fix(hooks): count X as active only when both AUTH_TOKEN and CT0 are set (#396)

[harjothkhara]

Summary

Addresses part 2 of #396. The SessionStart hook's N sources active line counted X as active whenever AUTH_TOKEN was set, even without CT0:

HAS_X="${ENV_AUTH_TOKEN:-${AUTH_TOKEN:-}}"

But X cookie search only works when both AUTH_TOKEN and CT0 are present — the pipeline gates on both (setup_wizard.py's x_method="cookies" branch, env.py), and --diagnose omits X from available_sources when CT0 is missing. So a half-configured X (auth_token only) was reported as a live source, inflating the count and telling users a dead source was active.

Changes

• hooks/scripts/check-config.sh — require both AUTH_TOKEN and CT0 for the X cookie path. The XAI API path (XAI_API_KEY) is unchanged.
• tests/test_last_run_state.py — 4 regression tests (auth_token-only → not counted, auth_token+ct0 → counted, ct0-only → not counted, xai-only → counted).

The post-research counter (lib/quality_nudge.py) is intentionally left as-is: it already corrects via the run's x_error signal, which the pre-run hook does not have, so credential presence is all the hook can rely on.

Before / after

With SETUP_COMPLETE=1 and AUTH_TOKEN set but no CT0:

	sources active
before	4 (X wrongly counted)
after	3 (HN + Polymarket + Reddit)

Adding CT0 then correctly bumps it to 4.

Testing

• uv run --python 3.13 --with pytest python -m pytest -q --ignore=tests/test_bird_x.py → all green. (test_bird_x.py fails on main too — unrelated local Node ESM issue.)
• bash -n hooks/scripts/check-config.sh → syntax OK.
• Manually ran the hook across all four credential combinations (auth-only, auth+ct0, ct0-only, xai-only) — counts match expectations.

Notes

This touches a different region of check-config.sh (source counting, ~line 118) than the in-flight exit-code PRs (#471/#430/#425) and the Windows-perms PR (#467), so it should merge without conflict.

Related Issues

Addresses #396 (part 2 — source counting). The template wording in part 1 no longer appears in SKILL.md/setup_wizard.py on current main.

[greptile-apps]

Greptile Summary

This PR fixes a source-counting bug in the SessionStart hook: X was counted as active whenever AUTH_TOKEN was set alone, even though the pipeline requires both AUTH_TOKEN and CT0 for cookie-based auth. The fix adds a proper two-variable gate, and four regression tests verify all credential combinations using a delta-based approach to handle variable environments.

• hooks/scripts/check-config.sh: Replaces the single HAS_X assignment with a two-variable check (HAS_X_AUTH + HAS_X_CT0), setting HAS_X=\"yes\" only when both are non-empty; the XAI_API_KEY path is unaffected.
• tests/test_last_run_state.py: Adds _hook_source_count helper and SourceCountTests with four cases (auth-only, auth+ct0, ct0-only, xai-only), comparing against a no-X baseline so the assertions hold whether or not yt-dlp is installed.

Confidence Score: 5/5

Safe to merge — the change is a narrowly scoped fix to a cosmetic counter with no impact on runtime data or authentication logic.

The shell change is minimal and self-contained: two new variable reads and a two-condition guard replace a single assignment. The XAI path and all other source counters are untouched. The four new tests exercise every credential combination using a delta approach that is robust to environment variation, and prior review feedback (context-manager cleanup, full env-var stripping) has been incorporated.

No files require special attention.

Important Files Changed

Filename	Overview
hooks/scripts/check-config.sh	Correctly gates HAS_X on both AUTH_TOKEN/CT0; the XAI path and source-count arithmetic are unchanged and correct.
tests/test_last_run_state.py	Adds four regression tests using TemporaryDirectory context manager and delta-based counting; strips all source-contributing env vars including BSKY_HANDLE and EXA_API_KEY, addressing previous review feedback.

_{Reviews (2): Last reviewed commit: "test(hooks): make X source-count tests e..." | Re-trigger Greptile}

[harjothkhara]

Thanks for the review — both points addressed in d7fbda1 (test-only; the check-config.sh fix is unchanged):

1. Environment-dependent counts. Good catch. Rather than just extend the strip list, I made the assertions delta-based: X's contribution = count(with X creds) − count(no-X baseline). Anything constant across the two runs — yt-dlp (which can't be stripped via env since it's PATH-detected), BSKY_HANDLE, EXA_API_KEY, SCRAPECREATORS — cancels, so the tests assert only the 0/1 that X itself adds. I also added BSKY_HANDLE/EXA_API_KEY to the strip list for clarity. Verified green under a hostile env (leaked BSKY_HANDLE/EXA_API_KEY/AUTH_TOKEN/CT0 + a stub yt-dlp on PATH) that broke the old hardcoded-count version.
2. Leaked temp dir. Switched from tempfile.mkdtemp() to a tempfile.TemporaryDirectory() context manager, matching the existing tests in this file.