@chrono-meta/fh-gate 1.4.1 → 1.4.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chrono-meta/fh-gate",
-  "version": "1.4.1",
+  "version": "1.4.3",
   "description": "FH runtime adapters — run FH governance, skills, and agents via Claude or Codex with machine-parseable gates.",
   "license": "MIT",
   "keywords": [

package/plugins/fh-meta/agents/fact-checker.md

@@ -2,7 +2,7 @@
 name: fact-checker
 description: Use when (1) about to recommend an asset, skill, or agent that may already exist in the hub, (2) memory or docs contain stale facts, dates, or references, or (3) duplicate work is suspected. Greps hub assets and reports findings. Not for general code review or external persona audits.
 tools: Read, Grep, Glob
-version: 0.3
+version: 0.4
 ---
 
 > **Note:** In external user install environments, the install user is the fact-check verification subject. Hub-wide grep scope = the user's own environment (v0.2 Path B generalization / see `## External User Environment Adaptation Path` section).
@@ -30,6 +30,7 @@ Direct factual errors in the asset under check:
 - Counter mismatches (e.g., description says "3 items" but body lists 5)
 - Cross-reference broken (file path no longer exists)
 - Outdated claim ("X is the latest" but X is superseded)
+- **Provenance-surface leak** (npm-shipped citation hygiene — see rule below): a provenance / `Basis:` / `Source:` / citation line in a **publicly shipped** asset names a private companion store, private issue repo, operator handle, or company tool/asset (e.g. `<org>/<private-companion>#N`, an internal tool codename) instead of a generic reference
 
 ### Broad definition — missed grep / redundant work
 
@@ -40,6 +41,28 @@ Recommendations or new work that should have grep-verified existing assets first
 - Proposing an action already discussed in CATALOG / session logs
 - Re-deriving a definition or framework that already exists
 
+## Provenance-surface rule (narrow-class — npm-shipped citation hygiene)
+
+When the asset under check is **publicly shipped** — a member of `package.json` `files[]` (skills, agents,
+README, AGENTS/CLAUDE/CATALOG/CHEATSHEET, docs) — its provenance lines must cite **generically**. A
+reverse-import `Basis:`, a `Source:`, or any citation that names an operator-private or company-internal
+token is a narrow-class leak, flagged `N`.
+
+| Private/company token (do NOT ship) | Generic form to cite instead |
+|---|---|
+| private companion store / issue repo (`<org>/<private-companion>`, `…#N` issue refs) | "private companion signal" / "a companion-store signal (YYYY-MM-DD)" |
+| operator handle (real username, home path, personal alias) | "the operator" / omit |
+| company harness / tool / asset names (internal harness name, tool codenames, internal infra/domains) | "a field-side sister harness" / "a spec→test-case gate" / the generic capability |
+
+The **methodology stays public — only the private name is removed.** This rule is recurring: the same class
+leaked at npm 1.4.1 (companion names in 3 files) and 1.4.2 (a Wave-P3 `Basis` line). Flag at authoring time
+so it never reaches publish.
+
+**Scope boundary (no role duplication)**: you flag the *provenance/citation lines* of the asset under check —
+a cheap authoring-time catch. The **exhaustive token scan of the whole shipped surface** is
+`/public-surface-audit` (the pre-publish gate); defer the full sweep to it, do not re-implement it here. If
+the caller is about to publish, your `N` finding here is a heads-up, not a substitute for that gate.
+
 ## Your output format (fixed — do not deviate)
 
 ### 1. Scope verified
@@ -118,4 +141,5 @@ External user environment = no hub-specific memory baselines. The core agent beh
 
