@event4u/agent-config 6.0.0 → 6.1.0

package/src/scripts/check_memory.py

@@ -50,8 +50,8 @@ REQUIRED_KEYS = {
 VALID_STATUS = {"active", "deprecated", "archived"}
 VALID_CONFIDENCE = {"low", "medium", "high"}
 # `priority` is optional (default `normal`); enum is the smallest set that
-# solves the tier-0 surfacing use case. See `road-to-dream-skill-adoption.md`
-# § B2 and the Phase 2 council brief for why the `high` tier was rejected.
+# solves the tier-0 surfacing use case. See the Phase 2 council brief for why
+# the `high` tier was rejected.
 VALID_PRIORITY = {"critical", "normal", "low"}
 # Soft-cap on `priority: critical` entries per memory type. Tier-0 inflation
 # is the failure mode: when too many entries claim "always surface", the
@@ -63,10 +63,29 @@ CRITICAL_WARN_THRESHOLD = 10
 # from the generic `stale:` info so reviewers see it before merge.
 CRITICAL_STALE_DAYS = 90
 KNOWN_TYPES = {
-    "domain-invariants", "architecture-decisions",
-    "incident-learnings", "product-rules",
+    "domain-invariants", "incident-learnings", "product-rules",
 }
 
+# Per-type soft entry cap (size-bounding without a decay engine). Over-cap →
+# warning, never a hard fail: the right answer to bloat is a consolidation pass
+# (prune archived, merge duplicates), not CI failure. See
+# road-to-memory-pipeline-consolidation.md Phase 7.
+PER_TYPE_CAPS = {
+    "ownership": 50,
+    "domain-invariants": 150,
+    "product-rules": 100,
+    "incident-learnings": 150,
+    "historical-patterns": 150,
+}
+DEFAULT_TYPE_CAP = 150
+# One-durable-fact-per-entry: a content field longer than this reads as a
+# transcript / narrative blob, not a single durable fact → warning.
+ONE_FACT_MAX_CHARS = 600
+ONE_FACT_FIELDS = ("rule", "pattern", "statement", "observation",
+                   "body", "decision", "note")
+# Per-type entry tally, populated during validation, consumed by main().
+_TYPE_COUNTS: dict = {}
+
 # Redaction heuristics — plain-regex, deliberately conservative.
 # False positives are fixed by quoting the line differently; false
 # negatives are a curator responsibility.
@@ -85,7 +104,7 @@ REDACTION_PATTERNS = [
 # Date-discipline — relative-date phrases without an ISO YYYY-MM-DD anchor
 # within ±20 chars are rejected. Memory entries that say "yesterday" or
 # "last week" rot the moment the file is re-read on another day; the
-# anchor pins meaning. See `road-to-dream-skill-adoption.md` § A5.
+# anchor pins meaning.
 RELATIVE_DATE_PATTERN = re.compile(
     r"(?i)\b(yesterday|today|tomorrow|"
     r"last\s+(?:week|month|year)|"
@@ -186,11 +205,26 @@ def _validate_entry(
                 str(path), 0, "warning",
                 f"critical-stale: last_validated {crit_age} days ago "
                 f"(critical SLA is {CRITICAL_STALE_DAYS} days)", eid))
+    # One-durable-fact-per-entry: reject transcript/narrative blobs. A single
+    # content field over ONE_FACT_MAX_CHARS is the bloat signal.
+    for fld in ONE_FACT_FIELDS:
+        val = entry.get(fld)
+        if isinstance(val, str) and len(val) > ONE_FACT_MAX_CHARS:
+            findings.append(Finding(
+                str(path), 0, "warning",
+                f"one-fact: `{fld}` is {len(val)} chars (limit "
+                f"{ONE_FACT_MAX_CHARS}) — split into separate durable facts, "
+                f"not a narrative blob", eid))
+            break
     # Tier-0 inflation tracking — increment per memory type. The aggregate
     # warning is emitted in main() after all files are validated.
     if critical_counts is not None and priority == "critical" and entry.get("status") == "active":
         mtype = _memory_type(path)
         critical_counts[mtype] = critical_counts.get(mtype, 0) + 1
+    # Per-type entry-count tracking — aggregate cap warning in main().
+    if critical_counts is not None:
+        mt = _memory_type(path)
+        _TYPE_COUNTS[mt] = _TYPE_COUNTS.get(mt, 0) + 1
 
