@miller-tech/uap 1.40.0 → 1.41.0

package/src/policies/enforcers/delivery_enforcement.py

@@ -0,0 +1,97 @@
+#!/usr/bin/env python3
+"""delivery-enforcement enforcer: route substantive coding through `uap deliver`.
+
+Fires on Edit/Write/MultiEdit to source-code files. The intent is that
+non-trivial coding work goes through the `uap deliver` convergence loop (which
+drives a model to verified completion against the real gates) rather than
+ad-hoc hand edits.
+
+SAFETY — default mode is ADVISORY (always allows, logs a nudge), so installing
+this policy never breaks editing. Strict enforcement is opt-in:
+
+  UAP_ENFORCE_DELIVERY=block   # direct source edits outside a deliver context
+                               # are blocked (exit 2)
+
+Escape hatches (always honored, even in block mode):
+  - UAP_DELIVER_ACTIVE=1   set by the deliver loop for its own subprocesses
+  - UAP_DELIVER_BYPASS=1   explicit operator override for a sanctioned manual edit
+
+Exempt by construction: non-source files, docs/configs/scripts/policies, test
+files (deliver protects those itself), and tooling dot-dirs.
+"""
+from __future__ import annotations
+import os
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).parent))
+from _common import emit, parse_cli, repo_root  # noqa: E402
+
+EDIT_OPS = {"Edit", "Write", "MultiEdit", "edit", "write", "multiedit"}
+
+# Only real implementation code is gated.
+SOURCE_EXTS = (
+    ".ts", ".tsx", ".mts", ".cts", ".js", ".jsx", ".mjs", ".cjs",
+    ".py", ".go", ".rs", ".java", ".rb", ".php", ".cs", ".swift", ".kt",
+    ".c", ".cc", ".cpp", ".h", ".hpp",
+)
+
+EXEMPT_PREFIXES = (
+    ".claude/", ".cursor/", ".opencode/", ".codex/", ".forge/", ".omp/",
+    ".uap/", ".policy-tools/", ".worktrees/",
+    "src/policies/", "scripts/", "docs/", "policies/", "test/", "tests/",
+)
+
+# Test files are protected by deliver itself; never gate them here.
+TEST_MARKERS = (".test.", ".spec.", "_test.", "/test/", "/tests/", "/__tests__/")
+
+
+def main() -> None:
+    op, args = parse_cli()
+    if op not in EDIT_OPS:
+        emit(True, "not a file-edit operation")
+
+    target = args.get("file_path") or args.get("path") or args.get("target") or ""
+    if not target:
+        emit(True, "no file path in args")
+
+    root = repo_root()
+    try:
+        rel = str(Path(target).resolve().relative_to(root))
+    except ValueError:
+        emit(True, "target outside repo")
+
+    rel_posix = rel.replace(os.sep, "/")
+    low = rel_posix.lower()
+
+    if not low.endswith(SOURCE_EXTS):
+        emit(True, "not source code")
+    if any(rel_posix.startswith(p) for p in EXEMPT_PREFIXES):
+        emit(True, f"exempt path: {rel_posix}")
+    if any(m in "/" + low for m in TEST_MARKERS):
+        emit(True, "test file (protected by deliver itself)")
+
+    # Escape hatches.
+    if os.environ.get("UAP_DELIVER_ACTIVE") == "1":
+        emit(True, "inside a deliver-driven run")
+    if os.environ.get("UAP_DELIVER_BYPASS") == "1":
+        emit(True, "UAP_DELIVER_BYPASS override set")
+
+    msg = (
+        f"delivery-enforcement: '{rel_posix}' is source code being edited directly. "
+        "Route substantive coding through `uap deliver` (drives a model to verified "
+        "completion against the gates), or set UAP_DELIVER_BYPASS=1 for a sanctioned "
+        "manual edit."
+    )
+
+    mode = os.environ.get("UAP_ENFORCE_DELIVERY", "advisory").lower()
+    if mode == "block":
+        emit(False, msg)
+
+    # Advisory (default): never blocks. Surface the nudge, then allow.
+    print(f"[delivery-enforcement advisory] {msg}", file=sys.stderr)
+    emit(True, "advisory: nudge logged (set UAP_ENFORCE_DELIVERY=block to enforce)")
+
+
+if __name__ == "__main__":
+    main()