 - **v0.1** (2026-05-03) — Narrow (stale fact) + broad (missed grep) + N/B verdict baseline
 - **v0.2** (2026-05-08) — Path B generalization + 4-area grep scope expansion + cross-ref updates + meta self-proof circuit self-fact-check path
-- **current = v0.3** (2026-05-08 external user perspective refinement) — Self-X circuit matrix cross-ref (self-fact-check path formalized) + external user scenario refinement (user environment asset matrix auto-mapping + 4-area 5-step grep scope external environment auto-adaptation)
+- **v0.3** (2026-05-08 external user perspective refinement) — Self-X circuit matrix cross-ref (self-fact-check path formalized) + external user scenario refinement (user environment asset matrix auto-mapping + 4-area 5-step grep scope external environment auto-adaptation)
+- **current = v0.4** (2026-06-08) — Provenance-surface rule added (narrow-class npm-shipped citation hygiene): publicly shipped assets must cite provenance generically, never naming private companion/issue repos, operator handles, or company tool/asset names. Recurring leak class (npm 1.4.1 + 1.4.2). Exhaustive scan deferred to `/public-surface-audit` (no role duplication).

package/plugins/fh-meta/skills/steel-quench/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: steel-quench
 description: >-
-  A meta-skill that concretizes a designer's anxiety into AI-driven all-angle challenger attacks (via fh-commons:quench-challenger) and shakes off flaws through defensive rounds. Systematically surfaces root weaknesses of near-complete projects wave by wave, guaranteeing near-human-review quality without direct human deep inspection. Wave 4 (Meta-Aware Adversary) is an advanced mode where the challenger uses its own AI nature — hallucination, context collapse, prompt injection, tool lock-in — as attack vectors. Built-in fh-commons:quench-challenger agent outputs harness structure 6-axis attack+prescription pairs; after convergence, fh-meta:persona-innovator auto-extracts new patterns. Triggered by: "quench this", "devil's judgment", "all-angle review", "end-to-end verification", "steel quench", "deep pre-completion inspection", "shake out design anxiety", "attack from the root".
+  A meta-skill that concretizes a designer's anxiety into AI-driven all-angle challenger attacks (via fh-commons:quench-challenger) and shakes off flaws through defensive rounds. Systematically surfaces root weaknesses of near-complete projects wave by wave, guaranteeing near-human-review quality without direct human deep inspection. Wave 4 (Meta-Aware Adversary) is an advanced mode where the challenger uses its own AI nature — hallucination, context collapse, prompt injection, tool lock-in — as attack vectors. Wave-P3 (gate-passage re-attack) re-attacks an artifact on Coverage/Narrative/False-confidence right after an upstream gate declares PASS. Built-in fh-commons:quench-challenger agent outputs harness structure 6-axis attack+prescription pairs; after convergence, fh-meta:persona-innovator auto-extracts new patterns. Triggered by: "quench this", "devil's judgment", "all-angle review", "end-to-end verification", "steel quench", "deep pre-completion inspection", "shake out design anxiety", "attack from the root", "did it really pass?".
 user-invocable: true
 allowed-tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob", "WebSearch", "Agent"]
 model: opus
@@ -25,6 +25,7 @@ A designer's anxiety is most dangerous when vague. steel-quench breaks that anxi
 | "shake out design anxiety", "deep pre-completion inspection" | Concretize vague anxiety |
 | "attack from the root" | Re-verify from reason for existence |
 | "diagnose with counterexample", "use this bad case as reference" | Phase 0 calibration |
+| "did it really pass?", "re-attack after the gate", "the gate said PASS" | Wave-P3 gate-passage re-attack |
 | `/steel-quench` | Explicit call |
 
 ---
@@ -38,7 +39,7 @@ A designer's anxiety is most dangerous when vague. steel-quench breaks that anxi
 | **Wave 2** | Defense — defend or state as residual risk | — |
 | **Wave 3+** | Convergence — repeat until zero new S-grade | Zero new S-grade |
 | **Wave 4** (optional) | Meta-Aware Adversary — AI uses its own nature as attack vector | Zero new S-grade + AI-specific criteria |
-| **Wave-P3** (reserved) | Domain gate integration slot | Future use |
+| **Wave-P3** (optional) | Gate-passage re-attack — when an upstream gate declares PASS, re-attack the just-passed artifact on Coverage / Narrative / False-confidence | All 3 dimensions Attack Failed |
 | **Wave 5** (optional) | Multi-Team Adversarial Panel — external CLIs or cross-session Claude | Zero new S-grade cross-team |
 
