@manukyalo/scopelock 2.3.0 → 3.0.0

package/README.md

@@ -1,4 +1,4 @@
-# scopelock
+# scopelock v3.0
 
 **Anti-hallucination scope locking for AI coding agents.**
 
@@ -12,86 +12,101 @@ npm install -g @manukyalo/scopelock
 
 ## Features
 
-- **File-level locks**: Run `scopelock lock src/auth.ts` to make the file read-only for agents.
-- **Function-level locks**: Don't want to lock the whole file? Lock specific AST functions so agents can only edit adjacent code.
-- **Dependency Lockdown**: Zero-trust dependency management. Automatically locks `package.json` and other dependency manifests on init to prevent silent dependency drift.
+- **File & Function Locks**: Run `scopelock lock src/auth.ts` or `scopelock lock src/auth.ts:validateToken` to make code read-only for agents.
+- **Production Path Locks (Seal)**: Use `scopelock seal` for critical paths like billing. Agents cannot override this; it requires explicit human sign-off via `scopelock unseal --human-approved=<ticket>`.
+- **Blast Radius Map**: Prevent scope creep *before* it happens. Run `scopelock impact <file>` to see every file that imports a target file before you touch it.
+- **Dependency Lockdown**: Zero-trust dependency management. Automatically locks `package.json` on init to prevent silent dependency drift.
 - **Secret Sentinel**: A hard-blocking pre-commit scanner that physically prevents agents from committing AWS keys, Stripe tokens, or `.env` leaks.
-- **Zero dependencies**: Written in pure Node.js. Install it anywhere without bloating your `node_modules`.
+- **Test Coverage Gate**: Run `scopelock guard --tests` to block any source code changes that aren't accompanied by tests.
+- **Rollback Snapshots**: Run `scopelock save` before an agent starts working, and `scopelock restore` to obliterate any rogue changes instantly.
 
 ---
 
 ## Commands
 
 ```bash
-  scopelock init                           Scan repo and generate .scopelock.json
-  scopelock lock <file>[:<func>] [reason]  Lock a file or a specific function
-  scopelock unlock <file>[:<func>] <reason> Unlock (reason is mandatory)
-  scopelock allow-secret <file> <reason>   Bypass Secret Sentinel for a specific file
-  scopelock context [task]                 Generate AI context block for a task
-  scopelock check                          Check git diff for scope violations and secret leaks
-  scopelock status                         Show manifest summary
+  scopelock init                                    Scan repo and generate .scopelock.json
+  scopelock lock <file>[:<func>] [reason]           Lock a file or a specific function
+  scopelock unlock <file>[:<func>] <reason>          Unlock (reason is mandatory)
+  scopelock seal <file> <reason>                    Permanent production-path lock (no override)
+  scopelock unseal <file> --human-approved=<ticket> <reason>  Release a seal
+  scopelock impact <file>                           Show all files that import this file
+  scopelock trust <file> <reason>                   Bypass Secret Sentinel for a specific file
+  scopelock save                                    Auto-snapshot repo state before an agent session
+  scopelock restore                                 Rollback to the last snapshot
+  scopelock context [task]                          Generate AI context block for a task
+  scopelock guard [--tests]                         Check git diff for violations and secret leaks
+  scopelock status                                  Show manifest summary
 ```
 
-### `scopelock init`
-Scan the repo and generate `.scopelock.json`. Automatically ignores `node_modules`, `.git`, `.next`, `dist`, `build`, `out`, `coverage`, and other build artifacts.
-
-### `scopelock lock <file>[:<function>] [reason]`
-Lock a whole file or a specific named function.
+### `scopelock lock` & `unlock`
+Lock a whole file or a specific named function. Unlock requires a reason that gets logged to history.
 
 ```bash
-# Lock a whole file
 scopelock lock src/lib/supabase.ts "production client — stable"
-
-# Lock a specific function (validates it exists before locking)
 scopelock lock src/auth/token.ts:validateToken "tested — do not touch"
+scopelock unlock src/auth/token.ts:validateToken "fixing JWT expiry edge case"
 ```
 
-### `scopelock unlock <file>[:<function>] <reason>`
-Unlock a file or function. Reason is mandatory and logged.
+### `scopelock seal` & `unseal`
+For files that should *never* be touched without human oversight (e.g., `/billing`, `/migrations`). Seals cannot be removed by `unlock`.
 
 ```bash
-scopelock unlock src/auth/token.ts:validateToken "fixing JWT expiry edge case"
+scopelock seal src/billing/stripe.ts "core billing logic"
+scopelock unseal src/billing/stripe.ts --human-approved=PR-123 "updating webhook"
 ```
 
-### `scopelock allow-secret <file> <reason>`
-Bypass the Secret Sentinel hard-block for a specific file (e.g., when intentionally committing a mock test key).
+### `scopelock impact`
+Before making a change, see the blast radius. Outputs a list of all files in the repository that import the target file.
 
 ```bash
-scopelock allow-secret test/run.js "this is a mock stripe key for testing"
+scopelock impact src/utils/auth.ts
 ```
 
-### `scopelock check`
-Two-tier scope violation check against `git diff HEAD`. Exits non-zero on violations or secret leaks. Wire this up as a `pre-commit` hook.
+### `scopelock guard`
+Two-tier scope violation check against `git diff HEAD`. Exits non-zero on violations or secret leaks. Wire this up as a `pre-commit` hook. Add `--tests` to strictly enforce test coverage for any changed logic.
 
 ```bash
-scopelock check
+scopelock guard
+scopelock guard --tests
 ```
 
-### `scopelock context [task]`
-Output a token-efficient AI context block with all locks clearly flagged.
+### `scopelock save` & `restore`
+Never fear an agent hallucination destroying your workspace again. `save` stores a snapshot in git stash that survives hard resets. `restore` obliterates the working directory and cleanly reverts to the snapshot.
 
 ```bash
-scopelock context "Update the login page"
+scopelock save
+scopelock restore
 ```
+
+### `scopelock trust`
+Bypass the Secret Sentinel hard-block for a specific file (e.g., when intentionally committing a mock test key).
+
+```bash
+scopelock trust test/run.js "this is a mock stripe key for testing"
 ```
-[SCOPE CONTEXT]
-Task: Update the login page
 
-Status:
-  🔒 locked   — 1 file(s)
-  ✏️ active   — 0 file(s)
-  ⬜ unscoped — 14 file(s)
+### `scopelock context`
+Output a token-efficient AI context block with all locks clearly flagged for the agent's system prompt.
 
-Locked files:
-  src/lib/supabase.ts
+```bash
+scopelock context "Update the login page"
 ```
 
-## Agent Skill
+## Agent Skills (Godmode)
+
+`scopelock` ships with 7 native AI Agent Skills located in the `skills/` folder. 
+If you use an agent framework (like Antigravity or Cline) that supports Markdown skills, point it to these folders to automatically teach the agent how to use `scopelock` safely.
 
