@chrisdudek/yg 5.0.0-alpha.6 → 5.0.1

package/README.md

@@ -2,7 +2,7 @@
 
 **Your agent will ignore CLAUDE.md. Yggdrasil makes sure it doesn't.**
 
-Architecture rules your agent can't ignore. You write them in plain Markdown; a reviewer verifies every change and feeds violations back into the agent's loop — before it moves on. Works with Claude Code, Cursor, Copilot, Codex, Cline, and more. The reviewer runs against your code, not your diffs. The feedback is specific, and the agent has to fix before moving on.
+Architecture rules your agent can't ignore. Before it edits a file, your agent gets the few rules that apply — and writes to them. After, every change is checked before it moves on: by a script that runs locally for free, or by an LLM reviewer. A rule written as a script *runs* — your agent can't quietly optimize it away the way it drops a line in CLAUDE.md. Works with Claude Code, Cursor, Copilot, Codex, Cline, and more. Checks run against your code, not your diffs; the feedback is specific; the agent has to fix before it can move on.
 
 See the [main README](https://github.com/krzysztofdudek/Yggdrasil#readme) for documentation, or visit
 [krzysztofdudek.github.io/Yggdrasil](https://krzysztofdudek.github.io/Yggdrasil/).

package/dist/bin.js

@@ -6,7 +6,7 @@ import { Command as Command2 } from "commander";
 // src/cli/init.ts
 import chalk2 from "chalk";
 import { existsSync as existsSync2 } from "fs";
-import { mkdir as mkdir3, writeFile as writeFile4, readdir as readdir3, readFile as readFile10, stat as stat3 } from "fs/promises";
+import { mkdir as mkdir3, writeFile as writeFile4, readdir as readdir3, readFile as readFile11, stat as stat3 } from "fs/promises";
 import path13 from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 import * as p from "@clack/prompts";
@@ -145,7 +145,7 @@ Fix a refusal in one of two ways: declare the relation in the node's \`yg-node.y
 
 ### Verification and the lock
 
-A verdict is valid exactly while the inputs that produced it hash to the stored value. Any input change \u2014 an edited subject file, an edited \`content.md\` / \`check.mjs\`, an edited \`scope\`, a tier change \u2014 makes the pair **unverified**, and \`yg check --approve\` re-verifies it. (A status flip is NOT an input \u2014 it never invalidates a verdict.) States are: **verified / unverified / refused**.
+A verdict is valid exactly while the inputs that produced it hash to the stored value. Any input change \u2014 an edited subject file, an edited \`content.md\` / \`check.mjs\`, an edited \`scope\`, or a change to which named tier the aspect uses \u2014 makes the pair **unverified**, and \`yg check --approve\` re-verifies it. (A status flip is NOT an input, and neither is a tier's underlying config \u2014 only the tier NAME folds in, so swapping the model or provider behind a named tier never invalidates a verdict.) States are: **verified / unverified / refused**.
 
 \`yg check\` writes nothing and makes no LLM calls: it re-hashes each lock verdict and reports (on plain \`yg check\` it never runs an aspect reviewer or a deterministic \`check.mjs\`), and it runs the built-in relation-conformance check live (parse + resolve). So CI runs it cheap and keyless. \`yg check --approve\` fills the unverified pairs and then reports.
 
@@ -473,7 +473,7 @@ context.
 
 **Flow** \u2014 when you see a sequence of steps toward a business goal. Not code call sequences \u2014 real-world processes. "User places an order" = flow. "Handler calls service" = relation between nodes. Read \`schemas/yg-flow.yaml\` and \`yg knowledge read flows\` before creating.
 
-**Node** \u2014 one per cohesive feature area. Not per directory, not per file. If a node covers >3 distinct workflows, split into children. Size is bounded by the reviewer prompt, not the node: an LLM aspect assembles its content.md, references, and the unit's subject files into one prompt, checked against the resolved tier's \`max_prompt_chars\`. Exceeding it is a blocking \`prompt-too-large\` error naming the pair, with remedies in safety order: narrow \`scope.files\` (when the overflow is non-target payload), switch the aspect to \`per: file\` (ONLY if the rule is file-local), split the node, or raise the limit / move to a higher tier (a tier edit cascades re-verification across every aspect on that tier). Deterministic checks read files programmatically with no prompt and are never subject to the gate. Read \`schemas/yg-node.yaml\` before creating.
+**Node** \u2014 one per cohesive feature area. Not per directory, not per file. If a node covers >3 distinct workflows, split into children. Size is bounded by the reviewer prompt, not the node: an LLM aspect assembles its content.md, references, and the unit's subject files into one prompt, checked against the resolved tier's \`max_prompt_chars\`. Exceeding it is a blocking \`prompt-too-large\` error naming the pair, with remedies in safety order: narrow \`scope.files\` (when the overflow is non-target payload), switch the aspect to \`per: file\` (ONLY if the rule is file-local), split the node, or raise the limit / move to a higher-capability tier (re-pointing an aspect to a different named tier re-verifies that aspect's pairs; editing a tier's own config does not \u2014 only the tier name is a verdict input). Deterministic checks read files programmatically with no prompt and are never subject to the gate. Read \`schemas/yg-node.yaml\` before creating.
 
 **Port / relation** \u2014 when a critical aspect must cross a node boundary, or when a new typed dependency is needed. Bare relations do NOT propagate aspects; ports do. Six relation types exist (\`calls\`, \`uses\`, \`extends\`, \`implements\`, \`emits\`, \`listens\`); event relations must be paired. Deep dive: \`yg knowledge read ports-and-relations\`.
 
@@ -1129,9 +1129,16 @@ async function testOllama(model, endpoint) {
     body: JSON.stringify({
       model,
       messages: [{ role: "user", content: "Respond with OK" }],
-      stream: false
+      stream: false,
+      // Mirror the real reviewer (OllamaProvider.verifyAspect): disable the
+      // model's reasoning trace so a "thinking" model does not burn the probe
+      // on a long chain-of-thought for a trivial prompt.
+      think: false
     }),
-    signal: AbortSignal.timeout(15e3)
+    // A large local model is cold-loaded from disk on the first request; 15s was
+    // too tight and produced false "connection failed" on working setups. Match
+    // the real reviewer's tolerance (apiFetch default).
+    signal: AbortSignal.timeout(6e4)
   });
   if (!res.ok) {
     const msg = `HTTP ${res.status} ${res.statusText}`;
@@ -1287,9 +1294,9 @@ import path10 from "path";
 import { gt as gt3, lt, valid as valid3 } from "semver";
 
