@onlooker-community/ecosystem 0.23.0 → 0.24.0

package/plugins/warden/README.md

@@ -0,0 +1,185 @@
+# Warden
+
+Untrusted-content gate enforcing the Agents Rule of Two.
+
+Warden scans content flowing into the agent through `WebFetch` and `Read` for prompt-injection patterns. When it finds a threat, it closes a session-scoped **content gate** that blocks `Write`, `Edit`, `MultiEdit`, and `Bash` until the user explicitly clears it.
+
+Grounded in Meta's *Agents Rule of Two*: an agent should hold no more than two of {access to private data, ability to take external actions, processing of untrusted content} at once. A coding agent in a real repository already holds the first two — your source and secrets, plus the ability to write files and run commands. The moment it ingests untrusted content (a fetched page, a file of unknown provenance) it holds all three: the dangerous configuration in which untrusted content can steer private data into external actions. Warden cannot un-read content, so it removes the *external-actions* property instead — closing the gate keeps the agent reading and reasoning while a human reviews the situation. Three-of-three collapses back to two-of-three, with the user as the release valve.
+
+Warden is a sibling plugin to [`ecosystem`](../../) and assumes the Onlooker observability substrate (`~/.onlooker/`) is present.
+
+## How it works
+
+Detection and enforcement are split across two hook surfaces, mediated only by the on-disk gate lock — the surfaces never call each other. See [ADR-001](docs/adr/001-detect-after-ingest-gate-before-action.md).
+
+| Surface | What Warden does |
+|---------|------------------|
+| `PostToolUse` (`WebFetch`, `Read`) | Extracts ingested content from `tool_response`, applies the source and skip-glob filters and length cap, and runs the hybrid scanner. A strong pattern hit closes the gate immediately; a weak hit escalates to the evaluator. On a positive verdict it closes the session-scoped gate and emits `warden.threat.detected`. PostToolUse cannot block the read — and deliberately does not, because reading is how the threat is discovered. |
+| `PreToolUse` (`Write`, `Edit`, `MultiEdit`, `Bash`) | Pure lock check: if the gate is closed it returns `{"decision":"block", …}` and emits `warden.gate.blocked`; otherwise it allows silently. No model call, no command parsing. |
+| `SessionStart` | Initializes Warden for the session. A new session always starts with the gate open, even if a prior session saw a threat. |
+| `/warden` skill | The user-facing control surface — reports gate status and is the only sanctioned way to clear a closed gate. |
+
+### Hybrid detection
+
+Detection is a two-stage funnel, balancing coverage against cost and data egress:
+
+1. **Pattern floor** (`warden-patterns.sh`) — a curated regex set mapped to five threat types: `prompt_injection`, `instruction_override`, `credential_exfiltration`, `command_injection`, and `social_engineering`. **Strong** signatures (explicit override/exfil/command-injection phrasing) score `detection.strong_pattern_confidence` (default `0.9`) and close the gate with no model call. **Weak** signatures (social-engineering pressure, soft instruction-shaped imperatives) score `detection.weak_pattern_confidence` (default `0.5`) — below `close_threshold` — and are treated as borderline.
+2. **LLM escalation** (`warden-evaluator.sh`) — borderline content is sanitized and sent to N parallel Haiku judges (majority vote). The gate closes only if the panel judges it an injection with confidence `≥ close_threshold`.
+
+Clean content (no signature) never reaches the model. Set `escalation.enabled: false` for a zero-egress, pattern-only posture.
+
+### Fail-soft posture
+
+- Detection never blocks the read — `PostToolUse` cannot. If escalation errors, Warden falls back to the deterministic pattern verdict.
+- Enforcement is a pure lock check, trivially fail-closed: a present lock always blocks.
+- Event emission is best-effort; a schema-validation or emit failure is logged to stderr and never blocks a session.
+
+## Activation
+
+Warden is **off by default**. Enable per-project in `.claude/settings.json`:
+
+```json
+{
+  "warden": {
+    "enabled": true
+  }
+}
+```
+
+Or globally in `~/.claude/settings.json`.
+
+## Configuration
+
+All keys are optional. Unset keys fall back to the plugin's `config.json` defaults.