-`scopelock` includes a native Agent Skill. 
-If you use an agent framework (like Antigravity or Cline) that supports Markdown skills, point it to `skills/scope-enforcement/SKILL.md` to automatically teach the agent how to use `scopelock` safely.
+The skills map directly to features:
+- `scope-enforcement`
+- `dependency-lockdown`
+- `secret-sentinel`
+- `test-coverage-gate`
+- `rollback-snapshot`
+- `blast-radius`
+- `production-path-lock`
 
 ## Data Model
 All state is stored in `.scopelock.json` at the root of your repo.
-
 The manifest is project state, not a personal config. Commit it so your whole team — and all their AI agents — share the same scope boundaries.

package/bin/scopelock.js

@@ -55,60 +55,60 @@ switch (command) {
     break;
   }
 
-  case 'check':
-    git.check(args);
+  case 'guard':
+    git.guard(args);
     break;
 
   case 'status':
     manifest.status();
     break;
 
-  case 'blast-radius': {
+  case 'impact': {
     const target = args[0];
     if (!target) {
-      console.error('Usage: scopelock blast-radius <file>');
+      console.error('Usage: scopelock impact <file>');
       process.exit(1);
     }
     blast.printBlastRadius(target);
     break;
   }
 
-  case 'superlock': {
+  case 'seal': {
     const target = args[0];
-    const reason = args.slice(1).join(' ') || 'production path — superlock applied';
+    const reason = args.slice(1).join(' ') || 'production path — seal applied';
     if (!target) {
-      console.error('Usage: scopelock superlock <file> <reason>');
+      console.error('Usage: scopelock seal <file> <reason>');
       process.exit(1);
     }
-    manifest.superlock(target, reason);
+    manifest.seal(target, reason);
     break;
   }
 
-  case 'sudo-unlock': {
+  case 'unseal': {
     const target = args[0];
     const ticketArg = args.find(a => a.startsWith('--human-approved='));
     const ticket = ticketArg ? ticketArg.replace('--human-approved=', '') : null;
     const reason = args.filter(a => !a.startsWith('--')).slice(1).join(' ');
     if (!target || !ticket || !reason) {
-      console.error('Usage: scopelock sudo-unlock <file> --human-approved=<ticket> <reason>');
+      console.error('Usage: scopelock unseal <file> --human-approved=<ticket> <reason>');
       process.exit(1);
     }
-    manifest.sudoUnlock(target, ticket, reason);
+    manifest.unseal(target, ticket, reason);
     break;
   }
 
-  case 'allow-secret': {
+  case 'trust': {
     const target = args[0];
     const reason = args.slice(1).join(' ');
     if (!target || !reason) {
-      console.error('Usage: scopelock allow-secret <file> <reason>');
+      console.error('Usage: scopelock trust <file> <reason>');
       process.exit(1);
     }
-    manifest.allowSecret(target, reason);
+    manifest.trust(target, reason);
     break;
   }
 
-  case 'snapshot': {
+  case 'save': {
     try {
       const ts = new Date().toISOString().replace(/[:.]/g, '-');
       const manifestObj = manifest.getManifest();
@@ -129,7 +129,7 @@ switch (command) {
       }
 
       manifest.saveManifest(manifestObj);
-      console.log(`✅ Snapshot created. Run 'scopelock revert' to obliterate agent changes and restore this state.`);
+      console.log(`✅ Snapshot created. Run 'scopelock restore' to obliterate agent changes and restore this state.`);
     } catch (e) {
       console.error('Failed to create snapshot.', e.stderr || e.message);
       process.exit(1);
@@ -137,11 +137,11 @@ switch (command) {
     break;
   }
 
-  case 'revert': {
+  case 'restore': {
     try {
       const manifestObj = manifest.getManifest();
       if (!manifestObj.lastSnapshot) {
-        console.error('❌ No snapshot found. Run `scopelock snapshot` first.');
+        console.error('❌ No snapshot found. Run `scopelock save` first.');
         process.exit(1);
       }
       console.log(`Obliterating agent mess...`);
@@ -174,14 +174,14 @@ Usage:
   scopelock init                                    Scan repo and generate .scopelock.json
   scopelock lock <file>[:<func>] [reason]           Lock a file or a specific function
   scopelock unlock <file>[:<func>] <reason>          Unlock (reason is mandatory)
-  scopelock superlock <file> <reason>               Permanent production-path lock (no override)
-  scopelock sudo-unlock <file> --human-approved=<ticket> <reason>  Release a superlock
-  scopelock blast-radius <file>                     Show all files that import this file
-  scopelock allow-secret <file> <reason>            Bypass Secret Sentinel for a specific file
-  scopelock snapshot                                Auto-snapshot repo state before an agent session
-  scopelock revert                                  Rollback to the last snapshot
+  scopelock seal <file> <reason>                    Permanent production-path lock (no override)
+  scopelock unseal <file> --human-approved=<ticket> <reason>  Release a seal
+  scopelock impact <file>                           Show all files that import this file
+  scopelock trust <file> <reason>                   Bypass Secret Sentinel for a specific file
+  scopelock save                                    Auto-snapshot repo state before an agent session
+  scopelock restore                                 Rollback to the last snapshot
   scopelock context [task]                          Generate AI context block for a task
-  scopelock check [--require-tests]                 Check git diff for violations and secret leaks
+  scopelock guard [--tests]                         Check git diff for violations and secret leaks
   scopelock status                                  Show manifest summary
 
 
@@ -190,7 +190,7 @@ Examples:
   scopelock lock src/auth.ts:validateToken "stable — do not touch"
   scopelock unlock src/auth.ts:validateToken "need to fix JWT expiry bug"
   scopelock context "Fix the broken checkout flow"
-  scopelock check
+  scopelock guard
     `);
     process.exit(1);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@manukyalo/scopelock",
-  "version": "2.3.0",
+  "version": "3.0.0",
   "description": "Anti-hallucination scope locking for AI coding agents.",
   "main": "bin/scopelock.js",
   "bin": {

package/skills/blast-radius/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: blast-radius-map
-description: "Godmode Skill: Before modifying any file, run 'scopelock blast-radius <file>' to see every other file that imports it. Prevents scope creep by making the full impact of a change visible BEFORE the agent writes a single line."
+description: "Godmode Skill: Before modifying any file, run 'scopelock impact <file>' to see every other file that imports it. Prevents scope creep by making the full impact of a change visible BEFORE the agent writes a single line."
 ---
 
 ## Overview
@@ -15,7 +15,7 @@ This skill instructs the agent to **check before it touches**, not after.
 
 1. Run the blast radius check first:
    ```bash
-   scopelock blast-radius src/utils/auth.ts
+   scopelock impact src/utils/auth.ts
    ```
 
 2. Read the output:
@@ -49,7 +49,7 @@ This skill instructs the agent to **check before it touches**, not after.
 
 5. Make your change to the target file only.
 
-6. Run `scopelock check` to verify no locked files were touched.
+6. Run `scopelock guard` to verify no locked files were touched.
 