 // src/io/config-parser.ts
-import { readFile as readFile3 } from "fs/promises";
+import { readFile as readFile4 } from "fs/promises";
 import path4 from "path";
-import { parse as parseYaml2 } from "yaml";
+import { parse as parseYaml3 } from "yaml";
 
 // src/utils/known-providers.ts
 var KNOWN_PROVIDERS = [
@@ -1303,6 +1310,39 @@ var KNOWN_PROVIDERS = [
   "gemini-cli"
 ];
 
+// src/io/secrets-parser.ts
+import { readFile as readFile3 } from "fs/promises";
+import { join } from "path";
+import { parse as parseYaml2 } from "yaml";
+function isPlainObject(v) {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+function deepMerge(base, overlay) {
+  const out = { ...base };
+  for (const [key, ov] of Object.entries(overlay)) {
+    const bv = out[key];
+    out[key] = isPlainObject(bv) && isPlainObject(ov) ? deepMerge(bv, ov) : ov;
+  }
+  return out;
+}
+async function loadConfigOverlay(yggRoot) {
+  let content14;
+  try {
+    content14 = await readFile3(join(yggRoot, "yg-secrets.yaml"), "utf-8");
+  } catch (err) {
+    debugWrite(`[secrets-parser] readFile: ${err.message}`);
+    return void 0;
+  }
+  const raw = parseYaml2(content14);
+  if (raw === null || raw === void 0) return void 0;
+  if (typeof raw !== "object" || Array.isArray(raw)) {
+    throw new Error(
+      "yg-secrets.yaml: top level must be a YAML mapping (it is a deep-merge overlay over yg-config.yaml)"
+    );
+  }
+  return raw;
+}
+
 // src/io/config-parser.ts
 var ConfigParseError = class extends Error {
   constructor(messageData, code) {
@@ -1371,15 +1411,17 @@ var PROVIDER_DEFAULTS = {
 };
 async function parseConfig(filePath) {
   const filename = path4.basename(filePath);
-  const content14 = await readFile3(filePath, "utf-8");
-  const raw = parseYaml2(content14);
-  if (!raw || typeof raw !== "object") {
+  const content14 = await readFile4(filePath, "utf-8");
+  const baseRaw = parseYaml3(content14);
+  if (!baseRaw || typeof baseRaw !== "object") {
     throw new ConfigParseError({
       what: `${filename} is empty or not a valid YAML mapping`,
       why: "the top-level structure must be a YAML mapping with keys like reviewer, quality, parallel",
       next: "restore the file from version control, or regenerate it via `yg init`"
     }, "config-invalid");
   }
+  const overlay = await loadConfigOverlay(path4.dirname(filePath));
+  const raw = overlay ? deepMerge(baseRaw, overlay) : baseRaw;
   const version = typeof raw.version === "string" ? raw.version.trim() : void 0;
   const qualityRaw = raw.quality;
   if (qualityRaw !== void 0 && (typeof qualityRaw !== "object" || Array.isArray(qualityRaw))) {
@@ -1608,8 +1650,8 @@ function parseTier(name, raw, filename) {
 }
 
 // src/io/node-parser.ts
-import { readFile as readFile4 } from "fs/promises";
-import { parse as parseYaml3 } from "yaml";
+import { readFile as readFile5 } from "fs/promises";
+import { parse as parseYaml4 } from "yaml";
 
 // src/model/graph.ts
 var STATUS_ORDER = {
@@ -1867,8 +1909,8 @@ function isValidRelationType(t) {
   return typeof t === "string" && RELATION_TYPES2.includes(t);
 }
 async function parseNodeYaml(filePath) {
-  const content14 = await readFile4(filePath, "utf-8");
-  const raw = parseYaml3(content14);
+  const content14 = await readFile5(filePath, "utf-8");
+  const raw = parseYaml4(content14);
   if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
     throw new Error(`yg-node.yaml at ${filePath}: file is empty or not a valid YAML mapping`);
   }
@@ -2058,12 +2100,12 @@ function parsePorts(rawPorts, filePath) {
 }
 
 // src/io/aspect-parser.ts
-import { readFile as readFile6 } from "fs/promises";
+import { readFile as readFile7 } from "fs/promises";
 import path6 from "path";
-import { parse as parseYaml4 } from "yaml";
+import { parse as parseYaml5 } from "yaml";
 
 // src/io/artifact-reader.ts
-import { readFile as readFile5, readdir as readdir2 } from "fs/promises";
+import { readFile as readFile6, readdir as readdir2 } from "fs/promises";
 import path5 from "path";
 async function readArtifacts(dirPath, excludeFiles = ["yg-node.yaml"], includeFiles) {
   let entries;
@@ -2080,7 +2122,7 @@ async function readArtifacts(dirPath, excludeFiles = ["yg-node.yaml"], includeFi
     if (excludeFiles.includes(entry.name)) continue;
     if (includeSet && !includeSet.has(entry.name)) continue;
     const filePath = path5.join(dirPath, entry.name);
-    const content14 = await readFile5(filePath, "utf-8");
+    const content14 = await readFile6(filePath, "utf-8");
     artifacts.push({ filename: entry.name, content: content14 });
   }
   artifacts.sort((a, b) => a.filename.localeCompare(b.filename));
@@ -2227,8 +2269,8 @@ async function parseAspect(aspectDir, aspectYamlPath, id) {
       }]
     };
   }
-  const content14 = await readFile6(aspectYamlPath, "utf-8");
-  const raw = parseYaml4(content14);
+  const content14 = await readFile7(aspectYamlPath, "utf-8");
+  const raw = parseYaml5(content14);
   if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
     return {
       ok: false,
@@ -2719,12 +2761,12 @@ function parseScope(rawScope, aspectId, aspectYamlPath, reviewerType) {
 }
 
 // src/io/flow-parser.ts
-import { readFile as readFile7 } from "fs/promises";
+import { readFile as readFile8 } from "fs/promises";
 import path7 from "path";
-import { parse as parseYaml5 } from "yaml";
+import { parse as parseYaml6 } from "yaml";
 async function parseFlow(flowDir, flowYamlPath) {
-  const content14 = await readFile7(flowYamlPath, "utf-8");
-  const raw = parseYaml5(content14);
+  const content14 = await readFile8(flowYamlPath, "utf-8");
+  const raw = parseYaml6(content14);
   if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
     throw new Error(`yg-flow.yaml at ${flowYamlPath}: file is empty or not a valid YAML mapping`);
   }
@@ -2780,13 +2822,13 @@ async function parseFlow(flowDir, flowYamlPath) {
 }
 