+
+```json
+{
+  "warden": {
+    "enabled": false,
+    "scan": {
+      "sources": ["web_fetch", "file_read"],
+      "max_content_chars": 20000,
+      "skip_globs": ["**/*.lock", "**/*.sum", "**/node_modules/**", "**/.git/**", "**/dist/**", "**/build/**"],
+      "store_snippet": true,
+      "snippet_max_chars": 240
+    },
+    "detection": {
+      "close_threshold": 0.65,
+      "strong_pattern_confidence": 0.9,
+      "weak_pattern_confidence": 0.5
+    },
+    "escalation": {
+      "enabled": true,
+      "borderline_only": true,
+      "model": "claude-haiku-4-5-20251001",
+      "n": 3,
+      "temperature": 0.0,
+      "max_output_tokens": 192,
+      "sample_timeout_seconds": 12,
+      "min_valid_samples": 2
+    },
+    "gate": {
+      "blocked_tools": ["Write", "Edit", "MultiEdit", "Bash"],
+      "clear_policy": "user_override_only"
+    }
+  }
+}
+```
+
+| Key | Default | Description |
+|-----|---------|-------------|
+| `enabled` | `false` | Must be `true` for any scanning or gating to run. |
+| `scan.sources` | `["web_fetch", "file_read"]` | Which ingestion sources to scan. Matches the schema's `source_type` enum. |
+| `scan.max_content_chars` | `20000` | Length cap on the content fed into detection. |
+| `scan.skip_globs` | lockfiles, `node_modules`, `.git`, `dist`, `build`, … | Globs whose reads are not scanned. |
+| `scan.store_snippet` | `true` | Whether to keep a flagged excerpt in the gate record and event payload. |
+| `scan.snippet_max_chars` | `240` | Maximum length of a stored snippet. |
+| `detection.close_threshold` | `0.65` | Confidence at or above which a verdict closes the gate. |
+| `detection.strong_pattern_confidence` | `0.9` | Score assigned to strong pattern hits — above threshold, closes without a model call. |
+| `detection.weak_pattern_confidence` | `0.5` | Score assigned to weak pattern hits — below threshold, escalates to the evaluator. |
+| `escalation.enabled` | `true` | Whether borderline content escalates to the LLM evaluator. `false` is a zero-egress, pattern-only posture. |
+| `escalation.borderline_only` | `true` | Escalate only weak/borderline hits, never clean content. |
+| `escalation.model` | `claude-haiku-4-5-20251001` | Model used for the evaluator panel. |
+| `escalation.n` | `3` | Number of parallel evaluator samples (majority vote). |
+| `escalation.temperature` | `0.0` | Sampling temperature for the evaluator. |
+| `escalation.max_output_tokens` | `192` | Token ceiling per evaluator sample. |
+| `escalation.sample_timeout_seconds` | `12` | Per-sample wall-clock timeout. |
+| `escalation.min_valid_samples` | `2` | Minimum valid samples required to form a verdict. |
+| `gate.blocked_tools` | `["Write", "Edit", "MultiEdit", "Bash"]` | Tools blocked while the gate is closed. |
+| `gate.clear_policy` | `user_override_only` | How a closed gate may be cleared. Only explicit user override is supported. |
+
+On escalation, only a sanitized, length-capped excerpt of the ingested content is sent to the evaluator model. Setting `escalation.enabled: false` disables all egress — Warden then relies on the deterministic pattern floor alone.
+
+## The gate model
+
+The gate is a single session-scoped lock with two states:
+
+- **Open** (default — file absent, or `{"state":"open"}`) — `Write`, `Edit`, `MultiEdit`, and `Bash` are allowed.
+- **Closed** (`{"state":"closed", …}`) — those operations are blocked at `PreToolUse`.
+
+The detection hook **closes** the gate on a positive scan. Once closed, it can be **cleared only by the user** via the `/warden` skill (`clear_policy: user_override_only`) — Warden does not auto-clear in this release. The gate is session-scoped: a brand-new session starts open even if a prior session saw a threat, because the untrusted content lives in a specific session's context.
+
+Clearing the gate re-enables write-class tools but does not remove the flagged content from the conversation — it is still in context. The skill reminds the user of this.
