@lannguyensi/harness 0.30.1 → 0.32.0

package/dist/cli/pack/hook-runtime-reality.js

@@ -0,0 +1,160 @@
+// Phase 1 Schritt 3 (harness side) — `harness pack hook runtime-reality` runtime verb.
+//
+// PreToolUse drift gate. Wires @lannguyensi/runtime-reality-checker as a
+// real, blocking PreToolUse hook by composing its PURE policy handler
+// with a host-coupled subprocess probe.
+//
+// Why this verb exists at all: the package's own bin
+// (`runtime-reality-policy-pre-tool-use`) ships with `probe: null`, so it
+// always degrades to allow — it can detect a trigger but never compare
+// against actual runtime state. The probe is deliberately left to the
+// harness side so the agent-grounding repo stays free of host-coupling
+// (see agent-grounding/docs/policy-runtime-reality.md "Actuals probe").
+// This verb is that harness-side half: it spawns the operator-configured
+// `RUNTIME_REALITY_PROBE_CMD`, parses its JSON `ActualProcessState[]`, and
+// injects it into the package handler.
+//
+// Failure mode mirrors the package and the understanding-gate pack hook:
+// every load / parse / probe error degrades to ALLOW (exit 0). The only
+// deny path is a probe that actually produced actuals showing critical
+// drift (or the operator's explicit `RUNTIME_REALITY_*_BLOCK` escalations,
+// which the package handler owns). A misconfigured probe must never
+// tarpit the session.
+import { execFileSync } from "node:child_process";
+import { handlePolicyPreToolUse, loadExpectations, } from "@lannguyensi/runtime-reality-checker/policy";
+/** Hard ceiling on a single probe invocation. The hook's own budget_ms
+ *  (default 30s) is the outer bound; keep the probe well inside it so a
+ *  hung `docker ps` degrades to allow rather than blowing the hook
+ *  budget. */
+const PROBE_TIMEOUT_MS = 10_000;
+/** docker ps on a busy host can emit a lot of lines; 4 MiB is generous. */
+const PROBE_MAX_BUFFER = 4 * 1024 * 1024;
+/**
+ * Validate that the probe's stdout parses to an `ActualProcessState[]`.
+ * The package handler treats a thrown probe as "probe failed" and applies
+ * the fail-open / `PROBE_FAIL_BLOCK` policy, so throwing on malformed
+ * output is the correct signal — not silently returning `[]` (which would
+ * read as "nothing is running" and manufacture phantom critical drift).
+ */
+export function parseProbeOutput(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed) {
+        throw new Error("probe produced empty output");
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(trimmed);
+    }
+    catch (err) {
+        throw new Error(`probe output is not valid JSON: ${String(err)}`);
+    }
+    if (!Array.isArray(parsed)) {
+        throw new Error("probe output is not a JSON array of ActualProcessState");
+    }
+    return parsed.map((item, i) => {
+        if (typeof item !== "object" || item === null) {
+            throw new Error(`probe output[${i}] is not an object`);
+        }
+        const rec = item;
+        if (typeof rec.name !== "string") {
+            throw new Error(`probe output[${i}].name must be a string`);
+        }
+        if (typeof rec.running !== "boolean") {
+            throw new Error(`probe output[${i}].running must be a boolean`);
+        }
+        // startup_mode / port are optional and forwarded as-is; the package's
+        // runRealityCheck only reads them when the expectation declares them.
+        return rec;
+    });
+}
+/**
+ * Build a synchronous probe from an operator-configured command string,
+ * or `null` when none is set (handler then takes the no-probe degrade
+ * path). The command runs via `sh -c` so a full command line with args
+ * works. The resolved keyword is passed on the env (RUNTIME_REALITY_KEYWORD)
+ * so a probe script can scope its output; it is deliberately NOT appended
+ * as a positional arg, which would surprise commands that don't ignore
+ * extra args (e.g. `cat file`, `printf`).
+ */
+export function buildSubprocessProbe(probeCmd, env) {
+    const cmd = probeCmd?.trim();
+    if (!cmd)
+        return null;
+    return ({ keyword }) => {
+        const stdout = execFileSync("sh", ["-c", cmd], {
+            encoding: "utf8",
+            timeout: PROBE_TIMEOUT_MS,
+            maxBuffer: PROBE_MAX_BUFFER,
+            env: { ...env, RUNTIME_REALITY_KEYWORD: keyword },
+        });
+        return parseProbeOutput(stdout);
+    };
+}
+const DEFAULT_DEPS = {
+    loadExpectations,
+    buildProbe: buildSubprocessProbe,
+};
+/**
+ * Pure composition: given the raw PreToolUse stdin and an environment,
+ * build the probe and run the package handler. Injectable deps keep this
+ * unit-testable without spawning real subprocesses.
