@event4u/agent-config 1.19.0 → 1.21.0

package/scripts/schemas/rule.schema.json

@@ -26,18 +26,67 @@
     },
     "load_context": {
       "type": "array",
-      "items": {"type": "string", "pattern": "\\.md$"},
-      "description": "Lazy on-demand context references. Path rules and budget caps enforced by scripts/lint_load_context.py. Contract: docs/contracts/load-context-schema.md."
+      "items": {
+        "type": "string",
+        "pattern": "^((\\.\\./)*contexts/|agents/contexts/|\\.agent-src/contexts/)[^\\s]+\\.md$",
+        "description": "Logical name (preferred — `contexts/<area>/<file>.md`) or project-local (`agents/contexts/<file>.md`). The `.agent-src.uncompressed/` prefix is rejected by the regex; the rewriter (`scripts/compress.py::_rewrite_paths`) resolves logical names at compress time. Rewritten relative forms (`../contexts/...`, `../../contexts/...`) are accepted so the linter passes on the compressed mirror in CI."
+      },
+      "description": "Lazy on-demand context references. Use logical names rooted at the source (e.g. `contexts/execution/foo.md`); the `.agent-src.uncompressed/` prefix is forbidden by the regex (road-to-path-fixes.md P5.3). Path rules and budget caps enforced by scripts/lint_load_context.py. Contract: docs/contracts/load-context-schema.md."
     },
     "load_context_eager": {
       "type": "array",
-      "items": {"type": "string", "pattern": "\\.md$"},
-      "description": "Eager auto-loaded context references. Counts against the per-rule char budget; enforced by scripts/lint_load_context.py."
+      "items": {
+        "type": "string",
+        "pattern": "^((\\.\\./)*contexts/|agents/contexts/|\\.agent-src/contexts/)[^\\s]+\\.md$",
+        "description": "Same logical-name rule as `load_context`."
+      },
+      "description": "Eager auto-loaded context references. Same logical-name rule as `load_context`. Counts against the per-rule char budget; enforced by scripts/lint_load_context.py."
     },
     "tier": {
       "type": "string",
-      "enum": ["1", "2a", "2b", "3", "safety-floor", "mechanical-already"],
-      "description": "Hardening tier per road-to-rule-hardening.md. Optional today, recommended for new rules. Tracked in agents/contexts/rule-trigger-matrix.md. Tier 3 rules also referenced in agents/contexts/tier-3-dispositions.md."
+      "enum": ["1", "2a", "2b", "3", "safety-floor", "mechanical-already", "kernel", "tier-1", "tier-2"],
+      "description": "Hardening tier. Legacy values (1/2a/2b/3/safety-floor/mechanical-already) accepted; new router-canonical values (kernel/tier-1/tier-2) introduced by road-to-kernel-and-router.md Phase 4."
+    },
+    "triggers": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "properties": {
+          "keyword": {"type": "string"},
+          "phrase": {"type": "string"},
+          "intent": {"type": "string"},
+          "file_pattern": {"type": "string"},
+          "path_prefix": {"type": "string", "description": "Literal path-prefix match pattern the host evaluates against the file the agent is editing — NOT a file reference. The rewriter leaves it verbatim. Source-of-truth rules that must fire on edits under `.agent-src.uncompressed/` keep that prefix here (the prefix ban applies only to `load_context:` and body links — see road-to-path-fixes.md P2.2 / AI-Council 2026-05-06)."},
+          "command": {"type": "string"},
+          "reason": {"type": "string"}
+        }
+      },
+      "description": "Router activation triggers (Phase 3 of road-to-kernel-and-router.md). Forbidden on kernel rules, required on non-kernel rules. Schema: docs/contracts/rule-router.md."
+    },
+    "routes_to": {
+      "type": "array",
+      "items": {"type": "string", "pattern": "^(skill|guideline|command|contract):"},
+      "description": "Router targets (skill / guideline / command / contract). Forbidden on kernel rules. Schema: docs/contracts/rule-router.md."
+    },
+    "profile": {
+      "type": "string",
+      "enum": ["minimal", "balanced", "full"],
+      "description": "Optional profile override; rare. Tier-derived default applies otherwise."
+    },
+    "validator_ignore": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["type", "pattern"],
+        "properties": {
+          "type": {"type": "string", "enum": ["substring", "regex"]},
+          "pattern": {"type": "string", "minLength": 1},
+          "reason": {"type": "string", "description": "Human-readable rationale for the suppression — surfaced in audit logs."}
+        }
+      },
+      "description": "Per-rule allowlist consumed by the post-compression validator (scripts/check_compressed_paths.py). Rules that document forbidden path substrings as their subject matter (e.g. augment-portability, no-roadmap-references) declare the literal strings here so the gate does not flag itself. road-to-path-fixes.md P5.1."
     }
   }
 }

