@onlooker-community/ecosystem 0.10.0 → 0.14.0

package/plugins/echo/scripts/lib/echo-config.sh

@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+# Config loading for Echo.
+# Reads config.json from the repo's .claude/settings.json echo.* keys,
+# falling back to the plugin's own config.json defaults.
+
+_ECHO_CONFIG_JSON=""
+_ECHO_PLUGIN_CONFIG_JSON=""
+
+echo_config_load() {
+	local repo_root="${1:-}"
+
+	_ECHO_PLUGIN_CONFIG_JSON=""
+	local plugin_config="${CLAUDE_PLUGIN_ROOT:-}/config.json"
+	if [[ -f "$plugin_config" ]]; then
+		_ECHO_PLUGIN_CONFIG_JSON=$(cat "$plugin_config" 2>/dev/null) || _ECHO_PLUGIN_CONFIG_JSON=""
+	fi
+
+	_ECHO_CONFIG_JSON=""
+	if [[ -n "$repo_root" ]]; then
+		local settings_file="${repo_root}/.claude/settings.json"
+		if [[ -f "$settings_file" ]]; then
+			local settings
+			settings=$(cat "$settings_file" 2>/dev/null) || settings=""
+			local echo_block
+			echo_block=$(printf '%s' "$settings" | jq -c '.echo // empty' 2>/dev/null) || echo_block=""
+			[[ -n "$echo_block" ]] && _ECHO_CONFIG_JSON="$echo_block"
+		fi
+	fi
+}
+
+# Get a single scalar value. Checks settings.json first, then plugin config.json.
+echo_config_get() {
+	local key="$1"
+
+	if [[ -n "$_ECHO_CONFIG_JSON" ]]; then
+		local val
+		val=$(printf '%s' "$_ECHO_CONFIG_JSON" | jq -r "${key} // empty" 2>/dev/null) || val=""
+		[[ -n "$val" && "$val" != "null" ]] && { printf '%s' "$val"; return 0; }
+	fi
+
+	if [[ -n "$_ECHO_PLUGIN_CONFIG_JSON" ]]; then
+		local val
+		val=$(printf '%s' "$_ECHO_PLUGIN_CONFIG_JSON" | jq -r ".echo${key} // empty" 2>/dev/null) || val=""
+		[[ -n "$val" && "$val" != "null" ]] && { printf '%s' "$val"; return 0; }
+	fi
+}
+
+echo_config_get_json() {
+	local key="$1"
+
+	if [[ -n "$_ECHO_CONFIG_JSON" ]]; then
+		local val
+		val=$(printf '%s' "$_ECHO_CONFIG_JSON" | jq -c "${key} // empty" 2>/dev/null) || val=""
+		[[ -n "$val" && "$val" != "null" && "$val" != "empty" ]] && { printf '%s' "$val"; return 0; }
+	fi
+
+	if [[ -n "$_ECHO_PLUGIN_CONFIG_JSON" ]]; then
+		local val
+		val=$(printf '%s' "$_ECHO_PLUGIN_CONFIG_JSON" | jq -c ".echo${key} // empty" 2>/dev/null) || val=""
+		[[ -n "$val" && "$val" != "null" && "$val" != "empty" ]] && { printf '%s' "$val"; return 0; }
+	fi
+}
+
+echo_config_enabled() {
+	local val
+	val=$(echo_config_get '.enabled')
+	[[ "$val" == "true" ]]
+}
+
+echo_config_model() {
+	local val
+	val=$(echo_config_get '.evaluation.model')
+	printf '%s' "${val:-claude-haiku-4-5-20251001}"
+}
+
+echo_config_timeout() {
+	local val
+	val=$(echo_config_get '.evaluation.timeout_seconds')
+	printf '%s' "${val:-60}"
+}
+
+echo_config_drift_threshold() {
+	local val
+	val=$(echo_config_get '.drift_threshold')
+	printf '%s' "${val:-0.05}"
+}
+
+# Prints newline-separated list of watch glob patterns.
+echo_config_watch_paths() {
+	local raw
+	raw=$(echo_config_get_json '.watch_paths')
+	if [[ -n "$raw" ]]; then
+		printf '%s' "$raw" | jq -r '.[]' 2>/dev/null
+	else
+		printf 'plugins/*/agents/*.md\n'
+	fi
+}
+
+# Prints newline-separated list of exclude glob patterns.
+echo_config_exclude_paths() {
+	local raw
+	raw=$(echo_config_get_json '.exclude_paths')
+	if [[ -n "$raw" ]]; then
+		printf '%s' "$raw" | jq -r '.[]' 2>/dev/null
+	fi
+	# Always exclude Echo's own tree — hardcoded, not overridable.
+	printf 'plugins/echo/**\n'
+}

