@chrono-meta/fh-gate 1.4.31 → 1.4.33

package/CLAUDE.md

@@ -506,7 +506,13 @@ Closing phrase detected ("wrap up", "done", "good work", "end session", etc.)
   → ④ Memory hygiene — update stale entries + record new session findings
   → ④-b npm freshness — if any npm-shipped asset changed this session (the `package.json` `files[]`
        surface: skills · agents · README · AGENTS.md · CLAUDE.md · CHEATSHEET), **propose an npm
-       republish**: version bump + Pre-Publish Surface Gate (`/public-surface-audit` + `/marketplace-gate`
+       republish**: version bump — and the **same bump MUST propagate in lockstep to every
+       `.claude-plugin/plugin.json` + `.claude-plugin/marketplace.json` version** (single-source =
+       `package.json`). The Codex plugin loader keys its cache path on the *plugin.json* version
+       (`~/.codex/plugins/cache/forge-harness/{plugin}/{version}/`), so a frozen plugin.json serves
+       **stale cached skills to Codex/AGENTS.md users** even after content ships (this exact 3-way
+       drift — fh-meta 1.4.1/1.4.11 vs npm 1.4.32 — was found + fixed 2026-06-17). Then Pre-Publish
+       Surface Gate (`/public-surface-audit` + `/marketplace-gate`
        Check 5) + `npm publish` + **`git tag vX.Y.Z` on the bump commit + `git push origin vX.Y.Z`**
        (tag at publish time, in lockstep with the version — keeps git tags aligned with npmjs.com so
        Releases/Tags never drift). The npm-served README and shipped skills/agents freeze at publish

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chrono-meta/fh-gate",
-  "version": "1.4.31",
+  "version": "1.4.33",
   "description": "FH runtime adapters — run FH governance, skills, and agents via Claude or Codex with machine-parseable gates.",
   "license": "MIT",
   "keywords": [

package/plugins/fh-commons/skills/mcp-circuit-breaker/SKILL.md

@@ -66,9 +66,14 @@ Classify failure type:
 | `NOT_FOUND` | 404 / tool not available | Server down / tool removed |
 | `MALFORMED` | Parse error on response | Schema mismatch / API change |
 | `RATE_LIMIT` | 429 / quota exceeded | Too many calls |
+| `ADMIN_GATED` | "instance admin approval required" / server pending org enablement / tool unavailable until approved | Capability exists; the **MCP mount** is gated behind instance/admin permission — not a transport failure. Retrying never recovers it (an admin must act) |
 
 If failure type cannot be determined: classify as `UNKNOWN`.
 
+> **`ADMIN_GATED` is not a retry case.** Distinguish *capability unavailable* from *MCP transport
+> unavailable*: when the block is an org/admin approval dependency, do not burn retries — route straight
+> to the lower-permission substitute in Step 4 (Priority 1b).
+
 ---
 
 ### Step 2. Trip Decision
@@ -81,6 +86,11 @@ Count consecutive failures of the identified tool in the current session context
 | 2 | Escalate warning. Suggest checking server status. |
 | 3+ | **TRIP CIRCUIT** → output circuit open notice, block further calls to this tool |
 
