Experiment Memory peon-notify

A ShellCheck + custom grep linter pass on all peon-notify hook scripts will find at least 3 additional arithmetic trap instances beyond the known peon-health.sh fix, and integrating it into the pre-commit hook will prevent future regressions

Tags: bash, linting, hooks, ops

Result: pending

Changelog

Date         Summary
2026-04-06   Audited: chain updated (iteration 4, chain_next set), domain tag ops, last_audited stamped
2026-04-04   Initial creation

Hypothesis

We bet that the ((var++)) arithmetic trap found in peon-health.sh is not isolated. A standalone (( expr )) command returns exit status 1 whenever expr evaluates to 0, and under set -e a simple command returning non-zero terminates the script: ((n++)) is a post-increment, so it evaluates to the old value of n and returns 1 exactly when n is 0, i.e. on the very first increment of a fresh counter. PeonNotify has 14+ hook scripts totaling 33KB+, all using set -euo pipefail. A single missed ((var++)) in a critical hook can kill the entire peon dispatch loop with no error message. The hypothesis is that a systematic audit using ShellCheck plus custom grep patterns will find at least 3 additional vulnerable arithmetic expressions, and that wiring the scanner into a pre-commit hook will stop new ones from being introduced without requiring developers to memorize the edge case.

Method

  1. Inventory: list all .sh files in ~/.claude/hooks/ with their set -e status and line counts
  2. Pattern scan: grep for the 4 vulnerable patterns, each a standalone (( )) command whose value can be 0:
    • ((.*++)) and ((.*--)) (post-increment/decrement, which yield the old value)
    • (( RANDOM .*)) outside if/|| context
    • (( ${#.*} .* 0 )) outside if/|| context
    • (( .* == 0 )) outside if/|| context
  3. ShellCheck baseline: run shellcheck -S warning on all scripts, categorize findings by severity
  4. Fix vulnerable patterns: convert ((var++)) to (( ++var )) or (( var += 1 )) where the counter only ever moves away from zero (both forms still return status 1 when the new value is 0, so a counter that can be incremented from -1 or decremented to 0 needs var=$((var + 1)) or an explicit || true); wrap standalone comparisons in if blocks
  5. Pre-commit integration: add a .pre-commit-config.yaml entry that runs the pattern scan on staged .sh files
  6. Validation: introduce a deliberately vulnerable pattern in a test script, confirm the pre-commit hook catches it
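The scanner from steps 2 and 4, the trap it hunts for reproduced under bash -e, and a constructed sample hook to run it on, as an added example written for this note rather than code from peon-notify; the script name, the --scan flag, the guard heuristic and the sample hook are all assumptions:

```bash
#!/usr/bin/env bash
# Added example (not peon-notify's code): a minimal scanner for the four
# arithmetic-trap patterns from the Method, a reproduction of the trap under
# bash -e, and a constructed sample hook to run it on. The --scan entry point,
# the guard heuristic and the sample are hypothetical; adapt to the repo.
set -uo pipefail   # no -e here: the trap is demonstrated in child shells below

# Each pattern is a standalone (( ... )) command whose value can be 0. Under
# set -e a zero-valued (( )) returns status 1 and terminates the script.
# `(^|[^$])` excludes $(( ... )) arithmetic expansions, which never exit.
ARITH_TRAP_PATTERNS=(
  '(^|[^$])\(\([[:space:]]*[A-Za-z_][A-Za-z0-9_]*(\+\+|--)[[:space:]]*\)\)' # ((n++)), ((n--))
  '(^|[^$])\(\([[:space:]]*RANDOM[^)]*\)\)'                                 # (( RANDOM % 2 ))
  '(^|[^$])\(\([[:space:]]*\$\{#[^}]*\}[^)]*\)\)'                           # (( ${#arr[@]} > 0 ))
  '(^|[^$])\(\([^)]*==[[:space:]]*0[[:space:]]*\)\)'                        # (( x == 0 ))
)
# Lines to skip: comments, if/elif/while/until heads, and lines with an explicit
# || or && continuation such as `((n++)) || true` (a heuristic, not a parser).
GUARD_RE='^[[:space:]]*(#|(if|elif|while|until)[[:space:]])|\|\||&&'

# scan_arith_traps FILE...  prints file:line:text for each unguarded trap and
# returns 1 if any were found (so it can serve as a pre-commit entry), else 0.
scan_arith_traps() {
  local f n line pat hits=0
  for f in "$@"; do
    n=0
    while IFS= read -r line || [[ -n $line ]]; do
      n=$((n + 1))                          # the always-safe increment form
      [[ $line =~ $GUARD_RE ]] && continue
      for pat in "${ARITH_TRAP_PATTERNS[@]}"; do
        if [[ $line =~ $pat ]]; then
          printf '%s:%d:%s\n' "$f" "$n" "$line"
          hits=$((hits + 1))
          break
        fi
      done
    done < "$f"
  done
  return $(( hits > 0 ))
}

# count_arith_traps FILE...  prints the number of unguarded traps as an integer.
count_arith_traps() {
  local out
  out=$(scan_arith_traps "$@") || true      # status 1 means "found some", not an error here
  if [[ -z $out ]]; then echo 0; else printf '%s\n' "$out" | grep -c ''; fi
}

# run_under_errexit SNIPPET  runs SNIPPET in a child `bash -e` and prints
# "<exit status>|<output>", so the caller survives the child's exit.
run_under_errexit() {
  local out status
  out=$(bash -e -c "$1" 2>&1) && status=0 || status=$?
  printf '%s|%s' "$status" "$out"
}

# make_sample_hook PATH  writes a constructed hook script (not a real
# peon-notify hook) with three unguarded traps and three safe lookalikes.
make_sample_hook() {
  cat > "$1" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
count=0
retries=0
for _ in "$@"; do
  ((count++))                 # trap: post-increment yields 0 on the first pass
done
(( RANDOM % 2 ))              # trap: 0 half the time
(( ${#@} > 0 ))               # trap: 0 when called with no arguments
if (( count == 0 )); then     # safe: the zero result is consumed by `if`
  echo "nothing to do"
fi
(( retries++ )) || true       # safe: explicit fallback
x=$(( count == 0 ))           # safe: arithmetic expansion, not a command
echo "processed $count"
EOF
}

# Pre-commit entry point (hypothetical): `arith-trap-scan.sh --scan FILE...`;
# pre-commit appends the staged .sh files after the entry's own arguments.
if [[ ${1-} == --scan ]]; then
  shift
  scan_arith_traps "$@"
  exit
fi

# Demo on the constructed sample, then the trap and its fixes under bash -e.
sample=$(mktemp)
make_sample_hook "$sample"
printf 'unguarded traps in sample hook: %s\n' "$(count_arith_traps "$sample")"
scan_arith_traps "$sample" || printf 'linter verdict: FAIL (exit %d)\n' $?
printf '((n++)) with n=0       -> %s\n' "$(run_under_errexit 'n=0; ((n++)); echo "reached n=$n"')"
printf '(( ++n )) with n=-1    -> %s\n' "$(run_under_errexit 'n=-1; (( ++n )); echo "reached n=$n"')"
printf 'n=$((n + 1)) with n=0  -> %s\n' "$(run_under_errexit 'n=0; n=$((n + 1)); echo "reached n=$n"')"
rm -f "$sample"
```

Run without arguments it prints the three flagged lines of the sample (6, 8 and 9), leaves the if-guarded, || -guarded and $(( )) lookalikes alone, and shows that under bash -e both ((n++)) from 0 and (( ++n )) from -1 exit with status 1 before the echo, while n=$((n + 1)) does not. For step 5 the assumed wiring is a .pre-commit-config.yaml local hook with entry: ./scripts/arith-trap-scan.sh --scan, files: \.sh$ and language: script; the non-zero return from scan_arith_traps blocks the commit, and step 6's validation is the same call on a scratch file containing a single ((i++)).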

Results

Pending. Will measure:

  • Number of vulnerable patterns found across all hook scripts
  • ShellCheck finding distribution (error/warning/info)
  • Pre-commit hook detection rate (true positives / total introduced)

Findings

Pending.

Next Steps

If the audit finds significant issues, extract the linter as a standalone tool that can run in CI for any bash-heavy project. The pattern is general: any codebase using set -e bash scripts is vulnerable to the arithmetic-zero-exit trap. The scanner can also be added to the skills/audit-experiments.md quality gate as a pre-commit check for vault hook scripts. See experiments/peon-notify/2026-04-04-staged-retrieval-vault-search for the next peon-notify experiment.