 // src/io/schema-parser.ts
-import { readFile as readFile8 } from "fs/promises";
+import { readFile as readFile9 } from "fs/promises";
 import path8 from "path";
-import { parse as parseYaml6 } from "yaml";
+import { parse as parseYaml7 } from "yaml";
 async function parseSchema(filePath) {
   const filename = path8.basename(filePath);
-  const content14 = await readFile8(filePath, "utf-8");
-  const raw = parseYaml6(content14);
+  const content14 = await readFile9(filePath, "utf-8");
+  const raw = parseYaml7(content14);
   if (raw != null && (typeof raw !== "object" || Array.isArray(raw))) {
     throw new Error(`${filename} at ${filePath}: expected YAML mapping or empty document`);
   }
@@ -2796,12 +2838,12 @@ async function parseSchema(filePath) {
 }
 
 // src/io/architecture-parser.ts
-import { readFile as readFile9 } from "fs/promises";
-import { parse as parseYaml7 } from "yaml";
+import { readFile as readFile10 } from "fs/promises";
+import { parse as parseYaml8 } from "yaml";
 var VALID_RELATION_TYPES = /* @__PURE__ */ new Set(["uses", "calls", "extends", "implements", "emits", "listens"]);
 async function parseArchitecture(filePath) {
-  const content14 = await readFile9(filePath, "utf-8");
-  const raw = parseYaml7(content14);
+  const content14 = await readFile10(filePath, "utf-8");
+  const raw = parseYaml8(content14);
   if (raw && (typeof raw !== "object" || Array.isArray(raw))) {
     throw new Error(`yg-architecture.yaml: file must be a YAML mapping (or empty/omitted)`);
   }
@@ -3350,7 +3392,7 @@ function readLock(yggRoot) {
     nodes: obj.nodes
   };
 }
-function isPlainObject(value) {
+function isPlainObject2(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function throwMalformed(detail) {
@@ -3365,19 +3407,19 @@ function validateLockShape(obj) {
   for (const key of Object.keys(obj)) {
     if (!TOP_KEYS.has(key)) throwMalformed(`unexpected top-level key "${key}" (allowed: version, verdicts, nodes)`);
   }
-  if (!isPlainObject(obj.verdicts)) {
+  if (!isPlainObject2(obj.verdicts)) {
     throwMalformed('"verdicts" must be a JSON object (found ' + describe(obj.verdicts) + ")");
   }
   for (const aspectId of Object.keys(obj.verdicts)) {
     const unitMap = obj.verdicts[aspectId];
-    if (!isPlainObject(unitMap)) {
+    if (!isPlainObject2(unitMap)) {
       throwMalformed(`"verdicts.${aspectId}" must be a JSON object (found ${describe(unitMap)})`);
     }
     for (const unitKey of Object.keys(unitMap)) {
       validateVerdictEntry(unitMap[unitKey], `verdicts.${aspectId}.${unitKey}`);
     }
   }
-  if (!isPlainObject(obj.nodes)) {
+  if (!isPlainObject2(obj.nodes)) {
     throwMalformed('"nodes" must be a JSON object (found ' + describe(obj.nodes) + ")");
   }
   for (const nodePath of Object.keys(obj.nodes)) {
@@ -3385,7 +3427,7 @@ function validateLockShape(obj) {
   }
 }
 function validateVerdictEntry(entry, at) {
-  if (!isPlainObject(entry)) throwMalformed(`"${at}" must be a JSON object (found ${describe(entry)})`);
+  if (!isPlainObject2(entry)) throwMalformed(`"${at}" must be a JSON object (found ${describe(entry)})`);
   const ENTRY_KEYS = /* @__PURE__ */ new Set(["verdict", "hash", "reason", "touched"]);
   for (const key of Object.keys(entry)) {
     if (!ENTRY_KEYS.has(key)) throwMalformed(`"${at}" has unexpected key "${key}" (allowed: verdict, hash, reason, touched)`);
@@ -3412,7 +3454,7 @@ function validateVerdictEntry(entry, at) {
   }
 }
 function validateNodeEntry(entry, at) {
-  if (!isPlainObject(entry)) throwMalformed(`"${at}" must be a JSON object (found ${describe(entry)})`);
+  if (!isPlainObject2(entry)) throwMalformed(`"${at}" must be a JSON object (found ${describe(entry)})`);
   const NODE_KEYS = /* @__PURE__ */ new Set(["source", "log"]);
   for (const key of Object.keys(entry)) {
     if (!NODE_KEYS.has(key)) throwMalformed(`"${at}" has unexpected key "${key}" (allowed: source, log)`);
@@ -3421,7 +3463,7 @@ function validateNodeEntry(entry, at) {
     throwMalformed(`"${at}.source" must be a string when present (found ${describe(entry.source)})`);
   }
   if (entry.log !== void 0) {
-    if (!isPlainObject(entry.log)) {
+    if (!isPlainObject2(entry.log)) {
       throwMalformed(`"${at}.log" must be a JSON object when present (found ${describe(entry.log)})`);
     }
     const LOG_KEYS = /* @__PURE__ */ new Set(["last_entry_datetime", "prefix_hash"]);
@@ -3575,11 +3617,6 @@ function getPackageRoot() {
 function getGraphSchemasDir() {
   return path13.join(getPackageRoot(), "graph-schemas");
 }
-async function getCliVersion() {
-  const pkgPath = path13.join(getPackageRoot(), "package.json");
-  const pkg2 = JSON.parse(await readFile10(pkgPath, "utf-8"));
-  return pkg2.version;
-}
 async function refreshSchemas(yggRoot) {
   const schemasDir = path13.join(yggRoot, "schemas");
   await mkdir3(schemasDir, { recursive: true });
@@ -3589,7 +3626,7 @@ async function refreshSchemas(yggRoot) {
     const schemaFiles = entries.filter((e) => e.isFile()).map((e) => e.name);
     for (const file of schemaFiles) {
       const srcPath = path13.join(graphSchemasDir, file);
-      const content14 = await readFile10(srcPath, "utf-8");
+      const content14 = await readFile11(srcPath, "utf-8");
       await writeFile4(path13.join(schemasDir, file), content14, "utf-8");
     }
   } catch (e) {
@@ -3610,7 +3647,7 @@ async function ensureGitattributes(repoRoot) {
   const gaPath = path13.join(repoRoot, ".gitattributes");
   let existing;
   try {
-    existing = await readFile10(gaPath, "utf-8");
+    existing = await readFile11(gaPath, "utf-8");
   } catch (e) {
     if (e.code !== "ENOENT") throw e;
     debugWrite(`[init] ensureGitattributes: ${gaPath} not found (ENOENT), will create`);
@@ -3636,7 +3673,7 @@ async function ensureYggdrasilGitignore(yggRoot) {
   const giPath = path13.join(yggRoot, ".gitignore");
   let existing;
   try {
-    existing = await readFile10(giPath, "utf-8");
+    existing = await readFile11(giPath, "utf-8");
   } catch (e) {
     if (e.code !== "ENOENT") throw e;
     debugWrite(`[init] ensureYggdrasilGitignore: ${giPath} not found (ENOENT), will create`);
@@ -3825,7 +3862,7 @@ async function writeReviewerConfig(yggRoot, config) {
   const configPath = path13.join(yggRoot, "yg-config.yaml");
   let raw = {};
   try {
-    const content14 = await readFile10(configPath, "utf-8");
+    const content14 = await readFile11(configPath, "utf-8");
     raw = yamlParse(content14) ?? {};
   } catch (err) {
     const e = err;
@@ -3857,7 +3894,7 @@ async function writeSecretsFile(yggRoot, provider, apiKey) {
   const secretsPath = path13.join(yggRoot, "yg-secrets.yaml");
   let raw = {};
   try {
-    const content14 = await readFile10(secretsPath, "utf-8");
+    const content14 = await readFile11(secretsPath, "utf-8");
     raw = yamlParse(content14) ?? {};
   } catch (err) {
     const e = err;
@@ -3919,7 +3956,7 @@ async function createYggdrasilStructure(projectRoot, yggRoot, platform) {
     const schemaFiles = entries.filter((e) => e.isFile()).map((e) => e.name);
     for (const file of schemaFiles) {
       const srcPath = path13.join(graphSchemasDir, file);
-      const content14 = await readFile10(srcPath, "utf-8");
+      const content14 = await readFile11(srcPath, "utf-8");
       await writeFile4(path13.join(schemasDir, file), content14, "utf-8");
     }
   } catch (err) {
@@ -3966,9 +4003,8 @@ async function existingInit(projectRoot) {
   }
   p.intro(chalk2.bold("Yggdrasil Configuration"));
   const currentVersion = await detectVersion(yggRoot);
-  const cliVersion = await getCliVersion();
-  if (currentVersion && currentVersion !== cliVersion) {
-    p.log.step(`Graph version ${currentVersion} detected \u2014 CLI is ${cliVersion}. Upgrade required.`);
+  if (currentVersion && currentVersion !== CLI_SUPPORTED_SCHEMA) {
+    p.log.step(`Graph schema ${currentVersion} detected \u2014 this CLI uses schema ${CLI_SUPPORTED_SCHEMA}. Upgrade required.`);
     p.log.info("Select the agent platform so rules and schemas advance together.");
     const platform = await promptPlatform();
     const s = p.spinner();
@@ -4994,7 +5030,7 @@ function formatFileContext(data) {
 }
 
