@hiveai/cli 0.10.8 → 0.10.9

package/dist/index.js

@@ -2743,6 +2743,7 @@ ${SEED_FOOTER(stack)}` });
 }
 
 // src/commands/init.ts
+var HAIVE_GITHUB_ACTION_REF = `v${"0.10.9"}`;
 var PROJECT_CONTEXT_TEMPLATE = `# Project context
 
 > Generated by \`haive init\`. Run \`haive init --bootstrap\` to auto-fill from your codebase,
@@ -2777,6 +2778,7 @@ This repo uses **hAIve** for shared context. The map:
 1. **Before editing** for a goal, call \`get_briefing\` (task + files/symbols) to load ranked context \u2014 or \`mem_relevant_to\` if project context is already loaded this session.
 2. **When an approach fails**, call \`mem_tried\` right away so the next agent skips the dead end.
 3. **Before closing** a substantive session, run the \`post_task\` prompt to capture what was learned.
+4. **Before final response**, run \`haive enforce finish\`. If it blocks, commit/push, bump/tag shippable releases, then rerun it.
 
 If the haive MCP server is not available, tell the developer rather than silently skipping it.
 
@@ -2803,6 +2805,7 @@ This repository uses **hAIve**. Running \`haive init\` means the team expects ag
 
 - On failure: **\`mem_tried\`** immediately.
 - Before closing a substantive session: MCP prompt **\`post_task\`** when there is something worth capturing.
+- Before final response: **\`haive enforce finish\`** must pass; it checks commit/push and release version/tag protocol.
 
 ## If haive MCP is missing
 
@@ -2898,7 +2901,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: Doucs91/hAIve/packages/github-action@main
+      - uses: Doucs91/hAIve/packages/github-action@${HAIVE_GITHUB_ACTION_REF}
         with:
           github-token: \${{ secrets.GITHUB_TOKEN }}
           # post-if-empty: 'true'   # uncomment to always post (even when no memories found)
@@ -6715,7 +6718,9 @@ async function preCommitCheck(input, ctx) {
   };
 }
 function classifyWarning(warning, paths, anchoredBlocks = false) {
-  const affectedFiles = paths.filter((p) => !p.startsWith(".ai/.usage/"));
+  const affectedFiles = paths.filter(
+    (p) => !p.startsWith(".ai/.usage/") && !p.startsWith(".ai/.cache/") && !p.startsWith(".ai/.runtime/")
+  );
   const repairCommand = repairCommandForWarning(warning, affectedFiles);
   const fileDowngrade = fileTypeDowngradeReason(warning, affectedFiles);
   if (fileDowngrade) {
@@ -6746,6 +6751,15 @@ function classifyWarning(warning, paths, anchoredBlocks = false) {
     };
   }
   if (isBlockingWarning(warning)) {
+    if (warning.scope === "personal") {
+      return {
+        ...warning,
+        level: "review",
+        rationale: "personal anti-pattern memories are review guidance unless a deterministic block-severity sensor fires",
+        affected_files: affectedFiles,
+        repair_command: repairCommand
+      };
+    }
     if (warning.has_sensor && !warning.reasons.includes("sensor")) {
       return {
         ...warning,
@@ -6766,7 +6780,7 @@ function classifyWarning(warning, paths, anchoredBlocks = false) {
   const hasSemantic = warning.reasons.includes("semantic");
   const semanticScore = warning.semantic_score ?? 0;
   const highConfidence = warning.confidence === "authoritative" || warning.confidence === "trusted";
-  if (anchoredBlocks && highConfidence && warning.reasons.includes("anchor") && (warning.reasons.includes("literal") || hasSemantic && semanticScore >= 0.45)) {
+  if (anchoredBlocks && highConfidence && warning.scope !== "personal" && warning.reasons.includes("anchor") && (warning.reasons.includes("literal") || hasSemantic && semanticScore >= 0.45)) {
     if (warning.has_sensor && !warning.reasons.includes("sensor")) {
       return {
         ...warning,
@@ -6900,8 +6914,20 @@ function isJsonConfigFile(base) {
   return false;
 }
 function repairCommandForWarning(warning, paths) {
-  const firstPath = paths[0];
-  return firstPath ? `haive briefing --files "${firstPath}" --task "review ${warning.id}"` : `haive memory show ${warning.id}`;
+  const targetPath = repairTargetPathForWarning(warning, paths);
+  return targetPath ? `haive briefing --files "${targetPath}" --task "review ${warning.id}"` : `haive memory show ${warning.id}`;
+}
+function repairTargetPathForWarning(warning, paths) {
+  const usablePaths = paths.filter(
+    (p) => !p.startsWith(".ai/.usage/") && !p.startsWith(".ai/.cache/") && !p.startsWith(".ai/.runtime/")
+  );
+  const anchors = warning.anchor_paths ?? [];
+  for (const file of usablePaths) {
+    if (anchors.some((anchor) => anchor === file || file.startsWith(`${anchor}/`) || anchor.startsWith(`${file}/`))) {
+      return file;
+    }
+  }
+  return usablePaths[0];
 }
 var CONFIG_PATTERNS = [
   ".eslintrc",
@@ -7355,7 +7381,19 @@ This creates/updates a single rolling recap that **get_briefing automatically su
 
 Calling \`mem_session_end\` also **clears the pending-distill marker** (if any), confirming that this session's learnings have been properly captured rather than left as an auto-recap skeleton.
