@agfpd/iapeer-memory 0.2.1 → 0.2.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agfpd/iapeer-memory",
-  "version": "0.2.1",
+  "version": "0.2.3",
   "description": "iapeer-memory — peer memory for the iapeer ecosystem: vault, memoryd (index/search/MCP-http), layer-5 context fragments, role doctrines. The package IS the system; the claude/codex plugins are thin session sockets (docs/10-distribution.md, ADR-009).",
   "license": "MIT",
   "type": "module",
@@ -27,7 +27,7 @@
     "access": "public"
   },
   "dependencies": {
-    "@agfpd/iapeer-memory-core": "0.2.1"
+    "@agfpd/iapeer-memory-core": "0.2.3"
   },
   "devDependencies": {
     "@types/bun": "^1.2.0",

package/src/cli.ts

@@ -52,9 +52,10 @@ Commands:
                             init step / repair path; needs package sources
   provision-peer --cwd P --runtime claude|codex --personality NAME [--occasion O]
                             merge the direct session surfaces into one peer's
-                            cwd (claude: hooks/MCP/skills; codex: project MCP;
-                            idempotent, own keys only); the iapeer core shells
-                            into this at peer birth
+                            cwd (claude: hooks/MCP/skills; codex: project MCP +
+                            hooks.json with a trust-hooks pre-seed; idempotent,
+                            own keys only); the iapeer core shells into this at
+                            peer birth
   unprovision-peer --cwd P --runtime claude|codex [--occasion O]
                             strip OUR surfaces from one peer's cwd (mirror)
   fm-update [ops] FILE...   structural frontmatter edits + attribution stamp
@@ -125,7 +126,7 @@ export async function main(argv: string[]): Promise<number> {
     case "install-binary":
       return cmdInstallBinary(rest, egress);
     case "provision-peer":
-      return cmdProvisionPeer(rest);
+      return cmdProvisionPeer(rest, egress);
     case "unprovision-peer":
       return cmdUnprovisionPeer(rest);
     case "fm-update":

package/src/commands/hook.ts

@@ -44,13 +44,64 @@ import { memoryPaths, type MemoryPaths } from "../paths.js";
 import { DEFAULT_HEARTBEAT_STALE_MS } from "./verify.js";
 import { guardedWriteFileSync } from "@agfpd/iapeer-memory-core";
 
-/** Tools whose writes stamp frontmatter. P5 adds "apply_patch" (codex). */
+/** Tools whose writes stamp frontmatter: claude Write|Edit|MultiEdit +
+ *  codex apply_patch (Ш2; stdin-JSON is Claude-compatible — canon
+ *  «Поверхности конфигурации codex» §Хуки). */
 export const POST_WRITE_TOOLS: ReadonlySet<string> = new Set([
   "Write",
   "Edit",
   "MultiEdit",
+  "apply_patch",
 ]);
 
+/** apply_patch envelope markers (the public codex patch format) — the
+ *  deterministic path source from tool_input's patch text. */
+const PATCH_FILE_RE = /^\*\*\* (?:Update|Add) File: (.+)$/gm;
+
+/** `tool_response` status lines — the VERBATIM form established by the live
+ *  Ш2 e2e (codex-cli 0.138.0, gpt-5.5, captured stdin 11.06):
+ *  a single STRING `"Exit code: 0\nWall time: …\nOutput:\nSuccess. Updated
+ *  the following files:\nA /abs/path.md\n"` — `A`/`M`/`D` markers per file. */
+const RESPONSE_FILE_RE = /^[AMD]\s+(.+)$/;
+
+/**
+ * File-path candidates of a codex apply_patch event. Two sources, union:
+ * the envelope markers inside the patch text (scans every string value of
+ * tool_input — the live field is `command`, the name is not load-bearing)
+ * and the `A/M/D <path>` lines of the tool_response string (verbatim form
+ * above; a D path simply fails the existsSync gate downstream). Relative
+ * paths resolve against the event's `cwd` (stdin carries it — live fact).
+ */
+export function applyPatchPaths(event: {
+  cwd?: string;
+  tool_input?: unknown;
+  tool_response?: unknown;
+}): string[] {
+  const found = new Set<string>();
+  const add = (raw: string): void => {
+    const p = raw.trim();
+    if (!p) return;
+    found.add(path.isAbsolute(p) ? p : path.resolve(event.cwd ?? process.cwd(), p));
+  };
+  const input = event.tool_input;
+  if (input && typeof input === "object") {
+    for (const v of Object.values(input as Record<string, unknown>)) {
+      if (typeof v !== "string") continue;
+      for (const m of v.matchAll(PATCH_FILE_RE)) add(m[1]);
+    }
+  } else if (typeof input === "string") {
+    for (const m of input.matchAll(PATCH_FILE_RE)) add(m[1]);
+  }
+  const resp = event.tool_response;
+  if (typeof resp === "string") {
+    for (const line of resp.split("\n")) {
+      const m = RESPONSE_FILE_RE.exec(line);
+      if (m) add(m[1]);
+    }
+  }
+  return [...found];
+}
+
 /** Min interval between background verify-kicks (anti-storm). */
 export const KICK_DEBOUNCE_MS = 5 * 60_000;
 