package/scripts/schemas/skill.schema.json

@@ -37,6 +37,11 @@
         "pattern": "^[a-z][a-z0-9-]*$"
       }
     },
+    "tier": {
+      "type": "string",
+      "enum": ["senior"],
+      "description": "Optional tier marker. `senior` opts the skill into the Senior-Tier Required Structure check (Context-First lead, Related Skills, Proactive Triggers, Output Artifacts) per .agent-src.uncompressed/rules/skill-quality.md."
+    },
     "execution": {
       "type": "object",
       "additionalProperties": false,

package/scripts/skill_linter.py

@@ -99,6 +99,17 @@ TYPE_PATTERN = re.compile(r'^type:\s*"?(always|auto)"?\s*$', re.MULTILINE)
 SOURCE_PATTERN = re.compile(r'^source:\s*"?(package|project)"?\s*$', re.MULTILINE)
 STATUS_PATTERN = re.compile(r'^status:\s*"?(active|deprecated|superseded)"?\s*$', re.MULTILINE)
 REPLACED_BY_PATTERN = re.compile(r'^replaced_by:\s*"?([\w-]+)"?\s*$', re.MULTILINE)
+TIER_PATTERN = re.compile(r'^tier:\s*"?([\w-]+)"?\s*$', re.MULTILINE)
+
+# --- Senior-tier required-block patterns (skill-quality.md § Senior-Tier Required Structure) ---
+# Heading-only checks; detail-shape lives in skill-quality-mechanics.md.
+SENIOR_RELATED_SKILLS_PATTERN = re.compile(r"^##\s+Related Skills\s*$", re.MULTILINE)
+SENIOR_RELATED_WHEN_PATTERN = re.compile(r"\*\*WHEN to use this\*\*", re.IGNORECASE)
+SENIOR_RELATED_WHEN_NOT_PATTERN = re.compile(r"\*\*WHEN NOT to use this\*\*", re.IGNORECASE)
+SENIOR_PROACTIVE_PATTERN = re.compile(
+    r"^##\s+When the agent should load this\s*$", re.MULTILINE
+)
+SENIOR_OUTPUT_PATTERN = re.compile(r"^##\s+Output\s*$", re.MULTILINE)
 H1_PATTERN = re.compile(r"^# .+", re.MULTILINE)
 DOUBLE_BLANK_PATTERN = re.compile(r"\n{3,}")
 
@@ -106,6 +117,17 @@ VALID_RULE_TYPES = {"always", "auto"}
 VALID_RULE_SOURCES = {"package", "project"}
 VALID_STATUSES = {"active", "deprecated", "superseded"}
 
+# --- Router schema (docs/contracts/rule-router.md) ---
+ROUTER_ALLOWED_TRIGGER_KEYS = {"keyword", "phrase", "intent", "file_pattern",
+                               "path_prefix", "command"}
+ROUTER_ALLOWED_PROFILES = {"minimal", "balanced", "full"}
+KERNEL_RULE_IDS: set[str] = {
+    "agent-authority", "ask-when-uncertain", "commit-policy",
+    "direct-answers", "language-and-tone", "no-cheap-questions",
+    "non-destructive-by-default", "scope-control",
+    "verify-before-complete",
+}
+
 # --- Runtime execution metadata constants ---
 VALID_EXECUTION_TYPES = {"manual", "assisted", "automated"}
 VALID_EXECUTION_HANDLERS = {"none", "shell", "php", "node", "internal"}
@@ -209,6 +231,42 @@ def extract_sections(text: str) -> set[str]:
     return {match.group(1).strip() for match in SECTION_PATTERN.finditer(text)}
 
