@jaguilar87/gaia 5.0.2 → 5.0.4

package/.claude-plugin/marketplace.json

@@ -8,7 +8,7 @@
     {
       "name": "gaia-ops",
       "description": "Full DevOps orchestration for Claude Code. Eight specialized agents handle the complete development lifecycle — analysis, planning, execution, and deployment. Gaia-Ops scans your codebase to understand it and injects the right context into each sub-agent. Every command is classified by risk: read-only runs freely, state changes pause for your approval, and irreversible operations are permanently blocked.",
-      "version": "5.0.2",
+      "version": "5.0.4",
       "category": "devops",
       "author": {
         "name": "jaguilar87",
@@ -20,7 +20,7 @@
     {
       "name": "gaia-security",
       "description": "Keeps you in the loop only when it matters. Gaia Security analyzes every command and classifies it into risk tiers: read-only queries run freely, simulations and validations pass through, and state-changing operations (create, delete, apply, push) pause for your explicit approval before executing. Irreversible commands like dropping databases or deleting cloud infrastructure are permanently blocked.",
-      "version": "5.0.2",
+      "version": "5.0.4",
       "category": "security",
       "author": {
         "name": "jaguilar87",

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "gaia-ops",
-  "version": "5.0.2",
+  "version": "5.0.4",
   "description": "Security-first orchestrator with specialized agents, hooks, and governance for AI coding",
   "author": {
     "name": "jaguilar87",

package/ARCHITECTURE.md

@@ -72,7 +72,6 @@ Order is short-circuit -- first match wins:
    |                          If mutative + no active grant -> generate nonce, block
    |                          If mutative + active grant -> allow (T3)
    |                          If not mutative -> safe by elimination (T0)
-6. gitops_validator       --> GitOps policy for kubectl/helm/flux
 ```
 
 ### Task/Agent Validation

package/CHANGELOG.md

@@ -7,6 +7,60 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [5.0.4] - 2026-06-06
+
+### COMMAND_SET Batch Approval, Consent-Reducing Approval Verbs, Contract Advisory Field, Version Source Sync
+
+Patch release superseding 5.0.3 (which was never published to npm due to a pyproject.toml version drift that failed pre-publish validation). This release adds the version source sync fix on top of all 5.0.3 changes: COMMAND_SET batch-approval wired end-to-end, consent-reducing approval verbs reclassified out of T3, advisory contract field added, redundant `gitops_validator` removed, and all version sources (package.json, pyproject.toml, .claude-plugin/plugin.json, .claude-plugin/marketplace.json, CHANGELOG.md) aligned. Full suite green (4555 passed).
+
+#### Added
+
+- **COMMAND_SET batch approval, end-to-end** — a payload carrying a `command_set`
+  of more than one mutative command now activates into ONE `COMMAND_SET` grant
+  covering the whole batch instead of being degraded to a single command. The
+  create side (`activate_db_pending_by_prefix` Step 3b in `approval_grants.py`,
+  fed by `_intake_command_set_pending` in `handoff_persister.py` and persisted via
+  `gaia/store/writer.py`) was previously orphaned; it is now wired to the
+  byte-for-byte consume path in `bash_validator`. The batch is consumed
+  item-by-item under a single consent.
+
+- **Advisory `user_facing_summary` field on the agent contract** — an additive,
+  optional field in the `agent_contract_handoff` envelope (`contract_validator.py`,
+  `response_contract.py`) carrying a human-readable summary for the orchestrator to
+  surface. Purely additive; absence does not affect validation.
+
+#### Changed
+
+- **Consent-reducing approval verbs are no longer T3** — `gaia approvals
+  revoke|reject|reject-all|clean` only revoke or discard grants Gaia itself issued
+  (they reduce capability, never reach remote state), so they are reclassified out
+  of T3 via `CONSENT_REDUCING_SUBCOMMAND_EXCEPTIONS` in `mutative_verbs.py`. `gaia
+  approvals approve` *grants* capability and remains T3.