@@ -77,7 +128,12 @@ export function runPostWrite(
 ): PostWriteResult {
   const silent: PostWriteResult = { stamped: false, output: null };
 
-  let event: { tool_name?: string; tool_input?: { file_path?: string } };
+  let event: {
+    tool_name?: string;
+    cwd?: string;
+    tool_input?: { file_path?: string };
+    tool_response?: unknown;
+  };
   try {
     event = JSON.parse(eventJson) as typeof event;
   } catch {
@@ -88,15 +144,20 @@ export function runPostWrite(
   // reference live-smoke fact; the same ordering keeps claude cheap too).
   if (!POST_WRITE_TOOLS.has(tool)) return silent;
 
-  const filePath = event.tool_input?.file_path ?? "";
-  if (!filePath.endsWith(".md")) return silent;
+  // Path candidates: claude tools carry ONE file_path; codex apply_patch
+  // carries a patch over possibly MANY files (Ш2).
+  const candidates =
+    tool === "apply_patch"
+      ? applyPatchPaths(event)
+      : [event.tool_input?.file_path ?? ""];
 
   const vault = env.IAPEER_MEMORY_VAULT_PATH ?? "";
   if (!vault) return silent; // socket without a provisioned system
-  if (!filePath.startsWith(vault.endsWith(path.sep) ? vault : vault + path.sep)) {
-    return silent; // outside the vault — никогда не трогаем чужие файлы
-  }
-  if (!fs.existsSync(filePath)) return silent; // failed write — nothing to stamp
+  const vaultPrefix = vault.endsWith(path.sep) ? vault : vault + path.sep;
+  const files = candidates.filter(
+    (p) => p.endsWith(".md") && p.startsWith(vaultPrefix) && fs.existsSync(p),
+  );
+  if (files.length === 0) return silent;
 
   // Identity: PEER_PERSONALITY → IAPEER_MEMORY_AGENT_NAME. NO cwd guessing
   // (нюанс 10 — deliberate divergence from the reference basename(PWD)).
@@ -112,7 +173,7 @@ export function runPostWrite(
     .filter(Boolean);
 
   fmUpdate({
-    files: [filePath],
+    files,
     ops: [],
     agent,
     vault,
@@ -121,12 +182,15 @@ export function runPostWrite(
     stamp: true,
   });
 
-  // Reminder: ONLY on Write (new note) in the author's OWN memory folder —
-  // an Edit-loop on one note must not spam the context (reference semantics).
+  // Reminder: ONLY on a claude Write (new note) in the author's OWN memory
+  // folder — an Edit-loop must not spam the context (reference semantics).
+  // The codex branch NEVER emits: hookSpecificOutput.additionalContext is a
+  // claude protocol — codex support is unverified (upstream issue #19385
+  // ASKS for it, which reads as «not there»; fact-checked stance, not a gap).
   const ownMemoryDir =
     path.join(vault, taxonomy.folders.agentMemory, agent) + path.sep;
   const output =
-    tool === "Write" && filePath.startsWith(ownMemoryDir)
+    tool === "Write" && files[0]!.startsWith(ownMemoryDir)
       ? JSON.stringify({
           hookSpecificOutput: {
             hookEventName: "PostToolUse",

package/src/commands/init.ts

@@ -444,7 +444,7 @@ export async function cmdInit(argv: string[], egress: Egress): Promise<number> {
       const fleet = readFleetMap(paths.fleetMapPath) ?? [];
       const locked = withProvisionLock({
         stateDir: paths.stateDir,
-        fn: () => sweepProvision({ fleet, hooksDir: paths.hooksDir, port: mcpPort() }),
+        fn: () => sweepProvision(egress, { fleet, hooksDir: paths.hooksDir, port: mcpPort(), iapeerBin: flags.iapeerBin }),
       });
       if (!locked.acquired) {
         step("surfaces", locked.detail, false);