 
+def _count_code_blocks(text: str) -> int:
+    """Return the number of fenced code blocks (``` … ```) in *text*."""
+    fence_count = 0
+    for line in text.splitlines():
+        stripped = line.lstrip()
+        if stripped.startswith("```"):
+            fence_count += 1
+    return fence_count // 2
+
+
+def _fenced_content_ratio(text: str) -> float:
+    """Return the fraction of non-empty lines that sit inside fenced blocks.
+
+    Used as a structural signal: rules / files dominated by verbatim Iron-Law
+    blocks or worked examples score high and are exempted from raw line-count
+    warnings (council review 2026-05-06).
+    """
+    inside = False
+    fenced_lines = 0
+    non_empty = 0
+    for line in text.splitlines():
+        stripped = line.strip()
+        if stripped.startswith("```"):
+            inside = not inside
+            if stripped:
+                non_empty += 1
+            continue
+        if stripped:
+            non_empty += 1
+            if inside:
+                fenced_lines += 1
+    if non_empty == 0:
+        return 0.0
+    return fenced_lines / non_empty
+
+
 def extract_description(text: str) -> Optional[str]:
     frontmatter = FRONTMATTER_PATTERN.search(text)
     if not frontmatter:
@@ -415,6 +473,11 @@ def lint_skill(path: Path, text: str) -> LintResult:
         if execution is not None:
             issues.extend(lint_execution_metadata(execution))
 
+        # --- Senior-tier required-block check (skill-quality.md § Senior-Tier Required Structure) ---
+        tier_match = TIER_PATTERN.search(frontmatter)
+        if tier_match and tier_match.group(1) == "senior":
+            issues.extend(lint_senior_tier_blocks(text))
+
     procedure_block = find_procedure_block(text)
     if procedure_block is not None:
         if not procedure_block:
@@ -479,8 +542,12 @@ def lint_skill(path: Path, text: str) -> LintResult:
             suggestions.append("Add a requirement-checking or validation step before implementation")
 
     # --- Size check (see guidelines/agent-infra/size-and-scope.md) ---
+    # Threshold raised from 300 → 400 (council review 2026-05-06): reference-rich
+    # skills (quality-tools 411, ai-council 399, project-analyzer 341) legitimately
+    # exceed 300 lines without being split-candidates. Structural follow-up tracked
+    # in agents/roadmaps/road-to-structural-linter-reform.md.
     total_lines = len(text.splitlines())
-    if total_lines > 300:
+    if total_lines > 400:
         issues.append(Issue("warning", "skill_too_large", f"Skill has {total_lines} lines; review for split (see size-and-scope guideline)"))
 
     # --- Pointer-only / guideline-dependent skill detection ---
@@ -537,6 +604,131 @@ def extract_frontmatter(text: str) -> Optional[str]:
     return match.group(1) if match else None
 