 
-When done, respond with a brief summary: "Saved N memories: [list of IDs]. Session recap saved."
+### 7. Verify the git/release exit protocol \u2014 always
+Run **\`haive enforce finish\`** before your final response.
+
+This executable gate checks the multi-agent git-sync decision:
+- no completed work is left as an uncommitted local diff
+- shippable package changes have a lockstep version bump
+- the release tag \`vX.Y.Z\` exists when a version was bumped
+- commits and tags have been pushed
+- agents never run \`npm publish\` (publication remains human-owned)
+
+If it blocks, fix the reported Git/version/tag/push issue before telling the developer the task is done.
+
+When done, respond with a brief summary: "Saved N memories: [list of IDs]. Session recap saved. hAIve finish gate passed."
 `;
   return {
     description: "Post-task reflection: capture what you learned before closing the session",
@@ -7434,7 +7472,7 @@ When done, respond with: "Imported N memories: [list of IDs]" or "Nothing action
   };
 }
 var SERVER_NAME = "haive";
-var SERVER_VERSION = "0.10.8";
+var SERVER_VERSION = "0.10.9";
 function jsonResult(data) {
   return {
     content: [
@@ -12299,6 +12337,7 @@ import {
   codeMapPath as codeMapPath2,
   findProjectRoot as findProjectRoot42,
   getUsage as getUsage19,
+  isStackPackSeed as isStackPackSeed4,
   loadCodeMap as loadCodeMap7,
   loadConfig as loadConfig11,
   loadMemoriesFromDir as loadMemoriesFromDir33,
@@ -12410,16 +12449,25 @@ function registerDoctor(program2) {
           fix: "haive memory approve <id>   # activate\nhaive memory rm <id>         # or delete if obsolete"
         });
       }
-      const anchorless = memories.filter(
+      const policyMemories = memories.filter((m) => !isStackPackSeed4(m.memory.frontmatter));
+      const anchorless = policyMemories.filter(
         (m) => m.memory.frontmatter.anchor.paths.length === 0 && m.memory.frontmatter.anchor.symbols.length === 0 && m.memory.frontmatter.type !== "session_recap" && m.memory.frontmatter.type !== "glossary" && m.memory.frontmatter.type !== "skill"
       );
-      if (anchorless.length / Math.max(memories.length, 1) > 0.3) {
+      const stackSeeds = memories.filter((m) => isStackPackSeed4(m.memory.frontmatter));
+      if (anchorless.length / Math.max(policyMemories.length, 1) > 0.3) {
         findings.push({
           severity: "warn",
           code: "anchorless-majority",
-          message: `${anchorless.length}/${memories.length} memories have no anchor path/symbol \u2014 staleness undetectable.`,
+          message: `${anchorless.length}/${policyMemories.length} repo-specific memories have no anchor path/symbol \u2014 staleness undetectable.`,
           fix: "Add `paths:` + `symbols:` to mem_save calls to enable haive memory verify."
         });
+      } else if (stackSeeds.length > 0 && policyMemories.length === 0) {
+        findings.push({
+          severity: "info",
+          code: "stack-pack-seeds",
+          message: `${stackSeeds.length} starter stack memor${stackSeeds.length === 1 ? "y is" : "ies are"} present as generic background guidance.`,
+          fix: "Replace or anchor stack-pack seeds when they become repo-specific policy."