package/src/commands/provision-peer.ts

@@ -19,12 +19,13 @@
  *     branched on.
  *
  * Runtime forms: claude — hooks + mcp + skills (surfaces/claude.ts);
- * codex — per-peer MCP via `<cwd>/.codex/config.toml` (surfaces/codex.ts;
- * hooks/skills are the P5 experiment). Exit: 0 ok, 1 a surface failed,
- * 2 usage.
+ * codex — per-peer MCP via `<cwd>/.codex/config.toml` + hooks.json with the
+ * core's trust-hooks pre-seed (surfaces/codex.ts, Ш2; skills deliberately
+ * not delivered — P5 §4.2). Exit: 0 ok, 1 a surface failed, 2 usage.
  */
 
 import fs from "node:fs";
+import type { Egress } from "../egress.js";
 import { memoryPaths } from "../paths.js";
 import {
   provisionClaudePeer,
@@ -53,6 +54,8 @@ type Flags = {
   runtime: (typeof RUNTIMES)[number];
   occasion: Occasion;
   personality: string;
+  /** Explicitly named core binary (hermetic tests; egress explicit-bin). */
+  iapeerBin?: string;
 };
 
 function parseFlags(
@@ -64,6 +67,7 @@ function parseFlags(
   let runtime = "";
   let occasion: string = defaultOccasion;
   let personality = "";
+  let iapeerBin: string | undefined;
   for (let i = 0; i < argv.length; i++) {
     const a = argv[i];
     switch (a) {
@@ -71,6 +75,7 @@ function parseFlags(
       case "--runtime": runtime = argv[++i] ?? ""; break;
       case "--occasion": occasion = argv[++i] ?? ""; break;
       case "--personality": personality = argv[++i] ?? ""; break;
+      case "--iapeer-bin": iapeerBin = argv[++i]; break;
       default:
         console.error(`iapeer-memory ${verb}: unknown flag: ${a}`);
         return null;
@@ -105,6 +110,7 @@ function parseFlags(
     runtime: runtime as Flags["runtime"],
     occasion: occasion as Occasion,
     personality,
+    iapeerBin,
   };
 }
 
@@ -124,7 +130,7 @@ function report(verb: string, flags: Flags, outcomes: SurfaceOutcome[]): number
   return failed ? 1 : 0;
 }
 
-export function cmdProvisionPeer(argv: string[]): number {
+export function cmdProvisionPeer(argv: string[], egress: Egress): number {
   const flags = parseFlags("provision-peer", argv, "sweep-on");
   if (!flags) return 2;
   if (!fs.existsSync(flags.cwd)) {
@@ -136,7 +142,12 @@ export function cmdProvisionPeer(argv: string[]): number {
     stateDir: paths.stateDir,
     fn: () =>
       flags.runtime === "codex"
-        ? provisionCodexPeer({ cwd: flags.cwd, port: mcpPort() })
+        ? provisionCodexPeer(egress, {
+            cwd: flags.cwd,
+            port: mcpPort(),
+            hooksDir: paths.hooksDir,
+            iapeerBin: flags.iapeerBin,
+          })
         : provisionClaudePeer({
             cwd: flags.cwd,
             hooksDir: paths.hooksDir,

package/src/commands/update.ts

@@ -161,7 +161,7 @@ export function cmdUpdate(argv: string[], egress: Egress): number {
     const fleet = readFleetMap(paths.fleetMapPath) ?? [];
     const locked = withProvisionLock({
       stateDir: paths.stateDir,
-      fn: () => sweepProvision({ fleet, hooksDir: paths.hooksDir, port: mcpPort() }),
+      fn: () => sweepProvision(egress, { fleet, hooksDir: paths.hooksDir, port: mcpPort(), iapeerBin }),
     });
     if (!locked.acquired) {
       step("surfaces", locked.detail, false);

package/src/commands/verify.ts

@@ -221,7 +221,7 @@ export function runVerify(egress: Egress, opts: VerifyOptions = {}): CheckResult
         detail: "fleet map unreadable — see fleet-map check",
       });
     } else {
-      const { checks, skipped } = checkFleetSurfaces({
+      const { checks, skipped } = checkFleetSurfaces(egress, {
         fleet,
         hooksDir: paths.hooksDir,
         port: mcpPort(),
@@ -247,7 +247,7 @@ export function runVerify(egress: Egress, opts: VerifyOptions = {}): CheckResult
         const badPeers = fleet.filter((p) => bad.some((b) => b.cwd === p.cwd));
         const locked = withProvisionLock({
           stateDir: paths.stateDir,
-          fn: () => sweepProvision({ fleet: badPeers, hooksDir: paths.hooksDir, port: mcpPort() }),
+          fn: () => sweepProvision(egress, { fleet: badPeers, hooksDir: paths.hooksDir, port: mcpPort(), iapeerBin: opts.iapeerBin }),
         });
         if (!locked.acquired) {
           results.push({ name: "peer-surfaces", status: "fail", detail: locked.detail });

package/src/surfaces/claude.ts

@@ -62,9 +62,16 @@ export function isOurHookCommand(command: string): boolean {
   return base.startsWith(HOOK_SHIM_PREFIX) && base.endsWith(".sh");
 }
 