package/plugins/echo/scripts/lib/echo-events.sh

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+# Canonical echo.* event emission.
+# Thin wrapper around the ecosystem plugin's onlooker-event.mjs `emit` mode.
+
+_ECHO_PLUGIN_NAME="echo"
+
+_echo_event_js_path() {
+	if [[ -n "${_ONLOOKER_EVENT_JS:-}" && -f "$_ONLOOKER_EVENT_JS" ]]; then
+		printf '%s' "$_ONLOOKER_EVENT_JS"
+		return 0
+	fi
+	local plugin_root="${CLAUDE_PLUGIN_ROOT:-}"
+	local candidates=(
+		"${plugin_root}/scripts/lib/onlooker-event.mjs"
+		"${plugin_root}/../../scripts/lib/onlooker-event.mjs"
+	)
+	local c
+	for c in "${candidates[@]}"; do
+		[[ -f "$c" ]] && { printf '%s' "$c"; return 0; }
+	done
+	return 1
+}
+
+_echo_session_id() {
+	if [[ -n "${_HOOK_SESSION_ID:-}" ]]; then
+		printf '%s' "$_HOOK_SESSION_ID"
+		return 0
+	fi
+	if [[ -n "${CLAUDE_SESSION_ID:-}" ]]; then
+		printf '%s' "$CLAUDE_SESSION_ID"
+		return 0
+	fi
+	printf 'unknown'
+}
+
+echo_emit_event() {
+	local event_type="${1:-}"
+	local payload="${2:-}"
+	[[ -z "$event_type" || -z "$payload" ]] && return 1
+
+	local event_js
+	event_js=$(_echo_event_js_path) || {
+		printf 'echo-events: cannot locate onlooker-event.mjs\n' >&2
+		return 1
+	}
+
+	local session_id
+	session_id=$(_echo_session_id)
+
+	local params
+	params=$(jq -n \
+		--arg plugin "$_ECHO_PLUGIN_NAME" \
+		--arg sid "$session_id" \
+		--arg type "$event_type" \
+		--argjson payload "$payload" \
+		'{plugin: $plugin, session_id: $sid, event_type: $type, payload: $payload}')
+
+	local event stderr_file
+	stderr_file=$(mktemp -t echo-event-err.XXXXXX 2>/dev/null) || stderr_file="/tmp/echo-event-err.$$"
+	event=$(printf '%s' "$params" \
+		| ONLOOKER_DIR="${ONLOOKER_DIR:-$HOME/.onlooker}" \
+		  ONLOOKER_PLUGIN_NAME="$_ECHO_PLUGIN_NAME" \
+		  node "$event_js" emit 2>"$stderr_file") || {
+		printf 'echo-events: schema validation failed for %s\n' "$event_type" >&2
+		[[ -s "$stderr_file" ]] && cat "$stderr_file" >&2
+		rm -f "$stderr_file"
+		return 1
+	}
+	rm -f "$stderr_file"
+
+	local log_path="${ONLOOKER_EVENTS_LOG:-${ONLOOKER_DIR:-$HOME/.onlooker}/logs/onlooker-events.jsonl}"
+	mkdir -p "$(dirname "$log_path")" 2>/dev/null || return 1
+	printf '%s\n' "$event" >>"$log_path"
+}

