feat(hook): orient hook script + setup docs (CLA-105)

[JuzzyDee]

Summary

Adds the SessionStart/PreCompact hook that defeats the bootstrap-failure pattern at the structural level. Fresh Claude Code instances no longer have to decide whether to call recall_orient before evaluating tools — the orientation payload arrives in their context before any tool evaluation fires.

• scripts/oneiro-orient.sh — POSIX bash. Exits 0 silently on any failure (missing config, unreachable worker, auth rejection). A misconfigured hook will never break a session. Auth from ONEIRO_ORIENT_TOKEN env first, then macOS keychain (oneiro-orient service name) as the persistent no-env-leakage default.
• README — new "Install the orient hook" subsection under Quick Start documenting both auth options (keychain recommended) and the settings.json snippet.

Settings.json wiring is per-user local config and intentionally outside this commit. The README has the snippet; install via the update-config skill or a manual edit.

Why

Per CLA-103 context: fresh instances often don't surface or call recall_orient before evaluating tools. Even when they do, the SKILL.md instruction loses against the system prompt's auto-memory section, which gives instances a competing prescription before they ever read the skill. The hook converts SKILL.md from a hopeful prescription into a structural guarantee — orientation is in scope before any heuristic gate fires.

Test plan

• Pipe-test the script with missing config: silent no-op, exit 0
• End-to-end smoke: orientation payload returns from the deployed worker with a new service key over the curl path
• Open a new Claude Code session: confirm orientation arrives in context before the first user message
• After /compact: confirm orientation re-injects

Linked tickets

• CLA-105 (this PR), blocked by CLA-103 (merged)
• Unblocks the "automatic on Claude Code" claim made by CLA-104

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation

  • Added a guide for installing and configuring the orient hook for Claude Code: non‑OAuth service API key setup, Cloudflare secret storage, JSON wiring for session hooks, macOS keychain vs environment variable auth, and fail‑safe behavior so orientation errors won't disrupt sessions.

• New Features

  • Added a Claude Code orient hook that performs authenticated orientation calls and gracefully skips on failure.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: c293590e-8999-46fb-8fd8-f4b33f9ca6d7

📥 Commits

Reviewing files that changed from the base of the PR and between 6c8299b and 16b4aaf.

📒 Files selected for processing (1)

• scripts/oneiro-orient.sh

💤 Files with no reviewable changes (1)

• scripts/oneiro-orient.sh

---

📝 Walkthrough

Walkthrough

This PR adds an orientation hook for Claude Code sessions: a Bash script that fetches orientation context from a worker endpoint using a token from environment or macOS keychain, and README docs showing how to wire and authenticate the hook; failures exit silently so sessions continue.

Changes

Orient Hook Integration

Layer / File(s)	Summary
Orient hook script implementation and behavior scripts/oneiro-orient.sh	Adds oneiro-orient.sh: header comments and runtime checks, resolves TOKEN from ONEIRO_ORIENT_TOKEN or macOS keychain, validates ONEIRO_WORKER_URL, calls ${ONEIRO_WORKER_URL%/}/orientation with Authorization: Bearer TOKEN via curl --silent --fail --max-time 10, prints response on success, and exits 0 with no stdout on any missing config or fetch failure.
Documentation: orient-hook setup README.md	Expanded README with service API key guidance, Cloudflare secret usage, and Claude Code SessionStart/PreCompact hook wiring to run scripts/oneiro-orient.sh, plus auth options (macOS keychain or env var) and note that hook/script failures won't break sessions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A rabbit scripts with gentle care,
Fetching keys from here and there,
It taps the worker, waits to see,
If silence falls, it lets things be. 🐰

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: adding a hook script (orient hook script) and documentation (setup docs), matching the core changeset of scripts/oneiro-orient.sh and README additions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch juzzydee/cla-105-orient-hook-auto-inject-orientation-on-sessionstart-and

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

scripts/oneiro-orient.sh (1)

44-50: 💤 Low value

Consider removing the redundant --show-error flag.

The --show-error flag on line 47 displays error messages even with --silent, but stderr is redirected to /dev/null on line 49, so error messages are suppressed anyway. The flag has no effect in this configuration.