package/src/policies/enforcers/doc_live_over_report.py

@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+"""doc-live-over-report enforcer: block new *_REPORT/*_COMPLETE/*_SUMMARY/*_PLAN md files."""
+from __future__ import annotations
+import re
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).parent))
+from _common import emit, parse_cli  # noqa: E402
+
+BLOCKED_RE = re.compile(
+    r"(_REPORT|_COMPLETE|_SUMMARY|_PLAN|_FIX_\d|_\d{4}-\d{2}-\d{2})\.md$",
+    re.I,
+)
+SCOPED_DIRS = ("infra/", "docs/", "")
+WRITE_OPS = {"Write", "write", "create-file"}
+
+
+def main() -> None:
+    op, args = parse_cli()
+    if op not in WRITE_OPS:
+        emit(True, "not a write op")
+
+    path = args.get("file_path") or args.get("path") or ""
+    if not path.endswith(".md"):
+        emit(True, "not a markdown file")
+
+    rel = path.replace("\\", "/")
+    # Strip leading abs path prefix if present
+    for marker in ("/pay2u/", "/miller-tech/"):
+        if marker in rel:
+            rel = rel.split(marker, 1)[1]
+            break
+
+    is_scoped = any(rel.startswith(d) for d in SCOPED_DIRS if d) or "/" not in rel
+    if not is_scoped:
+        emit(True, "out-of-scope path")
+
+    if BLOCKED_RE.search(rel):
+        emit(
+            False,
+            f"doc-live-over-report: '{rel}' is a retrospective/dated doc pattern. "
+            "Update canonical README/runbook instead.",
+        )
+
+    emit(True, "not a blocked doc pattern")
+
+
+if __name__ == "__main__":
+    main()