 ## Why this exists
 

package/skills/dependency-lockdown/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: dependency-lockdown
-description: "Godmode Skill: Prevents AI agents from silently adding or upgrading npm/pip/cargo packages. Dependency manifest files (package.json, requirements.txt, etc.) are automatically locked by scopelock on init. Any diff touching these files will fail scopelock check until explicitly unlocked with a reason."
+description: "Godmode Skill: Prevents AI agents from silently adding or upgrading npm/pip/cargo packages. Dependency manifest files (package.json, requirements.txt, etc.) are automatically locked by scopelock on init. Any diff touching these files will fail scopelock guard until explicitly unlocked with a reason."
 ---
 
 ## Overview
@@ -22,7 +22,7 @@ On `scopelock init`, the following files are **automatically locked** without an
    scopelock unlock package.json "adding zod for runtime validation of API responses"
    ```
 2. Make your change (add the dependency to the manifest).
-3. Run `scopelock check` to confirm the change is authorized.
+3. Run `scopelock guard` to confirm the change is authorized.
 4. Re-lock the manifest immediately after:
    ```bash
    scopelock lock package.json "dependencies updated and reviewed"

package/skills/production-path-lock/SKILL.md

@@ -1,56 +1,56 @@
 ---
 name: production-path-lock
-description: "Godmode Skill: A permanent, override-resistant lock for critical production paths like /auth, /billing, /migrations. Regular 'scopelock unlock' cannot bypass it. Requires a second human's explicit sign-off via 'scopelock sudo-unlock' with a ticket."
+description: "Godmode Skill: A permanent, override-resistant lock for critical production paths like /auth, /billing, /migrations. Regular 'scopelock unlock' cannot bypass it. Requires a second human's explicit sign-off via 'scopelock unseal' with a ticket."
 ---
 
 ## Overview
 
-Some files must never be touched by an AI agent without explicit human sign-off. Your `/auth` logic, billing handlers, and database migration files are not negotiable. A `superlock` makes this a physical constraint, not a policy.
+Some files must never be touched by an AI agent without explicit human sign-off. Your `/auth` logic, billing handlers, and database migration files are not negotiable. A `seal` makes this a physical constraint, not a policy.
 
-A superlocked file cannot be overridden by `scopelock unlock`. The agent must stop, escalate to a human, and provide a traceable ticket before any modification is allowed.
+A sealed file cannot be overridden by `scopelock unlock`. The agent must stop, escalate to a human, and provide a traceable ticket before any modification is allowed.
 
-## Recommended Files to Superlock on Every Project
+## Recommended Files to Seal on Every Project
 
 ```bash
 # Authentication
-scopelock superlock src/auth/token.ts "core auth — requires senior review"
-scopelock superlock src/middleware/auth.ts "core auth — requires senior review"
+scopelock seal src/auth/token.ts "core auth — requires senior review"
+scopelock seal src/middleware/auth.ts "core auth — requires senior review"
 
 # Billing & Payments
-scopelock superlock src/billing/stripe.ts "billing — requires finance team approval"
-scopelock superlock src/billing/webhooks.ts "billing — requires finance team approval"
+scopelock seal src/billing/stripe.ts "billing — requires finance team approval"
+scopelock seal src/billing/webhooks.ts "billing — requires finance team approval"
 
 # Database Migrations
-scopelock superlock migrations/ "schema changes — requires DBA review"
+scopelock seal migrations/ "schema changes — requires DBA review"
 
 # Security-critical config
-scopelock superlock .env.production "production secrets — never touch"
+scopelock seal .env.production "production secrets — never touch"
 ```
 
 ## Agent Protocol
 
-### When you encounter a superlocked file:
+### When you encounter a sealed file:
 ```
-❌ 'src/auth/token.ts' is SUPERLOCKED and cannot be unlocked with 'scopelock unlock'.
+❌ 'src/auth/token.ts' is SEALED and cannot be unlocked with 'scopelock unlock'.
    This path is a protected production route.
-   Use: scopelock sudo-unlock src/auth/token.ts --human-approved=<ticket> <reason>
+   Use: scopelock unseal src/auth/token.ts --human-approved=<ticket> <reason>
 ```
 
 1. **STOP.** Do not attempt to work around the lock.
 2. **Escalate.** Tell the human you cannot proceed without their explicit approval.
 3. **The human must run:**
    ```bash
-   scopelock sudo-unlock src/auth/token.ts --human-approved=JIRA-123 "fixing JWT expiry bug approved in PR-456"
+   scopelock unseal src/auth/token.ts --human-approved=JIRA-123 "fixing JWT expiry bug approved in PR-456"
    ```
-4. Only after you see the `SUDO-UNLOCKED` confirmation may you proceed.
-5. Re-superlock the file immediately after your change is committed:
+4. Only after you see the `UNSEALED` confirmation may you proceed.
+5. Re-seal the file immediately after your change is committed:
    ```bash
-   scopelock superlock src/auth/token.ts "re-locked after JWT fix — JIRA-123"
+   scopelock seal src/auth/token.ts "re-locked after JWT fix — JIRA-123"
    ```
 
 ## The Audit Trail
 
-Every `sudo-unlock` is permanently logged in `.scopelock.json` with:
+Every `unseal` is permanently logged in `.scopelock.json` with:
 - The timestamp
 - The human-approved ticket number
 - The full reason string
@@ -59,4 +59,4 @@ This creates a traceable, auditable record of every time a production path was m
 
 ## Why this exists
 
-`locked` is a request. `superlocked` is a wall. Some files need a wall.
+`locked` is a request. `sealed` is a wall. Some files need a wall.

package/skills/rollback-snapshot/SKILL.md

@@ -5,19 +5,19 @@ description: "Godmode Skill: Creates a one-command safety net before every agent
 
 ## Overview
 
-Before you let an agent loose on a codebase, you need a guaranteed escape hatch. `scopelock snapshot` creates that escape hatch using git's native stash mechanism. It is instant, requires no external tools, and can restore the repo to its exact pre-session state in under one second.
+Before you let an agent loose on a codebase, you need a guaranteed escape hatch. `scopelock save` creates that escape hatch using git's native stash mechanism. It is instant, requires no external tools, and can restore the repo to its exact pre-session state in under one second.
 
 ## How Storage Works
 
 - The snapshot is stored in **git's local stash** (`.git/refs/stash`) — it never leaves your machine and is never pushed to GitHub.
-- The `.scopelock.json` manifest stores a pointer (`lastSnapshot: "dirty" | "clean"`) so `scopelock revert` knows what to restore.
+- The `.scopelock.json` manifest stores a pointer (`lastSnapshot: "dirty" | "clean"`) so `scopelock restore` knows what to restore.
 - If you clone the repo on a new machine, the snapshot is gone — this is correct. Snapshots are session-scoped, not repository-scoped.
 
 ## Agent Protocol
 
 ### At the start of EVERY agent session:
 ```bash
-scopelock snapshot
+scopelock save
 ```
 This is the first command you run, before writing a single line of code.
 
