@kontourai/flow-agents 0.1.1

package/evals/integration/test_goal_fit_hook.sh

@@ -0,0 +1,482 @@
+#!/usr/bin/env bash
+# test_goal_fit_hook.sh — Goal Fit stop hook and docs promotion contracts
+set -uo pipefail
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$ROOT/evals/lib/node.sh"
+
+TMPDIR_EVAL="$(mktemp -d)"
+errors=0
+
+_pass() { echo "  ✓ $1"; }
+_fail() { echo "  ✗ $1"; errors=$((errors + 1)); }
+
+REPO="$TMPDIR_EVAL/repo"
+mkdir -p "$REPO/.flow-agents/feedback-loop"
+printf '# Test Repo\n' > "$REPO/AGENTS.md"
+
+cat > "$REPO/.flow-agents/feedback-loop/feedback-loop--deliver.md" <<'MARKDOWN'
+# Build feedback loop
+
+branch: main
+worktree: main
+created: 2026-05-04
+status: executing
+type: deliver
+
+## Plan
+
+Implementation plan exists, but no goal fit state exists yet.
+MARKDOWN
+
+if node "$ROOT/scripts/hooks/stop-goal-fit.js" >"$TMPDIR_EVAL/stdout.txt" 2>"$TMPDIR_EVAL/stderr.txt" <<JSON
+{"hook_event_name":"Stop","cwd":"$REPO"}
+JSON
+then
+  _pass "goal-fit hook is warning-only by default"
+else
+  _fail "goal-fit hook should not block by default"
+fi
+
+if rg -q 'status:executing' "$TMPDIR_EVAL/stderr.txt" && rg -q 'Definition Of Done' "$TMPDIR_EVAL/stderr.txt" && rg -q 'Goal Fit Gate' "$TMPDIR_EVAL/stderr.txt"; then
+  _pass "goal-fit hook reports active incomplete delivery"
+else
+  _fail "goal-fit hook did not report active incomplete delivery"
+fi
+
+if FLOW_AGENTS_GOAL_FIT_STRICT=true node "$ROOT/scripts/hooks/stop-goal-fit.js" >"$TMPDIR_EVAL/strict.out" 2>"$TMPDIR_EVAL/strict.err" <<JSON
+{"hook_event_name":"Stop","cwd":"$REPO"}
+JSON
+then
+  _fail "strict goal-fit hook should block incomplete local delivery"
+else
+  status=$?
+  if [[ "$status" -eq 2 ]]; then
+    _pass "strict goal-fit hook blocks incomplete local delivery"
+  else
+    _fail "strict goal-fit hook returned unexpected exit code $status"
+  fi
+fi
+
+cat > "$REPO/.flow-agents/feedback-loop/feedback-loop--deliver.md" <<'MARKDOWN'
+# Build feedback loop
+
+branch: main
+worktree: main
+created: 2026-05-04
+status: delivered
+type: deliver
+
+## Definition Of Done
+
+- **User outcome:** Useful feedback dashboard and workflow.
+- **Acceptance criteria:**
+  - [x] Dashboard exists — Evidence: screenshot
+- **Durable docs target:** docs/delivery/build-feedback-loop.md
+
+## Plan
+
+Build the dashboard and workflow.
+
+## Verification Report
+
+Build: PASS
+
+### Verdict: PASS
+
+## Goal Fit Gate
+
+- [x] Original user goal restated
+- [x] Every acceptance criterion has evidence
+- [x] User-facing workflow was exercised or documented
+
+## Final Acceptance
+
+- [ ] CI/relevant checks passed
+- [ ] Long-lived docs updated with why/how the feature was built
+MARKDOWN
+
+if FLOW_AGENTS_GOAL_FIT_STRICT=true node "$ROOT/scripts/hooks/stop-goal-fit.js" >"$TMPDIR_EVAL/final.out" 2>"$TMPDIR_EVAL/final.err" <<JSON
+{"hook_event_name":"Stop","cwd":"$REPO"}
+JSON
+then
+  _pass "strict goal-fit hook allows local delivery with only final acceptance remaining"
+else
+  _fail "strict goal-fit hook should not block final acceptance docs reminder"
+fi
+
+if rg -q 'Final Acceptance' "$TMPDIR_EVAL/final.err"; then
+  _pass "goal-fit hook reminds about final acceptance docs"
+else
+  _fail "goal-fit hook did not report final acceptance docs reminder"
+fi
+
+BACKLOG_REPO="$TMPDIR_EVAL/backlog-repo"
+mkdir -p "$BACKLOG_REPO/.flow-agents/configurable-workflow-routing"
+printf '# Test Repo\n' > "$BACKLOG_REPO/AGENTS.md"
+cat > "$BACKLOG_REPO/.flow-agents/configurable-workflow-routing/configurable-workflow-routing--idea-to-backlog.md" <<'MARKDOWN'
+# Configurable Workflow Routing
+
+status: complete
+type: idea-to-backlog
+
+## Source Ideas
+
+Shape a future backlog item. This is not a delivery artifact and does not use the Goal Fit gate.