+        });
       }
       const decayCandidates = memories.filter((m) => {
         if (m.memory.frontmatter.status !== "validated") return false;
@@ -12535,14 +12583,14 @@ function registerDoctor(program2) {
         fix: "Edit .ai/haive.config.json: set autoSessionEnd: true (or re-run `haive init` without --manual)."
       });
     }
-    findings.push(...await collectInstallFindings(root, "0.10.8"));
+    findings.push(...await collectInstallFindings(root, "0.10.9"));
     try {
       const legacyRaw = execSync3("haive-mcp --version", {
         encoding: "utf8",
         timeout: 3e3,
         stdio: ["ignore", "pipe", "ignore"]
       }).trim();
-      const cliVersion = "0.10.8";
+      const cliVersion = "0.10.9";
       if (legacyRaw && legacyRaw !== cliVersion) {
         findings.push({
           severity: "warn",
@@ -13602,6 +13650,13 @@ function registerEnforce(program2) {
     printReport(report, Boolean(opts.json), Boolean(opts.explain));
     if (report.should_block) process.exit(2);
   });
+  enforce.command("finish").alias("completion").description(
+    "Final agent-exit gate: verify the git sync/release protocol before reporting a task done."
+  ).option("-d, --dir <dir>", "project root").option("--explain", "group findings by blocking/review/info and show repair commands", false).option("--json", "emit JSON", false).action(async (opts) => {
+    const report = await buildFinishReport(opts.dir);
+    printReport(report, Boolean(opts.json), Boolean(opts.explain));
+    if (report.should_block) process.exit(2);
+  });
   enforce.command("session-start").description("Claude Code SessionStart hook: inject briefing and write a local briefing marker.").option("-d, --dir <dir>", "project root").option("--task <text>", "task text to rank memories").option("--source <name>", "marker source", "claude-session-start").option("--session-id <id>", "agent session id").action(async (opts) => {
     const payload = await readHookPayload();
     const root = resolveRoot(opts.dir, payload);
@@ -13711,6 +13766,202 @@ ${briefing.project_context.content.slice(0, 1800)}`);
     process.exit(2);
   });
 }
+async function buildFinishReport(dir) {
+  const root = findProjectRoot49(dir);
+  const paths = resolveHaivePaths45(root);
+  const initialized = existsSync69(paths.haiveDir);
+  const config = initialized ? await loadConfig13(paths) : {};
+  const mode = config.enforcement?.mode ?? "strict";
+  const findings = [];
+  if (!initialized) {
+    return withCategories({
+      root,
+      initialized,
+      mode,
+      score: buildScore([], config.enforcement?.scoreThreshold),
+      should_block: true,
+      findings: [{
+        severity: "error",
+        code: "not-initialized",
+        message: "This repository is not initialized with hAIve.",
+        fix: "Run `haive init` or `haive enforce install`.",
+        impact: 100
+      }]
+    });
+  }
+  const status = await getGitSyncStatus(root);
+  if (!status.available) {
+    findings.push({
+      severity: "error",
+      code: "git-unavailable",
+      message: "Git status could not be inspected, so hAIve cannot verify the exit protocol.",
+      fix: "Run `git status` manually, then commit/push according to the hAIve git-sync protocol.",
+      impact: 100
+    });
+    return finishReport(root, initialized, mode, findings, config);
+  }
+  const shippableDirty = status.dirtyFiles.filter(isShippablePath);
+  if (status.dirtyFiles.length > 0) {
+    findings.push({
+      severity: "error",
+      code: shippableDirty.length > 0 ? "git-sync-uncommitted-shippable" : "git-sync-uncommitted-changes",
+      message: shippableDirty.length > 0 ? `${shippableDirty.length} shippable file(s) are modified but not committed.` : `${status.dirtyFiles.length} file(s) are modified but not committed.`,
+      fix: shippableDirty.length > 0 ? "Bump the lockstep package version if needed, then `git add`, `git commit`, `git tag vX.Y.Z`, `git push && git push --tags`." : "Commit and push these changes before reporting the task done.",
+      reason: "The multi-agent git-sync decision requires agents to leave completed work committed and pushed, not as a local diff.",
+      affected_files: status.dirtyFiles.slice(0, 12),
+      impact: 100
+    });
+    return finishReport(root, initialized, mode, findings, config);
+  }
+  findings.push({
+    severity: "ok",
+    code: "git-worktree-clean",
+    message: "No uncommitted worktree changes remain."