package/src/policies/enforcers/expert_review_required.py

@@ -0,0 +1,135 @@
+#!/usr/bin/env python3
+"""expert-review-required enforcer: a parallel expert review must precede ship.
+
+Blocks ship actions (git commit / git push / gh pr create / merge / pr-ready /
+signoff) unless a review artifact exists for the current branch AND covers the
+current HEAD. This makes the `parallel-expert-review` skill's "REQUIRED by
+policy" claim real rather than advisory.
+
+Review artifact: .uap/reviews/<branch-slug>.json, written by the
+parallel-expert-review flow on consolidation. Recognised shape:
+    { "head": "<sha>", "verdict": "approve|...", "reviewers": [...] }
+If the artifact carries a `head` that differs from the current HEAD, the review
+is stale and the op is blocked.
+
+Fail-open: if branch/HEAD cannot be resolved, the op is allowed — non-UAP repos
+and detached states are unaffected. Override: set UAP_NO_REVIEW=1 to bypass.
+"""
+from __future__ import annotations
+
+import json
+import os
+import re
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).parent))
+from _common import emit, parse_cli, repo_root, run  # noqa: E402
+
+# Ship verbs are anchored to their tool prefix so that the bare tokens "merge"
+# or "signoff" inside read-only commands (git diff --merge-base, rg merge,
+# cat docs/merge-strategy.md) do not trip the gate.
+SHIP_PATTERNS = (
+    re.compile(r"\bgit\s+(commit|push|merge)\b"),
+    re.compile(r"\bgh\s+pr\s+(create|merge|ready)\b"),
+    re.compile(r"\b(pr[-_ ]?ready|sign[-_ ]?off|ready[-_ ]for[-_ ]review)\b", re.I),
+)
+
+
+def current_branch(root: Path) -> str | None:
+    # symbolic-ref resolves the branch name even on an unborn branch (no commits
+    # yet); rev-parse --abbrev-ref returns "HEAD" in that state.
+    rc, out, _ = run(["git", "symbolic-ref", "--short", "HEAD"], cwd=root)
+    if rc == 0 and out.strip():
+        return out.strip()
+    rc, out, _ = run(["git", "rev-parse", "--abbrev-ref", "HEAD"], cwd=root)
+    if rc == 0 and out.strip() and out.strip() != "HEAD":
+        return out.strip()
+    return None
+
+
+def slug_for(branch: str) -> str:
+    """Injective filename slug for a branch ref.
+
+    A naive `/`->`-` substitution collapses distinct refs (`feature/foo` and
+    `feature-foo`, which can coexist) onto the same artifact, silently bypassing
+    the gate. Percent-encode `%` first, then `/`, so the mapping is reversible
+    and collision-free: `feature/foo` -> `feature%2Ffoo`, `feature-foo` stays
+    `feature-foo`.
+    """
+    return branch.replace("%", "%25").replace("/", "%2F")
+
+
+def head_sha(root: Path) -> str | None:
+    rc, out, _ = run(["git", "rev-parse", "HEAD"], cwd=root)
+    return out.strip() if rc == 0 and out.strip() else None
+
+
+def main() -> None:
+    op, args = parse_cli()
+
+    if os.environ.get("UAP_NO_REVIEW") == "1":
+        emit(True, "UAP_NO_REVIEW override set")
+
+    op_l = op.lower()
+    if op_l != "bash":
+        emit(True, "not a ship operation")
+
+    cmd = args.get("command") or args.get("cmd") or ""
+    if not any(p.search(cmd) for p in SHIP_PATTERNS):
+        emit(True, "not a ship action")
+
+    root = repo_root()
+    branch = current_branch(root)
+    if branch is None:
+        emit(True, "branch not resolvable (detached/non-git) — fail-open")
+    slug = slug_for(branch)
+
+    review = root / ".uap" / "reviews" / f"{slug}.json"
+    if not review.exists():
+        emit(
+            False,
+            f"expert-review-required: no review artifact at .uap/reviews/{slug}.json. "
+            "Run the parallel-expert-review skill (code-quality, security, performance, "
+            "docs, test-coverage reviewers) and record the consolidated verdict before "
+            "shipping. Override for one-off meta-work: UAP_NO_REVIEW=1.",
+        )
+
+    head = head_sha(root)
+    try:
+        data = json.loads(review.read_text())
+    except Exception:  # noqa: BLE001
+        data = {}
+
+    # Defense-in-depth against artifact reuse across branches: if the artifact
+    # records the branch it covers, it must match the current branch.
+    artifact_branch = data.get("branch") if isinstance(data, dict) else None
+    if artifact_branch and artifact_branch != branch:
+        emit(
+            False,
+            f"expert-review-required: review at .uap/reviews/{slug}.json covers branch "
+            f"'{artifact_branch}', not '{branch}'. Re-run the parallel expert review on "
+            "this branch. Override: UAP_NO_REVIEW=1.",
+        )
+
+    # Stale check relative to current HEAD.
+    reviewed_head = data.get("head") if isinstance(data, dict) else None
+    if reviewed_head and head and reviewed_head != head:
+        emit(
+            False,
+            f"expert-review-required: review at .uap/reviews/{slug}.json covers "
+            f"{reviewed_head[:8]} but HEAD is {head[:8]} — the review is stale. "
+            "Re-run the parallel expert review for the current changes. "
+            "Override: UAP_NO_REVIEW=1.",
+        )
+
+    emit(
+        True,
+        f"expert-review satisfied (.uap/reviews/{slug}.json"
+        + (f", head {reviewed_head[:8]}" if reviewed_head else "")
+        + ")",
+    )
+
+
+if __name__ == "__main__":
+    main()

