Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit c4f679d

Browse files
garrytanclaude
andauthored
feat: safety hook skills + skill usage telemetry (v0.7.1) (garrytan#189)
* feat: add /careful, /freeze, /guard, /unfreeze safety hook skills Four new on-demand skills using Claude Code's PreToolUse hooks: - /careful: warns before destructive commands (rm -rf, DROP TABLE, force-push, etc.) - /freeze: blocks file edits outside a specified directory - /guard: composes both into one command - /unfreeze: clears freeze boundary without ending session Pure bash hook scripts with Python fallback for JSON edge cases. Safe exceptions for build artifacts (node_modules, dist, .next, etc.). Hook fire telemetry logs pattern name only (never command content). Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * feat: add skill usage telemetry to preamble TemplateContext system passes skill name through resolver pipeline so each generated SKILL.md gets its own name baked into the telemetry line. Appends to ~/.gstack/analytics/skill-usage.jsonl on every invocation. Covers 14 preamble-using skills + 4 hook skills (inline telemetry). JSONL format: {"skill":"ship","ts":"...","repo":"my-project"} Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * feat: add analytics CLI for skill usage stats bun run analytics reads ~/.gstack/analytics/skill-usage.jsonl and shows top skills, per-repo breakdown, hook fire stats, and daily timeline. Supports --period 7d/30d/all. Handles missing/empty/malformed data. 22 unit tests cover parsing, filtering, formatting, and edge cases. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * feat: add skills-used-this-week to /retro Retro Step 2 now reads skill-usage.jsonl and shows which gstack skills were used during the retro window. Follows the same pattern as the Greptile signal and Backlog Health metrics — read file, filter by date, aggregate, present. Skips silently if no analytics data exists. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * test: add hook script and telemetry tests 32 unit tests for check-careful.sh covering all 8 destructive patterns, safe exceptions, Python fallback, and malformed input handling. 7 unit tests for check-freeze.sh covering boundary enforcement, trailing slash edge case, and missing state file. Telemetry tests verify per-skill name correctness in generated output. Adds careful/freeze/guard/unfreeze/document-release to ALL_SKILLS. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * chore: bump version to 0.6.5 + changelog + mark TODOs shipped Safety hook skills and skill usage telemetry shipped. Analytics CLI and /retro integration included. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * feat: /debug auto-freezes edits to the module being debugged Add PreToolUse hooks (Edit/Write) to debug/SKILL.md.tmpl that reference the existing freeze/bin/check-freeze.sh. After Phase 1 investigation, /debug locks edits to the narrowest affected directory. Graceful degradation: if freeze script is unavailable, scope lock is skipped. Users can run /unfreeze to remove the restriction. Deferred 6 enhancements to TODOS.md, gated on telemetry showing the freeze hook actually fires in real debugging sessions. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> --------- Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
1 parent 2a20692 commit c4f679d

37 files changed

Lines changed: 1749 additions & 31 deletions

File tree

CHANGELOG.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,16 @@
11
# Changelog
22

3+
## [0.7.3] - 2026-03-18
4+
5+
### Added
6+
7+
- **Safety guardrails you can turn on with one command.** Say "be careful" or "safety mode" and `/careful` will warn you before any destructive command — `rm -rf`, `DROP TABLE`, force-push, `kubectl delete`, and more. You can override every warning. Common build artifact cleanups (`rm -rf node_modules`, `dist`, `.next`) are whitelisted.
8+
- **Lock edits to one folder with `/freeze`.** Debugging something and don't want Claude to "fix" unrelated code? `/freeze` blocks all file edits outside a directory you choose. Hard block, not just a warning. Run `/unfreeze` to remove the restriction without ending your session.
9+
- **`/guard` activates both at once.** One command for maximum safety when touching prod or live systems — destructive command warnings plus directory-scoped edit restrictions.
10+
- **`/debug` now auto-freezes edits to the module being debugged.** After forming a root cause hypothesis, `/debug` locks edits to the narrowest affected directory. No more accidental "fixes" to unrelated code during debugging.
11+
- **You can now see which skills you use and how often.** Every skill invocation is logged locally to `~/.gstack/analytics/skill-usage.jsonl`. Run `bun run analytics` to see your top skills, per-repo breakdown, and how often safety hooks actually catch something. Data stays on your machine.
12+
- **Weekly retros now include skill usage.** `/retro` shows which skills you used during the retro window alongside your usual commit analysis and metrics.
13+
314
## [0.7.2] - 2026-03-18
415

