@kontourai/flow-agents 1.4.0 → 2.0.1

package/scripts/hooks/stop-goal-fit.js

@@ -4,9 +4,22 @@
  *
  * The hook reads .flow-agents artifacts, looks for the most recent active
  * delivery/session file, and reports missing Definition Of Done, Goal Fit, or
- * Final Acceptance state. It is warning-only by default. Set
- * FLOW_AGENTS_GOAL_FIT_STRICT=true to return exit code 2 when local goal fit is
- * incomplete.
+ * Final Acceptance state.
+ *
+ * Enforcement is controlled by FLOW_AGENTS_GOAL_FIT_MODE:
+ *   - block: return exit code 2 (blocks the Stop) when local goal fit is incomplete.
+ *   - warn:  return exit code 0 but still emit the guidance on stderr (default).
+ *   - off:   stay silent.
+ * The legacy FLOW_AGENTS_GOAL_FIT_STRICT=true is honored as an alias for block.
+ * The canonical engine default is warn; shipped runtime configs (e.g. Claude
+ * Code at L2) set block so the installed product enforces while the engine
+ * default and conformance contract stay warn.
+ *
+ * Scope: the gate evaluates the session's current task (.flow-agents/current.json)
+ * when set, so an unrelated active workflow elsewhere in the repo does not gate
+ * this stop. It also never hard-blocks a pre-execution (not-yet-started) task on
+ * mere incompleteness — only genuine false-completion signals (a claimed pass the
+ * capture log or evidence.json contradicts) block before execution begins.
  */
 
 'use strict';
@@ -14,6 +27,7 @@
 const fs = require('fs');
 const path = require('path');
 const { spawnSync } = require('child_process');
+const crypto = require('crypto');
 
 const MAX_STDIN = 1024 * 1024;
 const ACTIVE_STATUSES = new Set([
@@ -29,9 +43,23 @@ const ACTIVE_STATUSES = new Set([
   'blocked',
   'partial',
 ]);
-const DELIVERY_TYPES = new Set(['deliver', 'delivery', 'fix-bug', 'execute-plan', 'verify-work']);
-const SIDECAR_NAMES = new Set(['state.json', 'acceptance.json', 'evidence.json', 'handoff.json']);
-const OPTIONAL_SIDECAR_NAMES = new Set(['critique.json']);
+// WORKFLOW_SESSION_TYPES: used for artifact identification only, not for verdict production.
+const WORKFLOW_SESSION_TYPES = new Set(['deliver', 'delivery', 'fix-bug', 'execute-plan', 'verify-work']);
+// Phase 4c: bundle-only. Required set = {state.json, handoff.json, trust.bundle}. Drop evidence.json/acceptance.json/critique.json.
+const SIDECAR_NAMES = new Set(['state.json', 'handoff.json', 'trust.bundle']);
+const OPTIONAL_SIDECAR_NAMES = new Set();
+
+// A workflow that has not started execution is EXPECTED to be incomplete, so the
+// Stop gate must not hard-block on its missing DOD / Goal Fit / not-done state.
+// Only genuine false-completion signals block a pre-execution task; execution
+// onward gates fully.
+const PRE_EXECUTION_STATUSES = new Set(['new', 'planning', 'planned', 'backlog']);
+const PRE_EXECUTION_PHASES = new Set(['idea', 'backlog', 'pickup', 'planning']);
+
+// Terminal tasks are complete — they must never gate a stop or count as "active".
+// A stale current.json pointing at one, or a graveyard of finished states, must
+// not block an unrelated session.
+const TERMINAL_STATUSES = new Set(['done', 'delivered', 'accepted', 'archived', 'complete', 'completed']);
 
 function parseJson(raw) {
   try { return JSON.parse(raw || '{}'); } catch { return {}; }
@@ -110,7 +138,23 @@ function sidecarValidation(root, artifactDir) {
   if (requireSidecars || requireCritique) {
     const present = new Set(sidecarFiles.map(file => path.basename(file)));
     const requiredNames = new Set(requireSidecars ? SIDECAR_NAMES : []);
-    if (requireCritique) requiredNames.add('critique.json');
+    // Phase 4c: critique.json is no longer written; trust.bundle carries critique claims.
+    // FLOW_AGENTS_REQUIRE_CRITIQUE is satisfied by:
+    //   - critique.json (legacy, may not be in SIDECAR_NAMES but may still be on disk), OR
+    //   - trust.bundle that contains at least one workflow.critique.review claim.
+    if (requireCritique) {
+      // Check disk directly (critique.json is no longer in SIDECAR_NAMES so may not be in present)
+      const hasCritiqueJson = fs.existsSync(path.join(artifactDir, 'critique.json'));
+      const bundleFile = path.join(artifactDir, 'trust.bundle');
+      let hasBundleCritique = false;
+      if (fs.existsSync(bundleFile)) {
+        try {
+          const b = JSON.parse(fs.readFileSync(bundleFile, 'utf8'));
+          hasBundleCritique = Array.isArray(b.claims) && b.claims.some(c => c && c.claimType === 'workflow.critique.review');
+        } catch { /* fall through — no bundle critique */ }
+      }
+      if (!hasCritiqueJson && !hasBundleCritique) requiredNames.add('critique.json');
+    }
     const missing = [...requiredNames].filter(name => !present.has(name)).sort();
     if (missing.length > 0) {
       return missing.map(name => `${relative(root, path.join(artifactDir, name))} sidecar validation: required sidecar is missing`);
@@ -186,7 +230,7 @@ function isWorkflowArtifact(artifact) {
   if (!artifact) return false;
   if (artifact.role === 'plan' || artifact.role === 'review') return false;
   if (artifact.file.endsWith('-plan.md') || artifact.file.endsWith('-review.md')) return false;
-  if (DELIVERY_TYPES.has(artifact.type)) return true;
+  if (WORKFLOW_SESSION_TYPES.has(artifact.type)) return true;
   return /--(deliver|fix-bug|execute-plan|verify-work)\b/.test(path.basename(artifact.file));
 }
 
@@ -219,6 +263,44 @@ function readJsonFile(file) {
   }
 }
 
+// ─── ADR 0010 Phase 2b: re-derive-at-gate via Surface (fail-open) ─────────────
+// Surface (@kontourai/surface) is ESM-only; stop-goal-fit.js is CJS.
+// Load it via a fail-open dynamic import(), cached after the first attempt.
+// If Surface cannot be loaded (package absent, env mismatch), we fall back to
+// the stored claim.status check from #133 — no regression for environments that
+// lack @kontourai/surface. The module is never written to disk.
+let _surfaceModule; // undefined = not tried yet; null = unavailable
+async function tryLoadSurface() {
+  if (_surfaceModule !== undefined) return _surfaceModule;
+  try {
+    const m = await import('@kontourai/surface');
+    _surfaceModule = m;
+    return _surfaceModule;
+  } catch {
+    _surfaceModule = null;
+    return null;
+  }
+}
+
+// ─── ADR 0016 Abstraction A P-c: flow-resolver integration ────────────────────
+// Load the compiled flow-resolver (build/src/lib/flow-resolver.js) via CJS
+// require behind the same hasBuild guard used for the validator. Fail-open:
+// returns null when build/ is absent, require throws, or current.json has no
+// active_flow_id / active_step_id. The caller (bundleEnforcement, sidecarGuidance)
+// treats null as "no active FlowDefinition" and falls back to the workflow.* path.
+function loadActiveFlowStep(flowAgentsDir) {
+  const packageRoot = path.resolve(__dirname, '..', '..');
+  const builtResolver = path.join(packageRoot, 'build', 'src', 'lib', 'flow-resolver.js');
+  if (!fs.existsSync(builtResolver)) return null; // hasBuild guard: no build/ yet
+  try {
+    const resolver = require(builtResolver);
+    if (typeof resolver.resolveActiveFlowStep !== 'function') return null;
+    return resolver.resolveActiveFlowStep(flowAgentsDir);
+  } catch {
+    return null; // require failed or resolver threw — fail-open
+  }
+}
+
 function safeOneLine(value, maxLength = 220) {
   const text = String(value || '').replace(/\s+/g, ' ').trim();
   if (text.length <= maxLength) return text;
@@ -229,19 +311,225 @@ function normalizedStatus(value) {
   return safeOneLine(value, 80).toLowerCase();
 }
 