+
+- **`gaia approvals revoke` unified with auto-detect** — `revoke` now auto-detects
+  a pending approval (pending → grant) and the separate `revoke-v2` command was
+  removed. Behavior is otherwise unchanged.
+
+- **Plan-first heuristic** — COMMAND_SET is now treated as a judgment call, not a
+  default, when deciding how to present batched mutative work.
+
+#### Fixed
+
+- **Guard empty/None `transcript_path`** — `transcript_reader.py` now guards against
+  an empty or `None` transcript path instead of failing downstream during nonce
+  extraction.
+
+- **Harden AI-attribution footer stripping** — the attribution-footer stripping in
+  `bash_validator.py` is hardened against additional footer shapes.
+
+#### Removed
+
+- **Redundant `gitops_validator`** — `hooks/modules/security/gitops_validator.py` and
+  its test are removed; its responsibilities are covered by the unified bash
+  validation path. All references (security `__init__`, `bash_validator` import/call,
+  simulator extractor, surface-routing config, architecture docs, and skill/README
+  references) are cleaned up.
+
 ## [5.0.2] - 2026-06-03
 
 ### Approval-Flow Hardening, mkdir Reclassification, Jira Skill

package/bin/cli/approvals.py

@@ -440,13 +440,17 @@ def cmd_show(args) -> int:
 # Subcommand: revoke
 # ---------------------------------------------------------------------------
 
-def cmd_revoke(args) -> int:
-    """Revoke an active command_set grant by its approval_id.
+def _revoke_grant(args) -> int:
+    """Revoke an active command_set grant by its approval_id (legacy path).
 
     Calls ``writer.revoke_approval_grant(approval_id)`` to mark the grant
     REVOKED in the DB.  After revocation, any unconsumed commands in the
     command_set will require fresh approval.
 
+    This is the legacy ``approval_grants``-table path. It is invoked as the
+    fallback by the unified :func:`cmd_revoke` when an id is not found in the
+    new ``approvals`` table.
+
     Exits 0 on success, 1 if the grant is not found or already in a terminal
     state.
     """
@@ -939,18 +943,14 @@ def cmd_pending(args) -> int:
 # ---------------------------------------------------------------------------
 
 def _resolve_approval_id(raw_id: str) -> str:
-    """Normalize a raw approval_id input.
+    """Normalize a raw approval_id input by trimming surrounding whitespace.
 
-    Accepts:
-      - Full P-{uuid4hex} form: returned as-is.
-      - Bare hex (no P- prefix): prefixed with 'P-'.
-      - P-XXXX short form: returned as-is for prefix search downstream.
+    The input is passed through unchanged otherwise -- both the full
+    ``P-{uuid4hex}`` form and the ``P-XXXX`` short form are returned as-is for
+    exact or prefix lookup downstream. (A bare hex string with no ``P-`` prefix
+    is also returned untouched; the lookup layer handles that case.)
     """
-    stripped = raw_id.strip()
-    if stripped.upper().startswith("P-"):
-        return stripped
-    # Try to detect if it's a bare hex string missing the P- prefix.
-    return stripped
+    return raw_id.strip()
 
 
 def cmd_show_v2(args) -> int:
@@ -1019,14 +1019,16 @@ def cmd_history_single(args) -> int:
 
 
 # ---------------------------------------------------------------------------
-# T3.2: gaia approvals revoke-v2 <id> -- revoke using new approvals table
+# gaia approvals revoke <id> -- unified revoke (auto-detects pending vs grant)
 # ---------------------------------------------------------------------------
 
-def cmd_revoke_v2(args) -> int:
-    """Revoke a pending approval from the new approvals table.
+def cmd_revoke(args) -> int:
+    """Revoke an approval, auto-detecting which store owns it.
