@chrono-meta/fh-gate 1.4.29 → 1.4.31

package/CLAUDE.md

@@ -281,13 +281,32 @@ not marketplace-gate alone:
 `LICENSE`/`README` contains a **private harness name or internal codename** · **module paths encode
 internal acronyms**.
 
-**Why no hook (honest)**: the irreversible action is `gh repo create --public` / a visibility flip, **not
-`git commit`** — and it usually happens in a **separate repo**, not forge-harness. The FH pre-commit hook
-cannot catch either. This gate is therefore **AI-behavioral** (proactive trigger below) **+ a portable
-checklist** (`templates/PRE-PUBLISH-CHECKLIST.md`) the operator runs on any repo, on any machine.
+**Hook coverage — two distinct actions (refined 2026-06-17)**:
+- **(a) repo-go-public** (`gh repo create --public` / a visibility flip) is irreversible and usually in a
+  **separate repo** — the FH pre-commit hook **cannot** catch it. That stays **AI-behavioral** (proactive
+  trigger below) **+ a portable checklist** (`templates/PRE-PUBLISH-CHECKLIST.md`), run on any repo/machine.
+- **(b) committing operator-private tokens into public-tracked content of THIS repo IS an effective
+  publish of that content** — and that the pre-commit hook **now catches mechanically**: a
+  **confidentiality scan** of staged tracked *added* lines against the gitignored
+  `.public-surface-patterns` (companion-store names · corp-context framing · home paths · company assets),
+  blocking HIGH/MED + non-allowlisted LOW drift; `PUBLIC_SURFACE_OK=1` overrides for a deliberate reviewed
+  mention. **Two-layer** (mirrors `/public-surface-audit`): the literal tokens live ONLY in the gitignored
+  source — CLAUDE.md and the hook name **only categories**, never the literals (they would leak what they
+  guard). This closes the gap where the prose publish-trigger was **missed on a weaker-tier session**
+  (PR #109: a companion-store name + corp-context framing reached a public PR; the Sonnet session trusted a
+  PR comment over the file content). The scan fires at commit time and is **tier-independent — but only as
+  strong as the loaded patterns**: a COMMITTED `.public-surface-patterns.defaults` (universal patterns:
+  home paths) keeps it from ever being fully blind, while the company-specific literals require the
+  GITIGNORED override to be populated in each authoring env (esp. the company env, where company-origin
+  public PRs are written; absent override → only defaults run, with a loud warning). **Honest scope**:
+  plaintext only (encoded tokens out of scope); a line-split backstop catches a token wrapped across
+  lines; `PUBLIC_SURFACE_OK=1` overrides and is logged to a gitignored audit trail for the weekly audit.
+  Residuals (split-encoding, override-not-populated, override abuse) are documented, not silent.
 
 > Origin: 2026-06-05 `phantom-gate` shipped public, then needed a private→de-company-scrub→re-public
-> round-trip (`fh_signal_2026-06-05_fh-direct`). PSA existed but nothing forced it pre-publish.
+> round-trip (`fh_signal_2026-06-05_fh-direct`). PSA existed but nothing forced it pre-publish. 2026-06-17
+> (PR #109): the commit-time half (b) became a mechanical hook after a weaker-tier session leaked a
+> companion-store name onto a public PR (`fh_signal_2026-06-17` Wave 4).
 
 ---
 
@@ -344,7 +363,7 @@ Proposal format: `"I see [X]. Want me to run /[skill] to [one-line description]?
 | "where does this go", "asset location", "hub vs project", "placement" | `/asset-placement-gate` |
 | "add to marketplace", "OK to publish", "pre-publish check" | `/marketplace-gate` |
 | "did I leak anything", "public surface audit", "private token scan", "is my split clean", "check tracked files for private tokens" | `/public-surface-audit` |
-| "publish", "make public", "make this repo public", "go public", "gh repo create --public", "flip to public", "first public push", "publish the package", "npm publish", "twine upload" (publish intent — **proactive**, fire *before* the action) | **Pre-Publish Surface Gate** (see above → `/public-surface-audit` + `/marketplace-gate` Check 5 must PASS first) |
+| "publish", "make public", "make this repo public", "go public", "gh repo create --public", "flip to public", "first public push", "publish the package", "npm publish", "twine upload", **opening/updating a PR or pushing content to the public hub** (esp. company-origin) (publish intent — **proactive**, fire *before* the action; adding content to an already-public repo IS publishing that content) | **Pre-Publish Surface Gate** (see above → `/public-surface-audit` + `/marketplace-gate` Check 5 must PASS first). The commit-time half is now **hook-enforced** (mechanical confidentiality scan — see Pre-Publish Gate §Hook coverage (b)), so this proactive trigger is the salience layer over a mechanical floor. |
 | "delete the branch", "브랜치 삭제", "브랜치 정리", "clean up branches", "force-push", "rewrite history", "지워도 돼?" (destructive intent — **proactive**, fire *before* the action) | **Destructive-Op Gate** (see above → enumerate → recover → destroy; `templates/predelete_check.sh`) |
 | "look at this again", "is this right", "counterargument", "re-validate" | `/verify-bidirectional` |
 | "MCP failing", "tool keeps erroring", "circuit-breaker", "same error looping" | `/mcp-circuit-breaker` |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chrono-meta/fh-gate",
-  "version": "1.4.29",
+  "version": "1.4.31",
   "description": "FH runtime adapters — run FH governance, skills, and agents via Claude or Codex with machine-parseable gates.",
   "license": "MIT",
   "keywords": [