+  });
+  if (!status.upstream) {
+    findings.push({
+      severity: "warn",
+      code: "git-sync-no-upstream",
+      message: "This branch has no upstream, so hAIve cannot verify that commits/tags were pushed.",
+      fix: "Set an upstream with `git push -u origin <branch>`.",
+      impact: 15
+    });
+    return finishReport(root, initialized, mode, findings, config);
+  }
+  if (status.behind > 0) {
+    findings.push({
+      severity: "error",
+      code: "git-sync-behind-upstream",
+      message: `This branch is ${status.behind} commit(s) behind ${status.upstream}.`,
+      fix: "Run `git pull --ff-only` and resolve any conflicts before finishing.",
+      impact: 40
+    });
+  }
+  if (status.ahead > 0) {
+    findings.push({
+      severity: "error",
+      code: "git-sync-unpushed-commits",
+      message: `This branch is ${status.ahead} commit(s) ahead of ${status.upstream}.`,
+      fix: "Run `git push` before reporting the task done.",
+      reason: "The multi-agent git-sync decision requires agents to push completed commits.",
+      impact: 60
+    });
+  } else {
+    findings.push({
+      severity: "ok",
+      code: "git-sync-pushed",
+      message: `Branch is not ahead of ${status.upstream}.`
+    });
+  }
+  const releaseChangedFiles = status.releaseChangedFiles ?? status.changedSinceUpstream;
+  const releaseBaseRef = status.releaseBaseRef ?? status.upstream;
+  const shippableChanged = releaseChangedFiles.filter(isShippablePath);
+  if (shippableChanged.length === 0) {
+    findings.push({
+      severity: "ok",
+      code: "release-version-not-required",
+      message: "No shippable package code changed since upstream; no version/tag required."
+    });
+    return finishReport(root, initialized, mode, findings, config);
+  }
+  findings.push({
+    severity: "info",
+    code: "release-shippable-changes",
+    message: `${shippableChanged.length} shippable file(s) changed since ${releaseBaseRef}.`,
+    affected_files: shippableChanged.slice(0, 12)
+  });
+  const versionState = await inspectReleaseVersionState(root, releaseBaseRef);
+  if (!versionState.lockstep) {
+    findings.push({
+      severity: "error",
+      code: "release-version-not-lockstep",
+      message: `Publishable package versions are not in lockstep: ${versionState.localVersionsLabel}.`,
+      fix: "Set root, core, cli, mcp, and embeddings package.json versions to the same X.Y.Z.",
+      impact: 60
+    });
+    return finishReport(root, initialized, mode, findings, config);
+  }
+  const version = versionState.version;
+  if (!version) {
+    findings.push({
+      severity: "error",
+      code: "release-version-unreadable",
+      message: "Could not read the lockstep package version.",
+      fix: "Verify package.json files are valid JSON.",
+      impact: 60
+    });
+    return finishReport(root, initialized, mode, findings, config);
+  }
+  if (versionState.baseVersion && compareSemver(version, versionState.baseVersion) <= 0) {
+    findings.push({
+      severity: "error",
+      code: "release-version-missing",
+      message: `Shippable code changed, but version stayed at ${version} (base: ${versionState.baseVersion}).`,
+      fix: "Bump the lockstep package version (patch by default), commit the bump, tag it, then push code and tags.",
+      impact: 70
+    });
+  } else {
+    findings.push({
+      severity: "ok",
+      code: "release-version-bumped",
+      message: versionState.baseVersion ? `Lockstep version bumped from ${versionState.baseVersion} to ${version}.` : `Lockstep version is ${version}.`
+    });
+  }
+  const tag = `v${version}`;
+  const localTagAtHead = await tagPointsAtHead(root, tag);
+  if (!localTagAtHead) {
+    findings.push({
+      severity: "error",
+      code: "release-tag-missing",
+      message: `Expected git tag ${tag} to point at HEAD.`,