 
 def _check_redaction(path: Path, findings: List[Finding]):
@@ -326,59 +360,6 @@ def _check_append_only(base: Optional[str], findings: List[Finding]) -> None:
                                         f"line(s) removed or modified (ref={ref})"))
 
 
-def _shadow_report(fmt: str) -> int:
-    """Report per-type shadow counts from the conflict rule.
-
-    Ships today as scaffolding: without a wired operational backend the
-    counts are all zero (there is nothing on the operational side to
-    suppress). Once agent-memory is present locally, re-running this
-    command will surface real shadows under the same shape — so the
-    downstream consumer (dashboards, weekly cron) never changes.
-    """
-    # Inline import so `check_memory.py` stays importable when someone
-    # runs it on a tree without scripts/ on sys.path (e.g., packaging).
-    sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
-    from scripts.memory_lookup import CURATED_TYPES, RetrievalResult, retrieve
-
-    per_type: dict = {}
-    total_shadows = 0
-    for mtype in sorted(CURATED_TYPES):
-        result = retrieve(types=[mtype], keys=[], limit=1000, with_shadows=True)
-        assert isinstance(result, RetrievalResult)
-        per_type[mtype] = {
-            "hits": len(result.hits),
-            "shadows": len(result.shadows),
-        }
-        total_shadows += len(result.shadows)
-
-    # Best-effort backend-status probe — avoid a hard dependency on
-    # memory_status.py in case it is absent.
-    backend = "unknown"
-    try:
-        from scripts.memory_status import status as _memory_status  # type: ignore
-        backend = _memory_status().status
-    except Exception:  # noqa: BLE001
-        pass
-
-    if fmt == "json":
-        print(json.dumps({
-            "backend": backend,
-            "total_shadows": total_shadows,
-            "per_type": per_type,
-        }, indent=2))
-        return 0
-
-    print(f"Shadow report — backend: {backend}")
-    print(f"  Total operational entries shadowed: {total_shadows}")
-    for mtype, stats in per_type.items():
-        print(f"    {mtype:25s}  hits={stats['hits']:>4}  "
-              f"shadows={stats['shadows']}")
-    if backend == "absent":
-        print("\n  ℹ️  operational backend absent — shadow counts will "
-              "stay zero until @event4u/agent-memory is installed.")
-    return 0
-
-
 def main() -> int:
     ap = argparse.ArgumentParser(description=__doc__)
     ap.add_argument("--path", default="agents/memory", help="Root path to scan")
@@ -388,12 +369,7 @@ def main() -> int:
                          "via git diff against the base ref")
     ap.add_argument("--base", default=None,
                     help="Base ref for --append-only (default: GITHUB_BASE_REF or origin/main)")
-    ap.add_argument("--shadow-report", action="store_true",
-                    help="Report per-type shadow counts from the repo-vs-operational "
-                         "conflict rule (observability scaffolding for weekly cron)")
     args = ap.parse_args()
-    if args.shadow_report:
-        return _shadow_report(args.format)
     root = Path(args.path)
     findings: List[Finding] = []
     if args.append_only:
@@ -408,6 +384,7 @@ def main() -> int:
             print(f"ℹ️  {root} not found — nothing to validate")
         return 0
     critical_counts: dict = {}
+    _TYPE_COUNTS.clear()
     for yml in sorted(root.rglob("*.yml")):
         _validate_file(yml, findings, critical_counts)
     # Tier-0 inflation warning — soft cap on `priority: critical` per type.
@@ -420,6 +397,15 @@ def main() -> int:
                 f"tier-0 inflation: {count} active 'priority: critical' "
                 f"entries (threshold {CRITICAL_WARN_THRESHOLD}) — review "
                 f"whether all still warrant always-surface treatment"))
+    # Per-type entry-count cap (size-bounding, Phase 7). Warn, never block —
+    # over-cap signals a consolidation pass is due (prune archived, merge dups).
+    for mtype, count in sorted(_TYPE_COUNTS.items()):
+        cap = PER_TYPE_CAPS.get(mtype, DEFAULT_TYPE_CAP)
+        if count > cap:
+            findings.append(Finding(
+                f"agents/memory/{mtype}", 0, "warning",
+                f"entry-cap: {count} entries (soft cap {cap}) — run a "
+                f"consolidation pass (prune archived, merge duplicates)"))
     return _emit(findings, args.format)
 
