap titles do not presuppose the feature exists (M-BUG-15)', () => { + // t2_3 ("No path-scoped rules") and t3_6 ("No subagent isolation") iterate a + // collection and return false for an EMPTY one — so they fire even when the + // user has zero rules / zero subagents. The humanized title must therefore + // not assert the feature exists, or it contradicts the sibling presence gap + // ("No custom subagents" → "You haven't set up any specialized helper agents + // yet"). Mirror the house "You haven't set up X yet" framing — honest for + // both the zero-state and the has-but-unconfigured state. + const rules = TRANSLATIONS.GAP.static['No path-scoped rules']; + const iso = TRANSLATIONS.GAP.static['No subagent isolation']; + assert.ok(rules, 'GAP static map missing "No path-scoped rules"'); + assert.ok(iso, 'GAP static map missing "No subagent isolation"'); + // Title must not presuppose existing rules / subagents. + assert.ok(!/your rules all load/i.test(rules.title), + `t2_3 title presupposes existing rules: "${rules.title}"`); + assert.ok(!/your subagents/i.test(iso.title), + `t3_6 title presupposes existing subagents: "${iso.title}"`); + // Title must still name the feature it points at. + assert.ok(/path-scoped rules/i.test(rules.title), + `t2_3 title should still name path-scoped rules: "${rules.title}"`); + assert.ok(/isolation/i.test(iso.title), + `t3_6 title should still name subagent isolation: "${iso.title}"`); +}); + test('CNF, COL, PLH have at least one pattern entry (template-literal titles)', () => { // These scanners use template-literal titles for some findings. for (const prefix of ['CNF', 'COL', 'PLH']) { diff --git a/tests/snapshots/default-output/scan-orchestrator.json b/tests/snapshots/default-output/scan-orchestrator.json index 6b23edc..2573415 100644 --- a/tests/snapshots/default-output/scan-orchestrator.json +++ b/tests/snapshots/default-output/scan-orchestrator.json @@ -165,7 +165,7 @@ "id": "CA-GAP-003", "scanner": "GAP", "severity": "low", - "title": "Your rules all load on every conversation", + "title": "You haven't set up path-scoped rules yet", "description": "Path-scoped rules only load when you're working with files that match — keeps each conversation focused.", "file": null, "line": null, @@ -309,7 +309,7 @@ "id": "CA-GAP-012", "scanner": "GAP", "severity": "info", - "title": "Your subagents share Claude's main work folder", + "title": "You haven't set up subagent isolation yet", "description": "Isolated subagents run in their own copy of the repo so they can't accidentally disturb your main work.", "file": null, "line": null, From 239e88cecbfc785dd5ef2216dc3909896cd3d633 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Tue, 30 Jun 2026 13:30:22 +0200 Subject: [PATCH 26/31] fix(acr): on-demand copy for oversized skill-body finding (M-BUG-16) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The skill-listing check emits a third finding for an oversized skill BODY (v5.11 B7, RAW title "Skill body is large (loads on demand when the skill runs)"). The body is an ON-DEMAND cost — it loads only when the skill is invoked, not the always-loaded listing Claude reads every turn. The scanner is careful to distinguish the two (RAW title + comment + evidence note). But the humanizer-data SKL.static map had no entry for this title, so it fell through to SKL._default ("A skill is using more of the listing budget than it should"). The humanized title therefore claimed a listing-budget cost and directly contradicted the finding's own humanized evidence ("loads ON DEMAND only ... NOT every turn like the always-loaded listing") — the same internal contradiction class as M-BUG-15/M-BUG-14, and the same "new finding type added without a matching humanizer entry" gap the scanner checklist warns about. Found by finding-granularity premise-verification of the linkedin-posts scan before feeding it to the analyze pipeline (the prior session's pass focused on the GAP findings and did not catch the SKL fall-through). - humanizer-data.mjs: add SKL.static entry for "Skill body is large (loads on demand when the skill runs)" with on-demand-correct title ("A skill's body is large (it loads only when that skill runs)"), description, and recommendation. No listing-budget language; tier1/tier3 forbidden-word checks pass. - RED-first tests at both layers: humanizer.test.mjs (humanizeFinding path: title is not the listing-budget _default, conveys on-demand body) and humanizer-data.test.mjs (static entry exists, on-demand-correct). RAW envelope unaffected (humanizer bypassed for --raw/--json), frozen v5.0.0 snapshots untouched, default-output fixtures contain no oversized-body skill so no snapshot regen. Suite 1357->1359/0 (+2). Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01683eAqVecv9VZfQzL8CQ9h --- scanners/lib/humanizer-data.mjs | 5 +++++ tests/lib/humanizer-data.test.mjs | 16 ++++++++++++++++ tests/lib/humanizer.test.mjs | 21 +++++++++++++++++++++ 3 files changed, 42 insertions(+) diff --git a/scanners/lib/humanizer-data.mjs b/scanners/lib/humanizer-data.mjs index d4817eb..0575ddd 100644 --- a/scanners/lib/humanizer-data.mjs +++ b/scanners/lib/humanizer-data.mjs @@ -817,6 +817,11 @@ export const TRANSLATIONS = { description: 'Claude Code keeps every active skill\'s description in one shared listing it reads to choose which skill to use, and that listing has a limited size. Added up, your skills\' descriptions run past that size on a smaller setup, so Claude Code may drop some of them — and stop seeing those skills. This is an estimate; a larger setup has more room.', recommendation: 'Free up room: turn off bundled skills you do not use, collapse the heaviest ones so only their names show, or shorten the longest descriptions. The details show the measured total and the room available.', }, + 'Skill body is large (loads on demand when the skill runs)': { + title: 'A skill\'s body is large (it loads only when that skill runs)', + description: 'This skill\'s instructions run longer than the rough guidance for a skill body. The body is not part of the always-loaded listing Claude reads every turn — it loads only when you invoke the skill, so it costs nothing until then. Once it loads, though, it stays in context for the rest of that session.', + recommendation: 'Move reference material into supporting files the skill opens only when needed, so the body stays lean. For a heavy skill you can also run its body in a separate context with `context: fork` in the skill\'s settings.', + }, }, patterns: [], _default: { diff --git a/tests/lib/humanizer-data.test.mjs b/tests/lib/humanizer-data.test.mjs index 696461d..a79b065 100644 --- a/tests/lib/humanizer-data.test.mjs +++ b/tests/lib/humanizer-data.test.mjs @@ -203,6 +203,22 @@ test('GAP enhancement-gap titles do not presuppose the feature exists (M-BUG-15) `t3_6 title should still name subagent isolation: "${iso.title}"`); }); +test('SKL oversized-body copy is on-demand, not listing-budget (M-BUG-16)', () => { + // The skill-listing check emits a third finding for an oversized skill BODY, + // which loads ON DEMAND only when the skill runs — not the always-loaded + // listing. Before the fix this title had no static entry and fell through to + // the SKL _default ("using more of the listing budget"), contradicting the + // finding's own evidence ("NOT every turn like the always-loaded listing"). + const t = TRANSLATIONS.SKL.static['Skill body is large (loads on demand when the skill runs)']; + assert.ok(t, 'SKL static map missing "Skill body is large (loads on demand when the skill runs)"'); + assert.ok(!/listing budget/i.test(t.title), `body title must not claim listing budget: "${t.title}"`); + assert.ok(!/listing budget/i.test(t.description), `body description must not claim listing budget: "${t.description}"`); + // Must convey the on-demand body cost. + assert.ok(/body/i.test(t.title), `body title should name the body: "${t.title}"`); + assert.ok(/loads only|on demand|when (it|that|the) skill runs|when you invoke/i.test(t.title + ' ' + t.description), + `copy should convey the on-demand load: "${t.title}" / "${t.description}"`); +}); + test('CNF, COL, PLH have at least one pattern entry (template-literal titles)', () => { // These scanners use template-literal titles for some findings. for (const prefix of ['CNF', 'COL', 'PLH']) { diff --git a/tests/lib/humanizer.test.mjs b/tests/lib/humanizer.test.mjs index c049a70..c426c93 100644 --- a/tests/lib/humanizer.test.mjs +++ b/tests/lib/humanizer.test.mjs @@ -116,6 +116,27 @@ test('humanizeFinding falls back to _default when title unknown', () => { assert.ok(/instructions file/i.test(out.title), `expected CML _default title, got: ${out.title}`); }); +test('humanizeFinding maps SKL oversized-body finding to an on-demand title, not the listing-budget _default', () => { + // RAW title emitted by skill-listing-scanner for body > threshold (v5.11 B7). + // It is an ON-DEMAND body cost, NOT the always-loaded listing budget — the + // scanner is careful to distinguish them, so the humanized title must not + // regress into "listing budget" language via the SKL _default (M-BUG-16). + const input = makeFinding({ + scanner: 'SKL', + severity: 'low', + title: 'Skill body is large (loads on demand when the skill runs)', + description: 'Skill "repo-init" (user) has a body of about 6223 tokens (712 lines), over the ~5000-token guidance for a skill body.', + evidence: 'body_tokens~6223; threshold=5000 tok; skill="repo-init"; source=user - this is the skill BODY which loads ON DEMAND only when the skill is invoked - NOT every turn like the always-loaded listing.', + }); + const out = humanizeFinding(input); + assert.doesNotMatch(out.title, /listing budget/i, + `body finding must not be framed as a listing-budget cost, got: ${out.title}`); + assert.notEqual(out.title, 'A skill is using more of the listing budget than it should', + 'body finding must have its own mapping, not the SKL _default'); + assert.match(out.title, /body|on demand|when (it|the skill) runs/i, + `humanized title must convey the on-demand body cost, got: ${out.title}`); +}); + test('humanizeFinding passes through original strings when scanner prefix unknown', () => { const input = makeFinding({ scanner: 'XXX', title: 'whatever' }); const out = humanizeFinding(input); From 97867dbf370271588d771b3fb41c40badc47d5b5 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Tue, 30 Jun 2026 13:51:55 +0200 Subject: [PATCH 27/31] fix(acr): AGT findings humanize to "Wasted tokens" not "Other" (M-BUG-17) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The agent-listing scanner (AGT) emits an always-loaded per-turn token cost ("Agent description is long, re-sent every turn in the always-loaded listing"; scanner category 'token-efficiency', "the dominant single always-loaded source"). But SCANNER_TO_CATEGORY in humanizer.mjs had no AGT entry, so its findings fell through to the 'Other' fallback (humanizer.mjs:140) — a bucket that isn't even in the analyzer-agent's category list. Neither the scanner prefix nor the per-finding category ('token-efficiency' is not in CATEGORY_TO_IMPACT) resolved AGT to its true impact. Same class as M-BUG-16/15: a finding type without its matching humanizer mapping landing on a default that mismatches its own evidence. The analogous SKL body finding correctly buckets "Wasted tokens"; AGT (the same always-loaded token-waste mechanism) silently landed under the meaningless "Other". Found during analyze-prep premise-verification of the linkedin-posts scan: the 3 AGT findings bucketed "Other" while the analogous SKL findings bucketed "Wasted tokens". Fix: add AGT: 'Wasted tokens' to SCANNER_TO_CATEGORY, alongside TOK/CPS/SKL. RED-first (extended the Wasted-tokens category test to include AGT; the 'Other' fallback test still uses a synthetic 'XXX' scanner, unaffected). Frozen v5.0.0 untouched (AGT post-dates it; humanizer bypassed for --raw/--json); no default-output snapshot contains AGT -> 0 regen. Suite 1359/0. Verified end-to-end on linkedin-posts: 3 AGT findings now "Wasted tokens", 0 "Other" remaining, 28 findings unchanged (category-only). All 16 orchestrator scanner prefixes now covered by the category map (class closed). Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01683eAqVecv9VZfQzL8CQ9h --- scanners/lib/humanizer.mjs | 1 + tests/lib/humanizer.test.mjs | 9 ++++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/scanners/lib/humanizer.mjs b/scanners/lib/humanizer.mjs index be4f788..ddb0da7 100644 --- a/scanners/lib/humanizer.mjs +++ b/scanners/lib/humanizer.mjs @@ -38,6 +38,7 @@ const SCANNER_TO_CATEGORY = { TOK: 'Wasted tokens', CPS: 'Wasted tokens', SKL: 'Wasted tokens', + AGT: 'Wasted tokens', DIS: 'Dead config', GAP: 'Missed opportunity', PLH: 'Configuration mistake', diff --git a/tests/lib/humanizer.test.mjs b/tests/lib/humanizer.test.mjs index c426c93..6b8f64c 100644 --- a/tests/lib/humanizer.test.mjs +++ b/tests/lib/humanizer.test.mjs @@ -205,10 +205,13 @@ test('humanizeFinding sets category Conflict for CNF/COL', () => { } }); -test('humanizeFinding sets category Wasted tokens for TOK/CPS/SKL', () => { - for (const s of ['TOK', 'CPS', 'SKL']) { +test('humanizeFinding sets category Wasted tokens for TOK/CPS/SKL/AGT', () => { + // AGT (agent-listing budget) is an always-loaded per-turn token cost — the + // agent name+description is re-sent every turn in the listing — so it belongs + // in "Wasted tokens" alongside TOK/CPS/SKL, not the 'Other' fallback (M-BUG-17). + for (const s of ['TOK', 'CPS', 'SKL', 'AGT']) { const out = humanizeFinding(makeFinding({ scanner: s })); - assert.equal(out.userImpactCategory, 'Wasted tokens'); + assert.equal(out.userImpactCategory, 'Wasted tokens', `${s} should map to Wasted tokens`); } }); From 69a4654dd7533774ac6171343d1366d5b72bb917 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Tue, 14 Jul 2026 10:45:57 +0200 Subject: [PATCH 28/31] =?UTF-8?q?docs(plan):=20v5.13=20plan=20=E2=80=94=20?= =?UTF-8?q?model=20routing,=20effort=20awareness,=20dead=20references?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Video-derived audit ('The Model Isn't the Moat') cross-checked against primary sources. Verified: orchestrator+cheap-worker pattern and 5-level per-agent effort tuning (official docs); rejected: the 'Fable low ≈ Opus high' chart claim (contradicted by Anthropic's own pages). Five chunks: register entries BP-MODEL-001/002, fix-engine xhigh hygiene, CA-CML dead prose references, feature-gap model/effort opportunity, planner-agent adversarial gate. Sequenced AFTER DEL B pipeline dogfood + batch release. Co-Authored-By: Claude Fable 5 Claude-Session: https://claude.ai/code/session_01CTontYwY5JGS4nL2AuiASy --- ...v5.13-model-routing-effort-deadref-plan.md | 157 ++++++++++++++++++ 1 file changed, 157 insertions(+) create mode 100644 docs/v5.13-model-routing-effort-deadref-plan.md diff --git a/docs/v5.13-model-routing-effort-deadref-plan.md b/docs/v5.13-model-routing-effort-deadref-plan.md new file mode 100644 index 0000000..844c73e --- /dev/null +++ b/docs/v5.13-model-routing-effort-deadref-plan.md @@ -0,0 +1,157 @@ +# v5.13 Plan — Model Routing, Effort Awareness, Dead References + +Derived from an external video analysis ("The Model Isn't the Moat", 2026-07) cross-checked +against primary sources and against what config-audit already encodes. Every claim acted on +here was verified against Anthropic's own docs; video-only