-function sidecarGuidance(root, artifactDir) {
+// ─── ADR 0010 Phase 4b: bundle-first helpers for consumer migration ────────────
+// These helpers extract evidence/critique/acceptance data from the trust.bundle
+// when it is present, falling back to the bespoke sidecar for bundle-less sessions.
+// The sidecar content is IDENTICAL to the bundle projection (Phase 4a guarantee),
+// so consumer reads produce identical verdicts.
+
+/**
+ * Extract the effective "verdict" from trust.bundle workflow.check.* claims,
+ * or from declared claimTypes when a FlowDefinition is active (P-c extension).
+ * Priority of non-pass statuses: fail > not_verified > partial > pass.
+ * Returns null when the bundle has no matching claims.
+ *
+ * @param {Array} claims - trust.bundle claims array
+ * @param {Set<string>|null} [declaredClaimTypes] - optional set of declared claimTypes from gateExpects[]
+ */
+function bundleEvidenceVerdict(claims, declaredClaimTypes) {
+  const checkClaims = claims.filter(c => {
+    if (!c || typeof c.claimType !== 'string') return false;
+    if (c.claimType.startsWith('workflow.check.')) return true;
+    return declaredClaimTypes != null && declaredClaimTypes.has(c.claimType);
+  });
+  if (checkClaims.length === 0) return null;
+  let worst = 'pass';
+  const PRIORITY = { fail: 4, failed: 4, not_verified: 3, 'not-verified': 3, partial: 2, pass: 1, skip: 0 };
+  for (const c of checkClaims) {
+    const v = normalizedStatus(c.value || 'pass');
+    if ((PRIORITY[v] || 0) > (PRIORITY[worst] || 0)) worst = v;
+  }
+  return worst;
+}
+
+/**
+ * Extract the check ID from a claim's subjectId (format: "${slug}/${checkId}").
+ * Returns the part after the first slash, or the full subjectId if no slash.
+ */
+function claimCheckId(subjectId) {
+  const s = String(subjectId || '');
+  const slash = s.indexOf('/');
+  return slash >= 0 ? s.slice(slash + 1) : s;
+}
+
+/**
+ * Build the list of blocking check-claims from trust.bundle (equivalent to
+ * evidence.json.checks filtered to non-pass status).
+ * Returns objects shaped like { id, status, summary } (summary from fieldOrBehavior).
+ *
+ * @param {Array} claims - trust.bundle claims array
+ * @param {Set<string>|null} [declaredClaimTypes] - optional set of declared claimTypes from gateExpects[]
+ */
+function bundleBlockingChecks(claims, declaredClaimTypes) {
+  return claims.filter(c => {
+    if (!c || typeof c.claimType !== 'string') return false;
+    const typeMatch = c.claimType.startsWith('workflow.check.')
+      || (declaredClaimTypes != null && declaredClaimTypes.has(c.claimType));
+    if (!typeMatch) return false;
+    const v = normalizedStatus(c.value || '');
+    return v === 'fail' || v === 'failed' || v === 'not_verified' || v === 'not-verified';
+  }).map(c => ({
+    id: claimCheckId(c.subjectId),
+    status: c.value || 'unknown',
+    summary: c.fieldOrBehavior || '',
+  }));
+}
+
+/**
+ * Determine critique status from trust.bundle workflow.critique.review claims,
+ * or from declared claimTypes when a FlowDefinition is active (P-c extension).
+ * Returns the "worst" value among critique claims, or null when none present.
+ *
+ * @param {Array} claims - trust.bundle claims array
+ * @param {Set<string>|null} [declaredClaimTypes] - optional set of declared claimTypes from gateExpects[]
+ */
+function bundleCritiqueStatus(claims, declaredClaimTypes) {
+  const critiqueClaims = claims.filter(c => {
+    if (!c || typeof c.claimType !== 'string') return false;
+    if (c.claimType === 'workflow.critique.review') return true;
+    return declaredClaimTypes != null && declaredClaimTypes.has(c.claimType);
+  });
+  if (critiqueClaims.length === 0) return null;
+  // A disputed or failed critique is blocking
+  for (const c of critiqueClaims) {
+    const v = normalizedStatus(c.value || '');
+    if (v === 'fail' || v === 'failed' || c.status === 'disputed' || c.status === 'rejected') return c.value || 'fail';
+  }
+  return 'pass';
+}
+
+/**
+ * Build the list of claimed-pass command checks from the trust.bundle's evidence[]
+ * (items with execution.label) and from workflow.check.command claims whose effective
+ * value is "pass" (never-captured claimed pass). Falls back to an empty list when
+ * the bundle has no evidence items.
+ *
+ * Returns objects shaped like { id, kind, status, command } — same shape as
+ * evidence.json.checks — so captureCrossReference's body logic is unchanged.
+ *
+ * @param {object} bundle - trust.bundle object
+ * @param {Set<string>|null} [declaredClaimTypes] - optional set of declared claimTypes from gateExpects[]
+ */
+function bundleClaimedPassCommandChecks(bundle, declaredClaimTypes) {
+  const allEvidence = Array.isArray(bundle.evidence) ? bundle.evidence : [];
+  const allClaims = Array.isArray(bundle.claims) ? bundle.claims : [];
+
+  // Build a map from claimId -> claim for fast lookup
+  const claimById = new Map();
+  for (const c of allClaims) {
+    if (c && c.id) claimById.set(c.id, c);
+  }
+
+  const checks = [];
+  const seen = new Set();
+
+  // (A) Evidence items with execution.label (command captures).
+  // These represent commands that actually ran — include them regardless of
+  // effective status so we can cross-reference against the live log.
+  for (const ev of allEvidence) {
+    if (!ev || !ev.execution || !ev.execution.label) continue;
+    const cmd = String(ev.execution.label || '').replace(/\s+/g, ' ').trim();
+    if (!cmd) continue;
+    const claim = claimById.get(ev.claimId);
+    if (!claim) continue;
+    const claimTypeStr = String(claim.claimType || '');
+    if (!claimTypeStr.startsWith('workflow.check.') && !(declaredClaimTypes != null && declaredClaimTypes.has(claimTypeStr))) continue;
+    // Deduplicate by command
+    if (seen.has(cmd)) continue;
+    seen.add(cmd);
+    const id = claimCheckId(claim.subjectId);
+    // Use 'pass' as the nominal claimed status; cross-reference catches contradictions.
+    checks.push({ id, kind: 'command', status: 'pass', command: cmd });
+  }
+
+  // (B) Workflow.check.command claims with effective value "pass" but no capture
+  // (no evidence item with execution) — these are originally-claimed-pass checks
+  // that were never captured.
+  for (const c of allClaims) {
+    if (!c || typeof c.claimType !== 'string') continue;
+    const isCommandType = c.claimType === 'workflow.check.command'
+      || (declaredClaimTypes != null && declaredClaimTypes.has(c.claimType));
+    if (!isCommandType) continue;
+    if (normalizedStatus(c.value || '') !== 'pass') continue;
+    // Check if this claim already has a capture evidence item (covered in (A))
+    const hasCapture = allEvidence.some(ev => ev && ev.claimId === c.id && ev.execution && ev.execution.label);
+    if (hasCapture) continue;
+    // No capture — use fieldOrBehavior as command identifier for backstop resolution.
+    const evItem = allEvidence.find(ev => ev && ev.claimId === c.id);
+    const cmd = evItem
+      ? normalizeCommand(evItem.excerptOrSummary || '')
+      : normalizeCommand(c.fieldOrBehavior || '');
+    const id = claimCheckId(c.subjectId);
+    if (!cmd) {
+      checks.push({ id, kind: 'command', status: 'pass', command: '' });
+      continue;
+    }
+    if (seen.has(cmd)) continue;
+    seen.add(cmd);
+    checks.push({ id, kind: 'command', status: 'pass', command: cmd });
+  }
+
+  return checks;
+}
+
+/**
+ * Extract pending acceptance criteria from trust.bundle workflow.acceptance.criterion claims,
+ * or from declared claimTypes when a FlowDefinition is active (P-c extension).
+ * Returns the count of claims whose value is pending/not_started/empty/unknown.
+ * Returns null when the bundle has no matching claims.
+ *
+ * @param {Array} claims - trust.bundle claims array
+ * @param {Set<string>|null} [declaredClaimTypes] - optional set of declared claimTypes from gateExpects[]
+ */
+function bundlePendingCriteriaCount(claims, declaredClaimTypes) {
+  const criteriaClaims = claims.filter(c => {
+    if (!c || typeof c.claimType !== 'string') return false;
+    if (c.claimType === 'workflow.acceptance.criterion') return true;
+    return declaredClaimTypes != null && declaredClaimTypes.has(c.claimType);
+  });
+  if (criteriaClaims.length === 0) return null;
+  const pending = criteriaClaims.filter(c => {
+    const v = normalizedStatus(c.value || '');
+    return v === 'pending' || v === 'not_started' || v === '' || v === 'unknown';
+  });
+  return pending.length;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+
+/**
+ * ADR 0010 Phase 4b: sidecarGuidance — bundle-first evidence/critique reads.
+ * state.json reads are UNCHANGED (state.json stays as primary source).
+ * evidence.json verdict/checks: read from trust.bundle when present, fall back
+ *   to evidence.json for bundle-less sessions (no regression).
+ * not_verified_gaps: always from evidence.json (no bundle equivalent).
+ * critique status: read from trust.bundle when present, fall back to critique.json.
+ *   Finding details: still from critique.json when present (both bundle and sidecar paths).
+ *
+ * ADR 0016 P-c: when activeFlowStep is non-null, pass its declared claimTypes to
+ * bundle helpers so declared-type claims (e.g. builder.verify.tests) produce the
+ * same sidecar guidance signals as workflow.* claims.
+ */
+function sidecarGuidance(root, artifactDir, activeFlowStep) {
+  // Build the declared claimType set from the FlowDefinition gate expects[] (P-c).
+  // Null when no FlowDefinition is active (fallback: helpers use workflow.* prefix only).
+  const declaredClaimTypes = activeFlowStep && Array.isArray(activeFlowStep.gateExpects)
+    ? new Set(activeFlowStep.gateExpects.map(e => e && e.bundle_claim && e.bundle_claim.claimType).filter(Boolean))
+    : null;
   const warnings = [];
   const state = readJsonFile(path.join(artifactDir, 'state.json'));
-  const evidence = readJsonFile(path.join(artifactDir, 'evidence.json'));
-  const critique = readJsonFile(path.join(artifactDir, 'critique.json'));
   const base = relative(root, artifactDir);
 
   if (state) {
     const status = normalizedStatus(state.status || 'unknown');
     const phase = normalizedStatus(state.phase || 'unknown');
     const next = state.next_action && typeof state.next_action === 'object' ? state.next_action : null;
-    if (!['done', 'delivered', 'archived', 'accepted', 'complete', 'completed'].includes(status)) {
-      const nextStatus = next ? normalizedStatus(next.status || 'unknown') : 'unknown';
+    const nextStatus = next ? normalizedStatus(next.status || 'unknown') : 'unknown';
+    // The agent's work is complete when the recorded next action is done — the
+    // gate must not block the agent for a remaining human/CI step (e.g. a verified
+    // task whose only next_action is "commit the migration").
+    const agentComplete = nextStatus === 'done';
+    if (!TERMINAL_STATUSES.has(status) && !agentComplete) {
       const nextSummary = next && next.summary ? `; next_action:${nextStatus} "${safeOneLine(next.summary)}"` : '';
       warnings.push(`${base} workflow state: status:${status} phase:${phase}${nextSummary}`);
     }
@@ -252,54 +540,1074 @@ function sidecarGuidance(root, artifactDir) {
     warnings.push(`${base} next action: ${safeOneLine(next.summary)}${next.target_phase ? ` (target phase: ${safeOneLine(next.target_phase, 80)})` : ''}`);
   }
 