 // src/io/file-content-cache.ts
-import { readFile as readFile11, stat as stat4 } from "fs/promises";
+import { readFile as readFile12, stat as stat4 } from "fs/promises";
 var SIZE_LIMIT_BYTES = 5 * 1024 * 1024;
 var BINARY_PROBE_BYTES = 8 * 1024;
 var FileContentCache = class {
@@ -5024,7 +5060,7 @@ var FileContentCache = class {
     }
     let buf;
     try {
-      buf = await readFile11(absPath);
+      buf = await readFile12(absPath);
     } catch (e) {
       return {
         isBinary: false,
@@ -5255,21 +5291,21 @@ function renderNode(node, indent, lines) {
 }
 
 // src/io/hash.ts
-import { readFile as readFile13, readdir as readdir5, stat as stat5 } from "fs/promises";
+import { readFile as readFile14, readdir as readdir5, stat as stat5 } from "fs/promises";
 import path15 from "path";
 import { createHash } from "crypto";
 import { createRequire as createRequire2 } from "module";
 
 // src/io/repo-scanner.ts
-import { readFile as readFile12, readdir as readdir4 } from "fs/promises";
-import { join, relative, sep } from "path";
+import { readFile as readFile13, readdir as readdir4 } from "fs/promises";
+import { join as join2, relative, sep } from "path";
 import { createRequire } from "module";
 var require2 = createRequire(import.meta.url);
 var ignoreFactory = require2("ignore");
 var YGGDRASIL_DIRNAME = ".yggdrasil";
 async function loadRootGitignoreStack(projectRoot) {
   try {
-    const content14 = await readFile12(join(projectRoot, ".gitignore"), "utf-8");
+    const content14 = await readFile13(join2(projectRoot, ".gitignore"), "utf-8");
     const ig = ignoreFactory();
     ig.add(content14);
     return [{ dir: projectRoot, ig }];
@@ -5290,7 +5326,7 @@ function isIgnoredByStack(absPath, stack) {
 async function collectFiles(dir, projectRoot, stack) {
   let localStack = stack;
   try {
-    const content14 = await readFile12(join(dir, ".gitignore"), "utf-8");
+    const content14 = await readFile13(join2(dir, ".gitignore"), "utf-8");
     const ig = ignoreFactory();
     ig.add(content14);
     localStack = [...stack, { dir, ig }];
@@ -5306,7 +5342,7 @@ async function collectFiles(dir, projectRoot, stack) {
   }
   const results = [];
   for (const entry of entries) {
-    const absPath = join(dir, entry.name);
+    const absPath = join2(dir, entry.name);
     if (entry.isDirectory()) {
       if (entry.name === ".git") continue;
       if (entry.name === YGGDRASIL_DIRNAME && dir === projectRoot) continue;
@@ -5344,13 +5380,13 @@ async function walkRepoFiles(projectRoot) {
 var require3 = createRequire2(import.meta.url);
 var ignoreFactory2 = require3("ignore");
 async function hashFile(filePath) {
-  const content14 = await readFile13(filePath);
+  const content14 = await readFile14(filePath);
   return createHash("sha256").update(content14).digest("hex");
 }
 async function loadRootGitignoreStack2(projectRoot) {
   if (!projectRoot) return [];
   try {
-    const content14 = await readFile13(path15.join(projectRoot, ".gitignore"), "utf-8");
+    const content14 = await readFile14(path15.join(projectRoot, ".gitignore"), "utf-8");
     const matcher = ignoreFactory2();
     matcher.add(content14);
     return [{ basePath: projectRoot, matcher }];
@@ -5375,7 +5411,7 @@ function hashBytes(bytes) {
 async function collectDirectoryFilePaths(directoryPath, rootDirectoryPath, options) {
   let stack = options.gitignoreStack ?? [];
   try {
-    const localContent = await readFile13(path15.join(directoryPath, ".gitignore"), "utf-8");
+    const localContent = await readFile14(path15.join(directoryPath, ".gitignore"), "utf-8");
     const localMatcher = ignoreFactory2();
     localMatcher.add(localContent);
     stack = [...stack, { basePath: directoryPath, matcher: localMatcher }];
@@ -6867,81 +6903,6 @@ async function checkDirectoriesHaveNodeYaml(graph) {
   return issues;
 }
 
