@cleocode/cleo 2026.5.59 → 2026.5.61

package/dist/cli/index.js

@@ -23340,8 +23340,8 @@ async function loadPlaybookByName(name) {
     return null;
   }
   try {
-    const { getProjectRoot: getProjectRoot33 } = await import("@cleocode/core/internal");
-    const projectRoot = __playbookRuntimeOverrides.projectRoot ?? getProjectRoot33();
+    const { getProjectRoot: getProjectRoot34 } = await import("@cleocode/core/internal");
+    const projectRoot = __playbookRuntimeOverrides.projectRoot ?? getProjectRoot34();
     const resolved = resolvePlaybook(name, {
       projectRoot,
       globalPlaybooksDir: __playbookRuntimeOverrides.globalPlaybooksDir,
@@ -23385,8 +23385,8 @@ async function acquireDb() {
 async function buildDefaultDispatcher() {
   if (__playbookRuntimeOverrides.dispatcher) return __playbookRuntimeOverrides.dispatcher;
   const { orchestrateSpawnExecute: orchestrateSpawnExecute2 } = await Promise.resolve().then(() => (init_engine(), engine_exports));
-  const { getProjectRoot: getProjectRoot33 } = await import("@cleocode/core/internal");
-  const projectRoot = getProjectRoot33();
+  const { getProjectRoot: getProjectRoot34 } = await import("@cleocode/core/internal");
+  const projectRoot = getProjectRoot34();
   return {
     async dispatch(input) {
       try {
@@ -23576,8 +23576,8 @@ var init_playbook2 = __esm({
             projectRoot = __playbookRuntimeOverrides.projectRoot;
           } else {
             try {
-              const { getProjectRoot: getProjectRoot33 } = await import("@cleocode/core/internal");
-              projectRoot = getProjectRoot33();
+              const { getProjectRoot: getProjectRoot34 } = await import("@cleocode/core/internal");
+              projectRoot = getProjectRoot34();
             } catch {
               projectRoot = void 0;
             }
@@ -23641,14 +23641,14 @@ var init_playbook2 = __esm({
         const dispatcher = await buildDefaultDispatcher();
         let result;
         try {
-          const { getProjectRoot: getProjectRoot33 } = await import("@cleocode/core/internal");
+          const { getProjectRoot: getProjectRoot34 } = await import("@cleocode/core/internal");
           const opts = {
             db,
             playbook: parsed.definition,
             playbookHash: parsed.sourceHash,
             initialContext,
             dispatcher,
-            projectRoot: getProjectRoot33()
+            projectRoot: getProjectRoot34()
           };
           if (__playbookRuntimeOverrides.approvalSecret !== void 0) {
             opts.approvalSecret = __playbookRuntimeOverrides.approvalSecret;
@@ -27163,7 +27163,9 @@ var init_tasks3 = __esm({
             scope: params.scope,
             severity: params.severity,
             // T1633: BRAIN duplicate-bypass flag
-            forceDuplicate: params.forceDuplicate
+            forceDuplicate: params.forceDuplicate,
+            // T9218 / ADR-070: mandatory verifier for high-consequence tasks
+            verifier: params.verifier
           }),
           "add"
         );
@@ -28537,11 +28539,11 @@ var init_security = __esm({
 });
 
 // packages/cleo/src/dispatch/middleware/sanitizer.ts
-function createSanitizer(getProjectRoot33) {
+function createSanitizer(getProjectRoot34) {
   return async (req, next) => {
     if (req.params) {
       try {
-        const root = getProjectRoot33 ? getProjectRoot33() : void 0;
+        const root = getProjectRoot34 ? getProjectRoot34() : void 0;
         req.params = sanitizeParams(req.params, root, {
           domain: req.domain,
           operation: req.operation
@@ -29396,6 +29398,19 @@ var init_add = __esm({
         "depends-waiver": {
           type: "string",
           description: "Justification for creating a critical-priority task without --depends (T1856). Records waiver in task metadata."
+        },
+        /**
+         * Path to an existing verifier script (T9218 / ADR-070).
