@hegemonart/get-design-done 1.59.6 → 1.59.8

package/scripts/skill-templates/quick/SKILL.md

@@ -26,10 +26,12 @@ Fast pipeline run. Skips optional-quality agents for speed while keeping the cor
    - Optional stage name (defaults to full pipeline from the current STATE.md position).
    - `--skip <agent-name>` (repeatable) adds to the skip list.
 2. Read `.design/STATE.md` to determine entry stage if none was passed.
-3. For each stage to execute, spawn the stage skill with a `quick_mode: true` flag and the effective skip list in the spawn context. Stage skills read this flag and route around the listed agents.
+3. For each stage to execute, invoke the stage skill but spawn it with the optional agents in the effective skip list **omitted from the spawn graph** - this skill is the orchestrator, so it simply does not call those agents (the stage skills do not read a `quick_mode` flag; the skipping happens here, by not spawning them). The kept agents run exactly as in the full pipeline.
 4. After each stage, print: "Stage <name> done. Skipped: <list>."
 5. Final summary prints which agents were skipped across the full run.
 
+Mechanism note: `{{command_prefix}}quick` is a lighter-touch *invocation* of the normal stages, not a special stage mode. It reduces ceremony by leaving the listed optional-quality agents out of the spawn graph it orchestrates. There is no flag the stage skills parse - if invoked directly (not via this skill) the stages run their full agent set.
+
 ## Use When
 
 - You trust the problem scope (no need for fresh research).

package/scripts/skill-templates/reflect/SKILL.md

@@ -37,7 +37,7 @@ Run `design-reflector` on demand against the current (or specified) cycle. Produ
    See @skills/reflect/procedures/capability-gap-scan.md for the full procedure.
    The `design-reflector` agent runs the scan automatically as part of its reflection pass; this step lets users dry-run it independently with:
    ```
-   node scripts/lib/reflector/capability-gap-scan.cjs --dry-run
+   node "${CLAUDE_PLUGIN_ROOT}/scripts/lib/reflector/capability-gap-scan.cjs" --dry-run
    ```
    The scan emits `capability_gap` events (`source: "reflector_pattern"`) for recurring patterns lacking a dedicated executable owner; Plan 29-03 aggregates these for `{{command_prefix}}apply-reflections`.
 

package/scripts/skill-templates/router/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: gdd-router
-description: "Routes a /gdd command to fast|quick|full path + S|M|L|XL complexity_class and returns {path, complexity_class, model_tier_overrides, resolved_models, estimated_cost_usd, cache_hits}. Deterministic - no model call. Invoked once at command entry before any Agent spawn. Read by hooks/budget-enforcer.ts."
+description: "Routes a /gdd command to fast|quick|full path + S|M|L|XL complexity_class and returns {path, complexity_class, model_tier_overrides, resolved_models, estimated_cost_usd, cache_hits}. A SKILL.md prompt the model executes to emit a routing-decision JSON from rule tables (no separate agent spawn). Optional/advisory - invoked only by the skills that opt into routing; the budget-enforcer hook tolerates its absence. Read by hooks/budget-enforcer.ts."
 argument-hint: "<intent-string> [<target-artifacts-csv>]"
 tools: Read, Bash, Grep
 ---
@@ -69,7 +69,9 @@ Delegate to `skills/cache-manager/SKILL.md` (Plan 10.1-02). The router lists can
 
 ## Integration Point
 
-Every `{{command_prefix}}*` SKILL.md's first substantive step is: spawn the router via `Task` or inline invocation; receive the JSON blob; pass it to downstream agents as context so the budget-enforcer hook has the router decision available in tool_input metadata when the first Agent spawn fires.
+The router is **optional and advisory**, not a universal first step. Only the handful of skills that explicitly opt into routing reference it (today: the root pipeline `SKILL.md` / `{{command_prefix}}handoff`, and `{{command_prefix}}style` documents that it deliberately does *not* invoke the router because it is a leaf invocation). The pipeline stage skills (explore / plan / design / verify) do **not** spawn the router. When a skill does invoke it, the flow is: invoke the router via `Task` or inline invocation; receive the JSON blob; pass it to downstream agents as context so the budget-enforcer hook has the router decision available in tool_input metadata when the first Agent spawn fires.
+
+When no skill supplies a router decision, the budget-enforcer hook reads `tool_input.context.router_decision` as absent and falls back to its legacy back-compat path - the router's absence is tolerated by design, never an error.
 