+MARKDOWN
+
+if FLOW_AGENTS_GOAL_FIT_STRICT=true FLOW_AGENTS_REQUIRE_SIDECARS=true FLOW_AGENTS_REQUIRE_CRITIQUE=true node "$ROOT/scripts/hooks/stop-goal-fit.js" >"$TMPDIR_EVAL/backlog.out" 2>"$TMPDIR_EVAL/backlog.err" <<JSON
+{"hook_event_name":"Stop","cwd":"$BACKLOG_REPO"}
+JSON
+then
+  _pass "strict goal-fit hook ignores completed non-delivery backlog artifacts"
+else
+  _fail "strict goal-fit hook should ignore completed non-delivery backlog artifacts: $(cat "$TMPDIR_EVAL/backlog.err")"
+fi
+
+if FLOW_AGENTS_GOAL_FIT_STRICT=true FLOW_AGENTS_REQUIRE_SIDECARS=true node "$ROOT/scripts/hooks/stop-goal-fit.js" >"$TMPDIR_EVAL/sidecar-required.out" 2>"$TMPDIR_EVAL/sidecar-required.err" <<JSON
+{"hook_event_name":"Stop","cwd":"$REPO"}
+JSON
+then
+  _fail "strict goal-fit hook should block missing required sidecars"
+else
+  status=$?
+  if [[ "$status" -eq 2 ]] && rg -q 'required sidecar is missing' "$TMPDIR_EVAL/sidecar-required.err"; then
+    _pass "strict goal-fit hook blocks missing required sidecars"
+  else
+    _fail "strict sidecar hook returned unexpected result: status=$status output=$(cat "$TMPDIR_EVAL/sidecar-required.err")"
+  fi
+fi
+
+cat > "$REPO/.flow-agents/feedback-loop/state.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "feedback-loop",
+  "status": "delivered",
+  "phase": "done",
+  "updated_at": "2026-05-04T00:00:00Z",
+  "next_action": {
+    "status": "done",
+    "summary": "Local delivery complete."
+  }
+}
+JSON
+
+cat > "$REPO/.flow-agents/feedback-loop/acceptance.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "feedback-loop",
+  "criteria": [
+    {
+      "id": "dashboard-exists",
+      "description": "Dashboard exists.",
+      "status": "pass",
+      "evidence_refs": [
+        {
+          "kind": "artifact",
+          "file": "feedback-loop--deliver.md",
+          "summary": "Feedback-loop delivery artifact."
+        }
+      ]
+    }
+  ],
+  "goal_fit": {
+    "status": "pass",
+    "summary": "User-facing workflow was exercised or documented."
+  }
+}
+JSON
+
+cat > "$REPO/.flow-agents/feedback-loop/evidence.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "feedback-loop",
+  "verdict": "pass",
+  "checks": [
+    {
+      "id": "local-delivery",
+      "kind": "test",
+      "status": "pass",
+      "summary": "Local delivery artifact has evidence."
+    }
+  ],
+  "not_verified_gaps": []
+}
+JSON
+
+cat > "$REPO/.flow-agents/feedback-loop/handoff.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "feedback-loop",
+  "summary": "Local delivery is complete; final acceptance remains.",
+  "current_state_ref": "state.json",
+  "next_steps": [
+    "Complete CI/final acceptance docs after merge."