-export type SurfaceAction = "written" | "already" | "removed" | "absent" | "failed";
+export type SurfaceAction =
+  | "written"
+  | "already"
+  | "removed"
+  | "absent"
+  | "failed"
+  /** A live-host step suppressed by the refusing egress (test sandbox). */
+  | "skipped";
 export type SurfaceOutcome = {
-  surface: "hooks" | "mcp" | "skills";
+  surface: "hooks" | "mcp" | "skills" | "trust";
   action: SurfaceAction;
   path: string;
   detail?: string;
@@ -140,7 +147,7 @@ export function expectedMcpEntry(opts: {
   };
 }
 
-type HookEntry = {
+export type HookEntry = {
   matcher?: string;
   hooks: Array<{ type: string; command: string }>;
 };
@@ -164,7 +171,7 @@ export function expectedHookEntries(
 type JsonObject = Record<string, unknown>;
 
 /** null = unreadable-as-object (refuse to clobber); {} when absent. */
-function readJsonObject(filePath: string): JsonObject | null | "absent" {
+export function readJsonObject(filePath: string): JsonObject | null | "absent" {
   let raw: string;
   try {
     raw = fs.readFileSync(filePath, "utf-8");
@@ -180,11 +187,11 @@ function readJsonObject(filePath: string): JsonObject | null | "absent" {
   }
 }
 
-function sameJson(a: unknown, b: unknown): boolean {
+export function sameJson(a: unknown, b: unknown): boolean {
   return JSON.stringify(a) === JSON.stringify(b);
 }
 
-function isOurHookEntry(entry: unknown): boolean {
+export function isOurHookEntry(entry: unknown): boolean {
   if (!entry || typeof entry !== "object") return false;
   const hooks = (entry as HookEntry).hooks;
   if (!Array.isArray(hooks)) return false;

package/src/surfaces/codex.ts

@@ -29,13 +29,22 @@
  * Merge = line-based section surgery on OUR header namespace only
  * (`[mcp_servers.iapeer-memory]` + its subsections), atomic write; unlike
  * the core's append-if-absent we REPLACE a drifted block (repair duty,
- * требование №2). Hooks/skills for codex are the P5 experiment — MCP is
- * deliberately the only codex surface here.
+ * требование №2). Hooks (Ш2) live in `<cwd>/.codex/hooks.json` below;
+ * skills for codex are deliberately NOT delivered (P5 §4.2, boris-agreed).
  */
 
 import fs from "node:fs";
 import path from "node:path";
-import type { SurfaceOutcome } from "./claude.js";
+import { IAPEER_BIN, type Egress } from "../egress.js";
+import {
+  isOurHookEntry,
+  materialiseShims,
+  readJsonObject,
+  sameJson,
+  shimPath,
+  type HookEntry,
+  type SurfaceOutcome,
+} from "./claude.js";
 import { guardedWriteFileSync, guardedUnlinkSync } from "@agfpd/iapeer-memory-core";
 
 export const CODEX_MCP_SECTION = "mcp_servers.iapeer-memory";
@@ -123,34 +132,323 @@ export function removeCodexMcp(opts: { cwd: string }): SurfaceOutcome {
   return { surface: "mcp", action: "removed", path: configPath };
 }
 