 ## Failure Modes
 

package/sdk/cli/index.js

@@ -82,44 +82,69 @@ var init_emitter = __esm({
 
 // sdk/event-stream/writer.ts
 function _findRepoRoot() {
-  let dir = process.cwd();
-  for (let i = 0; i < 8; i++) {
+  return _walkToPackageJson(process.cwd());
+}
+function _walkToPackageJson(startDir) {
+  let dir = startDir;
+  for (let i = 0; i < 12; i++) {
     if ((0, import_node_fs.existsSync)((0, import_node_path.join)(dir, "package.json"))) return dir;
     const parent = (0, import_node_path.dirname)(dir);
     if (parent === dir) break;
     dir = parent;
   }
-  return process.cwd();
+  return startDir;
+}
+function _warnRedactUnavailable() {
+  if (_redactWarned) return;
+  _redactWarned = true;
+  try {
+    process.stderr.write(
+      "[event-stream] WARNING: scripts/lib/redact.cjs could not be loaded \u2014 failing CLOSED: event payloads are dropped (envelope-only) to avoid writing unscrubbed secrets. Run the event writer from inside the plugin tree or set the redact lib on PATH to restore full payloads.\n"
+    );
+  } catch {
+  }
 }
-var import_node_fs, import_node_path, import_node_module, _redact, redact, DEFAULT_EVENTS_PATH, DEFAULT_MAX_LINE_BYTES, EventWriter;
+function _loadRedact() {
+  const candidates = [];
+  const entry = process.argv[1];
+  if (typeof entry === "string" && entry.length > 0) {
+    const entryAbs = (0, import_node_path.isAbsolute)(entry) ? entry : (0, import_node_path.resolve)(entry);
+    const entryRoot = _walkToPackageJson((0, import_node_path.dirname)(entryAbs));
+    candidates.push((0, import_node_path.resolve)(entryRoot, "scripts/lib/redact.cjs"));
+  }
+  const repoRoot = _findRepoRoot();
+  candidates.push((0, import_node_path.resolve)(repoRoot, "scripts/lib/redact.cjs"));
+  candidates.push((0, import_node_path.resolve)(repoRoot, "..", "..", "scripts/lib/redact.cjs"));
+  for (const candidate of candidates) {
+    try {
+      if (!(0, import_node_fs.existsSync)(candidate)) continue;
+      const req = (0, import_node_module.createRequire)(candidate);
+      const mod = req(candidate);
+      if (mod && typeof mod.redact === "function") return mod.redact;
+    } catch {
+    }
+  }
+  return null;
+}
+var import_node_fs, import_node_path, import_node_module, _redactWarned, _realRedact, redact, DEFAULT_EVENTS_PATH, DEFAULT_MAX_LINE_BYTES, EventWriter;
 var init_writer = __esm({
   "sdk/event-stream/writer.ts"() {
     "use strict";
     import_node_fs = require("node:fs");
     import_node_path = require("node:path");
     import_node_module = require("node:module");
-    try {
-      const _root = _findRepoRoot();
-      const _candidate = (0, import_node_path.resolve)(_root, "scripts/lib/redact.cjs");
-      if ((0, import_node_fs.existsSync)(_candidate)) {
-        const _redactRequire = (0, import_node_module.createRequire)((0, import_node_path.join)(_root, "package.json"));
-        const _mod = _redactRequire(_candidate);
-        _redact = _mod.redact;
-      } else {
-        const _altRoot = (0, import_node_path.resolve)(_root, "..", "..");
-        const _altCandidate = (0, import_node_path.resolve)(_altRoot, "scripts/lib/redact.cjs");
-        if ((0, import_node_fs.existsSync)(_altCandidate)) {
-          const _altRequire = (0, import_node_module.createRequire)((0, import_node_path.join)(_altRoot, "package.json"));
-          const _altMod = _altRequire(_altCandidate);
-          _redact = _altMod.redact;
-        } else {
-          _redact = (v) => v;
-        }
+    _redactWarned = false;
+    _realRedact = _loadRedact();
+    redact = _realRedact !== null ? _realRedact : (v) => {
+      _warnRedactUnavailable();
+      if (v !== null && typeof v === "object") {
+        const ev = v;
+        const out = { ...ev };
+        out["payload"] = { _redaction_unavailable: true };
+        return out;
       }
-    } catch {
-      _redact = (v) => v;
-    }
-    redact = _redact;
+      return { _redaction_unavailable: true };
+    };
     DEFAULT_EVENTS_PATH = ".design/telemetry/events.jsonl";
     DEFAULT_MAX_LINE_BYTES = 64 * 1024;
     EventWriter = class {
@@ -2435,6 +2460,7 @@ function getLogger() {
 // sdk/state/index.ts
 var import_node_fs5 = require("node:fs");
 var import_node_path4 = require("node:path");
+var import_node_module2 = require("node:module");
 