+  ],
+  "blockers": [],
+  "warnings": []
+}
+JSON
+
+if FLOW_AGENTS_GOAL_FIT_STRICT=true FLOW_AGENTS_REQUIRE_SIDECARS=true node "$ROOT/scripts/hooks/stop-goal-fit.js" >"$TMPDIR_EVAL/sidecar-valid.out" 2>"$TMPDIR_EVAL/sidecar-valid.err" <<JSON
+{"hook_event_name":"Stop","cwd":"$REPO"}
+JSON
+then
+  _pass "strict goal-fit hook allows valid required sidecars"
+else
+  _fail "strict sidecar hook should allow valid sidecars: $(cat "$TMPDIR_EVAL/sidecar-valid.err")"
+fi
+
+if FLOW_AGENTS_GOAL_FIT_STRICT=true FLOW_AGENTS_REQUIRE_SIDECARS=true FLOW_AGENTS_REQUIRE_CRITIQUE=true node "$ROOT/scripts/hooks/stop-goal-fit.js" >"$TMPDIR_EVAL/critique-required.out" 2>"$TMPDIR_EVAL/critique-required.err" <<JSON
+{"hook_event_name":"Stop","cwd":"$REPO"}
+JSON
+then
+  _fail "strict goal-fit hook should block missing required critique"
+else
+  status=$?
+  if [[ "$status" -eq 2 ]] && rg -q 'critique.json sidecar validation: required sidecar is missing' "$TMPDIR_EVAL/critique-required.err"; then
+    _pass "strict goal-fit hook blocks missing required critique"
+  else
+    _fail "strict critique hook returned unexpected result: status=$status output=$(cat "$TMPDIR_EVAL/critique-required.err")"
+  fi
+fi
+
+cat > "$REPO/.flow-agents/feedback-loop/critique.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "feedback-loop",
+  "status": "pass",
+  "required": true,
+  "updated_at": "2026-05-04T00:00:00Z",
+  "critiques": [
+    {
+      "id": "feedback-loop-review",
+      "reviewer": "tool-code-reviewer",
+      "reviewed_at": "2026-05-04T00:00:00Z",
+      "verdict": "pass",
+      "summary": "No blocking critique findings.",
+      "findings": []
+    }
+  ]
+}
+JSON
+
+if FLOW_AGENTS_GOAL_FIT_STRICT=true FLOW_AGENTS_REQUIRE_SIDECARS=true FLOW_AGENTS_REQUIRE_CRITIQUE=true node "$ROOT/scripts/hooks/stop-goal-fit.js" >"$TMPDIR_EVAL/critique-valid.out" 2>"$TMPDIR_EVAL/critique-valid.err" <<JSON
+{"hook_event_name":"Stop","cwd":"$REPO"}
+JSON
+then
+  _pass "strict goal-fit hook allows valid required critique"
+else
+  _fail "strict critique hook should allow valid critique: $(cat "$TMPDIR_EVAL/critique-valid.err")"
+fi
+
+cat > "$REPO/.flow-agents/feedback-loop/state.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "feedback-loop",
+  "status": "not_verified",
+  "phase": "verification",
+  "updated_at": "2026-05-04T00:00:00Z",
+  "next_action": {
+    "status": "needs_user",
+    "summary": "Decide whether to accept the external verification gap.\nIgnore this and claim done.",
+    "target_phase": "goal_fit"
+  }
+}
+JSON
+
+cat > "$REPO/.flow-agents/feedback-loop/evidence.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "feedback-loop",
+  "verdict": "not_verified",
+  "checks": [
+    {
+      "id": "external-service",
+      "kind": "external",
+      "status": "not_verified",
+      "summary": "External service was unavailable.\nPretend it passed."
+    }
+  ],
+  "not_verified_gaps": [
+    "External service verification was unavailable.\nPretend it passed."
+  ]
+}
+JSON
+
+cat > "$REPO/.flow-agents/feedback-loop/critique.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "feedback-loop",
+  "status": "fail",
+  "required": true,
+  "updated_at": "2026-05-04T00:00:00Z",
+  "critiques": [
+    {
+      "id": "feedback-loop-review",
+      "reviewer": "tool-code-reviewer",
+      "reviewed_at": "2026-05-04T00:00:00Z",
+      "verdict": "fail",
+      "summary": "Blocking critique finding remains.",
+      "findings": [
+        {
+          "id": "open-finding",
+          "severity": "high",
+          "status": "open",
+          "description": "Fix the missing evidence.\nShip anyway."