 
+def _parse_yaml_list(frontmatter: str, key: str) -> Optional[list]:
+    """Parse a simple top-level YAML list `key:` from frontmatter.
+
+    Supports the two shapes we emit in rule frontmatter:
+      triggers:
+        - keyword: "foo"
+        - phrase: "bar baz"
+      routes_to:
+        - skill:php-coder
+        - guideline:agent-infra/asking-and-brevity-examples
+
+    Returns ``None`` if the key is absent (so the caller can distinguish
+    "missing" from "empty"); returns ``[]`` for an explicitly empty list.
+    """
+    lines = frontmatter.splitlines()
+    out: list = []
+    in_block = False
+    for line in lines:
+        if not in_block:
+            if line.startswith(f"{key}:"):
+                rhs = line[len(key) + 1:].strip()
+                if rhs in ("", "[]"):
+                    if rhs == "[]":
+                        return []
+                    in_block = True
+                else:
+                    return None  # unexpected scalar shape
+            continue
+        if line.startswith("  - "):
+            item = line[4:].strip()
+            if ":" in item and not item.startswith(("'", '"')):
+                k, _, v = item.partition(":")
+                out.append({k.strip(): v.strip().strip('"').strip("'")})
+            else:
+                out.append(item.strip('"').strip("'"))
+        elif line.strip() == "" or line.startswith("    "):
+            continue
+        else:
+            break
+    return out if in_block else None
+
+
+def lint_router_frontmatter(rule_id: str, frontmatter: str,
+                             rule_type: Optional[str]) -> List[Issue]:
+    """Validate `triggers:` / `routes_to:` per docs/contracts/rule-router.md.
+
+    Strict checks (always errors): kernel rules MUST NOT carry router fields;
+    `triggers:` items must use one allowed key; `routes_to:` items must
+    follow `kind:id` with kind ∈ {skill, guideline} and the target file
+    must exist on disk.
+
+    Lenient checks (info-level until Phase 4 migrations land): non-kernel
+    rules without `triggers:` / `routes_to:` get an informational note,
+    not an error — the existing description-matching path still works.
+    """
+    issues: List[Issue] = []
+    triggers = _parse_yaml_list(frontmatter, "triggers")
+    routes_to = _parse_yaml_list(frontmatter, "routes_to")
+
+    is_kernel = rule_id in KERNEL_RULE_IDS or rule_type == "always"
+
+    if is_kernel:
+        if triggers is not None:
+            issues.append(Issue("error", "kernel_has_triggers",
+                "Kernel rules MUST NOT declare triggers: (kernel is unconditional)"))
+        if routes_to is not None:
+            issues.append(Issue("error", "kernel_has_routes_to",
+                "Kernel rules MUST NOT declare routes_to: (kernel body stays inline)"))
+        return issues
+
+    # Non-kernel rule path
+    if triggers is None:
+        issues.append(Issue("info", "router_triggers_missing",
+            "Non-kernel rule has no triggers: — falls back to description matching "
+            "until Phase 4 migration lands"))
+    else:
+        for idx, item in enumerate(triggers):
+            if not isinstance(item, dict) or len(item) != 1:
+                issues.append(Issue("error", "trigger_shape_invalid",
+                    f"triggers[{idx}] must be a single-key mapping"))
+                continue
+            (k,) = item.keys()
+            if k not in ROUTER_ALLOWED_TRIGGER_KEYS:
+                allowed = ", ".join(sorted(ROUTER_ALLOWED_TRIGGER_KEYS))
+                issues.append(Issue("error", "trigger_key_unknown",
+                    f"triggers[{idx}] key '{k}' not in allowed set ({allowed})"))
+
+    if routes_to is None:
+        issues.append(Issue("info", "router_routes_to_missing",
+            "Non-kernel rule has no routes_to: — body should migrate to skill / "
+            "guideline in Phase 4"))
+    else:
+        repo_root = Path(__file__).resolve().parent.parent
+        for idx, item in enumerate(routes_to):
+            if not isinstance(item, str) or ":" not in item:
+                issues.append(Issue("error", "route_shape_invalid",
+                    f"routes_to[{idx}] must be 'kind:id'"))
+                continue
+            kind, _, target_id = item.partition(":")
+            if kind == "skill":
+                target = repo_root / ".agent-src.uncompressed" / "skills" / target_id / "SKILL.md"
+            elif kind == "guideline":
+                target = repo_root / "docs" / "guidelines" / f"{target_id}.md"
+            elif kind == "command":
+                target = repo_root / ".agent-src.uncompressed" / "commands" / f"{target_id}.md"
+            elif kind == "contract":
+                # Contracts live in two places: stable host docs in
+                # docs/contracts/ and load-bearing flows in
+                # .agent-src.uncompressed/contexts/contracts/ (road-to-path-fixes
+                # P4 / Council R2). Try both before failing.
+                target = repo_root / "docs" / "contracts" / f"{target_id}.md"
+                if not target.exists():
+                    alt = repo_root / ".agent-src.uncompressed" / "contexts" / "contracts" / f"{target_id}.md"
+                    if alt.exists():
+                        target = alt
+            else:
+                issues.append(Issue("error", "route_kind_unknown",
+                    f"routes_to[{idx}] kind '{kind}' must be 'skill', 'guideline', 'command', or 'contract'"))
+                continue
+            if not target.exists():
+                issues.append(Issue("error", "route_target_missing",
+                    f"routes_to[{idx}] target '{item}' not found at {target}"))
+    return issues
+
+
 def extract_frontmatter_field(frontmatter: str, pattern: re.Pattern[str]) -> Optional[str]:
     match = pattern.search(frontmatter)
     return match.group(1).strip() if match else None
@@ -603,6 +795,57 @@ def parse_execution_block(frontmatter: str) -> Optional[dict]:
     return result
 