package/plugins/echo/scripts/lib/echo-project-key.sh

@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+# Project key derivation for Echo.
+# Mirrors archivist/tribunal: stable 12-char hex key derived from the git remote
+# or repo root, surviving renames, clones, and worktrees.
+
+_echo_sha256_first12() {
+	local input="$1"
+	if command -v shasum >/dev/null 2>&1; then
+		printf '%s' "$input" | shasum -a 256 2>/dev/null | cut -c1-12
+	elif command -v sha256sum >/dev/null 2>&1; then
+		printf '%s' "$input" | sha256sum 2>/dev/null | cut -c1-12
+	else
+		return 1
+	fi
+}
+
+echo_project_remote_url() {
+	local cwd="${1:-}"
+	[[ -z "$cwd" || ! -d "$cwd" ]] && return 0
+	git -C "$cwd" remote get-url origin 2>/dev/null || true
+}
+
+echo_project_repo_root() {
+	local cwd="${1:-}"
+	[[ -z "$cwd" || ! -d "$cwd" ]] && return 0
+
+	if ! git -C "$cwd" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+		return 0
+	fi
+
+	local common_dir toplevel
+	common_dir=$(git -C "$cwd" rev-parse --git-common-dir 2>/dev/null) || return 0
+
+	if [[ -n "$common_dir" && "$common_dir" != /* ]]; then
+		common_dir="$(cd "$cwd" && cd "$common_dir" 2>/dev/null && pwd -P)" || common_dir=""
+	fi
+
+	if [[ -n "$common_dir" && -d "$common_dir" ]]; then
+		toplevel="$(cd "$common_dir/.." 2>/dev/null && pwd -P)" || toplevel=""
+	fi
+
+	if [[ -z "$toplevel" ]]; then
+		toplevel=$(git -C "$cwd" rev-parse --show-toplevel 2>/dev/null || true)
+		[[ -n "$toplevel" ]] && toplevel="$(cd "$toplevel" 2>/dev/null && pwd -P)"
+	fi
+
+	printf '%s' "$toplevel"
+}
+
+echo_project_key() {
+	local cwd="${1:-}"
+	[[ -z "$cwd" ]] && cwd="$(pwd)"
+
+	local remote
+	remote=$(echo_project_remote_url "$cwd")
+	if [[ -n "$remote" ]]; then
+		_echo_sha256_first12 "remote:$remote"
+		return 0
+	fi
+
+	local root
+	root=$(echo_project_repo_root "$cwd")
+	if [[ -n "$root" ]]; then
+		_echo_sha256_first12 "root:$root"
+		return 0
+	fi
+
+	return 0
+}
+
+# Stable test_id for a file path: first 16 chars of sha256 of the path.
+echo_test_id_for_path() {
+	local path="$1"
+	if command -v shasum >/dev/null 2>&1; then
+		printf '%s' "$path" | shasum -a 256 2>/dev/null | cut -c1-16
+	elif command -v sha256sum >/dev/null 2>&1; then
+		printf '%s' "$path" | sha256sum 2>/dev/null | cut -c1-16
+	else
+		printf '%s' "$path" | od -A n -t x1 | tr -d ' \n' | cut -c1-16
+	fi
+}

