@friedbotstudio/create-baseline 0.2.0 → 0.3.0

package/README.md

@@ -64,7 +64,7 @@ A team that installs the baseline stops typing *"don't push, don't `--amend`, do
 | **Hooks** at PreToolUse / PostToolUse / SessionStart / Stop / PreCompact / UserPromptSubmit | 22 | `.claude/hooks/` |
 | **Skills** across artifact drafting, workflow phases, phase workers, spec helpers, orchestration, memory, audit, alternate tracks, and shared globals | 36 | `.claude/skills/` |
 | **Subagent** — `swarm-worker`, executes pre-decided recipes inside isolated git worktrees | 1 | `.claude/agents/` |
-| **Workflow phases** — intake → scout → research → spec → tdd → simplify → security → integrate → document → archive → commit | 11 | enforced by `track_guard` |
+| **Workflow phases** — intake → scout → research → spec → tdd → simplify → security → integrate → document → archive → memory-flush → commit | 11 | enforced by `track_guard` |
 | **Consent gates** — `/approve-spec`, `/approve-swarm`, `/grant-commit`. User-typed; structurally un-invokable by Claude | 3 | `consent_gate_grant` UserPromptSubmit hook |
 | **MCP servers** declared in `.mcp.json` — `context7` (third-party API docs), `plantuml` (diagram render), `playwright` (cross-engine smoke) | 3 | `.mcp.json` |
 
@@ -148,13 +148,17 @@ cd ./your-project
 /harness
 ```
 
-The three consent gates pause the workflow until you type the corresponding command:
+The three workflow-phase consent gates pause the workflow until you type the corresponding command:
 
 - **`/approve-spec <slug>`** — after the spec phase, before any code is written
 - **`/approve-swarm <slug>`** — after `/swarm-plan`, before parallel dispatch
 - **`/grant-commit`** — after `/archive`, before the commit lands
 
-Each gate writes a short-lived consent marker via a UserPromptSubmit hook that runs *before* Claude is invoked on the body. Claude cannot forge the marker; the corresponding write-boundary guard validates it on disk before allowing the approval token through.
+A fourth consent gate sits outside the phase pipeline:
+
+- **`/grant-push`** — opens a 5-minute window for `git push` on a protected branch (per `project.json → git.protected_branches`). Pushes on non-protected branches need no consent.
+
+Each gate writes a short-lived consent marker via a UserPromptSubmit hook that runs *before* Claude is invoked on the body. Claude cannot forge the marker; the write-boundary guard validates it on disk before allowing the approval token through.
 
 ## How the enforcement works
 

package/obj/template/.claude/commands/grant-push.md

@@ -0,0 +1,19 @@
+---
+description: Grant consent for Claude to run `git push`. Valid for 5 minutes. Required by the Git Commit Guard hook on protected branches.
+argument-hint: "[optional note]"
+allowed-tools: Bash(mkdir:*), Bash(date:*), Bash(tee:*), Bash(git:*), Write
+disable-model-invocation: true
+---
+
+Write a consent token to `.claude/state/push_consent` so the Git Commit Guard hook allows the next `git push` on a protected branch. The token is the current UNIX epoch timestamp on line 1; any optional note goes on line 2.
+
+How this works structurally: when the user typed `/grant-push`, the `consent_gate_grant` UserPromptSubmit hook ran *before* this body was passed to Claude and wrote a short-lived consent marker at `.claude/state/.push_consent_grant`. The `git_commit_guard` PreToolUse hook (Write matcher) reads that marker and allows Claude to write the consent file because the marker is fresh. Claude cannot forge the marker — that's what makes the gate structural. The Bash-matcher leg of the same guard then enforces the consent token on the actual `git push` invocation, but only when the current branch matches `project.json → git.protected_branches`.
+
+Steps:
+
+1. **Git-repo precheck.** Run `git rev-parse --is-inside-work-tree 2>/dev/null`. If the exit status is non-zero, this project is not a git repository: refuse to write the consent token and tell the user "Not a git repository — `/grant-push` is inapplicable. Push has no meaning outside a git repo." Stop here.
