Add Claude Code session start hook to install bazel and ibazel (#1013)

Author: statik

.claude/hooks/session-start.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+set -euo pipefail
+
+# Only run in remote (Claude Code on the web) environments
+if [ "${CLAUDE_CODE_REMOTE:-}" != "true" ]; then
+  exit 0
+fi
+
+INSTALL_DIR="/usr/local/bin"
+PROJECT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+DISTDIR="${PROJECT_DIR}/.bazel-distdir"
+
+mkdir -p "$DISTDIR"
+
+# Install Bazelisk (provides the `bazel` command)
+if ! command -v bazel &>/dev/null; then
+  echo "Installing Bazelisk..."
+  BAZELISK_VERSION="v1.25.0"
+  curl -fsSL "https://github.com/bazelbuild/bazelisk/releases/download/${BAZELISK_VERSION}/bazelisk-linux-amd64" \
+    -o "${INSTALL_DIR}/bazel"
+  chmod +x "${INSTALL_DIR}/bazel"
+  echo "Bazelisk installed successfully"
+fi
+
+# Install ibazel (incremental Bazel)
+if ! command -v ibazel &>/dev/null; then
+  echo "Installing ibazel..."
+  IBAZEL_VERSION="v0.25.3"
+  curl -fsSL "https://github.com/bazelbuild/bazel-watcher/releases/download/${IBAZEL_VERSION}/ibazel_linux_amd64" \
+    -o "${INSTALL_DIR}/ibazel"
+  chmod +x "${INSTALL_DIR}/ibazel"
+  echo "ibazel installed successfully"
+fi
+
+# Create custom Java truststore for Bazel's embedded JDK
+# The remote environment uses a TLS-inspecting proxy whose CA is in the system
+# trust store but not in Bazel's embedded JDK truststore.
+CUSTOM_CACERTS="${DISTDIR}/cacerts"
+PROXY_CA="/usr/local/share/ca-certificates/swp-ca-production.crt"
+
+if [ ! -f "$CUSTOM_CACERTS" ] && [ -f "$PROXY_CA" ]; then
+  echo "Creating custom truststore with proxy CA..."
+
+  # Prime Bazel installation to get its embedded JDK
+  bazel version >/dev/null 2>&1
+
+  BAZEL_INSTALL="$(bazel info install_base 2>/dev/null)"
+  BAZEL_CACERTS="${BAZEL_INSTALL}/embedded_tools/jdk/lib/security/cacerts"
+
+  if [ -f "$BAZEL_CACERTS" ]; then
+    cp "$BAZEL_CACERTS" "$CUSTOM_CACERTS"
+    keytool -importcert -keystore "$CUSTOM_CACERTS" -storepass changeit \
+      -noprompt -alias "anthropic-proxy-ca" -file "$PROXY_CA" >/dev/null 2>&1
+    echo "Custom truststore created with proxy CA"
+  fi
+fi
+
+# Generate user.bazelrc for the remote proxy environment
+# - Disable Bzlmod (this project uses WORKSPACE, not MODULE.bazel)
+# - Use distdir for pre-downloaded dependencies
+# - Enable proxy auth for JDK HTTPS tunneling
+# - Use custom truststore with proxy's TLS inspection CA
+BAZELRC="${PROJECT_DIR}/user.bazelrc"
+if [ ! -f "$BAZELRC" ]; then
+  cat > "$BAZELRC" << EOF
+# Auto-generated by Claude Code session-start hook for remote environments
+# This file is gitignored - see .bazelrc try-import
+common --noenable_bzlmod
+build --distdir=.bazel-distdir
+fetch --distdir=.bazel-distdir
+query --distdir=.bazel-distdir
+
+# Enable proxy auth for HTTPS tunneling (disabled by default in JDK)
+startup --host_jvm_args=-Djdk.http.auth.tunneling.disabledSchemes=
+startup --host_jvm_args=-Djdk.http.auth.proxying.disabledSchemes=
+
+# Use custom truststore that includes the proxy's TLS inspection CA
+startup --host_jvm_args=-Djavax.net.ssl.trustStore=${DISTDIR}/cacerts
+startup --host_jvm_args=-Djavax.net.ssl.trustStorePassword=changeit
+EOF
+  echo "Created user.bazelrc with proxy-friendly settings"
+fi
+
+# Pre-download Bazel WORKSPACE dependencies into distdir
+"${PROJECT_DIR}/scripts/bazel_fetch_deps.sh"
+
+echo "Session startup complete: bazel and ibazel are available"