package/plugins/echo/scripts/lib/echo-ulid.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# Minimal ULID generator for Echo suite_id and test_id values.
+# Crockford Base32, lexicographically sortable, time-ordered.
+
+_ECHO_ULID_ALPHABET="0123456789ABCDEFGHJKMNPQRSTVWXYZ"
+
+_echo_ulid_encode() {
+	local n="$1"
+	local len="$2"
+	local out=""
+	local i
+	for ((i = 0; i < len; i++)); do
+		out="${_ECHO_ULID_ALPHABET:$((n % 32)):1}${out}"
+		n=$((n / 32))
+	done
+	printf '%s' "$out"
+}
+
+echo_ulid() {
+	local now_ms
+	if [[ "$(uname)" == "Darwin" ]]; then
+		now_ms=$(python3 -c 'import time; print(int(time.time() * 1000))' 2>/dev/null) \
+			|| now_ms=$(($(date +%s) * 1000))
+	else
+		now_ms=$(date +%s%3N 2>/dev/null) || now_ms=$(($(date +%s) * 1000))
+	fi
+
+	local rand_hex rand_hi rand_lo
+	rand_hex=$(openssl rand -hex 10 2>/dev/null)
+	if [[ -n "$rand_hex" && ${#rand_hex} -eq 20 ]]; then
+		rand_hi=$((16#${rand_hex:0:10}))
+		rand_lo=$((16#${rand_hex:10:10}))
+	else
+		rand_hi=$((RANDOM * 32768 + RANDOM))
+		rand_lo=$((RANDOM * 32768 + RANDOM))
+		rand_hi=$(((rand_hi * 256 + RANDOM % 256) & ((1 << 40) - 1)))
+		rand_lo=$(((rand_lo * 256 + RANDOM % 256) & ((1 << 40) - 1)))
+	fi
+
+	local ts_part hi_part lo_part
+	ts_part=$(_echo_ulid_encode "$now_ms" 10)
+	hi_part=$(_echo_ulid_encode "$rand_hi" 8)
+	lo_part=$(_echo_ulid_encode "$rand_lo" 8)
+
+	printf '%s%s%s' "$ts_part" "$hi_part" "$lo_part"
+}

package/plugins/tribunal/.claude-plugin/plugin.json

@@ -0,0 +1,20 @@
+{
+  "name": "tribunal",
+  "version": "1.0.0",
+  "description": "Multi-agent execution with LLM-as-a-Judge quality gates. An Actor performs work; a jury of typed Judges scores it against a project-overridable rubric; a Meta-Judge reviews the jury for bias; the gate decides accept, retry, or exhaust. Grounded in LLM-as-a-Judge (Zheng et al. 2023) and LLM-as-a-Meta-Judge (Wu et al. 2024). Builds on the Onlooker ecosystem plugin.",
+  "author": {
+    "name": "Onlooker Community",
+    "url": "https://onlooker.dev"
+  },
+  "homepage": "https://onlooker.dev",
+  "repository": "https://github.com/onlooker-community/ecosystem",
+  "license": "MIT",
+  "skills": ["./skills/tribunal"],
+  "agents": [
+    "./agents/tribunal-actor.md",
+    "./agents/tribunal-judge-standard.md",
+    "./agents/tribunal-judge-security.md",
+    "./agents/tribunal-judge-adversarial.md",
+    "./agents/tribunal-meta-judge.md"
+  ]
+}

package/plugins/tribunal/CHANGELOG.md

@@ -0,0 +1,10 @@
+# Changelog
+
+## 1.0.0 (2026-05-24)
+
+
+### Features
+
+* **tribunal:** add multi-agent code review plugin :sparkles: ([#30](https://github.com/onlooker-community/ecosystem/issues/30)) ([893f24a](https://github.com/onlooker-community/ecosystem/commit/893f24a8876fdd6ccb5c7dcf2636a7c902e88949))
+
+## Changelog

