@gajae-code/coding-agent 0.7.2 → 0.7.4

package/src/gjc-runtime/tmux-common.ts

@@ -1,3 +1,5 @@
+import { resolveGjcTmuxBinary } from "./psmux-detect";
+
 export const GJC_DEFAULT_TMUX_SESSION = "gajae_code";
 export const GJC_TMUX_SESSION_PREFIX = `${GJC_DEFAULT_TMUX_SESSION}_`;
 export const GJC_TMUX_COMMAND_ENV = "GJC_TMUX_COMMAND";
@@ -31,10 +33,33 @@ export function envDisabled(value: string | undefined): boolean {
 	return normalized === "0" || normalized === "false" || normalized === "off" || normalized === "no";
 }
 
-export function resolveGjcTmuxCommand(env: NodeJS.ProcessEnv = process.env): string {
-	return env[GJC_TMUX_COMMAND_ENV]?.trim() || env.GJC_TEAM_TMUX_COMMAND?.trim() || "tmux";
+/**
+ * Resolve the tmux (or tmux-compatible multiplexer) command GJC should invoke.
+ *
+ * This is the shared entry point used by every GJC code path that needs to talk
+ * to a multiplexer: `gjc --tmux` planning, `gjc session ...`, `gjc team ...`,
+ * the lifecycle controller, and the harness resident owner. Routing all of
+ * them through the same resolver means a single `GJC_TMUX_COMMAND` override or
+ * a single Windows psmux / pmux detection wins for the whole process — the
+ * failure mode where `gjc --tmux` creates a psmux-backed session and then
+ * `gjc session status` fails because it queries literal `tmux` is closed off.
+ *
+ * Explicit `GJC_TMUX_COMMAND` / `GJC_TEAM_TMUX_COMMAND` overrides are honored on
+ * every platform. On native Windows without an override the resolver walks
+ * `psmux`, then `pmux`, then `tmux` and uses the first binary present on PATH.
+ * On POSIX the resolver returns `tmux` (the historical default) and only
+ * falls through to the platform-aware walker if the caller opts in.
+ */
+export function resolveGjcTmuxCommand(
+	env: NodeJS.ProcessEnv = process.env,
+	platform: NodeJS.Platform = process.platform,
+): string {
+	return resolveGjcTmuxBinary({ env, platform }).command;
 }
 
+export type { PsmuxProbe, ResolvedTmuxBinary, ResolveGjcTmuxBinaryOptions } from "./psmux-detect";
+export { clearPsmuxDetectionCache, detectPsmux, probePsmux, resolveGjcTmuxBinary } from "./psmux-detect";
+
 /**
  * Build the exact-session target for tmux *option* commands
  * (`show-options` / `set-option`) and `display-message -t`.
@@ -55,7 +80,9 @@ export function buildGjcTmuxUntaggedSessionHint(tmuxCommand: string): string {
 	return (
 		`the active multiplexer "${tmuxCommand}" lists this session but did not return GJC's ${GJC_TMUX_PROFILE_OPTION} ownership tag; ` +
 		"GJC-managed sessions and `gjc team` require a tmux provider that round-trips tmux user options. " +
-		"Alternative multiplexers such as psmux on Windows do not persist user options yet, so the Windows-native psmux path is not fully supported; " +
+		"For psmux on Windows, cwd/start-directory flags such as `-c` do not isolate the server namespace; psmux uses the tmux-compatible global `-L <namespace>` flag for that. " +
+		"GJC_TMUX_COMMAND and GJC_TEAM_TMUX_COMMAND are binary overrides, not shell command lines, so `psmux -L name` is not a supported value. " +
+		"Alternative multiplexers such as psmux on Windows do not reliably persist user options yet, so the Windows-native psmux path is not fully supported; " +
 		"use real tmux for GJC-managed session and team flows."
 	);
 }

