@groundnuty/macf 0.2.35 → 0.2.37

package/plugin/rules/silent-fallback-hazards.md

@@ -4,7 +4,7 @@
 
 > **Workspaces without full `macf init`** (e.g. `groundnuty/macf` itself, or any Claude Code workspace operated by a bot that isn't a MACF-registered agent) can still get this canonical rule via `macf rules refresh --dir <workspace>`. Same copy, no App credentials or registry required.
 
-This rule names the CLASS so agents recognize the shape on first encounter rather than re-discovering each instance from scratch. Nine specific instances are documented below as worked examples spanning different architectural layers (identity, parsing, TUI binding, observability routing, config substitution, multi-agent coordination protocol, metric-instrumentation lifecycle, observability-endpoint routing, release-pipeline-partial-publish). Seven of nine have structural defenses applied or in flight — the pattern of defense generalizes alongside the pattern of hazard.
+This rule names the CLASS so agents recognize the shape on first encounter rather than re-discovering each instance from scratch. Eleven active instances are documented below as worked examples spanning different architectural layers (identity, parsing, TUI binding, observability routing, config substitution, multi-agent coordination protocol, metric-instrumentation lifecycle, observability-endpoint routing, release-pipeline-partial-publish, third-party-action retry-exhaustion, credential-refresh temporal-binding). (Instance 10 — a legacy substrate-routing receipt-gap — was retired 2026-06-07; its number is kept, not reused.) Ten of eleven active instances have structural defenses applied or in flight — the pattern of defense generalizes alongside the pattern of hazard.
 
 Instance 9 is annotated as **sister-shape** (failure correctly surfaced + partial side-effect breaks retry idempotency) — listed here for cross-reference convenience but warrants a sibling canonical rule (`partial-side-effect-hazards.md`) if more instances surface. The two classes share "multi-step pipeline where consumer assumes atomicity" but the failure surface differs: silent-fallback hides at the API boundary; partial-side-effect surfaces loudly but persists semi-state.
 
@@ -23,7 +23,7 @@ The trap is that defensive programming targets exit codes, but exit-code success
 
 ---
 
-## Nine known instances
+## Known instances
 
 ### Instance 1 — gh-token attribution traps
 
@@ -51,10 +51,10 @@ This is a distinct sub-case from the missing-helper / mis-pipefail / wrong-prefi
 **Failure shape:** `tmux send-keys` exits 0 + keystrokes are written to pane stdin, but Claude Code's input handler is bound to a different IPC channel (RC's SDK socket); routing-via-tmux silently bypasses the actual input path → recipient never sees the routed prompt.
 **Recurrence:** Cross-agent triangulated; 2+ confirmed firings on real routes hours apart, same shape.
 **Defense status:** Two-tier per fleet class:
-- **Consumer fleet** (CV agents, tester agents, future macf-init'd consumers): structurally retired via Stage 3 channel-server primitive (HTTP POST bypasses tmux layer entirely). Operational as of DR-020 / macf-actions v3+.
+- **Consumer fleet** (CV agents, tester agents, future macf-init'd consumers): largely mitigated, not fully eliminated. The routed **message** arrives via the channel-server's HTTP/MCP path (not as a keystroke), so the prompt *content* reaches the agent regardless of RC state — that's the structural win over send-keys routing (DR-020 / macf-actions v3+). The **residual**: the channel-server's `wakeViaTmux` nudge still uses send-keys, so under RC-bound input the auto-wake keystroke may not land — the message sits in the MCP channel until the agent next reads it, rather than being lost. So the hazard is reduced to a wake-latency issue, not a content-drop.
 - **Substrate fleet** (workspaces operated as the design surface, not registered MACF consumers): permanent operational reality — substrate workspaces don't run `macf init`. Defensive posture: rule-discipline + Pattern C fragility detector (`tmux display -p '#{session_activity}'` doesn't advance under RC-bound input).
 
-The structural retirement applies to consumer fleet only; substrate fleet expects Instance 3 firings to recur on routes indefinitely; rule-discipline catches the failure at observation time, not pre-emptively.
+The content-drop is retired for the consumer fleet (message arrives via HTTP/MCP); only the wake-nudge residual remains there. The substrate fleet expects full Instance 3 firings to recur on routes indefinitely; rule-discipline catches the failure at observation time, not pre-emptively.
 
 ### Instance 4 — Loki / ClickHouse-logs pipeline divergence (label-vs-structured-metadata)
 
@@ -163,6 +163,60 @@ Both classes share "multi-step pipeline where consumer assumes atomicity" but th
 
 **Codification rationale:** 3 instances across 2 trigger mechanisms + defense pattern stable + operator-witnessed across 2 calendar days (2026-05-18 + 2026-05-19) + cross-agent (instance 1 via science-agent's authoring; instances 2/3 via code-agent's release-cut workflow) — meets all four "When to add a new instance" criteria. The sister-class question (separate `partial-side-effect-hazards.md` canonical rule) is acknowledged inline + deferred to the 5-instance threshold per rule-promotion convention.
 