package/plugins/tribunal/README.md

@@ -0,0 +1,134 @@
+# Tribunal
+
+Multi-agent execution with LLM-as-a-Judge quality gates.
+
+Tribunal wraps a task in a three-tier evaluation loop:
+
+1. An **Actor** subagent performs the work.
+2. A **jury** of typed **Judges** scores the output against a rubric.
+3. A **Meta-Judge** reviews the jury for bias, hallucination, and criteria misapplication.
+4. A configurable **gate policy** decides whether to accept, retry, or give up.
+
+Grounded in two papers:
+
+- [LLM-as-a-Judge (Zheng et al. 2023)](https://arxiv.org/abs/2306.05685) — strong LLMs can score other LLMs against rubrics with reasonable agreement to human judgment.
+- [LLM-as-a-Meta-Judge (Wu et al. 2024)](https://arxiv.org/abs/2407.19594) — a second model reviewing the Judge catches position, verbosity, and self-enhancement bias.
+
+Tribunal is a sibling plugin to [`ecosystem`](../../) and assumes the Onlooker observability substrate (`~/.onlooker/`) is present.
+
+## How it works
+
+| Surface | What tribunal does |
+|---|---|
+| `/tribunal <task>` skill | Orchestrates a full Actor → Jury → Meta → Gate loop, retrying the Actor with Judge critiques until the gate passes or `max_iterations` is reached. Emits the full canonical event stream. |
+| `Stop` hook (opt-in) | When `tribunal.stop_hook.enabled` is true, runs a single advisory pass on the just-finished turn's output and writes a verdict for review on the next session. No retry — the main session has already ended. |
+
+## Default jury
+
+Out of the box, Tribunal empanels **two judges** to showcase the jury model without the cost of a full panel:
+
+- `tribunal-judge-standard` — correctness, completeness, clarity.
+- `tribunal-judge-adversarial` — devil's advocate, actively looks for failure modes and unhandled edges.
+
+The gate uses `majority` policy with `weighted_mean` aggregation, so one strong reject does not automatically block. `tribunal-judge-security` is shipped but off by default — opt in for security-sensitive repos by adding `"security"` to `judge_types`.
+
+## Configuration
+
+Tribunal is enabled by default; the Stop hook is opt-in. Override per-project in your project's `.claude/settings.json`:
+
+```json
+{
+  "tribunal": {
+    "session": {
+      "judge_types": ["standard", "security", "adversarial"],
+      "gate_policy": "majority",
+      "max_iterations": 5
+    },
+    "stop_hook": { "enabled": true }
+  }
+}
+```
+
+The full default `config.json` is the source of truth for available knobs.
+
+### Project rubric override
+
+Drop a `rubrics` file at `<repo>/.claude/tribunal.json` (or globally at `~/.onlooker/tribunal.json`) to override the built-in `default` rubric or add named rubrics referenced as `/tribunal --rubric=<id>`:
+
+```json
+{
+  "rubrics": [
+    {
+      "id": "default",
+      "criteria": [
+        { "name": "correctness", "weight": 0.5, "min_pass": 0.8 },
+        { "name": "tests",       "weight": 0.3, "min_pass": 0.7 },
+        { "name": "docs",        "weight": 0.2, "min_pass": 0.5 }
+      ],
+      "score_threshold": 0.8,
+      "max_iterations": 5,
+      "judge_types": ["standard", "security", "adversarial"],
+      "gate_policy": "majority",
+      "aggregation_method": "weighted_mean"
+    }
+  ]
+}
+```
+
+Project rubrics override built-ins by `id`.
+
+## Subagents
+
+| Agent | `judge_type` | Role |
+|---|---|---|
+| `tribunal-actor` | n/a | Performs the task. Receives prior iteration's verdicts on retries. |
+| `tribunal-judge-standard` | `standard` | General correctness, completeness, clarity. |
+| `tribunal-judge-security` | `security` | Vulnerability-focused: injection, auth bypass, data exposure. |
+| `tribunal-judge-adversarial` | `adversarial` | Actively tries to find failure modes and missing edge cases. |
+| `tribunal-meta-judge` | `meta` | Reviews each Judge's verdict for the six bias types defined in the LLM-as-a-Judge paper. |
+
+`maintainability` and `domain` judge types are recognized in config but not yet shipped as subagents; they degrade to `standard` with a warning. They are planned for v0.2.
+
+## Storage layout
+
+```text
+~/.onlooker/tribunal/<project-key>/
+├── manifest.json
+└── <task_id>/                          # ULID
+    ├── manifest.json
+    ├── session-start.json
+    ├── session-complete.json
+    └── iteration-<iteration_id>/       # ULID per iteration
+        ├── actor.md
+        ├── jury.json
+        ├── verdicts/
+        │   └── <judge_id>.json         # one per judge
+        ├── consensus.json
+        ├── dissent.json                # only when emitted
+        ├── meta.json
+        └── gate.json
+```
+
+Project keying mirrors `archivist`: SHA256 of `git remote get-url origin` (first 12 hex), falling back to a hash of the repo root realpath. Worktrees of the same repo share a key.
+
+## Events emitted
+
+Tribunal emits the full canonical `tribunal.*` event surface from [`@onlooker-community/schema`](https://github.com/onlooker-community/schema) (v2.1.0+):
+
+`session.start`, `iteration.start`, `actor.start`, `actor.complete`, `jury.empaneled`, `judge.start`, `verdict` (one per judge), `meta.start`, `meta.complete`, `consensus.reached`, `dissent.recorded` (when judges disagree), `gate.passed` / `gate.blocked`, `session.complete`.
+
+All events land in `~/.onlooker/logs/onlooker-events.jsonl` and are validated against the schema before write.
+
+## Requirements
+
+- The `ecosystem` plugin installed (for `~/.onlooker/` substrate).
+- `claude` CLI on `PATH` (the Stop hook shells out to `claude -p` for its advisory pass).
+- `jq` for JSON manipulation.
+- `node` for canonical-event emission (the ecosystem plugin already requires this).
+
+## Architecture decisions
+
+Key decisions made during initial design are recorded in [`docs/adr/`](docs/adr/):
+
+- [ADR-001](docs/adr/001-actor-jury-meta-gate-loop.md) — The Actor → Jury → Meta-Judge → Gate loop
+- [ADR-002](docs/adr/002-majority-gate-policy.md) — Majority gate policy as default (and the 2-judge edge case)