package/src/policies/enforcers/iac_parity.py

@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+"""iac-parity enforcer: live-state changes must have matching IaC diff."""
+from __future__ import annotations
+import re
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).parent))
+from _common import arg_str, emit, parse_cli, run, worktree_root  # noqa: E402
+
+MUTATING_RE = re.compile(
+    r"\b(kubectl|helm|doctl|aws|gcloud)\b.*?\b(apply|patch|create|edit|delete|install|upgrade|rollout|scale|set)\b",
+    re.I,
+)
+IAC_PATHS = (
+    "infra/terraform/",
+    "infra/helm_charts/",
+    "infra/kubernetes/",
+    "infra/k8s/",
+    "infra/policies/",
+)
+
+
+def main() -> None:
+    op, args = parse_cli()
+    blob = f"{op} {arg_str(args)}"
+
+    if not MUTATING_RE.search(blob):
+        emit(True, "not a mutating IaC-scope command")
+
+    root = worktree_root()  # git status must run against the working tree, not MAIN_ROOT
+    rc, out, _ = run(["git", "status", "--porcelain"], cwd=root)
+    if rc != 0:
+        emit(True, "git status unavailable; deferring to post-commit check")
+
+    has_iac = any(
+        line[3:].startswith(IAC_PATHS) or line[3:].lstrip().startswith(IAC_PATHS)
+        for line in out.splitlines()
+    )
+
+    if not has_iac:
+        emit(
+            False,
+            "iac-parity: live-state mutation without matching IaC diff under "
+            + ", ".join(IAC_PATHS)
+            + ". Update Terraform/Helm/K8s manifests in the same worktree.",
+        )
+
+    emit(True, "IaC diff present in worktree")
+
+
+if __name__ == "__main__":
+    main()

package/src/policies/enforcers/mcp_router_first.py

@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+"""mcp-router-first enforcer: MCP tools must be loaded on demand."""
+from __future__ import annotations
+import re
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).parent))
+from _common import arg_str, emit, parse_cli  # noqa: E402
+
+BULK_PATTERNS = re.compile(r"(load[-_ ]all|bulk[-_ ]load|all[-_ ]tools|eager)", re.I)
+
+
+def main() -> None:
+    op, args = parse_cli()
+    blob = f"{op} {arg_str(args)}"
+
+    if op not in {"ToolSearch", "tool_search", "mcp-router", "mcp_router"}:
+        emit(True, "not an MCP-router op")
+
+    query = (args.get("query") or "").strip()
+    max_results = int(args.get("max_results") or 5)
+
+    if BULK_PATTERNS.search(blob):
+        emit(False, "mcp-router-first: bulk/eager MCP tool load detected; query by specific tool name instead")
+
+    if not query or max_results > 20:
+        emit(
+            False,
+            "mcp-router-first: ToolSearch must use a specific query and max_results<=20",
+        )
+
+    emit(True, "scoped MCP router query")
+
+
+if __name__ == "__main__":
+    main()

package/src/policies/enforcers/memory_before_plan.py

@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+"""memory-before-plan enforcer: plans require a recent uap memory query."""
+from __future__ import annotations
+import re
+import sqlite3
+import sys
+import time
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).parent))
+from _common import arg_str, emit, parse_cli, repo_root  # noqa: E402
+
+PLAN_OPS = {"ExitPlanMode", "Plan", "TodoWrite", "plan", "design"}
+# Only match standalone words, not compounds like 'validate-plan-before-build'
+PLAN_WORD_RE = re.compile(r"(?<![-\w/])(plan the|design the|architect the|propose a plan|roadmap for)", re.I)
+RECENT_SEC = 300
+
+
+def recent_memory_query(root: Path) -> bool:
+    db = root / "agents" / "data" / "memory" / "short_term.db"
+    if not db.exists():
+        return False
+    try:
+        con = sqlite3.connect(f"file:{db}?mode=ro", uri=True, timeout=1.0)
+        cur = con.execute(
+            "SELECT timestamp FROM session_memories "
+            "WHERE content LIKE '%uap memory query%' OR type='memory_query' "
+            "ORDER BY id DESC LIMIT 1"
+        )
+        row = cur.fetchone()
+        con.close()
+        if not row:
+            return False
+        raw = row[0][:19].replace("T", " ")
+        try:
+            ts = time.mktime(time.strptime(raw, "%Y-%m-%d %H:%M:%S"))
+        except Exception:  # noqa: BLE001
+            return False
+        # Memory is stored as UTC from datetime('now'); compare with UTC now
+        return (time.time() - (ts - time.timezone)) < RECENT_SEC
+    except sqlite3.Error:
+        return False
+
+
+def main() -> None:
+    op, args = parse_cli()
+    blob = f"{op} {arg_str(args)}"
+    if op not in PLAN_OPS and not PLAN_WORD_RE.search(blob):
+        emit(True, "not a plan operation")
+
+    if recent_memory_query(repo_root()):
+        emit(True, "recent uap memory query on record")
+
+    emit(
+        False,
+        "memory-before-plan: run `uap memory query <topic>` before planning to surface prior context",
+    )
+
+
+if __name__ == "__main__":
+    main()

