@ekkos/cli 0.2.18 → 1.0.0

package/templates/windsurf-hooks/README.md

@@ -0,0 +1,212 @@
+# ekkOS Windsurf Cascade Hooks
+
+Complete Golden Loop integration for Windsurf Cascade with proactive memory retrieval, PatternGuard enforcement, and automatic turn capture.
+
+## Features
+
+- **Proactive Memory Retrieval**: Automatically retrieves patterns from all 8 memory layers before each prompt
+- **Endless Context**: Auto-restores conversation context after context compaction (10+ min gaps)
+- **Time Machine**: Supports "Continue from here" to restore past sessions
+- **PatternGuard**: Enforces 100% pattern acknowledgment with SELECT/SKIP markers
+- **Footer Enforcement**: Requires ekkOS™ branded timestamp footer on all responses
+- **Golden Loop Compliance**: Turn contracts, validation, and outcome tracking
+
+## Installation
+
+### 1. Copy hooks to your project
+
+```bash
+# From your project root
+cp -r /path/to/ekkos/templates/windsurf-hooks .windsurf/
+```
+
+### 2. Configure Windsurf hooks
+
+Create `.windsurf/hooks.json` in your project root:
+
+```json
+{
+  "version": 1,
+  "hooks": {
+    "pre_user_prompt": [
+      {
+        "command": "./.windsurf/hooks/pre-user-prompt.sh",
+        "show_output": false
+      }
+    ],
+    "post_cascade_response": [
+      {
+        "command": "./.windsurf/hooks/post-cascade-response.sh",
+        "show_output": false
+      }
+    ]
+  }
+}
+```
+
+### 3. Authenticate ekkOS
+
+Ensure you have a valid ekkOS config:
+
+```bash
+# Check your auth
+cat ~/.ekkos/config.json
+```
+
+If not configured, run `ekkOS: Connect` in VS Code to set up authentication.
+
+### 4. Test the integration
+
+Open Cascade and ask a technical question. You should see:
+
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+🧠 ekkOS™ Memory Substrate
+✓ 3 patterns loaded from memory
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+```
+
+## How It Works
+
+### Hook Flow
+
+```
+User Prompt
+    ↓
+pre_user_prompt hook
+    ├─ Retrieves patterns from ekkOS API
+    ├─ Checks for Time Machine requests
+    ├─ Auto-restores Endless Context (if gap detected)
+    ├─ Writes turn contract
+    └─ Injects patterns + footer requirement
+    ↓
+Cascade processes augmented prompt
+    ↓
+Cascade generates response
+    ↓
+post_cascade_response hook
+    ├─ Validates PatternGuard (acknowledgments)
+    ├─ Checks footer presence
+    ├─ Captures turn to L2 episodic memory
+    ├─ Tracks pattern outcomes
+    └─ Reports compliance status
+```
+
+### Golden Loop Enforcement
+
+**RETRIEVE** (pre_user_prompt):
+- Searches all 8 memory layers
+- Returns patterns with IDs
+- Writes turn contract as evidence
+
+**ACKNOWLEDGE** (Cascade response must include):
+```
+[ekkOS_SELECT]
+- id: <pattern-uuid>
+  reason: <why using>
+  confidence: <0.0-1.0>
+[/ekkOS_SELECT]
+
+[ekkOS_SKIP]
+- id: <pattern-uuid>
+  reason: <why not relevant>
+[/ekkOS_SKIP]
+```
+
+**FOOTER** (required on all responses):
+```