package/plugins/tribunal/agents/tribunal-actor.md

@@ -0,0 +1,35 @@
+---
+name: tribunal-actor
+description: Performs a task end-to-end under Tribunal supervision. Receives the task description and, on retry iterations, the prior iteration's jury verdicts and Meta-Judge feedback. Output is the work itself (code changes, an analysis, a refactor plan) rendered as the final assistant message — no JSON wrapping, no scoring; the Judges do that next.
+model: claude-sonnet-4-6
+tools: Read, Edit, Write, Bash, Grep, Glob
+---
+
+# Tribunal Actor
+
+You are the **Actor** in a Tribunal evaluation loop. Your job is to do the work the user asked for. A jury of Judges will score your output against a rubric, and a Meta-Judge will review the jury before the gate decides whether to accept, retry, or give up.
+
+## Inputs
+
+You will receive:
+
+- **Task description** — what to do.
+- **Rubric criteria** — the dimensions the Judges will score on (e.g., correctness, completeness, safety, clarity). Use these as a checklist while you work; they tell you what "good" looks like for this task.
+- **(On retries only) Prior iteration's feedback** — a digest of the Judges' verdicts and any Meta-Judge override or bias notes. Address the specific concerns; do not re-litigate scores.
+
+## Output expectations
+
+- Render your work as the final assistant message — code, edits, an analysis, a plan, whatever the task calls for.
+- Be concrete. Vague directional answers score poorly on `completeness` and `clarity`.
+- When you make a non-obvious choice, state the trade-off in one line. Judges credit this under `correctness` and `clarity`; they penalize unexplained guesses.
+- Do not score yourself. Do not write a "self-review." The Judges will do that.
+
+## What to avoid
+
+- Stalling. If you cannot complete a step, say so explicitly and proceed with what you can finish — partial work that names its gaps scores better than fabricated completeness.
+- Over-engineering. If the task is a one-line fix, give a one-line fix. Adding scaffolding hurts `clarity` and may trip the `adversarial` Judge.
+- Padding. Verbosity is a known judge bias the Meta-Judge will flag against you. Say what needs saying and stop.
+
+## On retry
+
+When you see prior verdicts, treat the lowest-scoring criterion as the priority. If the Meta-Judge flagged `bias_detected`, you can ignore the bias-affected critique on that dimension — but address every concern the Meta-Judge endorsed (`verdict_quality: sound`).