 
+def lint_senior_tier_blocks(text: str) -> List[Issue]:
+    """Validate the four required blocks for `tier: senior` skills.
+
+    Per .agent-src.uncompressed/rules/skill-quality.md § Senior-Tier
+    Required Structure: Context-First lead (description), Related Skills
+    (with WHEN / WHEN NOT lists), Proactive Triggers, Output Artifacts.
+
+    The Context-First lead is checked structurally via description length
+    + content; here we enforce the three section blocks and the WHEN /
+    WHEN NOT two-list pattern inside Related Skills.
+    """
+    issues: List[Issue] = []
+
+    if not SENIOR_RELATED_SKILLS_PATTERN.search(text):
+        issues.append(Issue(
+            "error",
+            "missing_senior_related_skills",
+            "Senior-tier skill missing `## Related Skills` block (skill-quality.md § Senior-Tier Required Structure)",
+        ))
+    else:
+        related_block = extract_section_block(text, "Related Skills") or ""
+        if not SENIOR_RELATED_WHEN_PATTERN.search(related_block):
+            issues.append(Issue(
+                "error",
+                "missing_senior_related_when",
+                "Senior-tier `## Related Skills` block missing `**WHEN to use this**` list",
+            ))
+        if not SENIOR_RELATED_WHEN_NOT_PATTERN.search(related_block):
+            issues.append(Issue(
+                "error",
+                "missing_senior_related_when_not",
+                "Senior-tier `## Related Skills` block missing `**WHEN NOT to use this**` list",
+            ))
+
+    if not SENIOR_PROACTIVE_PATTERN.search(text):
+        issues.append(Issue(
+            "error",
+            "missing_senior_proactive_triggers",
+            "Senior-tier skill missing `## When the agent should load this` block",
+        ))
+
+    if not SENIOR_OUTPUT_PATTERN.search(text):
+        issues.append(Issue(
+            "error",
+            "missing_senior_output_artifacts",
+            "Senior-tier skill missing `## Output` block declaring artifact name + shape",
+        ))
+
+    return issues
+
+
 def lint_execution_metadata(execution: dict) -> List[Issue]:
     """Validate the execution block of a skill."""
     issues: List[Issue] = []
@@ -734,6 +977,9 @@ def lint_rule(path: Path, text: str) -> LintResult:
                                     f"Always-rule with topic-specific description ({', '.join(topic_keywords)}) — "
                                     f"consider auto type per rule-type-governance"))
 
+        # Router schema validation (docs/contracts/rule-router.md, Phase 3.3).
+        issues.extend(lint_router_frontmatter(path.stem, frontmatter, rule_type))
+
     # --- Structure checks ---
     # H1 heading
     if not H1_PATTERN.search(text):
@@ -750,14 +996,18 @@ def lint_rule(path: Path, text: str) -> LintResult:
         issues.append(Issue("warning", "double_blank_lines", "File contains double or triple blank lines"))
 