+> **Non-transient types trip at count 1, not 3.** `ADMIN_GATED`, `AUTH`, and `NOT_FOUND` do not recover
+> on retry (an admin must act / credentials must change / the tool is gone), so counting to 3 only wastes
+> calls. On the first failure of one of these types, trip immediately and go to Step 4. The 1→2→3 ramp is
+> for *transient* types (`TIMEOUT`, `RATE_LIMIT`) where a later call may succeed.
+
 Circuit open notice format:
 ```
 ⚡ CIRCUIT OPEN — {tool-name}
@@ -113,14 +123,22 @@ Log entry format:
 
 ### Step 4. Propose Alternatives
 
-Present 3 fallback options ranked by effort:
+Present the relevant fallback options ranked by effort (at least 3):
 
 | Priority | Alternative | When to Use |
 |---|---|---|
 | **1 — Substitute tool** | Use a different MCP tool or built-in tool that covers the same task | Tool-specific failure (NOT_FOUND, AUTH) |
+| **1b — Lower-permission API / workflow substitute** | The MCP mount is gated, but the underlying capability is usually still reachable through a member-scoped path: a Personal-Access-Token REST API call, or a workflow-automation runner. Before relying on it, confirm **credential scope** (a member-level token suffices?), **audit parity** (logged where the MCP path would log?), and **behavior gap** (what the MCP path does that this does not — e.g. natural-language workflow creation vs hand-written JSON). | `ADMIN_GATED` |
 | **2 — Degrade gracefully** | Skip the MCP step, note the gap, continue with available information | TIMEOUT / RATE_LIMIT |
 | **3 — Pause and retry** | Wait for server recovery (HALF-OPEN probe after cooldown) | Transient failure (TIMEOUT, RATE_LIMIT) |
 
+> **Gating carries over to the substitute** (cross-ref the external-MCP tool-gating rule
+> `mcp_tool_gating.md`). A REST/API or
+> workflow-automation tool adopted under Priority 1b is still an external-action surface: classify its
+> calls under the same ask/allow tiers — reads are `allow (untrusted-read)` only after behavior
+> confirmation; any write / send / delete / permission-change stays `ask`. Trading a gated MCP mount for
+> an ungated REST token does not lower the action's risk — only its permission barrier.
+
 Output format:
 ```
 ## Fallback Options for {tool-name}

package/plugins/fh-meta/skills/contention-layer/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: contention-layer
-description: When two skills or agents produce conflicting verdicts on the same output, reads the conflict as a signal rather than an error and harvests new skill candidates. Routes skills born from contention to fh-meta if they are meta-layer, to commons plugin if project-agnostic, or to field harvest if domain-specific. Triggered by "two skills conflict", "they produce different conclusions", "contention-layer", "contention harvest".
+description: When two skills, agents, or independent research tracks produce conflicting verdicts on the same output, reads the conflict as a signal rather than an error and harvests new skill candidates or insight deltas. Also accepts a Dual-Track Grounding conflict — an open-frontier research track vs an internally-grounded recall track disagreeing — as a research-layer partial analogue of Non-Model Ground (the grounded track is a time-decorrelated anchor, not a non-model one). Routes skills born from contention to fh-meta if they are meta-layer, to commons plugin if project-agnostic, or to field harvest if domain-specific. Triggered by "two skills conflict", "they produce different conclusions", "contention-layer", "contention harvest", "open vs grounded contradiction", "research tracks disagree".
 user-invocable: true
 allowed-tools: ["Read", "Bash", "Grep", "Write"]
 model: sonnet
@@ -20,16 +20,21 @@ When two skills conflict, **harvest the signal** instead of discarding one. Find
 /contention-layer --skills A B       # specify two skills for contention analysis
 ```
 
-Phrase triggers: "two skills conflict" · "weird when used together" · "they produce different conclusions" · "contention harvest" · "contention"
+Phrase triggers: "two skills conflict" · "weird when used together" · "they produce different conclusions" · "contention harvest" · "contention" · "open vs grounded contradiction" · "research tracks disagree" · "dual-track grounding **+ conflict/disagree/contradict**" (the phrase "dual-track grounding" alone collides with `phantom-quench` on the word "grounding" — measured Step-0.5 probe #3, 2026-06-17; it fires this skill only when a conflict word co-occurs)
+
+```
+/contention-layer --tracks open=<deep-research result> grounded=<memory/CATALOG recall>   # Dual-Track Grounding
+```
 
 ## Step 1. Collect Conflict Points
 
-Record clearly which skills conflicted on which output, and in which direction.
+Record clearly which sources conflicted on which output, and in which direction. The conflicting
+**sources** may be two skills/agents, or two independent **research tracks** (Dual-Track Grounding).
 