package/plugins/tribunal/agents/tribunal-judge-adversarial.md

@@ -0,0 +1,51 @@
+---
+name: tribunal-judge-adversarial
+description: Devil's-advocate Tribunal judge. Actively tries to break the Actor's work — edge cases, empty inputs, concurrent callers, partial failures, version drift, assumptions that are not stated. Pairs well with tribunal-judge-standard to balance optimistic and pessimistic scoring. Emits TribunalVerdictPayload as the final message. Read-only (Bash allowed only to run existing test suites — do not modify code).
+model: claude-opus-4-7
+tools: Read, Grep, Glob, Bash
+---
+
+# Tribunal Adversarial Judge
+
+You are the **Adversarial Judge** in a Tribunal jury. Your job is to try, in good faith, to falsify the Actor's claim that the work is correct. The Standard Judge looks for what is right; you look for what could break.
+
+## Your stance
+
+- Assume the Actor missed something. Prove or disprove it before scoring.
+- You may run existing tests (`Bash`) to confirm or refute Actor claims. Do not write new tests or modify code — read-only stance.
+- You may not invent constraints the task did not impose. The Meta-Judge will flag that as `position` or `verbosity` bias and downweight you.
+
+## What to probe
+
+- **Empty / null / boundary inputs** — does the code handle `[]`, `""`, `0`, `None`, very long inputs?
+- **Concurrent callers** — race on a file lock, on a shared global, on an outer cache.
+- **Partial failures** — what if step 2 of 3 fails — is state left half-written?
+- **Unstated assumptions** — does the code assume sorted input? Timezone-naive timestamps? `LC_ALL=C`? A specific shell?
+- **Version drift** — does it use a flag added in a recent version of a tool? Will it work on the older versions documented as supported?
+- **Idempotency** — what happens on a second run?
+- **Reverse engineering the test** — can you produce an input that satisfies the test but breaks the spirit of the task?
+
+## Scoring discipline
+
+- Each concrete falsification (a reproducible failure or a clear, named gap) drops the score by `0.15`, floor `0.10`.
+- A single vague "this might fail" is worth `0.0` — name the input or do not raise it.
+- If you genuinely cannot falsify, score `0.85+` and say so. Refusing to ever give a high score is `refusal` bias and the Meta-Judge will flag it.
+
+## Output format
+
+Final message is a single JSON object — no prose, no fence:
+
+```json
+{
+  "score": 0.55,
+  "passed": false,
+  "judge_type": "adversarial",
+  "criteria_evaluated": ["edge-cases", "concurrency", "idempotency"],
+  "strengths_count": 1,
+  "weaknesses_count": 2,
+  "confidence": 0.8,
+  "feedback_summary": "Reproduced: empty input array raises IndexError at parse.py:42 instead of returning []. Second run of the migration script duplicates rows — not idempotent. Concurrency story is fine, single-process by design."
+}
+```
+
+`feedback_summary` should describe each falsification with enough specificity that the Actor can reproduce it on retry.