+🧠 **ekkOS_™** · 📅 YYYY-MM-DD H:MM AM/PM TZ
+```
+
+**CAPTURE** (post_cascade_response):
+- Stores turn in episodic memory (L2)
+- Validates compliance
+- Tracks pattern usage outcomes
+
+## Configuration Options
+
+### Strict Mode
+
+Set `EKKOS_STRICT=1` to block turns when retrieval fails:
+
+```bash
+export EKKOS_STRICT=1
+```
+
+### Auth Sources (priority order)
+
+1. `~/.ekkos/config.json` (preferred - set by VS Code extension)
+2. Project `.env.local` (SUPABASE_SECRET_KEY)
+3. Environment variable `SUPABASE_SECRET_KEY`
+
+### Hook Locations
+
+Cascade merges hooks from all locations (system → user → workspace):
+
+- **System**: `/Library/Application Support/Windsurf/hooks.json` (macOS)
+- **User**: `~/.codeium/windsurf/hooks.json`
+- **Workspace**: `.windsurf/hooks.json` (project-specific)
+
+## File Structure
+
+```
+.windsurf/
+├── hooks.json                    # Hook configuration
+└── hooks/
+    ├── pre-user-prompt.sh        # Retrieval + injection
+    ├── post-cascade-response.sh  # Capture + validation
+    └── lib/
+        └── contract.sh           # Turn contract library
+```
+
+## Troubleshooting
+
+### "No auth token" message
+
+1. Run `ekkOS: Connect` in VS Code
+2. Check `~/.ekkos/config.json` exists with `hookApiKey` or `apiKey`
+3. Verify the key is valid at https://platform.ekkos.dev
+
+### Hooks not firing
+
+1. Check file permissions: `chmod +x .windsurf/hooks/*.sh`
+2. Verify JSON syntax in `hooks.json`
+3. Check Windsurf logs: Cascade toolbar → Settings → Download diagnostics
+4. Ensure `jq` is installed: `which jq`
+
+### Patterns not loading
+
+1. Test API health: `curl https://mcp.ekkos.dev/api/v1/gateway/health`
+2. Check network connectivity
+3. Verify auth token has access to your user data
+
+### Footer enforcement not working
+
+The footer check is in `post_cascade_response`. Non-compliance is logged but doesn't block the response (unless STRICT mode is on). Check your responses include:
+- The 🧠 emoji
+- `ekkOS` text
+- 📅 date stamp
+
+## Comparison: Windsurf vs Cursor/Claude Code
+
+| Feature | Windsurf Hooks | Cursor Hooks | Claude Code |
+|---------|----------------|--------------|-------------|
+| Hook names | `pre_user_prompt`, `post_cascade_response` | `beforeSubmitPrompt`, `afterAgentResponse` | `.claude/` scripts |
+| Auto-inject | ✅ Yes | ✅ Yes | ✅ Yes |
+| Endless Context | ✅ Yes | ✅ Yes | ✅ Yes |
+| Time Machine | ✅ Yes | ✅ Yes | ✅ Yes |
+| PatternGuard | ✅ Yes | ✅ Yes | ✅ Yes |
+| Footer required | ✅ Yes | ✅ Yes | ✅ Yes |
+
+## API Endpoints Used
+
+- `POST /api/v1/context/retrieve` - Pattern retrieval
+- `POST /api/v1/capture` - Turn storage
+- `POST /api/v1/turns/recall` - Endless Context restoration
+- `GET /api/v1/context/restore-request/pending` - Time Machine check
+- `POST /api/v1/context/restore-request/consume` - Time Machine consume
+- `POST /api/v1/patterns/outcome` - Pattern outcome tracking
+
+## License
+
+Part of the ekkOS memory system. See main repository for license details.