+
+## Storage layout
+
+```text
+~/.onlooker/warden/sessions/<session_id>/
+└── gate.json
+```
+
+`gate.json` when the gate is closed:
+
+```json
+{
+  "state": "closed",
+  "closed_at": 1717000000,
+  "threat": {
+    "threat_id": "01J…",
+    "source_type": "web_fetch",
+    "threat_type": "credential_exfiltration",
+    "confidence": 0.9,
+    "source_url": "https://…",
+    "source_path": null,
+    "snippet": "…sanitized excerpt…",
+    "matched_pattern": "…",
+    "detection_method": "pattern_strong"
+  }
+}
+```
+
+The local record keeps forensic fields (`threat_id`, `matched_pattern`, `detection_method`). The emitted `warden.threat.detected` event carries only the schema-permitted fields — warden payloads use `additionalProperties: false`. State is keyed by `session_id`, not by repository: the gate guards a single session's context.
+
+## Events emitted
+
+Warden emits the canonical `warden.*` event surface from [`@onlooker-community/schema`](https://github.com/onlooker-community/schema) (v2.4.0+). All events land in `~/.onlooker/logs/onlooker-events.jsonl` and are validated against the schema before write.
+
+| Event | When | Payload |
+|-------|------|---------|
+| `warden.threat.detected` | A scan closes the gate. | `source_type`, `threat_type`, `confidence` (plus optional `source_url` / `source_path` / `snippet`) |
+| `warden.gate.blocked` | A write/edit/bash operation is blocked by a closed gate. | `blocked_operation`, `threat_source_type` |
+| `warden.threat.cleared` | The user clears the gate via `/warden`. | `source_type`, `cleared_by: user_override` |
+
+## The `/warden` skill
+
+`/warden` is the user-facing control surface for the gate that the hooks open and close automatically.
+
+- `/warden` or `/warden status` — prints whether the gate is OPEN or CLOSED. When closed, prints the recorded threat: `threat_type`, `source_type`, source URL/path, confidence, detection method, matched pattern, and the flagged snippet (when storage is enabled).
+- `/warden clear` (also `reopen`, `override`, `unblock`) — verifies the gate is closed, removes the lock, re-enables `Write`/`Edit`/`Bash`, and emits `warden.threat.cleared` with `cleared_by: user_override`.
+
+The skill resolves the active session automatically: it prefers `$CLAUDE_SESSION_ID`, falls back to the single closed gate when exactly one exists, and reports ambiguity if several sessions have closed gates (re-run with an explicit session id in that case). Closing is automatic; clearing is always a deliberate user decision.
+
+## Requirements
+
+- The `ecosystem` plugin installed (for the `~/.onlooker/` substrate and canonical event emission).
+- `claude` CLI on `PATH` (the evaluator shells out to `claude -p` when escalation is enabled).
+- `jq` for JSON manipulation.
+- `node` for canonical-event emission.
+
+## Architecture decisions
+
+Key decisions made during initial design are recorded in [`docs/adr/`](docs/adr/):
+
+- [ADR-001](docs/adr/001-detect-after-ingest-gate-before-action.md) — Detect after ingestion, gate before action (the detection/enforcement split and its Rule-of-Two mapping)
+
+See also the full plugin design in [`docs/design.md`](docs/design.md).

package/test/bats/librarian-cli.bats

@@ -0,0 +1,305 @@
+#!/usr/bin/env bats
+#
+# Exercises the librarian-cli surface that the /librarian review skill
+# drives. Each test seeds one or more proposals directly into the
+# librarian storage layer (skipping the SessionEnd scan pipeline) and
+# verifies that list/show/accept/reject/defer/status behave as the
+# skill expects:
+#
+#   - list  → returns a count + table, sized to pending proposals only
+#   - show  → renders provenance + body, fails clean on unknown id
+#   - accept → writes the typed memory file with provenance frontmatter,
+#              appends to MEMORY.md, sets status=accepted, emits
+#              librarian.proposal.accepted
+#   - reject → writes a body-hash tombstone, sets status=rejected,
+#              emits librarian.proposal.rejected AND
+#              librarian.tombstone.created
+#   - defer → leaves status pending but stamps the proposal so a
+#             reviewer can tell it was visited
+#   - status → reports pending/accepted/rejected counts
+#
+# The CLI is sourced into the bats shell directly (it's a library, not
+# a hook), so assertions can read both stdout and side-effects on disk.