+### Instance 10 — retired (legacy substrate-routing receipt-gap)
+
+Documented a send-logged ≠ received gap on the legacy Stage-2 substrate routing last-mile, a path the macf **product** does not use: consumers route via the channel-server / A2A path, whose `notify_received` / `mcp_pushed` + OTel receipt spans (`macf.mcp.push`, `macf.tmux_wake.deliver`) already capture receipt. Removed from canonical 2026-06-07 — legacy-routing operational detail belongs in substrate workbench + git history, not the product rules. The number is retained (not reused) to keep Instances 1–9 + 11 stable as identifiers.
+
+---
+
+### Instance 11 — Third-party retry-wrapping action exits 0 on internal retry-exhaustion (connect-failure masked as step-success)
+
+**Surface:** any consumer-CI step that delegates a connect/auth handshake to a third-party GitHub Action (or wrapper tool) that owns its own internal retry loop — tailnet join (`tailscale/github-action`), OTLP collector connect, cloud-provider auth (`aws-actions/configure-aws-credentials`, `google-github-actions/auth`), registry login, etc. The action retries internally and reports a single aggregate exit code for the step.
+
+**Failure shape:** the wrapped tool fails on EVERY internal retry (a hard error, not a transient one — e.g. an invalid-auth `400` that no amount of retrying can fix), the action **exhausts its retry budget and still exits `0`**, and the workflow continues into a broken state. The connect never happened, but the step is green. The real failure then surfaces far downstream as a *different* problem — every later fetch/query against the resource the step was supposed to make reachable fails, and the symptom (timeout, connection-refused, "endpoint unreachable") points the investigator at the downstream consumer, not at the masked upstream connect. The exit-0 step is the last place anyone looks because it's the one place that reported success.
+
+**Recurrence:** First confirmed instance — groundnuty/macf#461 (2026-06-07). The e2e workflow's `tailscale/github-action` step was configured with `tags: tag:ci`, but the OAuth client + ACL only permit `tag:ci-runner`. `tailscale up` returned `Status 400 "requested tags [tag:ci] are invalid or not permitted"` on all 5 internal retries; the action exited `0`; the runner never joined the tailnet; every subsequent tailnet fetch failed, presenting as a generic **"Tempo query unreachable."** Because the connect step was *green*, it was the last place examined — the diagnosis cycled through transient-retry, Tempo-serve-config, and DNS-vs-IP hypotheses until reading the connect step's **actual output** (not its exit code) surfaced the `400`. (Two *genuinely separate* upstream bugs — a devbox/Nix-install step-ordering fault [#460] and the Tempo query port not being tailnet-exposed [devops-toolkit #88] — were correctly diagnosed and landed first; they were real fixes, not projections of this masked failure. The exit-0 masking is what hid *this* failure for an extra diagnostic cycle even after those two were resolved.)
+
+**Distinct from the sister GHA-surface instances** — do NOT fold this into Instance 5 or Instance 8:
+
+| Aspect | Instance 5 (secrets-misnamed) | Instance 8 (OTLP endpoint silent-drop) | Instance 11 (this) |
+|---|---|---|---|
+| Where the lie originates | empty-string substitution at `${{ }}` expansion, BEFORE the tool runs | exporter silently retries-then-drops, no exit code surfaced at all | third-party action runs, fails every retry, then **exits `0` reporting success** |
+| What's wrong | a required input is missing/renamed | a long-lived process points at a dead endpoint | a connect handshake hard-fails but its wrapper claims success |
+| Downstream disguise | misleading auth error at the *consuming* step | empty observability surface, no failure signal anywhere | masquerades as a *different* downstream problem (here: "Tempo unreachable") |
+
+Instance 5 is "the input was never there"; Instance 8 is "the data went into a void with no signal"; Instance 11 is "the connection step actively *reported success* while having hard-failed." All three live on the GitHub-Actions / CI-plumbing surface but the trust boundary that breaks differs — Instance 11's is specifically *a third party's exit code about its own retry exhaustion*. The tailscale case above is just the worked example: any consumer CI that wraps a connect/auth in a retrying action (tailnet, OTLP, cloud-auth, registry-login) is exposed to the same shape.
+
+**Defense status:** SHIPPED (Pattern A result-invariant assert, with a Pattern D precheck flavor) — a **"Verify <resource> is up" step placed immediately after the connect step**, asserting the connection's result-invariant and failing LOUD (red job) when it doesn't hold. Never trust a third-party action's exit code as evidence that its own internal retries succeeded — assert the post-connect state directly.
+
+```bash
+# After the tailscale connect step (NOT trusting its exit 0):
+tailscale status --json | jq -e '.BackendState == "Running"' >/dev/null \
+  || { echo "::error::tailnet did not come up — tailscale BackendState != Running."; \
+       echo "::error::The connect action may have exhausted retries and exited 0 anyway"; \
+       echo "::error::(e.g. tag/ACL mismatch returns Status 400 on every retry)."; \
+       tailscale status || true; exit 1; }
+echo "✓ tailnet up (BackendState=Running)"
+```
+
+Generalizes to any retry-wrapping action: assert the result-invariant the connect was *supposed to establish* — `BackendState == "Running"` for a tailnet, a successful authenticated probe for cloud-auth, a `200` from the collector's health endpoint for OTLP — in a dedicated step right after the connect, before any downstream consumer runs. This converts a far-downstream misdiagnosis (the 3-hop red-herring chase in #461) into a fail-at-the-boundary red job pointing directly at the broken connect.
+
+---
+
+### Instance 12 — PreToolUse credential-guard validates the *ambient* token, blind to inline mid-command reassignment
+
+**Surface:** the #140 `check-gh-token.sh` PreToolUse hook, plus any refresh idiom that reassigns `GH_TOKEN` *inline within the same Bash command* as the `gh` calls it is meant to guard (`export GH_TOKEN=$(gh token generate ... | jq -r .token) && gh ...`; `export GH_TOKEN=$(cat tok.txt) && gh ...`).
+
+**Failure shape:** the hook validates `GH_TOKEN` purely from the **ambient environment present *before* the command runs** (`GH_TOKEN_VALUE="${GH_TOKEN:-}"`, then the `^ghs_[A-Za-z0-9_]+$` predicate). It never parses the command string for an inline `GH_TOKEN=` / `export GH_TOKEN=$(...)` reassignment. Agents launch with a valid `ghs_` token in ambient env, so the hook **passes and exits 0** — *then* the inline `$(...)` runs, and on an intermittent GitHub-side 401 the naive `| jq` (no `set -o pipefail`) emits empty/`null`, clobbering `GH_TOKEN` to empty **after the hook has already returned**. The chained `gh` calls fall back to the stored `gh auth login` user. **The recommended refresh-chain bypasses its own guard.** The hook only blocks when the ambient is *already* bad — the exact case the rules tell agents not to rely on; in the normal regime (valid ambient) it is a pass-through no-op for every inline-refresh shape, including the file-cache read.
+
+Two adjacent sub-failures: **(a)** `export X=$(helper)` masks a fail-loud helper's non-zero exit, because `export` is a builtin whose own exit `0` replaces the substitution's (ShellCheck SC2155) — so `pipefail` / a fail-loud helper *alone* is insufficient; only `GH_TOKEN=$(helper) || exit 1` (bare assignment + explicit abort) short-circuits the `&&`. **(b)** A redirect `helper > tok.txt` truncates the cache file *before* the helper runs, so a 401 leaves an *empty* file for the next read — write atomic-validated (`mktemp` + `grep ghs_` + `mv`) instead.
+
+**Recurrence:** First confirmed — `macf-cv-architect` 2026-06-12 (4 issue/PR comments posted as the operator under an intermittent GitHub-side 401). Verified by 3-lens adversarial review (source-code / shell-mechanism / alternative-cause, 3-0 survived). Generalizes to every agent's inline / file-cache refresh form; the substrate workbenches additionally had the footgun *taught* by an unrefreshed bootstrap `gh-token-refresh.md` that `macf update` does not distribute.
+
+**Defense status:** layered. **(1) DOC (shipped):** de-footgun `gh-token-refresh.md` (+ `agent-identity.md`) — fail-loud `GH_TOKEN=$(helper) || exit 1`, no inline-refresh, atomic-validated file-cache; this rule's sister `gh-token-attribution-traps.md` strengthened with the export-mask. **(2) STRUCTURAL — the load-bearing fix, Pattern A:** a result-invariant **PostToolUse** check asserting the just-written resource's `author` == expected bot login (`macf-whoami.sh` / `--json author`) — the only level that sees through inline-clobber, file-cache-staleness, *and* future bypass shapes, because it checks what was actually posted, not the command-string shape (filed macf#489). **(3) Decided-against:** teaching the PreToolUse hook to detect inline `GH_TOKEN=$(...)` reassignment — brittle regex over arbitrary shell, and the export-mask makes the safe-predicate subtle.
+
+**Class lesson:** a structural defense that validates a precondition at the **wrong temporal level** — pre-command ambient state instead of the post-mutation runtime value — provides no protection in exactly the regime it was built for. **Result-invariant assertion at the boundary (Pattern A) is the temporal-level-agnostic fix; command-string precondition checks are not.** This is the clearest case yet of *why* Pattern A bears the most weight in this rule.
+
 ---
 