package/templates/windsurf-hooks/hooks.json

@@ -1,9 +1,16 @@
 {
   "version": 1,
   "hooks": {
-    "beforeSubmitPrompt": [
+    "pre_user_prompt": [
       {
-        "command": "./.windsurf/hooks/before-submit-prompt.sh"
+        "command": "./.windsurf/hooks/pre-user-prompt.sh",
+        "show_output": false
+      }
+    ],
+    "post_cascade_response": [
+      {
+        "command": "./.windsurf/hooks/post-cascade-response.sh",
+        "show_output": false
       }
     ]
   }

package/templates/windsurf-hooks/install.sh

@@ -0,0 +1,148 @@
+#!/bin/bash
+# ═══════════════════════════════════════════════════════════════════════════
+# ekkOS Windsurf Hooks Installer
+# ═══════════════════════════════════════════════════════════════════════════
+#
+# Usage: ./install.sh [--global]
+#   --global: Install to ~/.windsurf/ (works in all projects)
+#   (default): Install to ./.windsurf/ (project-level only)
+#
+# ═══════════════════════════════════════════════════════════════════════════
+
+set -e
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Parse arguments
+GLOBAL_INSTALL=false
+if [ "$1" = "--global" ]; then
+  GLOBAL_INSTALL=true
+fi
+
+# Get script directory
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Determine install location
+if [ "$GLOBAL_INSTALL" = true ]; then
+  WINDSURF_DIR="$HOME/.windsurf"
+  echo -e "${BLUE}🧠 ekkOS Windsurf Hooks Installer (GLOBAL)${NC}"
+  echo -e "${BLUE}📍 Installing to: $WINDSURF_DIR/${NC}"
+else
+  WINDSURF_DIR="./.windsurf"
+  echo -e "${BLUE}🧠 ekkOS Windsurf Hooks Installer (Project-level)${NC}"
+fi
+
+echo "═══════════════════════════════════════════════════════════════════"
+
+# Check if running in a project (only for local install)
+if [ "$GLOBAL_INSTALL" = false ]; then
+  if [ ! -d ".git" ] && [ ! -f "package.json" ] && [ ! -f "Cargo.toml" ] && [ ! -f "pyproject.toml" ]; then
+    echo -e "${YELLOW}⚠️  Warning: No project files detected. Make sure you're in a project root.${NC}"
+    read -p "Continue anyway? (y/N) " -n 1 -r
+    echo
+    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+      exit 1
+    fi
+  fi
+fi
+
+# Check for jq
+if ! command -v jq &> /dev/null; then
+  echo -e "${RED}❌ jq is required but not installed.${NC}"
+  echo "   Install with: brew install jq (macOS) or apt-get install jq (Linux)"
+  exit 1
+fi
+
+# Check for curl
+if ! command -v curl &> /dev/null; then
+  echo -e "${RED}❌ curl is required but not installed.${NC}"
+  exit 1
+fi
+
+# Create .windsurf directory
+echo -e "${BLUE}📁 Creating .windsurf directory...${NC}"
+mkdir -p "$WINDSURF_DIR/hooks/lib"
+
+# Copy hook files
+echo -e "${BLUE}📄 Copying hook files...${NC}"
+cp "$SCRIPT_DIR/hooks.json" "$WINDSURF_DIR/hooks.json"
+cp "$SCRIPT_DIR/pre-user-prompt.sh" "$WINDSURF_DIR/hooks/"
+cp "$SCRIPT_DIR/post-cascade-response.sh" "$WINDSURF_DIR/hooks/"
+cp "$SCRIPT_DIR/lib/contract.sh" "$WINDSURF_DIR/hooks/lib/"
+
+# Make scripts executable
+echo -e "${BLUE}🔧 Setting permissions...${NC}"
+chmod +x "$WINDSURF_DIR/hooks/"*.sh
+chmod +x "$WINDSURF_DIR/hooks/lib/"*.sh
+
+# Check for ekkOS auth
+echo -e "${BLUE}🔐 Checking ekkOS authentication...${NC}"