+2. Run `date +%s` to get the current epoch.
+3. Write the epoch (and the optional note `$ARGUMENTS` on line 2 if non-empty) to `.claude/state/push_consent`, overwriting any prior token.
+4. Confirm to the user: "Push consent granted at <epoch>, valid for 300s (until <HH:MM:SS local>). The next `git push` on a protected branch will be allowed. Pushes on branches NOT in `project.json → git.protected_branches` do not require this consent."
+
+Do not run `git push` yourself in this command. The user asks explicitly when they want a push; this command only opens the window.

package/obj/template/.claude/commands/init-project.md

@@ -63,7 +63,9 @@ The recommender's SKILL.md instructs it to:
 
 Capture both the narrative and the JSON. Save the JSON to `.claude/state/init/<timestamp>.recommender.json`.
 
-## Step 5 — Aggregate + present
+## Step 5 — Aggregate + present (REVIEW ONLY — NOTHING WRITTEN YET)
+
+**This step is a proposal, not configuration.** Nothing has been written to disk yet: `.claude/project.json` still reads `configured: false`, no new skills/hooks/MCPs are wired, and the `swarm-worker` agent file has not been re-rendered. The user is reading a *proposal* that takes effect only when they explicitly approve in this step.
 
 Show the user one review surface before writing anything:
 
@@ -77,13 +79,32 @@ Show the user one review surface before writing anything:
 3. **Recommender additions** (from JSON `additions`): MCP servers, skills, hooks, and any `swarm_worker_skills` to preload — name + reason for each.
 4. **Gaps flagged** (from JSON `gaps`): things the baseline doesn't cover but might warrant a future spec.
 
-Use `AskUserQuestion` to confirm: "Apply these changes?" Options: `apply`, `apply with edits`, `cancel`.
+After presenting the four blocks, **explicitly tell the user the project is NOT yet configured**. Print this exact block above the confirmation prompt:
+
+```
+⚠ The baseline is still in PROJECT-AGNOSTIC MODE.
 
-If `apply with edits`: take the user's adjustments inline, re-show the surface, ask again.
+None of the proposal above has been applied. `project.json → configured`
+is still `false`. test_runner / lint_runner are still in guide mode.
+Closing this session now leaves the project unconfigured.
+
+The next prompt is an action gate. You must explicitly approve to proceed
+to Step 6 (apply) — otherwise nothing changes.
+```
+
+Use `AskUserQuestion` to confirm. The question SHALL be a full sentence that names the un-configured state explicitly — not "Apply these changes?" alone, but: **"The project is NOT yet configured. Proceed to apply this proposal and finish setup?"** Options:
+
+- `Proceed and apply` — advances to Step 6.
+- `Edit before applying` — take the user's adjustments inline, re-show the surface, ask again.
+- `Cancel — leave project unconfigured` — exit without writing; `configured` stays `false`; surface that the project remains in project-agnostic mode and `/init-project` can be re-run later.
+
+If `Edit before applying`: take the user's adjustments inline, re-show the surface, **ask the same gate again**. Do not silently apply — the gate fires after every edit cycle until the user picks `Proceed and apply` or `Cancel`.
 
 ## Step 6 — Apply
 
-Write to disk now. Do each sub-step in order; if any fails, stop and surface the error before continuing:
+Write to disk now. **This is the first step in the protocol that mutates files in the user's project** — until this step runs, `.claude/project.json` still reads `configured: false` and the baseline stays in project-agnostic mode. Reaching this step means the user explicitly picked `Proceed and apply` at Step 5's gate.
+
+Do each sub-step in order; if any fails, stop and surface the error before continuing:
 
 1. **Pre-create lazy directories**:
    ```bash
@@ -186,6 +207,7 @@ Print a final summary:
 ## Constraints
 
 - **Steps 6 + 7 + 8 are atomic for the user.** If Step 8 fails, do not declare success at Step 9.
+- **Step 5 is review, not setup.** Until the user explicitly picks `Proceed and apply` at Step 5's gate, the project remains in project-agnostic mode. Surfacing recommendations is not configuration; the gate prompt SHALL name the un-configured state in a full sentence so a skimming reader cannot mistake the proposal for a completion notice.