 

package/src/scripts/check_memory_proposal.py

@@ -36,7 +36,7 @@ from typing import Any
 INTAKE_ROOT = Path("agents/memory/intake")
 VALID_TYPES = {
     "historical-patterns", "incident-learnings", "ownership",
-    "domain-invariants", "architecture-decisions", "product-rules",
+    "domain-invariants", "product-rules",
 }
 REQUIRED_INTAKE = ("id", "entry_type", "path", "body")
 PATTERN_MIN_PATHS = 2

package/src/scripts/check_no_external_sources.py

@@ -0,0 +1,101 @@
+#!/usr/bin/env python3
+"""check_no_external_sources — block readable inspiration/harvest source names.
+
+Backstop for the source-confidentiality policy (rule: source-confidentiality;
+the 2026-06-13 sweep). Scans the **tracked** tree for a denylist of external
+inspiration / harvest / comparison source slugs so they cannot re-enter the
+repo by accident. Recommending an integrated tool is allowed; recording that
+we copied / derived / were-inspired-by a named external source is not.
+
+Carve-outs (see external_sources_denylist.json):
+- Vendored Apache/MIT code keeps its license-required attribution.
+- Recommendation/registry docs may name registries (Smithery/Glama).
+- A retained source link must be stored encrypted via
+  src/scripts/_lib/link_crypto.py, never in plaintext.
+
+Exit codes: 0 = clean, 1 = at least one denied token in a non-skipped tracked
+file, 2 = usage / config error.
+
+Usage:
+    python3 src/scripts/check_no_external_sources.py [--json]
+"""
+
+from __future__ import annotations
+
+import fnmatch
+import json
+import re
+import subprocess
+import sys
+from pathlib import Path
+
+ROOT = Path(__file__).resolve().parents[2]
+CONFIG = Path(__file__).with_name("external_sources_denylist.json")
+# Scan only text-ish files; skip binaries / lockfiles / images.
+_SKIP_EXT = {
+    ".png", ".jpg", ".jpeg", ".gif", ".webp", ".ico", ".pdf", ".zip", ".gz",
+    ".woff", ".woff2", ".ttf", ".mp3", ".mp4", ".wav", ".lock",
+}
+
+
+def _tracked_files() -> list[str]:
+    out = subprocess.run(
+        ["git", "ls-files"], cwd=ROOT, capture_output=True, text=True, check=True
+    ).stdout
+    return [line for line in out.splitlines() if line]
+
+
+def _load_config() -> dict:
+    data = json.loads(CONFIG.read_text(encoding="utf-8"))
+    if not data.get("deny"):
+        raise SystemExit("config error: empty deny list")
+    return data
+
+
+def _skipped(path: str, skip_globs: list[str]) -> bool:
+    return any(fnmatch.fnmatch(path, g) for g in skip_globs)
+
+
+def main(argv: list[str]) -> int:
+    as_json = "--json" in argv
+    cfg = _load_config()
+    patterns = [(p, re.compile(p, re.IGNORECASE)) for p in cfg["deny"]]
+    skip_globs = cfg.get("skip_paths", [])
+
+    hits: list[dict] = []
+    for rel in _tracked_files():
+        if Path(rel).suffix.lower() in _SKIP_EXT:
+            continue
+        if _skipped(rel, skip_globs):
+            continue
+        try:
+            text = (ROOT / rel).read_text(encoding="utf-8", errors="replace")
+        except (OSError, IsADirectoryError):
+            continue
+        for lineno, line in enumerate(text.splitlines(), start=1):
+            for raw, rx in patterns:
+                if rx.search(line):
+                    hits.append({"file": rel, "line": lineno, "token": raw,
+                                 "text": line.strip()[:160]})
+
+    if as_json:
+        print(json.dumps({"ok": not hits, "hits": hits}, indent=2))
+    else:
+        if hits:
+            print(f"❌  {len(hits)} external-source reference(s) in the tracked tree:\n")
+            for h in hits:
+                print(f"  {h['file']}:{h['line']}  [{h['token']}]  {h['text']}")
+            print(
+                "\nThese name an external inspiration/harvest source. Remove the name,\n"
+                "or — if a real source link must be retained — encrypt it via\n"
+                "src/scripts/_lib/link_crypto.py. Legitimate carve-outs (vendored code,\n"
+                "registry recommendations) belong in external_sources_denylist.json\n"
+                "skip_paths. See rule: source-confidentiality."
+            )
+        else:
+            print("✅  No external inspiration-source references in the tracked tree.")
+    return 1 if hits else 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main(sys.argv[1:]))