claims are explicitly rejected below. + +## Source verification (done 2026-07-14) + +| Claim from video | Verdict | Source | +|---|---|---| +| Orchestrator + cheaper worker models is a supported, recommended pattern | VERIFIED | code.claude.com/docs/en/sub-agents ("Control costs by routing tasks to faster, cheaper models like Haiku"), code.claude.com/docs/en/workflows | +| Reasoning effort is tunable per settings / session / launch / **per-agent frontmatter** / SDK; levels `low, medium, high, xhigh, max` | VERIFIED | code.claude.com/docs/en/model-config#adjust-effort-level, sub-agents doc | +| Leaked Fable 5 system prompt principles ("partial recognition ≠ current knowledge"; "a prompt implying a file is present doesn't mean one is"; answer-first-then-one-question; tool-call scaling 1 / 3–5 / 5–10) | VERIFIED near-verbatim, **provenance unconfirmed** (third-party leak repo, not Anthropic-confirmed) | github.com/asgeirtj/system_prompts_leaks `Anthropic/claude-fable-5.md` | +| "Fable 5 on low ≈ Opus 4.8 on high, slightly higher cost/quality" score-vs-cost chart | **CONTRADICTED** — no such chart/statement on Anthropic's pages; GPT-5.5 appears only in a testimonial | anthropic.com/news/claude-fable-5-mythos-5 | + +## Already covered — no action + +| Video idea | Existing coverage | +|---|---| +| "Process is the moat" (config/harness > raw model) | The plugin's entire thesis | +| Extract repeated procedure into a skill | BP-MECH-003 + CA-OPT-001 (`optimization-lens-scanner.mjs:121`) | +| CLAUDE.md size/ownership discipline | BP-SIZE-001 + CA-CML line/size checks (`claude-md-linter.mjs:109/:120/:140`) | +| Check that referenced imports exist | CA-IMP broken `@import` (`lib/import-resolver.mjs:88`) — but **only** `@import`, see Chunk 3 | +| Plugin's own agents are model-routed | Agents table already pins sonnet for mechanical, opus for judgment | + +## Gaps → chunks + +Verified gap summary (register-mapper sweep, 2026-07-14): no scanner audits per-agent +`model:`/`effort:` frontmatter; effort has validity-check only (`settings-validator.mjs:195`), +no recommendation; no dead-reference check for prose file mentions in CLAUDE.md; no +adversarial/failure-mode requirement in planner-agent; `fix-engine.mjs:26` effort list +omits `xhigh` (settings-validator has all five). + +### Chunk 1 — Register entries: model routing + effort (dogfoods `knowledge-refresh`) + +Add to `knowledge/best-practices.json` via the knowledge-refresh flow (human-approved write): + +- **BP-MODEL-001** (`category: model-fit`): subagents doing mechanical/read-only work can pin a + cheaper model via `model:` frontmatter; orchestrator keeps the strong model. Source: + code.claude.com/docs/en/sub-agents → `confidence: confirmed`. +- **BP-MODEL-002** (`category: model-fit`): reasoning effort is tunable at five levels in five + places (settings `effortLevel`, `/effort`, `--effort`, per-agent `effort` frontmatter, SDK); + default `high`; higher effort is not universally better for simple tasks. Source: + code.claude.com/docs/en/model-config → `confidence: confirmed`. + +Schema per `scanners/lib/best-practices-register.mjs:42-102` (id/claim/confidence/source.url/ +source.verified required). This chunk doubles as the DEL B dogfood of `/config-audit +knowledge-refresh` (each chunk is also a plugin test). + +### Chunk 2 — fix-engine effort hygiene (tiny, TDD) + +`fix-engine.mjs:26` `VALID_EFFORT_LEVELS = ['low','medium','high','max']` — missing `xhigh`. +Consequence: nearest-match "fix" for a typo like `xhig` corrects to `high`, not `xhigh`. +Red test first: `findNearestEffortLevel('xhig') === 'xhigh'`. Align list with +`settings-validator.mjs:75`. + +### Chunk 3 — CA-CML dead prose references (new deterministic check) + +The strongest video-derived principle ("a prompt implying a file is present doesn't mean one +is") applied to CLAUDE.md quality: flag file paths mentioned in CLAUDE.md **prose** that do not +exist on disk. Today only `@import` targets are existence-checked; stale pointers like +`docs/foo.md` or `scripts/bar.sh` rot silently and burn always-loaded tokens on misdirection. + +Conservative v1 to control false positives: +- Only backtick-quoted tokens that look like relative file paths (contain `/` or a known + extension), resolved against the CLAUDE.md's own directory. +- Skip URLs, globs (`*`), placeholders (`{...}`, `<...>`, `$VAR`, `${...