@@ -26,7 +26,7 @@ Simply commit your work normally. The stash will remain in git until git's garba
 
 ### If the agent goes rogue:
 ```bash
-scopelock revert
+scopelock restore
 ```
 This command:
 1. Runs `git reset --hard HEAD` — obliterates all tracked file changes.

package/skills/scope-enforcement/SKILL.md

@@ -10,7 +10,7 @@ AI coding agents default to the shortest path to a passing result — which freq
 This skill uses `scopelock` — a zero-dependency Node.js CLI — to enforce two tiers of scope protection:
 
 - **File-level:** An entire file is locked. No agent may touch it.
-- **Function-level:** A specific function within a file is locked. The file may be edited, but that function's body is off-limits. `scopelock check` detects if any changed line falls inside the locked function's boundaries.
+- **Function-level:** A specific function within a file is locked. The file may be edited, but that function's body is off-limits. `scopelock guard` detects if any changed line falls inside the locked function's boundaries.
 
 The skill operates at three checkpoints: **Session Start**, **Pre-Commit**, and **Post-Task Review**.
 
@@ -64,7 +64,7 @@ scopelock lock src/auth/token.ts:validateToken "tested, do not touch"
 
 **Step 4: Run the scope check.**
 ```bash
-scopelock check
+scopelock guard
 ```
 
 Two-tier enforcement:
@@ -87,7 +87,7 @@ git restore <file>
 *Genuinely required change:*
 ```bash
 scopelock unlock src/auth/token.ts:validateToken "fixing JWT expiry edge case"
-scopelock check   # must pass before committing
+scopelock guard   # must pass before committing
 ```
 
 ---
@@ -108,7 +108,7 @@ scopelock lock src/auth/token.ts:validateToken "fixed and re-locked"
 
 ```bash
 echo '#!/bin/sh
-scopelock check' > .git/hooks/pre-commit
+scopelock guard' > .git/hooks/pre-commit
 chmod +x .git/hooks/pre-commit
 ```
 
@@ -123,14 +123,14 @@ chmod +x .git/hooks/pre-commit
 | "The agent said it needed to modify that function." | Then re-evaluate scope, not the lock. If you can't write a specific reason, the modification isn't justified. |
 | "Function-level locking is overkill." | File-level locking doesn't stop an agent from rewriting a critical function inside a file marked `active`. |
 | "The parser didn't detect my function." | Use file-level locking instead. Flag the miss — it's a parser bug, not a reason to skip protection. |
-| "Running `scopelock check` slows my commit flow." | Under 300ms. The alternative is debugging a hallucinated refactor for hours. |
+| "Running `scopelock guard` slows my commit flow." | Under 300ms. The alternative is debugging a hallucinated refactor for hours. |
 | ".scopelock.json shouldn't be committed." | Commit it. It's shared project state — your whole team and their agents benefit. |
 
 ---
 
 ## Red Flags
 
-- `scopelock check` reports violations in more than 2 files — significant scope drift.
+- `scopelock guard` reports violations in more than 2 files — significant scope drift.
 - An unlock entry has a vague reason string (e.g., "fix", "update") — bypassed without thinking.
 - The agent proposes unlocking multiple files at once with one generic reason — batch rationalization.
 - A locked function is reported as `function-missing` after a diff — it was deleted or renamed.
@@ -144,7 +144,7 @@ A session is compliant when ALL of the following are true:
 
 - [ ] `.scopelock.json` exists and `scopelock status` shows the expected locks.
 - [ ] `scopelock context "<task>"` output was injected into the agent before any code was written.
-- [ ] `scopelock check` exits `0` before every commit in this session.
+- [ ] `scopelock guard` exits `0` before every commit in this session.
 - [ ] Every `unlock` entry has a specific, task-justified reason string.
 - [ ] No diff contains modifications to locked files or lines inside locked function bodies that were not explicitly unlocked.
 - [ ] All modified files and functions have been reviewed for re-locking post-task.

package/skills/secret-sentinel/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: secret-sentinel
-description: "Godmode Skill: Physically blocks AI agents from committing API keys, tokens, or .env leaks. scopelock check scans every added line in the git diff for high-entropy secrets before the commit is allowed. This is a hard block — not a warning."
+description: "Godmode Skill: Physically blocks AI agents from committing API keys, tokens, or .env leaks. scopelock guard scans every added line in the git diff for high-entropy secrets before the commit is allowed. This is a hard block — not a warning."
 ---
 