 ```
-Conflicting skill A: {skill name} — verdict: {conclusion}
-Conflicting skill B: {skill name} — verdict: {conclusion}
-Conflicting output: {TC / diagnostic report / design document / ...}
+Conflicting source A: {skill name / "open-frontier research"} — verdict: {conclusion}
+Conflicting source B: {skill name / "internally-grounded recall"} — verdict: {conclusion}
+Conflicting output: {TC / diagnostic report / design document / a factual claim / ...}
 Conflict point: {which item, by which criteria difference}
 ```
 
@@ -38,6 +43,36 @@ Conflict point: {which item, by which criteria difference}
 - `Scope conflict`: A includes, B excludes a certain domain
 - `Order conflict`: Same goal approached with different preconditions
 - `Philosophy conflict`: The measurement purpose itself differs (e.g., risk reduction vs coverage maximization)
+- `Track conflict` (Dual-Track Grounding): The same claim is asserted by an **open-frontier** track
+  (deep-research / WebSearch over external sources) and contradicted — or unsupported — by an
+  **internally-grounded** track (memory / CATALOG / past-session recall). The disagreement is the signal.
+
+### Step 1-b. Dual-Track Grounding — Non-Model Ground at the research layer
+
+When the input is two research tracks rather than two skills, the contention IS the mechanism: two
+**time-decorrelated** anchors disagreeing exposes the agreement-bias gap that judge-only synthesis
+hides (a single track, however strong, can be confidently wrong with nothing to contradict it). This is
+a research-layer **partial analogue of Non-Model Ground** (`[[fh_propagation_nonmodel_ground]]`) — the
+grounded track is a **time-decorrelated, provenance-bearing** anchor (written in a prior session against
+recorded sources, so the present session's agreement-bias cannot silently overwrite it). It is **not** a
+true non-model anchor: memory/CATALOG are model-written, so the independence is temporal + provenance,
+not lineage. The honest bias-reduction is that contradicting a provenance-bearing past claim **forces an
+explicit source check** (the challenger-verify pairing below) rather than a silent overwrite.
+
+```
+Open track (frontier):    deep-research / WebSearch — what the external world currently asserts
+Grounded track (internal): memory + CATALOG + past-session recall — what we already established
+  → AGREE      : low signal (corroboration) — log confidence, no harvest
+  → DISAGREE   : HIGH signal — the open track may be newer (our claim is stale → memory-hygiene),
+                 OR our grounded claim is right and the frontier is noise (→ a publishable delta).
+                 Direction is a judged call; pair it with challenger-verify-before-act (source-verify
+                 BEFORE rewriting either side — never let recency alone win) and route to harvest.
+  → UNSUPPORTED: the open track asserts what the grounded track has no record of, and back-trace
+                 (phantom-quench) finds no source → treat as Phantom, not as a new fact.
+```
+
+Dispatch shape: the two tracks run as independent calls (deep-research ∥ grounded recall — agent-composer
+can parallelize), then their outputs enter Step 2 as source A / source B. The harvest gate below is unchanged.
 
 ## Step 2. Contention Essence — Harvest Gate
 
@@ -106,13 +141,14 @@ After generating skeleton: **"I will place this draft at {path}. Shall I proceed
 
 ```
 [Contention Harvest Report]
-Conflicting skills: {A} vs {B}
-Conflict type: {Criteria / Scope / Order / Philosophy}
+Conflicting sources: {A} vs {B}
+Conflict type: {Criteria / Scope / Order / Philosophy / Track}
 Harvest Gate: Pass / Fail
   └ Reason: {1 line}
 New skill candidate: {name or none}
 Routing path: {fh-meta / commons / field / n/a}
-Next action: {generate draft / exclude / recommend improving existing skill}
+Track-conflict resolution: {memory-hygiene / publishable-delta / phantom / n/a}   # only for Track conflicts (Step 1-b)
+Next action: {generate draft / exclude / recommend improving existing skill / route track-conflict terminal}
 ```
 
 ## Done When
@@ -122,6 +158,9 @@ All steps 1–4 completed
 + [Contention Harvest Report] output (Harvest Gate Pass/Fail stated)
 + If new skill candidate exists: SKILL.md skeleton generated + user confirmation gate complete
 + If no new skill candidate: "Exclude / recommend improving existing skill" stated and exit
++ If Track conflict (Step 1-b): terminal stated — memory-hygiene (stale grounded claim) OR
+  publishable-delta (frontier was noise, our claim holds) OR phantom-quench (unsupported frontier
+  assertion). A track conflict resolving to a terminal is NOT an "exclude" — it is a routed outcome.
 ```
 