+ */
+export function runRuntimeRealityHook(rawStdin, env, deps = DEFAULT_DEPS) {
+    const probe = deps.buildProbe(env.RUNTIME_REALITY_PROBE_CMD, env);
+    return handlePolicyPreToolUse(rawStdin, env, {
+        loadExpectations: deps.loadExpectations,
+        probe,
+    });
+}
+async function readStdin(stream) {
+    if (stream.isTTY)
+        return "";
+    const chunks = [];
+    for await (const chunk of stream) {
+        chunks.push(chunk);
+    }
+    return Buffer.concat(chunks).toString("utf8");
+}
+function allowResult(reason) {
+    return { stdout: "", stderr: "", exitCode: 0, decision: { kind: "skip", reason } };
+}
+/**
+ * CLI entrypoint for `harness pack hook runtime-reality`. Reads the
+ * PreToolUse event JSON on stdin, runs the drift check, writes the
+ * hookSpecificOutput envelope (deny) / stderr message, and RETURNS the
+ * handler result. It deliberately does NOT call `process.exit`: the
+ * caller in src/cli/index.ts throws `HarnessExitError` on a nonzero
+ * exit code, which lets `main.ts` exit only after the promise resolves
+ * so the deny envelope on stdout fully flushes to the pipe first. A
+ * synchronous `process.exit` here could truncate that envelope and
+ * silently defeat the block. Any unexpected failure resolves to ALLOW.
+ */
+export async function runPackHookRuntimeRealityCli(opts = {}) {
+    const stdin = opts.stdin ?? process.stdin;
+    const stdout = opts.stdout ?? process.stdout;
+    const stderr = opts.stderr ?? process.stderr;
+    let raw = "";
+    try {
+        raw = await readStdin(stdin);
+    }
+    catch {
+        return allowResult("stdin read failed, degraded to allow");
+    }
+    let result;
+    try {
+        result = runRuntimeRealityHook(raw, process.env);
+    }
+    catch (err) {
+        // Defense in depth: the handler already degrades internally, but a
+        // bug in probe construction must not crash the hook.
+        const message = `runtime-reality hook failed silently: ${String(err)}\n`;
+        stderr.write(message);
+        return allowResult("hook construction failed, degraded to allow");
+    }
+    if (result.stdout)
+        stdout.write(result.stdout);
+    if (result.stderr)
+        stderr.write(result.stderr);
+    return result;
+}
+//# sourceMappingURL=hook-runtime-reality.js.map

package/dist/cli/pack/hook-runtime-reality.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hook-runtime-reality.js","sourceRoot":"","sources":["../../../src/cli/pack/hook-runtime-reality.ts"],"names":[],"mappings":"AAAA,uFAAuF;AACvF,EAAE;AACF,yEAAyE;AACzE,sEAAsE;AACtE,wCAAwC;AACxC,EAAE;AACF,qDAAqD;AACrD,0EAA0E;AAC1E,uEAAuE;AACvE,sEAAsE;AACtE,uEAAuE;AACvE,wEAAwE;AACxE,yEAAyE;AACzE,2EAA2E;AAC3E,uCAAuC;AACvC,EAAE;AACF,yEAAyE;AACzE,wEAAwE;AACxE,uEAAuE;AACvE,2EAA2E;AAC3E,oEAAoE;AACpE,sBAAsB;AAEtB,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EACL,sBAAsB,EACtB,gBAAgB,GAIjB,MAAM,6CAA6C,CAAC;AAGrD;;;cAGc;AACd,MAAM,gBAAgB,GAAG,MAAM,CAAC;AAChC,2EAA2E;AAC3E,MAAM,gBAAgB,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;AAEzC;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IACD,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,mCAAmC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;IAC5E,CAAC;IACD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QAC5B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,oBAAoB,CAAC,CAAC;QACzD,CAAC;QACD,MAAM,GAAG,GAAG,IAA+B,CAAC;QAC5C,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,yBAAyB,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,6BAA6B,CAAC,CAAC;QAClE,CAAC;QACD,sEAAsE;QACtE,sEAAsE;QACtE,OAAO,GAAoC,CAAC;IAC9C,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAClC,QAA4B,EAC5B,GAAsB;IAEtB,MAAM,GAAG,GAAG,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC7B,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,OAAO,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE;QACrB,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE;YAC7C,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,gBAAgB;YACzB,SAAS,EAAE,gBAAgB;YAC3B,GAAG,EAAE,EAAE,GAAG,GAAG,EAAE,uBAAuB,EAAE,OAAO,EAAE;SAClD,CAAC,CAAC;QACH,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC,CAAC;AACJ,CAAC;AAOD,MAAM,YAAY,GAA2B;IAC3C,gBAAgB;IAChB,UAAU,EAAE,oBAAoB;CACjC,CAAC;AAEF;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CACnC,QAAgB,EAChB,GAAsB,EACtB,OAA+B,YAAY;IAE3C,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,yBAAyB,EAAE,GAAG,CAAC,CAAC;IAClE,OAAO,sBAAsB,CAAC,QAAQ,EAAE,GAAgB,EAAE;QACxD,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;QACvC,KAAK;KACN,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,MAA6B;IACpD,IAAK,MAA4B,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC;IACnD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,KAAe,CAAC,CAAC;IAC/B,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAChD,CAAC;AAWD,SAAS,WAAW,CAAC,MAAc;IACjC,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,CAAC;AACrF,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,OAAiC,EAAE;IAEnC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC;IAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAE7C,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,WAAW,CAAC,sCAAsC,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,MAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,GAAG,qBAAqB,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,mEAAmE;QACnE,qDAAqD;QACrD,MAAM,OAAO,GAAG,yCAAyC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC;QACzE,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACtB,OAAO,WAAW,CAAC,6CAA6C,CAAC,CAAC;IACpE,CAAC;IAED,IAAI,MAAM,CAAC,MAAM;QAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC/C,IAAI,MAAM,CAAC,MAAM;QAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC/C,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/cli/pack/hook-solution-acceptance-writeguard.d.ts