 ---
@@ -148,6 +149,49 @@ Wave 4 convergence = Wave 3 criteria + 3 AI-specific vectors actually reviewed +
 
 ---
 
+## Wave-P3 — Gate-Passage Re-Attack (optional)
+
+**Activation**: When an upstream gate declares PASS on an artifact — any "declared-complete boundary"
+(a verification gate's terminal PASS, a `/pipeline-conductor` green sweep, a `/marketplace-gate` listing
+verdict, the 4-axis auto-gate marker, a domain TC/coverage gate). Propose preemptively, run after approval.
+No gate-PASS in scope → skip Wave-P3 entirely.
+
+> A 1-round gate PASS is exactly when reviewers stop looking — "we just passed" is the lowest-vigilance
+> moment in any workflow. Wave-P3 distrusts the declaration and re-attacks the just-passed artifact on three
+> dimensions the gate's own pass criteria structurally could not check. Only when all three Attack Failed can
+> a **"Real PASS"** be declared.
+
+**Agent utilization**:
+- `fh-commons:quench-challenger` (optional) — adds 6-axis structural attack to each dimension. If absent, run the 3 dimensions directly.
+- `fh-meta:persona-innovator` (after convergence) — error/gap patterns found during Wave-P3 → auto-propose new Cross-Project Pattern rows or skill-candidate signals.
+
+The three dimensions generalize the gate's three blind spots:
+
+| # | Dimension | The blind spot it attacks |
+|:---:|---|---|
+| Wave-P3a | **Coverage** | *What did the gate not check?* Items marked covered/passed that lack a traceable artifact (ID, test, file, citation). |
+| Wave-P3b | **Narrative** | *What story does the passed artifact tell that may be wrong?* Residual hardcoded/environment-coupled values and vague, unverifiable claims the PASS declaration smuggled through. |
+| Wave-P3c | **False-confidence** | *Did the gate produce false confidence?* High-risk items that passed carrying only a binary pass/fail, with no residual-risk or failure-mode caveat. |
+
+Each dimension is `Attack Succeeded` (defect found) or `Attack Failed` (clean).
+
+**Wave-P3 Done When**:
+```
+All 3 dimensions [Attack Failed] → ✅ Real PASS → activate fh-meta:persona-innovator (extract new patterns)
+Any 1 [Attack Succeeded]        → fix affected items, re-run Wave-P3 (max 2 re-runs)
+Still [Attack Succeeded] after 2 re-runs → "gate structural redesign required" → ESCALATE
+```
+
+**Basis**: reverse-imported from a field-side sister harness (private companion signal, 2026-06-08). Field
+evidence: a test-case coverage gate declared a 1-round PASS, then additional FAILs surfaced in rounds 2–3 —
+the gate-PASS-then-defect-found-in-next-stage pattern Wave-P3 collapses. Generalized from the field's
+domain-coupled (a spec→test-case gate) form to a gate-agnostic boundary hook. Shares its root with
+`fh-commons:convergence-loop` (single-pass distrust).
+
+> **Detail**: See `SKILL_detail.md §WaveP3` — per-dimension attack questions, gap criteria, and output format — read when running a gate-passage re-attack.
+
+---
+
 ## External-GT Adjudication (when the target has a public ground truth)
 
 When quenching a **public artifact that has its own ground truth** — a repo's open issues, test suite, or
@@ -242,6 +286,7 @@ sim-conductor Area A (external user perspective)
 - **Always check self-referential pattern (P3).** Cross-validate Wave results with external criteria.
 - **Public target → adjudicate against external GT before claiming.** A finding the target's own docs/policy/threat-model marks intentional or out-of-scope is a false positive, not a catch. See §External-GT Adjudication.
 - **Attack surface limit**: steel-quench attacks output content patterns. Phantom Claim detection → `phantom-quench`.
+- **Gate cross-reference**: any FH skill that declares a PASS / green / listing-ready verdict (`pipeline-conductor`, `marketplace-gate`, the 4-axis auto-gate, `convergence-loop`, domain coverage gates) is a valid Wave-P3 entry point. Invoke `/steel-quench` Wave-P3 on the just-passed artifact rather than editing each gate to embed it — the hook lives here, callers reference it.
 