516
### Fixed

SKILL.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -56,6 +56,8 @@ _BRANCH=$(git branch --show-current 2>/dev/null || echo "unknown")
5656
echo "BRANCH: $_BRANCH"
5757
_LAKE_SEEN=$([ -f ~/.gstack/.completeness-intro-seen ] && echo "yes" || echo "no")
5858
echo "LAKE_INTRO: $_LAKE_SEEN"
59+
mkdir -p ~/.gstack/analytics
60+
echo '{"skill":"gstack","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'","repo":"'$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null || echo "unknown")'"}' >> ~/.gstack/analytics/skill-usage.jsonl 2>/dev/null || true
5961
_PROACTIVE=$(~/.claude/skills/gstack/bin/gstack-config get proactive 2>/dev/null || echo "true")
6062
echo "PROACTIVE: $_PROACTIVE"
6163
```

TODOS.md

Lines changed: 20 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -506,34 +506,37 @@ Shipped as v0.5.0 on main. Includes `/plan-design-review` (report-only design au
506506

507507
## Safety & Observability
508508

509-
### On-demand hook skills (/careful, /freeze, /guard)
509+
### On-demand hook skills (/careful, /freeze, /guard) — SHIPPED
510510

511-
**What:** Three new skills that use Claude Code's session-scoped PreToolUse hooks to add safety guardrails on demand.
511+
~~**What:** Three new skills that use Claude Code's session-scoped PreToolUse hooks to add safety guardrails on demand.~~
512512

513-
**Why:** Anthropic's internal skill best practices recommend on-demand hooks for safety. Claude Code already handles destructive command permissions, but these add an explicit opt-in layer for high-risk sessions (touching prod, debugging live systems).
513+
Shipped as `/careful`, `/freeze`, `/guard`, and `/unfreeze` in v0.6.5. Includes hook fire-rate telemetry (pattern name only, no command content) and inline skill activation telemetry.
514514

515-
**Skills:**
516-
- `/careful` — PreToolUse hook on Bash tool. Warns (not blocks) before destructive commands: `rm -rf`, `DROP TABLE`, `git push --force`, `git reset --hard`, `kubectl delete`, `docker system prune`. Uses `permissionDecision: "ask"` so user can override.
517-
- `/freeze` — PreToolUse hook on Edit/Write tools. Restricts file edits to a user-specified directory. Great for debugging without accidentally "fixing" unrelated code.
518-
- `/guard` — meta-skill composing `/careful` + `/freeze` into one command.
515+
### Skill usage telemetry — SHIPPED
519516

520-
**Implementation notes:** Use `${CLAUDE_SKILL_DIR}` (not `${SKILL_DIR}`) for script paths in hook commands. Pure bash JSON parsing (no jq dependency). Freeze dir storage: `${CLAUDE_PLUGIN_DATA}/freeze-dir.txt` with `~/.gstack/freeze-dir.txt` fallback. Ensure trailing `/` on freeze dir paths to prevent `/src` matching `/src-old`.
517+
~~**What:** Track which skills get invoked, how often, from which repo.~~
521518

522-
**Effort:** M (human) / S (CC)
523-
**Priority:** P3
524-
**Depends on:** None
519+
Shipped in v0.6.5. TemplateContext in gen-skill-docs.ts bakes skill name into preamble telemetry line. Analytics CLI (`bun run analytics`) for querying. /retro integration shows skills-used-this-week.
525520

526-
### Skill usage telemetry
521+
### /debug scoped debugging enhancements (gated on telemetry)
527522

528-
**What:** Track which skills get invoked, how often, from which repo.
523+
**What:** Six enhancements to /debug auto-freeze, contingent on telemetry showing the freeze hook actually fires in real debugging sessions.
529524

530-
**Why:** Enables finding undertriggering skills and measuring adoption. Anthropic uses a PreToolUse hook for this; simpler approach is appending JSONL from the preamble.
525+
**Why:** /debug v0.7.1 auto-freezes edits to the module being debugged. If telemetry shows the hook fires often, these enhancements make the experience smarter. If it never fires, the problem wasn't real and these aren't worth building.
531526

532-
**Context:** Add to `generatePreamble()` in `scripts/gen-skill-docs.ts`. Append to `~/.gstack/analytics/skill-usage.jsonl` with skill name, timestamp, and repo name. `mkdir -p` ensures the directory exists.
527+
**Context:** All items are prose additions to `debug/SKILL.md.tmpl`. No new scripts.
533528

534-
**Effort:** S (human) / S (CC)
529+
**Items:**
530+
1. Stack trace auto-detection for freeze directory (parse deepest app frame)
531+
2. Freeze boundary widening (ask to widen instead of hard-block when hitting boundary)
532+
3. Post-fix auto-unfreeze + full test suite run
533+
4. Debug instrumentation cleanup (tag with DEBUG-TEMP, remove before commit)
534+
5. Debug session persistence (~/.gstack/debug-sessions/ — save investigation for reuse)
535+
6. Investigation timeline in debug report (hypothesis log with timing)
536+
537+
**Effort:** M (all 6 combined)
535538
**Priority:** P3
536-
**Depends on:** None
539+
**Depends on:** Telemetry data showing freeze hook fires in real /debug sessions
537540

538541
## Completed
539542

VERSION

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
0.7.2
1+
0.7.3

browse/SKILL.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,8 @@ _BRANCH=$(git branch --show-current 2>/dev/null || echo "unknown")
3131
echo "BRANCH: $_BRANCH"
3232
_LAKE_SEEN=$([ -f ~/.gstack/.completeness-intro-seen ] && echo "yes" || echo "no")
3333
echo "LAKE_INTRO: $_LAKE_SEEN"
34+
mkdir -p ~/.gstack/analytics
35+
echo '{"skill":"browse","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'","repo":"'$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null || echo "unknown")'"}' >> ~/.gstack/analytics/skill-usage.jsonl 2>/dev/null || true
3436
_PROACTIVE=$(~/.claude/skills/gstack/bin/gstack-config get proactive 2>/dev/null || echo "true")
3537
echo "PROACTIVE: $_PROACTIVE"
3638
```