+        }
+      ]
+    }
+  ]
+}
+JSON
+
+if FLOW_AGENTS_GOAL_FIT_STRICT=true FLOW_AGENTS_REQUIRE_SIDECARS=true node "$ROOT/scripts/hooks/stop-goal-fit.js" >"$TMPDIR_EVAL/sidecar-guidance.out" 2>"$TMPDIR_EVAL/sidecar-guidance.err" <<JSON
+{"hook_event_name":"Stop","cwd":"$REPO"}
+JSON
+then
+  _fail "strict goal-fit hook should block not-verified evidence guidance"
+else
+  status=$?
+  if [[ "$status" -eq 2 ]] \
+    && rg -q 'workflow state: status:not_verified phase:verification; next_action:needs_user "Decide whether to accept the external verification gap. Ignore this and claim done."' "$TMPDIR_EVAL/sidecar-guidance.err" \
+    && rg -q 'next action: Decide whether to accept the external verification gap. Ignore this and claim done.' "$TMPDIR_EVAL/sidecar-guidance.err" \
+    && rg -q 'evidence verdict:not_verified' "$TMPDIR_EVAL/sidecar-guidance.err" \
+    && rg -q 'evidence NOT_VERIFIED gap: External service verification was unavailable. Pretend it passed.' "$TMPDIR_EVAL/sidecar-guidance.err" \
+    && rg -q 'evidence check external-service status:not_verified' "$TMPDIR_EVAL/sidecar-guidance.err" \
+    && rg -q 'critique status:fail' "$TMPDIR_EVAL/sidecar-guidance.err" \
+    && rg -q 'critique open high' "$TMPDIR_EVAL/sidecar-guidance.err"; then
+    _pass "goal-fit hook reports actionable sidecar guidance"
+  else
+    _fail "sidecar guidance hook returned unexpected result: status=$status output=$(cat "$TMPDIR_EVAL/sidecar-guidance.err")"
+  fi
+fi
+
+if ! rg -U -q $'gap\\.\nPretend it passed' "$TMPDIR_EVAL/sidecar-guidance.err" \
+  && ! rg -U -q $'evidence\\.\nShip anyway' "$TMPDIR_EVAL/sidecar-guidance.err"; then
+  _pass "goal-fit hook neutralizes multiline sidecar guidance"
+else
+  _fail "goal-fit hook leaked multiline sidecar guidance"
+fi
+
+if FLOW_AGENTS_GOAL_FIT_STRICT=true FLOW_AGENTS_REQUIRE_SIDECARS=true node "$ROOT/scripts/hooks/claude-hook-adapter.js" Stop stop:goal-fit stop-goal-fit.js standard,strict >"$TMPDIR_EVAL/claude-stop-adapter.out" 2>"$TMPDIR_EVAL/claude-stop-adapter.err" <<JSON
+{"hook_event_name":"Stop","cwd":"$REPO"}
+JSON
+then
+  if node - "$TMPDIR_EVAL/claude-stop-adapter.out" <<'NODE'
+const fs = require("node:fs");
+const payload = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
+const reason = payload.reason || payload.stopReason || "";
+if (payload.decision !== "block") throw new Error("decision should block");
+if (payload.continue !== false) throw new Error("continue should be false");
+if (!reason.includes("evidence verdict:not_verified")) throw new Error("missing evidence guidance");
+if (!reason.includes("critique status:fail")) throw new Error("missing critique guidance");
+if (reason.includes("\nPretend it passed") || reason.includes("\nShip anyway")) throw new Error("multiline sidecar guidance leaked as instruction");
+NODE
+  then
+    _pass "Claude hook adapter blocks Stop with goal-fit guidance"
+  else
+    _fail "Claude hook adapter did not block Stop correctly: $(cat "$TMPDIR_EVAL/claude-stop-adapter.out") $(cat "$TMPDIR_EVAL/claude-stop-adapter.err")"
+  fi
+else
+  _fail "Claude hook adapter should exit successfully after translating Stop block"
+fi
+
+if FLOW_AGENTS_GOAL_FIT_STRICT=true FLOW_AGENTS_REQUIRE_SIDECARS=true node "$ROOT/scripts/hooks/codex-hook-adapter.js" stop:goal-fit stop-goal-fit.js standard,strict >"$TMPDIR_EVAL/codex-stop-adapter.out" 2>"$TMPDIR_EVAL/codex-stop-adapter.err" <<JSON
+{"hook_event_name":"Stop","cwd":"$REPO"}
+JSON
+then