-  if (evidence && normalizedStatus(evidence.verdict) && normalizedStatus(evidence.verdict) !== 'pass') {
-    warnings.push(`${base} evidence verdict:${safeOneLine(evidence.verdict, 40)}; do not deliver without accepted gap or new evidence.`);
+  // ── Evidence verdict + checks: bundle-first, fallback to evidence.json ────
+  const bundle = readJsonFile(path.join(artifactDir, 'trust.bundle'));
+  const bundleClaims = bundle && Array.isArray(bundle.claims) ? bundle.claims : null;
+
+  if (bundleClaims) {
+    // Phase 4b: read verdict and per-check signals from trust.bundle claims.
+    // P-c: pass declaredClaimTypes so declared-type claims are included alongside workflow.*.
+    const verdict = bundleEvidenceVerdict(bundleClaims, declaredClaimTypes);
+    if (verdict && verdict !== 'pass' && verdict !== 'skip') {
+      warnings.push(`${base} evidence verdict:${safeOneLine(verdict, 40)}; do not deliver without accepted gap or new evidence.`);
+    }
+    const blockingChecks = bundleBlockingChecks(bundleClaims, declaredClaimTypes);
+    for (const check of blockingChecks.slice(0, 4)) {
+      const status = safeOneLine(check.status || 'unknown', 40);
+      warnings.push(`${base} evidence check ${safeOneLine(check.id || 'unknown', 80)} status:${status}: ${safeOneLine(check.summary)}`);
+    }
+  } else {
+    // Fallback: no bundle — read from evidence.json (existing behavior, no regression).
+    const evidence = readJsonFile(path.join(artifactDir, 'evidence.json'));
+    if (evidence && normalizedStatus(evidence.verdict) && normalizedStatus(evidence.verdict) !== 'pass') {
+      warnings.push(`${base} evidence verdict:${safeOneLine(evidence.verdict, 40)}; do not deliver without accepted gap or new evidence.`);
+    }
+    if (evidence && Array.isArray(evidence.checks)) {
+      const blockingChecks = evidence.checks.filter(check => {
+        const status = normalizedStatus(check && check.status);
+        return status === 'fail' || status === 'failed' || status === 'not_verified' || status === 'not-verified';
+      });
+      for (const check of blockingChecks.slice(0, 4)) {
+        const status = safeOneLine(check.status || 'unknown', 40);
+        warnings.push(`${base} evidence check ${safeOneLine(check.id || 'unknown', 80)} status:${status}: ${safeOneLine(check.summary)}`);
+      }
+    }
   }
+
+  // not_verified_gaps: always from evidence.json (no bundle equivalent).
+  const evidence = readJsonFile(path.join(artifactDir, 'evidence.json'));
   if (evidence && Array.isArray(evidence.not_verified_gaps) && evidence.not_verified_gaps.length > 0) {
     for (const gap of evidence.not_verified_gaps.slice(0, 3)) {
       warnings.push(`${base} evidence NOT_VERIFIED gap: ${safeOneLine(gap)}`);
     }
   }
-  if (evidence && Array.isArray(evidence.checks)) {
-    const blockingChecks = evidence.checks.filter(check => {
-      const status = normalizedStatus(check && check.status);
-      return status === 'fail' || status === 'failed' || status === 'not_verified' || status === 'not-verified';
+
+  // ── Critique: bundle-first status, critique.json for finding details ──────
+  const critique = readJsonFile(path.join(artifactDir, 'critique.json'));
+
+  if (bundleClaims) {
+    // Phase 4b: read critique status from trust.bundle claims.
+    // P-c: pass declaredClaimTypes so declared-type critique claims are included.
+    const critiqueStatusVal = bundleCritiqueStatus(bundleClaims, declaredClaimTypes);
+    const critiqueIsBlocking = critiqueStatusVal !== null && normalizedStatus(critiqueStatusVal) !== 'pass';
+    if (critiqueIsBlocking) {
+      warnings.push(`${base} critique status:${safeOneLine(critiqueStatusVal || 'unknown', 40)}; required critique must pass or findings be accepted.`);
+      // Finding details: still from critique.json when present (both paths use the same details source).
+      const critiques = critique && Array.isArray(critique.critiques) ? critique.critiques : [];
+      let openCount = 0;
+      for (const review of critiques) {
+        const findings = Array.isArray(review && review.findings) ? review.findings : [];
+        for (const finding of findings) {
+          if (!finding || normalizedStatus(finding.status) !== 'open') continue;
+          warnings.push(`${base} critique open ${safeOneLine(finding.severity || 'unknown', 40)}: ${safeOneLine(finding.description)}`);
+          openCount += 1;
+          if (openCount >= 3) break;
+        }
+        if (openCount >= 3) break;
+      }
+    }
+  } else {
+    // Fallback: no bundle — read from critique.json (existing behavior, no regression).
+    if (critique && critique.required === true && normalizedStatus(critique.status) !== 'pass') {
+      warnings.push(`${base} critique status:${safeOneLine(critique.status || 'unknown', 40)}; required critique must pass or findings be accepted.`);
+      const critiques = Array.isArray(critique.critiques) ? critique.critiques : [];
+      let openCount = 0;
+      for (const review of critiques) {
+        const findings = Array.isArray(review && review.findings) ? review.findings : [];
+        for (const finding of findings) {
+          if (!finding || normalizedStatus(finding.status) !== 'open') continue;
+          warnings.push(`${base} critique open ${safeOneLine(finding.severity || 'unknown', 40)}: ${safeOneLine(finding.description)}`);
+          openCount += 1;
+          if (openCount >= 3) break;
+        }
+        if (openCount >= 3) break;
+      }
+    }
+  }
+
+  return warnings;
+}
+
+// -----------------------------------------------------------------------
+// Capture-first evidence determinism (Part B)
+//
+// The trust.bundle (emitted by workflow-sidecar via @kontourai/surface) carries
+// capture-authoritative evidence items. The capture hook (evidence-capture.js)
+// writes REAL command results to command-log.jsonl at the source. Here at the
+// Stop gate we cross-reference claimed-pass command checks against that captured
+// truth, and only fall back to re-running a TRUSTED command when the log has no
+// execution for a claimed-pass command (i.e. it was never actually run).
+//
+// ADR 0010 Phase 4b: source the claimed-pass command checks from the bundle's
+// evidence[] (execution/command items) instead of evidence.json checks.
+// command-log.jsonl path UNCHANGED — it stays the capture truth source.
+// -----------------------------------------------------------------------
+
+function normalizeCommand(value) {
+  return String(value || '').replace(/\s+/g, ' ').trim();
+}
+
+/**
+ * Read command-log.jsonl into a map of normalized-command -> aggregate outcome.
+ * If the same command was run more than once, a single FAIL makes the aggregate
+ * a fail (a caught false-completion must not be masked by a later pass-claim).
+ */
+function readCommandLog(artifactDir) {
+  const file = path.join(artifactDir, 'command-log.jsonl');
+  let raw = '';
+  try { raw = fs.readFileSync(file, 'utf8'); } catch { return new Map(); }
+  const byCommand = new Map();
+  for (const line of raw.split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    let entry;
+    try { entry = JSON.parse(trimmed); } catch { continue; }
+    if (!entry || typeof entry.command !== 'string') continue;
+    const key = normalizeCommand(entry.command);
+    if (!key) continue;
+    const failed = entry.observedResult === 'fail' || (Number.isInteger(entry.exitCode) && entry.exitCode !== 0);
+    const prev = byCommand.get(key);
+    byCommand.set(key, {
+      ran: true,
+      failed: failed || (prev ? prev.failed : false),
+      exitCode: Number.isInteger(entry.exitCode) ? entry.exitCode : (prev ? prev.exitCode : null),
     });
-    for (const check of blockingChecks.slice(0, 4)) {
-      const status = safeOneLine(check.status || 'unknown', 40);
-      warnings.push(`${base} evidence check ${safeOneLine(check.id || 'unknown', 80)} status:${status}: ${safeOneLine(check.summary)}`);
+  }
+  return byCommand;
+}
+
+/**
+ * Read command-log.jsonl into a map of normalized-command -> LATEST capture outcome.
+ * The LAST entry for each command wins (unlike readCommandLog which makes FAIL sticky).
+ * Used for both capturedFailReconciliation and captureCrossReference (Fix C): we want to
+ * know the LAST result, so a genuine re-run-to-pass clears the earlier FAIL. Only an actual
+ * re-run (new PASS entry in the log) clears it — a new claim cannot change the log.
+ */
+function readLatestCommandLog(artifactDir) {
+  const file = path.join(artifactDir, 'command-log.jsonl');
+  let raw = '';
+  try { raw = fs.readFileSync(file, 'utf8'); } catch { return new Map(); }
+  const byCommand = new Map();
+  for (const line of raw.split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    let entry;
+    try { entry = JSON.parse(trimmed); } catch { continue; }
+    if (!entry || typeof entry.command !== 'string') continue;
+    const key = normalizeCommand(entry.command);
+    if (!key) continue;
+    const failed = entry.observedResult === 'fail' || (Number.isInteger(entry.exitCode) && entry.exitCode !== 0);
+    // LAST entry wins — genuine re-run-to-pass overwrites the earlier FAIL.
+    byCommand.set(key, {
+      ran: true,
+      failed,
+      exitCode: Number.isInteger(entry.exitCode) ? entry.exitCode : null,
+    });
+  }
+  return byCommand;
+}
+
+// ─── Claim-status helpers for capturedFailReconciliation ─────────────────────
+
+/**
+ * Returns true when a claim's stored status+value asserts the command PASSED.
+ * Used to detect namespace-agnostic false-completions.
+ */
+function claimAssertsPass(status, value) {
+  const s = String(status || '').toLowerCase();
+  const v = String(value || '').toLowerCase().replace(/\s+/g, ' ').trim();
+  // Fix E: added 'approved' status alias and 'true'/'ok' value aliases
+  return (s === 'verified' || s === 'assumed' || s === 'accepted' || s === 'trusted' || s === 'approved')
+    && (v === 'pass' || v === 'passed' || v === 'verified' || v === 'true' || v === 'ok');
+}
+
+/**
+ * Returns true when a claim's stored status+value ACKNOWLEDGES a failure
+ * (the agent owned the failure rather than claiming pass).
+ */
+function claimAcknowledgesFailure(status, value) {
+  const s = String(status || '').toLowerCase();
+  const v = String(value || '').toLowerCase().replace(/\s+/g, ' ').trim();
+  return s === 'disputed' || s === 'rejected' || s === 'failing' || s === 'failed'
+    || s === 'not_verified' || s === 'not-verified'
+    || v === 'fail' || v === 'failed' || v === 'not_verified' || v === 'failing';
+}
+
+/**
+ * Returns true when a command string contains an exit-code-neutralizing operator.
+ * A claimed-pass check whose captured command uses one of these cannot be accepted as a
+ * deterministic pass — the real sub-command may have failed silently.
+ *
+ * R6 extended logic (identical patterns used by scripts/ci/trust-reconcile.js — centralize
+ * as a follow-up if drift becomes a maintenance concern):
+ *   - ANY || operator is flagged. A legitimate verification command never needs || — its
+ *     only purpose in a verification command is to mask the real exit code (e.g.
+ *     `npm test || exit 0`, `npm test || echo ok`, `npm test || /bin/true`, `npm test || (exit 0)`).
+ *   - | true  (single pipe into true — always exits 0)
+ *   - Trailing ; or newline followed by: true  :  exit 0  /bin/true
+ *
+ * Fix D: applied in captureCrossReference's satisfied path and capturedFailReconciliation.
+ */
+function hasLaunderingOperator(cmd) {
+  // ANY || in a claimed verification command is an exit-code mask.
+  // Legitimate verification commands never need || — its only purpose there is to
+  // suppress the real exit code (|| exit 0, || echo ok, || /bin/true, || (exit 0), etc.).
+  if (/\|\|/.test(cmd)) return true;
+  // | true  — single-pipe into true: `cmd | true` always exits 0 regardless of left-side exit code.
+  if (/\|\s*true\b/.test(cmd)) return true;
+  // Trailing ; or \n followed by exit-neutralizing commands (same threat, appended after the real cmd):
+  //   ; true    ; :    ; exit 0    ; /bin/true    (and \n variants)
+  if (/[;\n]\s*true\b/.test(cmd)) return true;
+  if (/[;\n]\s*:\s*(?:$|\s|;)/.test(cmd)) return true;
+  if (/[;\n]\s*exit\s+0\b/.test(cmd)) return true;
+  if (/[;\n]\s*\/bin\/true\b/.test(cmd)) return true;
+  return false;
+}
+
+// ─── Hash-chain integrity verification (Increment B2, tamper-EVIDENCE) ────────
+//
+// command-log.jsonl is the independent capture truth source. Each chained entry
+// carries a `_chain` block: {seq, prevHash, hash} where
+//   hash = sha256(prevHash + canonicalJson(record))
+// and canonicalJson is the record WITHOUT `_chain`, keys sorted alphabetically.
+//
+// HONEST FRAMING: this is tamper-EVIDENCE, not tamper-PROOF. An agent that
+// rewrites all hashes can still forge a valid chain. The real tamper-proof
+// boundary is the signed checkpoint (B1). This raises the local bar and catches
+// casual/accidental tampering and corruption.
+//
+// verifyCommandLogChain returns:
+//   "ok"     — all entries have _chain and every hash/linkage is valid.
+//   "legacy" — no _chain fields at all (pre-B2 log); treat as today, no
+//              integrity claim. Backward-compat: existing fixtures stay green.
+//   "broken" — a chained entry has a bad hash or bad linkage; the capture
+//              truth source appears altered/removed/reordered.
+//
+// The genesis prevHash is a fixed arbitrary sentinel — NOT the SHA256 of any
+// specific input string. The comment in evidence-capture.js previously (and
+// incorrectly) claimed it was sha256("flow-agents:command-log:genesis"); it is not.
+// Writer (evidence-capture.js CHAIN_GENESIS) and verifier (CHAIN_GENESIS_VERIFY here)
+// MUST use the same value. Do not change one without changing the other.
+const CHAIN_GENESIS_VERIFY = 'a3f9e2b7d5c84f1e6a0d2c3b9f7e1a4d8c6b5f2e9a0d3c7b1f4e8a2d6c0b9f3';
+
+/**
+ * Canonical JSON for chain verification: record WITHOUT `_chain`, keys sorted.
+ * Must be byte-identical to canonicalJsonForChain() in evidence-capture.js.
+ */
+function canonicalJsonForVerify(record) {
+  const keys = Object.keys(record).filter(k => k !== '_chain').sort();
+  const obj = {};
+  for (const k of keys) obj[k] = record[k];
+  return JSON.stringify(obj);
+}
+
+/**
+ * Verify the hash chain of command-log.jsonl.
+ * Returns { status, brokenAt, forkAt } where:
+ *   status  = "ok" | "legacy" | "broken" | "forked"
+ *   brokenAt = index (0-based) of the first broken entry, or null
+ *   forkAt   = index (0-based) of the first concurrent-fork sibling, or null
+ *
+ * "forked" is a BENIGN concurrent-append race, not tampering: two PostToolUse
+ * captures appended off the same parent tip (e.g. parallel agents sharing one
+ * log) before the writer lock (flow-agents#232) serialized them. It is
+ * distinguished from "broken" because:
+ *   - every entry's hash is still self-consistent (no content was edited), and
+ *   - every entry's parent is reachable (nothing was reordered or removed);
+ *   - the only anomaly is a parent claimed by >1 capture-sourced sibling.
+ * Tamper — a content edit (self-hash mismatch), a reorder, or a deletion
+ * (unreachable parent) — still returns "broken". A fork cannot be used to
+ * launder a content edit: editing a record breaks its self-hash, which is
+ * checked before fork classification.
+ */
+function verifyCommandLogChain(artifactDir) {
+  const file = path.join(artifactDir, 'command-log.jsonl');
+  let raw = '';
+  try { raw = fs.readFileSync(file, 'utf8'); } catch { return { status: 'legacy', brokenAt: null, forkAt: null }; }
+
+  const lines = raw.split('\n').filter(l => l.trim());
+  if (lines.length === 0) return { status: 'legacy', brokenAt: null, forkAt: null };
+
+  // Parse all entries, tolerating unparseable lines (they count as legacy/unchained).
+  const entries = [];
+  for (const line of lines) {
+    try {
+      const entry = JSON.parse(line);
+      if (entry && typeof entry === 'object') entries.push(entry);
+    } catch { /* skip malformed lines */ }
+  }
+  if (entries.length === 0) return { status: 'legacy', brokenAt: null, forkAt: null };
+
+  // Classify: are there any chained entries?
+  const hasAnyChain = entries.some(e => e._chain && typeof e._chain.hash === 'string');
+  if (!hasAnyChain) return { status: 'legacy', brokenAt: null, forkAt: null };
+
+  // Walk in file order. A chained entry is ACCEPTED when both:
+  //   (a) self-consistent: hash === sha256(prevHash + canonicalJson(record)),
+  //       so a content edit (e.g. flipping exitCode) without rehashing fails; and
+  //   (b) reachable: prevHash is genesis or the hash of any prior accepted entry.
+  // We track the SET of reachable hashes (not just the latest tip) so that
+  // concurrent-fork siblings — which share a still-reachable parent — are
+  // tolerated, while a reorder/deletion (parent not reachable) is caught.
+  const reachable = new Set([CHAIN_GENESIS_VERIFY]);
+  const parentSources = new Map(); // prevHash -> [source, ...] (fork detection)
+  let prevWasChained = false;
+  let forked = false;
+  let firstForkAt = null;
+
+  for (let i = 0; i < entries.length; i++) {
+    const entry = entries[i];
+    const chain = entry._chain;
+    if (!chain || typeof chain.hash !== 'string') {
+      // Legacy entry without _chain. If we have already seen a chained entry,
+      // a gap in the chain (a legacy entry in the middle) counts as broken
+      // (it could indicate a removed chained entry was replaced by a legacy one).
+      if (prevWasChained) return { status: 'broken', brokenAt: i, forkAt: null };
+      // Before any chained entry: tolerate (legacy prefix).
+      continue;
     }
+
+    // (a) Self-consistency. A content edit without rehashing fails here.
+    if (typeof chain.prevHash !== 'string') return { status: 'broken', brokenAt: i, forkAt: null };
+    const selfHash = crypto.createHash('sha256')
+      .update(chain.prevHash + canonicalJsonForVerify(entry), 'utf8')
+      .digest('hex');
+    if (chain.hash !== selfHash) return { status: 'broken', brokenAt: i, forkAt: null };
+
+    // (b) Reachability. An unreachable parent means a reorder or a removed
+    // predecessor — structural tamper, not a benign concurrent append.
+    if (!reachable.has(chain.prevHash)) return { status: 'broken', brokenAt: i, forkAt: null };
+
+    // Fork detection: a parent claimed by more than one entry is a fork. It is
+    // benign only when EVERY sibling on that parent is a PostToolUse capture
+    // (two captures racing on the same tip). Any non-capture sibling on a
+    // shared parent is treated as tamper (conservative).
+    const sources = parentSources.get(chain.prevHash) || [];
+    sources.push(entry.source);
+    parentSources.set(chain.prevHash, sources);
+    if (sources.length > 1) {
+      if (!sources.every(s => s === 'postToolUse-capture')) {
+        return { status: 'broken', brokenAt: i, forkAt: null };
+      }
+      if (firstForkAt === null) firstForkAt = i;
+      forked = true;
+    }
+
+    reachable.add(chain.hash);
+    prevWasChained = true;
   }
 
