fix: use readFile utility in hooks and add pattern type safety

- Replace raw fs.readFileSync with readFile() from utils in
  check-console-log.js and post-edit-console-warn.js to eliminate
  TOCTOU race conditions (file deleted between existsSync and read)
- Remove redundant existsSync in post-edit-format.js (exec already
  handles missing files via its catch block)
- Resolve path upfront in post-edit-typecheck.js before tsconfig walk
- Add type guard in getGitModifiedFiles() to skip non-string and
  empty patterns before regex compilation
Affaan Mustafa
2026-02-12 15:28:30 -08:00
parent 911d38f686
commit e7b5c62eb7
5 changed files with 14 additions and 9 deletions


@@ -14,7 +14,7 @@
*/
const fs = require('fs');
const { isGitRepo, getGitModifiedFiles, log } = require('../lib/utils');
const { isGitRepo, getGitModifiedFiles, readFile, log } = require('../lib/utils');
// Files where console.log is expected and should not trigger warnings
const EXCLUDED_PATTERNS = [
@@ -49,8 +49,8 @@ process.stdin.on('end', () => {
let hasConsole = false;
for (const file of files) {
const content = fs.readFileSync(file, 'utf8');
if (content.includes('console.log')) {
const content = readFile(file);
if (content && content.includes('console.log')) {
log(`[Hook] WARNING: console.log found in ${file}`);
hasConsole = true;
}
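Review bot: An unreadable file is now indistinguishable from a clean one in the loop of the second hunk, because `content && content.includes('console.log')` skips it without any message. Assuming readFile() returns null on failure (its body is not shown here), log the skip so the check does not pass silently, e.g. `if (content === null) { log('[Hook] skipped unreadable file: ' + file); continue; }`. The enclosing stdin 'end' handler starts and ends outside the hunk.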


@@ -10,6 +10,7 @@
*/
const fs = require('fs');
const { readFile } = require('../lib/utils');
const MAX_STDIN = 1024 * 1024; // 1MB limit
let data = '';
@@ -25,8 +26,9 @@ process.stdin.on('end', () => {
const input = JSON.parse(data);
const filePath = input.tool_input?.file_path;
if (filePath && /\.(ts|tsx|js|jsx)$/.test(filePath) && fs.existsSync(filePath)) {
const content = fs.readFileSync(filePath, 'utf8');
if (filePath && /\.(ts|tsx|js|jsx)$/.test(filePath)) {
const content = readFile(filePath);
if (!content) { console.log(data); return; }
const lines = content.split('\n');
const matches = [];
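Review bot: `const fs = require('fs');` may now be dead code in this file, since the only fs calls visible in the second hunk (existsSync and readFileSync) were replaced by readFile(). If nothing outside the hunks still uses it, drop the require; the same applies to the first file section on this page, whose readFileSync call was also removed. Separately, `!content` treats an empty file like a read failure, which is harmless here because both paths end in `console.log(data)`.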


@@ -25,14 +25,14 @@ process.stdin.on('end', () => {
const input = JSON.parse(data);
const filePath = input.tool_input?.file_path;
if (filePath && /\.(ts|tsx|js|jsx)$/.test(filePath) && fs.existsSync(filePath)) {
if (filePath && /\.(ts|tsx|js|jsx)$/.test(filePath)) {
try {
execFileSync('npx', ['prettier', '--write', filePath], {
stdio: ['pipe', 'pipe', 'pipe'],
timeout: 15000
});
} catch {
// Prettier not installed or failed — non-blocking
// Prettier not installed, file missing, or failed — non-blocking
}
}
} catch {
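Review bot: With the existsSync filter removed, any `file_path` string from the stdin JSON that ends in a matching extension is handed to `npx prettier` as an argument, including a value that begins with `-` and would be parsed as an option rather than a file name. Normalising the value first closes that off: `const target = path.resolve(filePath);` followed by `['prettier', '--write', target]`, provided `path` is required in this file (not visible in the hunk). The handler continues outside the hunk.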


@@ -27,9 +27,11 @@ process.stdin.on('end', () => {
const input = JSON.parse(data);
const filePath = input.tool_input?.file_path;
if (filePath && /\.(ts|tsx)$/.test(filePath) && fs.existsSync(filePath)) {
if (filePath && /\.(ts|tsx)$/.test(filePath)) {
const resolvedPath = path.resolve(filePath);
if (!fs.existsSync(resolvedPath)) { console.log(data); return; }
// Find nearest tsconfig.json by walking up (max 20 levels to prevent infinite loop)
let dir = path.dirname(path.resolve(filePath));
let dir = path.dirname(resolvedPath);
const root = path.parse(dir).root;
let depth = 0;
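Review bot: The new `fs.existsSync(resolvedPath)` guard is still a check-then-use, so the file can disappear between this line and the type check that follows outside the hunk; it is an early exit, not the TOCTOU removal the commit message describes for the other hooks. A comment would make that explicit: `// Early exit only; the tsc step below must still tolerate a missing file`. Whether the later code does tolerate it cannot be seen from this hunk.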


@@ -366,6 +366,7 @@ function getGitModifiedFiles(patterns = []) {
// Pre-compile patterns, skipping invalid ones
const compiled = [];
for (const pattern of patterns) {
if (typeof pattern !== 'string' || pattern.length === 0) continue;
try {
compiled.push(new RegExp(pattern));
} catch {
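Review bot: The new type guard also drops RegExp objects, which `new RegExp(pattern)` accepted before this change, so a caller passing a regex literal would now silently lose that pattern. If such callers exist (none are visible here), keep them working with `if (pattern instanceof RegExp) { compiled.push(pattern); continue; }` ahead of the guard, or state in the function's JSDoc that only non-empty strings are accepted. getGitModifiedFiles continues outside the hunk.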