+
+setup() {
+  source "${BATS_TEST_DIRNAME}/../helpers/setup.bash"
+  setup_test_env
+
+  PLUGIN_ROOT="${REPO_ROOT}/plugins/librarian"
+  export CLAUDE_PLUGIN_ROOT="$PLUGIN_ROOT"
+  export ONLOOKER_ECOSYSTEM_ROOT="$REPO_ROOT"
+
+  PROJECT_REPO="${BATS_TEST_TMPDIR}/repo"
+  mkdir -p "$PROJECT_REPO"
+  git -C "$PROJECT_REPO" init -q
+  git -C "$PROJECT_REPO" config user.email t@example.com
+  git -C "$PROJECT_REPO" config user.name "Test"
+  git -C "$PROJECT_REPO" remote add origin git@github.com:org/librarian-cli-test.git
+
+  # Source the five libs the skill loads, in the same order the SKILL.md
+  # walkthrough sources them. librarian-cli depends on storage + emit +
+  # project-key (and indirectly config).
+  # shellcheck disable=SC1091
+  source "${PLUGIN_ROOT}/scripts/lib/librarian-config.sh"
+  # shellcheck disable=SC1091
+  source "${PLUGIN_ROOT}/scripts/lib/librarian-project-key.sh"
+  # shellcheck disable=SC1091
+  source "${PLUGIN_ROOT}/scripts/lib/librarian-storage.sh"
+  # shellcheck disable=SC1091
+  source "${PLUGIN_ROOT}/scripts/lib/librarian-emit.sh"
+  # shellcheck disable=SC1091
+  source "${PLUGIN_ROOT}/scripts/lib/librarian-cli.sh"
+
+  PROJECT_KEY=$(librarian_project_key "$PROJECT_REPO")
+  [ -n "$PROJECT_KEY" ]
+
+  LIBRARIAN_DIR="${ONLOOKER_DIR}/librarian/${PROJECT_KEY}"
+  ONLOOKER_EVENTS_LOG="${ONLOOKER_DIR}/logs/onlooker-events.jsonl"
+  export ONLOOKER_EVENTS_LOG
+
+  # Where librarian_cli_accept writes typed memory. The CLI derives the
+  # encoded path from cwd when CLAUDE_PROJECT_ENCODED is unset; mirror
+  # that derivation so tests can assert against the resulting file.
+  ABS_CWD=$(cd "$PROJECT_REPO" && pwd -P)
+  ENCODED=$(printf '%s' "$ABS_CWD" | sed -E 's#/#-#g')
+  MEM_DIR="${TEST_HOME}/.claude/projects/${ENCODED}/memory"
+
+  librarian_storage_init "$PROJECT_KEY"
+}
+
+# Seed a single proposal JSON file directly into the storage layer.
+# Usage: _seed_proposal <id> <type> <title> <filename> <body> [confidence] [status]
+_seed_proposal() {
+  local id="$1" type="$2" title="$3" filename="$4" body="$5"
+  local confidence="${6:-0.82}" status="${7:-pending}"
+  local now json
+  now=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+  json=$(jq -cn \
+    --arg id "$id" \
+    --arg type "$type" \
+    --arg title "$title" \
+    --arg filename "$filename" \
+    --arg body "$body" \
+    --argjson conf "$confidence" \
+    --arg status "$status" \
+    --arg now "$now" \
+    --arg project_key "$PROJECT_KEY" \
+    '{
+       id: $id,
+       project_key: $project_key,
+       status: $status,
+       conflict_state: "none",
+       created_at: $now,
+       updated_at: $now,
+       source_session_ids: ["sess-seeded"],
+       source_artifact_ids: ["01ARTIFACT00000000000000"],
+       proposed: {
+         type: $type,
+         title: $title,
+         filename: $filename,
+         body: $body,
+         classifier_confidence: $conf
+       }
+     }')
+  librarian_storage_write_proposal "$PROJECT_KEY" "$id" "$json" >/dev/null
+}
+
+@test "list reports no-pending when the queue is empty" {
+  run librarian_cli_list "$PROJECT_REPO"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"No pending proposals."* ]]
+}
+
+@test "list summarizes pending proposals and ignores resolved ones" {
+  _seed_proposal "01LISTPENDINGA000000000000" \
+    "feedback" "Prefer functional patterns" "feedback_functional.md" \
+    "Body A."