careful/SKILL.md

Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,59 @@
1+
---
2+
name: careful
3+
version: 0.1.0
4+
description: |
5+
Safety guardrails for destructive commands. Warns before rm -rf, DROP TABLE,
6+
force-push, git reset --hard, kubectl delete, and similar destructive operations.
7+
User can override each warning. Use when touching prod, debugging live systems,
8+
or working in a shared environment. Use when asked to "be careful", "safety mode",
9+
"prod mode", or "careful mode".
10+
allowed-tools:
11+
- Bash
12+
- Read
13+
hooks:
14+
PreToolUse:
15+
- matcher: "Bash"
16+
hooks:
17+
- type: command
18+
command: "bash ${CLAUDE_SKILL_DIR}/bin/check-careful.sh"
19+
statusMessage: "Checking for destructive commands..."
20+
---
21+
<!-- AUTO-GENERATED from SKILL.md.tmpl — do not edit directly -->
22+
<!-- Regenerate: bun run gen:skill-docs -->
23+
24+
# /careful — Destructive Command Guardrails
25+
26+
Safety mode is now **active**. Every bash command will be checked for destructive
27+
patterns before running. If a destructive command is detected, you'll be warned
28+
and can choose to proceed or cancel.
29+
30+
```bash
31+
mkdir -p ~/.gstack/analytics
32+
echo '{"skill":"careful","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'","repo":"'$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null || echo "unknown")'"}' >> ~/.gstack/analytics/skill-usage.jsonl 2>/dev/null || true
33+
```
34+
35+
## What's protected
36+
37+
| Pattern | Example | Risk |
38+
|---------|---------|------|
39+
| `rm -rf` / `rm -r` / `rm --recursive` | `rm -rf /var/data` | Recursive delete |
40+
| `DROP TABLE` / `DROP DATABASE` | `DROP TABLE users;` | Data loss |
41+
| `TRUNCATE` | `TRUNCATE orders;` | Data loss |
42+
| `git push --force` / `-f` | `git push -f origin main` | History rewrite |
43+
| `git reset --hard` | `git reset --hard HEAD~3` | Uncommitted work loss |
44+
| `git checkout .` / `git restore .` | `git checkout .` | Uncommitted work loss |
45+
| `kubectl delete` | `kubectl delete pod` | Production impact |
46+
| `docker rm -f` / `docker system prune` | `docker system prune -a` | Container/image loss |
47+
48+
## Safe exceptions
49+
50+
These patterns are allowed without warning:
51+
- `rm -rf node_modules` / `.next` / `dist` / `__pycache__` / `.cache` / `build` / `.turbo` / `coverage`
52+
53+
## How it works
54+
55+
The hook reads the command from the tool input JSON, checks it against the
56+
patterns above, and returns `permissionDecision: "ask"` with a warning message
57+
if a match is found. You can always override the warning and proceed.
58+
59+
To deactivate, end the conversation or start a new one. Hooks are session-scoped.