 // sdk/state/lockfile.ts
 var import_node_fs4 = require("node:fs");
@@ -2501,6 +2527,14 @@ async function acquire(path, opts = {}) {
       }
       const parsed = parseLock(existing);
       if (parsed !== null && isStale(parsed, staleMs)) {
+        const confirm = readLockSafe(lockPath);
+        if (confirm === null) {
+          continue;
+        }
+        if (confirm !== existing) {
+          await sleep(pollMs);
+          continue;
+        }
         try {
           (0, import_node_fs4.unlinkSync)(lockPath);
         } catch (delErr) {
@@ -2559,10 +2593,14 @@ function parseLock(raw) {
   }
 }
 function isStale(payload, staleMs) {
-  if (!isPidAlive(payload.pid, payload.host)) return true;
-  const acquiredAt = Date.parse(payload.acquired_at);
-  if (!Number.isFinite(acquiredAt)) return true;
-  return Date.now() - acquiredAt > staleMs;
+  const pidRecorded = typeof payload.pid === "number" && Number.isInteger(payload.pid) && payload.pid > 0;
+  if (!pidRecorded) {
+    const acquiredAt = Date.parse(payload.acquired_at);
+    if (!Number.isFinite(acquiredAt)) return true;
+    return Date.now() - acquiredAt > staleMs;
+  }
+  if (isPidAlive(payload.pid, payload.host)) return false;
+  return true;
 }
 function isPidAlive(pid, host) {
   if (host !== (0, import_node_os2.hostname)()) {
@@ -3969,6 +4007,8 @@ function gateFor(from, to) {
 }
 