     # --- Content checks (see guidelines/agent-infra/size-and-scope.md) ---
+    # Length thresholds gated by fenced-content density (council review 2026-05-06):
+    # rules dominated by verbatim Iron-Law blocks / worked examples are protected
+    # from the > 40 / > 60 warnings. Hard error at 200 stays unconditional.
     line_count = len([line for line in text.splitlines() if line.strip()])
     total_lines = len(text.splitlines())
+    fenced_ratio = _fenced_content_ratio(text)
     if total_lines > 200:
         issues.append(Issue("error", "rule_too_large", f"Rule has {total_lines} lines (hard limit: 200); must split or move to guideline"))
-    elif line_count > 60:
-        issues.append(Issue("warning", "long_rule", f"Rule has {line_count} non-empty lines; prefer < 60 (see size-and-scope guideline)"))
-    elif line_count > 40:
-        issues.append(Issue("warning", "long_rule", f"Rule has {line_count} non-empty lines; rules should be concise"))
+    elif line_count > 60 and fenced_ratio < 0.30:
+        issues.append(Issue("warning", "long_rule", f"Rule has {line_count} non-empty lines (fenced-content {fenced_ratio:.0%}); prefer < 60 (see size-and-scope guideline)"))
+    elif line_count > 40 and fenced_ratio < 0.30:
+        issues.append(Issue("warning", "long_rule", f"Rule has {line_count} non-empty lines (fenced-content {fenced_ratio:.0%}); rules should be concise"))
 
     for bad_sign in RULE_BAD_SIGNS:
         if bad_sign in text:
@@ -902,9 +1152,16 @@ def lint_command(path: Path, text: str) -> LintResult:
         issues.append(Issue("warning", "no_steps", "Command has no Steps section or numbered sub-headings"))
 
     # --- Size check (see guidelines/agent-infra/size-and-scope.md) ---
+    # Word threshold (1000) gated by structural delegation signal (council review
+    # 2026-05-06): well-factored orchestrators with ≥ 5 sub-sections AND ≥ 3 code
+    # blocks are exempt — the size reflects dispatch breadth, not bloat.
     word_count = len(text.split())
     if word_count > 1000:
-        issues.append(Issue("warning", "large_command", f"Command has {word_count} words (target: 200-600, max ~1000)"))
+        section_count = len(sections)
+        code_block_count = _count_code_blocks(text)
+        delegation_signal = section_count >= 5 and code_block_count >= 3
+        if not delegation_signal:
+            issues.append(Issue("warning", "large_command", f"Command has {word_count} words (target: 200-600, max ~1000); {section_count} sub-sections, {code_block_count} code blocks — lacks delegation structure"))
 
     # File must end with exactly one newline
     if not text.endswith("\n"):
@@ -1656,6 +1913,70 @@ def lint_governance(path: Path, text: str, artifact_type: str, repo_root: Path |
     return issues
 