package/src/gjc-runtime/tmux-sessions.ts

@@ -221,7 +221,13 @@ export function statusGjcTmuxSession(sessionName: string, env: NodeJS.ProcessEnv
 export function createGjcTmuxSession(env: NodeJS.ProcessEnv = process.env): GjcTmuxSessionStatus {
 	const tmuxCommand = resolveGjcTmuxCommand(env);
 	const sessionName = buildGjcTmuxSessionName(env);
-	const command = "exec env GJC_TMUX_LAUNCHED=1 gjc";
+	// Build a shell-bootstrap command appropriate for the host shell. Psmux on
+	// Windows runs the new-session command through PowerShell, so we use the
+	// $env:VAR = ... assignment form there. POSIX keeps the historical exec
+	// env form so the launched gjc inherits GJC_TMUX_LAUNCHED without leaking
+	// into the parent tmux server.
+	const platform = process.platform;
+	const command = platform === "win32" ? "$env:GJC_TMUX_LAUNCHED = '1'; gjc" : "exec env GJC_TMUX_LAUNCHED=1 gjc";
 	const created = Bun.spawnSync([tmuxCommand, "new-session", "-d", "-s", sessionName, command], {
 		stdout: "pipe",
 		stderr: "pipe",
@@ -306,6 +312,50 @@ export function removeGjcTmuxSession(sessionName: string, env: NodeJS.ProcessEnv
 	return session;
 }
 
+/**
+ * Force-close a GJC-managed tmux session, even if a live pane is attached.
+ *
+ * This is the lifecycle-control counterpart to {@link removeGjcTmuxSession}: it
+ * intentionally does NOT refuse live/attached panes (hard-kill is the contract),
+ * but it keeps every safety check so it can only ever kill a genuinely
+ * GJC-managed session:
+ * - re-reads the exact tmux profile immediately before kill (never a non-GJC
+ *   session, even one that collides by name);
+ * - when `expectedSessionId` is given, requires the `@gjc-session-id` tag match;
+ * - when `expectedStateFile` is given, requires the `@gjc-session-state-file`
+ *   tag match.
+ *
+ * Returns the prior status (for audit). Throws a tagged error otherwise:
+ * `gjc_tmux_session_not_found`, `gjc_tmux_session_not_managed`,
+ * `gjc_tmux_session_id_mismatch`, or `gjc_tmux_session_state_file_mismatch`.
+ */
+export function forceCloseGjcTmuxSession(
+	sessionName: string,
+	env: NodeJS.ProcessEnv = process.env,
+	expectedSessionId?: string,
+	expectedStateFile?: string,
+): GjcTmuxSessionStatus {
+	const session = statusGjcTmuxSession(sessionName, env);
+	if (readProfileForExactTarget(session.name, env) !== GJC_TMUX_PROFILE_VALUE) {
+		throw new Error(`gjc_tmux_session_not_managed:${sessionName}`);
+	}
+	if (expectedSessionId !== undefined) {
+		const actual = readExactOptionForGc(session.name, GJC_TMUX_SESSION_ID_OPTION, env);
+		if (actual !== expectedSessionId) {
+			throw new Error(`gjc_tmux_session_id_mismatch:${sessionName}`);
+		}
+	}
+	if (expectedStateFile !== undefined) {
+		const actual = readExactOptionForGc(session.name, GJC_TMUX_SESSION_STATE_FILE_OPTION, env);
+		if (actual !== expectedStateFile) {
+			throw new Error(`gjc_tmux_session_state_file_mismatch:${sessionName}`);
+		}
+	}
+	// Intentionally NOT refusing live/attached panes — force-close is hard-kill.
+	runTmux(["kill-session", "-t", `=${session.name}`], env);
+	return session;
+}
+
 export function attachGjcTmuxSession(sessionName: string, env: NodeJS.ProcessEnv = process.env): never {
 	const session = statusGjcTmuxSession(sessionName, env);
 	const tmuxCommand = resolveGjcTmuxCommand(env);

package/src/gjc-runtime/ultragoal-guard.ts

@@ -65,15 +65,17 @@ function isKnownUltragoalObjective(currentObjective: string): boolean {
 	);
 }
 