+         *
+         * Required when creating tasks with priority=critical, size=large, or
+         * type=epic. The path must point to an existing .mjs file. Omitting
+         * this on high-consequence tasks causes rejection with E_VERIFIER_REQUIRED.
+         *
+         * Use `cleo verify backfill <taskId>` to generate a stub after creation.
+         */
+        verifier: {
+          type: "string",
+          description: "Path to existing verifier script for this task (required for priority=critical, size=large, type=epic) (T9218 / ADR-070)"
         }
       },
       async run({ args, cmd }) {
@@ -29429,6 +29444,7 @@ var init_add = __esm({
         if (args.scope !== void 0) params["scope"] = args.scope;
         if (args.severity !== void 0) params["severity"] = args.severity;
         if (args["force-duplicate"] !== void 0) params["forceDuplicate"] = args["force-duplicate"];
+        if (args.verifier !== void 0) params["verifier"] = args.verifier;
         if (args.priority === "critical" && !args.depends && args["depends-waiver"] === void 0) {
           cliError(
             'Critical-priority tasks must declare at least one dependency (--depends) or provide a waiver (--depends-waiver "<reason>").',
@@ -33809,9 +33825,9 @@ var init_backup = __esm({
       },
       async run({ args }) {
         const scope = args.scope;
-        const { packBundle, getProjectRoot: getProjectRoot33 } = await import("@cleocode/core/internal");
+        const { packBundle, getProjectRoot: getProjectRoot34 } = await import("@cleocode/core/internal");
         const includesProject = scope === "project" || scope === "all";
-        const projectRoot = includesProject ? getProjectRoot33() : void 0;
+        const projectRoot = includesProject ? getProjectRoot34() : void 0;
         let passphrase;
         if (args.encrypt === true) {
           passphrase = process.env["CLEO_BACKUP_PASSPHRASE"];
@@ -45315,7 +45331,7 @@ var init_nexus4 = __esm({
         const repoPath = args.path ? path3.resolve(args.path) : process.cwd();
         humanInfo(`[nexus] Analyzing: ${repoPath}${isIncremental ? " (incremental)" : ""}`);
         try {
-          const [{ getNexusDb, nexusSchema }, { runPipeline }, { getProjectRoot: getProjectRoot33 }, { eq: eq2 }] = await Promise.all([
+          const [{ getNexusDb, nexusSchema }, { runPipeline }, { getProjectRoot: getProjectRoot34 }, { eq: eq2 }] = await Promise.all([
             import("@cleocode/core/store/nexus-sqlite"),
             import("@cleocode/nexus/pipeline"),
             import("@cleocode/core/internal"),
@@ -45395,7 +45411,7 @@ var init_nexus4 = __esm({
               extensions: { duration_ms: durationMs }
             }
           );
-          void getProjectRoot33;
+          void getProjectRoot34;
         } catch (err) {
           const msg = err instanceof Error ? err.message : String(err);
           cliError(
@@ -52829,8 +52845,8 @@ var init_session4 = __esm({
         "audit-scope": { type: "string", description: "Audit log scope (global|local)" }
       },
       async run({ args }) {
-        const { detectSessionDrift, getProjectRoot: getProjectRoot33 } = await import("@cleocode/core");
-        const projectRoot = await getProjectRoot33();
+        const { detectSessionDrift, getProjectRoot: getProjectRoot34 } = await import("@cleocode/core");
+        const projectRoot = await getProjectRoot34();
         const scope = args["audit-scope"] === "local" ? "local" : "global";
         const report = await detectSessionDrift({ projectRoot, auditScope: scope });
         cliOutput(report, { command: "session drift", operation: "session.drift" });
@@ -55243,11 +55259,13 @@ var init_upgrade = __esm({
 // packages/cleo/src/cli/commands/verify.ts
 var verify_exports = {};
 __export(verify_exports, {
+  backfillCommand: () => backfillCommand3,
   verifyCommand: () => verifyCommand3
 });
 import { spawnSync as spawnSync2 } from "node:child_process";
 import { existsSync as existsSync14 } from "node:fs";
 import { join as join22, resolve as resolve6 } from "node:path";
+import { generateVerifierStub, getProjectRoot as getProjectRoot33, writeVerifierStub } from "@cleocode/core";
 function resolveVerifierScript2(taskId, projectRoot) {
   const id = taskId.toLowerCase();
   const candidates = [
@@ -55269,12 +55287,173 @@ function runVerifier(verifierPath) {
     stderr: result.stderr ?? ""
   };
 }
-var verifyCommand3;
+async function backfillSingle(taskId, projectRoot, force) {
+  const response = await dispatchRaw("query", "tasks", "show", { taskId });
+  if (!response.success) {
+    process.stderr.write(
+      `Error: could not fetch task ${taskId}: ${response.error?.message ?? "unknown error"}
+`
+    );
+    process.exitCode = 1;
+    return;
+  }
+  const task = response.data?.task;
+  if (!task) {
+    process.stderr.write(`Error: task ${taskId} not found.