@@ -0,0 +1,26 @@
+import type { LoaderOptions } from "../loader.js";
+export interface PackHookSolutionAcceptanceWriteguardOptions extends LoaderOptions {
+    stdin?: NodeJS.ReadableStream;
+    stdout?: NodeJS.WritableStream;
+    stderr?: NodeJS.WritableStream;
+    /** Override cwd resolution (test injection). */
+    cwd?: string;
+    /** Override the verdict directory (test injection; default = producer default). */
+    verdictDir?: string;
+}
+export interface PackHookSolutionAcceptanceWriteguardResult {
+    exitCode: number;
+    blocked: boolean;
+    diagnostic: string;
+}
+interface Decision {
+    blocked: boolean;
+    reason: string;
+}
+/**
+ * Pure write-guard decision for a tool event. Exported for direct unit
+ * testing of the full forge-attempt matrix without spinning up the CLI.
+ */
+export declare function evaluateWriteGuard(toolName: string, toolInput: unknown, dir: string, cwd: string): Decision;
+export declare function runPackHookSolutionAcceptanceWriteguardCli(opts?: PackHookSolutionAcceptanceWriteguardOptions): Promise<PackHookSolutionAcceptanceWriteguardResult>;
+export {};

package/dist/cli/pack/hook-solution-acceptance-writeguard.js

@@ -0,0 +1,187 @@
+// `harness pack hook solution-acceptance-writeguard` — PreToolUse
+// anti-forgery write-guard for the `solution-acceptance` policy pack.
+//
+// This is the load-bearing closure of the gate. The completion-gate alone
+// is forgeable: relocating the verdict dir does NOT help because
+// understanding-gate allows all Bash once approved, so an approved agent
+// could `echo '{...ready:true}' > <verdict-dir>/<id>.json` and walk the gate.
+// This hook restores the invariant that the ONLY writer of the verdict dir
+// is the producer (the operator-launched grounding-mcp MCP server, which
+// runs real preflight and does not flow through the agent's gated tools).
+//
+// It denies, on the agent's tool surface:
+//   - Write / Edit / MultiEdit / NotebookEdit whose target file resolves
+//     inside the verdict dir.
+//   - Codex `apply_patch` whose patch body references the verdict dir.
+//   - Bash that is NOT provably read-only AND references the verdict dir
+//     (covers `echo >`, `$SOLUTION_VERDICT_DIR` spellings, `tee`, `mv`/`cp`/
+//     `ln`/`install`, `python3 -c '...path...'`, and `chmod`/`chattr` that
+//     would loosen perms) — or whose shell cwd is inside the dir.
+//
+// Pure reads (`cat <dir>/x.json`) are allowed so the guard is not over-broad.
+//
+// No manifest is consulted: the decision is a pure target-vs-dir check, so
+// the guard cannot be broken by a manifest issue and never blocks a write
+// that does not target the verdict dir. The hook is only wired into settings
+// when the pack is enabled, so a disabled pack never invokes it. It yields to
+// `harness pause` like every other gate.
+//
+// Honest residual (operator decision, 2026-05-30): v1 closes the ENUMERATED
+// write paths above. A path constructed at runtime inside an interpreter
+// with no textual reference is NOT caught; marker signing (a cross-repo
+// follow-up) closes content-authenticity against an unguarded write
+// primitive.
+import { bashReferencesVerdictDir, isInsideDir, PACK_NAME, verdictDir as resolveVerdictDir, } from "../../policy-packs/builtin/solution-acceptance-runtime.js";
+import { isReadOnlyBashCommand } from "./read-only-bash.js";
+import { checkPauseFromLoader } from "../pause-check.js";
+async function readStdin(stream) {
+    return new Promise((resolve, reject) => {
+        let data = "";
+        stream.setEncoding("utf8");
+        stream.on("data", (chunk) => {
+            data += chunk;
+        });
+        stream.on("end", () => resolve(data));
+        stream.on("error", (err) => reject(err));
+    });
+}
+/** Single-file target for path-mutating tools, or null when not applicable. */
+function pathToolTarget(toolName, toolInput) {
+    if (typeof toolInput !== "object" || toolInput === null)
+        return null;
+    const input = toolInput;
+    switch (toolName) {
+        case "Write":
+        case "Edit":
+        case "MultiEdit": {
+            const fp = input["file_path"];
+            return typeof fp === "string" && fp.length > 0 ? fp : null;
+        }
+        case "NotebookEdit": {
+            const np = input["notebook_path"];
+            return typeof np === "string" && np.length > 0 ? np : null;
+        }
+        default:
+            return null;
+    }
+}
+function bashCommandOf(toolInput) {
+    if (typeof toolInput !== "object" || toolInput === null)
+        return "";
+    const cmd = toolInput["command"];
+    return typeof cmd === "string" ? cmd : "";
+}
+/**
+ * Pure write-guard decision for a tool event. Exported for direct unit
+ * testing of the full forge-attempt matrix without spinning up the CLI.