-  if (critique && critique.required === true && normalizedStatus(critique.status) !== 'pass') {
-    warnings.push(`${base} critique status:${safeOneLine(critique.status || 'unknown', 40)}; required critique must pass or findings be accepted.`);
-    const critiques = Array.isArray(critique.critiques) ? critique.critiques : [];
-    let openCount = 0;
-    for (const review of critiques) {
-      const findings = Array.isArray(review && review.findings) ? review.findings : [];
-      for (const finding of findings) {
-        if (!finding || normalizedStatus(finding.status) !== 'open') continue;
-        warnings.push(`${base} critique open ${safeOneLine(finding.severity || 'unknown', 40)}: ${safeOneLine(finding.description)}`);
-        openCount += 1;
-        if (openCount >= 3) break;
+  if (forked) return { status: 'forked', brokenAt: null, forkAt: firstForkAt };
+  return { status: 'ok', brokenAt: null, forkAt: null };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+
+/**
+ * Resolve a TRUSTED command to re-run for a claimed-pass check whose command was
+ * never captured. Priority (most trusted first):
+ *   (a) the command named by the matching acceptance criterion (acceptance.json
+ *       evidence_ref of kind "command", `excerpt`/`command`) — authored upfront.
+ *   (b) the project's declared manifest target — package.json scripts.{test,
+ *       build,lint}, Makefile target, cargo test, pyproject/tox, just/task.
+ *   (c) the model's free-form evidence.checks[].command — ONLY when
+ *       FLOW_AGENTS_GOAL_FIT_RECHECK=true (the RCE-risky opt-in path).
+ * Returns { argv, cwd, source } or null when nothing trusted resolves.
+ */
+function resolveTrustedCommand(root, artifactDir, check, acceptance) {
+  // (a) acceptance criterion command for the matching criterion.
+  const fromAcceptance = acceptanceCommandFor(check, acceptance);
+  if (fromAcceptance) return { argv: ['bash', '-lc', fromAcceptance], cwd: root, source: 'acceptance' };
+
+  // (b) declared manifest target. Map the check command/id to a declared script.
+  const declared = declaredManifestTarget(root, check);
+  if (declared) return { argv: declared.argv, cwd: declared.cwd || root, source: 'manifest' };
+
+  // (c) free-form model command — opt-in only.
+  if (String(process.env.FLOW_AGENTS_GOAL_FIT_RECHECK || '').toLowerCase() === 'true') {
+    const cmd = normalizeCommand(check && check.command);
+    if (cmd) return { argv: ['bash', '-lc', cmd], cwd: root, source: 'model-command (FLOW_AGENTS_GOAL_FIT_RECHECK)' };
+  }
+  return null;
+}
+
+function acceptanceCommandFor(check, acceptance) {
+  if (!acceptance || !Array.isArray(acceptance.criteria)) return null;
+  const checkId = normalizedStatus(check && check.id);
+  const checkCmd = normalizeCommand(check && check.command);
+  let firstCommand = null;
+  for (const criterion of acceptance.criteria) {
+    const refs = Array.isArray(criterion && criterion.evidence_refs) ? criterion.evidence_refs : [];
+    for (const ref of refs) {
+      if (!ref || typeof ref !== 'object' || ref.kind !== 'command') continue;
+      const refCmd = normalizeCommand(ref.excerpt || ref.command);
+      if (!refCmd) continue;
+      if (!firstCommand) firstCommand = refCmd;
+      // Strong match: the criterion id matches the check id, or the commands match.
+      const idMatch = checkId && normalizedStatus(criterion.id) === checkId;
+      if (idMatch || (checkCmd && refCmd === checkCmd)) return refCmd;
+    }
+  }
+  // No id/command match — only fall back to the first authored command when the
+  // check itself names no command (so we still have an upfront-trusted target).
+  return checkCmd ? null : firstCommand;
+}
+
+/**
+ * Map a claimed-pass command check to a project-declared, NAMED manifest target.
+ * Never allowlists arbitrary strings: we only run a target the project itself
+ * declared (npm script, Makefile target, cargo/tox/just/task). The check's
+ * command/id is used to pick WHICH declared target (test|build|lint), not to run
+ * the raw string. `veritas readiness` is just one such declared command — no
+ * special-casing.
+ */
+function declaredManifestTarget(root, check) {
+  const haystack = `${normalizeCommand(check && check.command)} ${normalizedStatus(check && check.id)} ${normalizedStatus(check && check.kind)}`.toLowerCase();
+  let want = null;
+  if (/\btest|spec|jest|vitest|pytest\b/.test(haystack)) want = 'test';
+  else if (/\bbuild|compile|bundle\b/.test(haystack)) want = 'build';
+  else if (/\blint|format|style|typecheck\b/.test(haystack)) want = 'lint';
+  if (!want) return null;
+
+  // package.json scripts.{test,build,lint}
+  const pkg = readJsonFile(path.join(root, 'package.json'));
+  if (pkg && pkg.scripts && typeof pkg.scripts === 'object') {
+    const scriptName = pkg.scripts[want] ? want
+      : want === 'lint' && pkg.scripts.typecheck ? 'typecheck'
+        : null;
+    if (scriptName) return { argv: ['npm', 'run', scriptName, '--silent'], cwd: root };
+  }
+  // Makefile target
+  const makefile = ['Makefile', 'makefile', 'GNUmakefile'].map(n => path.join(root, n)).find(p => fs.existsSync(p));
+  if (makefile) {
+    try {
+      const text = fs.readFileSync(makefile, 'utf8');
+      if (new RegExp(`^${want}\\s*:`, 'm').test(text)) return { argv: ['make', want], cwd: root };
+    } catch { /* ignore */ }
+  }
+  // cargo
+  if (want === 'test' && fs.existsSync(path.join(root, 'Cargo.toml'))) return { argv: ['cargo', 'test'], cwd: root };
+  if (want === 'build' && fs.existsSync(path.join(root, 'Cargo.toml'))) return { argv: ['cargo', 'build'], cwd: root };
+  // py ecosystem: tox / pyproject (declared test target)
+  if (want === 'test' && fs.existsSync(path.join(root, 'tox.ini'))) return { argv: ['tox'], cwd: root };
+  if (want === 'test' && fs.existsSync(path.join(root, 'pyproject.toml'))) return { argv: ['pytest'], cwd: root };
+  // just / task runners
+  for (const runner of [['just', 'justfile'], ['task', 'Taskfile.yml'], ['task', 'Taskfile.yaml']]) {
+    if (fs.existsSync(path.join(root, runner[1]))) return { argv: [runner[0], want], cwd: root };
+  }
+  return null;
+}
+
+function resolveBackstopTimeout() {
+  const raw = Number.parseInt(process.env.FLOW_AGENTS_GOAL_FIT_BACKSTOP_TIMEOUT_MS || '', 10);
+  return Number.isInteger(raw) && raw > 0 ? raw : 120000;
+}
+
+/**
+ * Whether the trusted backstop re-run may ride block mode. Default-on so a
+ * never-actually-run claimed-pass command is caught, but operator-disablable for
+ * latency via FLOW_AGENTS_GOAL_FIT_BACKSTOP=off (re-run becomes warn-only) or
+ * =skip (no re-run at all → record NOT_VERIFIED instead).
+ */
+function resolveBackstopMode() {
+  const v = String(process.env.FLOW_AGENTS_GOAL_FIT_BACKSTOP || '').trim().toLowerCase();
+  if (v === 'off' || v === 'warn' || v === 'skip' || v === 'block') return v === 'warn' ? 'off' : v;
+  return 'block';
+}
+
+function runBackstop(trusted) {
+  const result = spawnSync(trusted.argv[0], trusted.argv.slice(1), {
+    cwd: trusted.cwd,
+    encoding: 'utf8',
+    timeout: resolveBackstopTimeout(),
+    killSignal: 'SIGKILL',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
+  if (result.error) return { ran: false, error: result.error.code || result.error.message };
+  if (result.signal) return { ran: false, error: `killed (${result.signal})`, timedOut: result.signal === 'SIGKILL' || result.signal === 'SIGTERM' };
+  return { ran: true, passed: result.status === 0, exitCode: result.status };
+}
+
+/**
+ * ADR 0010 Phase 4b: captureCrossReference — bundle-first command check sourcing.
+ * Sources the claimed-pass command checks from trust.bundle evidence[] (execution/
+ * command items) when the bundle is present, falling back to evidence.json checks
+ * for bundle-less sessions. command-log.jsonl UNCHANGED — it stays the capture
+ * truth source. The teeth (claimed-pass + captured-fail → block) are byte-identical.
+ *
+ * ADR 0016 P-c (fix): accept activeFlowStep so declared-type sessions (e.g.
+ * builder.verify.tests) are visible to the cross-reference, closing the hole
+ * where captureCrossReference was the only capture consumer not threaded with
+ * the FlowDefinition. Mirrors the pattern in bundleEnforcement / sidecarGuidance.
+ */
+function captureCrossReference(root, artifactDir, activeFlowStep) {
+  // Build the declared claimType set from the FlowDefinition gate expects[] (P-c).
+  // Null when no FlowDefinition is active (fallback: bundleClaimedPassCommandChecks
+  // uses workflow.check.* prefix only — no regression for non-FlowDefinition sessions).
+  const declaredClaimTypes = activeFlowStep && Array.isArray(activeFlowStep.gateExpects)
+    ? new Set(activeFlowStep.gateExpects.map(e => e && e.bundle_claim && e.bundle_claim.claimType).filter(Boolean))
+    : null;
+  const bundle = readJsonFile(path.join(artifactDir, 'trust.bundle'));
+  const acceptance = readJsonFile(path.join(artifactDir, 'acceptance.json'));
+  const log = readLatestCommandLog(artifactDir); // Fix C: latest-wins; genuine fix-then-rerun-to-pass clears the block
+  const base = relative(root, artifactDir);
+  const backstopMode = resolveBackstopMode();
+  const warnings = [];
+
+  // AC3 fail-closed: detect a missing command log in a post-execution session.
+  // When state.json confirms the session is past the planning phase (commands should
+  // have run), but command-log.jsonl is absent, emit a FULL_BLOCK warning.
+  // A genuine pre-execution session (no commands expected yet) is NOT blocked —
+  // distinguished by requiring BOTH a non-pre-execution phase AND a non-pre-execution
+  // status (avoids blocking a freshly planned task that has state.json but no log yet).
+  //
+  // BAR-RAISER: an agent could forge state.json with a pre-execution phase to avoid
+  // this. The real anchor is external (signed checkpoints + human review).
+  {
+    const logFileMissing = !fs.existsSync(path.join(artifactDir, 'command-log.jsonl'));
+    if (logFileMissing) {
+      const captureState = readJsonFile(path.join(artifactDir, 'state.json'));
+      if (captureState) {
+        const capturePhase = normalizedStatus(captureState.phase || '');
+        const captureStatus = normalizedStatus(captureState.status || '');
+        // Post-execution: phase is set AND not a pre-execution phase (idea/backlog/pickup/planning).
+        // Also require status is not a pre-execution status (new/planning/planned/backlog).
+        const postExecPhase = capturePhase && !PRE_EXECUTION_PHASES.has(capturePhase);
+        const preExecStatus = !captureStatus || captureStatus === 'new' || PRE_EXECUTION_STATUSES.has(captureStatus);
+        if (postExecPhase && !preExecStatus) {
+          // Fix #216 over-block: only emit the missing-log warning when a command was
+          // actually EXPECTED to be captured — i.e., the trust.bundle evidence has at
+          // least one item with execution.label (concrete proof a command was meant to
+          // be captured). A no-command session (doc review, policy task advanced to
+          // verification without running shell commands) must NOT be blocked here.
+          // Note: `bundle` is already read at the top of captureCrossReference.
+          const captureEvidence = bundle && Array.isArray(bundle.evidence) ? bundle.evidence : [];
+          const hasExpectedCapture = captureEvidence.some(ev => ev && ev.execution && ev.execution.label);
+          if (hasExpectedCapture) {
+            warnings.push(
+              `${base} expected capture log is missing — possible deletion of the capture truth source; ` +
+              `phase:${capturePhase} status:${captureStatus} indicates commands should have run. ` +
+              'Cannot verify command execution deterministically. ' +
+              'Restore from a checkpoint or investigate.'
+            );
+          }
+        }
       }
-      if (openCount >= 3) break;
     }
   }
 
