
feat(#150): bootstrap-skill exemption + Bash-write coverage #152

Merged
atlas-apex merged 1 commit into me2resh:dev from atlas-apex:feature/GH-150-bootstrap-exempt-and-bash-write-coverage
May 3, 2026

@atlas-apex

Collaborator

Summary

Closes the legitimate-bypass case (#150) and the illegitimate-bypass case (#151) together so the ticket-first gate is coherent. Shipping either alone would leave a window where the framework is internally inconsistent — see AgDR-0011 for the full rationale.

Why bundled

The two issues are the same crack in the gate viewed from two sides:

Same shape as #147 / AgDR-0010 which bundled #145 + #146 for the same reason.

Closes me2resh/apexyard#150 only — #151 closed manually post-merge per the single-Closes-per-PR rule.

Testing

  • Unit tests on the bash-write detector: bash .claude/hooks/tests/test_detect_bash_write.sh → 32/32 passing. Covers each pattern in the matcher table (positive class), representative reads (negative class), target extraction (positive + documented misses), and the exact bypass attempt repro from [Bug] require-active-ticket.sh bypassable via Bash file writes (echo>, python -c, tee, sed -i, etc.) #151.
  • Integration tests on require-active-ticket.sh: bash .claude/hooks/tests/test_require_active_ticket_bash.sh → 12/12 passing. Covers Bash writes blocked w/o ticket, python3 -c "...write_text..." bypass closed, Bash reads pass through, path exemptions still work for Bash, bootstrap-marker exemption works for Edit and Bash, unknown / empty marker correctly falls through, and the legacy active-ticket path still works (regression).
  • No regressions in adjacent tests — ran the full .claude/hooks/tests/ suite. The two failing tests (test_single_closes_per_pr.sh, test_validate_pr_required_sections.sh) are pre-existing — they hardcode #113, which has since been CLOSED upstream, and the validator now refuses closed-issue refs. Worth a small follow-up to switch the tests to a synthetic open issue or mock gh.
  • Live verification — the hook chain successfully blocked an attempt to commit this PR's body on a fork where the referenced issues didn't exist (closing-keyword check), and accepted the fully-qualified me2resh/apexyard#NNN form. Confirms the existing verify-commit-refs.sh is doing its job and our changes don't interfere with it.

Glossary

| Term | Definition |
| --- | --- |
| Active-skill marker | .claude/session/active-bootstrap — a one-line file written by a bootstrap-class skill on entry, read by require-active-ticket.sh, removed by the skill on completion (or by the SessionStart sweep on the next session). The mechanism that lets /setup run before any tickets exist without disabling the ticket-first gate. |
| Bootstrap-class skill | A skill that runs before tracker tickets can exist for the work it's doing — /setup, /handover, /update, /split-portfolio. The list is configurable via ticket.bootstrap_skills in .claude/project-config.{defaults,}.json. |
| Bash-write bypass | The pre-fix failure mode where any Bash command that wrote to a file (echo > file, tee, sed -i, python -c '…write_text…', etc.) skipped the ticket-first gate because the hook was scoped to Edit\|Write\|MultiEdit only. Closed in this PR via _lib-detect-bash-write.sh + Bash-matcher wiring. |
| False-negatives preferred over false-positives | Design choice for the Bash-write matcher: if the matcher is uncertain, let the command through rather than block. Rationale: blocking a legitimate read-only command on a fresh-adopter test is worse for adoption than missing one obscure write pattern. The pattern table is a living list extended on observation. |
| Bootstrap-marker hygiene | The discipline around writing the marker on skill entry and removing it on completion. A skill that writes but doesn't clear leaves a stale exemption until the next session — caught by clear-bootstrap-marker.sh SessionStart sweep, but inside the same session, the operator-visible marker (cat .claude/session/active-bootstrap) is the only signal. |

🤖 Generated with Claude Code
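
A matcher for the Bash-write patterns the glossary names (redirection, tee, sed -i, python -c with write_text), written to fail open on anything it does not recognise. This is an added sketch, not part of the PR description and not the project's _lib-detect-bash-write.sh; the function name is_bash_write, the regexes and the sample commands are assumptions made for illustration.

```shell
#!/bin/sh
# Added sketch, not the project's _lib-detect-bash-write.sh.
# is_bash_write CMD: exit 0 when CMD matches a known file-write pattern, else 1.
# Anything the patterns do not recognise returns 1 (allow): false negatives
# are preferred over false positives.
is_bash_write() {
    cmd=$1
    # Drop quoted arguments so a '>' inside one (grep '>' f) is not a redirect.
    bare=$(printf '%s\n' "$cmd" | sed -e "s/'[^']*'//g" -e 's/"[^"]*"//g')
    # Drop redirects that create no file: fd duplication (2>&1) and /dev/null.
    bare=$(printf '%s\n' "$bare" | sed -E -e 's/[0-9]*>&[0-9-]+//g' \
        -e 's#[0-9]*>>?[[:space:]]*/dev/null##g')
    # 1. Redirection to a path: > f, >> f, 2> f
    if printf '%s\n' "$bare" | grep -Eq '>>?[[:space:]]*[^[:space:]&>|;]'; then
        return 0
    fi
    # 2. tee as a command word (start of line or after | ; &)
    if printf '%s\n' "$bare" | grep -Eq '(^|[|;&])[[:space:]]*tee([[:space:]]|$)'; then
        return 0
    fi
    # 3. sed with a short in-place flag (-i, -Ei, -i.bak) in the same pipeline stage
    if printf '%s\n' "$bare" |
        grep -Eq '(^|[|;&])[[:space:]]*sed[[:space:]]+([^|;&]*[[:space:]])?-[a-zA-Z]*i'; then
        return 0
    fi
    # 4. python -c whose inline code calls a write API (checked on the raw text,
    #    because the code itself is the quoted argument)
    if printf '%s\n' "$cmd" |
        grep -Eq '(^|[|;&])[[:space:]]*python[0-9.]*[[:space:]]+-c[[:space:]].*(write_text|write_bytes|\.write\()'; then
        return 0
    fi
    return 1
}

# Constructed sample commands (not taken from the project's test suite).
while IFS= read -r line; do
    if is_bash_write "$line"; then verdict=WRITE; else verdict=pass; fi
    printf '%-5s %s\n' "$verdict" "$line"
done <<'EOF'
echo hi > notes.md
python3 -c "from pathlib import Path; Path('x.txt').write_text('y')"
printf x | tee out.log
grep '>' src/main.py
make test > /dev/null 2>&1
EOF
```

Forms such as sudo tee, sed --in-place and >| are deliberate misses in this sketch and return 1, which is the fail-open behaviour the design choice describes.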