 - **Never write `configured: true` before Step 8 passes.** A FAIL at Step 8 means the project is in a broken state; leaving `configured: true` would lie to `setup_guard` and the welcome hook in CLAUDE.md.
 - **No silent decisions.** Every project-specific change appears in seed.md §16 so the next reader can see what diverged from baseline.
 - **Idempotent.** Re-running on the same project produces the same §16 (modulo timestamp + run number) and passes `/audit-baseline` cleanly.

package/obj/template/.claude/hooks/consent_gate_grant.mjs

@@ -0,0 +1,107 @@
+#!/usr/bin/env node
+// Consent Gate Grant — UserPromptSubmit
+//
+// JS port of consent_gate_grant.sh, adding a fourth arm for /grant-push.
+//
+// When the user types one of /approve-spec, /approve-swarm, /grant-commit,
+// /grant-push, this hook fires BEFORE Claude is invoked. It writes a
+// short-lived consent marker at .claude/state/.<gate>_grant.
+//
+// The marker is what makes the corresponding approval-token write succeed:
+// the gate-specific PreToolUse guard (spec_approval_guard, swarm_approval_guard,
+// git_commit_guard) reads the marker and allows Claude's write only if a
+// fresh, slug-matched marker is on disk.
+//
+// Why the marker is unforgeable by Claude:
+//   - This hook runs on UserPromptSubmit, OUTSIDE Claude's tool boundary.
+//   - The PreToolUse guards block Claude from writing the marker file.
+//   - Markers expire after consent.gate_marker_ttl_seconds (default 120).
+//
+// Marker shapes:
+//   .spec_approval_grant   line 1: slug · line 2: epoch · line 3: abs spec path
+//   .swarm_approval_grant  line 1: slug · line 2: epoch
+//   .commit_consent_grant  line 1: epoch · line 2: optional note
+//   .push_consent_grant    line 1: epoch · line 2: optional note   (NEW)
+
+import { join } from 'node:path';
+import {
+  readPayload,
+  payloadGet,
+  canonicalSlug,
+  writeMarkerAtomic,
+  logLine,
+  CLAUDE_PROJECT_ROOT,
+  CONSENT_MARKER_SPEC,
+  CONSENT_MARKER_SWARM,
+  CONSENT_MARKER_COMMIT,
+  CONSENT_MARKER_PUSH,
+} from './lib/common.mjs';
+
+const HOOK = 'consent_gate_grant';
+
+async function main() {
+  // Fast-path: rule out 99% of prompts before any regex parsing.
+  const payload = await readPayload();
+  const prompt = payloadGet(payload, '.prompt');
+  if (typeof prompt !== 'string' || prompt.length === 0) return;
+  if (!/\/(approve-spec|approve-swarm|grant-commit|grant-push)/.test(prompt)) return;
+
+  const firstLine = prompt.split(/\r?\n/)[0].trim();
+  const now = Math.floor(Date.now() / 1000);
+
+  let m;
+
+  m = firstLine.match(/^\/approve-spec\s+(\S+)/);
+  if (m) {
+    const arg = m[1];
+    const slug = canonicalSlug(arg);
+    let absPath;
+    if (arg.startsWith('/')) absPath = arg;
+    else if (arg.includes('/')) absPath = join(CLAUDE_PROJECT_ROOT, arg);
+    else absPath = join(CLAUDE_PROJECT_ROOT, 'docs', 'specs', `${slug}.md`);
+    if (writeMarkerAtomic(CONSENT_MARKER_SPEC, slug, String(now), absPath)) {
+      logLine(HOOK, `wrote spec_approval_grant slug=${slug} path=${absPath}`);
+    } else {
+      logLine(HOOK, `FAILED write spec_approval_grant slug=${slug}`);
+    }
+    return;
+  }
+
+  m = firstLine.match(/^\/approve-swarm\s+(\S+)/);
+  if (m) {
