add hook health snapshot and guard fixes

Signed-off-by: VibeGuard Agent <1835304752@qq.com>

Author: majiayu000

.claude/commands/vibeguard/stats.md

@@ -3,23 +3,32 @@ name: "VibeGuard: Stats"
 description: "查看 hooks 触发统计 — 拦截/警告/放行次数和原因分析"
 category: VibeGuard
 tags: [vibeguard, stats, logging, observability]
-argument-hint: "[days|all]"
+argument-hint: "[days|all|health [hours]]"
 ---
 
 **核心功能**
 - 分析 `~/.vibeguard/events.jsonl` 中的 hook 触发日志
 - 输出拦截/警告/放行统计、按 hook 分布、原因 Top 5、每日触发量
+- 支持 `health` 快照模式：风险率、Top 风险 hook、最近风险事件 Top 10
 - 帮助用户了解 VibeGuard 是否在工作、拦截了什么
 
 **Steps**
 
-1. 运行统计脚本：
+1. 根据参数运行对应脚本：
    ```bash
-   bash ~/Desktop/code/AI/tools/vibeguard/scripts/stats.sh $ARGUMENTS
+   if [[ "${ARGUMENTS:-}" == health* ]]; then
+     health_arg="${ARGUMENTS#health}"
+     health_arg="${health_arg#"${health_arg%%[![:space:]]*}"}"
+     bash ~/Desktop/code/AI/tools/vibeguard/scripts/hook-health.sh "${health_arg:-24}"
+   else
+     bash ~/Desktop/code/AI/tools/vibeguard/scripts/stats.sh $ARGUMENTS
+   fi
    ```
    参数说明：
    - 无参数：最近 7 天
    - 数字（如 30）：最近 N 天
    - `all`：全部历史
+   - `health`：最近 24 小时健康快照
+   - `health 72`：最近 72 小时健康快照
 
 2. 将统计结果展示给用户，如有异常（如拦截为 0 但使用了一段时间）提醒检查 hooks 配置是否正确

.github/workflows/ci.yml

@@ -121,6 +121,11 @@ jobs:
         shell: bash
         run: bash tests/test_setup.sh
 
+      - name: Hook health regression tests
+        if: runner.os != 'Windows'
+        shell: bash
+        run: bash tests/test_hook_health.sh
+
       - name: Guard unit tests
         if: runner.os != 'Windows'
         continue-on-error: true

CHANGELOG.md

@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+- Codex CLI hooks support: 4 hooks deployed via `~/.codex/hooks.json` with output format adapter (`hooks/run-hook-codex.sh`)
 - Guard message v2 format: OBSERVATION/FIX/DO NOT structure (`guards/`)
 - Baseline scanning: only report issues on newly added lines (`guards/`)
 - Test infrastructure protection rule W-12 (`guards/`)

README.md

@@ -148,6 +148,7 @@ Supports `// vibeguard:ignore` inline comments to skip specific lines.
 ```bash
 bash ~/vibeguard/scripts/quality-grader.sh          # Quality grade (A/B/C/D)
 bash ~/vibeguard/scripts/stats.sh                    # Hook trigger stats (7 days)
+bash ~/vibeguard/scripts/hook-health.sh 24           # Hook health snapshot (risk rate + top hooks + recent risks)
 bash ~/vibeguard/scripts/metrics-exporter.sh         # Prometheus metrics export
 bash ~/vibeguard/scripts/doc-freshness-check.sh      # Rule-guard coverage check
 ```