 ## Overview
@@ -20,7 +20,7 @@ The Secret Sentinel scans every newly added line for:
 
 ### Before every commit:
 ```bash
-scopelock check
+scopelock guard
 ```
 If a secret is detected, you will see:
 ```
@@ -42,7 +42,7 @@ If a secret is detected, you will see:
 ### Intentional exception (mock/test keys only):
 If you are intentionally committing a **mock** key for testing purposes, a human must explicitly authorize it:
 ```bash
-scopelock allow-secret test/fixtures/mock.ts "contains a mock stripe key for unit tests — not a real key"
+scopelock trust test/fixtures/mock.ts "contains a mock stripe key for unit tests — not a real key"
 ```
 This bypass is logged permanently in `.scopelock.json` for audit purposes.
 

package/skills/test-coverage-gate/SKILL.md

@@ -1,19 +1,19 @@
 ---
 name: test-coverage-gate
-description: "Godmode Skill: Forces the AI agent to write or update test files whenever it modifies application logic. Run 'scopelock check --require-tests' before committing to enforce this rule."
+description: "Godmode Skill: Forces the AI agent to write or update test files whenever it modifies application logic. Run 'scopelock guard --tests' before committing to enforce this rule."
 ---
 
 ## Overview
 
 This skill teaches the agent how to navigate the `scopelock` Test Coverage Gate. 
-When `--require-tests` is active, the CLI will hard-block any commit that modifies a source file (`.js`, `.ts`, `.py`, etc.) if a corresponding test file (`.test.ts`, `.spec.js`, `test/`) is not also modified in the same diff.
+When `--tests` is active, the CLI will hard-block any commit that modifies a source file (`.js`, `.ts`, `.py`, etc.) if a corresponding test file (`.test.ts`, `.spec.js`, `test/`) is not also modified in the same diff.
 
 ## Agent Protocol
 
 1. **Before writing code**: If you are about to modify application logic, understand that your changes will be rejected unless you also provide test coverage.
 2. **Write the code**: Implement the requested feature or fix.
 3. **Write the test**: You *must* update the corresponding test file or create a new one. The file path must contain `.test.`, `.spec.`, or be inside a `test/` or `__tests__/` directory.
-4. **Validation**: Run `scopelock check --require-tests` to mathematically verify your diff will pass the coverage gate.
+4. **Validation**: Run `scopelock guard --tests` to mathematically verify your diff will pass the coverage gate.
 5. **Ship**: Only after the test gate is passed are you allowed to commit or mark the task as complete.
 
 ## Why this exists

package/src/git.js

@@ -1,167 +1,167 @@
-'use strict';
-
-/**
- * src/git.js
- *
- * Scope violation checker — V2.
- *
- * Two tiers of enforcement:
- *   1. File-level:     Any changed file whose manifest status is 'locked' → violation.
- *   2. Function-level: Any changed file that has locked functions →
- *                      parse the diff for changed line numbers, re-extract
- *                      function boundaries from the current file, and flag
- *                      any changed line that falls inside a locked function.
- *
- * Exits 1 if any violation found. Wireable as a pre-commit hook.
- */
-
-const { execSync }      = require('child_process');
-const { getManifest }   = require('./manifest');
-const { getChangedLines } = require('./diff');
-const { extractFunctions } = require('./parser');
-const { detectSecret }  = require('./secrets');
-
-function check(args = []) {
-  const requireTests = args.includes('--require-tests');
-  const manifest = getManifest();
-  let diffOutput;
-
-  try {
-    diffOutput = execSync('git diff HEAD --name-only', {
-      encoding: 'utf8',
-      stdio: ['pipe', 'pipe', 'pipe'],
-    });
-  } catch (err) {
-    console.error('git error — are you inside a git repository with at least one commit?');
-    console.error(err.message);
-    process.exit(1);
-  }
-
-  const changedFiles = diffOutput
-    .split('\n')
-    .map(f => f.trim())
-    .filter(f => f.length > 0);
-
-  if (changedFiles.length === 0) {
-    console.log('✅ Scope check passed — no changes detected.');
-    return;
-  }
-
-  const violations = [];
-  
-  // ── Tier -1: Test Coverage Gate ───────────────────────────────────────────
-  if (requireTests) {
-    const hasSourceChanges = changedFiles.some(f => 
-      !f.includes('.test.') && !f.includes('.spec.') && !f.includes('/test/') && !f.includes('/__tests__/') &&
-      (f.endsWith('.js') || f.endsWith('.ts') || f.endsWith('.py') || f.endsWith('.go') || f.endsWith('.rs'))
-    );
-    const hasTestChanges = changedFiles.some(f => 
-      f.includes('.test.') || f.includes('.spec.') || f.includes('/test/') || f.includes('/__tests__/')
-    );
-    if (hasSourceChanges && !hasTestChanges) {
-      violations.push({
-        type: 'test-gate',
-        file: 'N/A',
-        message: 'TEST GATE VIOLATION: Source logic was modified, but no tests were added or updated. You must write tests to pass `--require-tests`.'
-      });
-    }
-  }
-
-  for (const file of changedFiles) {
-    const normalizedFile = file.replace(/\\/g, '/');
-    const entry          = manifest.files[normalizedFile];
-
-    const changedLines = getChangedLines(normalizedFile);
-
-    // ── Tier 0: Secret Sentinel ─────────────────────────────────────────────
-    if (changedLines.size > 0) {
-      // Check if this file has explicitly allowed secrets
-      const hasOverride = manifest.allowedSecrets && manifest.allowedSecrets[normalizedFile];
-      if (!hasOverride) {
-        for (const [lineNum, content] of changedLines.entries()) {
-          const secretType = detectSecret(content);
-          if (secretType) {
-            violations.push({
-              type: 'secret',
-              file: normalizedFile,
-              message: `SECRET LEAK [${secretType}] detected in '${normalizedFile}' on line ${lineNum}.`,
-            });
-            break; // One secret violation per file is enough
-          }
-        }
-      }
-    }
-
-    // ── Tier 1: File-level lock ─────────────────────────────────────────────
-    if (entry && (entry.status === 'locked' || entry.status === 'superlocked')) {
-      const label = entry.status === 'superlocked' ? 'SUPERLOCKED' : 'LOCKED';
-      violations.push({
-        type: 'file',
-        file: normalizedFile,
-        message: `File '${normalizedFile}' is ${label}.`,
-      });
-      continue; // No need to check functions if the whole file is locked
-    }
-
-    // ── Tier 2: Function-level lock ─────────────────────────────────────────
-    if (!entry || !entry.functions) continue;
-
-    const lockedFunctions = Object.entries(entry.functions)
-      .filter(([, fnData]) => fnData.status === 'locked')
-      .map(([name]) => name);
-
-    if (lockedFunctions.length === 0) continue;
-
-    // Re-extract function boundaries from the current on-disk file
-    const currentFunctions = extractFunctions(normalizedFile);
-
-    for (const lockedFnName of lockedFunctions) {
-      const fn = currentFunctions.find(f => f.name === lockedFnName);
-      if (!fn) {
-        // Function was deleted or renamed — this itself is a violation
-        violations.push({
-          type:    'function-missing',
-          file:    normalizedFile,
-          fn:      lockedFnName,
-          message: `Locked function '${lockedFnName}' in '${normalizedFile}' was removed or renamed.`,
