@chrono-meta/fh-gate 1.4.30 → 1.4.32

package/CLAUDE.md

@@ -281,13 +281,32 @@ not marketplace-gate alone:
 `LICENSE`/`README` contains a **private harness name or internal codename** · **module paths encode
 internal acronyms**.
 
-**Why no hook (honest)**: the irreversible action is `gh repo create --public` / a visibility flip, **not
-`git commit`** — and it usually happens in a **separate repo**, not forge-harness. The FH pre-commit hook
-cannot catch either. This gate is therefore **AI-behavioral** (proactive trigger below) **+ a portable
-checklist** (`templates/PRE-PUBLISH-CHECKLIST.md`) the operator runs on any repo, on any machine.
+**Hook coverage — two distinct actions (refined 2026-06-17)**:
+- **(a) repo-go-public** (`gh repo create --public` / a visibility flip) is irreversible and usually in a
+  **separate repo** — the FH pre-commit hook **cannot** catch it. That stays **AI-behavioral** (proactive
+  trigger below) **+ a portable checklist** (`templates/PRE-PUBLISH-CHECKLIST.md`), run on any repo/machine.
+- **(b) committing operator-private tokens into public-tracked content of THIS repo IS an effective
+  publish of that content** — and that the pre-commit hook **now catches mechanically**: a
+  **confidentiality scan** of staged tracked *added* lines against the gitignored
+  `.public-surface-patterns` (companion-store names · corp-context framing · home paths · company assets),
+  blocking HIGH/MED + non-allowlisted LOW drift; `PUBLIC_SURFACE_OK=1` overrides for a deliberate reviewed
+  mention. **Two-layer** (mirrors `/public-surface-audit`): the literal tokens live ONLY in the gitignored
+  source — CLAUDE.md and the hook name **only categories**, never the literals (they would leak what they
+  guard). This closes the gap where the prose publish-trigger was **missed on a weaker-tier session**
+  (PR #109: a companion-store name + corp-context framing reached a public PR; the Sonnet session trusted a
+  PR comment over the file content). The scan fires at commit time and is **tier-independent — but only as
+  strong as the loaded patterns**: a COMMITTED `.public-surface-patterns.defaults` (universal patterns:
+  home paths) keeps it from ever being fully blind, while the company-specific literals require the
+  GITIGNORED override to be populated in each authoring env (esp. the company env, where company-origin
+  public PRs are written; absent override → only defaults run, with a loud warning). **Honest scope**:
+  plaintext only (encoded tokens out of scope); a line-split backstop catches a token wrapped across
+  lines; `PUBLIC_SURFACE_OK=1` overrides and is logged to a gitignored audit trail for the weekly audit.
+  Residuals (split-encoding, override-not-populated, override abuse) are documented, not silent.
 
 > Origin: 2026-06-05 `phantom-gate` shipped public, then needed a private→de-company-scrub→re-public
-> round-trip (`fh_signal_2026-06-05_fh-direct`). PSA existed but nothing forced it pre-publish.
+> round-trip (`fh_signal_2026-06-05_fh-direct`). PSA existed but nothing forced it pre-publish. 2026-06-17
+> (PR #109): the commit-time half (b) became a mechanical hook after a weaker-tier session leaked a
+> companion-store name onto a public PR (`fh_signal_2026-06-17` Wave 4).
 