package/plugins/fh-meta/skills/edit-manifest/SKILL.md

@@ -8,12 +8,16 @@ model: sonnet
 
 # edit-manifest — Predict-Verify Loop for Harness Edits
 
-> Implements two mechanisms from frontier harness research:
-> - **Change Manifest** (AHE, arXiv:2604.25850): every edit declares a falsifiable prediction;
->   the next iteration verifies it against actual outcomes.
-> - **Validation Gate** (SkillOpt, arXiv:2605.23904): candidate edits are accepted only when
->   the selection-split score strictly improves. Rejected edits are retained as negative
->   feedback for future proposals — not silently discarded.
+> Implements two mechanisms from frontier harness research, named as in their source papers (both terms
+> are the papers' own — verified 2026-06-17 against arXiv full text):
+> - **Change Manifest** (AHE, arXiv:2604.25850): each edit attaches a manifest entry declaring a
+>   falsifiable predicted impact (expected fixes + at-risk regressions); the next round intersects it
+>   with observed task-level deltas to produce a per-edit verdict. (Paper: "the Evolve Agent produces a
+>   change manifest…".)
+> - **Validation Gate** (SkillOpt, arXiv:2605.23904): a candidate is accepted only when its
+>   selection-split score is strictly greater than the current selection score (ties rejected); rejected
+>   edits are kept in an epoch-local buffer, not silently discarded. (Paper: "validation gate" /
+>   "held-out gate".)
 
 FH's regression_guard.sh catches backward regressions. edit-manifest closes the forward
 loop: did the edit actually improve what it claimed to improve?
@@ -201,7 +205,7 @@ Apply `verified_at`, `verification_note`, `gate_decision` to each resolved entry
 