+  // ── Hash-chain integrity check ──────────────────────────────────────────────
+  // Verify command-log.jsonl before trusting its pass/fail signals. If the chain
+  // is broken (altered, removed, or reordered entries), the capture truth source
+  // is compromised: we must NOT trust its pass signals for claimed-pass checks.
+  //
+  // ok     → proceed normally (chain is valid, log is trustworthy).
+  // legacy → proceed normally (pre-B2 log, no chain to verify, existing behavior).
+  // forked → benign concurrent-append race (not tampering): emit a loud but
+  //          NON-blocking advisory and keep trusting the records. The capture
+  //          contradiction teeth still run (the records are genuine, just not
+  //          linearly ordered); the operator can re-linearize with the repair
+  //          tool. This is what stops honest parallel work from being trapped.
+  // broken → emit a loud warning and treat ALL claimed-pass commands relying on
+  //          this log as NOT_VERIFIED/blocking — do not let them sail through.
+  let chainBroken = false;
+  {
+    const chainResult = verifyCommandLogChain(artifactDir);
+    if (chainResult.status === 'broken') {
+      chainBroken = true;
+      const brokenIdx = chainResult.brokenAt !== null ? ` (entry ${chainResult.brokenAt})` : '';
+      warnings.push(
+        `${base} command-log integrity check FAILED — capture truth source appears tampered${brokenIdx}: ` +
+        'claimed-pass checks relying on it are NOT trusted. ' +
+        'This is tamper-EVIDENCE (hash-chain broken); alteration, removal, or reordering detected. ' +
+        'NOT_VERIFIED: cannot confirm or deny claimed passes.'
+      );
+    } else if (chainResult.status === 'forked') {
+      // NOT a hard block: this string must not match HARD_BLOCK/FULL_BLOCK. A
+      // concurrent fork is benign — no content was edited and nothing was
+      // removed — so honest parallel work proceeds. We surface it loudly and
+      // point at the deterministic repair.
+      const forkIdx = chainResult.forkAt !== null ? ` (entry ${chainResult.forkAt})` : '';
+      warnings.push(
+        `${base} command-log shows a concurrent-capture fork${forkIdx} — two PostToolUse captures appended off the same parent ` +
+        '(parallel writers before the writer lock). This is NOT tampering: every record is self-consistent and reachable. ' +
+        'Records remain trusted; re-linearize with: node scripts/repair-command-log.js <artifact-dir>'
+      );
+    }
+  }
+
+  // Build the list of claimed-pass command checks — bundle-first, evidence.json fallback.
+  let claimedPass;
+  if (bundle && Array.isArray(bundle.claims)) {
+    // Phase 4b: source from trust.bundle evidence[] (execution/command items).
+    claimedPass = bundleClaimedPassCommandChecks(bundle, declaredClaimTypes);
+  } else {
+    // Fallback: no bundle — read from evidence.json (existing behavior, no regression).
+    const evidence = readJsonFile(path.join(artifactDir, 'evidence.json'));
+    if (!evidence || !Array.isArray(evidence.checks)) return warnings;
+    claimedPass = evidence.checks.filter(check => {
+      if (!check || typeof check !== 'object') return false;
+      const kind = normalizedStatus(check.kind);
+      const status = normalizedStatus(check.status);
+      return kind === 'command' && (status === 'pass' || status === 'passed') && normalizeCommand(check.command);
+    });
+  }
+
+  for (const check of claimedPass.slice(0, 8)) {
+    const cmd = normalizeCommand(check.command);
+    if (!cmd) continue;
+    const id = safeOneLine(check.id || cmd, 80);
+    const logged = log.get(cmd);
+
+    if (!chainBroken && logged && logged.ran) {
+      // (1) Cross-reference the capture log first (only when chain is intact).
+      // A broken chain means we cannot trust the log's pass signals — skip this
+      // shortcut and fall through to the backstop/NOT_VERIFIED path below.
+      if (logged.failed) {
+        const exit = Number.isInteger(logged.exitCode) ? ` (exitCode:${logged.exitCode})` : '';
+        warnings.push(`${base} evidence check ${id}: capture log CONTRADICTS claimed pass — command "${safeOneLine(cmd, 120)}" was recorded as FAIL${exit}. This is a caught false-completion.`);
+      } else if (hasLaunderingOperator(cmd)) {
+        // Fix D: exit-code laundering. The captured exit-0 is not trustworthy — the command
+        // baked in '|| true' / '|| :' / '; true' / '; exit 0' / '| true' to mask the real result.
+        warnings.push(`${base} evidence check ${id}: claimed pass relies on an exit-code-laundered command "${safeOneLine(cmd, 120)}" — the exit code is not a trustworthy signal (laundering operators mask the real exit code).`);
+      }
+      // else: log shows it ran and passed with no laundering → satisfied deterministically.
+      continue;
+    }
+
+    // (2) Backstop: the log has NO execution for this claimed-pass command.
+    if (backstopMode === 'skip') {
+      warnings.push(`${base} evidence check ${id}: claimed pass but NOT_VERIFIED — command "${safeOneLine(cmd, 120)}" was never captured and backstop re-run is disabled (FLOW_AGENTS_GOAL_FIT_BACKSTOP=skip).`);
+      continue;
+    }
+    const trusted = resolveTrustedCommand(root, artifactDir, check, acceptance);
+    if (!trusted) {
+      warnings.push(`${base} evidence check ${id}: claimed pass but NOT_VERIFIED — command "${safeOneLine(cmd, 120)}" was never captured and no trusted command (acceptance criterion / declared manifest target) resolves to re-run it. Set FLOW_AGENTS_GOAL_FIT_RECHECK=true to opt into re-running the model's free-form command.`);
+      continue;
+    }
+    const outcome = runBackstop(trusted);
+    if (!outcome.ran) {
+      warnings.push(`${base} evidence check ${id}: claimed pass but NOT_VERIFIED — trusted backstop (${trusted.source}) could not run (${safeOneLine(outcome.error, 80)}).`);
+      continue;
+    }
+    if (!outcome.passed) {
+      const note = `${base} evidence check ${id}: trusted backstop (${trusted.source}) re-run of "${trusted.argv.join(' ')}" FAILED with exit ${outcome.exitCode}, contradicting the claimed pass. This is a caught false-completion.`;
+      if (backstopMode === 'off') warnings.push(`${note} [backstop in warn mode — not blocking]`);
+      else warnings.push(note);
+    }
+    // backstop passed → claim deterministically confirmed by re-run, no warning.
+  }
+
+  return warnings;
+}
+
+/**
+ * Namespace-agnostic captured-FAIL reconciliation (AC1 — closes the allowlist bypass).
+ *
+ * The existing captureCrossReference only checks claims that pass the namespace
+ * allowlist (workflow.* prefix or declared gateExpects[]). A kit-typed claim
+ * (e.g. builder.verify.tests) whose command-log entry says FAIL can slip through
+ * when no active FlowDefinition declares that claimType.
+ *
+ * This function is namespace-agnostic: it builds the LATEST-capture-per-command map
+ * and for each command whose last capture is FAIL it checks:
+ *   (A) Any claim (ANY namespace) asserting pass for that command → false-completion HARD_BLOCK
+ *       Fix A: runs on EVERY stop (status-independent). A claim contradicting the capture is
+ *       a false-completion regardless of whether state.json shows the task as 'done'.
+ * Fix D: also checks commands with laundering operators whose latest capture is PASS (exit 0);
+ *   a claimed-pass for a laundered command is NOT a trustworthy signal.
+ * Fix B: Case B (unaccounted at completion — no-claim-at-all branch) REMOVED.
+ *   It over-blocked incidental failures (grep no-match, git diff --exit-code, etc.).
+ *   Case A covers the real threat (claimed pass contradicts captured fail).
+ * Fix E: verifyCommandLogChain called; on broken chain reconciliation is skipped (log
+ *   integrity is already signalled by captureCrossReference).
+ *
+ * No-over-block guarantees:
+ *   - Fail-then-re-run-to-pass: latest is PASS → not in latestFails → no warning.
+ *   - Acknowledged failure: claim has failing/disputed status → ackClaims → no warning.
+ *   - No-command session: no log → latestLog empty → no warning.
+ *   - Incidental fail (grep/diff/find) with no pass-claim → no warning (Case B removed).
+ */
+function capturedFailReconciliation(root, artifactDir, taskStatus) {
+  // Fix A: removed the `completing` guard. Run on EVERY stop — status-independent.
+  // A claim contradicting the capture is a false-completion whether or not the agent
+  // has set state.json.status to a terminal value. (taskStatus param kept for compat.)
+
+  const latestLog = readLatestCommandLog(artifactDir);
+  if (latestLog.size === 0) return []; // No captures — nothing to reconcile
+
+  // Fix E: verify chain integrity; skip reconciliation when broken (log untrusted).
+  // The main integrity warning is already emitted by captureCrossReference.
+  const chainResult = verifyCommandLogChain(artifactDir);
+  if (chainResult.status === 'broken') return []; // Can't trust pass/fail signals
+
+  // Collect commands whose LATEST capture is FAIL (Case A).
+  const latestFails = new Map(); // cmd -> {failed:true, exitCode}
+  for (const [cmd, info] of latestLog) {
+    if (info.failed) latestFails.set(cmd, info);
+  }
+
+  // Fix D: Collect commands whose latest capture is PASS (exit 0) but whose command
+  // string contains an exit-code-neutralizing operator (laundering). The captured
+  // exit-0 is not a trustworthy signal for these — real test failures are hidden.
+  const launderedPass = new Map(); // cmd -> {failed:false, exitCode:0}
+  for (const [cmd, info] of latestLog) {
+    if (!info.failed && hasLaunderingOperator(cmd)) launderedPass.set(cmd, info);
+  }
+
+  if (latestFails.size === 0 && launderedPass.size === 0) return []; // Nothing to flag
+
+  const base = relative(root, artifactDir);
+  const warnings = [];
+
+  // Load the trust.bundle for claim/evidence analysis.
+  const bundle = readJsonFile(path.join(artifactDir, 'trust.bundle'));
+  const allClaims = bundle && Array.isArray(bundle.claims) ? bundle.claims : [];
+  const allEvidence = bundle && Array.isArray(bundle.evidence) ? bundle.evidence : [];
+
+  // Build: claimId → claim (for fast evidence→claim lookup)
+  const claimById = new Map();
+  for (const c of allClaims) {
+    if (c && c.id) claimById.set(c.id, c);
+  }
+
+  // commandsToCheck: FAIL-latest commands + laundered-pass commands
+  const commandsToCheck = new Set([...latestFails.keys(), ...launderedPass.keys()]);
+
+  // For each relevant command, track what claims say about it.
+  // cmdAcc: cmd → {passClaims: [...], ackClaims: []}
+  const cmdAcc = new Map();
+  const initAcc = (cmd) => {
+    if (!cmdAcc.has(cmd)) cmdAcc.set(cmd, { passClaims: [], ackClaims: [] });
+    return cmdAcc.get(cmd);
+  };
+
+  // Path A: evidence items with execution.label link a claim to a specific command.
+  for (const ev of allEvidence) {
+    if (!ev || !ev.execution || !ev.execution.label) continue;
+    const cmd = normalizeCommand(ev.execution.label);
+    if (!cmd || !commandsToCheck.has(cmd)) continue;
+    const claim = claimById.get(ev.claimId);
+    if (!claim) continue;
+    const acc = initAcc(cmd);
+    const s = String(claim.status || '').toLowerCase();
+    const v = normalizedStatus(claim.value || '');
+    if (claimAssertsPass(s, v)) acc.passClaims.push(claim);
+    if (claimAcknowledgesFailure(s, v)) acc.ackClaims.push(claim);
+  }
+
+  // Path B: claim.fieldOrBehavior resolves directly to the command (field-based resolution).
+  for (const c of allClaims) {
+    if (!c) continue;
+    const cmd = normalizeCommand(c.fieldOrBehavior || '');
+    if (!cmd || !commandsToCheck.has(cmd)) continue;
+    const acc = initAcc(cmd);
+    const s = String(c.status || '').toLowerCase();
+    const v = normalizedStatus(c.value || '');
+    if (claimAssertsPass(s, v)) acc.passClaims.push(c);
+    if (claimAcknowledgesFailure(s, v)) acc.ackClaims.push(c);
+  }
+
+  // Case A: Evaluate each FAIL-latest command for pass-claims (status-independent).
+  for (const [cmd, failInfo] of latestFails) {
+    const exit = Number.isInteger(failInfo.exitCode) ? failInfo.exitCode : null;
+    const exitStr = exit !== null ? ` (exit ${exit})` : '';
+    const acc = cmdAcc.get(cmd);
+
+    if (acc && acc.passClaims.length > 0) {
+      // Any-namespace claim asserts pass for a command whose latest capture is FAIL.
+      // This is the namespace-agnostic false-completion signal.
+      const claim = acc.passClaims[0];
+      warnings.push(
+        `${base} captured command '${safeOneLine(cmd, 120)}' last ran FAIL${exitStr} ` +
+        `but claim ${safeOneLine(claim.subjectId || claim.id, 80)} (${safeOneLine(claim.claimType, 48)}) ` +
+        `asserts pass — namespace-agnostic caught false-completion.`
+      );
+    }
+    // Fix B: Case B (unaccounted at completion — no-claim-at-all) REMOVED.
+    // It over-blocked incidental failures with no pass-claim. Case A covers the real threat.
+    // Acknowledged failure (ackClaims.length > 0) → OK, no warning.
+  }
+
+  // Fix D: Evaluate laundered-pass commands for pass-claims.
+  for (const [cmd] of launderedPass) {
+    const acc = cmdAcc.get(cmd);
+    if (acc && acc.passClaims.length > 0) {
+      const claim = acc.passClaims[0];
+      warnings.push(
+        `${base} captured command '${safeOneLine(cmd, 120)}' claimed pass relies on an ` +
+        `exit-code-laundered command — claim ${safeOneLine(claim.subjectId || claim.id, 80)} ` +
+        `(${safeOneLine(claim.claimType, 48)}) asserts pass but the exit code is not a ` +
+        `trustworthy signal (laundering operators mask the real exit code).`
+      );
+    }
+  }
+
+  return warnings;
+}
+
+// ─── ADR 0010 Phase 2: enforce on the canonical Hachure trust.bundle ──────────
+
+// ─── ADR 0010 Phase 2: enforce on the canonical Hachure trust.bundle ──────────
+// The trust.bundle (emitted by workflow-sidecar via @kontourai/surface) carries
+// each claim's Surface-derived status — including capture-authoritative results
+// (a claimed-pass whose captured command FAILED is already `disputed` here). A
+// high-impact `disputed` claim is the canonical false-completion signal; we gate
+// on the bundle the producers already emit, not on bespoke markdown.
+//
+// ADR 0010 Phase 2b: re-derive-at-gate hardening.
+// We re-derive each claim's status from the bundle's own evidence/events/policies
+// via Surface's canonical deriveClaimStatus, so editing the stored `claim.status`
+// field does not bypass the gate. If the re-derived status is disputed/rejected
+// for a high/critical claim, we block. If the re-derived status DIFFERS from the
+// stored status (e.g. stored "verified" but evidence re-derives to "disputed"),
+// that mismatch is a strong tamper signal — block with an explicit warning.
+// Fail-open: if Surface is unavailable, fall back to the stored-status check.
+//
+// ADR 0016 P-c: when activeFlowStep is non-null, claim-selection uses the gate's
+// declared claimType set (gateExpects[].bundle_claim.claimType). When null, the
+// existing workflow.* prefix filter runs unchanged (fallback). The re-derivation
+// loop, tamper-detection, high/critical filter, and block/exit-2 logic are
+// STRUCTURALLY UNCHANGED — only WHICH claims are selected changes.
+async function bundleEnforcement(artifactDir, activeFlowStep) {
+  const bundle = readJsonFile(path.join(artifactDir, 'trust.bundle'));
+  if (!bundle || !Array.isArray(bundle.claims)) return [];
+
+  const surface = await tryLoadSurface();
+  const warnings = [];
+
+  const allEvidence = Array.isArray(bundle.evidence) ? bundle.evidence : [];
+  const allEvents = Array.isArray(bundle.events) ? bundle.events : [];
+  const allPolicies = Array.isArray(bundle.policies) ? bundle.policies : [];
+
+  // P-c: claim-selection predicate.
+  // When activeFlowStep is non-null, select claims whose claimType is in the
+  // gate's declared set. When null, fall back to the existing workflow.* prefix
+  // filter so no-FlowDefinition sessions are unaffected.
+  const declaredClaimTypes = activeFlowStep && Array.isArray(activeFlowStep.gateExpects)
+    ? new Set(activeFlowStep.gateExpects.map(e => e && e.bundle_claim && e.bundle_claim.claimType).filter(Boolean))
+    : null;
+
+  // SECURITY (Layer 2 — gate-bypass-chain fix): use UNION form instead of if/else.
+  // With the old if/else, an empty declaredClaimTypes (Set{}) from a fake flow with
+  // expects:[] caused isSelectedClaim to return false for EVERY claim — all
+  // bundleEnforcement checks were silently bypassed. The union form ensures workflow.*
+  // claims are ALWAYS enforced regardless of whether a FlowDefinition is active or what
+  // its expects[] contains. Declared claimTypes are added on top of the baseline.
+  //
+  // AC3 two-part dependency (regression guard — see test_captured_fail_reconciliation.sh):
+  //   Part 1 (this union form): ensures bundleEnforcement always enforces workflow.* claims
+  //     regardless of declaredClaimTypes being null or empty Set.
+  //   Part 2 (empty-expects guard below): emits gate-misconfiguration HARD_BLOCK when
+  //     declaredClaimTypes is a non-null empty Set (active flow with expects:[]).
+  //   Both parts are required: Part 1 alone lets the empty-expects bypass slip through
+  //   without a loud signal; Part 2 alone without the union would silently pass 0 claims.
+  const isSelectedClaim = (claim) => {
+    const ct = String(claim.claimType || '');
+    // Union: workflow.* is always selected (baseline); declared types extend it.
+    return ct.startsWith('workflow.') || (declaredClaimTypes != null && declaredClaimTypes.has(ct));
+  };
+
+  // Misconfiguration guard: an active FlowDefinition with zero expects[] is suspicious.
+  // Empty expects can indicate a tampered flow definition (the gate-bypass exploit).
+  // Emit a hard warning so operators see it regardless of session phase.
+  if (declaredClaimTypes !== null && declaredClaimTypes.size === 0) {
+    warnings.push(`gate misconfiguration: active FlowDefinition has empty expects[] (possible tampered flow definition or zero-expects bypass attempt); verify the flow definition is authentic before delivery.`);
+  }
+
+  // AC3 fail-closed (high-assurance path): when @kontourai/surface is unavailable, we
+  // cannot re-derive claim status from evidence/events/policies. For high/critical-impact
+  // selected claims this means we silently trust the stored status field — exactly the
+  // vector re-derive-at-gate (ADR 0010 Phase 2b) was designed to close.
+  // Fail-closed: emit a FULL_BLOCK warning so operators see that re-derivation is absent.
+  // Low-impact-only bundles stay non-blocking (noise reduction for common dev sessions).
+  //
+  // BAR-RAISER, NOT AIRTIGHT: an agent that deletes/corrupts @kontourai/surface to force
+  // surface=null would trigger this path deliberately. The real anchor is external:
+  // signed checkpoints + human review. This raises the cost of the silent-trust vector.
+  if (!surface) {
+    const highImpactCount = bundle.claims.reduce((n, claim) => {
+      if (!claim || typeof claim !== 'object') return n;
+      const impact = String(claim.impactLevel || '').toLowerCase();
+      if (impact !== 'high' && impact !== 'critical') return n;
+      return isSelectedClaim(claim) ? n + 1 : n;
+    }, 0);
+    if (highImpactCount > 0) {
+      warnings.push(
+        `surface unavailable — ${highImpactCount} high/critical-impact claim(s) could not be re-derived at gate; ` +
+        'stored claim status is trusted without independent re-derivation (fail-closed: high-assurance path). ' +
+        'Ensure @kontourai/surface is installed and importable, or escalate for operator review.'
+      );
+    }
+  }
+
+  for (const claim of bundle.claims) {
+    if (!claim || typeof claim !== 'object') continue;
+    const impact = String(claim.impactLevel || '').toLowerCase();
+    const storedStatus = String(claim.status || '').toLowerCase();
+    if (impact !== 'high' && impact !== 'critical') continue;
+    // P-c: claim-selection — only process claims matching the active predicate.
+    if (!isSelectedClaim(claim)) continue;
+
+    // Step 1: Re-derive status via Surface when available.
+    // This closes the gaming vector: editing the stored status field cannot bypass
+    // the gate because we recompute from evidence/events/policies.
+    let recomputedStatus = null; // null means re-derive was not attempted or threw
+    if (surface && typeof surface.deriveClaimStatus === 'function') {
+      const claimId = claim.id;
+      const claimEvidence = allEvidence.filter(ev => ev && ev.claimId === claimId);
+      const claimEvents = allEvents.filter(evt => evt && evt.claimId === claimId);
+      try {
+        const result = surface.deriveClaimStatus({
+          claim,
+          evidence: claimEvidence,
+          events: claimEvents,
+          policies: allPolicies,
+        });
+        recomputedStatus = result && typeof result.status === 'string' ? result.status.toLowerCase() : 'unknown';
+      } catch {
+        // deriveClaimStatus threw (e.g. schema mismatch) — fall back to stored status.
+        recomputedStatus = null;
+      }
+    }
+
+    // Step 2: Compute the effective blocking status.
+    // Use the STRICTER of stored vs recomputed so neither can be individually
+    // gamed: deleting evidence cannot clear a stored `disputed`, and flipping
+    // stored to "verified" cannot hide a recomputed `disputed`.
+    const effectiveDisputed = storedStatus === 'disputed' || storedStatus === 'rejected'
+      || recomputedStatus === 'disputed' || recomputedStatus === 'rejected';
+
+    if (!effectiveDisputed) continue; // neither stored nor recomputed is blocking
+
+    // Step 3: Emit the appropriate warning.
+    // Tamper-detection: stored "verified"/"assumed" but evidence re-derives to
+    // "disputed"/"rejected" — the stored status was likely altered to bypass the gate.
+    const isTampered = recomputedStatus !== null
+      && (storedStatus === 'verified' || storedStatus === 'assumed')
+      && (recomputedStatus === 'disputed' || recomputedStatus === 'rejected');
+
+    if (isTampered) {
+      warnings.push(`trust.bundle claim tampered: ${safeOneLine(claim.subjectId || claim.id, 80)} (${safeOneLine(claim.claimType, 48)}) — stored status "${storedStatus}" does not match recompute "${recomputedStatus}" (possible tampered bundle); caught false-completion. Run: npm run workflow:sidecar -- claim ${safeOneLine(claim.subjectId || claim.id, 80)} ${artifactDir}`);
+    } else {
+      warnings.push(`trust.bundle claim disputed: ${safeOneLine(claim.subjectId || claim.id, 80)} (${safeOneLine(claim.claimType, 48)}) — Surface recompute shows not verified; caught false-completion. Run: npm run workflow:sidecar -- claim ${safeOneLine(claim.subjectId || claim.id, 80)} ${artifactDir}`);
+    }
+  }
   return warnings;
 }
 