data/2026-04-01.json

@@ -0,0 +1,80 @@
+{
+  "date": "2026-04-01",
+  "mode": "fast",
+  "score": 87.7,
+  "grade": "B",
+  "layer1": {
+    "tp": 19,
+    "fp": 1,
+    "fn": 3,
+    "tn": 35,
+    "precision": 95.0,
+    "recall": 86.4,
+    "f1": 90.5,
+    "layer1_score": 87.7,
+    "by_hook": {
+      "analysis-paralysis-guard": {
+        "tp": 1,
+        "fp": 0,
+        "fn": 0,
+        "tn": 1
+      },
+      "git-pre-push": {
+        "tp": 2,
+        "fp": 0,
+        "fn": 0,
+        "tn": 2
+      },
+      "post-build-check": {
+        "tp": 1,
+        "fp": 0,
+        "fn": 0,
+        "tn": 5
+      },
+      "post-edit-guard": {
+        "tp": 4,
+        "fp": 1,
+        "fn": 0,
+        "tn": 6
+      },
+      "post-write-guard": {
+        "tp": 3,
+        "fp": 0,
+        "fn": 0,
+        "tn": 5
+      },
+      "pre-bash-guard": {
+        "tp": 5,
+        "fp": 0,
+        "fn": 0,
+        "tn": 9
+      },
+      "pre-commit-guard": {
+        "tp": 1,
+        "fp": 0,
+        "fn": 0,
+        "tn": 1
+      },
+      "pre-edit-guard": {
+        "tp": 2,
+        "fp": 0,
+        "fn": 0,
+        "tn": 1
+      },
+      "pre-write-guard": {
+        "tp": 0,
+        "fp": 0,
+        "fn": 3,
+        "tn": 5
+      }
+    },
+    "total_cases": 58
+  },
+  "layer2": {
+    "layer2_score": 0,
+    "sws": 0,
+    "fpr": 0,
+    "detection_rate": 0,
+    "total_samples": 0
+  }
+}

guards/rust/check_unwrap_in_prod.sh

@@ -40,16 +40,54 @@ if [[ -n "${VIBEGUARD_STAGED_FILES:-}" ]] && [[ -f "${VIBEGUARD_STAGED_FILES}" ]
         # Save diff to a temp file so we can re-read it on Python failure.
         _diff_tmp=$(create_tmpfile)
         git diff --cached -U0 -- "${f}" 2>/dev/null > "${_diff_tmp}"
-        if ! python3 -c "
+        # Write Python script to temp file to avoid bash escaping issues with regex
+        _diff_py=$(create_tmpfile)
+        cat > "${_diff_py}" << 'DIFFPYEOF'
 import sys, re
+
 fname = sys.argv[1]
-# \.(unwrap\(|expect\() matches .unwrap( and .expect( but NOT .unwrap_or*(
-# because after 'unwrap' the next char must be '(' not '_'.
-# Using safe_pat + 'not safe_pat.search()' would exclude lines that have both
-# .expect('msg') and .unwrap_or_default() chained, causing false negatives.
 danger_pat  = re.compile(r'\.(unwrap\(|expect\()')
 comment_pat = re.compile(r'^\s*//')
 hunk_pat    = re.compile(r'^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@')
+_ITEM_KW    = re.compile(r'\b(mod|fn|impl|struct|enum|type|trait)\b')
+
+# --- Build test_lines set from original file (reuse standalone logic) ---
+def _count_braces(s):
+    s = re.sub(r'"(?:[^"\\]|\\.)*"', '', s)
+    s = re.sub(r"'(?:[^'\\\\]|\\\\.)*'", '', s)
+    s = re.sub(r'//.*$', '', s)
+    return s.count('{') - s.count('}')
+
+test_lines = set()
+try:
+    with open(fname) as _src:
+        _all = _src.readlines()
+    _pending = False; _in_mod = False; _depth = 0
+    for _i, _ln in enumerate(_all, 1):
+        _s = _ln.strip()
+        if _s.startswith('#[cfg(test)]'):
+            test_lines.add(_i)
+            if _ITEM_KW.search(_s[len('#[cfg(test)]'):]):
+                _in_mod = True; _depth = _count_braces(_s)
+                if _depth <= 0: _in_mod = False
+            else:
+                _pending = True
+            continue
+        if _pending:
+            if _s.startswith('#['):
+                test_lines.add(_i); continue
+            _pending = False
+            if _ITEM_KW.search(_s):
+                _in_mod = True; _depth = _count_braces(_s); test_lines.add(_i)
+                if _depth <= 0: _in_mod = False
+            continue
+        if _in_mod:
+            test_lines.add(_i); _depth += _count_braces(_s)
+            if _depth <= 0: _in_mod = False
+except Exception:
+    pass
+
+# --- Scan diff lines, skip test_lines ---
 current_line = 0
 for raw in sys.stdin:
     line = raw.rstrip('\n')
@@ -61,12 +99,15 @@ for raw in sys.stdin:
         continue
     if line.startswith('+'):
         current_line += 1
+        if current_line in test_lines:
+            continue
         content = line[1:]
         if danger_pat.search(content) and not comment_pat.match(content):
             print('[RS-03] ' + fname + ':' + str(current_line) + ' ' + line)
     elif not line.startswith('-'):
         current_line += 1
-" "${f}" < "${_diff_tmp}" 2>/dev/null; then
+DIFFPYEOF
+        if ! python3 "${_diff_py}" "${f}" < "${_diff_tmp}" 2>/dev/null; then
           echo "[RS-03] WARN: python3 解析失败 ${f}，使用 grep fallback" >&2
           <"${_diff_tmp}" grep '^+' \
             | grep -v '^+++' \