-        });
-        continue;
-      }
-
-      // Check if any changed line falls within the function's boundaries
-      for (const line of changedLines.keys()) {
-        if (line >= fn.startLine && line <= fn.endLine) {
-          violations.push({
-            type: 'function',
-            file: normalizedFile,
-            fn:   lockedFnName,
-            message:
-              `Locked function '${lockedFnName}' in '${normalizedFile}' was modified ` +
-              `(changed line ${line} is inside [${fn.startLine}–${fn.endLine}]).`,
-          });
-          break; // One violation per function is enough
-        }
-      }
-    }
-  }
-
-  // ── Report ────────────────────────────────────────────────────────────────
-  if (violations.length === 0) {
-    console.log('✅ Scope check passed — no locked files or functions were modified.');
-    return;
-  }
-
-  console.error(`\n❌ Scope violations detected:\n`);
-  for (const v of violations) {
-    console.error(`   VIOLATION: ${v.message}`);
-  }
-  console.error(
-    `\n${violations.length} violation(s) found.\n` +
-    `  • Revert unintentional changes with: git restore <file>\n` +
-    `  • Explicitly unlock with:            scopelock unlock <file>[:<function>] "<reason>"`
-  );
-
-  process.exit(1);
-}
-
-module.exports = { check };
+'use strict';
+
+/**
+ * src/git.js
+ *
+ * Scope violation checker — V2.
+ *
+ * Two tiers of enforcement:
+ *   1. File-level:     Any changed file whose manifest status is 'locked' → violation.
+ *   2. Function-level: Any changed file that has locked functions →
+ *                      parse the diff for changed line numbers, re-extract
+ *                      function boundaries from the current file, and flag
+ *                      any changed line that falls inside a locked function.
+ *
+ * Exits 1 if any violation found. Wireable as a pre-commit hook.
+ */
+
+const { execSync }      = require('child_process');
+const { getManifest }   = require('./manifest');
+const { getChangedLines } = require('./diff');
+const { extractFunctions } = require('./parser');
+const { detectSecret }  = require('./secrets');
+
+function guard(args = []) {
+  const requireTests = args.includes('--tests');
+  const manifest = getManifest();
+  let diffOutput;
+
+  try {
+    diffOutput = execSync('git diff HEAD --name-only', {
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+  } catch (err) {
+    console.error('git error — are you inside a git repository with at least one commit?');
+    console.error(err.message);
+    process.exit(1);
+  }
+
+  const changedFiles = diffOutput
+    .split('\n')
+    .map(f => f.trim())
+    .filter(f => f.length > 0);
+
+  if (changedFiles.length === 0) {
+    console.log('✅ Scope guard passed — no changes detected.');
+    return;
+  }
+
+  const violations = [];
+  
+  // ── Tier -1: Test Coverage Gate ───────────────────────────────────────────
+  if (requireTests) {
+    const hasSourceChanges = changedFiles.some(f => 
+      !f.includes('.test.') && !f.includes('.spec.') && !f.includes('/test/') && !f.includes('/__tests__/') &&
+      (f.endsWith('.js') || f.endsWith('.ts') || f.endsWith('.py') || f.endsWith('.go') || f.endsWith('.rs'))
+    );
+    const hasTestChanges = changedFiles.some(f => 
+      f.includes('.test.') || f.includes('.spec.') || f.includes('/test/') || f.includes('/__tests__/')
+    );
+    if (hasSourceChanges && !hasTestChanges) {
+      violations.push({
+        type: 'test-gate',
+        file: 'N/A',
+        message: 'TEST GATE VIOLATION: Source logic was modified, but no tests were added or updated. You must write tests to pass `--tests`.'
+      });
+    }
+  }
+
+  for (const file of changedFiles) {
+    const normalizedFile = file.replace(/\\/g, '/');
+    const entry          = manifest.files[normalizedFile];
+
+    const changedLines = getChangedLines(normalizedFile);
+
+    // ── Tier 0: Secret Sentinel ─────────────────────────────────────────────
+    if (changedLines.size > 0) {
+      // Check if this file has explicitly allowed secrets
+      const hasOverride = manifest.allowedSecrets && manifest.allowedSecrets[normalizedFile];
+      if (!hasOverride) {
+        for (const [lineNum, content] of changedLines.entries()) {
+          const secretType = detectSecret(content);
+          if (secretType) {
+            violations.push({
+              type: 'secret',
+              file: normalizedFile,
+              message: `SECRET LEAK [${secretType}] detected in '${normalizedFile}' on line ${lineNum}.`,
+            });
+            break; // One secret violation per file is enough
+          }
+        }
+      }
+    }
+
+    // ── Tier 1: File-level lock ─────────────────────────────────────────────
+    if (entry && (entry.status === 'locked' || entry.status === 'sealed')) {
+      const label = entry.status === 'sealed' ? 'SEALED' : 'LOCKED';
+      violations.push({
+        type: 'file',
+        file: normalizedFile,
+        message: `File '${normalizedFile}' is ${label}.`,
+      });
+      continue; // No need to check functions if the whole file is locked
+    }
+
+    // ── Tier 2: Function-level lock ─────────────────────────────────────────
+    if (!entry || !entry.functions) continue;
+
+    const lockedFunctions = Object.entries(entry.functions)
+      .filter(([, fnData]) => fnData.status === 'locked')
+      .map(([name]) => name);
+
+    if (lockedFunctions.length === 0) continue;
+
+    // Re-extract function boundaries from the current on-disk file
+    const currentFunctions = extractFunctions(normalizedFile);
+
+    for (const lockedFnName of lockedFunctions) {
+      const fn = currentFunctions.find(f => f.name === lockedFnName);
+      if (!fn) {
+        // Function was deleted or renamed — this itself is a violation
+        violations.push({
+          type:    'function-missing',
+          file:    normalizedFile,
+          fn:      lockedFnName,
+          message: `Locked function '${lockedFnName}' in '${normalizedFile}' was removed or renamed.`,
+        });
+        continue;
+      }
+
+      // Check if any changed line falls within the function's boundaries
+      for (const line of changedLines.keys()) {
+        if (line >= fn.startLine && line <= fn.endLine) {
+          violations.push({
+            type: 'function',
+            file: normalizedFile,
+            fn:   lockedFnName,
+            message:
+              `Locked function '${lockedFnName}' in '${normalizedFile}' was modified ` +
+              `(changed line ${line} is inside [${fn.startLine}–${fn.endLine}]).`,
+          });
+          break; // One violation per function is enough
+        }
+      }
+    }
+  }
+
+  // ── Report ────────────────────────────────────────────────────────────────
+  if (violations.length === 0) {
+    console.log('✅ Scope guard passed — no locked files or functions were modified.');
+    return;
+  }
+
+  console.error(`\n❌ Scope violations detected:\n`);
+  for (const v of violations) {
+    console.error(`   VIOLATION: ${v.message}`);
+  }
+  console.error(
+    `\n${violations.length} violation(s) found.\n` +
+    `  • Revert unintentional changes with: git restore <file>\n` +
+    `  • Explicitly unlock with:            scopelock unlock <file>[:<function>] "<reason>"`
+  );
+
+  process.exit(1);
+}
+