package/src/scripts/check_references.py

@@ -43,6 +43,7 @@ SKIP_DIRS = [
     "agents/roadmaps/skipped",   # skipped roadmaps — abandoned plans w/ forward-refs that never shipped
     "agents/runtime",            # volatile / machine-generated artefacts (gitignored)
     "agents/tmp",                # transient working docs (gitignored) — pr-bodies, council questions, manual-step scratchpads
+    "agents/.harvest-local",     # deliberate gitignored evidence store (source-confidentiality) — refs to it can never resolve in CI
 ]
 
 # Per-file opt-out marker. When present in the first 10 lines of a .md
@@ -117,6 +118,7 @@ EXAMPLE_PATH_PATTERNS = [
     re.compile(r"agents/proposals/"),           # consumer-project self-improvement proposals
     re.compile(r"agents/drafts/"),              # consumer-project artefact drafts
     re.compile(r"agents/\.event4u-bridge\.yml"),  # consumer-project bridge marker (ADR-020)
+    re.compile(r"agents/\.harvest-local/"),     # gitignored harvest-evidence store (source-confidentiality)
     re.compile(r"guidelines/php-"),             # flattened override naming convention
     re.compile(r"rules/no-commit"),            # example rule in commands
     re.compile(r"skills/[\w-]+\.md"),          # short skill refs in examples (not SKILL.md path)

package/src/scripts/cost_by_conversation.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-"""Group cost-tracking sessions by conversation_id (Ruflo `conversation.mjs` `5b71c7a` ref)."""
+"""Group cost-tracking sessions by conversation_id (the external runtime `conversation.mjs` `5b71c7a` ref)."""
 from __future__ import annotations
 import argparse, json, sys
 from collections import defaultdict

package/src/scripts/council_cli.py

@@ -35,13 +35,21 @@ import yaml
 # the council operates on: when invoked via the global `agent-config`
 # wrapper from a consumer project it is that project (anchor-walked from
 # CWD, or pinned via AGENT_CONFIG_PROJECT_ROOT / --root), NOT the package
-# install dir. Hardcoding the package dir here was the bug — settings and
-# `.ai-council.yml` were then read from the package (which has neither), so
-# `council:*` always refused with `ai_council.enabled is false`.
+# install dir.
+#
+# `AI_COUNCIL_FILE` is the council config the CLI reads. Resolution is
+# user-global-first (see `resolve_config_path`): an explicit
+# `$AI_COUNCIL_CONFIG` wins, else a project-local
+# `agents/settings/.ai-council.yml` if checked in, else the canonical
+# per-user `~/.event4u/agent-config/settings/.ai-council.yml`. A single developer
+# configures the council once globally and it applies in every project —
+# the project no longer needs (or should keep) its own copy.
 PACKAGE_ROOT = Path(__file__).resolve().parents[1]
 REPO_ROOT, _ = resolve_project_root(None)
 SETTINGS_FILE = project_settings_path(REPO_ROOT)
-AI_COUNCIL_FILE = REPO_ROOT / "agents" / "settings" / ".ai-council.yml"
+# `AI_COUNCIL_FILE` is resolved below, after `sys.path` is set up and
+# `resolve_config_path` is importable (it lives in `scripts.ai_council.config`,
+# which itself imports `scripts._lib`).
 