-// src/io/secrets-parser.ts
-import { readFile as readFile14 } from "fs/promises";
-import { join as join2 } from "path";
-import { parse as parseYaml8 } from "yaml";
-async function loadSecrets(rootPath, providerName) {
-  const secretsPath = join2(rootPath, "yg-secrets.yaml");
-  let content14;
-  try {
-    content14 = await readFile14(secretsPath, "utf-8");
-  } catch (err) {
-    debugWrite(`[secrets-parser] readFile: ${err.message}`);
-    return void 0;
-  }
-  const raw = parseYaml8(content14);
-  if (raw === null || raw === void 0) return void 0;
-  if (typeof raw !== "object" || Array.isArray(raw)) {
-    throw new Error(`yg-secrets.yaml: top level must be a YAML mapping`);
-  }
-  const rawObj = raw;
-  if (rawObj.reviewer === void 0) return void 0;
-  if (typeof rawObj.reviewer !== "object" || rawObj.reviewer === null || Array.isArray(rawObj.reviewer)) {
-    throw new Error(`yg-secrets.yaml: 'reviewer' must be a YAML mapping`);
-  }
-  if (!providerName) return void 0;
-  const reviewerRaw = rawObj.reviewer;
-  const providerSection = reviewerRaw[providerName];
-  if (providerSection === void 0) return void 0;
-  if (typeof providerSection !== "object" || providerSection === null || Array.isArray(providerSection)) {
-    throw new Error(`yg-secrets.yaml: 'reviewer.${providerName}' must be a YAML mapping`);
-  }
-  return extractSecretFields(providerSection, providerName);
-}
-function extractSecretFields(raw, providerName) {
-  const ctx = (field) => `yg-secrets.yaml at reviewer.${providerName}.${field}`;
-  if (raw.api_key !== void 0) {
-    if (typeof raw.api_key !== "string") throw new Error(`${ctx("api_key")}: must be a string`);
-    if (raw.api_key.trim() !== "") {
-      return { api_key: raw.api_key };
-    }
-  }
-  return void 0;
-}
-function mergeLlmConfig(base, secrets) {
-  return { ...base, ...secrets };
-}
-async function inspectSecretsForValidation(rootPath) {
-  const secretsPath = join2(rootPath, "yg-secrets.yaml");
-  let content14;
-  try {
-    content14 = await readFile14(secretsPath, "utf-8");
-  } catch {
-    return [];
-  }
-  const raw = parseYaml8(content14);
-  if (raw === null || raw === void 0) return [];
-  if (typeof raw !== "object" || Array.isArray(raw)) {
-    throw new Error(`yg-secrets.yaml: top level must be a YAML mapping`);
-  }
-  if (raw.reviewer === void 0) return [];
-  if (typeof raw.reviewer !== "object" || raw.reviewer === null || Array.isArray(raw.reviewer)) {
-    throw new Error(`yg-secrets.yaml: 'reviewer' must be a YAML mapping`);
-  }
-  const reviewerRaw = raw.reviewer;
-  const results = [];
-  for (const [provider, section] of Object.entries(reviewerRaw)) {
-    if (!section || typeof section !== "object" || Array.isArray(section)) continue;
-    const sectionObj = section;
-    const foreignKeys = Object.keys(sectionObj).filter((k) => k !== "api_key");
-    if (foreignKeys.length > 0) {
-      results.push({ provider, foreignKeys });
-    }
-  }
-  return results;
-}
-
 // src/core/checks/relations.ts
 function findSimilar(target, candidates2) {
   if (candidates2.length === 0) return null;
@@ -7205,21 +7166,6 @@ function checkMissingDescriptions(graph) {
   }
   return issues;
 }
-async function checkSecretsCredentialsOnly(graph) {
-  const foreign = await inspectSecretsForValidation(graph.rootPath);
-  const issues = [];
-  for (const { provider, foreignKeys } of foreign) {
-    for (const key of foreignKeys) {
-      const msgData = {
-        what: `yg-secrets.yaml has '${key}' under reviewer.${provider}.`,
-        why: "The secrets file accepts only api_key; non-credential fields belong in yg-config.yaml tiers.",
-        next: `Move '${key}' into reviewer.tiers.<name> in .yggdrasil/yg-config.yaml and remove it from yg-secrets.yaml.`
-      };
-      issues.push({ code: "secrets-non-credential-field", severity: "error", rule: "secrets-non-credential-field", ...issueMsg(msgData), messageData: msgData });
-    }
-  }
-  return issues;
-}
 
 // src/core/validator.ts
 var ARCHITECTURE_FATAL_CODES = /* @__PURE__ */ new Set([
@@ -7332,7 +7278,6 @@ async function validate(graph, scope = "all") {
   issues.push(...await checkAspectReferences(graph));
   issues.push(...checkAspectStatusDowngrade(graph));
   issues.push(...checkFileDuplicateMapping(graph));
-  issues.push(...await checkSecretsCredentialsOnly(graph));
   const strictOutcome = await checkStrictBackwardCoverage(graph, cache);
   issues.push(...strictOutcome.issues);
   allUnreadable.push(...strictOutcome.unreadable);
@@ -9285,11 +9230,7 @@ var STRUCTURAL_CODES = /* @__PURE__ */ new Set([
   // re-validation in runCheck. Always an error (not an aspect, not suppressible);
   // a node depends on another node without a declared, sanctioned relation, or its
   // relation verdict could not be confirmed against the current tree.
-  "relation-undeclared-dependency",
-  // yg-secrets.yaml carries a non-credential field (only api_key is allowed).
-  // Emitted as a blocking error and gates --approve; structural so the summary
-  // tally counts it and computeSuggestedNext can point at it.
-  "secrets-non-credential-field"
+  "relation-undeclared-dependency"
 ]);
 var COMPLETENESS_CODES = /* @__PURE__ */ new Set(["description-missing"]);
 var APPROVE_GATING_CODES = /* @__PURE__ */ new Set([
@@ -9313,8 +9254,7 @@ var APPROVE_GATING_CODES = /* @__PURE__ */ new Set([
   "aspect-reviewer-type-invalid",
   "aspect-reviewer-unknown-key",
   "aspect-tier-on-deterministic",
-  "aspect-tier-unknown",
-  "secrets-non-credential-field"
+  "aspect-tier-unknown"
 ]);
 