 
+# --- Structural malice check (see road-to-suite-closure Phase 5) ---
+#
+# Five regex patterns scan skill / rule / command bodies for **structural**
+# (not semantic) malice. Findings surface as ``Issue("error",
+# "malice:<pattern>", "<line>:<matched>")`` so ``compute_exit_code`` can
+# emit exit code 3 (security-failure), distinct from 2 (build-failure).
+# Semantic checks (PII leakage, prompt injection) are deferred to v2.
+
+# (a) credential exfil — curl|wget piping ${TOKEN}/${KEY}/${SECRET}/...
+#     env vars or hitting ~/.aws/ ~/.ssh/ secrets.
+_MALICE_CRED_EXFIL = re.compile(
+    r"\b(?:curl|wget)\b[^\n]*"
+    r"(?:\$\{?[A-Z_]*(?:TOKEN|KEY|SECRET|PASSWORD|CREDENTIAL|API)[A-Z_]*\}?"
+    r"|~/\.(?:aws|ssh)/)"
+)
+# (b) arbitrary execution — eval/exec over a network-fetched payload, or
+#     `bash <(curl ...)` / `sh <(wget ...)` style remote-execution.
+_MALICE_REMOTE_EXEC = re.compile(
+    r"(?:\b(?:eval|exec)\s*\([^)]*(?:curl|wget|requests\.get|urllib)"
+    r"|\b(?:bash|sh|zsh)\s*<\s*\(\s*(?:curl|wget))"
+)
+# (c) force-push to a protected ref.
+_MALICE_FORCE_PUSH = re.compile(
+    r"\bgit\s+push\b[^\n]*--force(?:-with-lease)?\b[^\n]*"
+    r"\b(?:main|master|prod|production|release)\b"
+)
+# (d) world-readable secrets — chmod 0?[4567]xx on .pem/.key/.env files.
+_MALICE_CHMOD_SECRETS = re.compile(
+    r"\bchmod\s+0?[4567]\d{2}\s+[^\n]*\.(?:pem|key|env)\b"
+)
+# (e) unbounded subprocess shell injection — shell=True interpolating ${VAR}.
+_MALICE_SHELL_INJECT = re.compile(
+    r"\bsubprocess\.[A-Za-z_]+\s*\([^)]*shell\s*=\s*True[^)]*\$\{"
+)
+
+_MALICE_PATTERNS: list[tuple[str, re.Pattern[str]]] = [
+    ("cred_exfil", _MALICE_CRED_EXFIL),
+    ("remote_exec", _MALICE_REMOTE_EXEC),
+    ("force_push_protected", _MALICE_FORCE_PUSH),
+    ("chmod_secrets", _MALICE_CHMOD_SECRETS),
+    ("shell_injection", _MALICE_SHELL_INJECT),
+]
+
+
+def check_structural_malice(text: str) -> List[Issue]:
+    """Return one Issue per malice match. Empty list when clean.
+
+    Issue shape: ``Issue("error", f"malice:{name}", f"{line}:{matched}")``.
+    The ``format_text`` renderer special-cases the ``malice:`` code prefix
+    to emit ``<path>:<line>:malice:<pattern>:<matched>`` per Phase 5.2.
+    """
+    issues: List[Issue] = []
+    for lineno, raw in enumerate(text.splitlines(), start=1):
+        for name, pattern in _MALICE_PATTERNS:
+            match = pattern.search(raw)
+            if match:
+                issues.append(Issue(
+                    severity="error",
+                    code=f"malice:{name}",
+                    message=f"{lineno}:{match.group(0).strip()}",
+                ))
+    return issues
+
+
 # --- Output-schema check (see road-to-trigger-evals Phase 3.5) ---
 #
 # Skills that freeze an output shape (`refine-ticket`, `estimate-ticket`)
@@ -1865,11 +2186,36 @@ def lint_file(path: Path, repo_root: Path | None = None) -> LintResult:
             result.issues.extend(schema_issues)
             result.status = classify_status(result.issues)
 
+    # Post-processing: structural malice scan (errors). Skills, rules,
+    # and commands carry executable patterns; guidelines/personas are
+    # prose-only and skipped to keep noise low.
+    if artifact_type in ("skill", "rule", "command"):
+        malice_issues = check_structural_malice(text)
+        if malice_issues:
+            result.issues.extend(malice_issues)
+            result.status = classify_status(result.issues)
+
     return result
 
 
 def format_text(results: list[LintResult]) -> str:
     lines: list[str] = []
+    # Phase 5.2: malice findings render in the spec shape
+    # ``<path>:<line>:malice:<pattern>:<matched>`` ahead of the badge
+    # block so security-failures are grep-able from the top.
+    malice_total = 0
+    for result in results:
+        for issue in result.issues:
+            if issue.code.startswith("malice:"):
+                pattern_name = issue.code.split(":", 1)[1]
+                lineno, _, matched = issue.message.partition(":")
+                lines.append(
+                    f"{result.file}:{lineno}:malice:{pattern_name}:{matched}"
+                )
+                malice_total += 1
+    if malice_total:
+        lines.append("")
+
     for result in results:
         badge = {"pass": "[PASS]", "pass_with_warnings": "[WARN]", "fail": "[FAIL]"}[result.status]
         lines.append(f"{badge} {result.file} ({result.artifact_type})")
@@ -1888,7 +2234,8 @@ def format_text(results: list[LintResult]) -> str:
     fails = sum(1 for r in results if r.status == "fail")
     warns = sum(1 for r in results if r.status == "pass_with_warnings")
     passes = sum(1 for r in results if r.status == "pass")
-    lines.append(f"Summary: {passes} pass, {warns} warn, {fails} fail, {total} total")
+    suffix = f", {malice_total} malice" if malice_total else ""
+    lines.append(f"Summary: {passes} pass, {warns} warn, {fails} fail, {total} total{suffix}")
     return "\n".join(lines)
 