careful/SKILL.md.tmpl

Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
---
2+
name: careful
3+
version: 0.1.0
4+
description: |
5+
Safety guardrails for destructive commands. Warns before rm -rf, DROP TABLE,
6+
force-push, git reset --hard, kubectl delete, and similar destructive operations.
7+
User can override each warning. Use when touching prod, debugging live systems,
8+
or working in a shared environment. Use when asked to "be careful", "safety mode",
9+
"prod mode", or "careful mode".
10+
allowed-tools:
11+
- Bash
12+
- Read
13+
hooks:
14+
PreToolUse:
15+
- matcher: "Bash"
16+
hooks:
17+
- type: command
18+
command: "bash ${CLAUDE_SKILL_DIR}/bin/check-careful.sh"
19+
statusMessage: "Checking for destructive commands..."
20+
---
21+
22+
# /careful — Destructive Command Guardrails
23+
24+
Safety mode is now **active**. Every bash command will be checked for destructive
25+
patterns before running. If a destructive command is detected, you'll be warned
26+
and can choose to proceed or cancel.
27+
28+
```bash
29+
mkdir -p ~/.gstack/analytics
30+
echo '{"skill":"careful","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'","repo":"'$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null || echo "unknown")'"}' >> ~/.gstack/analytics/skill-usage.jsonl 2>/dev/null || true
31+
```
32+
33+
## What's protected
34+
35+
| Pattern | Example | Risk |
36+
|---------|---------|------|
37+
| `rm -rf` / `rm -r` / `rm --recursive` | `rm -rf /var/data` | Recursive delete |
38+
| `DROP TABLE` / `DROP DATABASE` | `DROP TABLE users;` | Data loss |
39+
| `TRUNCATE` | `TRUNCATE orders;` | Data loss |
40+
| `git push --force` / `-f` | `git push -f origin main` | History rewrite |
41+
| `git reset --hard` | `git reset --hard HEAD~3` | Uncommitted work loss |
42+
| `git checkout .` / `git restore .` | `git checkout .` | Uncommitted work loss |
43+
| `kubectl delete` | `kubectl delete pod` | Production impact |
44+
| `docker rm -f` / `docker system prune` | `docker system prune -a` | Container/image loss |
45+
46+
## Safe exceptions
47+
48+
These patterns are allowed without warning:
49+
- `rm -rf node_modules` / `.next` / `dist` / `__pycache__` / `.cache` / `build` / `.turbo` / `coverage`
50+
51+
## How it works
52+
53+
The hook reads the command from the tool input JSON, checks it against the
54+
patterns above, and returns `permissionDecision: "ask"` with a warning message
55+
if a match is found. You can always override the warning and proceed.
56+
57+
To deactivate, end the conversation or start a new one. Hooks are session-scoped.