-export function provisionCodexPeer(opts: { cwd: string; port: number }): SurfaceOutcome[] {
-  return [mergeCodexMcp(opts)];
+// ── hooks surface (Ш2, P5_CODEX_ADAPTER_DESIGN §4.1) ────────────────────────
+//
+// File-based (non-plugin) hooks — live-proven by the iapeer smoke 11.06
+// (codex-cli 0.138.0): `<cwd>/.codex/hooks.json` of a TRUSTED cwd, format
+// Claude-compatible. The SAME shims serve both runtimes (all logic lives in
+// the CLI verbs; codex stdin-JSON is Claude-compatible — canon note
+// «Поверхности конфигурации codex» §Хуки).
+//
+// NO matcher ON PURPOSE: matcher inclusion in the upstream trust-hash
+// identity is unverified (canon note) and an untrusted hook in headless
+// exec SKIPS SILENTLY — the worst failure mode. Without a matcher the
+// identity walks the verified algorithm branch; the CLI's cheap tool_name
+// gate (hook.ts) filters the per-tool noise instead.
+//
+// Trust pre-seed: `iapeer trust-hooks <realpath>` (core ≥0.2.32) — the verb
+// owns the hash algorithm; we never compute it (agreed: one point of
+// truth). Cleanup of [hooks.state] on peer REMOVAL is the core's rail;
+// off-peer/off-all leave orphan records — harmless (keyed on the realpath
+// of a file we just removed; codex finds nothing to run).
+
+export function codexHooksJsonPath(cwd: string): string {
+  return path.join(cwd, ".codex", "hooks.json");
+}
+
+export function expectedCodexHookEntries(
+  hooksDir: string,
+): Record<"PostToolUse" | "SessionStart", HookEntry> {
+  return {
+    PostToolUse: {
+      hooks: [{ type: "command", command: shimPath(hooksDir, "post-write") }],
+    },
+    SessionStart: {
+      hooks: [{ type: "command", command: shimPath(hooksDir, "session-start") }],
+    },
+  };
+}
+
+export function mergeCodexHooks(opts: { cwd: string; hooksDir: string }): SurfaceOutcome {
+  const hooksJson = codexHooksJsonPath(opts.cwd);
+  const current = readJsonObject(hooksJson);
+  if (current === null) {
+    return {
+      surface: "hooks",
+      action: "failed",
+      path: hooksJson,
+      detail: "hooks.json is not a JSON object — refusing to clobber",
+    };
+  }
+  const obj: Record<string, unknown> = current === "absent" ? {} : current;
+  const hooksRaw = obj.hooks;
+  if (
+    hooksRaw !== undefined &&
+    (typeof hooksRaw !== "object" || Array.isArray(hooksRaw) || hooksRaw === null)
+  ) {
+    return {
+      surface: "hooks",
+      action: "failed",
+      path: hooksJson,
+      detail: "hooks.json `hooks` is not an object — refusing to clobber",
+    };
+  }
+  const hooks: Record<string, unknown> = (hooksRaw as Record<string, unknown> | undefined) ?? {};
+  const expected = expectedCodexHookEntries(opts.hooksDir);
+  let changed = false;
+  for (const event of ["PostToolUse", "SessionStart"] as const) {
+    const listRaw = hooks[event];
+    const list: unknown[] = Array.isArray(listRaw) ? listRaw : [];
+    const ours = list.filter(isOurHookEntry);
+    if (ours.length === 1 && sameJson(ours[0], expected[event])) continue;
+    const foreign = list.filter((e) => !isOurHookEntry(e));
+    hooks[event] = [...foreign, expected[event]];
+    changed = true;
+  }
+  if (!changed) {
+    return { surface: "hooks", action: "already", path: hooksJson };
+  }
+  obj.hooks = hooks;
+  writeFileAtomic(hooksJson, `${JSON.stringify(obj, null, 2)}\n`);
+  return { surface: "hooks", action: "written", path: hooksJson };
+}
+
+export function removeCodexHooks(opts: { cwd: string }): SurfaceOutcome {
+  const hooksJson = codexHooksJsonPath(opts.cwd);
+  const current = readJsonObject(hooksJson);
+  if (current === "absent") {
+    return { surface: "hooks", action: "absent", path: hooksJson };
+  }
+  if (current === null) {
+    return {
+      surface: "hooks",
+      action: "failed",
+      path: hooksJson,
+      detail: "hooks.json is not a JSON object — refusing to touch",
+    };
+  }
+  const hooksRaw = current.hooks;
+  if (!hooksRaw || typeof hooksRaw !== "object" || Array.isArray(hooksRaw)) {
+    return { surface: "hooks", action: "absent", path: hooksJson };
+  }
+  const hooks = hooksRaw as Record<string, unknown>;