+module.exports = { guard };

package/src/manifest.js

@@ -178,39 +178,39 @@ function lock(target, reason = 'manually locked') {
 }
 
 /**
- * Superlock a file — permanent, override-resistant production path lock.
- * Cannot be removed by 'unlock'. Requires 'sudo-unlock' with a human-approved ticket.
+ * Seal a file — permanent, override-resistant production path lock.
+ * Cannot be removed by 'unlock'. Requires 'unseal' with a human-approved ticket.
  *
  * @param {string} file   File path
  * @param {string} reason Mandatory reason string
  */
-function superlock(file, reason) {
+function seal(file, reason) {
   const relativePath = file.replace(/\\/g, '/');
   const manifest = getManifest();
   ensureFileEntry(manifest, relativePath);
   const entry = manifest.files[relativePath];
 
-  entry.status = 'superlocked';
+  entry.status = 'sealed';
   entry.history.push({
     timestamp: new Date().toISOString(),
-    action:    'superlocked',
+    action:    'sealed',
     reason,
   });
   saveManifest(manifest);
-  console.log(`🔐 SUPERLOCKED ${relativePath}. Only 'scopelock sudo-unlock' with a human-approved ticket can release this.`);
+  console.log(`🔐 SEALED ${relativePath}. Only 'scopelock unseal' with a human-approved ticket can release this.`);
 }
 
 /**
- * Remove a superlock from a file. Requires an explicit human-approved ticket string.
- * This is the only command that can override a 'superlocked' file.
+ * Remove a seal from a file. Requires an explicit human-approved ticket string.
+ * This is the only command that can override a 'sealed' file.
  *
  * @param {string} file     File path
  * @param {string} ticket   Human-approved ticket (e.g. "JIRA-123" or "PR-456")
  * @param {string} reason   Mandatory reason string
  */
-function sudoUnlock(file, ticket, reason) {
+function unseal(file, ticket, reason) {
   if (!ticket || !reason) {
-    console.error('Usage: scopelock sudo-unlock <file> --human-approved=<ticket> <reason>');
+    console.error('Usage: scopelock unseal <file> --human-approved=<ticket> <reason>');
     process.exit(1);
   }
   const relativePath = file.replace(/\\/g, '/');
@@ -218,20 +218,20 @@ function sudoUnlock(file, ticket, reason) {
   ensureFileEntry(manifest, relativePath);
   const entry = manifest.files[relativePath];
 
-  if (entry.status !== 'superlocked') {
-    console.error(`'${relativePath}' is not superlocked. Use 'scopelock unlock' instead.`);
+  if (entry.status !== 'sealed') {
+    console.error(`'${relativePath}' is not sealed. Use 'scopelock unlock' instead.`);
     process.exit(1);
   }
 
   entry.status = 'active';
   entry.history.push({
     timestamp:     new Date().toISOString(),
-    action:        'sudo-unlocked',
+    action:        'unsealed',
     humanApproved: ticket,
     reason,
   });
   saveManifest(manifest);
-  console.log(`🔓 SUDO-UNLOCKED ${relativePath}. Ticket: ${ticket}. Reason: ${reason}`);
+  console.log(`🔓 UNSEALED ${relativePath}. Ticket: ${ticket}. Reason: ${reason}`);
 }
 
 /**
@@ -263,12 +263,12 @@ function unlock(target, reason) {
     saveManifest(manifest);
     console.log(`🔓 Unlocked function '${funcName}' in ${relativePath}. Reason: ${reason}`);
   } else {
-    // Guard against bypassing a superlock with a normal unlock
-    if (entry.status === 'superlocked') {
+    // Guard against bypassing a seal with a normal unlock
+    if (entry.status === 'sealed') {
       console.error(
-        `❌ '${relativePath}' is SUPERLOCKED and cannot be unlocked with 'scopelock unlock'.\n` +
+        `❌ '${relativePath}' is SEALED and cannot be unlocked with 'scopelock unlock'.\n` +
         `   This path is a protected production route.\n` +
-        `   Use: scopelock sudo-unlock ${relativePath} --human-approved=<ticket> <reason>`
+        `   Use: scopelock unseal ${relativePath} --human-approved=<ticket> <reason>`
       );
       process.exit(1);
     }
@@ -286,7 +286,7 @@ function status() {
   const manifest = getManifest();
   const files    = Object.entries(manifest.files);
 
-  const superlocked = files.filter(([, v]) => v.status === 'superlocked');
+  const sealed      = files.filter(([, v]) => v.status === 'sealed');
   const locked      = files.filter(([, v]) => v.status === 'locked');
   const active      = files.filter(([, v]) => v.status === 'active');
   const unscoped    = files.filter(([, v]) => v.status === 'unscoped');
@@ -299,10 +299,16 @@ function status() {
   }
 
   console.log(`\n📋  scopelock status\n`);
+  console.log(`  🛡️   sealed    — ${sealed.length} file(s)`);
   console.log(`  🔒  locked    — ${locked.length} file(s), ${lockedFnCount} function(s)`);
   console.log(`  ✏️   active    — ${active.length} file(s)`);
   console.log(`  ⬜  unscoped  — ${unscoped.length} file(s)\n`);
 
+  if (sealed.length > 0) {
+    console.log('\nSealed files:');
+    sealed.forEach(([f]) => console.log(`  ${f}`));
+  }
+
   if (locked.length > 0) {
     console.log(`Locked files:`);
     for (const [filePath, data] of locked) {
@@ -335,30 +341,20 @@ function status() {
 }
 
 /**
- * Allow a secret to be committed in a specific file.
+ * Trust a file to contain a mock secret, bypassing the Secret Sentinel.
  *
- * @param {string} file  "<file>"
- * @param {string} reason  Mandatory reason string.
+ * @param {string} file
+ * @param {string} reason
  */
-function allowSecret(file, reason) {
+function trust(file, reason) {
   const relativePath = file.replace(/\\/g, '/');
   const manifest = getManifest();
-  
-  if (!manifest.allowedSecrets) {
-    manifest.allowedSecrets = {};
-  }
-  
-  if (!manifest.allowedSecrets[relativePath]) {
-    manifest.allowedSecrets[relativePath] = [];
-  }
-  
-  manifest.allowedSecrets[relativePath].push({
+  manifest.allowedSecrets[relativePath] = {
     timestamp: new Date().toISOString(),
-    reason
-  });
-  
+    reason,
+  };
   saveManifest(manifest);
   console.log(`⚠️  Secret Sentinel bypassed for ${relativePath}. Reason: ${reason}`);
 }
 
-module.exports = { init, lock, unlock, superlock, sudoUnlock, allowSecret, status, getManifest, saveManifest };
+module.exports = { init, lock, unlock, seal, unseal, trust, status, getManifest, saveManifest };

package/test/run.js

@@ -86,25 +86,25 @@ assert(m2.files['readme.txt'].status === 'locked', 'readme.txt is locked');
 
 console.log('\n--- Test 5: File-level violation detection ---');
 fs.appendFileSync('readme.txt', 'AI hallucinated this line.\n');
-const violation1 = run(`${CLI} check`, true);
-assert(violation1.includes('VIOLATION'), 'check detects locked file modification');
+const violation1 = run(`${CLI} guard`, true);
+assert(violation1.includes('VIOLATION'), 'guard detects locked file modification');
 
 console.log('\n--- Test 6: File-level unlock clears violation ---');
 run(`${CLI} unlock readme.txt "intentional update to docs"`);
-const check1 = run(`${CLI} check`);
-assert(check1.includes('passed'), 'check passes after unlock');
+const check1 = run(`${CLI} guard`);
+assert(check1.includes('passed'), 'guard passes after unlock');
 run('git restore readme.txt'); // clean up
 
 console.log('\n--- Test 7: Secret Sentinel detection ---');
 fs.appendFileSync('readme.txt', 'const stripe_key = "sk_test_12345abcdeABCDE12345abcd";\n');
-const secretViolation = run(`${CLI} check`, true);
-assert(secretViolation.includes('SECRET LEAK'), 'check detects leaked stripe key');