careful/bin/check-careful.sh

Lines changed: 112 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,112 @@
1+
#!/usr/bin/env bash
2+
# check-careful.sh — PreToolUse hook for /careful skill
3+
# Reads JSON from stdin, checks Bash command for destructive patterns.
4+
# Returns {"permissionDecision":"ask","message":"..."} to warn, or {} to allow.
5+
set -euo pipefail
6+
7+
# Read stdin (JSON with tool_input)
8+
INPUT=$(cat)
9+
10+
# Extract the "command" field value from tool_input
11+
# Try grep/sed first (handles 99% of cases), fall back to Python for escaped quotes
12+
CMD=$(printf '%s' "$INPUT" | grep -o '"command"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*:[[:space:]]*"//;s/"$//' || true)
13+
14+
# Python fallback if grep returned empty (e.g., escaped quotes in command)
15+
if [ -z "$CMD" ]; then
16+
CMD=$(printf '%s' "$INPUT" | python3 -c 'import sys,json; print(json.loads(sys.stdin.read()).get("tool_input",{}).get("command",""))' 2>/dev/null || true)
17+
fi
18+
19+
# If we still couldn't extract a command, allow
20+
if [ -z "$CMD" ]; then
21+
echo '{}'
22+
exit 0
23+
fi
24+
25+
# Normalize: lowercase for case-insensitive SQL matching
26+
CMD_LOWER=$(printf '%s' "$CMD" | tr '[:upper:]' '[:lower:]')
27+
28+
# --- Check for safe exceptions (rm -rf of build artifacts) ---
29+
if printf '%s' "$CMD" | grep -qE 'rm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+|--recursive\s+)' 2>/dev/null; then
30+
SAFE_ONLY=true
31+
RM_ARGS=$(printf '%s' "$CMD" | sed -E 's/.*rm\s+(-[a-zA-Z]+\s+)*//;s/--recursive\s*//')
32+
for target in $RM_ARGS; do
33+
case "$target" in
34+
*/node_modules|node_modules|*/\.next|\.next|*/dist|dist|*/__pycache__|__pycache__|*/\.cache|\.cache|*/build|build|*/\.turbo|\.turbo|*/coverage|coverage)
35+
;; # safe target
36+
-*)
37+
;; # flag, skip
38+
*)
39+
SAFE_ONLY=false
40+
break
41+
;;
42+
esac
43+
done
44+
if [ "$SAFE_ONLY" = true ]; then
45+
echo '{}'
46+
exit 0
47+
fi
48+
fi
49+
50+
# --- Destructive pattern checks ---
51+
WARN=""
52+
PATTERN=""
53+
54+
# rm -rf / rm -r / rm --recursive
55+
if printf '%s' "$CMD" | grep -qE 'rm\s+(-[a-zA-Z]*r|--recursive)' 2>/dev/null; then
56+
WARN="Destructive: recursive delete (rm -r). This permanently removes files."
57+
PATTERN="rm_recursive"
58+
fi
59+
60+
# DROP TABLE / DROP DATABASE
61+
if [ -z "$WARN" ] && printf '%s' "$CMD_LOWER" | grep -qE 'drop\s+(table|database)' 2>/dev/null; then
62+
WARN="Destructive: SQL DROP detected. This permanently deletes database objects."
63+
PATTERN="drop_table"
64+
fi
65+
66+
# TRUNCATE
67+
if [ -z "$WARN" ] && printf '%s' "$CMD_LOWER" | grep -qE '\btruncate\b' 2>/dev/null; then
68+
WARN="Destructive: SQL TRUNCATE detected. This deletes all rows from a table."
69+
PATTERN="truncate"
70+
fi
71+
72+
# git push --force / git push -f
73+
if [ -z "$WARN" ] && printf '%s' "$CMD" | grep -qE 'git\s+push\s+.*(-f\b|--force)' 2>/dev/null; then
74+
WARN="Destructive: git force-push rewrites remote history. Other contributors may lose work."
75+
PATTERN="git_force_push"
76+
fi
77+
78+
# git reset --hard
79+
if [ -z "$WARN" ] && printf '%s' "$CMD" | grep -qE 'git\s+reset\s+--hard' 2>/dev/null; then
80+
WARN="Destructive: git reset --hard discards all uncommitted changes."
81+
PATTERN="git_reset_hard"
82+
fi
83+
84+
# git checkout . / git restore .
85+
if [ -z "$WARN" ] && printf '%s' "$CMD" | grep -qE 'git\s+(checkout|restore)\s+\.' 2>/dev/null; then
86+
WARN="Destructive: discards all uncommitted changes in the working tree."
87+
PATTERN="git_discard"
88+
fi
89+
90+
# kubectl delete
91+
if [ -z "$WARN" ] && printf '%s' "$CMD" | grep -qE 'kubectl\s+delete' 2>/dev/null; then
92+
WARN="Destructive: kubectl delete removes Kubernetes resources. May impact production."
93+
PATTERN="kubectl_delete"
94+
fi
95+
96+
# docker rm -f / docker system prune
97+
if [ -z "$WARN" ] && printf '%s' "$CMD" | grep -qE 'docker\s+(rm\s+-f|system\s+prune)' 2>/dev/null; then
98+
WARN="Destructive: Docker force-remove or prune. May delete running containers or cached images."
99+
PATTERN="docker_destructive"
100+
fi
101+
102+
# --- Output ---
103+
if [ -n "$WARN" ]; then
104+
# Log hook fire event (pattern name only, never command content)
105+
mkdir -p ~/.gstack/analytics 2>/dev/null || true
106+
echo '{"event":"hook_fire","skill":"careful","pattern":"'"$PATTERN"'","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'","repo":"'$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null || echo "unknown")'"}' >> ~/.gstack/analytics/skill-usage.jsonl 2>/dev/null || true
107+
108+
WARN_ESCAPED=$(printf '%s' "$WARN" | sed 's/"/\\"/g')
109+
printf '{"permissionDecision":"ask","message":"[careful] %s"}\n' "$WARN_ESCAPED"
110+
else
111+
echo '{}'
112+
fi