+ */
+export function evaluateWriteGuard(toolName, toolInput, dir, cwd) {
+    // Path-mutating tools: block iff the target resolves inside the dir.
+    const target = pathToolTarget(toolName, toolInput);
+    if (target !== null) {
+        if (isInsideDir(target, dir, cwd)) {
+            return {
+                blocked: true,
+                reason: `${toolName} target resolves inside the harness-protected solution-verdict dir (${dir}); the verdict marker may only be written by the grounding-mcp producer`,
+            };
+        }
+        return { blocked: false, reason: `${toolName} target is outside the verdict dir` };
+    }
+    // Codex apply_patch: best-effort textual reference check on the patch body.
+    if (toolName === "apply_patch") {
+        const input = typeof toolInput === "object" && toolInput !== null
+            ? toolInput
+            : {};
+        const body = typeof input["patch"] === "string"
+            ? input["patch"]
+            : typeof input["input"] === "string"
+                ? input["input"]
+                : JSON.stringify(toolInput ?? "");
+        if (bashReferencesVerdictDir(body, dir)) {
+            return {
+                blocked: true,
+                reason: `apply_patch references the harness-protected solution-verdict dir (${dir})`,
+            };
+        }
+        return { blocked: false, reason: "apply_patch does not reference the verdict dir" };
+    }
+    // Bash: allow provable reads; block non-read-only commands that reference
+    // the dir, or whose shell cwd is inside it.
+    if (toolName === "Bash") {
+        const command = bashCommandOf(toolInput);
+        if (command === "")
+            return { blocked: false, reason: "empty Bash command" };
+        if (isReadOnlyBashCommand(command)) {
+            return { blocked: false, reason: "read-only Bash command" };
+        }
+        if (isInsideDir(".", dir, cwd)) {
+            return {
+                blocked: true,
+                reason: `non-read-only Bash with a shell cwd inside the harness-protected solution-verdict dir (${dir})`,
+            };
+        }
+        if (bashReferencesVerdictDir(command, dir)) {
+            return {
+                blocked: true,
+                reason: `non-read-only Bash references the harness-protected solution-verdict dir (${dir}); the verdict marker may only be written by the grounding-mcp producer`,
+            };
+        }
+        return { blocked: false, reason: "non-read-only Bash does not reference the verdict dir" };
+    }
+    return { blocked: false, reason: `${toolName} is not a guarded write surface` };
+}
+function blockJson(toolName, reason) {
+    const text = `solution-acceptance write-guard: refusing ${toolName}. ${reason}.\n` +
+        `The solution-acceptance verdict marker is derived by the producer from a ` +
+        `real preflight run; hand-writing it would forge a green "done". ` +
+        `Run \`mcp__agent-grounding__solution_evaluate({ id: "<task-id>" })\` instead, ` +
+        `which writes the marker for you.\n` +
+        `Operator override: \`harness pause\`.`;
+    return JSON.stringify({
+        decision: "block",
+        reason: text,
+        hookSpecificOutput: {
+            hookEventName: "PreToolUse",
+            permissionDecision: "deny",
+            permissionDecisionReason: text,
+        },
+    });
+}
+export async function runPackHookSolutionAcceptanceWriteguardCli(opts = {}) {
+    const stdin = opts.stdin ?? process.stdin;
+    const stdout = opts.stdout ?? process.stdout;
+    const stderr = opts.stderr ?? process.stderr;
+    const note = (msg) => {
+        stderr.write(`harness pack hook solution-acceptance-writeguard: ${msg}\n`);
+    };
+    const raw = await readStdin(stdin);
+    let event = {};
+    try {
+        event = JSON.parse(raw.trim() || "{}");
+    }
+    catch {
+        /* event stays {} -> not a guarded surface -> allow */
+    }
+    if (checkPauseFromLoader({ loaderOpts: opts, hookLabel: `${PACK_NAME}-writeguard`, stderr }).paused) {
+        const diagnostic = "harness paused; write-guard allowing without evaluating.";
+        return { exitCode: 0, blocked: false, diagnostic };
+    }
+    const toolName = typeof event.tool_name === "string" ? event.tool_name : "(unknown)";
+    const cwd = typeof opts.cwd === "string" && opts.cwd.length > 0
+        ? opts.cwd
+        : typeof event.cwd === "string" && event.cwd.length > 0
+            ? event.cwd
+            : process.cwd();
+    const dir = opts.verdictDir ?? resolveVerdictDir();
