# Hook-file existence guard (settings.json ↔ disk integrity) — MC #103640 # Hook-file existence guard (settings.json ↔ disk integrity) **Book:** System Architecture **Status:** Implemented + self-verified — MC #103640 (2026-06-15) **Commits:** `7408f0170` (restore 22 hooks, ~/.claude) · `8f7b8e602` (existence guard, ~/system) --- ## Incident that motivated this On 2026-06-15 the CEO flagged that "someone did stupid things with skills/hooks." Tool-forensics found `~/.claude/settings.json` registered **76 hook entries** while **22 of the referenced gate FILES did not exist on disk** (absent from `~/.claude`, `~/system`, and `~/backups`). Every tool call was invoking non-existent gates → **silently dead enforcement**. Root cause (per the CEO's own commit `568e9cee0` / MC #103627): a *"previous session had left a no-op stub"* — a prior session stubbed/deleted registered hooks. The files were never removed by a tracked commit (`git log --diff-filter=D` empty on the HEAD line); they lived only as working-tree files synced from `[BACKUP]` commits and vanished from disk. Missing gates included critical security/claim enforcers: `secret-scanner`, `git-author-guard`, `alai-claim-gate`, `evidence-contract-validator`, `pre-publish-claims-gate`, `john-determinism-gate`, `claim-auto-probe-gate`, +15. ## Why it went undetected `lint-hooks.sh` verified that REQUIRED hooks were **registered** in settings.json (correct event / matcher / ordering, via substring match) — but it never checked that each registered hook's **script file actually exists on disk**. The daily `com.john.hook-drift-detector-v2` runs `lint-hooks.sh`, so the same blind spot meant the daily drift detector also missed it. ## The fix 1. **Restore** — all 22 missing gate hooks restored from canonical git history (`5f7dc6ad5` MC#99730, `79f92e3f9` MC#99197, dated auto-backups) → commit `7408f0170`. Audit went **22 → 0 missing**. 2. **Guard (`lint-hooks.sh`)** — new EXISTENCE pass extracts every hook command's script path (`/Users/*` and `~/*` `.sh/.py/.js`) and verifies `os.path.exists`. Missing → `FAIL`, counted into the summary and `exit 2`. Because the daily drift detector already runs `lint-hooks.sh`, this is enforced daily with no new schedule. 3. **Boot surface (`boot.sh`)** — SessionStart "Hook integrity" check prints `EXISTENCE N present / N referenced` and lists any MISSING-on-disk files via `ok()/fail()`, so the CEO sees it at every boot. ## Verification - `bash -n lint-hooks.sh` / `bash -n boot.sh` → PASS. - Clean state: `EXISTENCE 46 hook file(s) present / 46 referenced`, 0 missing. - Regression: renamed `secret-scanner.sh` away → `FAIL [file-exists:secret-scanner.sh] MISSING ON DISK` + `exit 2`; file restored after test. - Closure passed restored gates live: `mc-ready-gate.sh` (evidence-json) → `evidence-contract-validator.sh` CONFIRMED → ZAKON #30 direct-probe gate. ## Known separate drift (out of scope, logged) `userprompt-cost-guard.sh` is not registered in `UserPromptSubmit` (a registration-drift, the inverse problem — file may exist but isn't wired). Surfaced by `lint-hooks.sh` as a pre-existing FAIL; tracked for follow-up.