state.sh used SESSION_FILE for session.json (global tracking data).
Both hook handlers override SESSION_FILE to sessions/<pgrp>.json for
per-session isolation. buddymon_session_reset() at session-stop end
was writing _version:1 data INTO sessions/<pgrp>.json, leaving stale
wrong-format session files that broke buddy lookup.
Fix: rename state.sh variable to SESSION_DATA_FILE — no more collision.
Also:
- Add matcher:'*' to SessionStart and Stop hooks (CC 2.x compatibility)
- Add dead-session GC to session-start.sh (cleans up orphaned PGRP files)
- Add 5 new privacy/security bug_monsters:
LeakWraith (uncommon) — exposed credentials
CipherNull (uncommon) — weak/broken crypto (MD5, ECB, rand() for secrets)
ConsentShadow (rare) — tracking/analytics without consent (CF flagship villain)
ThrottleDemon (common) — ignored 429s and missing backoff
PrivacyLich (legendary) — GDPR/CCPA/breach debt; unkillable, only containable
Claude Code plugin — collectible creatures discovered through coding.
- Bug monsters spawn from error output (NullWraith, RacePhantom, ShadowBit, 11 total)
- 5 Buddymon with affinities, challenges, and evolution chains
- SessionStart hook injects active buddy + challenge into system context
- PostToolUse hook detects error patterns, new languages, and commit events
- Stop hook tallies XP and checks challenge completion
- Single /buddymon command with start/assign/fight/catch/roster subcommands
- Local state in ~/.claude/buddymon/ (roster, encounters, active, session)