 // sdk/state/index.ts
+var _moduleDir = typeof __dirname !== "undefined" ? __dirname : (0, import_node_path4.dirname)(process.argv[1] || process.cwd());
+var _require = typeof require !== "undefined" ? require : (0, import_node_module2.createRequire)(process.argv[1] || process.cwd());
 function _findPackageRoot(startDir) {
   let dir = (0, import_node_path4.resolve)(startDir);
   let firstWithPkg = null;
@@ -3976,7 +4016,7 @@ function _findPackageRoot(startDir) {
     const pkgPath = (0, import_node_path4.join)(dir, "package.json");
     if ((0, import_node_fs5.existsSync)(pkgPath)) {
       try {
-        const pkg = require(pkgPath);
+        const pkg = _require(pkgPath);
         if (firstWithPkg === null) firstWithPkg = dir;
         if (pkg.name === "@hegemonart/get-design-done") return dir;
       } catch {
@@ -3993,7 +4033,7 @@ var _backendCache = null;
 function _loadBackend() {
   if (_backendCache !== null) return _backendCache === false ? null : _backendCache;
   try {
-    const pkgRoot = _findPackageRoot(__dirname);
+    const pkgRoot = _findPackageRoot(_moduleDir);
     if (pkgRoot === null) {
       _backendCache = false;
       return null;
@@ -4003,7 +4043,7 @@ function _loadBackend() {
       _backendCache = false;
       return null;
     }
-    _backendCache = require(backendPath);
+    _backendCache = _require(backendPath);
     return _backendCache;
   } catch {
     _backendCache = false;
@@ -4128,14 +4168,41 @@ async function transition(path, toStage) {
     throw new TransitionGateFailed(toStage, gateResult.blockers);
   }
   const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-  const nextState = await mutate(path, (s) => {
-    s.frontmatter.stage = toStage;
-    s.frontmatter.last_checkpoint = nowIso;
-    s.position.stage = toStage;
-    s.timestamps[`${toStage}_started_at`] = nowIso;
-    return s;
-  });
-  return { pass: true, blockers: gateResult.blockers, state: nextState };
+  let lockedFailure = null;
+  let lockedBlockers = gateResult.blockers;
+  try {
+    const nextState = await mutate(path, (s) => {
+      const fromNow = s.position.stage;
+      if (!isStage(fromNow)) {
+        lockedFailure = new TransitionGateFailed(toStage, [
+          `Invalid transition: from="${fromNow}" is not a recognized Stage (changed under lock)`
+        ]);
+        throw lockedFailure;
+      }
+      const gateNow = gateFor(fromNow, toStage);
+      if (gateNow === null) {
+        lockedFailure = new TransitionGateFailed(toStage, [
+          `Invalid transition: ${fromNow} \u2192 ${toStage} (changed under lock)`
+        ]);
+        throw lockedFailure;
+      }
+      const resultNow = gateNow(s);
+      if (!resultNow.pass) {
+        lockedFailure = new TransitionGateFailed(toStage, resultNow.blockers);
+        throw lockedFailure;
+      }
+      lockedBlockers = resultNow.blockers;
+      s.frontmatter.stage = toStage;
+      s.frontmatter.last_checkpoint = nowIso;
+      s.position.stage = toStage;
+      s.timestamps[`${toStage}_started_at`] = nowIso;
+      return s;
+    });
+    return { pass: true, blockers: lockedBlockers, state: nextState };
+  } catch (err) {
+    if (lockedFailure !== null && err === lockedFailure) throw lockedFailure;
+    throw err;
+  }
 }
 
 // scripts/lib/pipeline-runner/state-machine.ts
@@ -4982,7 +5049,7 @@ function collapseBlankLines(text) {
 }
 
 // scripts/lib/session-runner/errors.ts
-var import_node_module2 = require("node:module");
+var import_node_module3 = require("node:module");
 var import_node_fs8 = require("node:fs");
 var import_node_path7 = require("node:path");
 function findRepoRoot() {
@@ -4996,7 +5063,7 @@ function findRepoRoot() {
   return process.cwd();
 }
 var REPO_ROOT = findRepoRoot();
-var nodeRequire = (0, import_node_module2.createRequire)((0, import_node_path7.join)(REPO_ROOT, "package.json"));
+var nodeRequire = (0, import_node_module3.createRequire)((0, import_node_path7.join)(REPO_ROOT, "package.json"));
 var transportClassifier = nodeRequire(
   (0, import_node_path7.resolve)(REPO_ROOT, "sdk/primitives/error-classifier.cjs")
 );
@@ -5348,7 +5415,7 @@ var TranscriptWriter = class {
 };
 
 // scripts/lib/session-runner/index.ts
-var import_node_module3 = require("node:module");
+var import_node_module4 = require("node:module");
 var import_node_fs10 = require("node:fs");
 var import_node_path9 = require("node:path");
 function _findRepoRoot2() {
@@ -5362,7 +5429,7 @@ function _findRepoRoot2() {
   return process.cwd();
 }
 var _REPO_ROOT = _findRepoRoot2();
-var _nodeRequire = (0, import_node_module3.createRequire)((0, import_node_path9.join)(_REPO_ROOT, "package.json"));
+var _nodeRequire = (0, import_node_module4.createRequire)((0, import_node_path9.join)(_REPO_ROOT, "package.json"));
 var jitteredBackoff = _nodeRequire(
   (0, import_node_path9.resolve)(_REPO_ROOT, "sdk/primitives/jittered-backoff.cjs")
 );
@@ -9731,7 +9798,7 @@ ${BUILD_USAGE}`);
 