 ## Validation Gate Logic
 
-Mirrors SkillOpt's selection-split gate:
+Mirrors SkillOpt's validation gate (the held-out gate over its selection-split score):
 
 ```
 IF verified evidence shows improvement:
@@ -253,6 +257,6 @@ non-vacuous by the **mandatory cited observation** (no citation → stays pendin
 ## References
 
 - Theoretical basis: AHE (arXiv:2604.25850) §4 change manifest + prediction falsifiability
-- Validation gate: SkillOpt (arXiv:2605.23904) §3.3 selection-split gate + rejected-edit buffer
+- Validation gate: SkillOpt (arXiv:2605.23904) §3.3 validation/held-out gate over the selection-split score + rejected-edit buffer
 - Integrates with: `harvest-loop` Step 0-c · `verify-bidirectional` · 3-axis auto-gate (CLAUDE.md)
 - Manifest file: `tracks/_meta/edit_manifest.yaml`

package/plugins/fh-meta/skills/phantom-quench/SKILL_detail.md

@@ -123,11 +123,16 @@ escalating to full text). Two mechanical, judgment-free rules cover this:
    "section N", "Table N", "Figure N") → fetch full text **first**. Otherwise fetch `/abs/` first. (Do
    *not* pre-decide "is this a body-level mechanism?" — that is a salience-dependent judgment; the
    `§`-marker is the only mechanical signal, and the NONE-escalation below catches the rest.)
-2. **Abstract-NONE escalates** (the self-correcting backstop) — *any* `/abs/` fetch that returns
-   NONE/MENTIONS escalates once to full text before an Unsupported verdict (see Decision rules). A true
-   headline claim already returned ASSERTS on `/abs/`, so it never escalates; only a NONE does, and the
-   escalation is cheap insurance. This subsumes rule 1's misses — a body claim that *didn't* carry a `§`
-   marker still gets full text via its abstract-NONE.
+2. **Abstract NONE/MENTIONS escalates** (the self-correcting backstop) — *any* `/abs/` fetch that
+   returns **NONE or MENTIONS** escalates once to full text before an Unsupported verdict (see Decision
+   rules). A true headline claim already returned ASSERTS on `/abs/`, so it never escalates; only a
+   NONE/MENTIONS does, and the escalation is cheap insurance. (A MENTIONS on the abstract is the common
+   case — the body may ASSERT what the abstract only named; measured 2026-06-17 wild case 2604.25850 was
+   a /abs MENTIONS that became a full-text ASSERTS. A **NEGATES** does *not* escalate — it is
+   polarity-final: a body span asserting the same relation cannot coexist with an abstract that refutes
+   it; a *different, narrower* body claim is a citation-granularity error, still Unsupported, not an
+   escalation target.) This subsumes rule 1's misses — a body claim that *didn't* carry a `§` marker
+   still gets full text via its abstract NONE/MENTIONS.
 
 **HTML is a partial backfill — fall back, never Phantom.** arXiv HTML exists only for LaTeX-source
 papers (roughly post-2023) and some conversions fail, so `/html/{id}` can 404 for a perfectly real
@@ -156,10 +161,10 @@ Polarity is load-bearing: a page saying "X does NOT hold" or "earlier work claim
 contains a span lexically matching the claim. Asking for the label keeps the *retriever* mechanical while
 surfacing the stance the *judge* needs — a NEGATES/MENTIONS span is **not** grounding.
 
-**Coinage at fetch time:** when the claim's key term is a known FH coinage (a name FH invented, not the
-paper's — e.g. "Change Manifest", "Validation Gate"), pass the *mechanism description* — not the coinage
-string — into the `<exact claim>` slot, so the retriever searches for the **relation**, not a label that
-isn't on the page. The Coinage-vs-source-term decision rule (below) then only adjudicates the returned
+**Coinage at fetch time:** when the claim's key term is a known FH coinage (a name FH invented that the
+source does *not* use — e.g. a label like "Drift Gate" for a mechanism the paper describes only in its
+own words), pass the *mechanism description* — not the coinage string — into the `<exact claim>` slot, so
+the retriever searches for the **relation**, not a label that isn't on the page. The Coinage-vs-source-term decision rule (below) then only adjudicates the returned
 span; it never has to overturn a NONE the prompt itself caused.
 
 **Span-evidence format** (a Grounded external verdict is invalid without this):
@@ -186,15 +191,19 @@ Grounded: N / Unsupported: N / Unreachable: N / Phantom: N
 **Decision rules**:
 - Span labelled **ASSERTS** that expresses the claimed relation → **Grounded ✅** (record span).
 - Span labelled **NEGATES or MENTIONS** → **Unsupported 🟠** (a negating or merely-mentioning span is not
-  grounding — the false-Grounded trap).
+  grounding — the false-Grounded trap). **One exception — a MENTIONS from the abstract (`/abs/`) surface
+  escalates first** (per the NONE/MENTIONS escalation below) before being finalized: the body may ASSERT
+  what the abstract only mentioned. A **NEGATES** is final (the source refutes the claim — the body will
+  not undo it); a MENTIONS from a full-text surface is also final.
 - Fetch succeeded, content readable, span = NONE or off-claim → **Unsupported 🟠** (cited-but-not-verified).
-  **Surface-escalation first — abstract-NONE is the mechanical trigger (no judgment):** if the only
-  surface fetched was the abstract (`/abs/`), re-fetch full text (fall back `/html/{id}` → `/pdf/{id}`)
-  before classifying — *any* abstract-NONE escalates once, you do **not** first decide whether the claim
-  "looks body-level" (that judgment is the salience leak this rule removes). A body-supported claim must
-  not be failed on an abstract-only NONE. This is the second-surface escalation, **extended from
-  Unreachable to Unsupported-on-abstract** (2026-06-17 dogfood finding #2). Only after a full-text surface
-  *also* returns NONE/MENTIONS is the verdict Unsupported. (Single-pass: escalate once, then classify — no loop.)