+      fix: `Run \`git tag ${tag}\` after committing the version bump.`,
+      impact: 50
+    });
+  } else {
+    findings.push({
+      severity: "ok",
+      code: "release-tag-present",
+      message: `Tag ${tag} points at HEAD.`
+    });
+  }
+  const remoteTag = await remoteTagExists(root, tag);
+  if (remoteTag === false) {
+    findings.push({
+      severity: "error",
+      code: "release-tag-unpushed",
+      message: `Tag ${tag} is not present on the remote.`,
+      fix: "Run `git push --tags`.",
+      impact: 50
+    });
+  } else if (remoteTag === true) {
+    findings.push({
+      severity: "ok",
+      code: "release-tag-pushed",
+      message: `Tag ${tag} exists on the remote.`
+    });
+  } else {
+    findings.push({
+      severity: "warn",
+      code: "release-tag-remote-unverified",
+      message: `Could not verify whether tag ${tag} exists on the remote.`,
+      fix: "Run `git push --tags` if you have not already.",
+      impact: 10
+    });
+  }
+  return finishReport(root, initialized, mode, findings, config);
+}
+function finishReport(root, initialized, mode, findings, config) {
+  const score = buildScore(findings, config.enforcement?.scoreThreshold);
+  const hasErrors = findings.some((f) => f.severity === "error");
+  return withCategories({
+    root,
+    initialized,
+    mode,
+    score,
+    should_block: mode === "strict" && hasErrors,
+    findings
+  });
+}
 async function runWithEnforcement(command, args, opts) {
   const root = findProjectRoot49(opts.dir);
   const paths = resolveHaivePaths45(root);
@@ -13840,7 +14091,7 @@ async function buildEnforcementReport(dir, stage, sessionId) {
       findings: [{ severity: "info", code: "enforcement-off", message: "hAIve enforcement is disabled." }]
     });
   }
-  findings.push(...await inspectIntegrationVersions(root, "0.10.8"));
+  findings.push(...await inspectIntegrationVersions(root, "0.10.9"));
   if (config.enforcement?.requireBriefingFirst !== false && stage !== "ci") {
     const hasBriefing = await hasRecentBriefingMarker2(paths, sessionId);
     findings.push(hasBriefing ? { severity: "ok", code: "briefing-loaded", message: "A recent hAIve briefing marker exists." } : {
@@ -13874,7 +14125,7 @@ async function buildEnforcementReport(dir, stage, sessionId) {
     findings.push(...await verifyDecisionCoverage(paths, stage, sessionId));
   }
   if (stage === "pre-commit" || stage === "ci") {
-    findings.push(...await runPrecommitPolicy(paths, config.enforcement?.antiPatternGate ?? "anchored"));
+    findings.push(...await runPrecommitPolicy(paths, config.enforcement?.antiPatternGate ?? "anchored", stage));
   }
   if (config.enforcement?.cleanupGeneratedArtifacts !== false) {
     findings.push(...await findGeneratedArtifacts(paths));
@@ -13998,19 +14249,20 @@ async function verifyDecisionCoverage(paths, stage, sessionId) {
     impact: Math.min(35, 10 + missing.length * 5)
   }];
 }
-async function runPrecommitPolicy(paths, gate) {
+async function runPrecommitPolicy(paths, gate, stage) {
   if (gate === "off") {
     return [{ severity: "info", code: "precommit-policy-off", message: "Anti-pattern gate is disabled (enforcement.antiPatternGate=off)." }];
   }
-  const staged = await runCommand4("git", ["diff", "--cached", "--name-only"], paths.root).catch(() => "");
-  const touchedPaths = staged.split("\n").map((s) => s.trim()).filter(Boolean);
+  const snapshot = await getPolicyDiffSnapshot(paths.root, stage);
+  const touchedPaths = snapshot.paths;
   if (touchedPaths.length === 0) {
-    return [{ severity: "info", code: "no-staged-changes", message: "No staged changes found for pre-commit policy." }];
+    const code = stage === "ci" ? "no-ci-diff-changes" : "no-staged-changes";
+    const message = stage === "ci" ? "No changed files found for CI policy diff." : "No staged changes found for pre-commit policy.";
+    return [{ severity: "info", code, message }];