package/plugins/tribunal/agents/tribunal-judge-security.md

@@ -0,0 +1,47 @@
+---
+name: tribunal-judge-security
+description: Security-focused Tribunal judge. Scores Actor output through a vulnerability lens — injection, auth, secrets, unsafe shell, path traversal, deserialization, SSRF, race conditions on shared resources. Off by default; opt in by adding "security" to judge_types for security-sensitive code. Emits TribunalVerdictPayload as the final message. Read-only.
+model: claude-opus-4-7
+tools: Read, Grep, Glob
+---
+
+# Tribunal Security Judge
+
+You are the **Security Judge** in a Tribunal jury. Score the Actor's output exclusively through a security lens. If the change has no security surface, score `correctness` neutrally (around `0.75`) with a short note; do not invent issues to justify your presence.
+
+## What to look for
+
+- **Injection** — SQL/command/shell/template/LDAP. Anything that builds a query or command from user input.
+- **AuthN/AuthZ** — bypasses, missing checks, privilege escalation, session handling, token leakage.
+- **Secrets handling** — credentials in logs, env vars echoed to stdout, secrets committed to disk.
+- **Unsafe shell** — `eval`, unquoted expansions, `rm -rf $VAR` without validation, `curl | bash` patterns.
+- **Path traversal** — unconstrained `../` paths, symlink chasing, missing realpath validation.
+- **Deserialization** — `pickle`, unsafe YAML, `JSON.parse` of untrusted input feeding `eval`.
+- **SSRF / open redirects** — fetches whose target derives from user input.
+- **TOCTOU** and races on shared resources, especially around files and locks.
+
+## Scoring discipline
+
+- A single critical finding (RCE, auth bypass, secret leak) caps `score` at `0.3` regardless of other dimensions.
+- Multiple medium findings cap at `0.6`.
+- Read the changed files. Do not score from the summary.
+- Do not flag style or hypothetical "could be exploited if…" without a concrete attack chain. The Meta-Judge will mark you as `biased` if you over-report.
+
+## Output format
+
+Final message is a single JSON object — no prose, no fence:
+
+```json
+{
+  "score": 0.45,
+  "passed": false,
+  "judge_type": "security",
+  "criteria_evaluated": ["injection", "secrets", "path-traversal"],
+  "strengths_count": 1,
+  "weaknesses_count": 2,
+  "confidence": 0.9,
+  "feedback_summary": "scripts/run.sh:24 passes $USER_INPUT to a shell without quoting → command injection. scripts/run.sh:31 logs the API token. Other dimensions clean."
+}
+```
+
+When `passed: false`, every finding in `feedback_summary` must point at a file and (when possible) a line. Vague security objections waste the Actor's retry budget.

package/plugins/tribunal/agents/tribunal-judge-standard.md

@@ -0,0 +1,47 @@
+---
+name: tribunal-judge-standard
+description: Scores Actor output against the active rubric on correctness, completeness, and clarity. Emits a single TribunalVerdictPayload JSON object as the final message — no prose around it. Read-only: you evaluate, you do not edit. Designed for the general case (refactors, docs, analysis, most code changes). Use the security or adversarial judge for those specific lenses.
+model: claude-opus-4-7
+tools: Read, Grep, Glob
+---
+
+# Tribunal Standard Judge
+
+You are the **Standard Judge** in a Tribunal jury. Score the Actor's output against the rubric. Be honest, calibrated, and terse.
+
+## Inputs
+
+- **Task description** — what the Actor was asked to do.
+- **Rubric** — list of criteria with `name`, `weight`, `min_pass`. Score each criterion in [0, 1].
+- **Actor output** — what to evaluate.
+- **Score threshold** — the overall bar for `passed: true`.
+
+## Scoring discipline
+
+- Read the actual files the Actor changed before scoring. Do not score from the Actor's summary alone.
+- A `0.7` means "meets the bar." Reserve `0.9+` for clearly excellent work. Reserve `< 0.5` for clearly broken work.
+- Calibrate against the rubric, not against an imagined ideal answer. A small task done well scores higher than a sprawling task done halfway.
+- Avoid verbosity bias: a long Actor response is not better than a short correct one.
+
+## Output format
+
+Your **final message** must be a single JSON object matching `TribunalVerdictPayload`. No markdown, no prose around it, no code fence — just JSON:
+
+```json
+{
+  "score": 0.82,
+  "passed": true,
+  "judge_type": "standard",
+  "criteria_evaluated": ["correctness", "completeness", "clarity"],
+  "strengths_count": 3,
+  "weaknesses_count": 1,
+  "confidence": 0.85,
+  "feedback_summary": "Patch is correct and minimal. Missing test for the empty-input case. Naming and comments are clear."
+}
+```
+
+Required fields: `score`, `passed`, `judge_type`. `passed` reflects your own judgment based on the rubric thresholds — the orchestrator may still aggregate and override per gate policy.
+
+`feedback_summary` should be 1–3 sentences. Name specific files and lines when you can. This is what the Actor sees on retry.
+
+The orchestrator will inject `judge_id` and `iteration_id` when persisting your verdict.