+  let changed = false;
+  for (const event of Object.keys(hooks)) {
+    const list = hooks[event];
+    if (!Array.isArray(list)) continue;
+    const kept = list
+      .map((entry) => {
+        if (!isOurHookEntry(entry)) return entry;
+        const e = entry as HookEntry;
+        const foreignHooks = e.hooks.filter(
+          (h) => !(typeof h?.command === "string" && h.command.split("/").pop()?.startsWith("iapeer-memory.")),
+        );
+        if (foreignHooks.length === 0) return null;
+        return { ...e, hooks: foreignHooks };
+      })
+      .filter((e): e is NonNullable<typeof e> => e !== null);
+    if (kept.length !== list.length || !sameJson(kept, list)) changed = true;
+    if (kept.length === 0) delete hooks[event];
+    else hooks[event] = kept;
+  }
+  if (!changed) {
+    return { surface: "hooks", action: "absent", path: hooksJson };
+  }
+  if (Object.keys(hooks).length === 0) delete current.hooks;
+  if (Object.keys(current).length === 0) {
+    // nothing but our hooks lived here — leave the cwd exactly as found
+    guardedUnlinkSync(hooksJson);
+    return { surface: "hooks", action: "removed", path: hooksJson, detail: "file removed (empty after our entries)" };
+  }
+  writeFileAtomic(hooksJson, `${JSON.stringify(current, null, 2)}\n`);
+  return { surface: "hooks", action: "removed", path: hooksJson };
+}
+
+/** Trust pre-seed via the core verb (≥0.2.32). The refusing egress maps to
+ *  a SKIP (sandbox never touches the live host config); a failed verb is a
+ *  LOUD failure — an untrusted hook skips silently in headless, the worst
+ *  degradation mode (boris's acceptance condition: visible only). */
+export function trustCodexHooks(
+  egress: Egress,
+  opts: { hooksJsonPath: string; iapeerBin?: string },
+): SurfaceOutcome {
+  let real: string;
+  try {
+    real = fs.realpathSync(opts.hooksJsonPath); // trust keys on the REALPATH (core contract)
+  } catch {
+    return {
+      surface: "trust",
+      action: "failed",
+      path: opts.hooksJsonPath,
+      detail: "hooks.json unreadable for realpath — trust not attempted",
+    };
+  }
+  const bin = opts.iapeerBin ?? IAPEER_BIN;
+  const proc = egress.spawnSync([bin, "trust-hooks", real], {
+    explicitBin: opts.iapeerBin !== undefined,
+  });
+  if (proc.refused) {
+    return {
+      surface: "trust",
+      action: "skipped",
+      path: real,
+      detail: "suppressed (test sandbox) — live pre-seed runs on the host",
+    };
+  }
+  if (proc.spawnError) {
+    return { surface: "trust", action: "failed", path: real, detail: `${bin} unavailable: ${proc.spawnError}` };
+  }
+  if (proc.exitCode !== 0) {
+    return {
+      surface: "trust",
+      action: "failed",
+      path: real,
+      detail:
+        (proc.stderr.trim() || proc.stdout.trim() || `trust-hooks exited ${proc.exitCode}`).slice(0, 200) +
+        " — hooks stay UNTRUSTED (headless codex skips them silently); core ≥0.2.32 required",
+    };
+  }
+  const line = proc.stdout.trim().split("\n")[0] ?? "";
+  return {
+    surface: "trust",
+    action: line.toLowerCase().includes("already") ? "already" : "written",
+    path: real,
+    detail: line || undefined,
+  };
+}
+
+export function provisionCodexPeer(
+  egress: Egress,
+  opts: { cwd: string; port: number; hooksDir: string; iapeerBin?: string },
+): SurfaceOutcome[] {
+  // Shims first — the merged hooks.json must never point at a void (same
+  // ordering duty as the claude provision).
+  materialiseShims(opts.hooksDir);
+  const mcp = mergeCodexMcp({ cwd: opts.cwd, port: opts.port });
+  const hooks = mergeCodexHooks({ cwd: opts.cwd, hooksDir: opts.hooksDir });
+  const trust =
+    hooks.action === "failed"
+      ? ({
+          surface: "trust",
+          action: "failed",
+          path: codexHooksJsonPath(opts.cwd),
+          detail: "hooks surface failed — trust not attempted",
+        } as SurfaceOutcome)
+      : trustCodexHooks(egress, {
+          hooksJsonPath: codexHooksJsonPath(opts.cwd),
+          iapeerBin: opts.iapeerBin,
+        });
+  return [mcp, hooks, trust];
 }
 
