@deftai/directive-content 0.55.2 → 0.56.0

Files changed (217)
  1. package/.githooks/pre-commit +143 -0
  2. package/.githooks/pre-push +121 -0
  3. package/QUICK-START.md +2 -2
  4. package/Taskfile.yml +934 -0
  5. package/UPGRADING.md +47 -1
  6. package/events/README.md +3 -3
  7. package/package.json +5 -4
  8. package/scripts/_agents_md.py +494 -0
  9. package/scripts/_cache_fetch.py +635 -0
  10. package/scripts/_cache_quota.py +529 -0
  11. package/scripts/_cache_refresh.py +163 -0
  12. package/scripts/_cache_validate.py +209 -0
  13. package/scripts/_content_root.py +42 -0
  14. package/scripts/_doctor_state.py +277 -0
  15. package/scripts/_event_detect.py +305 -0
  16. package/scripts/_events.py +514 -0
  17. package/scripts/_lifecycle_hygiene.py +568 -0
  18. package/scripts/_pathspec.py +91 -0
  19. package/scripts/_policy_show_cli.py +266 -0
  20. package/scripts/_precutover.py +92 -0
  21. package/scripts/_project_context.py +224 -0
  22. package/scripts/_project_definition_io.py +164 -0
  23. package/scripts/_relocate_snapshot.py +209 -0
  24. package/scripts/_relocate_states.py +343 -0
  25. package/scripts/_resolve_preflight_path.py +152 -0
  26. package/scripts/_safe_subprocess.py +167 -0
  27. package/scripts/_session_start_hook.py +205 -0
  28. package/scripts/_sor_gate_diff.py +365 -0
  29. package/scripts/_stdio_utf8.py +59 -0
  30. package/scripts/_triage_bootstrap_gitignore.py +904 -0
  31. package/scripts/_triage_classify_cli.py +122 -0
  32. package/scripts/_triage_queue_cli.py +625 -0
  33. package/scripts/_triage_scope_cli.py +343 -0
  34. package/scripts/_triage_scope_drift_cli.py +121 -0
  35. package/scripts/_triage_scope_ignores.py +286 -0
  36. package/scripts/_triage_scope_milestone.py +432 -0
  37. package/scripts/_triage_scope_mutations.py +337 -0
  38. package/scripts/_triage_scope_renderers.py +207 -0
  39. package/scripts/_triage_smoketest_stages.py +674 -0
  40. package/scripts/_triage_subscribe_cli.py +140 -0
  41. package/scripts/_triage_welcome_cli.py +421 -0
  42. package/scripts/_vbrief_build.py +239 -0
  43. package/scripts/_vbrief_fidelity.py +479 -0
  44. package/scripts/_vbrief_legacy.py +589 -0
  45. package/scripts/_vbrief_reconciliation.py +883 -0
  46. package/scripts/_vbrief_routing.py +277 -0
  47. package/scripts/_vbrief_safety.py +778 -0
  48. package/scripts/_vbrief_sources.py +312 -0
  49. package/scripts/_vbrief_speckit.py +262 -0
  50. package/scripts/_vbrief_story_quality.py +353 -0
  51. package/scripts/_vbrief_validation.py +299 -0
  52. package/scripts/build_dist.py +412 -0
  53. package/scripts/cache.py +1078 -0
  54. package/scripts/cache_scanner.py +745 -0
  55. package/scripts/candidates_log.py +432 -0
  56. package/scripts/capacity_backfill.py +680 -0
  57. package/scripts/capacity_show.py +653 -0
  58. package/scripts/ci_local.py +689 -0
  59. package/scripts/code_structure_validate.py +765 -0
  60. package/scripts/codebase_default_extractor.py +495 -0
  61. package/scripts/codebase_map.py +304 -0
  62. package/scripts/codebase_map_fresh.py +104 -0
  63. package/scripts/codebase_projection_registry.py +94 -0
  64. package/scripts/codebase_provider.py +582 -0
  65. package/scripts/doctor.py +2257 -0
  66. package/scripts/framework_commands.py +505 -0
  67. package/scripts/gh_rest.py +882 -0
  68. package/scripts/github_auth_modes.py +437 -0
  69. package/scripts/github_body.py +292 -0
  70. package/scripts/ip_risk.py +531 -0
  71. package/scripts/issue_emit.py +670 -0
  72. package/scripts/issue_ingest.py +1064 -0
  73. package/scripts/migrate_preflight.py +418 -0
  74. package/scripts/migrate_vbrief.py +2677 -0
  75. package/scripts/monitor_pr.py +401 -0
  76. package/scripts/pack_migrate_lessons.py +336 -0
  77. package/scripts/pack_migrate_patterns.py +254 -0
  78. package/scripts/pack_migrate_rules.py +350 -0
  79. package/scripts/pack_migrate_skills.py +423 -0
  80. package/scripts/pack_migrate_strategies.py +311 -0
  81. package/scripts/pack_migrate_swarm_spec.py +250 -0
  82. package/scripts/pack_render.py +434 -0
  83. package/scripts/packs_slice.py +712 -0
  84. package/scripts/platform_capabilities.py +336 -0
  85. package/scripts/policy.py +2826 -0
  86. package/scripts/policy_set.py +324 -0
  87. package/scripts/pr_check_closing_keywords.py +524 -0
  88. package/scripts/pr_check_protected_issues.py +267 -0
  89. package/scripts/pr_merge_readiness.py +1004 -0
  90. package/scripts/pr_wait_mergeable.py +669 -0
  91. package/scripts/prd_render.py +159 -0
  92. package/scripts/preflight_architecture_sor.py +974 -0
  93. package/scripts/preflight_branch.py +289 -0
  94. package/scripts/preflight_cache.py +974 -0
  95. package/scripts/preflight_gh.py +721 -0
  96. package/scripts/preflight_implementation.py +272 -0
  97. package/scripts/preflight_story_start.py +838 -0
  98. package/scripts/preflight_wip_cap.py +149 -0
  99. package/scripts/probe_session.py +545 -0
  100. package/scripts/project_render.py +293 -0
  101. package/scripts/quarantine_ext.py +237 -0
  102. package/scripts/reconcile_issues.py +1442 -0
  103. package/scripts/refresh-path.ps1 +107 -0
  104. package/scripts/release.py +2030 -0
  105. package/scripts/release_e2e.py +1011 -0
  106. package/scripts/release_publish.py +486 -0
  107. package/scripts/release_rollback.py +980 -0
  108. package/scripts/relocate.py +1034 -0
  109. package/scripts/resolve_changelog_unreleased.py +667 -0
  110. package/scripts/resolve_version.py +490 -0
  111. package/scripts/resume_conditions.py +706 -0
  112. package/scripts/ritual_sentinel.py +609 -0
  113. package/scripts/roadmap_render.py +635 -0
  114. package/scripts/rule_ownership_lint.py +325 -0
  115. package/scripts/scm.py +591 -0
  116. package/scripts/scope_audit_log.py +387 -0
  117. package/scripts/scope_decompose.py +654 -0
  118. package/scripts/scope_demote.py +509 -0
  119. package/scripts/scope_lifecycle.py +1126 -0
  120. package/scripts/scope_undo.py +772 -0
  121. package/scripts/session_start.py +406 -0
  122. package/scripts/setup_ghx.py +339 -0
  123. package/scripts/setup_windows.ps1 +220 -0
  124. package/scripts/slice_audit.py +585 -0
  125. package/scripts/slice_record.py +530 -0
  126. package/scripts/slice_record_existing.py +692 -0
  127. package/scripts/slug_normalize.py +178 -0
  128. package/scripts/spec_render.py +477 -0
  129. package/scripts/spec_validate.py +238 -0
  130. package/scripts/subagent_monitor.py +658 -0
  131. package/scripts/swarm_complete_cohort.py +644 -0
  132. package/scripts/swarm_launch.py +1206 -0
  133. package/scripts/swarm_readiness.py +554 -0
  134. package/scripts/swarm_verify_review_clean.py +438 -0
  135. package/scripts/swarm_worktrees.py +497 -0
  136. package/scripts/toolchain-check.py +52 -0
  137. package/scripts/triage_actions.py +871 -0
  138. package/scripts/triage_bootstrap.py +1153 -0
  139. package/scripts/triage_bulk.py +630 -0
  140. package/scripts/triage_classify.py +932 -0
  141. package/scripts/triage_help.py +1685 -0
  142. package/scripts/triage_queue.py +1944 -0
  143. package/scripts/triage_reconcile.py +581 -0
  144. package/scripts/triage_refresh.py +643 -0
  145. package/scripts/triage_scope.py +999 -0
  146. package/scripts/triage_scope_drift.py +575 -0
  147. package/scripts/triage_smoketest.py +396 -0
  148. package/scripts/triage_subscribe.py +399 -0
  149. package/scripts/triage_summary.py +1011 -0
  150. package/scripts/triage_welcome.py +1178 -0
  151. package/scripts/ts_check_lane.py +86 -0
  152. package/scripts/validate-links.py +64 -0
  153. package/scripts/validate_strategy_output.py +212 -0
  154. package/scripts/vbrief_activate.py +228 -0
  155. package/scripts/vbrief_migrate_conformance.py +368 -0
  156. package/scripts/vbrief_reconcile_graph.py +306 -0
  157. package/scripts/vbrief_reconcile_labels.py +460 -0
  158. package/scripts/vbrief_reconcile_umbrellas.py +741 -0
  159. package/scripts/vbrief_validate.py +1195 -0
  160. package/scripts/verify-stubs.py +61 -0
  161. package/scripts/verify_capacity.py +160 -0
  162. package/scripts/verify_encoding.py +699 -0
  163. package/scripts/verify_hooks_installed.py +206 -0
  164. package/scripts/verify_investigation.py +360 -0
  165. package/scripts/verify_judgment_gates.py +827 -0
  166. package/scripts/verify_no_task_runtime.py +171 -0
  167. package/scripts/verify_scm_boundary.py +509 -0
  168. package/scripts/verify_session_ritual.py +389 -0
  169. package/scripts/verify_tools.py +426 -0
  170. package/scripts/verify_vbrief_conformance.py +478 -0
  171. package/tasks/architecture.yml +13 -0
  172. package/tasks/cache.yml +69 -0
  173. package/tasks/capacity.yml +38 -0
  174. package/tasks/change.yml +46 -0
  175. package/tasks/changelog.yml +24 -0
  176. package/tasks/ci.yml +49 -0
  177. package/tasks/codebase.yml +47 -0
  178. package/tasks/commit.yml +30 -0
  179. package/tasks/core.yml +126 -0
  180. package/tasks/deployments.yml +54 -0
  181. package/tasks/framework.yml +74 -0
  182. package/tasks/install.yml +60 -0
  183. package/tasks/issue.yml +50 -0
  184. package/tasks/migrate.yml +73 -0
  185. package/tasks/packs.yml +92 -0
  186. package/tasks/policy.yml +75 -0
  187. package/tasks/pr.yml +89 -0
  188. package/tasks/prd.yml +39 -0
  189. package/tasks/project.yml +27 -0
  190. package/tasks/reconcile.yml +32 -0
  191. package/tasks/relocate.yml +56 -0
  192. package/tasks/roadmap.yml +28 -0
  193. package/tasks/scm.yml +126 -0
  194. package/tasks/scope-undo.yml +36 -0
  195. package/tasks/scope.yml +141 -0
  196. package/tasks/session.yml +19 -0
  197. package/tasks/setup.yml +37 -0
  198. package/tasks/slice.yml +69 -0
  199. package/tasks/spec.yml +41 -0
  200. package/tasks/swarm.yml +85 -0
  201. package/tasks/toolchain.yml +13 -0
  202. package/tasks/triage-actions.yml +94 -0
  203. package/tasks/triage-bootstrap.yml +43 -0
  204. package/tasks/triage-bulk.yml +75 -0
  205. package/tasks/triage-classify.yml +30 -0
  206. package/tasks/triage-queue.yml +50 -0
  207. package/tasks/triage-reconcile.yml +29 -0
  208. package/tasks/triage-scope-drift.yml +29 -0
  209. package/tasks/triage-scope.yml +31 -0
  210. package/tasks/triage-smoketest.yml +33 -0
  211. package/tasks/triage-subscribe.yml +36 -0
  212. package/tasks/triage-summary.yml +29 -0
  213. package/tasks/triage-welcome.yml +32 -0
  214. package/tasks/ts.yml +328 -0
  215. package/tasks/vbrief.yml +206 -0
  216. package/tasks/verify.yml +292 -0
  217. package/templates/agents-entry.md +1 -1
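--- a/package/scripts/verify_session_ritual.py
+++ b/package/scripts/verify_session_ritual.py
@@ -0,0 +1,389 @@
+#!/usr/bin/env python3
+"""Fail-closed session ritual verifier (#1348)."""
+
+from __future__ import annotations
+
+import argparse
+import contextlib
+import io
+import json
+import os
+import subprocess
+import sys
+import threading
+from collections.abc import Callable
+from dataclasses import dataclass
+from datetime import UTC, datetime, timedelta
+from pathlib import Path
+from typing import Any
+
+sys.path.insert(0, str(Path(__file__).resolve().parent))
+
+from framework_commands import format_framework_command # noqa: E402
+from policy import resolve_session_ritual_staleness_hours # noqa: E402
+from ritual_sentinel import ( # noqa: E402
+RitualState,
+read_ritual_state,
+ritual_state_path,
+ritual_step,
+write_ritual_state,
+)
+
+ENV_SKIP = "DEFT_SESSION_RITUAL_SKIP"
+# The legacy subprocess runner capped each gated check via subprocess timeout=300.
+# In-process calls (#1659) must preserve that bound so a hung entrypoint cannot turn
+# the fail-closed step-0 gate into a permanent block (#1655 review).
+ENTRYPOINT_TIMEOUT_SECONDS = 300.0
+ENTRYPOINT_TIMEOUT_EXIT_CODE = 124
+QUICK_STEPS: tuple[str, ...] = ("alignment", "branch_policy", "triage_welcome")
+GATED_STEPS: tuple[str, ...] = ("doctor", "cache_fresh")
+GATED_ENTRYPOINT_COMMANDS: dict[str, tuple[str, ...]] = {
+"doctor": ("doctor",),
+"cache_fresh": ("verify:cache-fresh",),
+}
+
+
+@dataclass(frozen=True)
+class VerifyResult:
+code: int
+message: str
+tier: str
+state_path: Path
+bypassed: bool = False
+would_fail_code: int | None = None
+
+
+Runner = Callable[[list[str], Path], tuple[int, str, str]]
+
+
+def _utc_now() -> datetime:
+return datetime.now(UTC)
+
+
+def _truthy(raw: str | None) -> bool:
+return (raw or "").strip().lower() in {"1", "true", "yes", "on"}
+
+
+def _run_git(project_root: Path, args: list[str]) -> tuple[int, str, str]:
+try:
+proc = subprocess.run(
+["git", *args],
+cwd=str(project_root),
+capture_output=True,
+text=True,
+encoding="utf-8",
+errors="replace",
+check=False,
+)
+except FileNotFoundError:
+return 127, "", "git executable not found on PATH"
+return proc.returncode, proc.stdout.strip(), proc.stderr.strip()
+
+
+def _git_head(project_root: Path) -> tuple[str | None, str | None]:
+code, out, err = _run_git(project_root, ["rev-parse", "--verify", "HEAD"])
+if code != 0 or not out:
+return None, err or "could not resolve git HEAD"
+return out, None
+
+
+def _worktree_path(project_root: Path) -> str:
+code, out, _err = _run_git(project_root, ["rev-parse", "--show-toplevel"])
+if code == 0 and out:
+return str(Path(out).resolve())
+return str(project_root.resolve())
+
+
+def _call_main(
+main_func: Callable[[list[str]], int],
+argv: list[str],
+*,
+timeout: float | None = None,
+) -> tuple[int, str, str]:
+"""Run an in-process entrypoint, bounding it with a timeout.
+
+The legacy subprocess runner passed ``timeout=300`` so a hung check could not
+block the step-0 gate indefinitely. In-process calls drop that protection, so
+the entrypoint runs in a daemon worker thread joined with the same bound; a
+hang returns a fail-closed timeout result instead of blocking dispatch (#1655).
+``timeout`` resolves to ``ENTRYPOINT_TIMEOUT_SECONDS`` at call time when unset.
+"""
+if timeout is None:
+timeout = ENTRYPOINT_TIMEOUT_SECONDS
+result: dict[str, tuple[int, str, str]] = {}
+real_stdout, real_stderr = sys.stdout, sys.stderr
+
+def _worker() -> None:
+stdout = io.StringIO()
+stderr = io.StringIO()
+try:
+with contextlib.redirect_stdout(stdout), contextlib.redirect_stderr(stderr):
+code = main_func(argv)
+except SystemExit as exc:
+raw_code = exc.code
+code = raw_code if isinstance(raw_code, int) else (0 if raw_code is None else 1)
+except Exception as exc: # noqa: BLE001 -- ritual state must record failures
+message = f"{type(exc).__name__}: {exc}"
+captured_stderr = stderr.getvalue()
+stderr_value = f"{captured_stderr}\n{message}" if captured_stderr else message
+result["value"] = (2, stdout.getvalue(), stderr_value)
+return
+result["value"] = (int(code or 0), stdout.getvalue(), stderr.getvalue())
+
+worker = threading.Thread(target=_worker, name="deft-ritual-entrypoint", daemon=True)
+worker.start()
+worker.join(timeout)
+if worker.is_alive():
+# A hung worker may still hold the process-global stdout/stderr redirect;
+# restore the real streams so the caller's fail-closed message survives.
+sys.stdout, sys.stderr = real_stdout, real_stderr
+label = getattr(main_func, "__name__", "entrypoint")
+return ENTRYPOINT_TIMEOUT_EXIT_CODE, "", f"{label} timed out after {timeout:g}s"
+return result.get("value", (2, "", "entrypoint produced no result"))
+
+
+def _default_runner(args: list[str], cwd: Path) -> tuple[int, str, str]:
+command, *argv = args
+if command == "doctor":
+import doctor # noqa: PLC0415
+
+return _call_main(doctor.cmd_doctor, ["--project-root", str(cwd), *argv])
+if command == "verify:cache-fresh":
+import preflight_cache # noqa: PLC0415
+
+return _call_main(
+preflight_cache.main,
+["--allow-missing-bootstrap", "--project-root", str(cwd), *argv],
+)
+return 2, "", f"unknown session ritual command: {command}"
+
+
+def _step_passes(step: dict[str, Any] | None) -> bool:
+if not isinstance(step, dict):
+return False
+if step.get("deferred_reason"):
+return True
+return step.get("ok") is True
+
+
+def _failed_step_message(tier_name: str, step_name: str, step: object) -> str:
+if step is None:
+return (
+f"session ritual {tier_name} step '{step_name}' is missing. "
+f"Run `{format_framework_command(['session:start'])}` before implementation dispatch."
+)
+if isinstance(step, dict) and step.get("deferred_reason"):
+return ""
+message = step.get("message") if isinstance(step, dict) else None
+suffix = f": {message}" if isinstance(message, str) and message else ""
+return f"session ritual {tier_name} step '{step_name}' failed{suffix}"
+
+
+def _run_gated_step(
+project_root: Path,
+payload: dict[str, Any],
+step_name: str,
+*,
+runner: Runner,
+now: datetime,
+) -> str | None:
+command = [*GATED_ENTRYPOINT_COMMANDS[step_name]]
+code, stdout, stderr = runner(command, project_root)
+message = stdout.strip() or stderr.strip() or f"{command[0]} exited {code}"
+payload.setdefault("gated_steps", {})[step_name] = ritual_step(
+ok=code == 0,
+ts=now,
+exit_code=code,
+message=message,
+command=command,
+)
+try:
+write_ritual_state(project_root, payload)
+except OSError as exc:
+return f"could not write session ritual state after {step_name}: {exc}"
+return None
+
+
+def _evaluate_loaded_state(
+project_root: Path,
+state: RitualState,
+*,
+tier: str,
+now: datetime,
+) -> tuple[int, str]:
+current_head, head_error = _git_head(project_root)
+if current_head is None:
+return 2, head_error or "could not resolve git HEAD"
+current_worktree = _worktree_path(project_root)
+if state.worktree_path != current_worktree:
+return (
+1,
+"session ritual state belongs to a different worktree "
+f"({state.worktree_path}); run `{format_framework_command(['session:start'])}` here.",
+)
+if state.git_head != current_head:
+return (
+1,
+"session ritual state is stale because git HEAD changed. "
+f"Run `{format_framework_command(['session:start'])}` again.",
+)
+staleness = resolve_session_ritual_staleness_hours(project_root)
+if staleness.source == "default-on-error":
+return 2, staleness.error or "session ritual staleness policy is invalid"
+max_age = timedelta(hours=staleness.hours)
+if now - state.started_at > max_age:
+start_command = format_framework_command(["session:start"])
+return (
+1,
+"session ritual state is stale "
+f"(older than {staleness.hours}h). Run `{start_command}` again.",
+)
+for step_name in QUICK_STEPS:
+step = state.quick_steps.get(step_name)
+if not _step_passes(step):
+return 1, _failed_step_message("quick", step_name, step)
+if tier == "gated":
+for step_name in GATED_STEPS:
+step = state.gated_steps.get(step_name)
+if not _step_passes(step):
+return 1, _failed_step_message("gated", step_name, step)
+return 0, f"OK session ritual {tier} tier is fresh."
+
+
+def verify(
+project_root: Path,
+*,
+tier: str = "quick",
+now: datetime | None = None,
+runner: Runner | None = None,
+bypass: bool | None = None,
+) -> VerifyResult:
+"""Verify the session ritual state and optionally run gated steps."""
+if tier not in {"quick", "gated"}:
+return VerifyResult(
+2,
+f"tier must be 'quick' or 'gated', got {tier!r}",
+tier,
+ritual_state_path(project_root),
+)
+instant = now or _utc_now()
+is_bypassed = _truthy(os.environ.get(ENV_SKIP)) if bypass is None else bypass
+state_path = ritual_state_path(project_root)
+missing_state_file = not state_path.is_file()
+state, err = read_ritual_state(project_root)
+if state is None:
+code = 1 if missing_state_file else 2
+start_command = format_framework_command(["session:start"])
+message = (
+f"{err}. Run `{start_command}` before implementation dispatch."
+if code == 1
+else err or "ritual state invalid"
+)
+if is_bypassed:
+return VerifyResult(0, message, tier, state_path, True, code)
+return VerifyResult(code, message, tier, state_path)
+
+if tier == "gated" and not is_bypassed:
+precheck_code, precheck_message = _evaluate_loaded_state(
+project_root,
+state,
+tier="quick",
+now=instant,
+)
+if precheck_code != 0:
+return VerifyResult(precheck_code, precheck_message, tier, state_path)
+
+payload = dict(state.raw)
+gated = payload.setdefault("gated_steps", {})
+run_cmd = runner or _default_runner
+for step_name in GATED_STEPS:
+step = gated.get(step_name)
+if isinstance(step, dict) and step.get("deferred_reason"):
+continue
+if _step_passes(step):
+continue
+write_error = _run_gated_step(
+project_root,
+payload,
+step_name,
+runner=run_cmd,
+now=instant,
+)
+if write_error is not None:
+return VerifyResult(2, write_error, tier, state_path)
+state, err = read_ritual_state(project_root)
+if state is None:
+code = 2
+message = err or "ritual state invalid after gated update"
+return VerifyResult(code, message, tier, state_path)
+
+code, message = _evaluate_loaded_state(project_root, state, tier=tier, now=instant)
+if is_bypassed:
+return VerifyResult(0, message, tier, state_path, True, code if code else None)
+return VerifyResult(code, message, tier, state_path)
+
+
+def _emit_json(result: VerifyResult) -> str:
+return json.dumps(
+{
+"ready": result.code == 0,
+"exit_code": result.code,
+"tier": result.tier,
+"message": result.message,
+"state_path": str(result.state_path),
+"bypassed": result.bypassed,
+"would_fail_code": result.would_fail_code,
+},
+sort_keys=True,
+)
+
+
+def _emit_bypass_warning(result: VerifyResult) -> None:
+if result.bypassed and result.would_fail_code:
+print(
+f"[deft] WARNING: {ENV_SKIP}=1 bypassed a session ritual "
+f"failure ({result.message})",
+file=sys.stderr,
+)
+
+
+def _build_parser() -> argparse.ArgumentParser:
+parser = argparse.ArgumentParser(
+prog="verify_session_ritual.py",
+description="Fail-closed session ritual verifier (#1348).",
+)
+parser.add_argument(
+"--project-root",
+default=".",
+help="Project root containing .deft/ritual-state.json (default: cwd).",
+)
+parser.add_argument(
+"--tier",
+choices=("quick", "gated"),
+default="quick",
+help="Ritual tier to verify. Gated lazily runs doctor/cache checks.",
+)
+parser.add_argument("--json", action="store_true", dest="emit_json")
+return parser
+
+
+def main(argv: list[str] | None = None) -> int:
+parser = _build_parser()
+args = parser.parse_args(argv)
+project_root = Path(args.project_root).resolve()
+result = verify(project_root, tier=args.tier)
+warning_needed = result.bypassed and result.would_fail_code is not None
+if args.emit_json:
+print(_emit_json(result))
+elif result.code == 0:
+if not warning_needed:
+print(result.message)
+else:
+print(result.message, file=sys.stderr)
+if warning_needed:
+_emit_bypass_warning(result)
+return result.code
+
+
+if __name__ == "__main__":
+sys.exit(main())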
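Review bot: In `_call_main`, a worker that times out keeps running after the function returns, and the `GATED_STEPS` loop in `verify` then starts the next entrypoint while the first may still be inside its `redirect_stdout`/`redirect_stderr` block. Those redirects are process-global, so output from the stale worker can end up in the next step's captured `message`, and when the stale worker finally leaves its `with` block it resets `sys.stdout`/`sys.stderr` to the real streams, so the later step's output could escape onto the verifier's own stdout and mix into `--json` output. The recorded exit codes are not affected, so the gate still fails closed, but the diagnostics stored in the ritual state stop being reliable. I would not start another in-process entrypoint once one has timed out (have `_run_gated_step` report the timeout and `break` out of the loop in `verify`), and add to the `_call_main` docstring: `A timed-out worker cannot be cancelled and keeps running until the process exits; do not start another entrypoint after a timeout.`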