}`), absolute and + `~/` paths (machine-specific), and paths under `.gitignore`d dirs if cheap to determine. +- Severity: low. New CA-CML-NNN (verify next free NNN at implementation — IDs are dynamic). + +Byte-stability: follow [[adding-scanner-byte-stability]] steps for a new finding type in an +EXISTING scanner — frozen `tests/snapshots/v5.0.0/` must stay untouched; default-output +snapshots regenerate (`UPDATE_SNAPSHOT=1`) only if a fixture actually carries the new type; +humanizer step 7 (M-16/M-17 lessons): `TRANSLATIONS`-static entry for the new RAW title +(CML category mapping already exists). + +### Chunk 4 — feature-gap + inventory: model/effort awareness + +- New T3 opportunity check in `feature-gap-scanner.mjs`: authored agents + (`isAuthoredConfig`, M-BUG-13 lesson) where **no** agent sets `model:` or `effort:` → + "all agents inherit the session model/effort — mechanical agents can be routed cheaper / + effort-calibrated" citing BP-MODEL-001/002. Fires only when authored agents exist + (M-BUG-15 lesson: no enhancement-check on empty collections). Opportunity framing, never + failure — deliberate max-model setups are a valid choice; finding is suppressable + (`.config-audit-ignore`). +- `whats-active` / `manifest`: surface `model`/`effort` per agent in the inventory tables. +- Humanizer wiring step 7 for the new GAP finding; verify via direct `scan()` output, not the + self-suppressed default output ([[agent-commands-need-scanner-scoping]]). +- feat commit → docs-gate: README + CLAUDE.md diffs required. + +### Chunk 5 — planner-agent adversarial gate (do AFTER DEL B pipeline dogfood) + +Add a required "Failure modes" section to `agents/planner-agent.md`'s action-plan contract: +before an action plan is emitted, list what could go wrong per change + rollback trigger. +Mirrors the video's scoping-vs-devil's-advocate distinction; currently absent (zero +adversarial requirements in agents/). **Sequencing constraint:** DEL B step 3.2 judges +planner-agent against a fasit — change the agent only after that dogfood pass, or the +fasit target moves mid-evaluation. + +## Explicitly rejected (do not revisit without new evidence) + +1. **"Fable low ≈ Opus high" cost/score framing** — contradicted by Anthropic's own pages. + Never encode in register, copy, or recommendations. +2. **Tool-call-count effort scaling (1 / 3–5 / 5–10) as a register entry** — source is an + unconfirmed third-party leak → would be `confidence: inferred`, never surfaced. Not worth + carrying. +3. **Cost/intelligence/"taste" model-routing table generator** — subjective scores don't fit + the deterministic, provenance-gated design. BP-MODEL-001 covers the actionable core. +4. **"Fable mode" skill** — a user-level skill, not configuration auditing. Out of plugin scope. +5. **CLAUDE.md prose contradiction detection** — real gap (CA-CNF only covers + settings/permissions/hooks) but not video-driven; keep this plan surgical. + +## Known tension (named, not resolved here) + +The operator's own global policy is Opus/max-effort for ALL subagents, never Haiku — the +opposite of Chunk 4's recommendation. Both are legitimate: the docs-backed routing advice +optimizes cost at equal quality for the general user; the operator deliberately buys maximum +quality. Chunk 4's copy must respect that (opportunity framing + suppressability), and on this +machine the finding will simply be suppressed or ignored. The plugin serves general users; +the operator's setup is not the target of the check. + +## Verification + +Global, after every chunk: +- `node --test 'tests/**/*.test.mjs'` → green (baseline 1359/0; count grows with new tests) +- `git status --porcelain tests/snapshots/v5.0.0/` → empty (frozen untouched) +- TDD: red test exists and fails BEFORE each production change + +Per chunk: +- **C1:** `node --test tests/lib/best-practices-register.test.mjs` green; + `node scanners/knowledge-refresh-cli.mjs` classifies BP-MODEL-001/002 as fresh +- **C2:** `findNearestEffortLevel('xhig')` → `xhigh` (red first); `grep xhigh scanners/fix-engine.mjs` non-empty +- **C3:** fixture CLAUDE.md referencing `docs/missing.md` → finding fires; existing file / + URL / glob / placeholder / `~/` path → silent; humanized output has non-contradictory copy +- **C4:** authored-agent fixture without model/effort → opportunity fires; with either set → + silent; zero authored agents → silent; `userImpactCategory` ≠ `Other` end-to-end via direct scan() +- **C5:** dogfood plan run produces a Failure-modes section; DEL B 3.2 fasit judged BEFORE the change + +## Key assumptions (test before/at implementation) + +1. **Per-agent `effort` frontmatter is official** — verified 2026-07-14 against + code.claude.com/docs/en/sub-agents + /model-config; re-fetch both pages at implementation + (docs move). +2. **New finding type in existing scanner leaves frozen snapshots untouched** — M-17 precedent + says yes when no v5.0.0 fixture carries the type; verify by running the suite and inspecting + which snapshots differ before committing. +3. **Next free CA-CML/CA-GAP finding numbers** — IDs are built dynamically; grep tests + + snapshots for the highest used NNN before assigning. + +## Sequencing vs DEL B (one plan, no relitigation) + +This plan does NOT preempt the active DEL B sequence. Recommended order: +1. DEL B step 3 pipeline dogfood (`analyze → plan → implement → rollback`) — unchanged, next. +2. Batch patch release M-11→M-17 — unchanged. +3. v5.13 chunks 1→5 (chunk 1 doubles as the `knowledge-refresh` dogfood already queued in + DEL B "Resten"; chunk 5 explicitly waits for step 3.2). Release as minor v5.13.0 via + `release-plugin.mjs` when all chunks land. From 4b7b2d9c48d9ef270fde905f8cb7035e534c9b6d Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Thu, 16 Jul 2026 20:24:12 +0200 Subject: [PATCH 29/31] fix(acr): analyze persists agent-returned report (M-BUG-18) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Claude Code subagent harness instructs spawned agents NOT to write report/summary/findings/analysis .md files — the parent reads the final text message. Verified live: analyzer-agent skipped Write entirely and returned the report inline, so analysis-report.md never landed on disk and the plan/interview/status phases would find nothing to read. New contract (orchestrator-writes pattern): analyzer-agent returns the complete report as its final message; the analyze command saves it verbatim to the session directory before presenting the summary. Same class exists in plan/feature-gap/optimize/scanner agent pairs — deliberately left for their own dogfood chunks (plan is judged as-is first per the pipeline sequence). Co-Authored-By: Claude Fable 5 Claude-Session: https://claude.ai/code/session_01CTontYwY5JGS4nL2AuiASy --- agents/analyzer-agent.md | 11 +++- commands/analyze.md | 17 +++-- .../analyze-report-persistence.test.mjs | 62 +++++++++++++++++++ 3 files changed, 83 insertions(+), 7 deletions(-) create mode 100644 tests/commands/analyze-report-persistence.test.mjs diff --git a/agents/analyzer-agent.md b/agents/analyzer-agent.md index 7018314..e406563 100644 --- a/agents/analyzer-agent.md +++ b/agents/analyzer-agent.md @@ -51,11 +51,16 @@ In `--raw` mode, fall back to v5.0.0 severity prefiks and verbatim scanner title 5. **Identify optimizations**: Rules to globalize, missing configs, orphaned files 6. **Security scan**: Aggregate secret warnings, check for insecure patterns 7. **CLAUDE.md quality assessment**: Score each file against rubric, assign letter grades -8. **Generate report**: Write comprehensive markdown report — group findings by `userImpactCategory`, lead with `userActionLanguage` +8. **Generate report**: Compose the comprehensive markdown report — group findings by `userImpactCategory`, lead with `userActionLanguage` ## Output -Write to: `~/.claude/config-audit/sessions/{session-id}/analysis-report.md` +Return the complete report as your final message — do not write it to a file +yourself. The Claude Code subagent harness instructs agents not to write +report/analysis files; your text output IS the deliverable. The orchestrating +command saves your returned report verbatim to +`~/.claude/config-audit/sessions/{session-id}/analysis-report.md` for the +downstream plan/interview/status phases. **Output MUST NOT exceed 300 lines.** Prioritize findings by severity. Use tables, not prose. @@ -183,4 +188,4 @@ Verify report: all findings referenced, recommendations actionable, severity lev - Process findings in memory (typically < 1MB total) - Generate report in single pass -- No file modifications (read-only except report output) +- No file modifications (read-only; the report is returned as your final message) diff --git a/commands/analyze.md b/commands/analyze.md index 438e6f2..6387afd 100644 --- a/commands/analyze.md +++ b/commands/analyze.md @@ -60,12 +60,21 @@ Agent(subagent_type: "config-audit:analyzer-agent") raw severity. The humanizer already replaced jargon-heavy title/description/recommendation strings with plain-language equivalents — render them verbatim, do not paraphrase. - Output to: ~/.claude/config-audit/sessions/{session-id}/analysis-report.md + Return the complete report as your final message. Do not write it + to a file — the orchestrating command saves it to the session directory. ``` -### Step 4: Present summary +### Step 4: Save the report -After the agent completes, read the generated report and show a brief summary: +The agent returns the complete report as its final message — the Claude Code +subagent harness instructs agents not to write report/analysis files themselves, +so the command must persist it. Write the returned report verbatim (no edits, +no truncation) to `~/.claude/config-audit/sessions/{session-id}/analysis-report.md` +using the Write tool. Downstream phases (`plan`, `interview`, `status`) read this file. + +### Step 5: Present summary + +After saving the report, show a brief summary: ```markdown ### Analysis Complete @@ -84,6 +93,6 @@ Full report: `~/.claude/config-audit/sessions/{session-id}/analysis-report.md` - **`/config-audit fix`** — Auto-fix deterministic issues right away ``` -### Step 5: Update state +### Step 6: Update state Update `state.yaml` with `current_phase: "analyze"`, `next_phase: "plan"`. diff --git a/tests/commands/analyze-report-persistence.test.mjs b/tests/commands/analyze-report-persistence.test.mjs new file mode 100644 index 0000000..0d167f2 --- /dev/null +++ b/tests/commands/analyze-report-persistence.test.mjs @@ -0,0 +1,62 @@ +/** + * M-BUG-18 — analysis-report.md persistence contract. + * + * The Claude Code subagent harness instructs spawned agents NOT to write + * report/summary/findings/analysis .md files — the parent reads the agent's + * final text message, not files it creates. The analyzer-agent therefore + * cannot be the one that persists analysis-report.md (verified live: the + * agent skipped Write and returned the report inline). + * + * New contract (orchestrator-writes pattern): + * - analyzer-agent returns the complete report as its