 # Canonical output dirs per ai-council § "Output path convention".
 # Enforced at write-time by `_validate_council_output_path` so shell-side
@@ -97,8 +105,14 @@ from scripts.ai_council.advisors import (  # noqa: E402
 from scripts.ai_council.cli_hints import format_install_hints  # noqa: E402
 from scripts.ai_council.config import (  # noqa: E402
     AdvisorConfig, CouncilConfig, CouncilConfigError,
-    load_council_config, resolve_api_key,
+    load_council_config, resolve_api_key, resolve_config_path,
 )
+
+# User-global-first resolution: explicit `$AI_COUNCIL_CONFIG`, else a
+# project-local `agents/settings/.ai-council.yml`, else the canonical
+# `~/.event4u/agent-config/settings/.ai-council.yml`. Computed here (not at the
+# REPO_ROOT block above) so `resolve_config_path` is importable.
+AI_COUNCIL_FILE = resolve_config_path(REPO_ROOT)  # noqa: E402
 from scripts.ai_council.solo_dispatch import (  # noqa: E402
     AuthCache, select_solo_member,
 )
@@ -517,7 +531,7 @@ def _construct_api_member(
     if name == "gemini":
         if not api_key_ref:
             raise CouncilDisabledError(
-                "member 'gemini' requires api_key_ref in agents/settings/.ai-council.yml "
+                "member 'gemini' requires api_key_ref in ~/.event4u/agent-config/settings/.ai-council.yml "
                 "(e.g. `env:GEMINI_API_KEY`) — no legacy fallback."
             )
         api_key = resolve_api_key(api_key_ref, scope="ai_council.members.gemini")
@@ -525,7 +539,7 @@ def _construct_api_member(
     if name == "xai":
         if not api_key_ref:
             raise CouncilDisabledError(
-                "member 'xai' requires api_key_ref in agents/settings/.ai-council.yml "
+                "member 'xai' requires api_key_ref in ~/.event4u/agent-config/settings/.ai-council.yml "
                 "(e.g. `env:XAI_API_KEY`) — no legacy fallback."
             )
         api_key = resolve_api_key(api_key_ref, scope="ai_council.members.xai")
@@ -533,7 +547,7 @@ def _construct_api_member(
     if name == "perplexity":
         if not api_key_ref:
             raise CouncilDisabledError(
-                "member 'perplexity' requires api_key_ref in agents/settings/.ai-council.yml "
+                "member 'perplexity' requires api_key_ref in ~/.event4u/agent-config/settings/.ai-council.yml "
                 "(e.g. `env:PERPLEXITY_API_KEY`) — no legacy fallback."
             )
         api_key = resolve_api_key(api_key_ref, scope="ai_council.members.perplexity")
@@ -1054,7 +1068,7 @@ def _emit_debate_estimate(
     if requested > max_rounds_cap:
         raise argparse.ArgumentTypeError(
             f"--rounds={requested} exceeds debate_max_rounds={max_rounds_cap}; "
-            f"raise the cap in agents/settings/.ai-council.yml or lower --rounds."
+            f"raise the cap in ~/.event4u/agent-config/settings/.ai-council.yml or lower --rounds."
         )
     rounds = requested
     per_round_usd = sum(e.total_usd for e in estimates)
@@ -1613,7 +1627,7 @@ def cmd_run(
     # Phase 8 step 5 — opt-in cost disclosure for non-debate lenses.
     # Default mode is "off" for analysis / default (cheap enough that
     # the disclosure is friction); users opt in by setting
-    # `lenses.<name>.cost_disclosure.mode` in agents/settings/.ai-council.yml.
+    # `lenses.<name>.cost_disclosure.mode` in ~/.event4u/agent-config/settings/.ai-council.yml.
     disc_mode, disc_threshold, disc_show = _resolve_cost_disclosure(
         ai_cfg, question.mode,
     )
@@ -1902,7 +1916,7 @@ def cmd_debate(
     if requested > max_rounds_cap:
         raise argparse.ArgumentTypeError(
             f"--rounds={requested} exceeds debate_max_rounds={max_rounds_cap}; "
-            f"raise the cap in agents/settings/.ai-council.yml or lower --rounds."
+            f"raise the cap in ~/.event4u/agent-config/settings/.ai-council.yml or lower --rounds."
         )
     rounds = requested
 