 
-    Inserts a REVOKED event and updates status to 'revoked'. Requires
-    the approval to be in 'pending' status.
+    First looks the id up in the new ``approvals`` table. If found and
+    ``pending``, inserts a REVOKED event and updates status to 'revoked'.
+    If the id is not present in the new table, falls back to the legacy
+    command_set grant path (:func:`_revoke_grant`).
 
     With ``--yes``, skips the interactive confirmation prompt.
     Exits 0 on success, 1 on error.
@@ -1042,8 +1044,8 @@ def cmd_revoke_v2(args) -> int:
         return 1
 
     if approval is None:
-        # Fall back to old revoke command if not found in new table.
-        return cmd_revoke(args)
+        # Fall back to legacy grant revoke if not found in new table.
+        return _revoke_grant(args)
 
     current_status = approval.get("status", "?")
     if current_status != "pending":
@@ -1596,7 +1598,7 @@ def register(subparsers) -> None:
         help="Full approval_id (P-{uuid4hex}) of the approval to revoke",
     )
     p_revoke.add_argument("--yes", action="store_true", help="Skip confirmation prompt")
-    p_revoke.set_defaults(func=cmd_revoke_v2)
+    p_revoke.set_defaults(func=cmd_revoke)
 
     # approve (T3.3) -- cross-session grant
     p_approve = sub.add_parser(
@@ -1839,7 +1841,7 @@ def _build_standalone_parser() -> argparse.ArgumentParser:
     p_revoke = subparsers.add_parser("revoke", help="Revoke a pending approval")
     p_revoke.add_argument("approval_id", metavar="APPROVAL_ID")
     p_revoke.add_argument("--yes", action="store_true")
-    p_revoke.set_defaults(func=cmd_revoke_v2)
+    p_revoke.set_defaults(func=cmd_revoke)
 
     p_history = subparsers.add_parser("history", help="Show approval history")
     p_history.add_argument("approval_id", metavar="APPROVAL_ID", nargs="?")

package/config/surface-routing.json

@@ -17,7 +17,6 @@
         "infrastructure",
         "orchestration",
         "cluster_details",
-        "monitoring_observability",
         "application_services",
         "infrastructure_topology",
         "architecture_overview"

package/dist/gaia-ops/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "gaia-ops",
-  "version": "5.0.2",
+  "version": "5.0.4",
   "description": "Full DevOps orchestration for Claude Code. Eight specialized agents handle the complete development lifecycle \u2014 analysis, planning, execution, and deployment. Gaia-Ops scans your codebase to understand it and injects the right context into each sub-agent. Every command is classified by risk: read-only runs freely, state changes pause for your approval, and irreversible operations are permanently blocked.",
   "author": {
     "name": "jaguilar87",

package/dist/gaia-ops/config/surface-routing.json

@@ -17,7 +17,6 @@
         "infrastructure",
         "orchestration",
         "cluster_details",
-        "monitoring_observability",
         "application_services",
         "infrastructure_topology",
         "architecture_overview"

package/dist/gaia-ops/hooks/modules/agents/contract_validator.py

@@ -19,6 +19,7 @@ Provides:
     - parse_rollback_executed(): Parse rollback_executed clause (advisory)
     - parse_context_consumption(): Parse context_consumption clause (advisory)
     - parse_memory_suggestions(): Parse memory_suggestions clause (advisory)
+    - parse_user_facing_summary(): Parse user_facing_summary clause (advisory)
 """
 
 import json
@@ -655,6 +656,23 @@ def parse_memory_suggestions(contract: dict) -> List[str]:
     return [str(item) for item in raw if item is not None]
 
 
+def parse_user_facing_summary(contract: dict) -> Optional[str]:
+    """Parse the optional top-level ``user_facing_summary`` clause (advisory).
+
+    The single human-audience field in the contract: a short prose summary the
+    subagent writes once for the user. The orchestrator relays it near-verbatim
+    on a single-agent COMPLETE (N=1) instead of re-synthesizing ``key_outputs``.