-function markdownVerdict(text) {
-  const verdict = (/###\s+Verdict:\s*([A-Za-z_ -]+)/i.exec(text) || [])[1]
-    || (/^Build:\s*\[?([A-Za-z_ -]+)\]?/im.exec(text) || [])[1]
-    || '';
-  return normalizedStatus(verdict).replace(/[^a-z_ -].*$/, '').trim();
+/**
+ * Scope to the session's current task when .flow-agents/current.json points at
+ * one (mirroring evidence-capture.js). Returns the slug dir, or null to fall back
+ * to scanning all of .flow-agents (newest-mtime).
+ */
+function preferredArtifactDir(flowAgentsDir) {
+  const current = readJsonFile(path.join(flowAgentsDir, 'current.json'));
+  if (!current) return null;
+  const slug = current.artifact_dir || current.active_slug;
+  if (typeof slug !== 'string' || !slug.trim()) return null;
+  const safe = slug.replace(/\.\.+/g, '').replace(/^[/\\]+/, '');
+  const dir = path.join(flowAgentsDir, safe);
+  return dir.startsWith(flowAgentsDir + path.sep) && fs.existsSync(dir) ? dir : null;
+}
+
+/**
+ * A task is pre-execution (work not yet started) when its state.json status/phase
+ * is still in the idea→planning band, or (no state.json) its markdown status is.
+ */
+function isPreExecution(artifactDir, markdownStatus) {
+  const state = readJsonFile(path.join(artifactDir, 'state.json'));
+  if (state) {
+    return PRE_EXECUTION_STATUSES.has(normalizedStatus(state.status))
+      || PRE_EXECUTION_PHASES.has(normalizedStatus(state.phase));
+  }
+  return PRE_EXECUTION_STATUSES.has(normalizedStatus(markdownStatus));
+}
+
+
+// ─── Wave 2c: no-bundle/no-state fallback gate ────────────────────────────────
+// Sessions that have NEITHER a trust.bundle NOR a state.json fall through
+// both bundleEnforcement (no bundle) and sidecarGuidance (no state). Without the
+// old markdown heading checks this would create a silent ungated-session path.
+// If a trust.bundle exists, bundleEnforcement handles it. If state.json exists,
+// sidecarGuidance handles it. The gap: a session with only a markdown artifact.
+//
+// ADR 0010 Phase 4b: Adjustment A (Final Acceptance hygiene):
+// When the task is delivered but acceptance criteria are still pending, emit the
+// Final Acceptance reminder. Read from trust.bundle claims when present; fall back
+// to acceptance.json for bundle-less sessions.
+//
+// ADR 0016 P-c: pass activeFlowStep so bundlePendingCriteriaCount includes declared types.
+function missingBundleOrStateSignal(artifactDir, activeFlowStep) {
+  // Build the declared claimType set from the FlowDefinition gate expects[] (P-c).
+  const declaredClaimTypes = activeFlowStep && Array.isArray(activeFlowStep.gateExpects)
+    ? new Set(activeFlowStep.gateExpects.map(e => e && e.bundle_claim && e.bundle_claim.claimType).filter(Boolean))
+    : null;
+  const warnings = [];
+  const hasBundle = fs.existsSync(path.join(artifactDir, 'trust.bundle'));
+  const state = readJsonFile(path.join(artifactDir, 'state.json'));
+
+  if (!hasBundle && !state) {
+    // Neither trust.bundle nor state.json: session is untracked by sidecar path.
+    // Emit a NOT_VERIFIED warning so execution-phase sessions remain gated.
+    const base = path.basename(artifactDir);
+    warnings.push(`${base} NOT_VERIFIED — no trust.bundle or state.json found; run 'workflow-sidecar record-evidence' to build the evidence record before delivery.`);
+    return warnings;
+  }
+
+  // Adjustment A: Final Acceptance hygiene.
+  // When the task is delivered but acceptance criteria are still pending, emit the
+  // Final Acceptance reminder. Bundle-first; fall back to acceptance.json.
+  const bundle = readJsonFile(path.join(artifactDir, 'trust.bundle'));
+  const bundleClaims = bundle && Array.isArray(bundle.claims) ? bundle.claims : null;
+
+  if (bundleClaims) {
+    // Phase 4b: read pending criteria count from trust.bundle claims.
+    // P-c: pass declaredClaimTypes so declared-type acceptance claims are included.
+    const pendingCount = bundlePendingCriteriaCount(bundleClaims, declaredClaimTypes);
+    if (pendingCount !== null && pendingCount > 0) {
+      const base = path.basename(artifactDir);
+      warnings.push(`${base} Final Acceptance: ${pendingCount} acceptance criterion/criteria still pending; complete CI/merge/docs before final delivery.`);
+    }
+  } else {
+    // Fallback: no bundle — read from acceptance.json (existing behavior, no regression).
+    const acceptance = readJsonFile(path.join(artifactDir, 'acceptance.json'));
+    if (acceptance && Array.isArray(acceptance.criteria)) {
+      const pendingCriteria = acceptance.criteria.filter(c => {
+        const s = normalizedStatus(c && c.status);
+        return s === 'pending' || s === 'not_started' || s === '' || s === 'unknown';
+      });
+      if (pendingCriteria.length > 0) {
+        const base = path.basename(artifactDir);
+        warnings.push(`${base} Final Acceptance: ${pendingCriteria.length} acceptance criterion/criteria still pending; complete CI/merge/docs before final delivery.`);
+      }
+    }
+  }
+
+  return warnings;
 }
 