@@ -1959,7 +1973,7 @@ def cmd_debate(
             f"❌  council:debate refused · high-end estimate "
             f"${debate_estimate.high_usd:.4f} exceeds "
             f"debate.max_cost_usd=${cap:.2f}. Lower --rounds, drop "
-            f"members, or raise the cap in agents/settings/.ai-council.yml.\n"
+            f"members, or raise the cap in ~/.event4u/agent-config/settings/.ai-council.yml.\n"
         )
         return 4
 
@@ -2275,7 +2289,7 @@ def _add_common_input_args(p: argparse.ArgumentParser) -> None:
                         "(anonymised) responses for blind spots before "
                         "synthesis. Adds N extra API calls. Opt-in per the "
                         "R2 verdict; also accepts ai_council.peer_review."
-                        "enabled: true in agents/settings/.ai-council.yml.")
+                        "enabled: true in ~/.event4u/agent-config/settings/.ai-council.yml.")
 
 
 def cmd_shadow_report(args: argparse.Namespace) -> int:
@@ -2422,7 +2436,7 @@ def build_parser() -> argparse.ArgumentParser:
                        help="Required to actually start the debate.")
     p_deb.add_argument("--rounds", type=int, default=None,
                        help="Number of debate rounds (default 2). Capped by "
-                            "ai_council.debate_max_rounds in agents/settings/.ai-council.yml.")
+                            "ai_council.debate_max_rounds in ~/.event4u/agent-config/settings/.ai-council.yml.")
     p_deb.add_argument("--auto-continue", action="store_true",
                        default=False, dest="auto_continue",
                        help="Skip the between-round y/N prompt. The hard cap "