 ---
 
@@ -344,7 +363,7 @@ Proposal format: `"I see [X]. Want me to run /[skill] to [one-line description]?
 | "where does this go", "asset location", "hub vs project", "placement" | `/asset-placement-gate` |
 | "add to marketplace", "OK to publish", "pre-publish check" | `/marketplace-gate` |
 | "did I leak anything", "public surface audit", "private token scan", "is my split clean", "check tracked files for private tokens" | `/public-surface-audit` |
-| "publish", "make public", "make this repo public", "go public", "gh repo create --public", "flip to public", "first public push", "publish the package", "npm publish", "twine upload" (publish intent — **proactive**, fire *before* the action) | **Pre-Publish Surface Gate** (see above → `/public-surface-audit` + `/marketplace-gate` Check 5 must PASS first) |
+| "publish", "make public", "make this repo public", "go public", "gh repo create --public", "flip to public", "first public push", "publish the package", "npm publish", "twine upload", **opening/updating a PR or pushing content to the public hub** (esp. company-origin) (publish intent — **proactive**, fire *before* the action; adding content to an already-public repo IS publishing that content) | **Pre-Publish Surface Gate** (see above → `/public-surface-audit` + `/marketplace-gate` Check 5 must PASS first). The commit-time half is now **hook-enforced** (mechanical confidentiality scan — see Pre-Publish Gate §Hook coverage (b)), so this proactive trigger is the salience layer over a mechanical floor. |
 | "delete the branch", "브랜치 삭제", "브랜치 정리", "clean up branches", "force-push", "rewrite history", "지워도 돼?" (destructive intent — **proactive**, fire *before* the action) | **Destructive-Op Gate** (see above → enumerate → recover → destroy; `templates/predelete_check.sh`) |
 | "look at this again", "is this right", "counterargument", "re-validate" | `/verify-bidirectional` |
 | "MCP failing", "tool keeps erroring", "circuit-breaker", "same error looping" | `/mcp-circuit-breaker` |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chrono-meta/fh-gate",
-  "version": "1.4.30",
+  "version": "1.4.32",
   "description": "FH runtime adapters — run FH governance, skills, and agents via Claude or Codex with machine-parseable gates.",
   "license": "MIT",
   "keywords": [

package/plugins/fh-commons/skills/mcp-circuit-breaker/SKILL.md

@@ -66,9 +66,14 @@ Classify failure type:
 | `NOT_FOUND` | 404 / tool not available | Server down / tool removed |
 | `MALFORMED` | Parse error on response | Schema mismatch / API change |
 | `RATE_LIMIT` | 429 / quota exceeded | Too many calls |
+| `ADMIN_GATED` | "instance admin approval required" / server pending org enablement / tool unavailable until approved | Capability exists; the **MCP mount** is gated behind instance/admin permission — not a transport failure. Retrying never recovers it (an admin must act) |
 
 If failure type cannot be determined: classify as `UNKNOWN`.
 
+> **`ADMIN_GATED` is not a retry case.** Distinguish *capability unavailable* from *MCP transport
+> unavailable*: when the block is an org/admin approval dependency, do not burn retries — route straight
+> to the lower-permission substitute in Step 4 (Priority 1b).
+
 ---
 
 ### Step 2. Trip Decision
@@ -81,6 +86,11 @@ Count consecutive failures of the identified tool in the current session context
 | 2 | Escalate warning. Suggest checking server status. |
 | 3+ | **TRIP CIRCUIT** → output circuit open notice, block further calls to this tool |
 
+> **Non-transient types trip at count 1, not 3.** `ADMIN_GATED`, `AUTH`, and `NOT_FOUND` do not recover
+> on retry (an admin must act / credentials must change / the tool is gone), so counting to 3 only wastes
+> calls. On the first failure of one of these types, trip immediately and go to Step 4. The 1→2→3 ramp is
+> for *transient* types (`TIMEOUT`, `RATE_LIMIT`) where a later call may succeed.
+
 Circuit open notice format:
 ```
 ⚡ CIRCUIT OPEN — {tool-name}
@@ -113,14 +123,22 @@ Log entry format:
 
 ### Step 4. Propose Alternatives
 
-Present 3 fallback options ranked by effort:
+Present the relevant fallback options ranked by effort (at least 3):
 
 | Priority | Alternative | When to Use |
 |---|---|---|
 | **1 — Substitute tool** | Use a different MCP tool or built-in tool that covers the same task | Tool-specific failure (NOT_FOUND, AUTH) |
+| **1b — Lower-permission API / workflow substitute** | The MCP mount is gated, but the underlying capability is usually still reachable through a member-scoped path: a Personal-Access-Token REST API call, or a workflow-automation runner. Before relying on it, confirm **credential scope** (a member-level token suffices?), **audit parity** (logged where the MCP path would log?), and **behavior gap** (what the MCP path does that this does not — e.g. natural-language workflow creation vs hand-written JSON). | `ADMIN_GATED` |
 | **2 — Degrade gracefully** | Skip the MCP step, note the gap, continue with available information | TIMEOUT / RATE_LIMIT |
 | **3 — Pause and retry** | Wait for server recovery (HALF-OPEN probe after cooldown) | Transient failure (TIMEOUT, RATE_LIMIT) |
 
+> **Gating carries over to the substitute** (cross-ref the external-MCP tool-gating rule
+> `mcp_tool_gating.md`). A REST/API or
+> workflow-automation tool adopted under Priority 1b is still an external-action surface: classify its
+> calls under the same ask/allow tiers — reads are `allow (untrusted-read)` only after behavior
+> confirmation; any write / send / delete / permission-change stays `ask`. Trading a gated MCP mount for
+> an ungated REST token does not lower the action's risk — only its permission barrier.
+
 Output format:
 ```
 ## Fallback Options for {tool-name}