 // src/core/log-format.ts
@@ -9454,10 +9394,7 @@ function computeLlmInputHash(input) {
     kind: "llm",
     references,
     tier: {
-      config: input.tier.config,
-      consensus: input.tier.consensus,
-      name: input.tier.name,
-      provider: input.tier.provider
+      name: input.tier.name
     }
   };
   return hashString(codePointCanonicalJson(canonical));
@@ -9490,14 +9427,8 @@ function hashListObservation(entries) {
 function hashExistsObservation(result) {
   return hashString(result === false ? "false" : result);
 }
-function tierHashView(tierName, llm) {
-  const { api_key: _a, timeout: _t, ...rest } = llm.config;
-  return {
-    name: tierName,
-    provider: llm.provider,
-    consensus: llm.consensus,
-    config: rest
-  };
+function tierHashView(tierName) {
+  return { name: tierName };
 }
 
 // src/structure/ctx-graph.ts
@@ -9673,16 +9604,8 @@ function ruleHashFor(aspect, filename) {
 function nodeDescriptionFor(graph, nodePath) {
   return graph.nodes.get(nodePath)?.meta.description ?? "";
 }
-function tierHashViewFromTier(tierName, tier) {
-  const {
-    provider,
-    consensus,
-    // Excluded gates — never fold into the verdict hash.
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    max_prompt_chars: _mpc,
-    ...rest
-  } = tier;
-  return tierHashView(tierName, { provider, consensus, config: rest });
+function tierHashViewFromTier(tierName) {
+  return tierHashView(tierName);
 }
 