+    const decision = evaluateWriteGuard(toolName, event.tool_input, dir, cwd);
+    if (!decision.blocked) {
+        const diagnostic = `allow — ${decision.reason}`;
+        note(diagnostic);
+        return { exitCode: 0, blocked: false, diagnostic };
+    }
+    const diagnostic = `BLOCK — ${decision.reason}`;
+    note(diagnostic);
+    stdout.write(`${blockJson(toolName, decision.reason)}\n`);
+    return { exitCode: 0, blocked: true, diagnostic };
+}
+//# sourceMappingURL=hook-solution-acceptance-writeguard.js.map

package/dist/cli/pack/hook-solution-acceptance-writeguard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hook-solution-acceptance-writeguard.js","sourceRoot":"","sources":["../../../src/cli/pack/hook-solution-acceptance-writeguard.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAClE,sEAAsE;AACtE,EAAE;AACF,0EAA0E;AAC1E,iEAAiE;AACjE,yEAAyE;AACzE,8EAA8E;AAC9E,2EAA2E;AAC3E,yEAAyE;AACzE,0EAA0E;AAC1E,EAAE;AACF,0CAA0C;AAC1C,yEAAyE;AACzE,8BAA8B;AAC9B,uEAAuE;AACvE,yEAAyE;AACzE,6EAA6E;AAC7E,2EAA2E;AAC3E,kEAAkE;AAClE,EAAE;AACF,8EAA8E;AAC9E,EAAE;AACF,2EAA2E;AAC3E,0EAA0E;AAC1E,6EAA6E;AAC7E,8EAA8E;AAC9E,yCAAyC;AACzC,EAAE;AACF,4EAA4E;AAC5E,yEAAyE;AACzE,wEAAwE;AACxE,oEAAoE;AACpE,aAAa;AAEb,OAAO,EACL,wBAAwB,EACxB,WAAW,EACX,SAAS,EACT,UAAU,IAAI,iBAAiB,GAChC,MAAM,2DAA2D,CAAC;AACnE,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAE5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAwBzD,KAAK,UAAU,SAAS,CAAC,MAA6B;IACpD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,IAAI,GAAG,EAAE,CAAC;QACd,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAC3B,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAClC,IAAI,IAAI,KAAK,CAAC;QAChB,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACtC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC;AAED,+EAA+E;AAC/E,SAAS,cAAc,CAAC,QAAgB,EAAE,SAAkB;IAC1D,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACrE,MAAM,KAAK,GAAG,SAAoC,CAAC;IACnD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO,CAAC;QACb,KAAK,MAAM,CAAC;QACZ,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,EAAE,GAAG,KAAK,CAAC,WAAW,CAAC,CAAC;YAC9B,OAAO,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QAC7D,CAAC;QACD,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,EAAE,GAAG,KAAK,CAAC,eAAe,CAAC,CAAC;YAClC,OAAO,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QAC7D,CAAC;QACD;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,SAAkB;IACvC,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IACnE,MAAM,GAAG,GAAI,SAAqC,CAAC,SAAS,CAAC,CAAC;IAC9D,OAAO,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;AAC5C,CAAC;AAOD;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAgB,EAChB,SAAkB,EAClB,GAAW,EACX,GAAW;IAEX,qEAAqE;IACrE,MAAM,MAAM,GAAG,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IACnD,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,IAAI,WAAW,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;YAClC,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,GAAG,QAAQ,uEAAuE,GAAG,yEAAyE;aACvK,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,QAAQ,oCAAoC,EAAE,CAAC;IACrF,CAAC;IAED,4EAA4E;IAC5E,IAAI,QAAQ,KAAK,aAAa,EAAE,CAAC;QAC/B,MAAM,KAAK,GACT,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,IAAI;YACjD,CAAC,CAAE,SAAqC;YACxC,CAAC,CAAC,EAAE,CAAC;QACT,MAAM,IAAI,GACR,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,QAAQ;YAChC,CAAC,CAAE,KAAK,CAAC,OAAO,CAAY;YAC5B,CAAC,CAAC,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,QAAQ;gBAClC,CAAC,CAAE,KAAK,CAAC,OAAO,CAAY;gBAC5B,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;QACxC,IAAI,wBAAwB,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,CAAC;YACxC,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,sEAAsE,GAAG,GAAG;aACrF,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,gDAAgD,EAAE,CAAC;IACtF,CAAC;IAED,0EAA0E;IAC1E,4CAA4C;IAC5C,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;QACzC,IAAI,OAAO,KAAK,EAAE;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;QAC5E,IAAI,qBAAqB,CAAC,OAAO,CAAC,EAAE,CAAC;YACnC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC;QAC9D,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,0FAA0F,GAAG,GAAG;aACzG,CAAC;QACJ,CAAC;QACD,IAAI,wBAAwB,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC;YAC3C,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,6EAA6E,GAAG,yEAAyE;aAClK,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,uDAAuD,EAAE,CAAC;IAC7F,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,QAAQ,iCAAiC,EAAE,CAAC;AAClF,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB,EAAE,MAAc;IACjD,MAAM,IAAI,GACR,6CAA6C,QAAQ,KAAK,