+
+    Strictly additive and advisory -- the validator never rejects based on this
+    field. Returns the trimmed string when present and non-empty, else None.
+    """
+    raw = contract.get("user_facing_summary")
+    if not isinstance(raw, str):
+        return None
+    text = raw.strip()
+    return text or None
+
+
 def extract_plan_status_from_output(agent_output: str) -> str:
     """Extract the effective plan_status string from agent output.
 

package/dist/gaia-ops/hooks/modules/agents/handoff_persister.py

@@ -15,6 +15,180 @@ import logging
 logger = logging.getLogger(__name__)
 
 
+def _normalize_command_set(raw) -> list:
+    """Coerce a raw ``command_set`` into the canonical ``[{command, rationale}]``.
+
+    Mirrors the normalization in ``bash_validator._build_sealed_payload`` and
+    ``approval_grants.activate_db_pending_by_prefix`` so the intake writes the
+    exact shape the activation/consume sides expect. Items without a non-empty
+    ``command`` are dropped; ``rationale`` defaults to "".
+    """
+    out: list = []
+    if isinstance(raw, list):
+        for item in raw:
+            if isinstance(item, dict) and item.get("command"):
+                out.append(
+                    {
+                        "command": item["command"],
+                        "rationale": item.get("rationale", ""),
+                    }
+                )
+    return out
+
+
+def _filter_mutative_command_set(items: list) -> list:
+    """Keep only the command_set items whose command is mutative/T3.
+
+    The consume side (``bash_validator._validate_single_command``) gates the
+    whole COMMAND_SET match path on ``detect_mutative_command(command).is_mutative``:
+    a command that the matcher does not see as mutative NEVER reaches
+    ``match_command_set_grant`` and its index is therefore NEVER consumed. If
+    such a command is included in the grant's ``command_set``, ``len(consumed)``
+    can never reach ``len(command_set)`` and the grant is stuck PENDING forever
+    (it never flips to CONSUMED). To stay in lockstep with the consume gate, the
+    intake filters with the EXACT same predicate, dropping non-mutative commands
+    (e.g. ``touch``, ``ls``, ``cat``) before the grant is ever minted.
+
+    Items that fail to classify (import error, unexpected exception) are kept --
+    failing open here is safer than silently dropping a command from a consent
+    batch the user is about to approve.
+    """
+    try:
+        from modules.security.mutative_verbs import detect_mutative_command
+    except ImportError:
+        import pathlib as _pl
+        import sys as _sys
+
+        _hooks_root = _pl.Path(__file__).resolve().parent.parent.parent
+        _sys.path.insert(0, str(_hooks_root))
+        from modules.security.mutative_verbs import detect_mutative_command
+
+    kept: list = []
+    for item in items:
+        command = item.get("command", "")
+        try:
+            if detect_mutative_command(command).is_mutative:
+                kept.append(item)
+        except Exception:
+            # Fail open: if classification raises, keep the item rather than
+            # silently dropping a command from the user's consent batch.
+            kept.append(item)
+    return kept
+
+
+def _intake_command_set_pending(
+    approval_req: dict,
+    *,
+    agent_id,
+    session_id: str,
+) -> str | None:
+    """INTAKE bridge: plan-first COMMAND_SET envelope -> ONE pending row.
+
+    When a subagent emits an ``APPROVAL_REQUEST`` whose ``approval_request``
+    carries a ``command_set`` of >= 2 ``{command, rationale}`` items and NO
+    ``approval_id`` (plan-first: the batch is declared up-front, before any
+    command was attempted/blocked), this persists exactly ONE pending approval
+    whose ``payload_json`` contains the ``command_set`` key. That is the signal
+    ``activate_db_pending_by_prefix`` reads (Step 3b) to branch into
+    ``create_command_set_grant`` on user approval.