+EKKOS_CONFIG="$HOME/.ekkos/config.json"
+
+if [ -f "$EKKOS_CONFIG" ]; then
+  if jq -e '.hookApiKey // .apiKey' "$EKKOS_CONFIG" > /dev/null 2>&1; then
+    echo -e "${GREEN}✅ ekkOS auth found in ~/.ekkos/config.json${NC}"
+  else
+    echo -e "${YELLOW}⚠️  ~/.ekkos/config.json exists but no API key found${NC}"
+    echo "   Run 'ekkOS: Connect' in VS Code to authenticate"
+  fi
+else
+  echo -e "${YELLOW}⚠️  No ekkOS config found${NC}"
+  echo "   Run 'ekkOS: Connect' in VS Code to authenticate"
+fi
+
+# Test API connectivity
+echo -e "${BLUE}🌐 Testing ekkOS API connectivity...${NC}"
+if curl -s --connect-timeout 3 https://mcp.ekkos.dev/api/v1/gateway/health > /dev/null 2>&1; then
+  echo -e "${GREEN}✅ ekkOS API is reachable${NC}"
+else
+  echo -e "${YELLOW}⚠️  Could not reach ekkOS API (may be network issues)${NC}"
+fi
+
+# Summary
+echo ""
+echo -e "${GREEN}✅ Installation complete!${NC}"
+echo "═══════════════════════════════════════════════════════════════════"
+echo ""
+
+if [ "$GLOBAL_INSTALL" = true ]; then
+  echo "📂 Installed files (GLOBAL - works in ALL projects):"
+  echo "   ~/.windsurf/hooks.json"
+  echo "   ~/.windsurf/hooks/pre-user-prompt.sh"
+  echo "   ~/.windsurf/hooks/post-cascade-response.sh"
+  echo "   ~/.windsurf/hooks/lib/contract.sh"
+  echo ""
+  echo "🚀 Next steps:"
+  echo "   1. Open any project in Windsurf Cascade"
+  echo "   2. Ask a technical question"
+  echo "   3. You should see: '🧠 ekkOS™ Memory Substrate' header"
+  echo ""
+  echo "� To use in a specific project, create a symlink:"
+  echo "   ln -s ~/.windsurf ./.windsurf"
+else
+  echo "📂 Installed files (Project-level):"
+  echo "   .windsurf/hooks.json"
+  echo "   .windsurf/hooks/pre-user-prompt.sh"
+  echo "   .windsurf/hooks/post-cascade-response.sh"
+  echo "   .windsurf/hooks/lib/contract.sh"
+  echo ""
+  echo "🚀 Next steps:"
+  echo "   1. Open Windsurf Cascade in this project"
+  echo "   2. Ask a technical question"
+  echo "   3. You should see: '🧠 ekkOS™ Memory Substrate' header"
+  echo ""
+  # Git ignore suggestion
+  if [ -d ".git" ]; then
+    if ! grep -q ".windsurf/state" .gitignore 2>/dev/null; then
+      echo -e "${YELLOW}💡 Tip: Add '.windsurf/state' to your .gitignore${NC}"
+    fi
+  fi
+fi
+
+echo ""
+echo "📖 For more info: cat ~/.windsurf/hooks/README.md"

package/templates/windsurf-hooks/lib/contract.sh

@@ -16,6 +16,8 @@ get_contract_dir() {
 
   if [ "$source" = "cursor" ]; then
     echo "$project_root/.cursor/state/ekkos"
+  elif [ "$source" = "windsurf" ]; then
+    echo "$project_root/.windsurf/state/ekkos"
   else
     echo "$project_root/.claude/state/ekkos"
   fi

package/templates/windsurf-hooks/post-cascade-response.sh

@@ -0,0 +1,251 @@
+#!/bin/bash
+# ═══════════════════════════════════════════════════════════════════════════
+# ekkOS_ Hook: post_cascade_response (Windsurf Cascade) - CAPTURE + VALIDATE
+#
+# ARCHITECTURE: Dumb Hook, Smart Backend
+# ═══════════════════════════════════════════════════════════════════════════
+# This hook runs AFTER Cascade completes a response.
+# It is THE CANONICAL capture path for Windsurf Cascade.