hooks/post-edit-guard.sh

@@ -106,7 +106,7 @@ case "$FILE_PATH" in
         # CLI 项目允许 console，跳过（bin 字段 / src/cli.* / scripts 含 cli）
         _PKG_DIR=$(dirname "$FILE_PATH")
         _IS_CLI=false
-        while [[ "$_PKG_DIR" != "/" ]]; do
+        while [[ "$_PKG_DIR" != "/" && "$_PKG_DIR" != "." ]]; do
           if [[ -f "$_PKG_DIR/package.json" ]]; then
             grep -qE '"bin"' "$_PKG_DIR/package.json" 2>/dev/null && _IS_CLI=true
             grep -qE '"[^"]*":\s*"[^"]*cli[^"]*"' "$_PKG_DIR/package.json" 2>/dev/null && _IS_CLI=true

scripts/CLAUDE.md

@@ -17,6 +17,7 @@ VibeGuard 工具脚本，提供统计、合规检查、指标收集等功能。
 | `gc/gc-scheduled.sh` | 定期 GC + 学习 + 反思：日志归档、worktree 清理、metrics 清理、跨会话学习信号检测、会话质量反思报告 |
 | `project-init.sh` | 项目级脚手架：检测语言/框架 → 列出激活守卫/规则 → 生成 CLAUDE.md 片段建议，并安装 pre-commit/pre-push hook |
 | `quality-grader.sh` | 质量等级评分：从 events.jsonl 计算 A/B/C/D 等级，推荐 GC 频率 |
+| `hook-health.sh` | Hook 健康快照：最近 N 小时风险率、Top 风险 hook、最近风险事件 Top 10 |
 | `verify/doc-freshness-check.sh` | 文档新鲜度：交叉比对 rules/ 和 guards/ 的规则 ID 覆盖度 |
 | `log-capability-change.sh` | 能力进化日志：从 git log 提取守卫/规则/Skill 变更时间线 |
 | `constraint-recommender.py` | 约束推荐器：基于项目语言/框架自动生成 preflight 约束初稿 |
@@ -35,4 +36,5 @@ VibeGuard 工具脚本，提供统计、合规检查、指标收集等功能。
 bash scripts/stats.sh          # 最近 7 天统计
 bash scripts/stats.sh 30       # 最近 30 天
 bash scripts/stats.sh all      # 全部历史
+bash scripts/hook-health.sh 24 # 最近 24 小时健康快照
 ```

scripts/hook-health.sh

@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+# VibeGuard Hook Health Snapshot
+# 读取 events.jsonl，输出最近 N 小时的健康快照。
+#
+# 用法：
+#   bash scripts/hook-health.sh        # 最近 24 小时
+#   bash scripts/hook-health.sh 72     # 最近 72 小时
+
+set -euo pipefail
+
+HOURS="${1:-24}"
+LOG_FILE="${VIBEGUARD_LOG_DIR:-${HOME}/.vibeguard}/events.jsonl"
+
+if ! [[ "${HOURS}" =~ ^[0-9]+$ ]] || [[ "${HOURS}" -le 0 ]]; then
+  echo "参数必须是正整数小时数，例如: 24"
+  exit 1
+fi
+
+if [[ ! -f "${LOG_FILE}" ]]; then
+  echo "没有日志数据。hooks 触发后会自动记录到 ${LOG_FILE}"
+  exit 0
+fi
+
+VG_HOURS="${HOURS}" VG_LOG_FILE="${LOG_FILE}" python3 - <<'PY'
+import json
+import os
+import sys
+from collections import Counter
+from datetime import datetime, timedelta, timezone
+
+
+def parse_ts(ts: str):
+    if not ts:
+        return None
+    try:
+        return datetime.fromisoformat(ts.replace("Z", "+00:00"))
+    except ValueError:
+        return None
+
+
+hours = int(os.environ["VG_HOURS"])
+log_file = os.environ["VG_LOG_FILE"]
+now = datetime.now(timezone.utc)
+cutoff = now - timedelta(hours=hours)