-assert(secretViolation.includes('Stripe Secret Key'), 'check identifies secret type');
-
-console.log('\n--- Test 8: Secret Sentinel bypass (allow-secret) ---');
-run(`${CLI} allow-secret readme.txt "it is a mock key for tests"`);
-const secretCheck = run(`${CLI} check`);
-assert(secretCheck.includes('passed'), 'allow-secret successfully bypasses secret sentinel');
+const secretViolation = run(`${CLI} guard`, true);
+assert(secretViolation.includes('SECRET LEAK'), 'guard detects leaked stripe key');
+assert(secretViolation.includes('Stripe Secret Key'), 'guard identifies secret type');
+
+console.log('\n--- Test 8: Secret Sentinel bypass (trust) ---');
+run(`${CLI} trust readme.txt "it is a mock key for tests"`);
+const secretCheck = run(`${CLI} guard`);
+assert(secretCheck.includes('passed'), 'trust successfully bypasses secret sentinel');
 run('git restore readme.txt'); // clean up
 
 console.log('\n--- Test 9: Function-level lock ---');
@@ -126,7 +126,7 @@ function workInProgress() {
   return 'actively being edited -- new change';
 }
 `.trimStart());
-const check2 = run(`${CLI} check`);
+const check2 = run(`${CLI} guard`);
 assert(check2.includes('passed'), 'change outside locked function does not trigger violation');
 
 console.log('\n--- Test 11: Change INSIDE locked function — violation ---');
@@ -139,14 +139,14 @@ function workInProgress() {
   return 'actively being edited -- new change';
 }
 `.trimStart());
-const violation2 = run(`${CLI} check`, true);
+const violation2 = run(`${CLI} guard`, true);
 assert(violation2.includes('VIOLATION'), 'change inside locked function triggers violation');
 assert(violation2.includes('stableFunc'), 'violation names the locked function');
 
 console.log('\n--- Test 12: Function unlock clears function-level violation ---');
 run(`${CLI} unlock app.js:stableFunc "need to update return value for new API"`);
-const check3 = run(`${CLI} check`);
-assert(check3.includes('passed'), 'check passes after function unlock');
+const check3 = run(`${CLI} guard`);
+assert(check3.includes('passed'), 'guard passes after function unlock');
 
 console.log('\n--- Test 13: Lock unknown function fails gracefully ---');
 const badLock = run(`${CLI} lock app.js:doesNotExist "testing"`, true);
@@ -159,55 +159,55 @@ assert(ctx.includes('SCOPE CONTEXT'), 'context output contains header');
 console.log('\n--- Test 15: Test Coverage Gate (Missing Tests) ---');
 fs.writeFileSync('feature.js', 'console.log("new logic");\n');
 run('git add feature.js');
-const testGateOut = run(`${CLI} check --require-tests`, true);
-assert(testGateOut.includes('TEST GATE VIOLATION'), 'check catches missing tests when flag is used');
+const testGateOut = run(`${CLI} guard --tests`, true);
+assert(testGateOut.includes('TEST GATE VIOLATION'), 'guard catches missing tests when flag is used');
 
 console.log('\n--- Test 16: Test Coverage Gate (Tests Provided) ---');
 fs.writeFileSync('feature.test.js', 'console.log("test for logic");\n');
 run('git add feature.test.js');
-const testGatePass = run(`${CLI} check --require-tests`);
-assert(testGatePass.includes('passed'), 'check passes when test files accompany source files');
+const testGatePass = run(`${CLI} guard --tests`);
+assert(testGatePass.includes('passed'), 'guard passes when test files accompany source files');
 
 console.log('\n--- Test 17: Rollback Snapshot Creation ---');
-run(`${CLI} snapshot`);
+run(`${CLI} save`);
 const m4 = JSON.parse(fs.readFileSync('.scopelock.json', 'utf8'));
 assert(m4.lastSnapshot === 'clean' || m4.lastSnapshot === 'dirty', 'snapshot state is tracked in manifest');
 
 console.log('\n--- Test 18: Rollback Revert ---');
 fs.writeFileSync('rogue.js', 'I am a rogue agent destroying things');
-run(`${CLI} revert`);
-assert(!fs.existsSync('rogue.js'), 'revert destroys untracked rogue files');
+run(`${CLI} restore`);
+assert(!fs.existsSync('rogue.js'), 'restore destroys untracked rogue files');
 const m5 = JSON.parse(fs.readFileSync('.scopelock.json', 'utf8'));
-assert(m5.lastSnapshot === null, 'revert clears the snapshot marker');
+assert(m5.lastSnapshot === null, 'restore clears the snapshot marker');
 
-console.log('\n--- Test 19: Production Path Lock (superlock) ---');
-run(`${CLI} superlock app.js "core auth logic — requires PR approval to modify"`);
+console.log('\n--- Test 19: Production Path Lock (seal) ---');
+run(`${CLI} seal app.js "core auth logic — requires PR approval to modify"`);
 const m6 = JSON.parse(fs.readFileSync('.scopelock.json', 'utf8'));
-assert(m6.files['app.js'].status === 'superlocked', 'superlock sets status to superlocked');
+assert(m6.files['app.js'].status === 'sealed', 'seal sets status to sealed');
 
-console.log('\n--- Test 20: superlock blocks regular unlock ---');
+console.log('\n--- Test 20: seal blocks regular unlock ---');
 const superUnlockOut = run(`${CLI} unlock app.js "trying to bypass"`, true);
-assert(superUnlockOut.includes('SUPERLOCKED'), 'regular unlock is blocked on superlocked file');
+assert(superUnlockOut.includes('SEALED'), 'regular unlock is blocked on sealed file');
 
-console.log('\n--- Test 21: superlock blocks scopelock check ---');
+console.log('\n--- Test 21: seal blocks scopelock guard ---');
 fs.appendFileSync('app.js', '\n// rogue addition\n');
-const superCheckOut = run(`${CLI} check`, true);
-assert(superCheckOut.includes('SUPERLOCKED'), 'check reports SUPERLOCKED violation');
+const superCheckOut = run(`${CLI} guard`, true);
+assert(superCheckOut.includes('SEALED'), 'guard reports SEALED violation');
 run('git restore app.js');
 
-console.log('\n--- Test 22: sudo-unlock releases a superlock with ticket ---');
-run(`${CLI} sudo-unlock app.js --human-approved=JIRA-999 "approved by senior eng for critical hotfix"`);
+console.log('\n--- Test 22: unseal releases a seal with ticket ---');
+run(`${CLI} unseal app.js --human-approved=JIRA-999 "approved by senior eng for critical hotfix"`);
 const m7 = JSON.parse(fs.readFileSync('.scopelock.json', 'utf8'));
-assert(m7.files['app.js'].status === 'active', 'sudo-unlock transitions superlocked to active');
-const sudoHistory = m7.files['app.js'].history.find(h => h.action === 'sudo-unlocked');
-assert(sudoHistory && sudoHistory.humanApproved === 'JIRA-999', 'sudo-unlock logs the human-approved ticket');
+assert(m7.files['app.js'].status === 'active', 'unseal transitions sealed to active');
+const sudoHistory = m7.files['app.js'].history.find(h => h.action === 'unsealed');
+assert(sudoHistory && sudoHistory.humanApproved === 'JIRA-999', 'unseal logs the human-approved ticket');
 
-console.log('\n--- Test 23: Blast Radius Map ---');
+console.log('\n--- Test 23: Blast Radius Map (impact) ---');
 // Make app.js import readme.txt by creating an importer
 fs.writeFileSync('importer.js', `import { something } from './app';\n`);
-const blastOut = run(`${CLI} blast-radius app.js`);
-assert(blastOut.includes('Blast Radius'), 'blast-radius outputs the report header');
-assert(blastOut.includes('importer.js'), 'blast-radius correctly identifies importer.js as a dependent');
+const blastOut = run(`${CLI} impact app.js`);
+assert(blastOut.includes('Blast Radius'), 'impact outputs the report header');
+assert(blastOut.includes('importer.js'), 'impact correctly identifies importer.js as a dependent');
 
 // ─── Done ─────────────────────────────────────────────────────────────────────