-async function ultragoalReadPaths(cwd: string): Promise<UltragoalPaths> {
+async function ultragoalReadPaths(cwd: string): Promise<{ paths: UltragoalPaths; sessionId: string | null }> {
 	const envSessionId = process.env.GJC_SESSION_ID?.trim();
-	if (envSessionId) return getUltragoalPaths(cwd, envSessionId);
+	if (envSessionId) return { paths: getUltragoalPaths(cwd, envSessionId), sessionId: envSessionId };
 	try {
 		const session = await resolveGjcSessionForRead(cwd, { envSessionId: process.env.GJC_SESSION_ID });
-		return getUltragoalPaths(cwd, session.gjcSessionId);
+		return { paths: getUltragoalPaths(cwd, session.gjcSessionId), sessionId: session.gjcSessionId };
 	} catch (error) {
 		if (error instanceof SessionResolutionError && error.code === "no_session") {
-			return getUltragoalPaths(cwd, null);
+			// No session could be resolved (no env, no auto-detectable active session).
+			// Surface the null session id so callers can decide; ask-guard treats it as inactive.
+			return { paths: getUltragoalPaths(cwd, null), sessionId: null };
 		}
 		throw error;
 	}
@@ -82,7 +84,7 @@ async function ultragoalReadPaths(cwd: string): Promise<UltragoalPaths> {
 async function hasDurableUltragoalState(cwd: string): Promise<boolean> {
 	let paths: UltragoalPaths;
 	try {
-		paths = await ultragoalReadPaths(cwd);
+		({ paths } = await ultragoalReadPaths(cwd));
 	} catch (error) {
 		if (error instanceof SessionResolutionError) return true;
 		throw error;
@@ -368,14 +370,26 @@ export async function readUltragoalVerificationState(input: {
 
 export async function isUltragoalAskBlocked(cwd: string): Promise<UltragoalAskBlockDiagnostic> {
 	let paths: UltragoalPaths;
+	let sessionId: string | null;
 	try {
-		paths = await ultragoalReadPaths(cwd);
+		({ paths, sessionId } = await ultragoalReadPaths(cwd));
 	} catch (error) {
 		return activeAskDiagnostic({
 			reason: `Unable to resolve durable Ultragoal state: ${error instanceof Error ? error.message : String(error)}`,
 			source: "durable_state_unreadable",
 		});
 	}
+	// Ultragoal state is session-scoped. When no session can be resolved (no env,
+	// no auto-detectable active session) there is no active run to protect, so the
+	// ask guard must fall open rather than block on legacy/global durable state.
+	if (sessionId === null) {
+		return inactiveAskDiagnostic({
+			reason: "No active GJC session resolved; ultragoal is inactive.",
+			source: "absent",
+			goalsPath: paths.goalsPath,
+			ledgerPath: paths.ledgerPath,
+		});
+	}
 	try {
 		await fs.stat(paths.dir);
 	} catch (error) {
@@ -398,8 +412,8 @@ export async function isUltragoalAskBlocked(cwd: string): Promise<UltragoalAskBl
 	let plan: UltragoalPlan | null;
 	let ledger: UltragoalLedgerEvent[];
 	try {
-		plan = await readUltragoalPlan(cwd);
-		ledger = await readUltragoalLedger(cwd);
+		plan = await readUltragoalPlan(cwd, sessionId);
+		ledger = await readUltragoalLedger(cwd, sessionId);
 	} catch (error) {
 		return activeAskDiagnostic({
 			reason: `Unable to read durable Ultragoal state: ${error instanceof Error ? error.message : String(error)}`,
@@ -409,6 +423,9 @@ export async function isUltragoalAskBlocked(cwd: string): Promise<UltragoalAskBl
 		});
 	}
 	if (!plan) {
+		// goals.json absent or empty while the state dir exists is an inconsistent
+		// durable state, not a clean "no run". Fail closed so the pause guard (which
+		// relies on this `durable_state_unreadable` signal) keeps blocking give-ups.
 		return activeAskDiagnostic({
 			reason: "Durable .gjc/ultragoal state exists but goals.json is missing or empty.",
 			source: "durable_state_unreadable",