   }
-  const diff = await runCommand4("git", ["diff", "--cached"], paths.root).catch(() => "");
   const { block_on, anchored_blocks } = antiPatternGateParams2(gate);
   const result = await preCommitCheck({
-    diff,
+    diff: snapshot.diff,
     paths: touchedPaths,
     block_on,
     anchored_blocks,
@@ -14020,7 +14272,7 @@ async function runPrecommitPolicy(paths, gate) {
     return [{
       severity: "ok",
       code: "precommit-policy-pass",
-      message: `Pre-commit policy passed for ${touchedPaths.length} staged file(s).`
+      message: `${stage === "ci" ? "CI" : "Pre-commit"} policy passed for ${touchedPaths.length} changed file(s).`
     }];
   }
   return [{
@@ -14171,22 +14423,217 @@ function versionForBinary2(bin) {
   }
 }
 async function getChangedFiles(root, stage) {
-  const commands = stage === "pre-commit" ? [["diff", "--cached", "--name-only"]] : [
-    ["diff", "--cached", "--name-only"],
-    ["diff", "--name-only"]
-  ];
+  if (stage === "ci") {
+    return (await getPolicyDiffSnapshot(root, "ci")).paths;
+  }
+  if (stage === "pre-commit") {
+    return normalizeChangedFileList(
+      await runCommand4("git", ["diff", "--cached", "--name-only"], root).catch(() => "")
+    );
+  }
   const files = /* @__PURE__ */ new Set();
-  for (const args of commands) {
-    const out = await runCommand4("git", args, root).catch(() => "");
-    for (const line of out.split("\n")) {
-      const file = line.trim();
-      if (file) files.add(file);
-    }
+  for (const args of [["diff", "--cached", "--name-only"], ["diff", "--name-only"]]) {
+    for (const file of normalizeChangedFileList(await runCommand4("git", args, root).catch(() => ""))) {
+      files.add(file);
+    }
+  }
+  return [...files];
+}
+async function getPolicyDiffSnapshot(root, stage) {
+  if (stage === "pre-commit") {
+    const diff = await runCommand4("git", ["diff", "--cached"], root).catch(() => "");
+    const names = await runCommand4("git", ["diff", "--cached", "--name-only"], root).catch(() => "");
+    return { diff, paths: normalizeChangedFileList(names), source: "staged" };
+  }
+  const range = await resolveCiDiffRange(root);
+  if (range) {
+    const diff = await runCommand4("git", ["diff", range], root).catch(() => "");
+    const names = await runCommand4("git", ["diff", "--name-only", range], root).catch(() => "");
+    return { diff, paths: normalizeChangedFileList(names), source: range };
+  }
+  return { diff: "", paths: [], source: "none" };
+}
+async function resolveCiDiffRange(root) {
+  const explicitBase = cleanGitSha(process.env.HAIVE_BASE_SHA ?? process.env.HAIVE_BASE_REF);
+  const explicitHead = cleanGitSha(process.env.HAIVE_HEAD_SHA ?? process.env.GITHUB_SHA) ?? "HEAD";
+  if (explicitBase && await gitCommitExists(root, explicitBase)) {
+    return `${explicitBase}...${explicitHead}`;
+  }
+  const eventRange = await resolveGithubEventRange(root);
+  if (eventRange) return eventRange;
+  const baseRef = process.env.GITHUB_BASE_REF?.trim();
+  if (baseRef) {
+    const remoteRef = `origin/${baseRef}`;
+    if (await gitCommitExists(root, remoteRef)) return `${remoteRef}...${explicitHead}`;
+  }
+  if (await gitCommitExists(root, "origin/main")) return `origin/main...${explicitHead}`;
+  if (await gitCommitExists(root, "origin/master")) return `origin/master...${explicitHead}`;
+  if (await gitCommitExists(root, "HEAD^")) return `HEAD^..${explicitHead}`;
+  return null;
+}
+async function resolveGithubEventRange(root) {
+  const eventPath = process.env.GITHUB_EVENT_PATH;
+  if (!eventPath || !existsSync69(eventPath)) return null;
+  try {
+    const event = JSON.parse(await readFile21(eventPath, "utf8"));
+    const prBase = cleanGitSha(event.pull_request?.base?.sha);
+    const prHead = cleanGitSha(event.pull_request?.head?.sha ?? event.after ?? process.env.GITHUB_SHA) ?? "HEAD";