 ## How to recognize the class on first encounter
@@ -306,7 +360,7 @@ Silent-fallback hazards are **architectural**, not implementation bugs. They eme
 
 For coordination-system safety analysis: this is a class of hazards multi-agent systems must explicitly defend against. Each new instance teaches the same lesson; the class-name is what makes the lesson transferable across agents.
 
-### Defense-pattern emergence (7-of-9 known instances have structural defense applied or shipped)
+### Defense-pattern emergence (9-of-10 active instances have structural defense applied or shipped)
 
 | Instance | Surface | Structural defense | Pattern |
 |---|---|---|---|
@@ -319,10 +373,12 @@ For coordination-system safety analysis: this is a class of hazards multi-agent
 | 7 — OTel-counter cumulative-state vs short-lived-process lifecycle | Metric-instrumentation lifecycle | Two-phase: doc workaround `sum(increase(...))` + OTel SDK delta temporality | Pattern A |
 | 8 — OTLP endpoint silent-drop | Observability-endpoint routing | Five-surface defense: CLI release-discipline + substrate testers env-override + canonical template `:14318` default + cluster-side compat port-map + agent-process `doctor-otel.sh` Pattern A | Pattern A (composite — first multi-architectural-layer case in this rule; instances 1-7 have single-pattern defenses) |
 | 9 — Sigstore TLOG orphans on failed npm publish (sister-class) | npm publish + sigstore attestation pipeline | Three-defense composite: bump-version recovery (DR-022 Amendment L) + pre-flight registry-collision check (Pattern D analog, macf#380) + TLOG-state observability (devops-toolkit#74+#77 Grafana dashboard live) | Pattern D analog (pre-flight precheck) + recovery-procedure-codification |
+| 11 — Third-party retry-wrapping action exits 0 on retry-exhaustion | Consumer-CI connect/auth via third-party action (tailnet, OTLP, cloud-auth, registry-login) | SHIPPED — "Verify <resource> is up" step immediately after the connect asserts the connection's result-invariant (e.g. `tailscale status` `BackendState == "Running"`) + fails LOUD; never trusts the action's exit code about its own retry exhaustion (macf#461) | Pattern A (post-connect result-invariant assert) + Pattern D flavor (precheck-before-downstream) |
+| 12 — PreToolUse credential-guard validates ambient token, blind to inline reassignment | gh-token PreToolUse hook + inline `export GH_TOKEN=$(...) && gh` (refresh-chain or file-cache) | DOC shipped (de-footgun `gh-token-refresh.md` + atomic-validated cache) + STRUCTURAL in flight (Pattern A result-invariant PostToolUse whoami post-check, macf#489) | Pattern A (result-invariant post-check — a wrong-temporal-level precondition can't see the inline clobber) |
 
-Seven of nine instances have structural defense applied or shipped. Defense patterns (A, B, C, D, E) generalize across instances — they're reusable defense templates, not case-specific fixes. **Pattern A (result-invariant assertion at the boundary) bears the most weight** — it's the structural defense for instances 4, 7, AND 8 (3 of 9), each at a different architectural boundary (logs pipeline, metric counter, observability endpoint). Instance 8's five-surface defense topology (consumer canonical + cluster-side compat port-map + concrete Pattern A impl) demonstrates that structural defense at the observability-pipeline-class can compose across architectural layers — the canonical-distribution layer + the cluster-infrastructure layer + the assertion-script layer all reinforce each other rather than substituting for each other. Instance 9 demonstrates that the Pattern D template generalizes from workflow-secrets-prechecks to release-pipeline-prechecks AND that recovery-procedure-codification (DR-022 Amendment L's bump-version-not-tag-retry) is its own defense category — distinct from detection-pre-merge defenses (Patterns A/B/D) and discrimination-at-receiver defenses (Pattern E).
+Ten of eleven active instances have structural defense applied, shipped, or in flight. Defense patterns (A, B, C, D, E) generalize across instances — they're reusable defense templates, not case-specific fixes. **Pattern A (result-invariant assertion at the boundary) bears the most weight** — it's the structural defense for instances 4, 7, 8, 11, AND 12 (5 of 11), each at a different architectural boundary (logs pipeline, metric counter, observability endpoint, third-party-action connect-verify, credential-refresh temporal-binding). Instance 8's five-surface defense topology (consumer canonical + cluster-side compat port-map + concrete Pattern A impl) demonstrates that structural defense at the observability-pipeline-class can compose across architectural layers — the canonical-distribution layer + the cluster-infrastructure layer + the assertion-script layer all reinforce each other rather than substituting for each other. Instance 9 demonstrates that the Pattern D template generalizes from workflow-secrets-prechecks to release-pipeline-prechecks AND that recovery-procedure-codification (DR-022 Amendment L's bump-version-not-tag-retry) is its own defense category — distinct from detection-pre-merge defenses (Patterns A/B/D) and discrimination-at-receiver defenses (Pattern E).
 