package/src/gjc-runtime/ultragoal-runtime.ts

@@ -1,11 +1,12 @@
 import * as crypto from "node:crypto";
 import * as path from "node:path";
 import { inflateSync } from "node:zlib";
-
+import { normalizeGoal } from "../goals/state";
+import { buildSessionContext, loadEntriesFromFile, type SessionEntry } from "../session/session-manager";
 import type { WorkflowHudSummary } from "../skill-state/active-state";
 import { buildUltragoalHudSummary as buildWorkflowUltragoalHudSummary } from "../skill-state/workflow-hud";
 import { renderCliWriteReceipt } from "./cli-write-receipt";
-import { DEFAULT_ULTRAGOAL_OBJECTIVE } from "./goal-mode-request";
+import { DEFAULT_ULTRAGOAL_OBJECTIVE, GJC_SESSION_FILE_ENV } from "./goal-mode-request";
 import { gjcRoot, sessionUltragoalDir } from "./session-layout";
 import { resolveGjcSessionForRead, resolveGjcSessionForWrite, writeSessionActivityMarker } from "./session-resolution";
 import { renderUltragoalStatusMarkdown } from "./state-renderer";
@@ -831,6 +832,14 @@ function normalizedEvidenceKind(row: JsonObject): string {
 function evidenceKindMatches(kind: string, words: string[]): boolean {
 	return words.some(word => kind.includes(word));
 }
+function formatActualArtifactKinds(artifactIds: string[], kinds: string[]): string {
+	if (artifactIds.length === 0) return "none";
+	return artifactIds.map((id, index) => `${id}=${kinds[index] ?? "<missing-kind>"}`).join(", ");
+}
+
+function formatExpectedKindWords(words: string[]): string {
+	return words.map(word => `"${word}"`).join(", ");
+}
 
 type SurfaceFamily = "web" | "cli" | "native" | "api-package" | "algorithm-math" | "unknown";
 
@@ -899,9 +908,18 @@ function categorizeComputerChangePath(value: string): UltragoalChangeCategory {
 }
 
 function isComputerControlSurfaceCategory(category: UltragoalChangeCategory): boolean {
-	return (
-		category === "code" || category === "generated-binding" || category === "tool" || category === "settings-registry"
-	);
+	// The computer-use red-team suite is conditional, not universal (see the
+	// ultragoal SKILL): require it only when the change actually touches
+	// computer-control source — the computer tool (`tool`), its settings/registry
+	// wiring (`settings-registry`), or computer Rust (`code`). A bare regeneration
+	// of the SHARED native binding (`generated-binding`: packages/natives/native/
+	// index.{d.ts,js}) is NOT by itself a computer-use change: that file is
+	// generated from Rust, so any real computer-use behavior change must also
+	// touch one of the categories above and will still trigger the suite. Treating
+	// the regenerated aggregate binding as a computer surface forced the suite on
+	// unrelated features (e.g. notifications), which the SKILL explicitly warns
+	// against, so it is excluded here.
+	return category === "code" || category === "tool" || category === "settings-registry";
 }
 