+  **Surface-escalation first — an abstract NONE/MENTIONS is the mechanical trigger (no judgment):** if the
+  only surface fetched was the abstract (`/abs/`), re-fetch full text (fall back `/html/{id}` → `/pdf/{id}`)
+  before classifying — *any* abstract NONE/MENTIONS escalates once, you do **not** first decide whether the
+  claim "looks body-level" (that judgment is the salience leak this rule removes). A body-supported claim
+  must not be failed on an abstract-only NONE/MENTIONS. This is the second-surface escalation, **extended
+  from Unreachable to Unsupported-on-abstract** (2026-06-17 dogfood finding #2). Only after a full-text
+  surface *also* returns NONE/MENTIONS is the verdict Unsupported. (Single-pass: escalate once, then
+  classify — no loop.)
 - Identifier does not resolve on the **canonical** surface (`/abs/` 404, dead DOI, fabricated id) →
   **Phantom ❌**. A 404 on `/html/` or `/pdf/` while `/abs/` resolves is **surface-absence, not
   identifier-absence** — fall back per *Surface selection*, never Phantom.
@@ -206,33 +215,39 @@ Grounded: N / Unsupported: N / Unreachable: N / Phantom: N
 - **Never** upgrade NONE to Grounded because a second model "thinks it's probably right" (agreement bias).
 
 **Coinage-vs-source-term (the external analogue of Step 2's format normalization — but *judged*, not
-mechanical).** FH sometimes attributes a *coined* name to an external source ("the paper's Change
-Manifest", "its Validation Gate") when the paper uses different words for the same mechanism. A name
+mechanical).** FH sometimes attributes a *coined* name to an external source (e.g. "the paper's Drift
+Gate") when the paper uses different words for the same mechanism. A name
 mismatch alone is not automatically Unsupported — but the path to rescuing it is **deliberately narrow**,
 because this is one rationalization away from the agreement-bias trap above. The failure direction must
 stay conservative (over-flag, never false-Grounded):
 
 - **Possessive/attributive phrasing is presumed a terminology claim.** "the paper's X", "its X",
   "X, per [paper]" → literal absence of the coinage on the source = **Unsupported 🟠**, *unless the FH
-  artifact separately states the underlying relation in non-coinage words* (so the mechanism is
-  independently legible without the label). A runner may **not** reclassify a bare "the paper's X" as a
-  mechanism claim on its own reading — the mechanism claim must already be spelled out **in the artifact**
-  before the span-judged path opens. (Closes the laundering move: relabeling a terminology claim as a
-  mechanism claim to save it.)
+  artifact separately states the underlying relation in non-coinage words* — "separately" means
+  **anywhere in the artifact, including an inline gloss of the coined term** (e.g. "**X** (the spec's
+  accept-only-on-improvement rule)"); proximity does not matter, only that the relation is stated in
+  non-coinage words, so the mechanism is independently legible without the label. A runner may **not**
+  reclassify a bare "the paper's X" (a coinage with *no* such gloss anywhere) as a mechanism claim on its
+  own reading — the mechanism claim must already be spelled out **in the artifact** before the span-judged
+  path opens. (Closes the laundering move: relabeling a terminology claim as a mechanism claim to save it.)
+  An inline gloss grants only *eligibility* for that path — Grounded still comes **only from the fetched
+  source span** (de-label test below), never from the gloss itself; a gloss the source does not support
+  is artifact-internal, fails de-label, and cannot launder a coinage into Grounded.
 - **When the mechanism IS spelled out, ground on the relation, not the string — mechanical de-label
   test:** blank out *both* labels (FH's coinage and the source's term); the span must still literally
   state the operative relation the claim asserts — the same inputs→outputs / the same conditional / the
   same action. If, with both names blanked, the span no longer states the claim, the equivalence was
-  reader-supplied → **Unsupported 🟠**. (2026-06-17 dogfood: SkillOpt's "validation score" /
-  "rejected-edit buffer" survives the de-label test for FH's "Validation Gate" claim — the span states
-  the accept-only-on-improvement relation in its own words.)
+  reader-supplied → **Unsupported 🟠**. (Worked shape: blank FH's coined label *and* the source's own
+  term; a fetched span that still literally states the operative relation — e.g. "accepted only when the
+  score strictly improves" — in the source's own words is Grounded; if the equivalence only holds once
+  you read FH's label back in, it was reader-supplied → Unsupported.)
 - **No self-granted Grounded on a contested match.** If the de-label test is contested rather than clean,
   the runner may **not** write Grounded — the *only* path to Grounded for a disputed term-match is
   **escalate to `/steel-quench` Wave 1** and let the isolated adversary surface the span or reject it.
   Default otherwise = Unsupported. (Removes the runner's discretion to self-select the lenient branch.)
 - **Recommended conservative resolution (publish-facing).** For a publish-facing citation the safer fix
-  is to require the artifact to **quote the paper's own term** ("what SkillOpt calls a 'validation
-  score'") instead of asserting FH's coinage as the paper's — removing the judgment entirely. Reserve the
+  is to require the artifact to **quote the source's own term** (e.g. "what the source itself calls X")
+  instead of asserting an unverified label as the source's — removing the judgment entirely. Reserve the
   judged de-label path for low-stakes internal claims; match effort to stakes.
 
 Unlike Step 2's value-format normalization (mechanical: `300s` ≡ `300 seconds`), coinage-vs-term is