 // sdk/cli/commands/dashboard.ts
 var import_node_child_process2 = require("node:child_process");
-var import_node_module4 = require("node:module");
+var import_node_module5 = require("node:module");
 var import_node_http = require("node:http");
 var import_node_fs23 = require("node:fs");
 var import_node_path22 = require("node:path");
@@ -9767,7 +9834,7 @@ function anchorDirs() {
   return out;
 }
 function climbToMarker(startDir) {
-  const req = (0, import_node_module4.createRequire)((0, import_node_path22.join)(startDir, "noop.js"));
+  const req = (0, import_node_module5.createRequire)((0, import_node_path22.join)(startDir, "noop.js"));
   let dir = startDir;
   let firstWithPkg = null;
   for (let i = 0; i < 12; i++) {
@@ -9803,7 +9870,7 @@ function findPackageRoot() {
 }
 function requireFromRoot(relPath) {
   const root = findPackageRoot();
-  const req = (0, import_node_module4.createRequire)((0, import_node_path22.join)(root, "noop.js"));
+  const req = (0, import_node_module5.createRequire)((0, import_node_path22.join)(root, "noop.js"));
   return req((0, import_node_path22.join)(root, relPath));
 }
 function resolveRoot(deps, flags) {

package/sdk/dashboard/data/source.cjs

@@ -24,9 +24,10 @@
  *     `degraded[]` (so gsd-health + the TUI can surface what is missing).
  *   - Absent .design entirely -> every data section null/[] + degraded
  *     populated, still no throw.
- *   - Root resolution: opts.root || GDD_PROJECT_ROOT || package-root walk-up
- *     || cwd. (Package-root walk-up resolves the GDD repo root, where
- *     .design/.planning live.)
+ *   - Root resolution: opts.root || GDD_PROJECT_ROOT || cwd marker walk-up
+ *     (.design/.planning/.claude-plugin) || package-root walk-up. The cwd
+ *     marker walk resolves the USER's project; package-root is a last-resort
+ *     fallback (it would otherwise always pin the installed plugin's own dir).
  *   - The .ts libs (sdk/state, sdk/event-stream) cannot be static-require()d
  *     from a .cjs — they are loaded via dynamic import(pathToFileURL),
  *     memoized once per process. The .cjs libs are require()d directly via the
@@ -100,15 +101,59 @@ function importEventStream() {
 // ---------------------------------------------------------------------------
 // Root resolution
 // ---------------------------------------------------------------------------
+/**
+ * Walk UP from `startCwd` looking for a GDD project marker — `.design/` OR
+ * `.planning/` OR `.claude-plugin/plugin.json`. First match wins; returns the
+ * directory that holds the marker, or null if none is found before the
+ * filesystem root.
+ *
+ * This mirrors `resolveProjectRoot()` in
+ * `sdk/mcp/gdd-mcp/tools/shared.ts` (the canonical D-05 marker walk) so the
+ * dashboard resolves the USER's project, not the plugin's own install dir.
+ *
+ * @param {string} [startCwd]
+ * @returns {string|null}
+ */
+function cwdMarkerWalk(startCwd = process.cwd()) {
+  let dir = path.resolve(startCwd);
+  // Bound the climb defensively (deep trees / odd mounts).
+  for (let i = 0; i < 64; i++) {
+    if (
+      fs.existsSync(path.join(dir, '.design')) ||
+      fs.existsSync(path.join(dir, '.planning')) ||
+      fs.existsSync(path.join(dir, '.claude-plugin', 'plugin.json'))
+    ) {
+      return dir;
+    }
+    const parent = path.dirname(dir);
+    if (parent === dir) return null; // reached filesystem root
+    dir = parent;
+  }
+  return null;
+}
+
 /**
  * Resolve the project root the dashboard reads from:
- *   opts.root || GDD_PROJECT_ROOT (env) || package-root walk-up || cwd.
+ *   opts.root || GDD_PROJECT_ROOT (env) || cwd marker walk-up || package-root.
+ *
+ * D2 fix: `packageRoot()` ALWAYS succeeds (it walks up from __dirname and
+ * lands on the installed plugin's own package.json, e.g.
+ * node_modules/@hegemonart/get-design-done), so when it preceded the cwd
+ * resolution an installed `gdd-dashboard` always showed the PLUGIN's own
+ * (empty) data instead of the user's project. We now resolve the user's
+ * project FIRST via a cwd-upward marker walk (the same D-05 algorithm the
+ * gdd-mcp tools use), and only fall back to the package root as a last
+ * resort. Running the dashboard INSIDE the gdd repo still works — the marker
+ * walk finds the repo's own .design/.planning, which IS the project root.
+ *
  * @param {{root?: string}} [opts]
  * @returns {string}
  */
 function resolveRoot(opts = {}) {
   if (opts.root) return path.resolve(opts.root);
   if (process.env.GDD_PROJECT_ROOT) return path.resolve(process.env.GDD_PROJECT_ROOT);
+  const fromCwd = cwdMarkerWalk();
+  if (fromCwd) return fromCwd;
   try {
     return packageRoot();
   } catch {
@@ -610,6 +655,7 @@ module.exports = {
   loadDashboardModel,
   // Exposed for tests + sibling reuse (executors D/F may want the scrapers).
   resolveRoot,
+  cwdMarkerWalk,
   scrapeStateFile,
   scrapeEventsFile,
 };