 function isComputerControlSurfaceChangePath(row: UltragoalChangeSetPath): boolean {
@@ -967,7 +985,7 @@ function validateSurfaceArtifactCompatibility(
 		const hasVisual = kinds.some(kind => evidenceKindMatches(kind, ["screenshot", "image", "visual"]));
 		if (!hasBrowser || !hasVisual) {
 			throw new Error(
-				`qualityGate ${fieldName} for GUI/web surfaces must reference browser automation plus screenshot or image-verdict artifacts`,
+				`qualityGate ${fieldName} for GUI/web surfaces must reference browser automation plus screenshot or image-verdict artifacts; surface "${surface}" expected one artifact kind containing one of ${formatExpectedKindWords(["browser", "playwright", "pandawright", "automation"])} and one containing one of ${formatExpectedKindWords(["screenshot", "image", "visual"])}; actual artifact kinds: ${formatActualArtifactKinds(artifactIds, kinds)}`,
 			);
 		}
 		return;
@@ -994,7 +1012,7 @@ function validateSurfaceArtifactCompatibility(
 		const expected = surfaceFamilies[family];
 		if (!kinds.some(kind => evidenceKindMatches(kind, expected.evidence))) {
 			throw new Error(
-				`qualityGate ${fieldName} for ${expected.label} surfaces must reference compatible artifact kinds`,
+				`qualityGate ${fieldName} for ${expected.label} surfaces must reference compatible artifact kinds; surface "${surface}" expected at least one artifact kind containing one of ${formatExpectedKindWords(expected.evidence)}; actual artifact kinds: ${formatActualArtifactKinds(artifactIds, kinds)}`,
 			);
 		}
 	}
@@ -1490,6 +1508,20 @@ function isAllowedCliReplayCommand(command: readonly string[]): boolean {
 	if (executable === "gjc") return args.length === 1 && ["read", "status"].includes(args[0] ?? "");
 	return false;
 }
+function summarizeBlockedCliReplayCommand(command: readonly string[]): string {
+	const executable = command[0] ? basenameCommand(command[0]) : "<missing>";
+	const argCount = Math.max(0, command.length - 1);
+	return `${JSON.stringify(executable)} with ${argCount} arg${argCount === 1 ? "" : "s"}`;
+}
+
+function cliReplayAllowlistDescription(): string {
+	return [
+		'`bun --version`, `node --version`, or deterministic `bun/node -e "console.log(...)"`',
+		"`npm|pnpm|yarn --version` or `npm|pnpm|yarn list`",
+		"read-only `git status|rev-parse|merge-base|diff|show|log` with safe args",
+		"`gjc read` or `gjc status`",
+	].join("; ");
+}
 