 // src/llm/xml-escape.ts
@@ -9868,7 +9791,7 @@ async function verifyLlmPair(pair, aspect, graph, lock, projectRoot, storedEntry
       ruleHash,
       files: subjects.map((s) => [s.path, hashCached(path24.resolve(projectRoot, s.path), s.bytes)]),
       references: referencesForHash,
-      tier: tierHashViewFromTier(tierResult.tierName, tierResult.tier),
+      tier: tierHashViewFromTier(tierResult.tierName),
       verdict: storedEntry.verdict
     });
     valid4 = expectedHash === storedEntry.hash;
@@ -13289,14 +13212,41 @@ import { execFile as execFile2 } from "child_process";
 import { tmpdir } from "os";
 import { promisify as promisify2 } from "util";
 var execFileAsync2 = promisify2(execFile2);
+function coerceBool(v) {
+  if (typeof v === "boolean") return v;
+  if (typeof v === "string") {
+    const s = v.trim().toLowerCase();
+    if (s === "true") return true;
+    if (s === "false") return false;
+  }
+  return void 0;
+}
 function normalizeResponse(raw) {
   const r = raw;
   return {
-    satisfied: typeof r.satisfied === "boolean" ? r.satisfied : false,
+    satisfied: coerceBool(r.satisfied) ?? false,
     reason: typeof r.reason === "string" ? r.reason : "",
     errorSource: "codeViolation"
   };
 }
+function salvageVerdict(text2) {
+  if (!text2.includes("{")) return void 0;
+  const verdicts = [...text2.matchAll(/"satisfied"\s*:\s*"?(true|false)"?/gi)];
+  if (verdicts.length === 0) return void 0;
+  const satisfied = verdicts[verdicts.length - 1][1].toLowerCase() === "true";
+  let reason = "";
+  const rms = [...text2.matchAll(/"reason"\s*:\s*"/g)];
+  if (rms.length > 0) {
+    const m = rms[rms.length - 1];
+    reason = text2.slice((m.index ?? 0) + m[0].length).split(/"\s*,\s*"satisfied"\s*:/i)[0].replace(/\s*}\s*$/, "").replace(/"\s*$/, "").replace(/\\"/g, '"').replace(/\\n/g, "\n").replace(/\\t/g, "	").replace(/\\\\/g, "\\").trim();
+  }
+  debugWrite("[parseAspectResponse] salvaged verdict from invalid-JSON reply");
+  return {
+    satisfied,
+    reason: reason || "(verdict salvaged; reviewer reason was not valid JSON)",
+    errorSource: "codeViolation"
+  };
+}
 function extractLastVerdict(text2) {
   let last;
   for (let i = 0; i < text2.length; i++) {
@@ -13319,7 +13269,7 @@ function extractLastVerdict(text2) {
         if (depth === 0) {
           try {
             const obj = JSON.parse(text2.slice(i, j + 1));
-            if (obj && typeof obj.satisfied === "boolean") last = obj;
+            if (obj && coerceBool(obj.satisfied) !== void 0) last = obj;
           } catch {
           }
           break;
@@ -13347,6 +13297,8 @@ function parseAspectResponse(output) {
   }
   const verdict = extractLastVerdict(trimmed);
   if (verdict) return normalizeResponse(verdict);
+  const salvaged = salvageVerdict(trimmed);
+  if (salvaged) return salvaged;
   debugWrite("[parseAspectResponse] no parseable JSON verdict \u2014 classifying as provider error");
   return { satisfied: false, reason: `Unparseable reviewer response: ${trimmed.slice(0, 160)}`, errorSource: "provider" };
 }
@@ -13432,10 +13384,12 @@ var OllamaProvider = class {
   endpoint;
   model;
   temperature;
+  timeout;
   constructor(config) {
     this.endpoint = config.endpoint ?? "http://localhost:11434";
     this.model = config.model;
     this.temperature = config.temperature;
+    this.timeout = config.timeout ?? 3e5;
   }
   async isAvailable() {
     try {
@@ -13452,8 +13406,15 @@ var OllamaProvider = class {
       model: this.model,
       messages: [{ role: "user", content: prompt }],
       stream: false,
-      think: false,
-      options: { temperature: this.temperature, num_predict: 500 },
+      // Native thinking ON: the model reasons in its own `thinking` channel and
+      // emits only the final JSON verdict in `content`. The verdict therefore
+      // follows the reasoning (no snap-judgment before the rules are weighed) and
+      // chain-of-thought never leaks into the parsed `reason`.
+      think: true,
+      // num_predict: -1 → generate until the model stops; no cap, so the verdict
+      // is never truncated (a cut-off JSON would otherwise fail to parse and waste
+      // a re-verification).
+      options: { temperature: this.temperature, num_predict: -1 },
       format: "json"
     };
     try {
@@ -13461,7 +13422,7 @@ var OllamaProvider = class {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify(body)
-      }, "ollama");
+      }, "ollama", this.timeout);
       if (!res.ok) {
         debugWrite(`[ollama] http_error: ${res.status} ${res.statusText}`);
         return fallback;
@@ -13571,7 +13532,11 @@ var AnthropicProvider = class {
         body: JSON.stringify({
           model: this.model,
           messages: [{ role: "user", content: prompt }],
-          max_tokens: 500,
+          // Never cap the verdict. The Anthropic API requires a max_tokens ceiling
+          // (there is no "unlimited"), so set it far above any reviewer reply — a
+          // verdict is hundreds of tokens; this is many times that — so it is never
+          // truncated. A truncated reply still fails closed when parsed.
+          max_tokens: 8192,
           temperature: this.temperature
         })
       }, "anthropic");
@@ -14698,7 +14663,7 @@ async function fillLlmPair(graph, projectRoot, pair, aspect, tier, tierName, mer
     ruleHash: ruleHashFor(aspect, "content.md"),
     files: subjects.map((s) => [s.path, hashBytes(s.bytes)]),
     references: referencesForHash,
-    tier: tierHashViewFromTier(tierName, tier),
+    tier: tierHashViewFromTier(tierName),
     verdict
   });
   const entry = { verdict, hash };
@@ -14765,7 +14730,7 @@ async function logGateBlocks(graph, projectRoot, node, lock, emitIssue) {
   if (!blocked) return false;
   emitIssue({
     what: `No fresh log entry for node '${toPosixPath(node.path)}' \u2014 mandatory before --approve when source changed.`,
-    why: `Node type '${node.meta.type}' has log_required: true \u2014 every source change needs a justification entry capturing WHY. This node's pairs are skipped this run; other nodes proceed.`,
+    why: `Node type '${node.meta.type}' has log_required: true \u2014 every source change needs a justification entry capturing WHY. --approve stops here and approves nothing this run until a fresh entry exists.`,
     next: `yg log add --node ${toPosixPath(node.path)} --reason '<justification>', then re-run: yg check --approve`
   });
   return true;
@@ -14929,6 +14894,14 @@ async function runFill(graph, opts) {
     const blocked = await logGateBlocks(graph, projectRoot, node, lock, emitIssue);
     if (blocked) blockedNodes.add(nodePath);
   }
+  if (blockedNodes.size > 0) {
+    throw new FillGatingError([{
+      code: "log-entry-required",
+      what: `${blockedNodes.size} node(s) need a fresh log entry before --approve.`,
+      why: "Source changed on log_required nodes without a justification entry; nothing was approved this run.",
+      next: "Add the log entries listed above (yg log add), then re-run: yg check --approve"
+    }]);
+  }
   let reviewerCallsMade = 0;
   let infraFailures = 0;
   let runtimeErrors = 0;
@@ -14968,7 +14941,6 @@ async function runFill(graph, opts) {
       next: `Fix the deterministic violations on '${toPosixPath(nodePath)}', then re-run: yg check --approve`
     });
   }
-  const secretsByProvider = /* @__PURE__ */ new Map();
   const referencesCache = /* @__PURE__ */ new Map();
   const byTier = /* @__PURE__ */ new Map();
   const infraReport = [];
@@ -14995,12 +14967,7 @@ async function runFill(graph, opts) {
   const parallel = Math.max(1, graph.config.parallel ?? 1);
   for (const [tierName, group] of byTier) {
     const baseTier = group[0].tier;
-    if (!secretsByProvider.has(baseTier.provider)) {
-      const secrets = await loadSecrets(graph.rootPath, baseTier.provider);
-      secretsByProvider.set(baseTier.provider, secrets ?? null);
-    }
-    const merged = applySecrets(baseTier, secretsByProvider.get(baseTier.provider));
-    const provider = createLlmProvider(merged);
+    const provider = createLlmProvider(baseTier);
     let available;
     try {
       available = await provider.isAvailable();
@@ -15010,16 +14977,22 @@ async function runFill(graph, opts) {
     }
     if (!available) {
       infraFailures += group.length;
-      infraReport.push({ provider: merged.provider, tier: tierName });
+      infraReport.push({ provider: baseTier.provider, tier: tierName });
       emitIssue({
-        what: `Reviewer provider '${merged.provider}' (tier '${tierName}') is unreachable \u2014 ${group.length} pair(s) left unverified.`,
+        what: `Reviewer provider '${baseTier.provider}' (tier '${tierName}') is unreachable \u2014 ${group.length} pair(s) left unverified.`,
         why: "The configured reviewer endpoint did not respond (availability check failed) \u2014 an infrastructure problem, not a code violation. No verdict was written.",
         next: `Check the provider endpoint, network, and credentials, then re-run: yg check --approve`
       });
       continue;
     }
     const outcomes = await runPairPool(group, parallel, async (item) => {
-      return fillLlmPair(graph, projectRoot, item.pair, item.aspect, item.tier, item.tierName, merged, provider, referencesCache);
+      const outcome = await fillLlmPair(graph, projectRoot, item.pair, item.aspect, item.tier, item.tierName, baseTier, provider, referencesCache);
+      if (outcome.kind !== "infra") {
+        await setEntry(item.pair.aspectId, item.pair.unitKey, outcome.entry);
+        write(`  [llm] ${item.pair.aspectId} on ${toPosixPath(item.pair.unitKey)} \u2014 ${outcome.entry.verdict}
+`);
+      }
+      return outcome;
     });
     for (let i = 0; i < group.length; i++) {
       const item = group[i];
@@ -15027,17 +15000,13 @@ async function runFill(graph, opts) {
       reviewerCallsMade += outcome.callsMade;
       if (outcome.kind === "infra") {
         infraFailures += 1;
-        infraReport.push({ provider: merged.provider, tier: tierName });
+        infraReport.push({ provider: baseTier.provider, tier: tierName });
         emitIssue({
           what: `Reviewer could not verify aspect '${item.pair.aspectId}' on ${toPosixPath(item.pair.unitKey)} \u2014 left unverified.`,
           why: outcome.why,
           next: `Resolve the provider/config problem, then re-run: yg check --approve`
         });
-        continue;
       }
-      await setEntry(item.pair.aspectId, item.pair.unitKey, outcome.entry);
-      write(`  [llm] ${item.pair.aspectId} on ${toPosixPath(item.pair.unitKey)} \u2014 ${outcome.entry.verdict}
-`);
     }
   }
   await applyPositiveClosure(graph, projectRoot, lock, blockedNodes, persistLock);
@@ -15066,9 +15035,6 @@ async function runFill(graph, opts) {
   const checkResult = await runCheck(graph, opts.gitTrackedFiles);
   return { checkResult, reviewerCallsMade, infraFailures, runtimeErrors };
 }
-function applySecrets(tier, secrets) {
-  return secrets ? mergeLlmConfig(tier, secrets) : tier;
-}
 