.claude/settings.json

@@ -0,0 +1,14 @@
+{
+  "hooks": {
+    "SessionStart": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/session-start.sh"
+          }
+        ]
+      }
+    ]
+  }
+}

.gitignore

@@ -5,6 +5,7 @@ bazel-out
 bazel-testlogs
 bazel-workspace
 user.bazelrc
+.bazel-distdir
 bdist
 dist
 .vscode/

.golangci.yml

@@ -12,7 +12,6 @@ linters:
     - gochecknoinits
     - gocyclo
     - godox
-    - modernize
     - musttag
     - noctx
     - noinlineerr

scripts/bazel_fetch_deps.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+# Pre-download Bazel dependencies using curl (which properly handles proxy auth)
+# This populates --distdir so Bazel doesn't need to download through proxy
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+WORKSPACE_DIR="$(dirname "$SCRIPT_DIR")"
+DISTDIR="${WORKSPACE_DIR}/.bazel-distdir"
+
+mkdir -p "$DISTDIR"
+
+echo "Downloading Bazel dependencies to $DISTDIR..."
+echo "Using proxy: ${HTTP_PROXY:-none}"
+
+# Extract download URLs from WORKSPACE
+# Format: urls = ["https://..."]
+URLS=$(grep -oE 'https://[^"]+\.(tar\.gz|zip)' "$WORKSPACE_DIR/WORKSPACE" | sort -u)
+
+# Resolve Starlark format strings like {0} by extracting version variables
+buildtools_version=$(grep -oP 'buildtools_version = "\K[^"]+' "$WORKSPACE_DIR/WORKSPACE" || true)
+if [ -n "$buildtools_version" ]; then
+  URLS="${URLS//\{0\}/$buildtools_version}"
+fi
+
+downloaded=0
+skipped=0
+failed=0
+
+while IFS= read -r url; do
+  if [ -z "$url" ]; then
+    continue
+  fi
+
+  # Skip URLs that still contain unresolved format strings
+  if [[ "$url" == *"{"* ]]; then
+    echo "⚠ Skipping unresolved URL: $url"
+    failed=$((failed + 1))
+    continue
+  fi
+
+  filename=$(basename "$url")
+  output_file="$DISTDIR/$filename"
+
+  if [ -f "$output_file" ]; then
+    echo "✓ Already have: $filename"
+    skipped=$((skipped + 1))
+    continue
+  fi
+
+  echo "Downloading: $filename"
+  if curl -f -L --retry 3 -o "$output_file.tmp" "$url" 2>/dev/null; then
+    mv "$output_file.tmp" "$output_file"
+    echo "✓ Downloaded: $filename"
+    downloaded=$((downloaded + 1))
+  else
+    echo "✗ Failed: $filename"
+    rm -f "$output_file.tmp"
+    failed=$((failed + 1))
+  fi
+done <<< "$URLS"
+
+echo ""
+echo "Summary:"
+echo "  Downloaded: $downloaded"
+echo "  Skipped (cached): $skipped"
+echo "  Failed: $failed"
+echo "  Location: $DISTDIR"
+echo ""
+if [ "$failed" -eq 0 ]; then
+  echo "✓ All dependencies downloaded successfully!"
+  exit 0
+else
+  echo "⚠ Some downloads failed. Bazel may still work with cached/distdir files."
+  exit 0  # Don't fail the script, downloads may be optional
+fi