-The breadth of layers spanned by 5 different defense patterns (identity, parsing, TUI binding, observability routing, config substitution, multi-agent coordination protocol, metric-instrumentation lifecycle, observability-endpoint routing, release-pipeline-partial-publish) is independent evidence that the hazard CLASS is real. If silent-fallback was a single-instance accident, no defense pattern would emerge. **Pattern A's recurrence across 3 different observability boundaries (logs / metrics / endpoint) is the strongest signal that result-invariant assertion is the load-bearing structural-defense template for the entire observability-pipeline-class** of silent fallback.
+The breadth of layers spanned by 5 different defense patterns (identity, parsing, TUI binding, observability routing, config substitution, multi-agent coordination protocol, metric-instrumentation lifecycle, observability-endpoint routing, release-pipeline-partial-publish, third-party-action retry-exhaustion, credential-refresh temporal-binding) is independent evidence that the hazard CLASS is real. If silent-fallback was a single-instance accident, no defense pattern would emerge. **Pattern A's recurrence across 3 different observability boundaries (logs / metrics / endpoint) is the strongest signal that result-invariant assertion is the load-bearing structural-defense template for the entire observability-pipeline-class** of silent fallback.
 
 ---
 
@@ -336,7 +392,7 @@ Add when ALL of the following hold:
 
 The class-name is what makes the lesson transferable, not multi-agent witness. A single-agent-confirmed instance with a concrete trace + identified defense pattern is sufficient for canonicalization (instances 4, 5, 7, 8 are all single-agent-confirmed). Cross-agent triangulation strengthens the framing but isn't a precondition.
 
-Add as a new numbered section under "Nine known instances" (will become "Ten known instances" etc.) with the same fields: Surface / Failure shape / Recurrence / Defense status. Increment the intro paragraph's instance count + the Defense-pattern emergence header's `N-of-M known instances` count too.
+Add as a new numbered section (the next number is **13** — numbering is append-only; retired instances keep their slot, see Instance 10) with the same fields: Surface / Failure shape / Recurrence / Defense status. Increment the intro paragraph's active-instance count + the Defense-pattern emergence header's `N-of-M active instances` count too.
 
