@chrono-meta/fh-gate 1.4.31 → 1.4.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@chrono-meta/fh-gate",
3
- "version": "1.4.31",
3
+ "version": "1.4.32",
4
4
  "description": "FH runtime adapters — run FH governance, skills, and agents via Claude or Codex with machine-parseable gates.",
5
5
  "license": "MIT",
6
6
  "keywords": [
@@ -66,9 +66,14 @@ Classify failure type:
66
66
  | `NOT_FOUND` | 404 / tool not available | Server down / tool removed |
67
67
  | `MALFORMED` | Parse error on response | Schema mismatch / API change |
68
68
  | `RATE_LIMIT` | 429 / quota exceeded | Too many calls |
69
+ | `ADMIN_GATED` | "instance admin approval required" / server pending org enablement / tool unavailable until approved | Capability exists; the **MCP mount** is gated behind instance/admin permission — not a transport failure. Retrying never recovers it (an admin must act) |
69
70
 
70
71
  If failure type cannot be determined: classify as `UNKNOWN`.
71
72
 
73
+ > **`ADMIN_GATED` is not a retry case.** Distinguish *capability unavailable* from *MCP transport
74
+ > unavailable*: when the block is an org/admin approval dependency, do not burn retries — route straight
75
+ > to the lower-permission substitute in Step 4 (Priority 1b).
76
+
72
77
  ---
73
78
 
74
79
  ### Step 2. Trip Decision
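Review bot: the new `ADMIN_GATED` row lists "tool unavailable until approved" as a signal, which overlaps the `NOT_FOUND` signal "404 / tool not available" two rows above, and no tie-break is given. The two types are sent to different Step 4 priorities (1 versus 1b), so state which classification wins when a response matches both. The match string "instance admin approval required" is also message text returned by the server being called; because this classification steers the agent toward a token-based substitute, consider keying it on a status code or a confirmed org setting rather than on message text alone.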
@@ -81,6 +86,11 @@ Count consecutive failures of the identified tool in the current session context
81
86
  | 2 | Escalate warning. Suggest checking server status. |
82
87
  | 3+ | **TRIP CIRCUIT** → output circuit open notice, block further calls to this tool |
83
88
 
89
+ > **Non-transient types trip at count 1, not 3.** `ADMIN_GATED`, `AUTH`, and `NOT_FOUND` do not recover
90
+ > on retry (an admin must act / credentials must change / the tool is gone), so counting to 3 only wastes
91
+ > calls. On the first failure of one of these types, trip immediately and go to Step 4. The 1→2→3 ramp is
92
+ > for *transient* types (`TIMEOUT`, `RATE_LIMIT`) where a later call may succeed.
93
+
84
94
  Circuit open notice format:
85
95
  ```
86
96
  ⚡ CIRCUIT OPEN — {tool-name}
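Review bot: the added blockquote assigns `ADMIN_GATED`, `AUTH` and `NOT_FOUND` to trip-at-1 and `TIMEOUT`, `RATE_LIMIT` to the 1→2→3 ramp, but leaves `MALFORMED` and `UNKNOWN` unassigned. Say which ramp those two follow; a conservative default for `UNKNOWN` should be stated explicitly instead of left to the reader. The exception also sits below a table whose `3+` row still reads as the only trip condition, so folding the count-1 rule into the table would keep a reader who stops at the table from counting to 3.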
@@ -113,14 +123,22 @@ Log entry format:
113
123
 
114
124
  ### Step 4. Propose Alternatives
115
125
 
116
- Present 3 fallback options ranked by effort:
126
+ Present the relevant fallback options ranked by effort (at least 3):
117
127
 
118
128
  | Priority | Alternative | When to Use |
119
129
  |---|---|---|
120
130
  | **1 — Substitute tool** | Use a different MCP tool or built-in tool that covers the same task | Tool-specific failure (NOT_FOUND, AUTH) |
131
+ | **1b — Lower-permission API / workflow substitute** | The MCP mount is gated, but the underlying capability is usually still reachable through a member-scoped path: a Personal-Access-Token REST API call, or a workflow-automation runner. Before relying on it, confirm **credential scope** (a member-level token suffices?), **audit parity** (logged where the MCP path would log?), and **behavior gap** (what the MCP path does that this does not — e.g. natural-language workflow creation vs hand-written JSON). | `ADMIN_GATED` |
121
132
  | **2 — Degrade gracefully** | Skip the MCP step, note the gap, continue with available information | TIMEOUT / RATE_LIMIT |
122
133
  | **3 — Pause and retry** | Wait for server recovery (HALF-OPEN probe after cooldown) | Transient failure (TIMEOUT, RATE_LIMIT) |
123
134
 
135
+ > **Gating carries over to the substitute** (cross-ref the external-MCP tool-gating rule
136
+ > `mcp_tool_gating.md`). A REST/API or
137
+ > workflow-automation tool adopted under Priority 1b is still an external-action surface: classify its
138
+ > calls under the same ask/allow tiers — reads are `allow (untrusted-read)` only after behavior
139
+ > confirmation; any write / send / delete / permission-change stays `ask`. Trading a gated MCP mount for
140
+ > an ungated REST token does not lower the action's risk — only its permission barrier.
141
+
124
142
  Output format:
125
143
  ```
126
144
  ## Fallback Options for {tool-name}
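Review bot: the three pre-checks in the Priority 1b row (credential scope, audit parity, behavior gap) never ask whether the admin gate is a deliberate denial rather than a pending enablement. As written, an `ADMIN_GATED` result routes the agent to a Personal-Access-Token or workflow-runner path for a capability no admin has approved; add a fourth check that org policy permits reaching the capability with a member-scoped credential, and fall back to `ask` when that cannot be confirmed. The phrase "usually still reachable" is asserted without support, and the cross-referenced `mcp_tool_gating.md` is not part of this diff, so the ask/allow tiers it defines cannot be checked against the blockquote here.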
@@ -1,6 +1,16 @@
1
1
  ---
2
2
  name: phantom-quench
3
- description: The grounding member of the quench series — extracts proper nouns, numerical values, and branching conditions from artifacts (TCs, analysis reports, design documents), back-traces them to declared source files — local files by literal grep, and external cited sources (arXiv/DOI/URL and version claims) by fetch-and-support-check (the Non-Model Ground pass: a claim is grounded only when its anchor is non-model — a grep hit or a literal span from a fetched source — never another model's agreement) — and marks anything not found as a Phantom Claim (ungrounded — present in the artifact but not traceable to a declared source; not a claim that it is necessarily false), and a cited source that exists but does not support the claim as Unsupported. If steel-quench attacks output patterns (self-declarations, cushion language), phantom-quench attacks input tracing (where did this come from?). Renamed from source-grounding-audit (2026-06-06, quench-series); the old name appears here so legacy references still route to this skill (alias stub directory removed 2026-06-12). Triggered by "phantom detection", "phantom-quench", "phantom claim", "hallucinated claim detection", "source back-trace", "source audit", "verify source", "TC evidence tracing", "where did this come from", "grounding audit", "source grounding audit", "false claim detection", "citation support check", "does the source support this claim", "cited but not verified", "claim to source".
3
+ description: >-
4
+ Input-tracing grounding audit for artifacts such as test cases, analysis reports,
5
+ and design docs. Extracts proper nouns, numbers, citations, version claims, and
6
+ branching conditions, then back-traces each to declared local files by grep or to
7
+ external sources by fetch-and-support checks. Marks missing anchors as Phantom
8
+ Claims and cited-but-unsupporting anchors as Unsupported. A claim is grounded only
9
+ by non-model evidence: a local hit or literal source span, never another model's
10
+ agreement. Renamed from source-grounding-audit; old-name references still route
11
+ here. Triggered by: "phantom detection", "phantom claim", "source back-trace",
12
+ "where did this come from", "verify source", "does the source support this claim",
13
+ "grounding audit", "source grounding audit", "citation support check".
4
14
  user-invocable: true
5
15
  allowed-tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob", "WebFetch", "WebSearch"]
6
16
  model: sonnet
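Review bot: the rewritten `description` drops seven trigger phrases the old text carried: "phantom-quench", "hallucinated claim detection", "source audit", "TC evidence tracing", "false claim detection", "cited but not verified" and "claim to source". If skill routing matches on this field, requests using those phrases, including the skill's own name, may no longer reach it; restore them or confirm they are matched elsewhere. The rewrite also loses the qualifier that a Phantom Claim is "not a claim that it is necessarily false", which is worth keeping so findings are not read as falsity verdicts. The hunk carries no file header, so the path of the file being changed cannot be confirmed from the diff.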
@@ -1,7 +1,16 @@
1
1
  ---
2
2
  name: steel-quench
3
3
  description: >-
4
- A meta-skill that concretizes a designer's anxiety into AI-driven all-angle challenger attacks (via fh-commons:quench-challenger) and shakes off flaws through defensive rounds. Systematically surfaces root weaknesses of near-complete projects wave by wave, guaranteeing near-human-review quality without direct human deep inspection. Wave 4 (Meta-Aware Adversary) is an advanced mode where the challenger uses its own AI nature — hallucination, context collapse, prompt injection, tool lock-in — as attack vectors. Wave-P3 (gate-passage re-attack) re-attacks an artifact on Coverage/Narrative/False-confidence right after an upstream gate declares PASS. Built-in fh-commons:quench-challenger agent outputs harness structure 6-axis attack+prescription pairs; after convergence, fh-meta:persona-innovator auto-extracts new patterns. Triggered by: "quench this", "devil's judgment", "all-angle review", "end-to-end verification", "steel quench", "deep pre-completion inspection", "shake out design anxiety", "attack from the root", "did it really pass?".
4
+ All-angle verification meta-skill for near-complete artifacts. Turns vague design
5
+ anxiety into structured challenger waves using fh-commons:quench-challenger, then
6
+ drives defense and convergence until root weaknesses, residual risks, and added
7
+ complexity are explicit. Covers standard attack/defense rounds, optional
8
+ Meta-Aware Adversary mode for AI-specific risks such as hallucination, context
9
+ collapse, prompt injection, and tool lock-in, and Wave-P3 re-attack after an
10
+ upstream gate declares PASS. Built-in outputs emphasize attack-plus-prescription
11
+ pairs and can feed fh-meta:persona-innovator after convergence. Triggered by:
12
+ "quench this", "devil's judgment", "all-angle review", "end-to-end verification",
13
+ "steel quench", "deep pre-completion inspection", "did it really pass?".
5
14
  user-invocable: true
6
15
  allowed-tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob", "WebSearch", "Agent"]
7
16
  model: opus
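Review bot: the new `description` changes stated behaviour, not just length: "fh-meta:persona-innovator auto-extracts new patterns" becomes "can feed fh-meta:persona-innovator", and "Wave 4 (Meta-Aware Adversary)" becomes an unnumbered "optional" mode while "Wave-P3" keeps its label. The skill body is not in this diff, so if it still runs the extraction automatically or still refers to "Wave 4", the description no longer matches it; with `Agent` in `allowed-tools`, whether a sub-agent is invoked automatically should be stated accurately. The triggers "shake out design anxiety" and "attack from the root" are also dropped without a note on whether legacy phrasing should still route here. As with the previous hunk, there is no file header to confirm which file this is.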