+  _seed_proposal "01LISTPENDINGB000000000000" \
+    "project" "Auth rewrite is compliance" "project_auth_compliance.md" \
+    "Body B." "0.91"
+  _seed_proposal "01LISTACCEPTED0000000000000" \
+    "user" "Already accepted" "user_old.md" \
+    "Body C." "0.7" "accepted"
+
+  run librarian_cli_list "$PROJECT_REPO"
+  [ "$status" -eq 0 ]
+  # Header counts only pending entries (2 of 3).
+  [[ "$output" == *"2 pending proposal"* ]]
+  # Both pending titles surface.
+  [[ "$output" == *"Prefer functional patterns"* ]]
+  [[ "$output" == *"Auth rewrite is compliance"* ]]
+  # Pending rows include full IDs that can be used with show/accept/reject/defer.
+  [[ "$output" == *"01LISTPENDINGA000000000000"* ]]
+  [[ "$output" == *"01LISTPENDINGB000000000000"* ]]
+  # Accepted entry does NOT appear in the list output.
+  [[ "$output" != *"Already accepted"* ]]
+}
+
+@test "show renders provenance + body for an existing proposal" {
+  _seed_proposal "01SHOWPROPOSAL0000000000000" \
+    "feedback" "Some title" "feedback_x.md" \
+    "Body of the memory."
+
+  run librarian_cli_show "01SHOWPROPOSAL0000000000000" "$PROJECT_REPO"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"01SHOWPROPOSAL0000000000000"* ]]
+  [[ "$output" == *"type:                 feedback"* ]]
+  [[ "$output" == *"filename:             feedback_x.md"* ]]
+  [[ "$output" == *"classifier_confidence: 0.82"* ]]
+  [[ "$output" == *"Body of the memory."* ]]
+}
+
+@test "show fails clean on an unknown proposal id" {
+  run librarian_cli_show "01NOSUCHPROPOSAL00000000000" "$PROJECT_REPO"
+  [ "$status" -eq 1 ]
+  [[ "$output" == *"not found"* ]]
+}
+
+@test "accept writes a memory file with provenance frontmatter" {
+  _seed_proposal "01ACCEPTPROPOSAL000000000000" \
+    "feedback" "Prefer functional patterns" "feedback_functional.md" \
+    "User prefers functional patterns.
+
+**Why:** Stated explicitly.
+**How to apply:** Default to plain functions."
+
+  run librarian_cli_accept "01ACCEPTPROPOSAL000000000000" "$PROJECT_REPO"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"Accepted."* ]]
+
+  local out_file="${MEM_DIR}/feedback_functional.md"
+  [ -f "$out_file" ]
+
+  # Frontmatter records who promoted it, when, and from where.
+  grep -q "^source: librarian$" "$out_file"
+  grep -q "^type: feedback$" "$out_file"
+  grep -q "^name: Prefer functional patterns$" "$out_file"
+  grep -q "^classifier_confidence: 0.82$" "$out_file"
+  grep -q "^promoted_at: " "$out_file"
+  # Body survives in full.
+  grep -q "Default to plain functions" "$out_file"
+}
+
+@test "accept appends to MEMORY.md and creates it if missing" {
+  _seed_proposal "01ACCEPTINDEX000000000000000" \
+    "project" "Auth rewrite is compliance" "project_auth_compliance.md" \
+    "Compliance-driven."
+
+  [ ! -f "${MEM_DIR}/MEMORY.md" ]
+
+  run librarian_cli_accept "01ACCEPTINDEX000000000000000" "$PROJECT_REPO"
+  [ "$status" -eq 0 ]
+
+  [ -f "${MEM_DIR}/MEMORY.md" ]
+  grep -F -q "(project_auth_compliance.md)" "${MEM_DIR}/MEMORY.md"
+  grep -F -q "Auth rewrite is compliance" "${MEM_DIR}/MEMORY.md"
+}
+
+@test "accept marks the proposal accepted and emits librarian.proposal.accepted" {
+  _seed_proposal "01ACCEPTEVENT000000000000000" \
+    "user" "User role" "user_role.md" "Body."