 Verdict: PASS (Harvest Gate Pass — new skill skeleton generated or no candidates confirmed) | CONDITIONAL_PASS (candidates found, user confirmation pending) | FAIL (Harvest Gate Fail — collision unresolvable, no new skill justified) | ESCALATE (role boundary ambiguous, requires human judgment)

package/plugins/fh-meta/skills/phantom-quench/SKILL.md

@@ -1,6 +1,16 @@
 ---
 name: phantom-quench
-description: The grounding member of the quench series — extracts proper nouns, numerical values, and branching conditions from artifacts (TCs, analysis reports, design documents), back-traces them to declared source files — local files by literal grep, and external cited sources (arXiv/DOI/URL and version claims) by fetch-and-support-check (the Non-Model Ground pass: a claim is grounded only when its anchor is non-model — a grep hit or a literal span from a fetched source — never another model's agreement) — and marks anything not found as a Phantom Claim (ungrounded — present in the artifact but not traceable to a declared source; not a claim that it is necessarily false), and a cited source that exists but does not support the claim as Unsupported. If steel-quench attacks output patterns (self-declarations, cushion language), phantom-quench attacks input tracing (where did this come from?). Renamed from source-grounding-audit (2026-06-06, quench-series); the old name appears here so legacy references still route to this skill (alias stub directory removed 2026-06-12). Triggered by "phantom detection", "phantom-quench", "phantom claim", "hallucinated claim detection", "source back-trace", "source audit", "verify source", "TC evidence tracing", "where did this come from", "grounding audit", "source grounding audit", "false claim detection", "citation support check", "does the source support this claim", "cited but not verified", "claim to source".
+description: >-
+  Input-tracing grounding audit for artifacts such as test cases, analysis reports,
+  and design docs. Extracts proper nouns, numbers, citations, version claims, and
+  branching conditions, then back-traces each to declared local files by grep or to
+  external sources by fetch-and-support checks. Marks missing anchors as Phantom
+  Claims and cited-but-unsupporting anchors as Unsupported. A claim is grounded only
+  by non-model evidence: a local hit or literal source span, never another model's
+  agreement. Renamed from source-grounding-audit; old-name references still route
+  here. Triggered by: "phantom detection", "phantom claim", "source back-trace",
+  "where did this come from", "verify source", "does the source support this claim",
+  "grounding audit", "source grounding audit", "citation support check".
 user-invocable: true
 allowed-tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob", "WebFetch", "WebSearch"]
 model: sonnet

package/plugins/fh-meta/skills/steel-quench/SKILL.md

@@ -1,7 +1,16 @@
 ---
 name: steel-quench
 description: >-
-  A meta-skill that concretizes a designer's anxiety into AI-driven all-angle challenger attacks (via fh-commons:quench-challenger) and shakes off flaws through defensive rounds. Systematically surfaces root weaknesses of near-complete projects wave by wave, guaranteeing near-human-review quality without direct human deep inspection. Wave 4 (Meta-Aware Adversary) is an advanced mode where the challenger uses its own AI nature — hallucination, context collapse, prompt injection, tool lock-in — as attack vectors. Wave-P3 (gate-passage re-attack) re-attacks an artifact on Coverage/Narrative/False-confidence right after an upstream gate declares PASS. Built-in fh-commons:quench-challenger agent outputs harness structure 6-axis attack+prescription pairs; after convergence, fh-meta:persona-innovator auto-extracts new patterns. Triggered by: "quench this", "devil's judgment", "all-angle review", "end-to-end verification", "steel quench", "deep pre-completion inspection", "shake out design anxiety", "attack from the root", "did it really pass?".
+  All-angle verification meta-skill for near-complete artifacts. Turns vague design
+  anxiety into structured challenger waves using fh-commons:quench-challenger, then
+  drives defense and convergence until root weaknesses, residual risks, and added
+  complexity are explicit. Covers standard attack/defense rounds, optional
+  Meta-Aware Adversary mode for AI-specific risks such as hallucination, context
+  collapse, prompt injection, and tool lock-in, and Wave-P3 re-attack after an
+  upstream gate declares PASS. Built-in outputs emphasize attack-plus-prescription
+  pairs and can feed fh-meta:persona-innovator after convergence. Triggered by:
+  "quench this", "devil's judgment", "all-angle review", "end-to-end verification",
+  "steel quench", "deep pre-completion inspection", "did it really pass?".
 user-invocable: true
 allowed-tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob", "WebSearch", "Agent"]
 model: opus