♻️ Proposed simplification

-curl --silent --fail --show-error --max-time 10 \
+curl --silent --fail --max-time 10 \
     --header "Authorization: Bearer ${TOKEN}" \
     "${WORKER_URL%/}/orientation" 2>/dev/null \
     || exit 0

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/oneiro-orient.sh` around lines 44 - 50, The curl invocation building
the orientation request includes --show-error but stderr is redirected to
/dev/null, making that flag redundant; update the curl command in the script
(the curl ... "${WORKER_URL%/}/orientation" invocation) to either remove
--show-error or stop redirecting stderr so the flag has an effect—preferably
remove the --show-error token from the curl arguments to simplify the command.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Around line 67-80: Add a short subsection before "Install the orient hook"
that shows how to create and use service API keys: instruct users to generate a
random plaintext key (e.g., with openssl rand -base64 32), explain that this
plaintext key is what the hook expects in ONEIRO_ORIENT_TOKEN or the macOS
keychain entry, and show how to derive the hashed entry for ONEIRO_API_KEYS
(mention using an argon2 hashing tool or the repository's provided hash script
to produce semicolon-separated role:argon2-hash entries for wrangler secret put
ONEIRO_API_KEYS); finally, briefly clarify the difference between OAuth tokens
(used by interactive clients) and these service keys (used by non-interactive
hooks and workers) so readers understand which credential goes where.
- Around line 67-72: Add a brief platform note after the "Option A — macOS
keychain (recommended; no env leakage)" block clarifying that the `security`
command is macOS-only and that Linux/Windows users should use "Option B"
(environment variables) as the cross-platform alternative; reference the
"security" command and the Option A/Option B headings so the note is inserted
immediately after the Option A code block.

In `@scripts/oneiro-orient.sh`:
- Around line 36-42: The keychain lookup for TOKEN uses security
find-generic-password without specifying the account, which can return the wrong
entry; update the security invocation used to populate TOKEN (the command
substitution that assigns TOKEN when command -v security succeeds) to include
the account flag (-a "$USER") so it matches the documented keychain entry and
ensures the correct credential is retrieved.

---

Nitpick comments:
In `@scripts/oneiro-orient.sh`:
- Around line 44-50: The curl invocation building the orientation request
includes --show-error but stderr is redirected to /dev/null, making that flag
redundant; update the curl command in the script (the curl ...
"${WORKER_URL%/}/orientation" invocation) to either remove --show-error or stop
redirecting stderr so the flag has an effect—preferably remove the --show-error
token from the curl arguments to simplify the command.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 370068d9-7c6f-44a9-88dd-cc14e058312c

📥 Commits

Reviewing files that changed from the base of the PR and between d496e03 and 14efc9b.

📒 Files selected for processing (2)

• README.md
• scripts/oneiro-orient.sh

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/oneiro-orient.sh`:
- Around line 40-42: The script fails under set -u because the USER expansion in
the security keychain lookup is unguarded; change the invocation that uses -a
"$USER" to use a safe default (e.g., -a "${USER:-}") so the expansion never
triggers an unbound-variable error and the TOKEN lookup still silently returns
empty on failure; update the line using TOKEN, ONEIRO_ORIENT_TOKEN and the
security command to use the guarded ${USER:-} expansion to preserve the silent
no-op / exit-0 behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: f708e11c-c999-4e69-bd45-16d257efeb60

📥 Commits

Reviewing files that changed from the base of the PR and between 14efc9b and ccfce00.

📒 Files selected for processing (2)

• README.md
• scripts/oneiro-orient.sh

✅ Files skipped from review due to trivial changes (1)

• README.md

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/oneiro-orient.sh`:
- Around line 41-45: The script contains an extra unmatched "fi" that causes a
syntax error; locate the conditional block that checks TOKEN and calls the
security command (the lines using TOKEN, command -v security, and security
find-generic-password) and remove the stray "fi" that immediately follows that
block so the if..then..fi structure is balanced (leave the final "[ -z
\"$TOKEN\" ] && exit 0" check intact).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 53bbba62-dfcc-4b80-8d0a-fcba561ba66c

📥 Commits

Reviewing files that changed from the base of the PR and between ccfce00 and 6c8299b.

📒 Files selected for processing (1)

• scripts/oneiro-orient.sh