+#
+# FEATURES:
+# - Turn capture to L2 episodic memory
+# - PatternGuard validation (footer + pattern acknowledgment)
+# - Outcome tracking for Golden Loop
+# - Compliance metadata generation
+#
+# Windsurf Hook Input:
+# {
+#   "agent_action_name": "post_cascade_response",
+#   "trajectory_id": "...",
+#   "execution_id": "...",
+#   "timestamp": "...",
+#   "tool_info": {"response": "..."}
+# }
+#
+# Golden Loop Flow:
+# 1. pre_user_prompt: Retrieves patterns + writes turn contract
+# 2. post_cascade_response: Validates response + captures turn + tracks outcomes
+# ═══════════════════════════════════════════════════════════════════════════
+
+set +e  # Don't exit on errors - be bulletproof
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(dirname "$(dirname "$SCRIPT_DIR")")"
+STATE_DIR="$PROJECT_ROOT/.windsurf/state"
+mkdir -p "$STATE_DIR" 2>/dev/null || true
+
+# Load turn contract library
+if [ -f "$SCRIPT_DIR/lib/contract.sh" ]; then
+  source "$SCRIPT_DIR/lib/contract.sh" 2>/dev/null || true
+fi
+
+# Fallback functions if library didn't load
+if ! command -v read_turn_contract >/dev/null 2>&1; then
+  read_turn_contract() { return 1; }
+fi
+if ! command -v calculate_pattern_guard_coverage >/dev/null 2>&1; then
+  calculate_pattern_guard_coverage() { echo "100"; }
+fi
+if ! command -v check_footer_present >/dev/null 2>&1; then
+  check_footer_present() { echo "true"; }
+fi
+if ! command -v is_turn_compliant >/dev/null 2>&1; then
+  is_turn_compliant() { echo "true"; }
+fi
+if ! command -v get_violation_reason >/dev/null 2>&1; then
+  get_violation_reason() { echo "none"; }
+fi
+if ! command -v cleanup_turn_contract >/dev/null 2>&1; then
+  cleanup_turn_contract() { return 0; }
+fi
+
+# ═══════════════════════════════════════════════════════════════════════════
+# Read JSON input from stdin (Windsurf format)
+# ═══════════════════════════════════════════════════════════════════════════
+INPUT=$(cat)
+
+# Extract response text from Windsurf format
+RESPONSE_TEXT=$(echo "$INPUT" | jq -r '.tool_info.response // ""' 2>/dev/null || echo "")
+
+# Extract trajectory/session info
+TRAJECTORY_ID=$(echo "$INPUT" | jq -r '.trajectory_id // ""' 2>/dev/null || echo "")
+EXECUTION_ID=$(echo "$INPUT" | jq -r '.execution_id // ""' 2>/dev/null || echo "")
+
+# Generate session ID if not provided
+if [ -z "$TRAJECTORY_ID" ] || [ "$TRAJECTORY_ID" = "null" ]; then
+  TRAJECTORY_ID="windsurf-$(date +%s)-$$"
+fi
+
+SESSION_ID="$TRAJECTORY_ID"
+
+# Skip if empty response
+if [ -z "$RESPONSE_TEXT" ] || [ "$RESPONSE_TEXT" = "null" ]; then
+  exit 0
+fi
+
+# ═══════════════════════════════════════════════════════════════════════════
+# Load auth
+# ═══════════════════════════════════════════════════════════════════════════
+EKKOS_CONFIG="$HOME/.ekkos/config.json"
+AUTH_TOKEN=""
+USER_ID=""
+
+if [ -f "$EKKOS_CONFIG" ]; then
+  AUTH_TOKEN=$(jq -r '.hookApiKey // .apiKey // ""' "$EKKOS_CONFIG" 2>/dev/null || echo "")
+  USER_ID=$(jq -r '.userId // ""' "$EKKOS_CONFIG" 2>/dev/null || echo "")
+fi
+
+if [ -z "$AUTH_TOKEN" ] && [ -f "$PROJECT_ROOT/.env.local" ]; then
+  AUTH_TOKEN=$(grep -E "^SUPABASE_SECRET_KEY=" "$PROJECT_ROOT/.env.local" | cut -d'=' -f2- | tr -d '"' | tr -d "'" | tr -d '\r')
