Машина 3-C «Машина охвата A/B/C/D» собрана (TDD): coverage-machine.mjs —
A граф зависимостей (buildDependencyGraph/topoOrder/findHoles/decompositionGroups),
B реестр нужды↔решения (coverageRegistry: дыры+сироты), C requestsChecklist,
D ограничения как нужды (effectiveNeeds), хребет readinessChecklist (4 галочки + §).
Независимый верификатор охвата (рычаг E §6.3). 19 новых тестов, регрессия 2158 GREEN.
Add /^cd\s+app$/ to SAFE_EXACT so already-whitelisted commands (pest,
php artisan test) run from app/. Scope limited to the literal `app` dir:
cd into any other path (incl. protected .claude/runtime, memory/,
transcripts) stays default-deny, so the cwd-shift read-bypass is contained.
Mutations remain caught at the hard-blacklist + chain-mutating rule, and
each chain segment after `cd app &&` must still be independently whitelisted.
Owner-authorized, narrow scope = literal `app` only.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The Stream H wrapper shipped a deliberate no-op main() — the lock did nothing.
This wires it live: PreToolUse on a mutating tool acquires/refreshes the
workspace lock (blocks only when a DIFFERENT session holds a fresh, non-stale
lock); the Stop event releases it. Fail-open on any error so a lock bug can
never wedge the user out of their own session.
- runAcquireDecision({event,now,pid,cwd,readLock,writeLock}) — compose
acquire() + decide().
- runReleaseAction({event,cwd,readLock,deleteLock}) — release() if this
session owns the lock, no-op otherwise.
- live main(): branches on tool_name (present → acquire/refresh; absent/Stop
→ release); real fs binding via runtimeDir()/session-lock-<workspaceHash>.json.
Activation registers BOTH the PreToolUse (acquire) AND the Stop (release)
entries — the Stop wiring is mandatory; without it the lock is never released
and the next abnormal exit would lock the user out. Script:
.scratch/activate-point2-hooks.ps1 (also registers safe-baseline-metering +
runtime-write-deny per the point-2 plan).
Plan: docs/superpowers/plans/2026-05-30-router-gate-v4-stream-H.md Task 7.
Regression: parallel-session-lock 12/12 GREEN; full tools suite 1958 passed | 2 skipped.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The per-tool judge compares each mutating tool call against the classifier's
distilled task summary read from router-state. That summary is lossy and
frequently "(unknown)" even for a perfectly explicit user request — and with an
unknown task the judge has nothing to compare against, so "Сомнения → NO"
blocked every real edit. Reproduced repeatedly this session: an explicit
"реализуй ... main() ..." prompt still classified unknown → all edits blocked,
including the judge's own fix. Calibration 2 (allow on unknown) was rejected by
the owner as a discipline hole.
Calibration 4 (soft, scope-preserving): when — and only when — the classifier
summary is "(unknown)"/empty, fall back to judging against the user's actual
last prompt (the ground-truth request) instead of nothing. The judge still runs
and still blocks on doubt; it just uses better evidence. When the summary is
meaningful, behaviour is unchanged (the user-prompt reader is not consulted).
When both summary and prompt are unavailable, the task stays "(unknown)" and
doubt→block is preserved.
NOT calibration 2: this does not blindly allow on unknown — it re-grounds the
judge in the literal user request, which the controller cannot fabricate (the
user writes it; it is read locally from the session transcript).
- tools/llm-judge-per-tool.mjs: resolveEffectiveTask(declaredTask, lastUserPrompt).
- tools/enforce-llm-judge-per-tool.mjs: runPerTool reads the last user prompt
(helpers.lastUserPromptText + readTranscript) only on an unknown summary;
main() binds it.
Regression: judge tests 57/57 GREEN; full tools suite 1951 passed | 2 skipped.
The 6 remaining failures are uncommitted point-2 WIP in
enforce-parallel-session-lock.test.mjs — not part of this change, not committed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The Layer-4 per-tool judge over-blocked: it judged every Skill/Edit/Write/
Bash/Task against the declared task and blocked on doubt. A vague prompt
classifies as unknown/ambiguous, so the judge then blocked essentially all
artifact-producing tools — including the prescribed §17 skill entry and the
mandatory TDD test run — making legitimate, owner-mandated work impossible
and blocking its own fix (3 reproduced blocks this session).