+
+    Mutative filtering (Thread a): the command_set is first reduced to ONLY the
+    commands the consume side will treat as mutative/T3 -- see
+    ``_filter_mutative_command_set``. Non-mutative commands (``touch``, ``ls``,
+    ...) never reach the bash_validator matcher, so leaving them in the grant
+    would strand its ``consumed_indexes_json`` short of completion and pin the
+    grant at PENDING forever. After filtering:
+
+      * >= 2 mutative items  -> mint the COMMAND_SET over exactly those items.
+      * exactly 1 mutative   -> NOT a batch. Return None; the caller falls
+        through to the singular ``approval_id`` path and the lone command is
+        gated by the normal hook-block / SCOPE_SEMANTIC_SIGNATURE flow when the
+        agent attempts it. We deliberately do NOT degrade-to-singular here: this
+        function's contract is "mint a COMMAND_SET or stand aside", and the
+        singular flow is owned end-to-end by the hook block path -- minting a
+        singular row from here would duplicate that ownership.
+      * 0 mutative           -> nothing to approve. Return None (no pending).
+
+    A raw ``command_set`` of <= 1 item is likewise not a batch and returns None
+    before filtering, preserving the original contract (never mint for one
+    command, never degrade a batch the other way) and the working plan-first
+    flow for genuine multi-command mutative batches.
+
+    Returns the minted ``approval_id`` (``P-{uuid4hex}``) on success, or None
+    when this is not a plan-first command_set envelope (no action taken).
+    """
+    if not isinstance(approval_req, dict):
+        return None
+    # Plan-first is defined by command_set present AND no approval_id. A request
+    # that already carries an approval_id was minted by the hook block path; it
+    # is the singular flow and must not be re-intaken here.
+    if approval_req.get("approval_id"):
+        return None
+
+    raw_items = _normalize_command_set(approval_req.get("command_set"))
+    if len(raw_items) < 2:
+        # 0 or 1 item: not a batch. Singular path owns it.
+        return None
+
+    # Reduce to the mutative/T3 commands only -- the exact predicate the consume
+    # side uses to decide whether a command reaches the COMMAND_SET matcher.
+    command_set_items = _filter_mutative_command_set(raw_items)
+    if len(command_set_items) < 2:
+        # After filtering there is no batch left: either every command was
+        # non-mutative (0 -> nothing to approve) or just one mutative command
+        # remained (1 -> singular path owns it). Either way, no COMMAND_SET.
+        logger.info(
+            "INTAKE: command_set not minted -- %d/%d items mutative after filter "
+            "(need >= 2 for a batch)",
+            len(command_set_items), len(raw_items),
+        )
+        return None
+
+    # Build a sealed_payload that mirrors bash_validator._build_sealed_payload's
+    # COMMAND_SET shape: command_set verbatim + commands listing every string.
+    # Carry through the subagent's operation/risk fields when present so the
+    # orchestrator's presentation has real values, falling back to neutral
+    # COMMAND_SET defaults otherwise.
+    first_command = command_set_items[0]["command"]
+    sealed_payload = {
+        "operation": approval_req.get("operation")
+        or f"COMMAND_SET intercepted: {len(command_set_items)} commands under one consent",
+        "exact_content": approval_req.get("exact_content") or first_command,
+        "scope": approval_req.get("scope")
+        or (first_command.split()[0] if first_command.strip() else "unknown"),
+        "risk_level": approval_req.get("risk_level") or "medium",
+        "rollback_hint": approval_req.get("rollback") or approval_req.get("rollback_hint"),
+        "rationale": approval_req.get("rationale")
+        or (
+            f"A batch of {len(command_set_items)} related T3 commands requires user "
+            "approval under one consent per the COMMAND_SET policy."