package/sdk/event-stream/writer.ts

@@ -38,46 +38,128 @@ import type { BaseEvent } from './types.ts';
 // anchor createRequire on the repo-root package.json discovered by
 // walking up from `process.cwd()`.
 function _findRepoRoot(): string {
-  let dir = process.cwd();
-  for (let i = 0; i < 8; i++) {
+  return _walkToPackageJson(process.cwd());
+}
+
+/**
+ * Walk up from `startDir` until a directory containing `package.json` is
+ * found; returns `startDir` itself if none is found within the bound.
+ */
+function _walkToPackageJson(startDir: string): string {
+  let dir = startDir;
+  for (let i = 0; i < 12; i++) {
     if (existsSync(join(dir, 'package.json'))) return dir;
     const parent = dirname(dir);
     if (parent === dir) break;
     dir = parent;
   }
-  return process.cwd();
+  return startDir;
+}
+
+// S2 fix: redaction now fails CLOSED. Previously, if redact.cjs could not be
+// resolved from the runtime cwd, `_redact` fell through to the IDENTITY
+// function and every event was written UNSCRUBBED — silently leaking secrets
+// into events.jsonl whenever the writer ran outside the plugin tree (hook
+// subprocesses, temp test dirs, unusual install layouts). That is a fail-open
+// security hole.
+//
+// New contract:
+//   * redact.cjs loads  → normal deep-walk scrubbing (unchanged behavior).
+//   * redact.cjs MISSING → fail closed: `redact` returns an envelope-only
+//     placeholder that DROPS the payload body (replacing it with
+//     `{ _redaction_unavailable: true }`) so no raw payload is ever persisted
+//     unscrubbed. A single visible stderr warning is emitted (once per
+//     process, guarded by `_redactWarned`) so the failure is observable.
+//
+// Resolution is also improved: we try createRequire anchored on THIS module
+// (via the runtime-resolved module path) before the cwd-anchored walk, so it
+// loads in more layouts.
+
+/** Module-level guard so the fail-closed warning prints at most once. */
+let _redactWarned = false;
+
+/** Emit the one-time fail-closed warning to stderr (guarded, best-effort). */
+function _warnRedactUnavailable(): void {
+  if (_redactWarned) return;
+  _redactWarned = true;
+  try {
+    process.stderr.write(
+      '[event-stream] WARNING: scripts/lib/redact.cjs could not be loaded — ' +
+        'failing CLOSED: event payloads are dropped (envelope-only) to avoid ' +
+        'writing unscrubbed secrets. Run the event writer from inside the ' +
+        'plugin tree or set the redact lib on PATH to restore full payloads.\n',
+    );
+  } catch {
+    // If stderr itself is broken we have no recourse; swallow.
+  }
 }
 