Calibration 1 (scope fix, NOT a discipline drop): remove `Skill` from
MUTATING_TOOLS in tools/llm-judge-per-tool.mjs. Invoking a skill mutates no
state and is the §17-mandated entry into work; the real mutations it leads to
(Edit/Write/MultiEdit/Bash/PowerShell/Task/commit/push) stay fully judged.
Calibration 3 (scope fix, NOT a discipline drop): add isTestRunnerBashEvent to
tools/enforce-llm-judge-per-tool.mjs and skip it in runPerTool, mirroring the
existing readonly-Bash exemption. A test run (vitest/pest/phpunit/php artisan
test/composer test/npm test) only inspects + reports and is a mandatory TDD
step; commands chaining to a mutation (&& ; | backtick $() are NOT exempt.
doubt→block on real mutations against a known task is unchanged (covered by the
"mutating Bash (git commit) STILL judged" test). Calibration 2 (allow on
unknown task) was rejected by the owner as a discipline hole and not added.
Regression: vitest tools-only 1945 passed | 2 skipped (+18 calibration tests).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Closes design gap in v4 whitelist: dev commands (pest, composer test/pint/stan/insights/rector,
php artisan test/migrate variants/db:seed/cache:clear etc., vendor/bin/pest) were falling into
default-deny. That blocked sessions working on app/ code and pushed controllers toward override
phrases or requests to disable the defense.
Changes are surgical and do not weaken discipline defense:
- 4 new SAFE_EXACT regex entries for specific dev commands
- tinker EXCLUDED on purpose (REPL = arbitrary PHP exec risk)
- migrate:install and other unknown migrate subcommands stay blocked via
lookahead instead of word-boundary (precision fix)
- Hard-blacklist for mutating package operations, chain-semantics C13,
file-watcher, TDD-gate, path-deny, coverage requirement and the other 15
defense hooks are NOT touched.
TDD: 22 RED allow-tests + 7 still-block tests + 3 regression tests.
Full tools-only regression 1821/1821 GREEN.
Live smoke verified: composer test allowed; migrate:install blocked.
Whitelist v3.8 was sized around vitest tools-only; Laravel app/ dev workflow
slipped through. This commit corrects that without touching the architecture.
Sibling Claude session 2026-05-30 found that lastTurnEntries treats
harness-injected skill bodies as spurious turn boundaries, breaking both
enforce-memory-coverage (can't find user's coverage line) AND
enforce-normative-content-rules::detectLegitSkillActive (can't find the
Skill tool_use that lives in the assistant message BEFORE the body).
Refinement applied here: this session inspected 29 isMeta:true entries
across the live transcript (8f4ba767-...jsonl) via a debug helper and
found isMeta:true is ALSO used for "Continue from where you left off"
auto-resume, Stop hook feedback strings, and <local-command-caveat>
wrappers — those are real user-equivalent boundaries that must remain
visible. Sibling's blanket "skip isMeta" proposal would have broken them.
Discriminator: skip ONLY when isMeta === true AND typeof sourceToolUseID
=== 'string' (tool-spawned content). Skill bodies have the linking field;
the other isMeta sources do not. The sourceToolUseID field is harness-
controlled and not writable by controller from inside a tool call —
cannot be spoofed.
Behaviour after fix:
* Skill body injection → skipped → walk continues back to find user's
real prompt (with coverage line).
* The assistant message containing the Skill tool_use is now inside the
turn → detectLegitSkillActive finds it → normative writes pass when
invoked under an active claude-md-management skill.
* "Continue from where you left off." → still treated as turn boundary.
* Stop hook feedback strings → still treated as turn boundary.
TDD:
* 3 new tests in tools/enforce-hook-helpers.test.mjs under the
"lastTurnEntries / lastUserPromptText / lastAssistantText / turnToolUses"
describe block:
- lastTurnEntries skips skill body injections (isMeta + sourceToolUseID)
- lastTurnEntries does NOT skip "Continue from where you left off"
(isMeta but no sourceToolUseID)
- turnToolUses includes Skill tool_use spawned in same turn as the
injected skill body
* 2/3 RED→GREEN (the "Continue" negative test passed on baseline already
since its string content satisfies the existing string-content branch).
Scope:
* Fixes 2 of the 5 structural quirks documented in the Stream H
completion log (enforce-memory-coverage gap, enforce-normative-
content-rules detectLegitSkillActive gap).