 ---
 

package/scripts/check-auditor-never-acts.sh

@@ -0,0 +1,167 @@
+#!/usr/bin/env bash
+#
+# check-auditor-never-acts.sh — Claude Code PreToolUse hook that blocks
+# state-mutating `gh` ops (`gh pr merge`, `gh issue close`, `gh pr close`)
+# when the active identity is the AUDITOR (`MACF_AGENT_ROLE=auditor`), while
+# leaving the propose verbs (`gh issue/pr create|comment`) and all reads
+# untouched. Structurally enforces the auditor's "never-acts" boundary per
+# DR-026 (the auditor — self-evolving coordination governance): the auditor
+# is write-PROPOSALS-only; it opens issues/PRs and comments, but never merges
+# or closes — those acts route to a non-auditor implementer / the operator.
+#
+# Why structural and not permission-based: a GitHub App's `pull_requests:write`
+# permission grants merge+close TOGETHER with open-PR; there is no "open-a-PR-
+# but-not-merge" permission scope to express. The never-acts boundary therefore
+# has to be enforced at tool-call time, in the same family as the sibling
+# `check-*.sh` hooks (#140 token / #244+#272 mention / #270 lgtm / #431 close /
+# #489 attribution).
+#
+# Hook contract (PreToolUse): JSON on stdin, exit 0 = allow, exit 2 = block
+# (stderr is fed back to Claude as the error). Same shape as #140's
+# check-gh-token.sh + #270's check-lgtm-gate.sh.
+#
+# Inert for every NON-auditor identity (exit 0 before any parsing) — this is
+# the load-bearing gate that makes fleet-wide distribution safe: shipping this
+# hook to every workspace via `macf init` / `macf update` is a no-op everywhere
+# except the auditor, so code-agent / science-agent / cv-* keep their full
+# `gh` surface unchanged.
+#
+# Override: MACF_SKIP_AUDITOR_ACT_CHECK=1 bypasses (for a sanctioned exception
+# — e.g. the operator explicitly authorizing the auditor to perform a one-off
+# merge/close). Consistent with MACF_SKIP_TOKEN_CHECK / MACF_SKIP_LGTM_CHECK /
+# MACF_SKIP_CLOSE_CHECK / MACF_SKIP_ATTRIBUTION_CHECK in the sister hooks.
+#
+# Refs: groundnuty/macf#499 (this hook); DR-026 §1/§4 (auditor never-acts
+#       boundary; PROPOSED via #495); #140 / #244+#272 / #270 / #431 / #489
+#       (sister Path-2 hooks).
+set -uo pipefail
+
+# Defense-in-depth: any unexpected error past this point must NOT brick the
+# harness. We use `set -uo pipefail` (NOT `-e`) so commands that fail are
+# handled explicitly; this trap is a final safety net for a genuinely
+# unexpected fault — fail open (allow).
+trap 'exit 0' ERR
+
+# 1. Operator override first — cheapest exit. No stdin read, no parsing.
+if [[ "${MACF_SKIP_AUDITOR_ACT_CHECK:-}" == "1" ]]; then
+  exit 0
+fi
+
+# 2. Inert for every non-auditor identity. This is the load-bearing gate —
+#    when the active role isn't the auditor, the hook does nothing, so it is
+#    safe to distribute to every workspace. `MACF_AGENT_ROLE` is exported by
+#    claude.sh (env-files.ts) as the agent's role.
+if [[ "${MACF_AGENT_ROLE:-}" != "auditor" ]]; then
+  exit 0
+fi
+
+# 3. Read the PreToolUse payload. Fall through to allow on parse error — a
+#    broken hook must not brick the harness. Same defense-in-depth as
+#    check-gh-token.sh / check-lgtm-gate.sh.
+INPUT_JSON="$(cat 2>/dev/null || echo "")"
+COMMAND="$(jq -r '.tool_input.command // ""' <<<"$INPUT_JSON" 2>/dev/null || echo "")"
+
+if [[ -z "$COMMAND" ]]; then
+  # No command extractable — allow (defense-in-depth).
+  exit 0
+fi
+
+# 4. Is this a `gh` invocation at all? Reuse the wrapper-aware GH_PATTERN +
+#    SHELL_C_PATTERN from check-gh-token.sh so `sudo gh`, `env X= gh`,
+#    `bash -c "gh …"`, and chained `&& gh` forms all count. If it's not a gh
+#    command, there is nothing for this hook to gate — allow.
+GH_PATTERN='(^|[[:space:];|&])(sudo[[:space:]]+|env[[:space:]]+([A-Za-z_][A-Za-z_0-9]*=[^[:space:]]*[[:space:]]+)*|watch[[:space:]]+|ionice[[:space:]]+|setsid[[:space:]]+|nice[[:space:]]+|time[[:space:]]+|[A-Za-z_][A-Za-z_0-9]*=[^[:space:]]*[[:space:]]+)*gh[[:space:]]'
+SHELL_C_PATTERN='(^|[[:space:];|&])(sudo[[:space:]]+|env[[:space:]]+([A-Za-z_][A-Za-z_0-9]*=[^[:space:]]*[[:space:]]+)*|[A-Za-z_][A-Za-z_0-9]*=[^[:space:]]*[[:space:]]+)*(bash|sh|zsh)[[:space:]]+(-[a-zA-Z]+[[:space:]]+)*-[a-zA-Z]*c[[:space:]]+[^[:space:]].*gh[[:space:]]'
+
+if [[ ! "$COMMAND" =~ $GH_PATTERN ]] && [[ ! "$COMMAND" =~ $SHELL_C_PATTERN ]]; then
+  # Not a gh command — allow.
+  exit 0
+fi
+
+# 5. Is the command one of the BLOCKED acting-verbs? Each op is matched two
+#    ways, mirroring check-lgtm-gate.sh's merge match: a WRAPPER pattern
+#    (sudo / env VAR= / watch / nice / chained-leadin `;|&` / inline VAR=)
+#    and a SHELL_C pattern (`bash -c "gh pr merge …"` and variants). Both
+#    anchor the `gh <noun> <verb>` substring and end on a whitespace-or-EOL
+#    boundary so e.g. `gh pr merge` matches but a hypothetical
+#    `gh pr merge-base` does NOT (exact-subcommand match).
+#
+#    ── BLOCKED acting-verbs (DENYLIST; intentionally minimal) ──────────────
+#    This is a denylist of STATE-MUTATING acts. The propose verbs
+#    (`gh issue create`, `gh pr create`, `gh issue comment`, `gh pr comment`)
+#    are deliberately ABSENT — the auditor is write-proposals-only, so those
+#    must fall through to the allow at the bottom. To extend the boundary
+#    (e.g. block `gh issue edit` of another agent's issue), add a `<noun> <verb>`
+#    entry to BLOCKED_VERBS below; keep the propose verbs out.
+#
+#      gh pr merge     — merging a PR is an act, not a proposal
+#      gh issue close  — closing an issue is an act (reporter-owns-closure)
+#      gh pr close     — closing a PR is an act
+BLOCKED_VERBS=(
+  'pr merge'
+  'issue close'
+  'pr close'
+)
+
+# Build the wrapper + shell-c regexes for a given `<noun> <verb>` and test the
+# command against both. Echoes the canonical `gh <noun> <verb>` label on a hit.
+_match_blocked_verb() {
+  local noun_verb="$1"        # e.g. "pr merge"
+  local cmd="$2"
+  # Translate the space in "<noun> <verb>" into the whitespace-class form.
+  local nv="${noun_verb/ /[[:space:]]+}"
+  local wrapper_pat="(^|[[:space:];|&])(sudo[[:space:]]+|env[[:space:]]+([A-Za-z_][A-Za-z_0-9]*=[^[:space:]]*[[:space:]]+)*|watch[[:space:]]+|ionice[[:space:]]+|setsid[[:space:]]+|nice[[:space:]]+|time[[:space:]]+|[A-Za-z_][A-Za-z_0-9]*=[^[:space:]]*[[:space:]]+)*gh[[:space:]]+${nv}([[:space:]]|$)"
+  local shell_c_pat="(^|[[:space:];|&])(sudo[[:space:]]+|env[[:space:]]+([A-Za-z_][A-Za-z_0-9]*=[^[:space:]]*[[:space:]]+)*|[A-Za-z_][A-Za-z_0-9]*=[^[:space:]]*[[:space:]]+)*(bash|sh|zsh)[[:space:]]+(-[a-zA-Z]+[[:space:]]+)*-[a-zA-Z]*c[[:space:]]+[^[:space:]].*gh[[:space:]]+${nv}([[:space:]]|$)"
+  if [[ "$cmd" =~ $wrapper_pat ]] || [[ "$cmd" =~ $shell_c_pat ]]; then
+    echo "gh ${noun_verb}"
+    return 0
+  fi
+  return 1
+}
+
+BLOCKED_OP=""
+for verb in "${BLOCKED_VERBS[@]}"; do
+  if hit="$(_match_blocked_verb "$verb" "$COMMAND")"; then
+    BLOCKED_OP="$hit"
+    break
+  fi
+done
+
+if [[ -z "$BLOCKED_OP" ]]; then
+  # 6. Not a blocked acting-verb — the propose verbs (gh issue/pr create,
+  #    gh issue/pr comment) and all reads fall through here. Write-proposals-
+  #    only is the auditor's permitted power. Allow.
+  exit 0
+fi
+
+# Blocked acting-verb under the auditor identity — block LOUD.
+cat >&2 <<ERR
+BLOCKED by MACF auditor-never-acts hook: the AUDITOR is write-PROPOSALS-only and
+must never perform a state-mutating act. The command you ran is a \`${BLOCKED_OP}\`,
+which closes/merges a resource — that is an ACT, not a proposal.
+
+Command: ${COMMAND}
+Blocked op: ${BLOCKED_OP}
+
+Per DR-026 §1/§4 (the auditor — self-evolving coordination governance), the
+auditor opens issues + PRs and comments to PROPOSE changes, but the merge/close
+ACT belongs to a non-auditor implementer (code-agent / science-agent) or the
+operator. This boundary is structural because a GitHub App's
+\`pull_requests:write\` permission grants merge+close together with open-PR —
+there is no "open-a-PR-but-not-merge" scope to express it, so the hook enforces
+it at tool-call time.
+
+Fix — route the act to a non-auditor identity:
+  - For a merge: @mention the PR's implementer on the issue thread; they merge
+    after the LGTM gate, per coordination.md / pr-discipline.md.
+  - For a close: @mention the issue's reporter; reporter-owns-closure
+    (coordination.md §Issue Lifecycle 1) — they close after verifying.
+  Leave the auditor's role to the PROPOSAL (the issue / PR / comment) you
+  already created.
+
+Override (ONLY for an operator-sanctioned exception):
+  export MACF_SKIP_AUDITOR_ACT_CHECK=1
+
+Refs: groundnuty/macf#499 (this hook); DR-026 §1/§4 (auditor never-acts).
+ERR
+exit 2