package/src/policies/enforcers/parallel_reads.py

@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+"""parallel-reads enforcer: nudge when serial read fan-out is detected."""
+from __future__ import annotations
+import os
+import sys
+import time
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).parent))
+from _common import emit, parse_cli  # noqa: E402
+
+READ_OPS = {"Read", "Grep", "Glob", "WebFetch", "read", "grep", "glob", "webfetch"}
+STATE = Path(os.environ.get("UAP_STATE_DIR", ".uap")) / "parallel_reads.state"
+WINDOW_SEC = 4.0
+THRESHOLD = 2
+
+
+def main() -> None:
+    op, _args = parse_cli()
+    if op not in READ_OPS:
+        emit(True, "not a read op")
+
+    STATE.parent.mkdir(parents=True, exist_ok=True)
+    now = time.time()
+    history: list[float] = []
+    if STATE.exists():
+        try:
+            history = [
+                float(l) for l in STATE.read_text().splitlines() if l.strip()
+            ]
+        except ValueError:
+            history = []
+
+    history = [t for t in history if now - t < WINDOW_SEC]
+    history.append(now)
+    STATE.write_text("\n".join(f"{t}" for t in history[-10:]))
+
+    if len(history) > THRESHOLD:
+        emit(
+            True,
+            f"parallel-reads: {len(history)} serial read ops in {WINDOW_SEC}s "
+            "— batch independent reads in a single tool-call message for 2-5x speed-up",
+            warning=True,
+        )
+
+    emit(True, "read cadence within batch window")
+
+
+if __name__ == "__main__":
+    main()

package/src/policies/enforcers/rtk_wrap.py

@@ -0,0 +1,44 @@
+#!/usr/bin/env python3
+"""rtk-wrap enforcer: heavy CLIs must be invoked via rtk."""
+from __future__ import annotations
+import re
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).parent))
+from _common import emit, parse_cli  # noqa: E402
+
+WRAPPED = ("git", "kubectl", "docker", "docker-compose", "npm", "pnpm", "yarn", "helm", "terraform")
+RTK_META = re.compile(r"^\s*rtk\s+(gain|discover|proxy|--version|-V|--help)\b")
+ALREADY_WRAPPED = re.compile(r"^\s*rtk\s+\S+")
+
+
+def main() -> None:
+    op, args = parse_cli()
+    cmd = (args.get("command") or args.get("cmd") or "").strip()
+    if not cmd or op.lower() != "bash":
+        emit(True, "not a Bash command")
+
+    first = cmd.split(maxsplit=1)[0].lstrip("(").lstrip("{")
+    if first == "rtk" and RTK_META.search(cmd):
+        emit(True, "rtk meta command")
+    if ALREADY_WRAPPED.match(cmd):
+        emit(True, "already wrapped")
+
+    # Inspect tokens (ignore env assignments like FOO=bar cmd)
+    tokens = [t for t in cmd.split() if "=" not in t.split("/")[0]]
+    for tok in tokens[:3]:
+        bin_name = tok.split("/")[-1]
+        if bin_name in WRAPPED:
+            emit(
+                False,
+                f"rtk-wrap: '{bin_name}' must be invoked via rtk. "
+                f"Use: rtk {cmd}",
+                bin=bin_name,
+            )
+
+    emit(True, "no wrapped CLI in command")
+
+
+if __name__ == "__main__":
+    main()