-function analyze(root, now = Date.now()) {
-  const dirs = [path.join(root, '.flow-agents')];
-  const artifacts = dirs
+// ─── Gate severity classification regexes (module scope — used by analyze() and run()) ─
+//
+// HARD_BLOCK: always blocks, even for pre-execution and terminal tasks.
+//   Fires on genuine false-completion signals (a claimed pass the capture log or
+//   evidence.json contradicts), integrity failures, and gate misconfiguration.
+//
+// FULL_BLOCK: fires for execution-onward tasks (post-planning, non-terminal).
+//   Includes all HARD_BLOCK patterns plus completeness/hygiene and not-done state.
+//
+// Both are used in analyze() for blocking decisions AND in run() for the AC2
+// MAX_BLOCKS hard-block guard (preventing auto-release of hard blocks).
+const HARD_BLOCK = /contradicts evidence\.json|caught false-completion|evidence verdict:|evidence check .+ status:|critique status|critique open|required sidecar is missing|command-log integrity check FAILED|gate misconfiguration:|exit-code-laundered/;
+// FULL_BLOCK adds: workflow-state hygiene, surface-unavailable fail-closed, missing log.
+const FULL_BLOCK = /status:|Definition Of Done|Goal Fit|sidecar validation:|contradicts evidence\.json|workflow state|evidence verdict|evidence check|NOT_VERIFIED gap|critique status|critique open|next action|caught false-completion|NOT_VERIFIED —|command-log integrity check FAILED|gate misconfiguration:|surface unavailable —|expected capture log is missing|exit-code-laundered/;
+
+async function analyze(root, now = Date.now()) {
+  const flowAgentsDir = path.join(root, '.flow-agents');
+  // Scope to the session's current task when current.json names one, so an
+  // unrelated active workflow elsewhere in the repo does not gate this stop.
+  const scoped = preferredArtifactDir(flowAgentsDir);
+  const searchDirs = scoped ? [scoped] : [flowAgentsDir];
+  const artifacts = searchDirs
     .flatMap(dir => walkMarkdown(dir))
     .map(readArtifact)
     .filter(isWorkflowArtifact)
@@ -317,51 +1625,174 @@ function analyze(root, now = Date.now()) {
     warnings.push(`${relPath} is still status:${status} (${ageMinutes}m old). Do not final-answer as complete unless the next step is explicit.`);
   }
 
-  if (!hasHeading(latest.text, 'Definition Of Done')) {
-    warnings.push(`${relPath} is missing ## Definition Of Done, so the user-facing finish line is not explicit.`);
-  }
+  // Builder heading completeness checks (hasHeading DOD/Goal Fit Gate) removed in ADR 0010 2c.
+  // Verdict is now bundle-driven via bundleEnforcement + sidecarGuidance.
+  // Sessions with neither trust.bundle nor state.json are caught by missingBundleOrStateSignal.
 