package/scripts/check-gh-attribution.sh

@@ -0,0 +1,230 @@
+#!/usr/bin/env bash
+#
+# check-gh-attribution.sh — Claude Code PostToolUse hook that, AFTER a
+# `gh`-write Bash op, verifies the just-written GitHub resource (issue /
+# PR / comment) was authored by the BOT, not the operator's user account.
+# A user-attributed write is the silent-fallback Instance-12 attribution
+# trap: the `gh` call fell back to stored `gh auth login` (user) because
+# GH_TOKEN was empty / a `ghp_`/`gho_`/`ghu_` user token / the literal
+# string "null", and nothing surfaced the mismatch at the time. The
+# #140 PreToolUse `check-gh-token.sh` catches the *missing-bot-token*
+# shape BEFORE the call; this hook is the result-invariant backstop that
+# catches a slipped write AFTER the fact by reading who actually authored
+# the resource on GitHub.
+#
+# Hook contract (PostToolUse): JSON on stdin, exit 0 = ok. PostToolUse
+# CANNOT block (the tool already ran) — the loud signal is `exit 2` with a
+# multi-line stderr message, which Claude Code surfaces back to Claude.
+# Read both the newer (`.tool_output.stdout`) and older
+# (`.tool_response.stdout` / `.tool_response`) output shapes defensively.
+#
+# Posture: FAIL-OPEN. `set -uo pipefail` (NOT `-e`) — every uncertain
+# branch (no URL, gh failure, can't parse, can't resolve expected login)
+# exits 0. A false WARN is more costly than a missed one here: the call
+# already happened, and the operator may be running a knowingly
+# user-attributed op. Only a CONFIRMED user-authored write fires `exit 2`.
+#
+# Override: MACF_SKIP_ATTRIBUTION_CHECK=1 bypasses (intentional
+# user-attributed ops, e.g. an onboarding `gh` call before the bot token
+# is wired). Consistent with MACF_SKIP_TOKEN_CHECK / MACF_SKIP_CLOSE_CHECK
+# in the sister hooks.
+#
+# Refs: groundnuty/macf#489 (this hook); silent-fallback-hazards.md
+#       Instance 12; coordination.md §Token & Git Hygiene (the attribution
+#       trap); #140 / #244+#272 / #270 / #431 (sister Path-2 hooks).
+set -uo pipefail
+
+# Cheap exit on operator override — no stdin read, no parsing.
+if [[ "${MACF_SKIP_ATTRIBUTION_CHECK:-}" == "1" ]]; then
+  exit 0
+fi
+
+# Defense-in-depth: any unexpected error past this point must NOT brick the
+# harness. We already use `set -uo pipefail` (no `-e`) so commands that fail
+# are handled explicitly; this trap is a final safety net for a genuinely
+# unexpected fault (e.g. a bash internal error) — fail open.
+trap 'exit 0' ERR
+
+# Read the PostToolUse payload. Fall through to allow on parse error.
+INPUT_JSON="$(cat)"
+COMMAND="$(jq -r '.tool_input.command // ""' <<<"$INPUT_JSON" 2>/dev/null || echo "")"
+[[ -z "$COMMAND" ]] && exit 0
+
+# ── Is this a gh-write op that produces an attributable resource? ─────────
+# Match the write subcommands whose output carries a resource/comment URL:
+#   gh issue comment / gh pr comment   → posts a comment
+#   gh issue create  / gh pr create    → creates the resource
+#   gh issue close … --comment         → posts a closing comment
+#   gh pr close    … --comment         → posts a closing comment
+# A bare `gh issue close` (no --comment) writes nothing attributable → skip.
+# This is a RESULT check (not a blocker), so a simple wrapper-tolerant
+# `grep -qE` over the raw command suffices — we don't need the airtight
+# bypass-resistant regex the PreToolUse blockers carry.
+is_gh_write() {
+  local cmd="$1"
+  if grep -qiE 'gh[[:space:]]+(issue|pr)[[:space:]]+comment([[:space:]]|$)' <<<"$cmd"; then
+    return 0
+  fi
+  if grep -qiE 'gh[[:space:]]+(issue|pr)[[:space:]]+create([[:space:]]|$)' <<<"$cmd"; then
+    return 0
+  fi
+  # close … --comment (the --comment may appear anywhere after the verb)
+  if grep -qiE 'gh[[:space:]]+(issue|pr)[[:space:]]+close([[:space:]]|$)' <<<"$cmd" \
+     && grep -qiE '(^|[[:space:]])--comment([[:space:]]|=|$)' <<<"$cmd"; then
+    return 0
+  fi
+  return 1
+}
+is_gh_write "$COMMAND" || exit 0
+
+# ── Extract the resource URL from the tool output ─────────────────────────
+# `gh issue create` / `gh pr create` print the new URL on stdout; `gh issue
+# comment` / `gh pr comment` print the comment URL (…#issuecomment-<id>).
+# Read both PostToolUse output shapes (newer `.tool_output.stdout`, older
+# `.tool_response.stdout`, oldest `.tool_response` as a raw string).
+OUTPUT="$(jq -r '.tool_output.stdout // .tool_response.stdout // .tool_response // ""' <<<"$INPUT_JSON" 2>/dev/null || echo "")"
+[[ -z "$OUTPUT" ]] && exit 0
+
+URL="$(grep -oE 'https://github\.com/[A-Za-z0-9._-]+/[A-Za-z0-9._-]+/(issues|pull)/[0-9]+(#issuecomment-[0-9]+)?' <<<"$OUTPUT" | head -1 || true)"
+# No URL in output (e.g. `--json` suppressed it, or output was discarded) →
+# fail open. We can't verify what we can't see.
+[[ -z "$URL" ]] && exit 0
+
+# ── Parse the URL → owner / repo / kind / number / optional comment-id ────
+# Form: https://github.com/<owner>/<repo>/(issues|pull)/<N>[#issuecomment-<id>]
+URL_PATH="${URL#https://github.com/}"
+OWNER="$(cut -d/ -f1 <<<"$URL_PATH")"
+REPO="$(cut -d/ -f2 <<<"$URL_PATH")"
+KIND="$(cut -d/ -f3 <<<"$URL_PATH")"          # issues | pull
+NUM_AND_FRAG="$(cut -d/ -f4 <<<"$URL_PATH")"  # <N> | <N>#issuecomment-<id>
+NUM="${NUM_AND_FRAG%%#*}"
+COMMENT_ID=""