 export function unprovisionCodexPeer(opts: { cwd: string }): SurfaceOutcome[] {
-  return [removeCodexMcp(opts)];
+  // [hooks.state] cleanup is the core's rail (`iapeer remove`); off-peer/
+  // off-all leave orphan records keyed on a now-absent file — harmless.
+  return [removeCodexMcp(opts), removeCodexHooks(opts)];
 }
 
-/** Read-only drift check (verify's eye, D3): the expected block must sit in
- *  the project-local config byte-exact. */
-export function checkCodexPeer(opts: {
-  cwd: string;
-  port: number;
-}): Array<{ surface: SurfaceOutcome["surface"]; ok: boolean; detail: string }> {
+/** Read-only drift check (verify's eye, D3 + Ш2): the MCP block byte-exact,
+ *  our hook entries in hooks.json, and the trust state via the core's
+ *  `trust-hooks --check` (the hash algorithm lives in ONE place — the core;
+ *  we render its verdict, never compute it). Degradation is VISIBLE by
+ *  acceptance condition: an untrusted hook skips silently in headless. */
+export function checkCodexPeer(
+  egress: Egress,
+  opts: {
+    cwd: string;
+    port: number;
+    hooksDir: string;
+    iapeerBin?: string;
+  },
+): Array<{ surface: SurfaceOutcome["surface"]; ok: boolean; detail: string }> {
+  const checks: Array<{ surface: SurfaceOutcome["surface"]; ok: boolean; detail: string }> = [];
+
   const configPath = codexConfigPath(opts.cwd);
-  let text: string;
+  let text: string | null = null;
   try {
     text = fs.readFileSync(configPath, "utf-8");
   } catch {
-    return [{ surface: "mcp", ok: false, detail: `no codex config at ${configPath}` }];
+    checks.push({ surface: "mcp", ok: false, detail: `no codex config at ${configPath}` });
   }
-  const expected = expectedCodexBlock(opts.port);
-  const ok = text.includes(expected);
-  return [
-    ok
-      ? { surface: "mcp", ok: true, detail: `[${CODEX_MCP_SECTION}] block in place` }
-      : hasOurSection(text)
-        ? { surface: "mcp", ok: false, detail: `[${CODEX_MCP_SECTION}] block drifted in ${configPath}` }
-        : { surface: "mcp", ok: false, detail: `[${CODEX_MCP_SECTION}] block missing in ${configPath}` },
-  ];
+  if (text !== null) {
+    const expected = expectedCodexBlock(opts.port);
+    checks.push(
+      text.includes(expected)
+        ? { surface: "mcp", ok: true, detail: `[${CODEX_MCP_SECTION}] block in place` }
+        : hasOurSection(text)
+          ? { surface: "mcp", ok: false, detail: `[${CODEX_MCP_SECTION}] block drifted in ${configPath}` }
+          : { surface: "mcp", ok: false, detail: `[${CODEX_MCP_SECTION}] block missing in ${configPath}` },
+    );
+  }
+
+  // hooks.json: exactly our entry per event (in-data ownership, shim basename)
+  const hooksJson = codexHooksJsonPath(opts.cwd);
+  const current = readJsonObject(hooksJson);
+  if (current === "absent" || current === null) {
+    checks.push({
+      surface: "hooks",
+      ok: false,
+      detail:
+        current === null
+          ? `hooks.json unreadable as object (${hooksJson})`
+          : `hooks.json missing (${hooksJson})`,
+    });
+  } else {
+    const expected = expectedCodexHookEntries(opts.hooksDir);
+    const hooks = (current.hooks ?? {}) as Record<string, unknown>;
+    const bad: string[] = [];
+    for (const event of ["PostToolUse", "SessionStart"] as const) {
+      const list: unknown[] = Array.isArray(hooks[event]) ? (hooks[event] as unknown[]) : [];
+      const ours = list.filter(isOurHookEntry);
+      if (!(ours.length === 1 && sameJson(ours[0], expected[event]))) bad.push(event);
+    }
+    checks.push(
+      bad.length === 0
+        ? { surface: "hooks", ok: true, detail: "our hook entries in place" }
+        : { surface: "hooks", ok: false, detail: `hook entries drifted/missing: ${bad.join(", ")} (${hooksJson})` },
+    );
+
+    // trust state — only meaningful when the entries are in place
+    if (bad.length === 0) {
+      let real: string | null = null;
+      try {
+        real = fs.realpathSync(hooksJson);
+      } catch {
+        real = null;
+      }
+      if (real === null) {
+        checks.push({ surface: "trust", ok: false, detail: "hooks.json vanished mid-check" });
+      } else {
+        const bin = opts.iapeerBin ?? IAPEER_BIN;
+        const proc = egress.spawnSync([bin, "trust-hooks", real, "--check"], {
+          explicitBin: opts.iapeerBin !== undefined,
+        });
+        if (proc.refused) {
+          checks.push({
+            surface: "trust",
+            ok: true,
+            detail: "trust check skipped (test sandbox)",
+          });
+        } else if (proc.spawnError) {
+          checks.push({
+            surface: "trust",
+            ok: false,
+            detail: `trust state UNKNOWN — ${bin} unavailable (${proc.spawnError}); untrusted hooks skip silently in headless`,
+          });
+        } else if (proc.exitCode === 0) {
+          checks.push({ surface: "trust", ok: true, detail: "hooks trusted (trust-hooks --check)" });
+        } else {
+          checks.push({
+            surface: "trust",
+            ok: false,
+            detail:
+              `hooks NOT trusted (drift/missing per trust-hooks --check): ` +
+              `${(proc.stdout.trim() || proc.stderr.trim()).slice(0, 160)} — repair: provision-peer / update`,
+          });
+        }
+      }
+    }
+  }
+
+  return checks;
 }