+    const slug = canonicalSlug(m[1]);
+    if (writeMarkerAtomic(CONSENT_MARKER_SWARM, slug, String(now))) {
+      logLine(HOOK, `wrote swarm_approval_grant slug=${slug}`);
+    } else {
+      logLine(HOOK, `FAILED write swarm_approval_grant slug=${slug}`);
+    }
+    return;
+  }
+
+  m = firstLine.match(/^\/grant-commit(\s.*)?$/);
+  if (m) {
+    const note = (m[1] || '').trim();
+    if (writeMarkerAtomic(CONSENT_MARKER_COMMIT, String(now), note)) {
+      logLine(HOOK, `wrote commit_consent_grant note=${note}`);
+    } else {
+      logLine(HOOK, `FAILED write commit_consent_grant`);
+    }
+    return;
+  }
+
+  m = firstLine.match(/^\/grant-push(\s.*)?$/);
+  if (m) {
+    const note = (m[1] || '').trim();
+    if (writeMarkerAtomic(CONSENT_MARKER_PUSH, String(now), note)) {
+      logLine(HOOK, `wrote push_consent_grant note=${note}`);
+    } else {
+      logLine(HOOK, `FAILED write push_consent_grant`);
+    }
+    return;
+  }
+}
+
+main().catch(() => {
+  // UserPromptSubmit hook must never fail loudly — silent exit on any error.
+  process.exit(0);
+});

package/obj/template/.claude/hooks/git_commit_guard.mjs

@@ -0,0 +1,224 @@
+#!/usr/bin/env node
+// Git Commit Guard — PreToolUse(Bash) and PreToolUse(Write|Edit|MultiEdit)
+//
+// JS port of git_commit_guard.sh, adding branch-aware consent policy:
+//
+//   1. Bash matcher — branch-aware:
+//        - `git push` is no longer in FORBIDDEN_RE (was an unconditional
+//          hard-block; now policy-driven).
+//        - `git commit` and `git push` both consult `git rev-parse
+//          --abbrev-ref HEAD`. Detached HEAD ("HEAD") → DENY explicitly.
+//        - On a branch matched by project.json → git.protected_branches
+//          (or when that key is null/absent → every branch protected),
+//          commits require fresh commit_consent (300s) and pushes require
+//          fresh push_consent (300s).
+//        - When git.branch_pattern is set and the current branch does NOT
+//          match the regex, commits are denied with the pattern surfaced.
+//        - On a non-protected branch, commits and pushes proceed without
+//          consent.
+//
+//   2. Write matcher — unchanged behavior plus an arm for push_consent:
+//        - Blocks Claude from writing the marker files (commit/push_consent_grant).
+//        - Gates writes to commit_consent on a fresh commit-consent marker.
+//        - Gates writes to push_consent on a fresh push-consent marker.
+
+import { execFileSync } from 'node:child_process';
+import { existsSync, readFileSync, unlinkSync } from 'node:fs';
+import {
+  readPayload,
+  payloadGet,
+  projectGet,
+  emitBlock,
+  emitAllow,
+  logLine,
+  canonicalRel,
+  canonicalSlug,
+  validateConsentMarker,
+  blockMarkerSelfWrite,
+  matchAnyGlob,
+  CLAUDE_PROJECT_ROOT,
+  STATE_DIR,
+  CONSENT_MARKER_COMMIT,
+  CONSENT_MARKER_COMMIT_REL,
+  CONSENT_MARKER_PUSH,
+  CONSENT_MARKER_PUSH_REL,
+} from './lib/common.mjs';
+
+const HOOK = 'git_commit_guard';
+
+// Hard-blocks that apply regardless of consent or branch.
+// NOTE: `git push` was previously included; removed in the branch-aware
+// policy. The remaining ops are still flat-out forbidden because they
+// rewrite history, skip safety, or sweep paths.