MAAM,KAAK;QACrE,2EAA2E;QAC3E,kEAAkE;QAClE,gFAAgF;QAChF,oCAAoC;QACpC,uCAAuC,CAAC;IAC1C,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,QAAQ,EAAE,OAAO;QACjB,MAAM,EAAE,IAAI;QACZ,kBAAkB,EAAE;YAClB,aAAa,EAAE,YAAY;YAC3B,kBAAkB,EAAE,MAAM;YAC1B,wBAAwB,EAAE,IAAI;SAC/B;KACF,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0CAA0C,CAC9D,OAAoD,EAAE;IAEtD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC;IAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,IAAI,GAAG,CAAC,GAAW,EAAQ,EAAE;QACjC,MAAM,CAAC,KAAK,CAAC,qDAAqD,GAAG,IAAI,CAAC,CAAC;IAC7E,CAAC,CAAC;IAEF,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,CAAC;IACnC,IAAI,KAAK,GAAkB,EAAE,CAAC;IAC9B,IAAI,CAAC;QACH,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,IAAI,CAAkB,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,sDAAsD;IACxD,CAAC;IAED,IAAI,oBAAoB,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,SAAS,aAAa,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;QACpG,MAAM,UAAU,GAAG,0DAA0D,CAAC;QAC9E,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IACrD,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,KAAK,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC;IACrF,MAAM,GAAG,GACP,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC;QACjD,CAAC,CAAC,IAAI,CAAC,GAAG;QACV,CAAC,CAAC,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC;YACrD,CAAC,CAAC,KAAK,CAAC,GAAG;YACX,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;IACtB,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,IAAI,iBAAiB,EAAE,CAAC;IAEnD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,QAAQ,EAAE,KAAK,CAAC,UAAU,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAC1E,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QACtB,MAAM,UAAU,GAAG,WAAW,QAAQ,CAAC,MAAM,EAAE,CAAC;QAChD,IAAI,CAAC,UAAU,CAAC,CAAC;QACjB,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IACrD,CAAC;IAED,MAAM,UAAU,GAAG,WAAW,QAAQ,CAAC,MAAM,EAAE,CAAC;IAChD,IAAI,CAAC,UAAU,CAAC,CAAC;IACjB,MAAM,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC1D,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AACpD,CAAC"}

package/dist/cli/pack/hook-solution-acceptance.d.ts

@@ -0,0 +1,26 @@
+import { type Manifest } from "../../schema/index.js";
+import { type LoaderOptions } from "../loader.js";
+export interface PackHookSolutionAcceptanceOptions extends LoaderOptions {
+    /** Defaults to process.stdin. */
+    stdin?: NodeJS.ReadableStream;
+    /** Defaults to process.stdout. */
+    stdout?: NodeJS.WritableStream;
+    /** Defaults to process.stderr. */
+    stderr?: NodeJS.WritableStream;
+    /** Override cwd resolution (test injection). */
+    cwd?: string;
+    /** Inject a manifest (test). */
+    manifest?: Manifest;
+    /** Override the harness.generated/ directory (test injection). */
+    generatedDir?: string;
+    /** Override the verdict directory (test injection; default = producer default). */
+    verdictDir?: string;
+    /** Override the active-claim resolution (test injection). */
+    activeClaim?: string | null;
+}
+export interface PackHookSolutionAcceptanceResult {
+    exitCode: number;
+    blocked: boolean;
+    diagnostic: string;
+}
+export declare function runPackHookSolutionAcceptanceCli(opts?: PackHookSolutionAcceptanceOptions): Promise<PackHookSolutionAcceptanceResult>;

package/dist/cli/pack/hook-solution-acceptance.js

@@ -0,0 +1,237 @@
+// `harness pack hook solution-acceptance` — PreToolUse completion-gate for
+// the `solution-acceptance` policy pack.
+//
+// Receives Claude Code's PreToolUse event JSON on stdin and emits a
+// `{ decision: "block" }` envelope when the agent is about to FINISH a task
+// (agent-tasks completion verb, or a `git push` / `gh pr merge` bash
+// command) without a READY solution-acceptance verdict at the current git
+// HEAD.
+//
+// The verdict id is the active-claim task id (the same `active-claim` file
+// `harness approve understanding` consumes). With no active claim the gate
+// fails CLOSED — a sessionId fallback would reopen the wrong-scope bug class
+// understanding-gate already fixed.
+//
+// Failure mode: any error in load / parse / HEAD-resolution / verdict-read
+// resolves to BLOCK (branch-protection's fail-closed posture, not
+// understanding-gate's fail-open). The gate's whole job is to prevent
+// completion without earned acceptance, so a bug that silently allowed a
+// finish through would defeat the purpose. The block envelope always names
+// `solution_evaluate` as the recovery path so the operator is never wedged;
+// `harness pause` (honored first) is the operator's hard override.