 ## Failure Fallback
 

package/plugins/fh-meta/skills/steel-quench/SKILL_detail.md

@@ -170,6 +170,64 @@ New S-grade blockers: N (from AI-specific vectors: N)
 
 ---
 
+## §WaveP3 — Gate-Passage Re-Attack (per-dimension spec + output format)
+
+> Summary, activation, agent utilization, and Done When live in `SKILL.md §Wave-P3`. This section holds the
+> per-dimension attack questions and the output format — read when actually running a gate-passage re-attack.
+
+### Wave-P3a — Coverage re-attack
+
+Second-pass search for gaps hiding behind the pass declaration — *what the gate did not check.*
+
+| Attack Question | Gap Criterion |
+|---|---|
+| Do items the gate marked "covered" / "documented" / "done" actually have a traceable artifact (test ID, file, commit, citation)? | Marked-covered item without a backing artifact = gap |
+| Are boundary/edge cases the gate's scope implied actually each enumerated? | Implied-but-absent case = gap |
+| Does every claimed mapping (state→test, requirement→implementation, claim→source) resolve 1:1? | Unresolved mapping = gap |
+
+Verdict: `[Wave-P3a: Attack Succeeded]` (gap found) / `[Wave-P3a: Attack Failed]` (no gap)
+
+### Wave-P3b — Narrative re-attack
+
+Residue the pass declaration carried through unexamined — *the story the artifact tells that may be wrong.*
+
+| Attack Question | Residue Criterion |
+|---|---|
+| Do passed outputs hardcode concrete values where a parameter/placeholder belongs? | 1 hardcoded value = residue |
+| Do passed outputs contain unverifiable vague terms ("works correctly", "handled properly", "normally")? | 1 vague term = residue |
+| Do passed outputs assume environment-coupled values (absolute paths, fixed accounts, machine-specific config)? | 1 coupled assumption = residue |
+
+Verdict: `[Wave-P3b: Attack Succeeded]` (residue found) / `[Wave-P3b: Attack Failed]` (clean)
+
+### Wave-P3c — False-confidence re-attack
+
+High-risk items that passed without a caveat — *did the gate manufacture confidence it had not earned?*
+
+| Attack Question | Missing Criterion |
+|---|---|
+| Do high-risk items (irreversible action, security boundary, branch/assignment logic) carry a failure-mode / FP caveat? | Missing caveat on a high-risk item = gap |
+| Do items prone to confusion (near-identical states, off-by-one boundaries) carry a confusion warning? | Missing warning = gap |
+| Among the highest-priority items, do >50% carry only binary pass/fail with no residual-risk note? | Ratio exceeded = gap |
+
+Verdict: `[Wave-P3c: Attack Succeeded]` (missing found) / `[Wave-P3c: Attack Failed]` (all labeled)
+
+### Wave-P3 Output Format
+
+```
+## Wave-P3 — Gate-Passage Re-Attack Results (gate: {which gate declared PASS})
+
+| Dimension | Attack Result | Discovered Items | Fix Required |
+|:---:|:---:|---|:---:|
+| Wave-P3a (Coverage)          | Succeeded/Failed | [gaps or none]    | Y/N |
+| Wave-P3b (Narrative)         | Succeeded/Failed | [residue or none] | Y/N |
+| Wave-P3c (False-confidence)  | Succeeded/Failed | [missing or none] | Y/N |
+
+✅ Real PASS → persona-innovator: [N new pattern/rule candidates]
+❌ Fix required, re-run (round N)
+```
+
+---
+
 ## §Wave5 — Multi-Team Adversarial Panel (Full Spec)
 
 **Activation**: After Wave 1~4 convergence + A-grade items remain. `--sidecar` flag or "run sidecar wave".