+const FORBIDDEN_RE = new RegExp(
+  '(' +
+    '\\bgit\\s+commit\\b[^|&;]*--amend' +
+    '|--no-verify' +
+    '|--no-gpg-sign' +
+    '|\\bgit\\s+reset\\s+--hard\\b' +
+    '|\\bgit\\s+clean\\s+-[a-zA-Z]*f\\b' +
+    '|\\bgit\\s+checkout\\s+--\\s' +
+    '|\\bgit\\s+branch\\s+-D\\b' +
+    '|\\bgit\\s+config\\b' +
+    '|\\bgit\\s+rebase\\s+-i\\b' +
+    '|\\bgit\\s+add\\s+-i\\b' +
+    '|\\bgit\\s+add\\s+(-A|\\.)(?![A-Za-z0-9_/.\\-])' +
+  ')'
+);
+
+function currentBranch() {
+  try {
+    const out = execFileSync('git', ['rev-parse', '--abbrev-ref', 'HEAD'], { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'], cwd: CLAUDE_PROJECT_ROOT });
+    return out.trim();
+  } catch {
+    return null;
+  }
+}
+
+function isInsideWorkTree() {
+  try {
+    execFileSync('git', ['rev-parse', '--is-inside-work-tree'], { stdio: 'ignore', cwd: CLAUDE_PROJECT_ROOT });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// Returns: { protected: bool, patternViolation: string|null, detached: bool, branch: string|null }
+function branchPolicy() {
+  const branch = currentBranch();
+  if (branch === null) return { protected: false, patternViolation: null, detached: false, branch: null, notGit: true };
+  if (branch === 'HEAD') return { protected: false, patternViolation: null, detached: true, branch, notGit: false };
+
+  // protected_branches: null/absent → every branch protected; else glob match.
+  const globs = projectGet('.git.protected_branches');
+  let isProtected;
+  if (globs == null) {
+    isProtected = true;
+  } else if (Array.isArray(globs)) {
+    isProtected = matchAnyGlob(branch, globs);
+  } else {
+    isProtected = true; // invalid type → fail-safe to protected
+  }
+
+  // branch_pattern: null/absent → no check; string → must match.
+  const pattern = projectGet('.git.branch_pattern');
+  let patternViolation = null;
+  if (typeof pattern === 'string' && pattern.length > 0) {
+    try {
+      if (!new RegExp(pattern).test(branch)) patternViolation = pattern;
+    } catch {
+      // invalid regex → treat as no pattern, warn via log
+      logLine(HOOK, `WARN invalid git.branch_pattern regex: ${pattern}`);
+    }
+  }
+
+  return { protected: isProtected, patternViolation, detached: false, branch, notGit: false };
+}
+
+function validateConsentToken(file, ttlKey, defaultTtl, gateLabel, cmdHint) {
+  let ttl = projectGet(ttlKey);
+  if (typeof ttl !== 'number' || !Number.isFinite(ttl)) ttl = defaultTtl;
+  if (!existsSync(file)) {
+    logLine(HOOK, `BLOCKED no consent file: ${file}`);
+    emitBlock(`${gateLabel}: no consent granted. The user must run \`${cmdHint}\` before a ${cmdHint.includes('push') ? 'push' : 'commit'} is allowed. Consent is valid for ${ttl}s.`);
+  }
+  let grantedAt;
+  try {
+    grantedAt = readFileSync(file, 'utf8').split(/\r?\n/)[0].trim();
+  } catch {
+    grantedAt = '';
+  }
+  if (!/^\d+$/.test(grantedAt)) {
+    logLine(HOOK, `BLOCKED malformed consent file: ${file}`);
+    emitBlock(`${gateLabel}: consent file is malformed. Ask the user to re-run \`${cmdHint}\`.`);
+  }
+  const now = Math.floor(Date.now() / 1000);
+  const age = now - parseInt(grantedAt, 10);
+  if (age > ttl) {
+    logLine(HOOK, `BLOCKED consent expired age=${age}s ttl=${ttl}s file=${file}`);
+    emitBlock(`${gateLabel}: consent expired (${age}s old, TTL ${ttl}s). Ask the user to re-run \`${cmdHint}\`.`);
+  }
+  logLine(HOOK, `ALLOWED age=${age}s file=${file}`);
+}
+
+function handleBash(cmd) {
+  if (!cmd || !/(^|\s)git(\s|$)/.test(cmd)) emitAllow();
+
+  // Hard-blocks first. Push is NOT in this set anymore.