package/src/policies/enforcers/schema_diff_gate.py

@@ -0,0 +1,80 @@
+#!/usr/bin/env python3
+"""schema-diff-gate enforcer: schema/pool changes must pass uap schema-diff."""
+from __future__ import annotations
+import re
+import sqlite3
+import sys
+import time
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).parent))
+from _common import emit, parse_cli, repo_root, run, worktree_root  # noqa: E402
+
+WATCHED_RE = re.compile(
+    r"(migrations/.*\.sql|infra/postgres-spock/|infra/helm_charts/[^/]*pgdog|"
+    r"infra/helm_charts/[^/]*cnpg|infra/helm_charts/[^/]*redis|"
+    r"infra/helm_charts/[^/]*envoy|infra/helm_charts/[^/]*sentinel)",
+    re.I,
+)
+COMMIT_OPS = {"git-commit", "git commit", "Bash"}
+RECENT_SEC = 3600
+
+
+def touched_watched_paths(root: Path) -> list[str]:
+    rc, out, _ = run(["git", "diff", "--name-only", "HEAD"], cwd=root)
+    if rc != 0:
+        return []
+    rc2, staged, _ = run(["git", "diff", "--name-only", "--cached"], cwd=root)
+    all_files = (out + "\n" + (staged if rc2 == 0 else "")).splitlines()
+    return [f for f in all_files if f and WATCHED_RE.search(f)]
+
+
+def schema_diff_ok(root: Path) -> bool:
+    db = root / "agents" / "data" / "memory" / "short_term.db"
+    if not db.exists():
+        return False
+    try:
+        con = sqlite3.connect(f"file:{db}?mode=ro", uri=True, timeout=1.0)
+        cur = con.execute(
+            "SELECT timestamp FROM session_memories "
+            "WHERE content LIKE '%schema-diff%pass%' "
+            "ORDER BY id DESC LIMIT 1"
+        )
+        row = cur.fetchone()
+        con.close()
+        if not row:
+            return False
+        try:
+            ts = time.mktime(time.strptime(row[0][:19], "%Y-%m-%dT%H:%M:%S"))
+        except Exception:  # noqa: BLE001
+            return False
+        return (time.time() - ts) < RECENT_SEC
+    except sqlite3.Error:
+        return False
+
+
+def main() -> None:
+    op, args = parse_cli()
+    cmd = (args.get("command") or "").lower()
+    is_commit = op in COMMIT_OPS or "git commit" in cmd or "git push" in cmd
+    if not is_commit:
+        emit(True, "not a commit/push gate point")
+
+    # git diff runs against the working tree; short_term.db lives in MAIN_ROOT
+    watched = touched_watched_paths(worktree_root())
+    if not watched:
+        emit(True, "no watched schema/pool paths in diff")
+
+    if schema_diff_ok(repo_root()):
+        emit(True, f"recent schema-diff pass covers: {', '.join(watched[:5])}")
+
+    emit(
+        False,
+        "schema-diff-gate: changes to "
+        + ", ".join(watched[:5])
+        + " require `uap schema-diff` to pass (within 1h). Run it and re-commit.",
+    )
+
+
+if __name__ == "__main__":
+    main()

package/src/policies/enforcers/session_memory_write.py

@@ -0,0 +1,52 @@
+#!/usr/bin/env python3
+"""session-memory-write enforcer: code-changing sessions must write a lesson."""
+from __future__ import annotations
+import sqlite3
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).parent))
+from _common import emit, parse_cli, repo_root  # noqa: E402
+
+END_OPS = {"session-end", "stop", "terminate", "SessionEnd"}
+
+
+def recent_lesson(root: Path) -> bool:
+    db = root / "agents" / "data" / "memory" / "short_term.db"
+    if not db.exists():
+        return False
+    try:
+        con = sqlite3.connect(f"file:{db}?mode=ro", uri=True, timeout=1.0)
+        cur = con.execute(
+            "SELECT COUNT(*) FROM session_memories "
+            "WHERE type IN ('decision','lesson','pattern') "
+            "AND session_id='current'"
+        )
+        n = cur.fetchone()[0]
+        con.close()
+        return n > 0
+    except sqlite3.Error:
+        return False
+
+
+def main() -> None:
+    op, args = parse_cli()
+    if op not in END_OPS:
+        emit(True, "not a session-end op")
+
+    code_changed = bool(args.get("code_changed"))
+    if not code_changed:
+        emit(True, "no code changes this session")
+
+    if recent_lesson(repo_root()):
+        emit(True, "lesson/decision recorded this session")
+
+    emit(
+        False,
+        "session-memory-write: code changed but no decision/lesson/pattern row in short_term.db. "
+        "Insert one before terminating.",
+    )
+
+
+if __name__ == "__main__":
+    main()