package/plugins/fh-meta/skills/phantom-quench/SKILL.md

@@ -1,6 +1,16 @@
 ---
 name: phantom-quench
-description: The grounding member of the quench series — extracts proper nouns, numerical values, and branching conditions from artifacts (TCs, analysis reports, design documents), back-traces them to declared source files — local files by literal grep, and external cited sources (arXiv/DOI/URL and version claims) by fetch-and-support-check (the Non-Model Ground pass: a claim is grounded only when its anchor is non-model — a grep hit or a literal span from a fetched source — never another model's agreement) — and marks anything not found as a Phantom Claim (ungrounded — present in the artifact but not traceable to a declared source; not a claim that it is necessarily false), and a cited source that exists but does not support the claim as Unsupported. If steel-quench attacks output patterns (self-declarations, cushion language), phantom-quench attacks input tracing (where did this come from?). Renamed from source-grounding-audit (2026-06-06, quench-series); the old name appears here so legacy references still route to this skill (alias stub directory removed 2026-06-12). Triggered by "phantom detection", "phantom-quench", "phantom claim", "hallucinated claim detection", "source back-trace", "source audit", "verify source", "TC evidence tracing", "where did this come from", "grounding audit", "source grounding audit", "false claim detection", "citation support check", "does the source support this claim", "cited but not verified", "claim to source".
+description: >-
+  Input-tracing grounding audit for artifacts such as test cases, analysis reports,
+  and design docs. Extracts proper nouns, numbers, citations, version claims, and
+  branching conditions, then back-traces each to declared local files by grep or to
+  external sources by fetch-and-support checks. Marks missing anchors as Phantom
+  Claims and cited-but-unsupporting anchors as Unsupported. A claim is grounded only
+  by non-model evidence: a local hit or literal source span, never another model's
+  agreement. Renamed from source-grounding-audit; old-name references still route
+  here. Triggered by: "phantom detection", "phantom claim", "source back-trace",
+  "where did this come from", "verify source", "does the source support this claim",
+  "grounding audit", "source grounding audit", "citation support check".
 user-invocable: true
 allowed-tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob", "WebFetch", "WebSearch"]
 model: sonnet

package/plugins/fh-meta/skills/steel-quench/SKILL.md

@@ -1,7 +1,16 @@
 ---
 name: steel-quench
 description: >-
-  A meta-skill that concretizes a designer's anxiety into AI-driven all-angle challenger attacks (via fh-commons:quench-challenger) and shakes off flaws through defensive rounds. Systematically surfaces root weaknesses of near-complete projects wave by wave, guaranteeing near-human-review quality without direct human deep inspection. Wave 4 (Meta-Aware Adversary) is an advanced mode where the challenger uses its own AI nature — hallucination, context collapse, prompt injection, tool lock-in — as attack vectors. Wave-P3 (gate-passage re-attack) re-attacks an artifact on Coverage/Narrative/False-confidence right after an upstream gate declares PASS. Built-in fh-commons:quench-challenger agent outputs harness structure 6-axis attack+prescription pairs; after convergence, fh-meta:persona-innovator auto-extracts new patterns. Triggered by: "quench this", "devil's judgment", "all-angle review", "end-to-end verification", "steel quench", "deep pre-completion inspection", "shake out design anxiety", "attack from the root", "did it really pass?".
+  All-angle verification meta-skill for near-complete artifacts. Turns vague design
+  anxiety into structured challenger waves using fh-commons:quench-challenger, then
+  drives defense and convergence until root weaknesses, residual risks, and added
+  complexity are explicit. Covers standard attack/defense rounds, optional
+  Meta-Aware Adversary mode for AI-specific risks such as hallucination, context
+  collapse, prompt injection, and tool lock-in, and Wave-P3 re-attack after an
+  upstream gate declares PASS. Built-in outputs emphasize attack-plus-prescription
+  pairs and can feed fh-meta:persona-innovator after convergence. Triggered by:
+  "quench this", "devil's judgment", "all-angle review", "end-to-end verification",
+  "steel quench", "deep pre-completion inspection", "did it really pass?".
 user-invocable: true
 allowed-tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob", "WebSearch", "Agent"]
 model: opus