final message + * - the analyze command saves that returned report verbatim to + * ~/.claude/config-audit/sessions/{session-id}/analysis-report.md, + * which downstream phases (plan, interview, status) read. + */ + +import { test } from 'node:test'; +import { strict as assert } from 'node:assert'; +import { readFile } from 'node:fs/promises'; +import { resolve, dirname } from 'node:path'; +import { fileURLToPath } from 'node:url'; + +const __dirname = dirname(fileURLToPath(import.meta.url)); +const COMMANDS_DIR = resolve(__dirname, '..', '..', 'commands'); +const AGENTS_DIR = resolve(__dirname, '..', '..', 'agents'); + +test('analyze.md: agent prompt does not tell the agent to write the report file', async () => { + const content = await readFile(resolve(COMMANDS_DIR, 'analyze.md'), 'utf-8'); + assert.doesNotMatch( + content, + /Output to:.*analysis-report\.md/, + 'the spawn prompt must not instruct the subagent to write analysis-report.md — the harness blocks agent-written report files' + ); +}); + +test('analyze.md: command saves the returned report to analysis-report.md', async () => { + const content = await readFile(resolve(COMMANDS_DIR, 'analyze.md'), 'utf-8'); + assert.match( + content, + /return[s]? the complete report as (its|your) final message/i, + 'analyze.md must state that the agent returns the report inline' + ); + assert.match( + content, + /Write tool[\s\S]{0,200}analysis-report\.md|analysis-report\.md[\s\S]{0,200}Write tool/, + 'analyze.md must instruct the command to persist the returned report to analysis-report.md with the Write tool' + ); +}); + +test('analyzer-agent.md: output contract is return-inline, not self-write', async () => { + const content = await readFile(resolve(AGENTS_DIR, 'analyzer-agent.md'), 'utf-8'); + assert.match( + content, + /return the complete report as your final message/i, + 'analyzer-agent must be told its final message IS the report' + ); + assert.doesNotMatch( + content, + /^Write to: .*analysis-report\.md/m, + 'analyzer-agent must not carry the old self-write output contract' + ); +}); From 0cd87e059758f7173deea9ab398b9df0860c1503 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 17 Jul 2026 03:53:06 +0200 Subject: [PATCH 30/31] fix(rul): globToRegex corrupts mid-pattern /**/ globs (M-BUG-19) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The ? -> [^/] replacement ran AFTER the {{GLOBSTAR_SLASH}} placeholder was restored to '(?:/.+/|/)', corrupting the group opener '(?:' into '([^/]:' — every rule pattern containing a mid-pattern '/**/' silently matched only the zero-dir branch and live rules were flagged 'matches no files' (CA-RUL). Found by dogfooding /config-audit implement on a throwaway repo copy: the implementer agent's correct 'posts/**/post.md' rule was flagged dead. Fix: run the ? replacement before placeholder restoration. Fixture outcomes byte-identical; frozen v5.0.0 baselines untouched. Co-Authored-By: Claude Fable 5 --- scanners/rules-validator.mjs | 4 +-- tests/scanners/rules-validator.test.mjs | 38 +++++++++++++++++++++++++ 2 files changed, 40 insertions(+), 2 deletions(-) diff --git a/scanners/rules-validator.mjs b/scanners/rules-validator.mjs index e277132..4a1b61d 100644 --- a/scanners/rules-validator.mjs +++ b/scanners/rules-validator.mjs @@ -251,9 +251,9 @@ function globToRegex(pattern) { .replace(/\/\*\*\//g, '{{GLOBSTAR_SLASH}}') .replace(/\*\*/g, '{{GLOBSTAR}}') .replace(/\*/g, '[^/]*') + .replace(/\?/g, '[^/]') // must run BEFORE placeholder restore — '(?:' would corrupt .replace(/\{\{GLOBSTAR_SLASH\}\}/g, '(?:/.+/|/)') // **/ matches 0+ intermediate dirs - .replace(/\{\{GLOBSTAR\}\}/g, '.*') - .replace(/\?/g, '[^/]'); + .replace(/\{\{GLOBSTAR\}\}/g, '.*'); // Handle leading patterns if (!regex.startsWith('.*') && !regex.startsWith('/')) { diff --git a/tests/scanners/rules-validator.test.mjs b/tests/scanners/rules-validator.test.mjs index 4cf9390..cfa0d0d 100644 --- a/tests/scanners/rules-validator.test.mjs +++ b/tests/scanners/rules-validator.test.mjs @@ -291,3 +291,41 @@ describe('RUL — user-global rule is not flagged "matches no files" (M-BUG-9 gu assert.equal(dead.length, 0, `user-global rule wrongly flagged dead: ${dead.map(f => f.evidence).join(' | ')}`); }); }); + +describe('RUL — mid-pattern /**/ glob matches intermediate dirs (M-BUG-19)', () => { + // globToRegex restored the {{GLOBSTAR_SLASH}} placeholder to "(?:/.