+if [[ "$NUM_AND_FRAG" == *"#issuecomment-"* ]]; then
+  COMMENT_ID="${NUM_AND_FRAG##*#issuecomment-}"
+fi
+# Sanity — if any required piece is missing/odd, fail open.
+[[ -z "$OWNER" || -z "$REPO" || -z "$KIND" || -z "$NUM" ]] && exit 0
+
+# ── Build the ACTUAL-resource API path ────────────────────────────────────
+# Comment-id present → both issue AND pr comments live under the issues
+# comments namespace; else a PR → pulls/<N>; else an issue → issues/<N>.
+if [[ -n "$COMMENT_ID" ]]; then
+  API_PATH="/repos/${OWNER}/${REPO}/issues/comments/${COMMENT_ID}"
+elif [[ "$KIND" == "pull" ]]; then
+  API_PATH="/repos/${OWNER}/${REPO}/pulls/${NUM}"
+else
+  API_PATH="/repos/${OWNER}/${REPO}/issues/${NUM}"
+fi
+
+# ── Query the author (short timeout; one brief retry for API consistency) ─
+# The resource was JUST created, so a first read can occasionally race the
+# write through GitHub's read replicas. One `sleep 1` retry handles that
+# without materially delaying the turn. gh failure / empty → fail open.
+query_author() {
+  GH_PAGER= gh api "$API_PATH" --jq '{login: .user.login, type: .user.type}' 2>/dev/null
+}
+RESP="$(query_author || true)"
+if [[ -z "$RESP" ]]; then
+  sleep 1
+  RESP="$(query_author || true)"
+fi
+[[ -z "$RESP" ]] && exit 0
+
+ACTUAL_LOGIN="$(jq -r '.login // ""' <<<"$RESP" 2>/dev/null || echo "")"
+ACTUAL_TYPE="$(jq -r '.type // ""' <<<"$RESP" 2>/dev/null || echo "")"
+# Couldn't extract an author at all → fail open.
+[[ -z "$ACTUAL_LOGIN" ]] && exit 0
+
+# ── Resolve the EXPECTED bot login (first hit wins; may be empty) ─────────
+# 1. $MACF_EXPECTED_BOT_LOGIN — explicit operator/test override.
+# 2. .macf/macf-agent.json — derive `<name>[bot]` from the workspace config.
+#    The canonical workspace field is `agent_name`; the repo-side
+#    agent-config.json carries `app_name`. Accept either (agent_name first).
+# 3. empty — fall back to the type-based check below.
+EXPECTED_LOGIN="${MACF_EXPECTED_BOT_LOGIN:-}"
+if [[ -z "$EXPECTED_LOGIN" ]]; then
+  AGENT_JSON="${CLAUDE_PROJECT_DIR:-.}/.macf/macf-agent.json"
+  if [[ -f "$AGENT_JSON" ]]; then
+    AGENT_NAME="$(jq -r '.agent_name // .app_name // ""' "$AGENT_JSON" 2>/dev/null || echo "")"
+    if [[ -n "$AGENT_NAME" ]]; then
+      # Append `[bot]` exactly once (tolerate a config that already carries it).
+      EXPECTED_LOGIN="${AGENT_NAME%"[bot]"}[bot]"
+    fi
+  fi
+fi
+
+# Normalize a login for comparison: strip a leading `app/` prefix (gh's
+# GraphQL author.login carries `app/<name>`; the REST `.user.login` does
+# not) and lowercase. Echoes the normalized form.
+normalize_login() {
+  local l="$1"
+  l="${l#app/}"
+  echo "${l,,}"
+}
+
+NORM_ACTUAL="$(normalize_login "$ACTUAL_LOGIN")"
+
+# ── Decide: OK vs MISMATCH ────────────────────────────────────────────────
+MISMATCH=0
+if [[ -n "$EXPECTED_LOGIN" ]]; then
+  NORM_EXPECTED="$(normalize_login "$EXPECTED_LOGIN")"
+  if [[ "$NORM_ACTUAL" == "$NORM_EXPECTED" ]]; then
+    exit 0
+  fi
+  MISMATCH=1
+else
+  # No expected login known — best verifiable signal is the author TYPE.
+  # A Bot authored it → trust it (some bot posted; correct by design).
+  # A User authored it → the Instance-12 trap (a human account wrote it).
+  if [[ "$ACTUAL_TYPE" == "Bot" ]]; then
+    exit 0
+  fi
+  MISMATCH=1
+fi
+
+[[ "$MISMATCH" -ne 1 ]] && exit 0
+
+# ── MISMATCH → loud warning to stderr, then exit 2 ────────────────────────
+EXPECTED_LINE="(unknown — set \$MACF_EXPECTED_BOT_LOGIN or .macf/macf-agent.json)"
+if [[ -n "$EXPECTED_LOGIN" ]]; then
+  EXPECTED_LINE="$EXPECTED_LOGIN"
+fi
+
+cat >&2 <<ERR
+WARNING (MACF attribution-result check): the GitHub resource you just wrote
+appears to be authored by the WRONG account — the silent-fallback Instance-12
+attribution trap (a \`gh\` write fell back to the operator's USER auth instead
+of the bot installation token).
+
+Resource:        ${URL}
+Authored by:     ${ACTUAL_LOGIN} (type: ${ACTUAL_TYPE:-unknown})
+Expected (bot):  ${EXPECTED_LINE}
+
+The tool already ran — this is a PostToolUse check, so the resource is live on
+GitHub under the wrong attribution. Cross-agent routing keys off the bot login;
+a user-attributed comment/issue/PR is invisible to peers and breaks the
+reporter-owns-closure + @mention-routing contracts.
+
+Repair:
+  1. Refresh the bot token (fail-loud helper), THEN re-do the op as the bot:
+
+       GH_TOKEN=\$("\$MACF_WORKSPACE_DIR/.claude/scripts/macf-gh-token.sh" \\
+         --app-id "\$APP_ID" --install-id "\$INSTALL_ID" --key "\$KEY_PATH") || exit 1
+       export GH_TOKEN
+
+  2. If the resource has NOT been replied-to yet, delete the mis-attributed
+     write and re-post it as the bot (clean correction).
+  3. If it HAS already been replied-to / acted-on, do NOT delete — post a
+     short clarify-forward correction comment AS THE BOT noting the prior
+     write was mis-attributed, so the thread stays coherent.
+
+Verify your identity any time:
+  GH_TOKEN=\$GH_TOKEN "\$MACF_WORKSPACE_DIR/.claude/scripts/macf-whoami.sh"
+
+Override (ONLY for intentional user-attributed ops, e.g. onboarding):
+  export MACF_SKIP_ATTRIBUTION_CHECK=1
+
+Refs: groundnuty/macf#489 (this hook); silent-fallback-hazards.md Instance 12;
+coordination.md §Token & Git Hygiene.
+ERR
+exit 2

