npm - @cleocode/skills - Versions diffs - 2026.4.76 → 2026.4.80 - Mend

@cleocode/skills 2026.4.76 → 2026.4.80

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +1 -1
package/skills/ct-cleo/SKILL.md +50 -12
package/skills/ct-orchestrator/SKILL.md +34 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cleocode/skills",
-  "version": "2026.4.76",
+  "version": "2026.4.80",
   "description": "CLEO skill definitions - bundled with CLEO monorepo",
   "main": "index.js",
   "types": "index.d.ts",

package/skills/ct-cleo/SKILL.md CHANGED Viewed

@@ -173,21 +173,59 @@ I need system or configuration info
 ---
-## Pre-Complete Gate Ritual
+## Pre-Complete Gate Ritual (ADR-051 — evidence required)
-MANDATORY before every `cleo complete <id>`:
+MANDATORY before every `cleo complete <id>`.  Every verification gate MUST be
+backed by programmatic evidence. CLEO validates commits against the git
+history, file sha256 against disk, tool exit codes against real runs, and
+vitest JSON against the reporter output. No evidence → no gate pass.
-1. `cleo show <id>` — inspect gates
-2. Run each acceptance criterion verifiable (tests, lint, file checks)
-3. `cleo verify <id> --run` — executes programmatic gates
-4. `cleo memory observe "..." --title "..."` — capture learnings
-5. `cleo complete <id>` — should pass cleanly
+### Capture evidence per gate
-Anti-patterns:
-- `cleo complete` without `cleo verify --run`
-- `cleo verify --all` to bypass programmatic gates
-- Skipping memory observe on non-trivial work
-- Self-attesting without programmatic proof (IVTR validate phase exists to prevent this)
+```bash
+# implemented gate: commit + file list
+cleo verify T### --gate implemented \
+  --evidence "commit:$(git rev-parse HEAD);files:packages/a/src/b.ts,packages/a/src/c.ts"
+# testsPassed gate: run tests and capture
+cleo verify T### --gate testsPassed --evidence "tool:pnpm-test"
+# qaPassed gate: biome + tsc both exit 0
+cleo verify T### --gate qaPassed --evidence "tool:biome;tool:tsc"
+# documented gate: docs/spec file
+cleo verify T### --gate documented --evidence "files:docs/specs/T###-spec.md"
+# cleanupDone gate: summary note
+cleo verify T### --gate cleanupDone --evidence "note:removed old helpers"
+# securityPassed gate: scan or waiver
+cleo verify T### --gate securityPassed --evidence "tool:security-scan"
+# Then complete — evidence is RE-VALIDATED at this step
+cleo memory observe "..." --title "..."
+cleo complete T###
+```
+### Anti-patterns (ADR-051)
+- ❌ `cleo verify --all` without `--evidence` — returns `E_EVIDENCE_MISSING`
+- ❌ `cleo complete --force` — flag REMOVED
+- ❌ Modifying source files between `verify` and `complete` — caught by
+     staleness check (`E_EVIDENCE_STALE`)
+- ❌ Passing `note:` as evidence for `implemented` or `testsPassed` —
+     fails `E_EVIDENCE_INSUFFICIENT`
+- ❌ Self-attesting without programmatic proof
+### Emergency override (audited)
+```bash
+CLEO_OWNER_OVERRIDE=1 CLEO_OWNER_OVERRIDE_REASON="<reason>" \
+  cleo verify T### --gate implemented --evidence "note:<justification>"
+```
+Writes to `.cleo/audit/force-bypass.jsonl` with PID, command, and reason. Do not
+normalize.
 ---

package/skills/ct-orchestrator/SKILL.md CHANGED Viewed

@@ -206,9 +206,43 @@ When operating without continuous HITL oversight, additional constraints apply:
 | `cleo show T1234` | Full task details |
 | `cleo add "Task" --parent T1575` | Create child task |
 | `cleo start T1586` / `cleo complete T1586` | Task lifecycle |
+| `cleo verify T1586 --gate <g> --evidence <atoms>` | Evidence-based gate write (ADR-051) |
 | `cleo manifest list --filter pending` | Followup items |
 | `cleo session end --note "summary"` | End session with handoff context |
+## Evidence-Based Completion (ADR-051 / T832)
+As of v2026.4.78, every `cleo verify` gate write requires programmatic evidence.
+`--all` without `--evidence` is REJECTED. `--force` has been REMOVED from
+`cleo complete`. Gates are re-validated at complete time — tampering with
+files between `verify` and `complete` triggers `E_EVIDENCE_STALE`.
+### Evidence per gate (minimum)
+| Gate | Required atoms |
+|------|---------------|
+| `implemented` | `commit:<sha>` AND `files:<comma-separated>` |
+| `testsPassed` | `tool:pnpm-test` OR `test-run:<vitest-json>` |
+| `qaPassed` | `tool:biome` AND `tool:tsc` (OR `tool:pnpm-build`) |
+| `documented` | `files:<docs-path>` OR `url:<doc-url>` |
+| `securityPassed` | `tool:security-scan` OR `note:<waiver>` |
+| `cleanupDone` | `note:<summary>` |
+Orchestrator workflow for each completing task:
+```bash
+# 1. Worker reports done with evidence atoms in manifest key_findings
+# 2. Orchestrator runs:
+cleo verify <taskId> --gate implemented --evidence "commit:$(git rev-parse HEAD);files:<list>"
+cleo verify <taskId> --gate testsPassed --evidence "tool:pnpm-test"
+cleo verify <taskId> --gate qaPassed   --evidence "tool:biome;tool:tsc"
+# 3. Close:
+cleo complete <taskId>
+```
+Emergency: set `CLEO_OWNER_OVERRIDE=1` and `CLEO_OWNER_OVERRIDE_REASON="<reason>"`
+before the verify call — audited to `.cleo/audit/force-bypass.jsonl`.
 ## References
 | Topic | File |