+/|/)" + // BEFORE the ? → [^/] replacement ran, corrupting the group opener "(?:" + // into "([^/]:" — so every pattern containing a mid-pattern "/**/" silently + // matched nothing but the zero-dir "|/" branch, and live rules like + // "posts/**/post.md" were flagged "matches no files". + let tmpRoot; + let result; + + beforeEach(async () => { + resetCounter(); + tmpRoot = await mkdtemp(join(tmpdir(), 'ca-rul-globstar-')); + await mkdir(join(tmpRoot, '.claude', 'rules'), { recursive: true }); + await mkdir(join(tmpRoot, 'posts', '2026-01-23-slug'), { recursive: true }); + await writeFile(join(tmpRoot, 'posts', '2026-01-23-slug', 'post.md'), '# Post\n', 'utf8'); + await writeFile( + join(tmpRoot, '.claude', 'rules', 'post-scope.md'), + '---\npaths: "posts/**/post.md"\n---\n\n# Post rule\nbody\n', + 'utf8', + ); + const discovery = await discoverConfigFiles(tmpRoot); + result = await scan(tmpRoot, discovery); + }); + + afterEach(async () => { + if (tmpRoot) await rm(tmpRoot, { recursive: true, force: true }); + }); + + it('does NOT flag a live posts/**/post.md rule as "matches no files"', () => { + const dead = result.findings.filter(f => f.title.includes('matches no files')); + assert.equal( + dead.length, + 0, + `/**/ rule matched a real file but was flagged dead: ${dead.map(f => f.evidence).join(' | ')}`, + ); + }); +}); From b4d819b72d7fdb276d5d3911edcc91cd6e455ca5 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 17 Jul 2026 03:53:06 +0200 Subject: [PATCH 31/31] fix(acr): pin Bash >> append discipline on shared implementation log (M-BUG-20) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit implement.md spawns implementer agents in parallel batches, all appending to the same implementation-log.md. Dogfooding showed agents satisfying 'Append result to:' with a full-file Write — the last writer clobbered 4 of 6 entries. Pin the mechanism in both contracts: append with Bash >> heredoc, never the Write/Edit tool on the shared log. Shape tests pin the instruction in both files (empirically verified: agents given the >> instruction appended safely). Co-Authored-By: Claude Fable 5 --- agents/implementer-agent.md | 5 +++ commands/implement.md | 2 + tests/commands/implement-log-append.test.mjs | 41 ++++++++++++++++++++ 3 files changed, 48 insertions(+) create mode 100644 tests/commands/implement-log-append.test.mjs diff --git a/agents/implementer-agent.md b/agents/implementer-agent.md index ecb441e..a1b066a 100644 --- a/agents/implementer-agent.md +++ b/agents/implementer-agent.md @@ -146,6 +146,11 @@ Move content from one file to another. Append to: `~/.claude/config-audit/sessions/{session-id}/implementation-log.md` +**Append discipline (shared log):** other implementer agents may be writing this +log concurrently. ALWAYS append your entry with a Bash `>>` heredoc; +NEVER use the Write or Edit tool on the log file — a full-file Write silently +clobbers entries other agents appended after you read the file. + ### Success ```markdown diff --git a/commands/implement.md b/commands/implement.md index 5f13d51..f2ff97a 100644 --- a/commands/implement.md +++ b/commands/implement.md @@ -78,6 +78,8 @@ Agent(subagent_type: "config-audit:implementer-agent") fields from the action plan (the planner already rendered them) — do not re-derive severity prose. Append result to: ~/.claude/config-audit/sessions/{session-id}/implementation-log.md + Append with Bash `>>` (heredoc) — NEVER the Write tool on this log; + parallel agents share it and a full-file Write clobbers their entries. ``` Show progress between groups using the humanized titles already present in the action plan: diff --git a/tests/commands/implement-log-append.test.mjs b/tests/commands/implement-log-append.test.mjs new file mode 100644 index 0000000..09f0d6c --- /dev/null +++ b/tests/commands/implement-log-append.test.mjs @@ -0,0 +1,41 @@ +/** + * M-BUG-20 — shared implementation-log clobbering under parallel agents. + * + * implement.md step 4 spawns implementer agents in parallel batches, and every + * agent appends its result to the SAME implementation-log.md. Dogfooding + * (2026-07-17, throwaway linkedin-posts copy) showed agents satisfying + * "Append result to:" with a full-file Write: each agent read the log, added + * its entry, and wrote the whole file back — the last writer silently + * clobbered 4 of 6 entries. + * + * Contract: both the command template and the agent prompt must pin the append + * mechanism — Bash `>>`, never the Write/Edit tool — on the shared log. + */ + +import { test } from 'node:test'; +import { strict as assert } from 'node:assert'; +import { readFile } from 'node:fs/promises'; +import { resolve, dirname } from 'node:path'; +import { fileURLToPath } from 'node:url'; + +const __dirname = dirname(fileURLToPath(import.meta.url)); +const ROOT = resolve(__dirname, '..', '..'); + +const APPEND_MECHANISM_REGEX = />>/; +const FORBID_WRITE_TOOL_REGEX = /never[^.\n]*\bwrite\b[^.\n]*tool|\bwrite\b[^.\n]*tool[^.\n]*never/i; + +test('implement.md: agent-spawn template pins Bash >> append on the shared log', async () => { + const content = await readFile(resolve(ROOT, 'commands', 'implement.md'), 'utf-8'); + assert.match(content, APPEND_MECHANISM_REGEX, + 'implement.md must instruct appending to implementation-log.md with Bash >>'); + assert.match(content, FORBID_WRITE_TOOL_REGEX, + 'implement.md must forbid the Write tool on the shared implementation log'); +}); + +test('implementer-agent.md: output section pins Bash >> append and forbids Write tool on the log', async () => { + const content = await readFile(resolve(ROOT, 'agents', 'implementer-agent.md'), 'utf-8'); + assert.match(content, APPEND_MECHANISM_REGEX, + 'implementer-agent.md must instruct appending to the log with Bash >>'); + assert.match(content, FORBID_WRITE_TOOL_REGEX, + 'implementer-agent.md must forbid the Write tool on the shared implementation log'); +});