* Does NOT fix: enforce-read-path-deny LEGIT_SKILLS exemption gap
(separate hook, no lastTurnEntries dependency); TDD-gate cross-actor
blindness (different mechanism — actor session boundaries);
detectFullTestRun regex narrowness (command-pattern matching).
Regression: vitest tools 1788/1788 GREEN (was 1785; +3 new tests).
Plan: docs/superpowers/plans/2026-05-30-lastturnentries-skill-body-skip.md
Closes Stream H Task 10 (H10) that was deferred from the initial Stream H
push. Adds two pure helpers to tools/subagent-prompt-prefix.mjs and wires
them into buildHeader() so subagents spawned inside a linked git worktree
get a SETUP block with vendor symlink + storage/framework mkdir guidance
in their injected prompt.
Two new exports:
1. detectWorktreeMode({cwd, gitDir, gitCommonDir}) — pure detector that
returns {isWorktree, parentRepoRoot}. Worktree is detected when the
per-worktree git-dir differs from the shared git-common-dir; the
parent repo root is derived by stripping the trailing `/.git` segment
from the common dir (separators normalized to forward slashes). Handles
null inputs gracefully and accepts mixed forward/backslash separators.
2. buildSetupBlock({isWorktree, parentRepoRoot, platform}) — pure renderer
that returns the SETUP — worktree bootstrap text block (or '' to omit
when not in a worktree or parentRepoRoot is missing). Picks `mklink /D`
on win32 vs `ln -s` elsewhere. Mentions all four storage/framework
subdirs (cache, sessions, views, testing) per memory
`feedback_subagent_worktree_bootstrap.md` — exactly what Pest 4 needs
to resolve the Eloquent facade and view cache paths inside a worktree.
buildHeader() now resolves --git-dir + --git-common-dir alongside the
existing --show-toplevel, calls detectWorktreeMode to classify the
spawn site, then inserts buildSetupBlock's output between rule 5 and
the END marker. When not in a worktree the block is empty and the header
layout is unchanged.
Regression: vitest tools 1785/1785 GREEN (was 1776; +9 tests across
"detectWorktreeMode (Stream H Task 10)" and "buildSetupBlock (Stream H
Task 10)" describe blocks in the new
tools/subagent-prompt-prefix-h10.test.mjs file). The pre-existing
tools/subagent-prompt-prefix.test.mjs is intentionally excluded from
vitest config (node:test runner used for subprocess-style tests) — H10
helpers are pure and live in the vitest scope so the new test file is
not added to the exclude list.
Stream H Task 10 of 11 — closes the deferred H10. Plan:
docs/superpowers/plans/2026-05-30-router-gate-v4-stream-H.md
Closes Stream H Task 9 (H3). Two cosmetic fixes in tools/path-normalization.mjs
for gate error messages observed during Smoke 5 Real Fix Re-test 2026-05-30
(steps 4 and 5). Both purely affect human-readable display in block messages
— security behaviour is unchanged (path-deny still fires correctly in all
the original test scenarios).
1. Cygwin/git-bash `/c/Users/...` prefix collapsed before path.resolve.
On win32, path.resolve('/c/Users/x') treats `/c/...` as drive-relative
and prepends cwd's drive letter, producing display paths like
`c:/c/users/...` (doubled drive). The fix inserts a single-letter-drive
normalization step BEFORE resolve when the input looks Cygwin-style.
Guarded by `homedir matches ^[a-zA-Z]:` so POSIX test fixtures
(homedir='/h') still get the original behaviour.
2. PowerShell `$env:USERPROFILE` syntax expanded in expandEnvVars.
The expander handled `%NAME%`, `${NAME}`, and bare `$NAME` but not
the PowerShell-native `$env:NAME` form, so messages displayed the
literal `$env:USERPROFILE` instead of the expanded path. Added a
case-insensitive matcher (PowerShell is case-insensitive) covering
all ENV_WHITELIST names. Non-whitelisted `$env:SECRET` still passes
through unchanged.
Regression: vitest tools 1776/1776 GREEN (was 1772; +4 new tests across
"pathNormalize" (+1 cygwin), "expandEnvVars — PowerShell $env:VAR
(Stream H Task 9 cosmetic)" (+3)). One pre-existing test ("case-folds on
win32") would have broken without the homedir-drive guard — guard
preserves it.
Stream H Task 9 of 11. Plan: docs/superpowers/plans/2026-05-30-router-gate-v4-stream-H.md