+import { readActiveClaim, } from "../../policy-packs/builtin/understanding-before-execution-runtime.js";
+import { DEFAULT_PUSH_BASH_RE, evaluateGate, PACK_NAME, readVerdict, resolveProtectedCompletionTools, verdictDir as resolveVerdictDir, } from "../../policy-packs/builtin/solution-acceptance-runtime.js";
+import { resolveGeneratedDir } from "../../io/generated-dir.js";
+import { resolveGitContext } from "../../runtime/git-context.js";
+import { renderAgentFacing } from "../../runtime/agent-facing.js";
+import { PolicyUxSchema } from "../../schema/index.js";
+import { loadManifest } from "../loader.js";
+import { checkPauseFromLoader } from "../pause-check.js";
+const MCP_AGENT_TASKS_PREFIX = "mcp__agent-tasks__";
+async function readStdin(stream) {
+    return new Promise((resolve, reject) => {
+        let data = "";
+        stream.setEncoding("utf8");
+        stream.on("data", (chunk) => {
+            data += chunk;
+        });
+        stream.on("end", () => resolve(data));
+        stream.on("error", (err) => reject(err));
+    });
+}
+function bashCommandOf(toolInput) {
+    if (typeof toolInput !== "object" || toolInput === null)
+        return "";
+    const cmd = toolInput["command"];
+    return typeof cmd === "string" ? cmd : "";
+}
+/**
+ * Decide whether this PreToolUse call is a gated completion action. Returns
+ * the human label of the action when gated, or null when this call should
+ * pass through (the hook matches all Bash, but only push/merge bash commands
+ * are completion actions).
+ */
+function completionActionLabel(toolName, toolInput, protectedVerbs) {
+    if (toolName.startsWith(MCP_AGENT_TASKS_PREFIX)) {
+        const verb = toolName.slice(MCP_AGENT_TASKS_PREFIX.length);
+        if (protectedVerbs.includes(verb))
+            return `agent-tasks ${verb}`;
+        return null;
+    }
+    if (toolName === "Bash") {
+        const command = bashCommandOf(toolInput);
+        if (command && DEFAULT_PUSH_BASH_RE.test(command))
+            return "git push / gh pr merge";
+        return null;
+    }
+    return null;
+}
+function parseConfigUx(raw, stderr) {
+    if (raw === undefined)
+        return undefined;
+    const result = PolicyUxSchema.safeParse(raw);
+    if (!result.success) {
+        stderr.write(`harness pack hook solution-acceptance: config.ux ignored (${result.error.issues
+            .map((i) => `${i.path.join(".") || "<root>"}: ${i.message}`)
+            .join("; ")})\n`);
+        return undefined;
+    }
+    return result.data;
+}
+function blockJson(actionLabel, toolName, taskId, detail, ux, sessionId) {
+    let reasonText;
+    if (ux) {
+        reasonText = renderAgentFacing(ux, {
+            TOOL_NAME: toolName,
+            SESSION_ID: sessionId,
+        });
+    }
+    else {
+        reasonText =
+            `solution-acceptance: refusing ${actionLabel} (${toolName}). ${detail}\n` +
+                `Completion must be EARNED from a real preflight run, not claimed.\n` +
+                `Run the producer for this task, then retry:\n` +
+                `  mcp__agent-grounding__solution_evaluate({ id: "${taskId}" })\n` +
+                `It runs \`preflight run --json\` (lint/typecheck/test/audit/secret) and records a HEAD-pinned verdict. ` +
+                `A clean run at the current HEAD unblocks this tool; a failing run lists the blockers to fix.\n` +
+                `\n` +
+                `Operator override: \`harness pause\` (yields this and every other gate).`;
+    }
+    return JSON.stringify({
+        decision: "block",
+        reason: reasonText,
+        hookSpecificOutput: {
+            hookEventName: "PreToolUse",
+            permissionDecision: "deny",
+            permissionDecisionReason: reasonText,
+        },
+    });
+}
+export async function runPackHookSolutionAcceptanceCli(opts = {}) {
+    const stdin = opts.stdin ?? process.stdin;
+    const stdout = opts.stdout ?? process.stdout;
+    const stderr = opts.stderr ?? process.stderr;
+    const note = (msg) => {
+        stderr.write(`harness pack hook solution-acceptance: ${msg}\n`);
+    };
+    const raw = await readStdin(stdin);
+    let event = {};
+    try {
+        event = JSON.parse(raw.trim() || "{}");
+    }
+    catch {
+        /* event stays {} */
+    }
+    // Operator pause yields even this gate.
+    if (checkPauseFromLoader({ loaderOpts: opts, hookLabel: PACK_NAME, stderr }).paused) {
+        const diagnostic = "harness paused; solution-acceptance allowing without evaluating.";
+        return { exitCode: 0, blocked: false, diagnostic };
+    }
+    const sessionId = (typeof event.session_id === "string" ? event.session_id : undefined) ??
+        process.env["CLAUDE_CODE_SESSION_ID"] ??
+        process.env["CLAUDE_SESSION_ID"] ??