+
+events = []
+with open(log_file, "r", encoding="utf-8") as f:
+    for line in f:
+        line = line.strip()
+        if not line:
+            continue
+        try:
+            event = json.loads(line)
+        except json.JSONDecodeError:
+            continue
+        event_ts = parse_ts(event.get("ts", ""))
+        if event_ts is None:
+            continue
+        if event_ts >= cutoff:
+            event["_parsed_ts"] = event_ts
+            events.append(event)
+
+if not events:
+    print(f"最近 {hours} 小时没有日志数据。")
+    sys.exit(0)
+
+events.sort(key=lambda e: e["_parsed_ts"])
+total = len(events)
+by_decision = Counter(e.get("decision", "unknown") for e in events)
+pass_count = by_decision.get("pass", 0)
+risk_count = total - pass_count
+risk_rate = (risk_count / total * 100) if total else 0.0
+
+first_ts = events[0].get("ts", "?")
+last_ts = events[-1].get("ts", "?")
+
+print(f"VibeGuard Hook Health (最近 {hours} 小时)")
+print("=" * 44)
+print(f"时间范围: {first_ts} ~ {last_ts}")
+print(f"总触发: {total}")
+print(f"通过(pass): {pass_count}")
+print(f"风险(非 pass): {risk_count}")
+print(f"风险率: {risk_rate:.1f}%")
+print(f"  block: {by_decision.get('block', 0)}")
+print(f"  gate: {by_decision.get('gate', 0)}")
+print(f"  warn: {by_decision.get('warn', 0)}")
+print(f"  escalate: {by_decision.get('escalate', 0)}")
+print(f"  correction: {by_decision.get('correction', 0)}")
+
+non_pass_events = [e for e in events if e.get("decision") != "pass"]
+if non_pass_events:
+    top_non_pass_hooks = Counter(e.get("hook", "unknown") for e in non_pass_events)
+    print("\n风险 Hook Top 5:")
+    for hook, count in top_non_pass_hooks.most_common(5):
+        print(f"  {hook}: {count}")
+
+    print("\n最近风险事件 Top 10:")
+    for i, event in enumerate(reversed(non_pass_events[-10:]), start=1):
+        ts = event.get("ts", "?")
+        session = event.get("session", "?")
+        hook = event.get("hook", "unknown")
+        decision = event.get("decision", "unknown")
+        reason = (event.get("reason") or "").replace("\n", " ").strip()
+        detail = (event.get("detail") or "").replace("\n", " ").strip()
+        if len(reason) > 100:
+            reason = reason[:97] + "..."
+        if len(detail) > 100:
+            detail = detail[:97] + "..."
+        print(f"  {i}. {ts} | {hook} | {decision} | session={session}")
+        if reason:
+            print(f"     reason: {reason}")
+        if detail:
+            print(f"     detail: {detail}")
+
+print()
+PY