+  if (FORBIDDEN_RE.test(cmd)) {
+    logLine(HOOK, `BLOCKED forbidden git op: ${cmd}`);
+    emitBlock('Git Commit Guard: forbidden git operation detected. seed.md forbids `git commit --amend`, `--no-verify`, `--no-gpg-sign`, `git reset --hard`, `git clean -f`, `git checkout -- `, `git branch -D`, `git config`, `git rebase -i`, `git add -i`, `git add -A|.` regardless of consent or branch. Ask the user to approve by stating the exact command.');
+  }
+
+  const isCommit = /\bgit\s+commit\b/.test(cmd);
+  const isPush = /\bgit\s+push\b/.test(cmd);
+  if (!isCommit && !isPush) emitAllow();
+
+  // Article VII applicability: gate operations require git.
+  if (!isInsideWorkTree()) {
+    logLine(HOOK, `ALLOWED not-a-git-repo cmd=${cmd}`);
+    emitAllow();
+  }
+
+  const policy = branchPolicy();
+  if (policy.detached) {
+    logLine(HOOK, `BLOCKED detached HEAD cmd=${cmd}`);
+    emitBlock(`Git Commit Guard: detached HEAD. Check out a branch first. Branch-aware policy needs a named branch to evaluate \`git.protected_branches\` and \`git.branch_pattern\`.`);
+  }
+
+  if (isCommit && policy.patternViolation) {
+    logLine(HOOK, `BLOCKED branch_pattern violation branch=${policy.branch} pattern=${policy.patternViolation}`);
+    emitBlock(`Git Commit Guard: branch '${policy.branch}' does not match \`git.branch_pattern\` (\`${policy.patternViolation}\`). Rename the branch to conform, or set \`git.branch_pattern\` to null in project.json to disable naming enforcement.`);
+  }
+
+  if (!policy.protected) {
+    logLine(HOOK, `ALLOWED unprotected-branch branch=${policy.branch} cmd=${cmd}`);
+    emitAllow();
+  }
+
+  // Protected — require the matching consent token.
+  if (isCommit) {
+    validateConsentToken(`${STATE_DIR}/commit_consent`, '.consent.commit_ttl_seconds', 300, 'Git Commit Guard', '/grant-commit');
+  } else {
+    validateConsentToken(`${STATE_DIR}/push_consent`, '.consent.push_ttl_seconds', 300, 'Git Commit Guard', '/grant-push');
+  }
+  emitAllow();
+}
+
+function handleWrite(payload) {
+  const filePath = payloadGet(payload, '.tool_input.file_path');
+  if (!filePath) emitAllow();
+  const rel = canonicalRel(filePath);
+  if (!rel) emitAllow();
+
+  // Block self-write of the commit / push markers (Claude can never forge them).
+  blockMarkerSelfWrite(rel, CONSENT_MARKER_COMMIT_REL, 'Git Commit Guard', '/grant-commit');
+  blockMarkerSelfWrite(rel, CONSENT_MARKER_PUSH_REL, 'Git Commit Guard', '/grant-push');
+
+  // Gate writes to the consent state files on a fresh marker.
+  if (rel === '.claude/state/commit_consent') {
+    validateConsentMarker(CONSENT_MARKER_COMMIT, 'Git Commit Guard', '/grant-commit');
+  } else if (rel === '.claude/state/push_consent') {
+    validateConsentMarker(CONSENT_MARKER_PUSH, 'Git Commit Guard', '/grant-push');
+  }
+  emitAllow();
+}
+
+async function main() {
+  const payload = await readPayload();
+  const tool = payloadGet(payload, '.tool_name');
+  if (tool === 'Bash') {
+    const cmd = payloadGet(payload, '.tool_input.command');
+    handleBash(cmd);
+  } else if (tool === 'Write' || tool === 'Edit' || tool === 'MultiEdit') {
+    handleWrite(payload);
+  } else {
+    emitAllow();
+  }
+}
+
+main().catch((err) => {
+  logLine(HOOK, `ERROR ${err && err.message ? err.message : String(err)}`);
+  emitAllow();
+});

package/obj/template/.claude/hooks/harness_continuation.sh

@@ -6,18 +6,25 @@
 # tick) and decides whether to re-fire harness on the same turn or stay
 # silent.
 #
-# Three-rung gate (plus sanity rail) — ALL three must pass to emit a block:
-#   1. stop_hook_active flag absent on payload (avoids in-turn recursion).