-// Soft load: if redact.cjs is unreachable from the runtime cwd (e.g. a
-// hook subprocess running in a temp test dir three directories above
-// the plugin root), fall through to the identity function. The writer
-// keeps working — events just aren't scrubbed in that environment.
-// Production callers always run from inside the plugin tree.
-let _redact: (v: unknown) => unknown;
-try {
-  const _root = _findRepoRoot();
-  const _candidate = resolve(_root, 'scripts/lib/redact.cjs');
-  if (existsSync(_candidate)) {
-    const _redactRequire = createRequire(join(_root, 'package.json'));
-    const _mod = _redactRequire(_candidate) as { redact: (v: unknown) => unknown };
-    _redact = _mod.redact;
-  } else {
-    // Fallback: also try walking up from this source file's logical
-    // position (3 dirs above writer.ts → repo root).
-    const _altRoot = resolve(_root, '..', '..');
-    const _altCandidate = resolve(_altRoot, 'scripts/lib/redact.cjs');
-    if (existsSync(_altCandidate)) {
-      const _altRequire = createRequire(join(_altRoot, 'package.json'));
-      const _altMod = _altRequire(_altCandidate) as { redact: (v: unknown) => unknown };
-      _redact = _altMod.redact;
-    } else {
-      _redact = (v) => v;
+/**
+ * Attempt to load redact.cjs from a set of candidate roots. Returns the
+ * real `redact` function on success, or `null` if no candidate resolves.
+ */
+function _loadRedact(): ((v: unknown) => unknown) | null {
+  const candidates: string[] = [];
+
+  // We cannot use `import.meta.url` (tsc Node16 classifies this .ts as CJS for
+  // typecheck), so we probe several anchors so redact.cjs loads in as many
+  // layouts as possible BEFORE the fail-closed path engages:
+  //
+  // 1) The entry script (`process.argv[1]`). For hook subprocesses (e.g.
+  //    budget-enforcer.ts spawned by the harness) the entry script lives
+  //    INSIDE the plugin tree even when cwd is a detached temp dir — this is
+  //    the same anchor the hook itself uses via resolveHookPath(). Walking up
+  //    from the entry script to its package.json reliably lands on the plugin
+  //    root regardless of cwd.
+  // 2) A cwd-walked repo root (works when cwd IS inside the plugin tree).
+  // 3) The source-relative layout (writer.ts → ../../scripts/lib/redact.cjs).
+  const entry = process.argv[1];
+  if (typeof entry === 'string' && entry.length > 0) {
+    const entryAbs = isAbsolute(entry) ? entry : resolve(entry);
+    const entryRoot = _walkToPackageJson(dirname(entryAbs));
+    candidates.push(resolve(entryRoot, 'scripts/lib/redact.cjs'));
+  }
+  const repoRoot = _findRepoRoot();
+  candidates.push(resolve(repoRoot, 'scripts/lib/redact.cjs'));
+  candidates.push(resolve(repoRoot, '..', '..', 'scripts/lib/redact.cjs'));
+
+  for (const candidate of candidates) {
+    try {
+      if (!existsSync(candidate)) continue;
+      // Anchor createRequire on the candidate file itself so resolution does
+      // not depend on a package.json being present at a particular ancestor.
+      const req = createRequire(candidate);
+      const mod = req(candidate) as { redact?: (v: unknown) => unknown };
+      if (mod && typeof mod.redact === 'function') return mod.redact;
+    } catch {
+      // Try the next candidate.
     }
   }
-} catch {
-  _redact = (v) => v;
+  return null;
 }
-const redact = _redact;
+
+const _realRedact = _loadRedact();
+
+/**
+ * The redaction function used at the write boundary. When the real redactor
+ * loaded, this is it. When it did not, this is the FAIL-CLOSED shim: it warns
+ * once and returns an envelope-only object with the payload body dropped.
+ */
+const redact: (v: unknown) => unknown =
+  _realRedact !== null
+    ? _realRedact
+    : (v: unknown): unknown => {
+        _warnRedactUnavailable();
+        if (v !== null && typeof v === 'object') {
+          // Preserve envelope metadata; drop the payload body entirely so no
+          // raw (potentially secret-bearing) content is persisted.
+          const ev = v as Record<string, unknown>;
+          const out: Record<string, unknown> = { ...ev };
+          out['payload'] = { _redaction_unavailable: true };
+          return out;
+        }
+        return { _redaction_unavailable: true };
+      };
 
 /** Default relative path for the persisted event stream. */
 export const DEFAULT_EVENTS_PATH = '.design/telemetry/events.jsonl';