+fi
+
+[ -z "$AUTH_TOKEN" ] && exit 0
+
+MEMORY_API_URL="https://mcp.ekkos.dev"
+
+# ═══════════════════════════════════════════════════════════════════════════
+# Load session state from pre_user_prompt hook
+# ═══════════════════════════════════════════════════════════════════════════
+LAST_QUERY=""
+RETRIEVED_PATTERN_IDS=""
+CONTRACT_DATA=""
+
+# Load the query that triggered this response
+if [ -f "$STATE_DIR/last_query.txt" ]; then
+  LAST_QUERY=$(cat "$STATE_DIR/last_query.txt" 2>/dev/null || echo "")
+fi
+
+# Read the turn contract written by pre_user_prompt
+CONTRACT_DATA=$(read_turn_contract "$SESSION_ID" "windsurf" "$PROJECT_ROOT" 2>/dev/null || echo "")
+
+if [ -n "$CONTRACT_DATA" ]; then
+  RETRIEVAL_OK=$(echo "$CONTRACT_DATA" | jq -r '.retrieval_ok // "false"' 2>/dev/null || echo "false")
+  RETRIEVED_PATTERN_IDS=$(echo "$CONTRACT_DATA" | jq -r '.retrieved_pattern_ids | join(",") // ""' 2>/dev/null || echo "")
+  RETRIEVED_DIRECTIVE_IDS=$(echo "$CONTRACT_DATA" | jq -r '.retrieved_directive_ids | join(",") // ""' 2>/dev/null || echo "")
+  EKKOS_STRICT=$(echo "$CONTRACT_DATA" | jq -r '.ekkos_strict // 0' 2>/dev/null || echo "0")
+else
+  RETRIEVAL_OK="false"
+  EKKOS_STRICT=0
+fi
+
+# Load patterns that were injected
+PATTERN_COUNT=0
+if [ -f "$STATE_DIR/patterns-${SESSION_ID}.json" ]; then
+  PATTERN_COUNT=$(jq 'length' "$STATE_DIR/patterns-${SESSION_ID}.json" 2>/dev/null || echo "0")
+fi
+
+# ═══════════════════════════════════════════════════════════════════════════
+# [PATTERNGUARD] Validate response compliance
+# ═══════════════════════════════════════════════════════════════════════════
+PATTERN_GUARD_COVERAGE=$(calculate_pattern_guard_coverage "$RESPONSE_TEXT" "$RETRIEVED_PATTERN_IDS")
+FOOTER_PRESENT=$(check_footer_present "$RESPONSE_TEXT")
+IS_COMPLIANT=$(is_turn_compliant "$RETRIEVAL_OK" "$PATTERN_GUARD_COVERAGE" "$FOOTER_PRESENT" "$PATTERN_COUNT")
+VIOLATION_REASON=$(get_violation_reason "$RETRIEVAL_OK" "$PATTERN_GUARD_COVERAGE" "$FOOTER_PRESENT" "$PATTERN_COUNT")
+
+# ═══════════════════════════════════════════════════════════════════════════
+# Get turn number
+# ═══════════════════════════════════════════════════════════════════════════
+TURN_FILE="$STATE_DIR/turn_${SESSION_ID}.txt"
+TURN_NUMBER=1
+if [ -f "$TURN_FILE" ]; then
+  TURN_NUMBER=$(cat "$TURN_FILE" 2>/dev/null || echo "0")
+  TURN_NUMBER=$((TURN_NUMBER + 1))
+fi
+echo "$TURN_NUMBER" > "$TURN_FILE"
+
+# ═══════════════════════════════════════════════════════════════════════════
+# [ekkOS_CAPTURE] Capture turn to L2 episodic memory
+# ═══════════════════════════════════════════════════════════════════════════
+# Only capture if we have a query to pair with
+if [ -n "$LAST_QUERY" ]; then
+  # Truncate for API limits
+  QUERY_TRUNCATED="${LAST_QUERY:0:10000}"
+  RESPONSE_TRUNCATED="${RESPONSE_TEXT:0:50000}"
+
+  # Build compliance metadata
+  COMPLIANCE_META=$(cat << EOF
+{
+  "retrieval_ok": $RETRIEVAL_OK,
+  "pattern_guard_required": $(if [ "$PATTERN_COUNT" -gt 0 ]; then echo "true"; else echo "false"; fi),
+  "pattern_guard_coverage_pct": $PATTERN_GUARD_COVERAGE,
+  "footer_present": $FOOTER_PRESENT,
+  "ekkos_strict": $EKKOS_STRICT,