+        ),
+        "commands": [it["command"] for it in command_set_items],
+        "command_set": command_set_items,
+    }
+
+    try:
+        from gaia.approvals.store import insert_requested
+    except ImportError:
+        import pathlib as _pl
+        import sys as _sys
+
+        _repo_root = _pl.Path(__file__).resolve().parent.parent.parent.parent
+        _sys.path.insert(0, str(_repo_root))
+        from gaia.approvals.store import insert_requested
+
+    approval_id = insert_requested(
+        sealed_payload,
+        agent_id=agent_id,
+        session_id=session_id or None,
+    )
+    logger.info(
+        "INTAKE: plan-first COMMAND_SET pending created approval_id=%s items=%d",
+        (approval_id or "")[:16], len(command_set_items),
+    )
+    return approval_id
+
+
 def persist_handoff(
     parsed_contract,
     agent_output: str,
@@ -38,6 +212,38 @@ def persist_handoff(
     import pathlib as _pl
     import sys as _sys
 
+    agent_id = task_info.get("agent_id") or task_info.get("agent") or "unknown"
+
+    # ---------------------------------------------------------------------
+    # INTAKE bridge (plan-first COMMAND_SET) -- run FIRST and INDEPENDENTLY.
+    #
+    # Minting the pending COMMAND_SET approval is the security-critical path:
+    # it is the consent the user must act on. It must not be coupled to the
+    # audit handoff-row write below -- if insert_agent_contract_handoff fails
+    # for any reason, the user must still get the approval to review. So the
+    # intake runs in its own isolated try, before the handoff-row write.
+    #
+    # Only plan-first envelopes act here: command_set >= 2 items AND no
+    # approval_id. A <= 1 item set or a request that already carries an
+    # approval_id (hook-block / singular path) is a no-op for the intake.
+    # ---------------------------------------------------------------------
+    minted_command_set_id = None
+    if parsed_contract is not None:
+        _env = parsed_contract if isinstance(parsed_contract, dict) else {}
+        _approval_req = _env.get("approval_request")
+        if isinstance(_approval_req, dict):
+            try:
+                minted_command_set_id = _intake_command_set_pending(
+                    _approval_req,
+                    agent_id=agent_id,
+                    session_id=session_id,
+                )
+            except Exception as _intake_exc:
+                logger.warning(
+                    "M4: COMMAND_SET intake failed (non-blocking): %s",
+                    _intake_exc,
+                )
+
     try:
         # Prefer a sibling gaia package if installed; fall back to the repo
         # layout where gaia/ lives two levels above hooks/.
@@ -48,7 +254,6 @@ def persist_handoff(
             _sys.path.insert(0, str(_repo_root))
             from gaia.store import writer as _writer
 
-        agent_id = task_info.get("agent_id") or task_info.get("agent") or "unknown"
         workspace = task_info.get("workspace") or _os.environ.get("GAIA_WORKSPACE") or "global"
         db_path_str = task_info.get("db_path")
         db_path = _pl.Path(db_path_str) if db_path_str else None
@@ -99,7 +304,12 @@ def persist_handoff(
             envelope = parsed_contract if isinstance(parsed_contract, dict) else {}
             approval_req = envelope.get("approval_request")
             if approval_req and isinstance(approval_req, dict):
-                approval_id = approval_req.get("approval_id")
+                # The approval_id is either the one the subagent relayed (hook-block
+                # / singular path) or the one the INTAKE bridge just minted for a
+                # plan-first COMMAND_SET. Either way it points at the pending row
+                # the handoff_approvals audit row should link to.
+                approval_id = approval_req.get("approval_id") or minted_command_set_id
+
                 if approval_id:
                     # Look up the grant to determine the decision at stop time.
                     try:

package/dist/gaia-ops/hooks/modules/agents/response_contract.py

@@ -402,6 +402,31 @@ def parse_memorialize_suggestions(
     return _extract_memorialize_suggestions(contract)
 
 
+def parse_user_facing_summary(
+    agent_output: str,
+    parsed_contract: Optional[dict] = None,
+) -> Optional[str]:
+    """Parse the optional top-level ``user_facing_summary`` field (Option A).
