schema_version: "0.1" req_id: "REQ-CM-003" ears_pattern: "unwanted" description: | Primary: REQ-CM-003 (unwanted) — IF caller marker env var is absent or holds unexpected value, THEN PreToolUse hook MUST return deny. Also covers REQ-CM-001 (event-driven verify) by exercising the hook's verification path, and REQ-CM-002 boundary via non-spec scenarios. Reference: rules.html §10.1, verification.html §3.3 REQ-VER-003. setup: env: {} fixtures: [] scenarios: - name: "marker unset → deny on spec file" given: env: {} file_path: "architecture/spec/rules.html" when: tool: "Edit" expect: exit_code: 2 stderr_contains: "folio caller marker check" - name: "marker correct → allow on spec file" given: env: FOLIO_ARCHITECT_CONTEXT: "folio-architect" file_path: "architecture/spec/rules.html" when: tool: "Edit" expect: exit_code: 0 - name: "marker wrong value → deny" given: env: FOLIO_ARCHITECT_CONTEXT: "random-tool" file_path: "architecture/spec/rules.html" when: tool: "Edit" expect: exit_code: 2 stderr_contains: "folio caller marker check" - name: "non-spec file → allow regardless of marker" given: env: {} file_path: "README.md" when: tool: "Edit" expect: exit_code: 0 - name: "Write tool on spec → deny when unset" given: env: {} file_path: "architecture/spec/new-spec.html" when: tool: "Write" expect: exit_code: 2 stderr_contains: "folio caller marker check" - name: "絶対 path 配下 spec + marker unset → deny (folio_under_spec_path 第2 branch lock-in)" # Claude Code は hook の file_path を絶対 path 化する (v2.1.84~)。 絶対 path でも # spec_path 配下と認識し gate を効かせること。 第2 branch *"/$2"* を削除すると # 絶対 path が配下と認識されず gate bypass (allow) になる security 回帰 → expect=2 で lock-in。 given: env: {} file_path: "/home/user/folio/architecture/spec/rules.html" when: tool: "Edit" expect: exit_code: 2 stderr_contains: "folio caller marker check" teardown: cleanup_files: []