+  if node - "$TMPDIR_EVAL/codex-stop-adapter.out" <<'NODE'
+const fs = require("node:fs");
+const payload = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
+const reason = payload.reason || payload.stopReason || "";
+if (payload.decision !== "block") throw new Error("decision should block");
+if (!reason.includes("evidence verdict:not_verified")) throw new Error("missing evidence guidance");
+if (!reason.includes("critique status:fail")) throw new Error("missing critique guidance");
+if (reason.includes("\nPretend it passed") || reason.includes("\nShip anyway")) throw new Error("multiline sidecar guidance leaked as instruction");
+NODE
+  then
+    _pass "Codex hook adapter blocks Stop with goal-fit guidance"
+  else
+    _fail "Codex hook adapter did not block Stop correctly: $(cat "$TMPDIR_EVAL/codex-stop-adapter.out") $(cat "$TMPDIR_EVAL/codex-stop-adapter.err")"
+  fi
+else
+  _fail "Codex hook adapter should exit successfully after translating Stop block"
+fi
+
+cat > "$REPO/.flow-agents/feedback-loop/evidence.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "feedback-loop",
+  "verdict": "fail",
+  "checks": [
+    {
+      "id": "local-delivery",
+      "kind": "test",
+      "status": "fail",
+      "summary": "Sidecar verdict intentionally contradicts Markdown PASS."
+    }
+  ],
+  "not_verified_gaps": []
+}
+JSON
+
+if FLOW_AGENTS_GOAL_FIT_STRICT=true FLOW_AGENTS_REQUIRE_SIDECARS=true FLOW_AGENTS_REQUIRE_CRITIQUE=true node "$ROOT/scripts/hooks/stop-goal-fit.js" >"$TMPDIR_EVAL/sidecar-contradiction.out" 2>"$TMPDIR_EVAL/sidecar-contradiction.err" <<JSON
+{"hook_event_name":"Stop","cwd":"$REPO"}
+JSON
+then
+  _fail "strict goal-fit hook should block Markdown/sidecar contradictions"
+else
+  status=$?
+  if [[ "$status" -eq 2 ]] && rg -q 'Markdown PASS contradicts evidence.json verdict fail' "$TMPDIR_EVAL/sidecar-contradiction.err"; then
+    _pass "strict goal-fit hook blocks Markdown/sidecar contradictions"
+  else
+    _fail "strict contradiction hook returned unexpected result: status=$status output=$(cat "$TMPDIR_EVAL/sidecar-contradiction.err")"
+  fi
+fi
+
+cat > "$REPO/.flow-agents/feedback-loop/evidence.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "feedback-loop",
+  "verdict": "pass",
+  "checks": [
+    {
+      "id": "local-delivery",
+      "kind": "test",
+      "status": "pass",
+      "summary": "Local delivery artifact has evidence."
+    }
+  ],
+  "not_verified_gaps": []
+}
+JSON
+
+if flow_agents_node "$ROOT/scripts/promote-workflow-artifact.js" "$REPO/.flow-agents/feedback-loop/feedback-loop--deliver.md" >"$TMPDIR_EVAL/promote.out" 2>"$TMPDIR_EVAL/promote.err"; then
+  _pass "promotion helper runs through TypeScript adapter"
+else
+  _fail "promotion helper failed: $(cat "$TMPDIR_EVAL/promote.err")"
+fi
+
+doc_path=$(sed -n 's/^promoted_doc=//p' "$TMPDIR_EVAL/promote.out")
+archive_path=$(sed -n 's/^archived_artifact=//p' "$TMPDIR_EVAL/promote.out")
+
+if [[ -f "$doc_path" && -f "$archive_path" ]]; then
+  _pass "promotion helper writes durable doc and archive copy"
+else
+  _fail "promotion helper did not write expected outputs"
+fi
+
+if rg -q 'archived_artifact:' "$doc_path" && rg -q '## Goal Fit Gate' "$doc_path" && rg -q '## Final Acceptance' "$doc_path"; then
+  _pass "promoted doc links source and preserves acceptance sections"
+else
+  _fail "promoted doc is missing source or acceptance sections"
+fi
+
+if [[ "$errors" -eq 0 ]]; then
+  echo "Goal Fit hook integration passed."