-#   2. .claude/state/.harness_active exists (session-scoped in-the-loop marker;
-#      the harness skill creates it on continue, deletes it on yielded/done;
-#      memory_session_start.sh deletes it on session boundary).
-#   3. harness_state.state equals "continue".
+# Gate has two disjunctive paths, both gated by rung 1:
+#   Path A (mid-loop continuation):
+#     1. stop_hook_active flag absent on payload (avoids in-turn recursion).
+#     2. .claude/state/.harness_active marker exists (session-scoped).
+#     3. harness_state.state equals "continue".
+#   Path B (rung 4 — gate-resume after a consent slash command):
+#     1. stop_hook_active flag absent.
+#     4a. harness_state.state equals "yielded".
+#     4b. .claude/state/workflow.json exists and parses.
+#     4c. at least one of {commit_consent, push_consent,
+#         spec_approvals/<slug>.approval, swarm_approvals/<slug>.approval}
+#         exists with mtime newer than harness_state's mtime.
+#   If Path A or Path B passes, the sanity rail runs and a block decision
+#   is emitted. Otherwise: exit 0 silent.
 #
 # Sanity rail: if the marker's slug content disagrees with workflow.json.slug,
 # log one WARN line to harness_continuation.log; the decision is unchanged.
 #
-# If all three pass, emit {"decision":"block","reason":"..."} to stdout.
-# Otherwise: exit 0 silent. Internal failures are treated as silence.
+# Internal failures are treated as silence.
 
 # shellcheck source=./lib/common.sh
 . "${BASH_SOURCE[0]%/*}/lib/common.sh"
@@ -32,17 +39,14 @@ case "$STOP_ACTIVE" in
     ;;
 esac
 
-# Rung 2: active marker presence — session-scoped "in the loop" signal.
+# Marker path (presence check is now inside Python — Path B can fire with
+# the marker absent).
 MARKER="$STATE_DIR/.harness_active"
-if [ ! -f "$MARKER" ]; then
-  log_line harness_continuation "silent: rung2 marker missing ($MARKER)"
-  exit 0
-fi
 
-# Rung 3 (plus sanity rail + emit) — delegate to python for JSON parsing.
+# harness_state existence — both paths need it readable.
 HARNESS_STATE="$STATE_DIR/harness_state"
 if [ ! -r "$HARNESS_STATE" ]; then
-  log_line harness_continuation "silent: rung3a harness_state missing or unreadable"
+  log_line harness_continuation "silent: harness_state missing or unreadable"
   exit 0
 fi
 
@@ -74,21 +78,92 @@ def _warn(message):
     _log('WARN', message)
 
 
-# Rung 3: parse harness_state and check state field.
+def _read_workflow_slug():
+    """Return slug string from workflow.json, or None if file missing/unparseable.
+
+    An empty-string return ('') means the file exists and parses but has no
+    slug field — workflow.json present but ungated by slug.
+    """
+    if not workflow_path or not os.path.exists(workflow_path):
+        return None
+    try:
+        with open(workflow_path) as f:
+            wf = json.load(f)
+        return wf.get('slug') or ''
+    except Exception:
+        return None
+
+
+def _any_consent_newer_than(reference_mtime, workflow_slug):
+    """Rung 4c: is there a consent/approval token with mtime > reference_mtime?
+
+    Scans four canonical paths under $STATE_DIR. The two slug-gated paths
+    (spec_approvals, swarm_approvals) only check when workflow_slug is
+    non-empty.