package/scripts/emit-turn-receipt.sh

@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+# UserPromptSubmit hook — turn-ack receipt for routed prompts
+# (groundnuty/macf#444 Option D, piece 2).
+#
+# When the router injects a prompt it appends a correlation marker
+# `[macf-route:<run_id>:<agent>]` (macf-actions#45, piece 1). When that prompt
+# is submitted AS A TURN, this hook fires and emits a `turn_processed` OTel
+# span carrying (routed_run_id, agent). A reconciler (piece 4) joins the
+# router's delivered-pairs log against these spans: a delivered route with no
+# matching span past the open-threshold = a dropped ping that surfaces
+# structurally (closes the #437 send≠receipt gap). A prompt with NO marker
+# (a typed prompt, a non-routed turn) is a no-op — exit 0, emit nothing.
+#
+# Registered `async: true` (settings.json) so it never adds turn latency. It
+# NEVER blocks the turn: any failure path exits 0 (with a stderr WARN on a
+# genuine emit error — fail-loud per silent-fallback-hazards.md Instance 8).
+#
+# Dependency: a live OTLP endpoint (OTEL_EXPORTER_OTLP_ENDPOINT — populated on
+# substrate by the #418 launcher OTEL block). Absent/unreachable → curl fails
+# → WARN, no span, no crash. So this ships safely before #418's relaunch; it
+# simply no-ops-with-WARN until substrate OTel is live.
+set -uo pipefail
+
+INPUT="$(cat)"
+
+# Extract the submitted prompt text. jq if available; else scan the raw payload.
+PROMPT=""
+if command -v jq >/dev/null 2>&1; then
+  PROMPT="$(printf '%s' "$INPUT" | jq -r '.prompt // empty' 2>/dev/null || true)"
+fi
+[ -z "$PROMPT" ] && PROMPT="$INPUT"
+
+# Route-correlation markers: [macf-route:<digits>:<kebab-agent>]. No match → not
+# a routed prompt → no-op. A COALESCED turn (a busy agent processing several
+# queued routed pings in one turn) carries MULTIPLE markers — emit a receipt for
+# EACH distinct one. A receipt then means "the marked prompt reached the agent",
+# not "a distinct turn happened". (Was `head -1`, which under-emitted → the
+# macf#444 reconciler false-flagged the un-receipted markers as drops — #462.)
+MARKERS="$(printf '%s' "$PROMPT" | grep -oE '\[macf-route:[0-9]+:[a-z0-9-]+\]' | sort -u || true)"
+[ -z "$MARKERS" ] && exit 0
+
+# Need curl + openssl to emit; absent → degrade silently (no span, no noise).
+command -v curl >/dev/null 2>&1 || exit 0
+command -v openssl >/dev/null 2>&1 || exit 0
+
+BASE="${OTEL_EXPORTER_OTLP_ENDPOINT:-http://orzech-dev-agents-monitoring.tail491af.ts.net:4318}"
+BASE="${BASE%/v1/traces}"
+
+# One independent span per distinct marker (own trace/span id + timestamp).
+printf '%s\n' "$MARKERS" | while IFS= read -r MARKER; do
+  [ -z "$MARKER" ] && continue
+  RUN_ID="$(printf '%s' "$MARKER" | sed -E 's/.*\[macf-route:([0-9]+):([a-z0-9-]+)\].*/\1/')"
+  AGENT="$(printf '%s' "$MARKER" | sed -E 's/.*\[macf-route:([0-9]+):([a-z0-9-]+)\].*/\2/')"
+
+  # Nanosecond epoch. `date +%s%N` is GNU-only (substrate is Linux); on a BSD/mac
+  # date that prints a literal `N`, fall back to seconds×1e9.
+  NOW="$(date +%s%N 2>/dev/null || true)"
+  case "$NOW" in
+    *N|'' ) NOW="$(( $(date +%s) * 1000000000 ))" ;;
+  esac
+  TID="$(openssl rand -hex 16)"
+  SID="$(openssl rand -hex 8)"
+
+  # Identity on resource attrs (matches the collector's resource/paper-dims +
+  # the `{resource."gen_ai.agent.name"=…}` TraceQL); correlation on span attrs.
+  curl -sf -m 3 -X POST "${BASE}/v1/traces" \
+    -H 'Content-Type: application/json' --data-binary @- <<JSON >/dev/null \
+    || echo "WARN: turn_processed span emit failed (endpoint=${BASE}/v1/traces run=${RUN_ID} agent=${AGENT})" >&2
+{"resourceSpans":[{"resource":{"attributes":[
+  {"key":"service.name","value":{"stringValue":"${OTEL_SERVICE_NAME:-macf-agent}"}},
+  {"key":"gen_ai.agent.name","value":{"stringValue":"${AGENT}"}},
+  {"key":"service.namespace","value":{"stringValue":"macf"}}
+]},"scopeSpans":[{"scope":{"name":"macf.hook"},"spans":[{
+  "traceId":"${TID}","spanId":"${SID}","name":"turn_processed","kind":1,
+  "startTimeUnixNano":"${NOW}","endTimeUnixNano":"${NOW}",
+  "attributes":[{"key":"routed_run_id","value":{"stringValue":"${RUN_ID}"}},
+    {"key":"agent","value":{"stringValue":"${AGENT}"}}],"status":{"code":1}}]}]}]}
+JSON
+done
+
+exit 0