 function resolveCliReplayCommand(command: string[]): string[] {
 	if (basenameCommand(command[0]!) === "bun") return [process.execPath, ...command.slice(1)];
@@ -1578,8 +1610,11 @@ function parseCliReplayRecord(
 	if (!command) throw new Error(`qualityGate ${fieldName}.command must be a non-empty string array`);
 	if (record.replaySafe !== true)
 		throw new Error(`qualityGate ${fieldName}.replaySafe must be true before CLI replay executes`);
-	if (!isAllowedCliReplayCommand(command))
-		throw new Error(`qualityGate ${fieldName}.command is not in the conservative CLI replay allowlist`);
+	if (!isAllowedCliReplayCommand(command)) {
+		throw new Error(
+			`qualityGate ${fieldName}.command is not in the conservative CLI replay allowlist; command ${summarizeBlockedCliReplayCommand(command)} is blocked. Allowed replay commands: ${cliReplayAllowlistDescription()}. For other commands, provide audited replayExempt metadata with reasonCode, reason, approvedBy, and fallbackArtifactRefs that point to a structurally valid fallback artifact.`,
+		);
+	}
 	if (record.normalization !== undefined && record.normalization !== "default") {
 		throw new Error(`qualityGate ${fieldName}.normalization must be default when provided`);
 	}
@@ -2231,6 +2266,28 @@ function snapshotUpdatedAtMilliseconds(value: unknown): number | null {
 	const parsed = Date.parse(trimmed);
 	return Number.isFinite(parsed) ? parsed : null;
 }
+
+function singleSessionLeafId(entries: readonly SessionEntry[]): string | undefined {
+	if (entries.length === 0) return undefined;
+	const parentIds = new Set(
+		entries.map(entry => entry.parentId).filter((parentId): parentId is string => typeof parentId === "string"),
+	);
+	const leafIds = entries.map(entry => entry.id).filter(id => !parentIds.has(id));
+	return leafIds.length === 1 ? leafIds[0] : undefined;
+}
+
+async function readCurrentSessionGjcGoalSnapshot(): Promise<unknown | undefined> {
+	const sessionFile = process.env[GJC_SESSION_FILE_ENV]?.trim();
+	if (!sessionFile) return undefined;
+	const fileEntries = await loadEntriesFromFile(sessionFile);
+	const entries = fileEntries.filter((entry): entry is SessionEntry => entry.type !== "session");
+	const leafId = singleSessionLeafId(entries);
+	if (!leafId) return undefined;
+	const context = buildSessionContext(entries, leafId);
+	if (context.mode !== "goal" && context.mode !== "goal_paused") return undefined;
+	const goal = normalizeGoal(context.modeData?.goal);
+	return goal ? { goal } : undefined;
+}
 async function readGjcGoalSnapshot(input: {
 	cwd: string;
 	value: string | undefined;
@@ -2240,13 +2297,15 @@ async function readGjcGoalSnapshot(input: {
 	errorPrefix: string;
 	allowCompletedLegacyBlocker?: boolean;
 }): Promise<unknown> {
-	if (!input.value?.trim()) {
+	const snapshot = input.value?.trim()
+		? await readStructuredValue(input.cwd, input.value)
+		: await readCurrentSessionGjcGoalSnapshot();
+	if (snapshot === undefined) {
 		if (!input.required) return undefined;
 		throw new Error(
-			`${input.errorPrefix} require --gjc-goal-json from a fresh active goal({"op":"get"}) snapshot; this is the GJC goal-mode receipt, not the .gjc/ultragoal/goals.json goal record`,
+			`${input.errorPrefix} require an active GJC goal-mode snapshot from the current session or --gjc-goal-json; this is the GJC goal-mode receipt, not the .gjc/ultragoal/goals.json goal record`,
 		);
 	}
-	const snapshot = await readStructuredValue(input.cwd, input.value);
 	const snapshotObject = qualityGateObject(snapshot);
 	const detailsObject = qualityGateObject(snapshotObject?.details);
 	const goalObject = qualityGateObject(snapshotObject?.goal) ?? qualityGateObject(detailsObject?.goal);
@@ -3331,18 +3390,19 @@ function renderUltragoalHelp(args: readonly string[]): string | null {
 			"      --status=<value>             pending|active|complete|failed|blocked|review_blocked|superseded",
 			"      --evidence=<value>           Completion or checkpoint evidence text",
 			"      --quality-gate-json=<value>  JSON string or path for complete checkpoints",
-			'      --gjc-goal-json=<value>      JSON string or path containing the current goal({"op":"get"}) snapshot',
+			"      --gjc-goal-json=<value>      Optional JSON/path override for current goal snapshot; omitted complete checkpoints read current session goal state",
 			"      --json                       Output a machine-readable receipt",
 			"",
 			"COMPLETE CHECKPOINT RECEIPTS",
 			"  --quality-gate-json must be an object with architectReview, executorQa, and iteration.",
 			"  executorQa.contractCoverage[] rows require an obligation field; description is not a substitute.",
-			'  --gjc-goal-json must contain the active GJC goal-mode snapshot from goal({"op":"get"}), not the .gjc/ultragoal/goals.json goal record.',
+			"  Complete checkpoints use the current session's active GJC goal-mode snapshot when --gjc-goal-json is omitted.",
+			"  Explicit --gjc-goal-json values must contain an active GJC goal-mode snapshot, not the .gjc/ultragoal/goals.json goal record.",
 			"  goal.updatedAt may be epoch milliseconds or an ISO timestamp and must be fresh.",
 			"",
 			"EXAMPLES",
 			'  $ gjc ultragoal checkpoint --goal-id G001 --status blocked --evidence "waiting on review"',
-			'  $ gjc ultragoal checkpoint --goal-id G001 --status complete --evidence "tests passed" --gjc-goal-json ./goal.json --quality-gate-json ./quality-gate.json --json',
+			'  $ gjc ultragoal checkpoint --goal-id G001 --status complete --evidence "tests passed" --quality-gate-json ./quality-gate.json --json',
 			"",
 		].join("\n");
 	}