+`);
+    process.exitCode = 1;
+    return;
+  }
+  const existing = resolveVerifierScript2(taskId, projectRoot);
+  if (existing && !force) {
+    process.stderr.write(
+      `Error: verifier already exists: ${existing}
+  Use --force to overwrite. (T9218 idempotency guard)
+`
+    );
+    process.exitCode = 1;
+    return;
+  }
+  try {
+    const source = generateVerifierStub(
+      task
+    );
+    const outPath = writeVerifierStub(taskId, source, projectRoot, force);
+    process.stdout.write(`Generated: ${outPath}
+`);
+    process.stdout.write(
+      `
+Next steps:
+  1. Replace each \`fail('STUB \u2014 ...')\` block with a real check.
+  2. Verify manually: node ${outPath}
+  3. When the script exits 0: cleo verify ${taskId} --acceptance-check
+`
+    );
+  } catch (err) {
+    const msg = err.message ?? String(err);
+    process.stderr.write(`Error generating verifier for ${taskId}: ${msg}
+`);
+    process.exitCode = 1;
+  }
+}
+async function backfillAllPending(projectRoot, force) {
+  const seen = /* @__PURE__ */ new Set();
+  const pending = [];
+  const queries = [
+    dispatchRaw("query", "tasks", "list", { priority: "critical", limit: 200 }),
+    dispatchRaw("query", "tasks", "list", { size: "large", limit: 200 }),
+    dispatchRaw("query", "tasks", "list", { type: "epic", limit: 200 })
+  ];
+  const results = await Promise.all(queries);
+  for (const response of results) {
+    if (!response.success) continue;
+    const tasks = response.data?.tasks ?? [];
+    for (const t of tasks) {
+      const id = String(t.id ?? "");
+      if (!id || seen.has(id)) continue;
+      seen.add(id);
+      pending.push(t);
+    }
+  }
+  const lacking = pending.filter((t) => {
+    const id = String(t.id ?? "");
+    return !resolveVerifierScript2(id, projectRoot);
+  });
+  if (lacking.length === 0) {
+    process.stdout.write(
+      "All critical/large/epic tasks already have verifier scripts. Nothing to do.\n"
+    );
+    return;
+  }
+  process.stdout.write(
+    `Found ${lacking.length} task(s) lacking a verifier script. Generating stubs...
+
+`
+  );
+  let succeeded = 0;
+  let skipped = 0;
+  let failed = 0;
+  for (const task of lacking) {
+    const id = String(task.id ?? "");
+    try {
+      const source = generateVerifierStub(
+        task
+      );
+      const outPath = writeVerifierStub(id, source, projectRoot, force);
+      process.stdout.write(`  [OK] ${id} \u2192 ${outPath}
+`);
+      succeeded++;
+    } catch (err) {
+      const msg = err.message ?? String(err);
+      if (msg.includes("verifier already exists")) {
+        process.stdout.write(
+          `  [SKIP] ${id}: verifier already exists (use --force to overwrite)
+`
+        );
+        skipped++;
+      } else {
+        process.stderr.write(`  [FAIL] ${id}: ${msg}
+`);
+        failed++;
+      }
+    }
+  }
+  process.stdout.write(
+    `
+Done: ${succeeded} generated, ${skipped} skipped (already exist), ${failed} failed.