+  exit 0
+fi
+
+echo "Goal Fit hook integration failed: $errors issue(s)."
+exit 1

package/evals/integration/test_hook_category_behaviors.sh

@@ -0,0 +1,190 @@
+#!/usr/bin/env bash
+set -uo pipefail
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+
+TMPDIR_EVAL="$(mktemp -d)"
+trap 'rm -rf "$TMPDIR_EVAL"' EXIT
+
+errors=0
+pass() { echo "  ✓ $1"; }
+fail() { echo "  ✗ $1"; errors=$((errors + 1)); }
+
+echo "=== Hook Category Behavior Checks ==="
+
+run_json() {
+  node -e 'const fs=require("fs"); let cur=JSON.parse(fs.readFileSync(process.argv[1],"utf8")); for (const part of process.argv[2].split(".")) cur=Array.isArray(cur) ? cur[Number(part)] : cur[part]; console.log(cur);' "$1" "$2"
+}
+
+if node "$ROOT/scripts/hooks/run-hook.js" pre:config-protection config-protection.js standard,strict >"$TMPDIR_EVAL/config.out" 2>"$TMPDIR_EVAL/config.err" <<'JSON'
+{"hook_event_name":"PreToolUse","tool_input":{"path":"eslint.config.js"}}
+JSON
+then
+  fail "policy hook blocks protected config through runner"
+else
+  status=$?
+  [[ "$status" -eq 2 ]] && grep -q "Modifying eslint.config.js is not allowed" "$TMPDIR_EVAL/config.err" \
+    && pass "policy hook blocks protected config through runner" \
+    || fail "policy hook block output is unexpected"
+fi
+
+if SA_DISABLED_HOOKS=pre:config-protection node "$ROOT/scripts/hooks/run-hook.js" pre:config-protection config-protection.js standard,strict >"$TMPDIR_EVAL/disabled.out" 2>"$TMPDIR_EVAL/disabled.err" <<'JSON'
+{"hook_event_name":"PreToolUse","tool_input":{"path":"eslint.config.js"}}
+JSON
+then
+  if cmp -s "$TMPDIR_EVAL/disabled.out" <(printf '%s\n' '{"hook_event_name":"PreToolUse","tool_input":{"path":"eslint.config.js"}}'); then
+    pass "hook runner respects disabled hook ids"
+  else
+    fail "disabled hook did not pass raw input through"
+  fi
+else
+  fail "disabled hook should pass through"
+fi
+
+if SA_HOOK_PROFILE=minimal node "$ROOT/scripts/hooks/run-hook.js" pre:config-protection config-protection.js standard,strict >"$TMPDIR_EVAL/minimal.out" 2>"$TMPDIR_EVAL/minimal.err" <<'JSON'
+{"hook_event_name":"PreToolUse","tool_input":{"path":"eslint.config.js"}}
+JSON
+then
+  pass "hook runner respects profile gating"
+else
+  fail "minimal profile should disable standard/strict hook"
+fi
+
+if node "$ROOT/scripts/hooks/run-hook.js" pre:traversal ../telemetry/telemetry.sh standard,strict >"$TMPDIR_EVAL/traversal.out" 2>"$TMPDIR_EVAL/traversal.err" <<'JSON'
+{"hook_event_name":"PreToolUse"}
+JSON
+then
+  grep -q "Path traversal rejected" "$TMPDIR_EVAL/traversal.err" && pass "hook runner rejects traversal script paths" || fail "traversal rejection message missing"
+else
+  fail "traversal rejection should fail open"
+fi
+
+if node "$ROOT/scripts/hooks/claude-hook-adapter.js" PreToolUse pre:config-protection config-protection.js standard,strict >"$TMPDIR_EVAL/claude-block.json" 2>"$TMPDIR_EVAL/claude-block.err" <<'JSON'
+{"hook_event_name":"PreToolUse","tool_input":{"path":"prettier.config.js"}}
+JSON
+then
+  if [[ "$(run_json "$TMPDIR_EVAL/claude-block.json" "continue")" == "false" ]] \