package/src/hooks/skill-state.ts

@@ -2,6 +2,7 @@ import { existsSync } from "node:fs";
 import * as path from "node:path";
 import { logger } from "@gajae-code/utils";
 import type { SkillDiscoverySettings } from "../config/skill-settings-defaults";
+import { detectDeepInterviewPlaintextAskLeak } from "../deep-interview/plaintext-gate-guard";
 import { activeSnapshotPath, modeStatePath as sessionModeStatePath } from "../gjc-runtime/session-layout";
 import { resolveGjcSessionForRead } from "../gjc-runtime/session-resolution";
 import { ModeStateSchema, SkillActiveStateSchema } from "../gjc-runtime/state-schema";
@@ -675,6 +676,52 @@ async function readCurrentGoalObjectiveFromSessionFile(sessionFile: string | und
 	return typeof objective === "string" && objective.trim().length > 0 ? objective.trim() : null;
 }
 
+async function readLatestAssistantTextFromSessionFile(sessionFile: string | undefined): Promise<string | null> {
+	const trimmed = sessionFile?.trim();
+	if (!trimmed) return null;
+	let entries: SessionEntry[];
+	try {
+		entries = (await loadEntriesFromFile(trimmed)).filter((entry): entry is SessionEntry => entry.type !== "session");
+	} catch {
+		return null;
+	}
+	if (entries.length === 0) return null;
+	const context = buildSessionContext(entries);
+	for (let index = context.messages.length - 1; index >= 0; index--) {
+		const message = context.messages[index];
+		if (message?.role !== "assistant") continue;
+		const text = message.content
+			.filter(block => block.type === "text")
+			.map(block => block.text)
+			.join("");
+		const trimmedText = text.trim();
+		return trimmedText.length > 0 ? trimmedText : null;
+	}
+	return null;
+}
+
+async function shouldRescueDeepInterviewPlaintextAskLeak(
+	skill: GjcWorkflowSkill,
+	state: ModeState | null,
+	cwd: string,
+	sessionFile: string | undefined,
+): Promise<boolean> {
+	if (skill !== "deep-interview") return false;
+	if (state?.active !== true) return false;
+	const phase = String(state.current_phase ?? "")
+		.trim()
+		.toLowerCase();
+	if (DEEP_INTERVIEW_ABORT_PHASES.has(phase)) return false;
+	if (await deepInterviewSpecCrystallized(state, cwd)) return false;
+	const latestAssistantText = await readLatestAssistantTextFromSessionFile(sessionFile);
+	if (!latestAssistantText) return false;
+	return detectDeepInterviewPlaintextAskLeak(latestAssistantText) !== null;
+}
+
+function buildDeepInterviewPlaintextAskLeakMessage(statePath: string): string {
+	return `GJC deep-interview emitted a Deep Interview question/options block as plain text (${statePath}). It must not wait for a prose answer. Continue immediately by calling the ask tool with the Restate gate question and options: Yes, crystallize; Adjust wording; Missing scope; plus free text/custom input.`;
+}
+
 export async function buildActiveUltragoalPromptContext(input: UserPromptSubmitStateInput): Promise<string | null> {
 	const resolvedSessionId = await resolveBoundarySessionId(input.cwd, input.sessionId);
 	const visibleModeState = await readVisibleModeState(input.cwd, "ultragoal", resolvedSessionId, input.stateDir);
@@ -756,6 +803,16 @@ export async function buildSkillStopOutput(input: StopHookInput): Promise<Record
 				systemMessage: recoveryMessage,
 			};
 		}
+		if (await shouldRescueDeepInterviewPlaintextAskLeak(entry.skill, modeState, input.cwd, input.sessionFile)) {
+			const statePath = modeStatePath(input.cwd, entry.skill, resolvedSessionId);
+			const rescueMessage = buildDeepInterviewPlaintextAskLeakMessage(statePath);
+			return {
+				decision: "block",
+				reason: rescueMessage,
+				stopReason: "gjc_skill_deep_interview_plaintext_ask_leak",
+				systemMessage: rescueMessage,
+			};
+		}
 		if (modeStateReleasesStop(modeState, handoffRequired)) {
 			// A mode-state that claims it releases the Stop block must agree with
 			// authoritative durable state. If a stale/incoherent mode-state would