package/src/scripts/external_sources_denylist.json

@@ -0,0 +1,91 @@
+{
+  "_README": "Denylist for check_no_external_sources.py — blocks readable inspiration/harvest/comparison source names from re-entering the tracked tree. See rule source-confidentiality + the 2026-06-13 source-confidentiality sweep. Recommending an integrated tool is allowed; recording that we copied/derived/were-inspired-by an external source is not. To intentionally retain a source link, encrypt it via src/scripts/_lib/link_crypto.py.",
+  "deny": [
+    "kdcllc",
+    "\\bmicrock\\b",
+    "obra/superpowers",
+    "composiohq",
+    "ordinary-claude-skills",
+    "ruvnet",
+    "\\bruflo\\b",
+    "nextlevelbuilder",
+    "juliusbrussee",
+    "\\bcaveman\\b",
+    "tenfoldmarc",
+    "grandamenium",
+    "ginobefun",
+    "deep-reading-analyst-skill",
+    "dustdustpy",
+    "aaddrick",
+    "gammalabtechnologies",
+    "\\bharmonist\\b",
+    "mhattingpete",
+    "claude-skills-marketplace",
+    "dongitran",
+    "coreyhaines",
+    "marketingskills",
+    "neolabhq",
+    "context-engineering-kit",
+    "anthropics/skills",
+    "anthropics/knowledge-work-plugins",
+    "bmad-method",
+    "spec-kit",
+    "awesome-copilot",
+    "alirezarezvani",
+    "conorluddy",
+    "ios-simulator-skill",
+    "anton-abyzov",
+    "\\bspecweave\\b",
+    "aj-geddes",
+    "jezweb",
+    "ui-ux-pro-max",
+    "\\bdeepscan\\b",
+    "\\bhoodini\\b",
+    "dream-skill",
+    "\\bsmithery\\b",
+    "claudekit",
+    "affaan-m",
+    "agency-agents",
+    "msitarzewski",
+    "610ClaudeSubagents",
+    "ChrisRoyse"
+  ],
+  "skip_paths": [
+    "src/scripts/check_no_external_sources.py",
+    "src/scripts/external_sources_denylist.json",
+    "src/skills/design-intelligence/*",
+    "src/skills/corpus-grounding/*",
+    "src/skills/design-tokens/*",
+    "src/skills/react-shadcn-ui/*",
+    "src/skills/tailwind-engineer/*",
+    "src/scripts/cost/*",
+    "src/scripts/validate_safe_paths.py",
+    "dist/agent-src/skills/design-intelligence/*",
+    "dist/agent-src/skills/corpus-grounding/*",
+    "dist/agent-src/skills/design-tokens/*",
+    "dist/agent-src/skills/react-shadcn-ui/*",
+    "dist/agent-src/skills/tailwind-engineer/*",
+    "docs/decisions/ADR-061-corpus-grounding-layer.md",
+    "docs/decisions/ADR-086-read-only-cross-agent-mcp-discovery-helper.md",
+    "docs/mcp.md",
+    "docs/mcp-registries.md",
+    "docs/DISTRIBUTION_CHECKLIST.md",
+    "src/templates/marketing-copy.yml",
+    "internal/workers/mcp/content.json",
+    "internal/workers/mcp/content.json.gz",
+    "internal/workers/mcp/manifest.json",
+    "src/rules/source-confidentiality.md",
+    "dist/agent-src/rules/source-confidentiality.md"
+  ],
+  "skip_reason": {
+    "vendored_cluster": "design-intelligence/corpus-grounding/design-tokens/react-shadcn-ui/tailwind-engineer + cost/*.mjs ship vendored Apache/MIT code; their upstream attribution is license-required and must NOT be stripped (ADR-061).",
+    "recommendation_docs": "mcp.md, mcp-registries.md, DISTRIBUTION_CHECKLIST.md, ADR-086, marketing-copy.yml reference registries (Smithery/Glama) as recommendations/distribution targets — allowed.",
+    "generated_bundles": "content.json* bundle the vendored-cluster skill bodies above.",
+    "self": "the linter + its denylist + the source-confidentiality rule necessarily contain the deny tokens as data.",
+    "validate_safe_paths": "telegraph-derived (MIT) ported code; upstream attribution is license-required."
+  },
+  "_excluded_tokens": {
+    "agent-os": "collides with our own coined 'Agent-OS primitive' term (universal-skills) — too FP-prone to auto-deny; scrub external 'agent-os' mentions by review.",
+    "telegraph-shrink / telegraph-condense": "collide with our own 'telegraph'/'telegraph-condensed' feature vocabulary; the telegraph upstream is guarded via 'caveman' + 'juliusbrussee' instead."
+  }
+}

package/src/scripts/hook_manifest.yaml

@@ -45,6 +45,14 @@ concerns:
     script: src/scripts/minimal_safe_diff_hook.py
     args: []
     fail_closed: false
+  # road-to-security-pillar.md P3.2 — PostToolUse prompt-injection scanner.
+  # Warn-in-context (exit 2), never blocks. Default-OFF: no-ops unless
+  # hooks.injection_scan.enabled is true in .agent-settings.yml. The runtime
+  # backstop layered on the always-on untrusted-input-defense rule.
+  injection-scan:
+    script: src/scripts/injection_scan_hook.py
+    args: []
+    fail_closed: false
   # Phase 2 of road-to-hooks-actually-fire-in-consumers — session_start
   # gate that surfaces the marketplace-install-but-unscaffolded shape.
   # Writes .augment/.first-run-action-needed.md + one stderr line so
@@ -77,14 +85,14 @@ platforms:
     session_start:    [chat-history, first-run-gate, onboarding-gate, verify-before-complete, minimal-safe-diff, profile-staleness, wrapper-freshness]
     session_end:      [chat-history]
     stop:             [chat-history, verify-before-complete]
-    post_tool_use:    [chat-history, roadmap-progress, context-hygiene, verify-before-complete, minimal-safe-diff]
+    post_tool_use:    [chat-history, roadmap-progress, context-hygiene, verify-before-complete, minimal-safe-diff, injection-scan]
 