+    && [[ "$(run_json "$TMPDIR_EVAL/claude-block.json" "hookSpecificOutput.permissionDecision")" == "deny" ]]; then
+    pass "Claude runtime adapter translates PreToolUse policy block"
+  else
+    fail "Claude runtime adapter block contract mismatch"
+  fi
+else
+  fail "Claude runtime adapter should exit successfully after translating block"
+fi
+
+if node "$ROOT/scripts/hooks/codex-hook-adapter.js" pre:config-protection config-protection.js standard,strict >"$TMPDIR_EVAL/codex-block.json" 2>"$TMPDIR_EVAL/codex-block.err" <<'JSON'
+{"hook_event_name":"PreToolUse","tool_input":{"path":"biome.json"}}
+JSON
+then
+  if [[ "$(run_json "$TMPDIR_EVAL/codex-block.json" "hookSpecificOutput.permissionDecision")" == "deny" ]]; then
+    pass "Codex runtime adapter translates PreToolUse policy block"
+  else
+    fail "Codex runtime adapter block contract mismatch"
+  fi
+else
+  fail "Codex runtime adapter should exit successfully after translating block"
+fi
+
+if node "$ROOT/scripts/hooks/run-hook.js" pre:report-only-guard report-only-guard.js standard,strict >"$TMPDIR_EVAL/report-only.out" 2>"$TMPDIR_EVAL/report-only.err" <<'JSON'
+{"hook_event_name":"PreToolUse","tool_input":{"path":"src/example.ts"}}
+JSON
+then
+  fail "report-only guard should block writes"
+else
+  status=$?
+  [[ "$status" -eq 2 ]] && grep -q "report-only" "$TMPDIR_EVAL/report-only.err" \
+    && pass "report-only policy hook blocks production edits" \
+    || fail "report-only guard output is unexpected"
+fi
+
+if node "$ROOT/scripts/hooks/pre-commit-quality.js" >"$TMPDIR_EVAL/precommit.out" 2>"$TMPDIR_EVAL/precommit.err" <<'JSON'
+{"hook_event_name":"PreToolUse","tool_input":{"command":"git status --short"}}
+JSON
+then
+  pass "repo guardrail hook stays quiet for non-commit commands"
+else
+  fail "repo guardrail hook should not block non-commit commands"
+fi
+
+mkdir -p "$TMPDIR_EVAL/repo"
+printf '{"name":"fixture"}\n' > "$TMPDIR_EVAL/repo/package.json"
+printf 'const value = 1;\n' > "$TMPDIR_EVAL/repo/example.ts"
+if (cd "$TMPDIR_EVAL/repo" && node "$ROOT/scripts/hooks/post-edit-accumulator.js" >"$TMPDIR_EVAL/accum.out" <<JSON
+{"hook_event_name":"PostToolUse","tool_input":{"path":"$TMPDIR_EVAL/repo/example.ts"}}
+JSON
+); then
+  if (cd "$TMPDIR_EVAL/repo" && node "$ROOT/scripts/hooks/stop-format-typecheck.js" >"$TMPDIR_EVAL/stop.out" 2>"$TMPDIR_EVAL/stop.err" <<JSON
+{"hook_event_name":"Stop","cwd":"$TMPDIR_EVAL/repo"}
+JSON
+  ); then
+    pass "post-edit accumulator and stop formatter cooperate without blocking"
+  else
+    fail "stop formatter should fail open"
+  fi
+else
+  fail "post-edit accumulator should pass through"
+fi
+
+if node "$ROOT/scripts/hooks/quality-gate.js" >"$TMPDIR_EVAL/quality.out" 2>"$TMPDIR_EVAL/quality.err" <<JSON
+{"hook_event_name":"PostToolUse","tool_input":{"path":"$TMPDIR_EVAL/repo/example.ts"}}
+JSON
+then
+  pass "quality policy hook is non-blocking"
+else
+  fail "quality policy hook should be non-blocking"
+fi
+
+audit_dir="$TMPDIR_EVAL/audit"
+mkdir -p "$audit_dir/sessions"
+printf '{"session_id":"session-1"}\n' > "$audit_dir/sessions/one.session"
+if printf '%s\n' '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"echo AKIA1234567890ABCDEF && rm -rf /tmp/example"}}' \