 // src/cli/check.ts
 import { execFileSync } from "child_process";
@@ -15636,8 +15602,7 @@ async function runLlmAspectTest(graph, projectRoot, aspect, nodePath, dryRun) {
   const nodeDescription = nodeDescriptionFor(graph, nodePath);
   const aspectContent = contentFor(aspect, "content.md");
   if (!dryRun) {
-    const secrets = await loadSecrets(graph.rootPath, tier.provider);
-    const mergedTier = secrets ? mergeLlmConfig(tier, secrets) : tier;
+    const mergedTier = tier;
     const provider = createLlmProvider(mergedTier);
     let available;
     try {
@@ -18344,8 +18309,10 @@ verdict: "approved" | "refused"             // the discrete token \u2014 tamper
 \`\`\`
 
 LLM pairs additionally fold their prompt inputs: the aspect description, each
-reference \`[path, sha256(bytes), description]\`, and the resolved tier
-\`{name, provider, consensus, config}\`.
+reference \`[path, sha256(bytes), description]\`, and the resolved tier's NAME.
+The tier's config (provider, model, endpoint, temperature, consensus, api_key,
+timeout) is NOT a verdict input \u2014 only the name folds in, so a named tier can be
+re-pointed at a different reviewer without invalidating any recorded verdict.
 
 Deterministic pairs additionally fold the **observation set** \u2014 everything the
 check observed through \`ctx\` beyond its subject files, recorded by the runner:
@@ -18375,8 +18342,10 @@ costs at worst one free re-run; a missed one yields a stale-green verdict.
 - **\`reason\`** / free-text output \u2014 only the discrete verdict token is folded.
 - **Node description** \u2014 prompt garnish, not hashed (the aspect description IS
   hashed for LLM pairs).
-- **\`timeout\`** and **api_key** in tier config \u2014 transport / secret knobs, not
-  judgment inputs.
+- **Tier config** \u2014 provider, model, endpoint, temperature, consensus, api_key,
+  and timeout. Only the tier NAME folds into the hash; the resolved config is the
+  reviewer's private business, so re-pointing a named tier at a different model or
+  provider does not invalidate a verdict.
 - **\`max_prompt_chars\`** \u2014 a gate, not an input; lowering it can trip the gate on
   an already-verified pair without invalidating the verdict.
 - **\`when\` / \`implies\` / port declarations** \u2014 applicability is recomputed live
@@ -18630,10 +18599,10 @@ Provider-specific options passed to the LLM client:
 | \`endpoint\` | string | Required for \`openai-compatible\` (no default host \u2014 else falls back to api.openai.com); \`ollama\` defaults to http://localhost:11434. |
 | \`timeout\` | number | Timeout in seconds. Default 300. Applies to CLI providers only \u2014 non-CLI/API providers ignore it. Not folded into a verdict's hash (a transport knob). |
 
-API keys do NOT live here \u2014 they belong in \`yg-secrets.yaml\` (api_key only).
-API providers also read the provider API key from environment variables (e.g.
-the provider's standard \`*_API_KEY\`) as a fallback when not present in
-\`yg-secrets.yaml\`.
+API keys do NOT belong in the committed config \u2014 put them in \`yg-secrets.yaml\`,
+the local overlay (see "Secrets and local overrides" below). API providers also
+read the provider API key from the standard \`*_API_KEY\` environment variable as
+a fallback when it is not present in \`yg-secrets.yaml\`.
 
 ## Multi-tier example
 
@@ -18670,25 +18639,30 @@ reviewer:
   type: llm
 \`\`\`
 
-## Secrets (yg-secrets.yaml)
+## Secrets and local overrides (yg-secrets.yaml)
 
-API keys go in \`yg-secrets.yaml\`, NOT in \`yg-config.yaml\`.
-\`yg-secrets.yaml\` is gitignored by default \u2014 see "Local state (.yggdrasil/.gitignore)" below.
+\`yg-secrets.yaml\` is a deep-merge OVERLAY over \`yg-config.yaml\`: it mirrors the
+same shape, and any field present in it wins. Use it for the API key of a tier,
+or to point a named tier at a different provider/model/endpoint on your machine.
+It is gitignored by default \u2014 see "Local state (.yggdrasil/.gitignore)" below \u2014
+and is never committed.
 
 \`\`\`yaml
 # .yggdrasil/yg-secrets.yaml  \u2014 gitignored, never commit
 reviewer:
-  anthropic:
-    api_key: sk-ant-...
+  tiers:
+    standard:
+      config:
+        api_key: sk-ant-...
 \`\`\`
 
-The secrets file accepts only \`api_key\` per provider. Any other field
-triggers \`secrets-non-credential-field\` from \`yg check\` \u2014 non-credential
-overrides belong in the tier's \`config:\` block instead.
+Because only the tier NAME is folded into a verdict's hash, an overlay never
+invalidates recorded baselines: the committed config names a canonical reviewer
+while each machine points the same named tier at its own provider, model, or key.
 
-API providers also read the provider API key from environment variables (e.g.
-the provider's standard \`*_API_KEY\`) as a fallback when not present in
-\`yg-secrets.yaml\`. If the env var is set, \`yg-secrets.yaml\` is not required.
+API providers also read the provider API key from the standard \`*_API_KEY\`
+environment variable as a fallback. If the env var is set, the key is not needed
+in \`yg-secrets.yaml\`.
 
 \`yg-config.yaml\` itself must never contain credentials. Commit it to the
 repository \u2014 it is safe to share.

package/graph-schemas/yg-config.yaml

@@ -46,4 +46,8 @@ reviewer:                         # required — aspect verification during yg c
     #     tier: deep
     #
     # Tier names match ^[a-zA-Z][a-zA-Z0-9_-]{0,62}$ and `default` is reserved.
-    # API keys live in yg-secrets.yaml (api_key only) — never in this file.
+    # yg-secrets.yaml is a deep-merge overlay over this file (gitignored): it
+    # mirrors the same shape and overrides any field locally — most often a
+    # tier's api_key, or pointing a named tier at a different provider/model.
+    # Only the tier NAME is folded into a verdict hash, so a local override never
+    # invalidates recorded baselines. Keep credentials out of this committed file.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@chrisdudek/yg",
-  "version": "5.0.0-alpha.6",
-  "description": "Architecture rules your coding agent can't ignore. Written in Markdown, verified on every change, enforced in the agent's loop — not after on a PR. Works with Claude Code, Cursor, Copilot, Codex, Cline.",
+  "version": "5.0.1",
+  "description": "Architecture rules your AI coding agent can't ignore. It gets the rules for a file before it edits, and every change is checked — by a free local script or an LLM reviewer — before it moves on. Works with Claude Code, Cursor, Copilot, Codex, Cline.",
   "type": "module",
   "bin": {
     "yg": "dist/bin.js"