+    if (prBase && await gitCommitExists(root, prBase)) return `${prBase}...${prHead}`;
+    const pushBase = cleanGitSha(event.before);
+    const pushHead = cleanGitSha(event.after ?? process.env.GITHUB_SHA) ?? "HEAD";
+    if (pushBase && await gitCommitExists(root, pushBase)) return `${pushBase}..${pushHead}`;
+  } catch {
+    return null;
+  }
+  return null;
+}
+function cleanGitSha(value) {
+  const trimmed = value?.trim();
+  if (!trimmed || /^0+$/.test(trimmed)) return null;
+  return trimmed;
+}
+async function gitCommitExists(root, ref) {
+  try {
+    await runCommand4("git", ["rev-parse", "--verify", `${ref}^{commit}`], root);
+    return true;
+  } catch {
+    return false;
   }
-  return [...files].filter(
+}
+function normalizeChangedFileList(raw) {
+  return raw.split("\n").map((s) => s.trim()).filter(Boolean).filter(
     (file) => !file.startsWith(".ai/.runtime/") && !file.startsWith(".ai/.cache/") && !file.startsWith(".ai/.usage/") && file !== ".ai/.usage/tool-usage.jsonl"
   );
 }
+async function getGitSyncStatus(root) {
+  const dirty = (await runCommand4("git", ["status", "--short", "--untracked-files=all"], root).catch(() => "")).split("\n").map((line) => statusLineToPath(line.trim())).filter(Boolean).filter((file) => normalizeChangedFileList(file).length > 0);
+  const branch = (await runCommand4("git", ["branch", "--show-current"], root).catch(() => "")).trim() || void 0;
+  const upstream = (await runCommand4("git", ["rev-parse", "--abbrev-ref", "--symbolic-full-name", "@{u}"], root).catch(() => "")).trim() || void 0;
+  if (!branch && !upstream) {
+    const inside = (await runCommand4("git", ["rev-parse", "--is-inside-work-tree"], root).catch(() => "")).trim();
+    if (inside !== "true") return { available: false, ahead: 0, behind: 0, dirtyFiles: [], changedSinceUpstream: [] };
+  }
+  let ahead = 0;
+  let behind = 0;
+  let changedSinceUpstream = [];
+  let releaseBaseRef;
+  let releaseChangedFiles;
+  if (upstream) {
+    const counts = (await runCommand4("git", ["rev-list", "--left-right", "--count", `${upstream}...HEAD`], root).catch(() => "")).trim();
+    const [behindRaw, aheadRaw] = counts.split(/\s+/);
+    behind = Number.parseInt(behindRaw ?? "0", 10) || 0;
+    ahead = Number.parseInt(aheadRaw ?? "0", 10) || 0;
+    changedSinceUpstream = normalizeChangedFileList(
+      await runCommand4("git", ["diff", "--name-only", `${upstream}...HEAD`], root).catch(() => "")
+    );
+    if (changedSinceUpstream.length > 0) {
+      releaseBaseRef = upstream;
+      releaseChangedFiles = changedSinceUpstream;
+    }
+  }
+  if (!releaseChangedFiles || releaseChangedFiles.length === 0) {
+    const hasParent = (await runCommand4("git", ["rev-parse", "--verify", "--quiet", "HEAD^"], root).catch(() => "")).trim().length > 0;
+    if (hasParent) {
+      const changedSinceParent = normalizeChangedFileList(
+        await runCommand4("git", ["diff", "--name-only", "HEAD^..HEAD"], root).catch(() => "")
+      );
+      if (changedSinceParent.length > 0) {
+        releaseBaseRef = "HEAD^";
+        releaseChangedFiles = changedSinceParent;
+      }
+    }
+  }
+  return {
+    available: true,
+    branch,
+    upstream,
+    ahead,
+    behind,
+    dirtyFiles: dirty,
+    changedSinceUpstream,
+    ...releaseBaseRef ? { releaseBaseRef } : {},
+    ...releaseChangedFiles ? { releaseChangedFiles } : {}
+  };
+}
+function statusLineToPath(line) {
+  const body = line.replace(/^[ MADRCU?!]{1,2}\s+/, "").trim();
+  const renamed = body.match(/.+ -> (.+)$/);
+  return renamed?.[1]?.trim() ?? body;
+}
+var VERSION_FILES = [
+  "package.json",
+  "packages/core/package.json",
+  "packages/cli/package.json",
+  "packages/mcp/package.json",
+  "packages/embeddings/package.json"
+];
+var SHIPPABLE_PATH_PREFIXES = [
+  "packages/core/src/",
+  "packages/cli/src/",
+  "packages/mcp/src/",
+  "packages/embeddings/src/"
+];