+    """
+    state_dir = os.path.dirname(state_path)
+    candidates = [
+        os.path.join(state_dir, 'commit_consent'),
+        os.path.join(state_dir, 'push_consent'),
+    ]
+    if workflow_slug:
+        candidates.append(
+            os.path.join(state_dir, 'spec_approvals', f'{workflow_slug}.approval')
+        )
+        candidates.append(
+            os.path.join(state_dir, 'swarm_approvals', f'{workflow_slug}.approval')
+        )
+    for path in candidates:
+        try:
+            if os.path.getmtime(path) > reference_mtime:
+                return True
+        except OSError:
+            continue
+    return False
+
+
+# Parse harness_state and capture its mtime (rung 4 uses the mtime for the
+# fresh-consent comparison).
 try:
+    state_mtime = os.path.getmtime(state_path)
     with open(state_path) as f:
         data = json.load(f)
 except Exception as e:
-    _log('INFO', f'silent: rung3b harness_state unparseable ({e!s})')
+    _log('INFO', f'silent: harness_state unparseable ({e!s})')
     sys.exit(0)
 
 state_value = data.get('state')
-if state_value != 'continue':
-    _log('INFO', f'silent: rung3c state={state_value!r} (expected "continue")')
+
+# Read workflow.json's slug ONCE; both Path B's rung-4 check and the sanity
+# rail consume it. None = missing/unparseable; '' = present but no slug.
+workflow_slug = _read_workflow_slug()
+
+# Branch on state. Path A handles 'continue'; Path B (rung 4) handles
+# 'yielded'. Anything else is silent.
+emit_log_detail = ''
+
+if state_value == 'continue':
+    # Path A: marker must be present (rung 2).
+    if not marker_path or not os.path.exists(marker_path):
+        _log('INFO', 'silent: rung2 marker missing for Path A (state=continue)')
+        sys.exit(0)
+    emit_log_detail = 'Path A (state=continue + marker present)'
+elif state_value == 'yielded':
+    # Path B (rung 4): workflow.json must exist; a consent token must be
+    # newer than harness_state mtime.
+    if workflow_slug is None:
+        _log('INFO', 'silent: rung4 workflow.json missing or unparseable')
+        sys.exit(0)
+    if not _any_consent_newer_than(state_mtime, workflow_slug):
+        _log('INFO', 'silent: rung4 no consent token newer than harness_state')
+        sys.exit(0)
+    emit_log_detail = 'Path B (rung 4, state=yielded + fresh consent)'
+else:
+    _log('INFO', f'silent: state={state_value!r} (not "continue" or "yielded")')
     sys.exit(0)
 
-# Sanity rail: marker slug should match workflow.json slug.
-# Mismatch is a WARN log line; the decision is unchanged.
+# Sanity rail: marker slug should match workflow.json slug. Mismatch is a
+# WARN log line; the decision is unchanged.
 marker_slug = ''
 if marker_path and os.path.exists(marker_path):
     try:
@@ -97,25 +172,17 @@ if marker_path and os.path.exists(marker_path):
     except Exception:
         marker_slug = ''
 
-workflow_slug = ''
-if workflow_path and os.path.exists(workflow_path):
-    try:
-        with open(workflow_path) as f:
-            wf = json.load(f)
-        workflow_slug = wf.get('slug') or ''
-    except Exception:
-        workflow_slug = ''
-
-if marker_slug and workflow_slug and marker_slug != workflow_slug:
-    _warn(f'slug mismatch: marker={marker_slug} workflow={workflow_slug}')
+rail_workflow_slug = workflow_slug or ''
+if marker_slug and rail_workflow_slug and marker_slug != rail_workflow_slug:
+    _warn(f'slug mismatch: marker={marker_slug} workflow={rail_workflow_slug}')
 
-# All rungs passed — emit the block decision.
+# Gate passed — emit the block decision.
 decision = {
     'decision': 'block',
     'reason': 'Workflow continuing per harness_state. Invoke Skill(harness) to advance to the next phase.',
 }
 print(json.dumps(decision))
-_log('INFO', 'emit: decision=block (all rungs passed)')
+_log('INFO', f'emit: decision=block ({emit_log_detail})')
 PY
 
 exit 0