Adds .claude/statusline.sh (reads context_window.used_percentage +
context_window_size straight from the statusLine JSON; green<70/yellow/red
bar) and wires it via .claude/settings.json statusLine. Committed in-repo so
it follows boma to any clone, matching how .claude/ already tracks hooks +
plugins.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Mechanical fix for the 4×-recurring execution-mode menu ask (kaizen 2026-06-10).
A Stop hook reads the transcript and, if the final assistant message presents the
"subagent-driven vs inline — which approach?" menu, blocks the turn and tells the
model to proceed subagent-driven (boma's standing preference). Fails open,
respects stop_hook_active (no loop), tight match signature (no false positives on
meta-discussion). Pipe-tested across 5 scenarios. Activates next session
(settings watcher only tracks files present at session start).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Reviewed the Claude Code config against boma's capabilities and committed a
reproducible, leaner toolchain:
- .claude/settings.json now declares extraKnownMarketplaces + enabledPlugins so a
fresh clone prompts to install the active set: superpowers, context7, terraform
(we use TF, ADR-006), claude-md-management (doc/ADR-heavy). Drops code-simplifier.
- Adds a conservative, read-only/verify permissions allowlist (git status/diff/log,
make lint/test/check, pytest, rbw unlocked, ls/cat/rg/find) — mutations and
outward/destructive commands stay gated, consistent with ADR-002.
- docs/runbooks/claude-code-setup.md: per-machine bootstrap, the deferred
enable-when plugins (security-guidance/semgrep, playwright, hookify, skill-creator),
rbw/venv prerequisites, and a note to keep the dangerous-mode prompt on.
Closes TODO 10.7. Plugin install remains a per-machine /plugin action (no native
auto-install).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Two project hooks (deny-only, fail open): block Write/Edit of generated
inventories/<env>/hosts.yml, and block git commit when the rbw vault agent is
locked. Both pipe-tested across all paths. Activate with a Claude Code restart
(the watcher only tracks settings.json present at session start).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