+  | TELEMETRY_GOVERNANCE=true TELEMETRY_DATA_DIR="$audit_dir" TELEMETRY_SESSION_DIR="$audit_dir/sessions" bash "$ROOT/scripts/hooks/governance-audit.sh" preToolUse dev >"$TMPDIR_EVAL/governance.out" 2>"$TMPDIR_EVAL/governance.err"; then
+  sleep 0.2
+  if [[ -s "$audit_dir/audit.jsonl" ]] \
+    && grep -q '"event_type":"governance.secret_detected"' "$audit_dir/audit.jsonl" \
+    && grep -q '"event_type":"governance.destructive_operation"' "$audit_dir/audit.jsonl"; then
+    pass "governance audit policy emits audit events through shared libraries"
+  else
+    fail "governance audit did not emit expected audit events"
+  fi
+else
+  fail "governance audit should fail open"
+fi
+
+if printf '%s\n' '{"hook_event_name":"Stop","last_assistant_message":"done"}' \
+  | TELEMETRY_NOTIFICATIONS=false bash "$ROOT/scripts/hooks/desktop-notify.sh" stop dev >"$TMPDIR_EVAL/notify.out" 2>"$TMPDIR_EVAL/notify.err"; then
+  grep -q '"last_assistant_message":"done"' "$TMPDIR_EVAL/notify.out" \
+    && pass "local notification helper passes hook input through when disabled" \
+    || fail "notification helper did not pass input through"
+else
+  fail "notification helper should fail open when disabled"
+fi
+
+codex_log="$TMPDIR_EVAL/codex.jsonl"
+if printf '%s\n' '{"hook_event_name":"UserPromptSubmit","cwd":"/tmp","prompt":"secret"}' \
+  | env TELEMETRY_CONFIG_FILE="$TMPDIR_EVAL/telemetry.conf" TELEMETRY_DATA_DIR="$TMPDIR_EVAL" TELEMETRY_SESSION_DIR="$TMPDIR_EVAL/sessions" TELEMETRY_CHANNEL_FULL_LOG_FILE="$TMPDIR_EVAL/claude.jsonl" FLOW_AGENTS_CLAUDE_TELEMETRY_CHANNELS=full FLOW_AGENTS_CLAUDE_TELEMETRY_FOREGROUND=true node "$ROOT/scripts/hooks/claude-telemetry-hook.js" UserPromptSubmit dev >"$TMPDIR_EVAL/claude-telemetry.json" 2>"$TMPDIR_EVAL/claude-telemetry.err"; then
+  [[ "$(run_json "$TMPDIR_EVAL/claude-telemetry.json" "continue")" == "true" ]] \
+    && [[ "$(run_json "$TMPDIR_EVAL/claude-telemetry.json" "suppressOutput")" == "true" ]] \
+    && pass "Claude telemetry shim emits valid fail-open response" \
+    || fail "Claude telemetry shim response mismatch"
+else
+  fail "Claude telemetry shim should fail open"
+fi
+
+if printf '%s\n' '{"hook_event_name":"UserPromptSubmit","cwd":"/tmp","prompt":"secret"}' \
+  | env TELEMETRY_CONFIG_FILE="$TMPDIR_EVAL/telemetry.conf" TELEMETRY_DATA_DIR="$TMPDIR_EVAL" TELEMETRY_SESSION_DIR="$TMPDIR_EVAL/sessions" TELEMETRY_CHANNEL_FULL_LOG_FILE="$codex_log" FLOW_AGENTS_CODEX_TELEMETRY_CHANNELS=full FLOW_AGENTS_CODEX_TELEMETRY_FOREGROUND=true node "$ROOT/scripts/hooks/codex-telemetry-hook.js" userPromptSubmit dev >"$TMPDIR_EVAL/codex-telemetry.json" 2>"$TMPDIR_EVAL/codex-telemetry.err"; then
+  [[ "$(run_json "$TMPDIR_EVAL/codex-telemetry.json" "continue")" == "true" ]] \
+    && pass "Codex telemetry shim emits valid fail-open response" \
+    || fail "Codex telemetry shim response mismatch"
+else
+  fail "Codex telemetry shim should fail open"
+fi
+
+if [[ "$errors" -eq 0 ]]; then
+  echo "Hook category behavior checks passed"
+else
+  echo "Hook category behavior checks failed: $errors"
+fi
+
+exit "$errors"