-  if (!hasHeading(latest.text, 'Goal Fit Gate')) {
-    warnings.push(`${relPath} is missing ## Goal Fit Gate, so local acceptance has not been checked.`);
-  } else {
-    for (const item of uncheckedInSection(latest.text, 'Goal Fit Gate').slice(0, 6)) {
-      warnings.push(`${relPath} Goal Fit unchecked: ${item}`);
-    }
-  }
-
-  if (status === 'delivered' && hasHeading(latest.text, 'Final Acceptance')) {
-    const uncheckedFinal = uncheckedInSection(latest.text, 'Final Acceptance');
-    if (uncheckedFinal.length > 0) {
-      warnings.push(`${relPath} local delivery is marked delivered, but Final Acceptance still has ${uncheckedFinal.length} open item(s) for CI/merge/docs promotion.`);
-    }
-  }
+  // ADR 0016 P-c: load the active FlowDefinition gate (fail-open: null when absent).
+  // Null → existing workflow.* fallback path unchanged. Non-null → expects[]-driven claim selection.
+  const activeFlowStep = loadActiveFlowStep(flowAgentsDir);
 
   warnings.push(...sidecarValidation(root, path.dirname(latest.file)));
-  const evidence = readJsonFile(path.join(path.dirname(latest.file), 'evidence.json'));
-  if (evidence && markdownVerdict(latest.text) === 'pass' && normalizedStatus(evidence.verdict) === 'fail') {
-    warnings.push(`${relPath} Markdown PASS contradicts evidence.json verdict fail.`);
+  warnings.push(...sidecarGuidance(root, path.dirname(latest.file), activeFlowStep));
+  const captureWarnings = captureCrossReference(root, path.dirname(latest.file), activeFlowStep);
+  warnings.push(...captureWarnings);
+  // Dedup: bundleEnforcement and captureCrossReference can both fire "caught false-completion"
+  // for the same disputed claim. Suppress the bundleEnforcement warning ONLY when
+  // captureCrossReference already produced a hard-block warning ("caught false-completion")
+  // for the same check. NOT_VERIFIED / backstop-skip capture warnings must NOT suppress
+  // the bundle tamper/disputed signal — that mismatch is a re-derive block independent of
+  // whether the command was ever captured (anti-gaming guarantee, ADR 0010 Phase 2b).
+  const captureHardBlockIds = new Set();
+  for (const w of captureWarnings) {
+    if (!/caught false-completion/.test(w)) continue; // only hard blocks suppress bundle warning
+    const m = /evidence check ([^\s:]+):/.exec(w);
+    if (m) captureHardBlockIds.add(m[1]);
   }
-  warnings.push(...sidecarGuidance(root, path.dirname(latest.file)));
+  const bundleWarnings = (await bundleEnforcement(path.dirname(latest.file), activeFlowStep)).filter(w => {
+    if (!captureHardBlockIds.size) return true;
+    // bundleEnforcement warns: "trust.bundle claim disputed: <subjectId> ..."
+    const m = /trust\.bundle claim (?:disputed|tampered): ([^\s(]+)/.exec(w);
+    if (!m) return true;
+    const subjectId = m[1];
+    // subjectId = "slug/checkId" — extract the checkId (last segment)
+    const checkId = subjectId.includes('/') ? subjectId.slice(subjectId.indexOf('/') + 1) : subjectId;
+    // If captureCrossReference already hard-blocked this check, suppress the bundle warning.
+    return !captureHardBlockIds.has(checkId);
+  });
+  warnings.push(...bundleWarnings);
+  warnings.push(...missingBundleOrStateSignal(path.dirname(latest.file), activeFlowStep));
+
+  // A pre-execution task (not started) OR a terminal task (which is itself a
+  // completion *claim*) must not block on mere incompleteness — but a FALSE claim
+  // (capture/evidence contradiction) still blocks at any phase. This is the whole
+  // point of the capture cross-reference: catch a task that falsely claims done.
+  const gateState = readJsonFile(path.join(path.dirname(latest.file), 'state.json'));
+  const taskStatus = gateState ? normalizedStatus(gateState.status) : normalizedStatus(status);
+  const preExecution = isPreExecution(path.dirname(latest.file), status);
+  const terminal = TERMINAL_STATUSES.has(taskStatus);
+
+  // Namespace-agnostic captured-FAIL reconciliation (AC1 — closes the allowlist bypass).
+  // Fix A: status-independent — runs on EVERY stop. A claim contradicting the capture
+  // is a false-completion whether or not the agent says the task is 'done'.
+  warnings.push(...capturedFailReconciliation(root, path.dirname(latest.file), taskStatus));
 
-  const blocking = warnings.some(w => /status:|Definition Of Done|Goal Fit|sidecar validation:|contradicts evidence\.json|workflow state|evidence verdict|evidence check|NOT_VERIFIED gap|critique status|critique open|next action/.test(w));
-  return { warnings, blocking };
+  // Use module-scope HARD_BLOCK / FULL_BLOCK (defined above analyze()).
+  // pre-execution/terminal tasks: only HARD_BLOCK signals cause a block.
+  // execution-onward tasks: FULL_BLOCK signals cause a block.
+  const blockRe = (preExecution || terminal) ? HARD_BLOCK : FULL_BLOCK;
+  const blocking = warnings.some(w => {
+    // Capture cross-reference warn-mode notes never block (operator opted out).
+    if (/\[backstop in warn mode — not blocking\]/.test(w)) return false;
+    return blockRe.test(w);
+  });
+  return { warnings, blocking, preExecution };
+}
+
+/**
+ * Resolve the enforcement mode. FLOW_AGENTS_GOAL_FIT_MODE (block|warn|off) wins;
+ * the legacy FLOW_AGENTS_GOAL_FIT_STRICT=true maps to block; otherwise the
+ * canonical engine default is warn.
+ */
+function resolveGoalFitMode() {
+  const explicit = String(process.env.FLOW_AGENTS_GOAL_FIT_MODE || '').trim().toLowerCase();
+  if (explicit === 'block' || explicit === 'warn' || explicit === 'off') return explicit;
+  const strict = String(process.env.FLOW_AGENTS_GOAL_FIT_STRICT || '').toLowerCase() === 'true';
+  return strict ? 'block' : 'warn';
+}
+
+/**
+ * Escape hatch: cap how many times block mode may refuse the SAME goal-fit gap
+ * in a row, so a genuinely-unsatisfiable goal cannot trap the agent forever.
+ * After this many consecutive identical blocks the hook releases (exit 0) with a
+ * loud notice. Configurable via FLOW_AGENTS_GOAL_FIT_MAX_BLOCKS (default 3).
+ */
+function resolveMaxBlocks() {
+  const raw = Number.parseInt(process.env.FLOW_AGENTS_GOAL_FIT_MAX_BLOCKS || '', 10);
+  return Number.isInteger(raw) && raw > 0 ? raw : 3;
 }
 
-function run(rawInput) {
+function blockStreakFile(root) {
+  return path.join(root, '.flow-agents', '.goal-fit-block-streak.json');
+}
+
+function reasonsHash(warnings) {
+  const text = (warnings || []).join('\n');
+  let h = 5381;
+  for (let i = 0; i < text.length; i += 1) h = ((h << 5) + h + text.charCodeAt(i)) >>> 0;
+  return String(h);
+}
+
+function clearBlockStreak(root) {
+  try { fs.rmSync(blockStreakFile(root), { force: true }); } catch { /* best effort */ }
+}
+
+function bumpBlockStreak(root, hash) {
+  const file = blockStreakFile(root);
+  const prev = readJsonFile(file) || {};
+  const count = prev.hash === hash ? (Number(prev.count) || 0) + 1 : 1;
+  try {
+    fs.mkdirSync(path.dirname(file), { recursive: true });
+    fs.writeFileSync(file, JSON.stringify({ hash, count }));
+  } catch { /* best effort */ }
+  return count;
+}
+
+async function run(rawInput) {
   const input = parseJson(rawInput);
   const root = findRepoRoot(input.cwd || process.cwd());
-  const result = analyze(root);
-  if (result.warnings.length === 0) return rawInput;
+  const mode = resolveGoalFitMode();
+  if (mode === 'off') return rawInput;
+  const result = await analyze(root);
+  if (result.warnings.length === 0) {
+    clearBlockStreak(root);
+    return rawInput;
+  }
 
   const message = [
     '[Hook] Goal Fit warning:',
     ...result.warnings.map(w => ` - ${w}`),
   ].join('\n');
-  const strict = String(process.env.FLOW_AGENTS_GOAL_FIT_STRICT || '').toLowerCase() === 'true';
+
+  if (mode !== 'block' || !result.blocking) {
+    clearBlockStreak(root);
+    return { stdout: rawInput, stderr: message, exitCode: 0 };
+  }
+
+  const maxBlocks = resolveMaxBlocks();
+  const count = bumpBlockStreak(root, reasonsHash(result.warnings));
+  if (count >= maxBlocks) {
+    // AC2: never auto-release a HARD block (caught false-completion, capture contradiction,
+    // tamper signal, gate misconfiguration, integrity failure). An agent burning through
+    // N identical hard blocks to escape via the streak counter must not work.
+    //
+    // BAR-RAISER, NOT AIRTIGHT: an agent with shell access can still reset the streak
+    // by deleting .flow-agents/.goal-fit-block-streak.json or by modifying the warning
+    // text so the hash changes. The real anchor is external (signed checkpoints + human
+    // review). This raises the cost of the burn-through-the-counter escape vector.
+    const isHardBlock = result.warnings.some(w => {
+      if (/\[backstop in warn mode — not blocking\]/.test(w)) return false;
+      return HARD_BLOCK.test(w);
+    });
+    if (isHardBlock) {
+      // Do NOT clear the streak — keep accumulating so the same hard block stays visible.
+      return {
+        stdout: rawInput,
+        stderr: `${message}\n[Hook] Goal Fit: max-blocks reached but the block is a caught false-completion / integrity failure — not auto-releasing; requires a real fix or operator override.`,
+        exitCode: 2,
+      };
+    }
+    clearBlockStreak(root);
+    return {
+      stdout: rawInput,
+      stderr: `${message}\n[Hook] Goal Fit block RELEASED after ${count} consecutive identical blocks (FLOW_AGENTS_GOAL_FIT_MAX_BLOCKS=${maxBlocks}): the same gap persists, surfacing to the human instead of looping.`,
+      exitCode: 0,
+    };
+  }
   return {
     stdout: rawInput,
-    stderr: message,
-    exitCode: strict && result.blocking ? 2 : 0,
+    stderr: `${message}\n[Hook] Goal Fit BLOCK ${count}/${maxBlocks}.`,
+    exitCode: 2,
   };
 }
 
@@ -372,14 +1803,28 @@ if (require.main === module) {
     if (data.length < MAX_STDIN) data += chunk.substring(0, MAX_STDIN - data.length);
   });
   process.stdin.on('end', () => {
-    const output = run(data);
-    if (output && typeof output === 'object') {
-      if (output.stderr) process.stderr.write(output.stderr.endsWith('\n') ? output.stderr : `${output.stderr}\n`);
-      process.stdout.write(String(output.stdout ?? data));
-      process.exit(Number.isInteger(output.exitCode) ? output.exitCode : 0);
-    }
-    process.stdout.write(String(output));
+    // run() is now async (Surface load). We wrap in an async IIFE so the
+    // stdin/exit flow is preserved and errors are surfaced as warnings (fail-open).
+    (async () => {
+      let output;
+      try {
+        output = await run(data);
+      } catch (err) {
+        // Unexpected failure in the async gate path — fail-open, allow the Stop.
+        process.stderr.write(`[Hook] Goal Fit async error (fail-open): ${String(err && err.message || err)}\n`);
+        process.stdout.write(data);
+        process.exit(0);
+        return;
+      }
+      if (output && typeof output === 'object') {
+        if (output.stderr) process.stderr.write(output.stderr.endsWith('\n') ? output.stderr : `${output.stderr}\n`);
+        process.stdout.write(String(output.stdout ?? data));
+        process.exit(Number.isInteger(output.exitCode) ? output.exitCode : 0);
+        return;
+      }
+      process.stdout.write(String(output));
+    })();
   });
 }
 
-module.exports = { analyze, run, uncheckedInSection, findRepoRoot, sidecarGuidance, safeOneLine };
+module.exports = { analyze, run, resolveGoalFitMode, uncheckedInSection, findRepoRoot, sidecarGuidance, safeOneLine, captureCrossReference, bundleEnforcement, loadActiveFlowStep, readCommandLog, resolveTrustedCommand, declaredManifestTarget, verifyCommandLogChain, CHAIN_GENESIS_VERIFY, hasLaunderingOperator };