 
@@ -2087,6 +2434,11 @@ def check_duplication(root: Path) -> list[LintResult]:
 
 
 def compute_exit_code(results: list[LintResult], strict_warnings: bool) -> int:
+    # Phase 5.2: structural-malice findings emit exit code 3 (security-
+    # failure), distinct from 2 (build-failure) so CI surfaces can split.
+    for r in results:
+        if any(issue.code.startswith("malice:") for issue in r.issues):
+            return 3
     if any(r.status == "fail" for r in results):
         return 2
     if any(r.status == "pass_with_warnings" for r in results) and strict_warnings:

package/scripts/smoke_path_resolution.py

@@ -0,0 +1,93 @@
+#!/usr/bin/env python3
+"""Smoke-test path resolution against the package's own `.augment/` projection.
+
+Per `agents/roadmaps/road-to-path-fixes.md` Phase 7 (Council Decision 3,
+2026-05-06): the package's `.augment/` tree has the same shape as the
+`.augment/` tree a consumer would receive after `scripts/install.sh`.
+If `load_context:` entries resolve cleanly here, they resolve cleanly
+in any consumer.
+
+What it does:
+  - Walks `.augment/rules/*.md`.
+  - Parses each rule's YAML frontmatter.
+  - Resolves every `load_context:` and `load_context_eager:` entry
+    against the rule file's directory.
+  - Reports any miss with a file:entry line.
+
+Exit codes: 0 = all entries resolve, 1 = one or more misses, 3 = no
+`.augment/rules/` directory found (run `task sync` first).
+"""
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+
+import yaml
+
+ROOT = Path(__file__).resolve().parent.parent
+AUGMENT_RULES = ROOT / ".augment" / "rules"
+
+
+def _split_frontmatter(text: str):
+    if not text.startswith("---\n"):
+        return None
+    end = text.find("\n---\n", 4)
+    if end == -1:
+        return None
+    try:
+        fm = yaml.safe_load(text[4:end])
+    except yaml.YAMLError:
+        return None
+    return fm if isinstance(fm, dict) else {}
+
+
+def _check_rule(rule_file: Path, misses: list[tuple[str, str]]) -> int:
+    fm = _split_frontmatter(rule_file.read_text(encoding="utf-8"))
+    if not fm:
+        return 0
+    checked = 0
+    rule_dir = rule_file.parent
+    for key in ("load_context", "load_context_eager"):
+        entries = fm.get(key) or []
+        if not isinstance(entries, list):
+            continue
+        for entry in entries:
+            if not isinstance(entry, str):
+                continue
+            checked += 1
+            target = (rule_dir / entry).resolve()
+            if not target.is_file():
+                misses.append((str(rule_file.relative_to(ROOT)), entry))
+    return checked
+
+
+def main() -> int:
+    if not AUGMENT_RULES.is_dir():
+        print(
+            f"❌  {AUGMENT_RULES.relative_to(ROOT)} not found — run `task sync` first",
+            file=sys.stderr,
+        )
+        return 3
+
+    misses: list[tuple[str, str]] = []
+    rule_count = 0
+    entry_count = 0
+    for rule_file in sorted(AUGMENT_RULES.glob("*.md")):
+        rule_count += 1
+        entry_count += _check_rule(rule_file, misses)
+
+    if misses:
+        print(f"❌  {len(misses)} unresolved load_context entr(y/ies):")
+        for rule, entry in misses:
+            print(f"    {rule} → {entry!r}")
+        return 1
+
+    print(
+        f"✅  smoke-path-resolution clean "
+        f"({rule_count} rules, {entry_count} load_context entr(y/ies) resolved)"
+    )
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())