+`
+  );
+  process.stdout.write(
+    `
+Next steps for each generated file:
+  1. Replace each \`fail('STUB \u2014 ...')\` block with a real check.
+  2. node scripts/verify-<id>.mjs   (must exit 0 before cleo complete)
+`
+  );
+  if (failed > 0) {
+    process.exitCode = 1;
+  }
+}
+var backfillCommand3, verifyCommand3;
 var init_verify = __esm({
   "packages/cleo/src/cli/commands/verify.ts"() {
     "use strict";
     init_dist();
     init_cli();
+    backfillCommand3 = defineCommand({
+      meta: {
+        name: "backfill",
+        description: "Auto-generate a verifier stub from AC text for a task lacking one (T9218 / ADR-070)"
+      },
+      args: {
+        taskId: {
+          type: "positional",
+          description: "Task ID to generate a verifier stub for (e.g. T9213). Omit when using --all-pending.",
+          required: false
+        },
+        "all-pending": {
+          type: "boolean",
+          description: "Process all critical/large/epic tasks that lack a verifier script (T9218)"
+        },
+        force: {
+          type: "boolean",
+          description: "Overwrite an existing verifier without error (idempotency override)"
+        }
+      },
+      async run({ args, cmd }) {
+        const projectRoot = getProjectRoot33();
+        const force = !!args.force;
+        if (args["all-pending"]) {
+          await backfillAllPending(projectRoot, force);
+          return;
+        }
+        if (!args.taskId) {
+          await showUsage(cmd);
+          return;
+        }
+        await backfillSingle(String(args.taskId), projectRoot, force);
+      }
+    });
     verifyCommand3 = defineCommand({
       meta: { name: "verify", description: "View or modify verification gates for a task" },
       args: {
@@ -55327,6 +55506,21 @@ var init_verify = __esm({
           await showUsage(cmd);
           return;
         }
+        if (args.taskId === "backfill") {
+          const remainingArgs = process.argv.slice(process.argv.indexOf("backfill") + 1);
+          const taskIdArg = remainingArgs.find((a) => !a.startsWith("-"));
+          const allPending = remainingArgs.includes("--all-pending");
+          const force = remainingArgs.includes("--force");
+          const projectRoot = getProjectRoot33();
+          if (allPending) {
+            await backfillAllPending(projectRoot, force);
+          } else if (taskIdArg) {
+            await backfillSingle(taskIdArg, projectRoot, force);
+          } else {
+            await showUsage(cmd);
+          }
+          return;
+        }
         const acceptanceCheckRaw = args["acceptance-check"];
         const shouldRunAcceptanceCheck = acceptanceCheckRaw !== void 0 && acceptanceCheckRaw !== false;
         if (shouldRunAcceptanceCheck) {
@@ -56890,7 +57084,7 @@ async function runStartupMaintenance() {
     detectAndRemoveStrayProjectNexus,
     getGlobalSalt,
     getLogger: getLogger17,
-    getProjectRoot: getProjectRoot33,
+    getProjectRoot: getProjectRoot34,
     isCleanupMarkerSet,
     migrateSignaldockToConduit,
     needsSignaldockToConduitMigration,
@@ -56899,7 +57093,7 @@ async function runStartupMaintenance() {
   } = await import("@cleocode/core/internal");
   let projectRootForCleanup = "";
   try {
-    projectRootForCleanup = getProjectRoot33();
+    projectRootForCleanup = getProjectRoot34();
   } catch {
   }
   if (!isCleanupMarkerSet(CLI_VERSION, projectRootForCleanup)) {
@@ -56919,7 +57113,7 @@ async function runStartupMaintenance() {
   const isInitInvocation = process.argv.slice(2).some((a) => a === "init");
   if (!isInitInvocation) {
     try {
-      const _projectRootForMigration = getProjectRoot33();
+      const _projectRootForMigration = getProjectRoot34();
       if (needsSignaldockToConduitMigration(_projectRootForMigration)) {
         const migrationResult = migrateSignaldockToConduit(_projectRootForMigration);
         if (migrationResult.status === "failed") {