package/src/surfaces/sweep.ts

@@ -22,6 +22,7 @@ import {
   type SurfaceOutcome,
 } from "./claude.js";
 import { checkCodexPeer, provisionCodexPeer, unprovisionCodexPeer } from "./codex.js";
+import type { Egress } from "../egress.js";
 import type { FleetPeer } from "../fleet.js";
 
 export const SESSION_RUNTIMES = ["claude", "codex"] as const;
@@ -46,11 +47,15 @@ function sessionRuntimesOf(peer: FleetPeer): SessionRuntime[] {
   return SESSION_RUNTIMES.filter((r) => peer.runtimes.includes(r));
 }
 
-export function sweepProvision(opts: {
-  fleet: FleetPeer[];
-  hooksDir: string;
-  port: number;
-}): SweepSummary {
+export function sweepProvision(
+  egress: Egress,
+  opts: {
+    fleet: FleetPeer[];
+    hooksDir: string;
+    port: number;
+    iapeerBin?: string;
+  },
+): SweepSummary {
   const results: PeerSweepResult[] = [];
   const skipped: SweepSummary["skipped"] = [];
   for (const peer of opts.fleet) {
@@ -71,7 +76,12 @@ export function sweepProvision(opts: {
     for (const runtime of runtimes) {
       const outcomes =
         runtime === "codex"
-          ? provisionCodexPeer({ cwd: peer.cwd, port: opts.port })
+          ? provisionCodexPeer(egress, {
+              cwd: peer.cwd,
+              port: opts.port,
+              hooksDir: opts.hooksDir,
+              iapeerBin: opts.iapeerBin,
+            })
           : provisionClaudePeer({
               cwd: peer.cwd,
               hooksDir: opts.hooksDir,
@@ -125,11 +135,15 @@ export type PeerCheckResult = {
   problems: string[];
 };
 
-export function checkFleetSurfaces(opts: {
-  fleet: FleetPeer[];
-  hooksDir: string;
-  port: number;
-}): { checks: PeerCheckResult[]; skipped: Array<{ personality: string; reason: string }> } {
+export function checkFleetSurfaces(
+  egress: Egress,
+  opts: {
+    fleet: FleetPeer[];
+    hooksDir: string;
+    port: number;
+    iapeerBin?: string;
+  },
+): { checks: PeerCheckResult[]; skipped: Array<{ personality: string; reason: string }> } {
   const checks: PeerCheckResult[] = [];
   const skipped: Array<{ personality: string; reason: string }> = [];
   for (const peer of opts.fleet) {
@@ -150,7 +164,12 @@ export function checkFleetSurfaces(opts: {
     for (const runtime of runtimes) {
       const surfaceChecks =
         runtime === "codex"
-          ? checkCodexPeer({ cwd: peer.cwd, port: opts.port })
+          ? checkCodexPeer(egress, {
+              cwd: peer.cwd,
+              port: opts.port,
+              hooksDir: opts.hooksDir,
+              iapeerBin: opts.iapeerBin,
+            })
           : checkClaudePeer({
               cwd: peer.cwd,
               hooksDir: opts.hooksDir,

package/src/templates/roles-en.ts

@@ -69,6 +69,12 @@ step, when ALL THREE hold: the Scriber processed the note + the links
 section is complete + no open questions remain (no unanswered author
 pings). Nobody sets it by decision; nobody else clears it.
 
+\`last_edited_by: unstamped\` — the write BYPASSED the hook (a Bash write,
+an external editor): memoryd's detector honestly says «writer unknown»
+instead of a silently inherited attribution. Resolve it by context (the
+content, git, asking the writers); \`needs_review\` is already set — clear
+it under the usual three conditions.
+
 ## Agent-memory curation (light, no Scriber)
 
 1. \`status\` is final → move to the archive subfolder; stop.

package/src/templates/roles-ru.ts

@@ -62,6 +62,12 @@ locale: ru
 дополнена + открытых вопросов нет (все пинги авторам закрыты). Никто не
 ставит флаг решением; никто кроме тебя не снимает.
 
+\`last_edited_by: unstamped\` — запись прошла МИМО хука (Bash-запись,
+внешний редактор): детектор memoryd честно говорит «писатель неизвестен»
+вместо тихо унаследованной атрибуции. Разбирайся по контексту (содержание,
+git, вопрос писателям); needs_review при этом уже стоит — снимаешь по
+обычным трём условиям.
+
 ## Курирование оперативки (лёгкое, без Scriber'а)
 
 1. Финальный \`status\` → move в архивную подпапку; дальше не обрабатывай.