debug/SKILL.md

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,18 @@ allowed-tools:
1616
- Grep
1717
- Glob
1818
- AskUserQuestion
19+
hooks:
20+
PreToolUse:
21+
- matcher: "Edit"
22+
hooks:
23+
- type: command
24+
command: "bash ${CLAUDE_SKILL_DIR}/../freeze/bin/check-freeze.sh"
25+
statusMessage: "Checking debug scope boundary..."
26+
- matcher: "Write"
27+
hooks:
28+
- type: command
29+
command: "bash ${CLAUDE_SKILL_DIR}/../freeze/bin/check-freeze.sh"
30+
statusMessage: "Checking debug scope boundary..."
1931
---
2032
<!-- AUTO-GENERATED from SKILL.md.tmpl — do not edit directly -->
2133
<!-- Regenerate: bun run gen:skill-docs -->
@@ -34,6 +46,8 @@ _BRANCH=$(git branch --show-current 2>/dev/null || echo "unknown")
3446
echo "BRANCH: $_BRANCH"
3547
_LAKE_SEEN=$([ -f ~/.gstack/.completeness-intro-seen ] && echo "yes" || echo "no")
3648
echo "LAKE_INTRO: $_LAKE_SEEN"
49+
mkdir -p ~/.gstack/analytics
50+
echo '{"skill":"debug","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'","repo":"'$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null || echo "unknown")'"}' >> ~/.gstack/analytics/skill-usage.jsonl 2>/dev/null || true
3751
_PROACTIVE=$(~/.claude/skills/gstack/bin/gstack-config get proactive 2>/dev/null || echo "true")
3852
echo "PROACTIVE: $_PROACTIVE"
3953
```
@@ -184,6 +198,31 @@ Output: **"Root cause hypothesis: ..."** — a specific, testable claim about wh
184198

185199
---
186200

201+
## Scope Lock
202+
203+
After forming your root cause hypothesis, lock edits to the affected module to prevent scope creep.
204+
205+
```bash
206+
[ -x "${CLAUDE_SKILL_DIR}/../freeze/bin/check-freeze.sh" ] && echo "FREEZE_AVAILABLE" || echo "FREEZE_UNAVAILABLE"
207+
```
208+
209+
**If FREEZE_AVAILABLE:** Identify the narrowest directory containing the affected files. Write it to the freeze state file:
210+
211+
```bash
212+
STATE_DIR="${CLAUDE_PLUGIN_DATA:-$HOME/.gstack}"
213+
mkdir -p "$STATE_DIR"
214+
echo "<detected-directory>/" > "$STATE_DIR/freeze-dir.txt"
215+
echo "Debug scope locked to: <detected-directory>/"
216+
```
217+
218+
Substitute `<detected-directory>` with the actual directory path (e.g., `src/auth/`). Tell the user: "Edits restricted to `<dir>/` for this debug session. This prevents changes to unrelated code. Run `/unfreeze` to remove the restriction."
219+
220+
If the bug spans the entire repo or the scope is genuinely unclear, skip the lock and note why.
221+
222+
**If FREEZE_UNAVAILABLE:** Skip scope lock. Edits are unrestricted.
223+
224+
---
225+
187226
## Phase 2: Pattern Analysis
188227

189228
Check if this bug matches a known pattern:

0 commit comments

Comments
 (0)