+function isShippablePath(file) {
+  return SHIPPABLE_PATH_PREFIXES.some((prefix) => file.startsWith(prefix)) || VERSION_FILES.includes(file);
+}
+async function inspectReleaseVersionState(root, upstream) {
+  const localEntries = await Promise.all(VERSION_FILES.map(async (file) => [file, await readPackageVersion(root, file)]));
+  const localVersions = new Map(localEntries);
+  const unique = new Set([...localVersions.values()].filter(Boolean));
+  const version = unique.size === 1 ? [...unique][0] : void 0;
+  const localVersionsLabel = VERSION_FILES.map((file) => `${file}=${localVersions.get(file) ?? "unreadable"}`).join(", ");
+  const baseVersion = await readPackageVersionAtRef(root, upstream, "package.json");
+  return {
+    lockstep: unique.size === 1 && localVersions.size === VERSION_FILES.length,
+    ...version ? { version } : {},
+    ...baseVersion ? { baseVersion } : {},
+    localVersionsLabel
+  };
+}
+async function readPackageVersion(root, relPath) {
+  try {
+    const data = JSON.parse(await readFile21(path50.join(root, relPath), "utf8"));
+    return typeof data.version === "string" ? data.version : void 0;
+  } catch {
+    return void 0;
+  }
+}
+async function readPackageVersionAtRef(root, ref, relPath) {
+  try {
+    const raw = await runCommand4("git", ["show", `${ref}:${relPath}`], root);
+    const data = JSON.parse(raw);
+    return typeof data.version === "string" ? data.version : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function compareSemver(a, b) {
+  const pa = a.split(/[.-]/).map((part) => Number.parseInt(part, 10) || 0);
+  const pb = b.split(/[.-]/).map((part) => Number.parseInt(part, 10) || 0);
+  const len = Math.max(pa.length, pb.length, 3);
+  for (let i = 0; i < len; i++) {
+    const diff = (pa[i] ?? 0) - (pb[i] ?? 0);
+    if (diff !== 0) return diff;
+  }
+  return 0;
+}
+async function tagPointsAtHead(root, tag) {
+  const tags = await runCommand4("git", ["tag", "--points-at", "HEAD"], root).catch(() => "");
+  return tags.split("\n").map((line) => line.trim()).includes(tag);
+}
+async function remoteTagExists(root, tag) {
+  const branch = (await runCommand4("git", ["branch", "--show-current"], root).catch(() => "")).trim();
+  const branchRemote = branch ? (await runCommand4("git", ["config", "--get", `branch.${branch}.remote`], root).catch(() => "")).trim() : "";
+  const hasOrigin = (await runCommand4("git", ["config", "--get", "remote.origin.url"], root).catch(() => "")).trim().length > 0;
+  const remote = branchRemote || (hasOrigin ? "origin" : "");
+  if (!remote) return null;
+  try {
+    const out = await runCommand4("git", ["ls-remote", "--tags", remote, `refs/tags/${tag}`], root);
+    return out.trim().length > 0;
+  } catch {
+    return null;
+  }
+}
 function buildScore(findings, threshold = 80) {
   const checks = {
     total: findings.length,
@@ -14275,6 +14722,9 @@ jobs:
       - name: Install hAIve
         run: npm install -g @hiveai/cli
       - name: Enforce hAIve policy
+        env:
+          HAIVE_BASE_SHA: \${{ github.event.pull_request.base.sha || github.event.before }}
+          HAIVE_HEAD_SHA: \${{ github.event.pull_request.head.sha || github.sha }}
         run: haive enforce ci
 `, "utf8");
   ui.success(`Created ${path50.relative(root, workflowPath)}`);
@@ -14640,7 +15090,7 @@ function shellQuote(value) {
 
 // src/index.ts
 var program = new Command53();
-program.name("haive").description("hAIve - repo-native memory and context policy for coding-agent harnesses").version("0.10.8").option("--advanced", "show maintenance and experimental commands in help");
+program.name("haive").description("hAIve - repo-native memory and context policy for coding-agent harnesses").version("0.10.9").option("--advanced", "show maintenance and experimental commands in help");
 registerInit(program);
 registerWelcome(program);
 registerResolveProject(program);