+        "";
+    const toolName = typeof event.tool_name === "string" ? event.tool_name : "(unknown)";
+    const cwd = typeof opts.cwd === "string" && opts.cwd.length > 0
+        ? opts.cwd
+        : typeof event.cwd === "string" && event.cwd.length > 0
+            ? event.cwd
+            : process.cwd();
+    // Load manifest to resolve the pack config. A load failure forces BLOCK
+    // only if this turns out to be a completion action; resolve it first.
+    // `manifestPath` (the resolved manifest base) feeds the harness.generated/
+    // lookup below — it is populated whether the operator passed --config or
+    // the default (~/.harness/harness.yaml) was resolved, so the bare
+    // production hook command still resolves the active-claim id.
+    let manifest = null;
+    let manifestPath;
+    if (opts.manifest) {
+        manifest = opts.manifest;
+    }
+    else {
+        try {
+            const loaded = loadManifest(opts);
+            manifest = loaded.manifest;
+            manifestPath = loaded.resolved.base;
+        }
+        catch (err) {
+            // We cannot tell if this is a gated action without the config, but a
+            // manifest load failure should not block unrelated tool calls. Only
+            // the completion verbs / push commands are ever gated, so classify
+            // by tool name with the DEFAULT verb set as a failsafe.
+            const label = completionActionLabel(toolName, event.tool_input, [
+                "task_finish",
+                "task_submit_pr",
+                "task_merge",
+                "pull_requests_merge",
+            ]);
+            if (label === null) {
+                const diagnostic = `manifest load failed (${err.message}) but ${toolName} is not a completion action; allowing`;
+                note(diagnostic);
+                return { exitCode: 0, blocked: false, diagnostic };
+            }
+            const reason = `manifest load failed (${err.message}); refusing ${label} on failsafe`;
+            const diagnostic = `BLOCK — ${reason}`;
+            note(diagnostic);
+            stdout.write(`${blockJson(label, toolName, "<unknown>", reason, undefined, sessionId)}\n`);
+            return { exitCode: 0, blocked: true, diagnostic };
+        }
+    }
+    const pack = manifest.policy_packs.find((p) => p.name === PACK_NAME);
+    if (!pack) {
+        const diagnostic = `pack "${PACK_NAME}" not declared in manifest, allowing`;
+        note(diagnostic);
+        return { exitCode: 0, blocked: false, diagnostic };
+    }
+    if (!pack.enabled) {
+        const diagnostic = `pack "${PACK_NAME}" is enabled:false, allowing`;
+        note(diagnostic);
+        return { exitCode: 0, blocked: false, diagnostic };
+    }
+    const protectedVerbs = resolveProtectedCompletionTools(pack);
+    const actionLabel = completionActionLabel(toolName, event.tool_input, protectedVerbs);
+    if (actionLabel === null) {
+        const diagnostic = `${toolName} is not a gated completion action; allowing`;
+        note(diagnostic);
+        return { exitCode: 0, blocked: false, diagnostic };
+    }
+    const configUx = parseConfigUx(pack.config["ux"], stderr);
+    // Resolve the verdict id from the active-claim task id. Fail CLOSED when
+    // there is no claim (sessionId fallback would reopen the wrong-scope bug).
+    const generatedDir = opts.generatedDir ??
+        (manifestPath !== undefined
+            ? resolveGeneratedDir({
+                ...(opts.homeDir !== undefined ? { homeDir: opts.homeDir } : {}),
+                manifestPath,
+            })
+            : undefined);
+    const taskId = opts.activeClaim !== undefined
+        ? opts.activeClaim
+        : generatedDir !== undefined
+            ? readActiveClaim(generatedDir)
+            : null;
+    if (!taskId) {
+        const detail = opts.activeClaim === undefined && generatedDir === undefined
+            ? " (could not resolve harness.generated/; pass --config)"
+            : "";
+        const reason = `no active-claim task id recorded${detail}; call mcp__agent-tasks__task_start first (the verdict id is the active task)`;
+        const diagnostic = `BLOCK — ${reason}`;
+        note(diagnostic);
+        stdout.write(`${blockJson(actionLabel, toolName, "<no-active-claim>", reason, configUx, sessionId)}\n`);
+        return { exitCode: 0, blocked: true, diagnostic };
+    }
+    const dir = opts.verdictDir ?? resolveVerdictDir();
+    const currentHead = resolveGitContext(cwd).sha || null;
+    const verdict = readVerdict(dir, taskId);
+    const gate = evaluateGate(verdict, currentHead, taskId);
+    if (gate.allowed) {
+        const diagnostic = `${gate.reason}; allowing ${actionLabel}`;
+        note(diagnostic);
+        return { exitCode: 0, blocked: false, diagnostic };
+    }
+    const diagnostic = `BLOCK — ${gate.reason}`;
+    note(diagnostic);
+    stdout.write(`${blockJson(actionLabel, toolName, taskId, gate.reason, configUx, sessionId)}\n`);
+    return { exitCode: 0, blocked: true, diagnostic };
+}
+//# sourceMappingURL=hook-solution-acceptance.js.map