+  "retrieved_count": $PATTERN_COUNT,
+  "compliance_version": "1.0",
+  "is_compliant": $IS_COMPLIANT,
+  "violation_reason": "$VIOLATION_REASON"
+}
+EOF
+)
+
+  CAPTURE_PAYLOAD=$(jq -n \
+    --arg session_id "windsurf-$SESSION_ID" \
+    --arg user_id "${USER_ID:-system}" \
+    --arg user_query "$QUERY_TRUNCATED" \
+    --arg assistant_response "$RESPONSE_TRUNCATED" \
+    --argjson turn_number "$TURN_NUMBER" \
+    --argjson compliance "$COMPLIANCE_META" \
+    '{
+      session_id: $session_id,
+      user_id: $user_id,
+      user_query: $user_query,
+      assistant_response: $assistant_response,
+      metadata: {
+        source: "windsurf-cascade",
+        turn_number: $turn_number,
+        compliance: $compliance
+      }
+    }' 2>/dev/null || echo '{}')
+
+  # Fire and forget - don't block Cascade
+  curl -s -X POST "$MEMORY_API_URL/api/v1/capture" \
+    -H "Authorization: Bearer $AUTH_TOKEN" \
+    -H "Content-Type: application/json" \
+    -d "$CAPTURE_PAYLOAD" \
+    --connect-timeout 2 \
+    --max-time 3 >/dev/null 2>&1 &
+
+  # Track pattern outcomes if acknowledgment found
+  if [ "$PATTERN_COUNT" -gt 0 ]; then
+    # Check for [ekkOS_SELECT] markers and track outcomes
+    SELECT_BLOCK=$(echo "$RESPONSE_TEXT" | grep -ozP '\[ekkOS_SELECT\][\s\S]*?\[/ekkOS_SELECT\]' 2>/dev/null | tr '\0' '\n' || true)
+    if [ -n "$SELECT_BLOCK" ]; then
+      # Extract pattern IDs and track them
+      echo "$SELECT_BLOCK" | grep -oE 'id:\s*[a-f0-9-]+' | sed 's/id:\s*//' | while read -r pattern_id; do
+        # Track successful application
+        curl -s -X POST "$MEMORY_API_URL/api/v1/patterns/outcome" \
+          -H "Authorization: Bearer $AUTH_TOKEN" \
+          -H "Content-Type: application/json" \
+          -d "{\"pattern_id\": \"$pattern_id\", \"success\": true, \"source\": \"windsurf-cascade\"}" \
+          --connect-timeout 1 \
+          --max-time 2 >/dev/null 2>&1 &
+      done
+    fi
+  fi
+
+  # Clear last query so we don't double-capture
+  rm -f "$STATE_DIR/last_query.txt" 2>/dev/null || true
+fi
+
+# ═══════════════════════════════════════════════════════════════════════════
+# Cleanup turn contract after successful capture
+# ═══════════════════════════════════════════════════════════════════════════
+cleanup_turn_contract "$SESSION_ID" "windsurf" "$PROJECT_ROOT" 2>/dev/null || true
+
+# Clean up pattern file
+rm -f "$STATE_DIR/patterns-${SESSION_ID}.json" 2>/dev/null || true
+
+# ═══════════════════════════════════════════════════════════════════════════
+# [NON-COMPLIANCE WARNINGS] If Golden Loop violations detected
+# ═══════════════════════════════════════════════════════════════════════════
+if [ "$IS_COMPLIANT" != "true" ] && [ "${EKKOS_STRICT:-0}" != "1" ]; then
+  # Log violation for analysis (fire and forget)
+  curl -s -X POST "$MEMORY_API_URL/api/v1/capture/violation" \
+    -H "Authorization: Bearer $AUTH_TOKEN" \
+    -H "Content-Type: application/json" \
+    -d "{\"session_id\": \"windsurf-$SESSION_ID\", \"user_id\": \"${USER_ID:-system}\", \"violation_reason\": \"$VIOLATION_REASON\", \"turn_number\": $TURN_NUMBER}" \
+    --connect-timeout 1 \
+    --max-time 2 >/dev/null 2>&1 &
+fi
+
+exit 0