   claude:
     session_start:    [chat-history, first-run-gate, onboarding-gate, verify-before-complete, minimal-safe-diff, profile-staleness, wrapper-freshness]
     session_end:      [chat-history]
     stop:             [chat-history, verify-before-complete]
     user_prompt_submit: [chat-history, verify-before-complete, minimal-safe-diff]
-    post_tool_use:    [chat-history, roadmap-progress, context-hygiene, verify-before-complete, minimal-safe-diff]
+    post_tool_use:    [chat-history, roadmap-progress, context-hygiene, verify-before-complete, minimal-safe-diff, injection-scan]
 
   # Cowork — the Claude desktop app's local-agent-mode runtime, built
   # on top of the Claude Code CLI. Same lifecycle vocabulary, same
@@ -105,7 +113,7 @@ platforms:
     session_end:      [chat-history]
     stop:             [chat-history, verify-before-complete]
     user_prompt_submit: [chat-history, verify-before-complete, minimal-safe-diff]
-    post_tool_use:    [chat-history, roadmap-progress, context-hygiene, verify-before-complete, minimal-safe-diff]
+    post_tool_use:    [chat-history, roadmap-progress, context-hygiene, verify-before-complete, minimal-safe-diff, injection-scan]
 
   # Phase 7.5 — Cursor. `.cursor/hooks.json` (project) is read by the
   # IDE and CLI; `~/.cursor/hooks.json` (user) is opt-in via
@@ -119,7 +127,7 @@ platforms:
     session_end:        [chat-history]
     stop:               [chat-history, verify-before-complete]
     user_prompt_submit: [chat-history, verify-before-complete, minimal-safe-diff]
-    post_tool_use:      [chat-history, roadmap-progress, context-hygiene, verify-before-complete, minimal-safe-diff]
+    post_tool_use:      [chat-history, roadmap-progress, context-hygiene, verify-before-complete, minimal-safe-diff, injection-scan]
 
   # Phase 7.6 — Cline. Hooks live under `.clinerules/hooks/<HookName>`
   # (project, no file extension, must be executable per Cline docs) or
@@ -134,7 +142,7 @@ platforms:
     session_end:        [chat-history]
     stop:               [chat-history, verify-before-complete]
     user_prompt_submit: [chat-history, verify-before-complete, minimal-safe-diff]
-    post_tool_use:      [chat-history, roadmap-progress, context-hygiene, verify-before-complete, minimal-safe-diff]
+    post_tool_use:      [chat-history, roadmap-progress, context-hygiene, verify-before-complete, minimal-safe-diff, injection-scan]
 
   # Phase 7.7 — Windsurf (Cascade). Hooks live at `.windsurf/hooks.json`
   # (project) or `~/.codeium/windsurf/hooks.json` (user). Cascade has
@@ -168,7 +176,7 @@ platforms:
     session_end:        [chat-history]
     stop:               [chat-history, verify-before-complete]
     user_prompt_submit: [chat-history, verify-before-complete, minimal-safe-diff]
-    post_tool_use:      [chat-history, roadmap-progress, context-hygiene, verify-before-complete, minimal-safe-diff]
+    post_tool_use:      [chat-history, roadmap-progress, context-hygiene, verify-before-complete, minimal-safe-diff, injection-scan]
 
   # Phase 7.9 — Copilot has no hook surface. Concerns route through
   # rule-only fallback; the dispatcher silently no-ops on --platform copilot.