+
+    This is the ONE human-audience field in the contract: a brief prose summary
+    the subagent writes once, intended for the user. The orchestrator relays it
+    near-verbatim on a single-agent COMPLETE (N=1) instead of re-synthesizing
+    ``key_outputs``; for N>1 it is ignored and synthesis proceeds.
+
+    Strictly additive and advisory: the field is never required and never
+    affects contract validity. Returns the trimmed string when present and
+    non-empty, otherwise None (absent, null, blank, or non-string).
+    """
+    contract = parsed_contract if parsed_contract is not None else parse_contract(agent_output)
+    if contract is None:
+        return None
+    raw = contract.get("user_facing_summary")
+    if not isinstance(raw, str):
+        return None
+    text = raw.strip()
+    return text or None
+
+
 def _is_resume_agent_id(value: str) -> bool:
     return bool(_AGENT_ID_PATTERN.match(value or ""))
 
@@ -659,6 +684,7 @@ __all__ = [
     "parse_evidence_report",
     "parse_consolidation_report",
     "parse_memorialize_suggestions",
+    "parse_user_facing_summary",
     "validate_response_contract",
     "save_validation_result",
     "load_last_validation",

package/dist/gaia-ops/hooks/modules/agents/transcript_reader.py

@@ -139,10 +139,25 @@ def extract_injected_context_payload_from_transcript(
     """
     import os
 
+    # Empty/None path guard. Without it, Path("").stem == "" and the substring
+    # match below (``candidate.stem in "" or "" in candidate.stem``) is ALWAYS
+    # True because ``"" in any_string`` is True -- so an empty path would match
+    # (and return) the FIRST payload sitting in gaia-context-payloads/, making
+    # the result depend on whatever happens to be in that directory. Mirror the
+    # guard in read_first_user_content_from_transcript: no path, no match.
+    if not transcript_path:
+        return {}
+
     try:
         payload_dir = Path(os.environ.get("TMPDIR", "/tmp")) / "gaia-context-payloads"
         if payload_dir.exists():
             agent_file = Path(transcript_path).stem  # e.g. "agent-ae190a4da68d626d4"
+            # A stem that came out empty (e.g. path was "/" or "."): nothing to
+            # match against, so the substring test would again degrade to the
+            # always-true ``"" in candidate.stem``. Bail rather than grab an
+            # arbitrary payload.
+            if not agent_file:
+                return {}
             # Match by agent ID substring
             for candidate in payload_dir.glob("*.json"):
                 if candidate.stem in agent_file or agent_file in candidate.stem:

package/dist/gaia-ops/hooks/modules/security/__init__.py

@@ -5,7 +5,6 @@ Provides:
 - tiers: SecurityTier enum and classification
 - blocked_commands: Permanently blocked pattern matching
 - mutative_verbs: Mutative verb detection (user approval workflow)
-- gitops_validator: kubectl/helm/flux validation
 - approval_constants: Approval token patterns (legacy APPROVE: and ElicitationResult)
 - approval_grants: Time-limited T3 command passthrough after user approval
 - shell_unwrapper: Detect and strip wrapper shells for inner command classification
@@ -21,7 +20,6 @@ from .blocked_commands import (
     get_blocked_patterns,
     BlockedCommandResult,
 )
-from .gitops_validator import validate_gitops_workflow, GitOpsValidationResult
 from .mutative_verbs import (
     CLI_FAMILY_LOOKUP,
     CATEGORY_MUTATIVE,
@@ -73,9 +71,6 @@ __all__ = [
     "is_blocked_command",
     "get_blocked_patterns",
     "BlockedCommandResult",
-    # GitOps
-    "validate_gitops_workflow",
-    "GitOpsValidationResult",
     # Mutative verbs
     "CLI_FAMILY_LOOKUP",
     "CATEGORY_MUTATIVE",