+
+  run librarian_cli_accept "01ACCEPTEVENT000000000000000" "$PROJECT_REPO"
+  [ "$status" -eq 0 ]
+
+  # Proposal file flipped to accepted.
+  local proposal_path="${LIBRARIAN_DIR}/proposals/01ACCEPTEVENT000000000000000.json"
+  jq -e '.status == "accepted"' "$proposal_path" >/dev/null
+  jq -e '.final_filename == "user_role.md"' "$proposal_path" >/dev/null
+
+  # Event landed in the canonical events log.
+  [ -f "$ONLOOKER_EVENTS_LOG" ]
+  grep -q '"event_type":"librarian.proposal.accepted"' "$ONLOOKER_EVENTS_LOG"
+  grep '"event_type":"librarian.proposal.accepted"' "$ONLOOKER_EVENTS_LOG" \
+    | jq -e '.payload.proposal_id == "01ACCEPTEVENT000000000000000" and .payload.final_filename == "user_role.md"' >/dev/null
+}
+
+@test "accept refuses path-traversal filenames and writes nothing" {
+  _seed_proposal "01ACCEPTUNSAFE00000000000000" \
+    "user" "Bad filename" "../escape.md" "Body."
+
+  run librarian_cli_accept "01ACCEPTUNSAFE00000000000000" "$PROJECT_REPO"
+  [ "$status" -eq 1 ]
+  [[ "$output" == *"Failed to write memory file."* ]]
+
+  # No memory file written anywhere under MEM_DIR or its parent.
+  [ ! -f "${MEM_DIR}/../escape.md" ]
+  [ ! -f "${MEM_DIR}/escape.md" ]
+
+  # Proposal stays pending so a reviewer can resolve it manually.
+  local proposal_path="${LIBRARIAN_DIR}/proposals/01ACCEPTUNSAFE00000000000000.json"
+  jq -e '.status == "pending"' "$proposal_path" >/dev/null
+}
+
+@test "reject writes a tombstone and marks the proposal rejected" {
+  local body="This is the body whose hash anchors the tombstone."
+  _seed_proposal "01REJECTPROPOSAL00000000000" \
+    "feedback" "Some idea" "feedback_some_idea.md" "$body"
+
+  run librarian_cli_reject "01REJECTPROPOSAL00000000000" "stale guidance" "$PROJECT_REPO"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"Rejected"* ]]
+  [[ "$output" == *"stale guidance"* ]]
+
+  # Proposal status now rejected with the reason captured.
+  local proposal_path="${LIBRARIAN_DIR}/proposals/01REJECTPROPOSAL00000000000.json"
+  jq -e '.status == "rejected"' "$proposal_path" >/dev/null
+  jq -e '.reason == "stale guidance"' "$proposal_path" >/dev/null
+
+  # Tombstone file present, keyed on the body hash.
+  local expected_hash
+  expected_hash=$(librarian_body_hash "$body")
+  [ -n "$expected_hash" ]
+  [ -f "${LIBRARIAN_DIR}/tombstones/${expected_hash}.json" ]
+  librarian_storage_has_tombstone "$PROJECT_KEY" "$expected_hash"
+
+  # Both events fired.
+  grep -q '"event_type":"librarian.proposal.rejected"' "$ONLOOKER_EVENTS_LOG"
+  grep -q '"event_type":"librarian.tombstone.created"' "$ONLOOKER_EVENTS_LOG"
+  grep '"event_type":"librarian.proposal.rejected"' "$ONLOOKER_EVENTS_LOG" \
+    | jq -e '.payload.reason == "stale guidance"' >/dev/null
+  grep '"event_type":"librarian.tombstone.created"' "$ONLOOKER_EVENTS_LOG" \
+    | jq -e --arg h "$expected_hash" '.payload.body_hash == $h' >/dev/null
+}
+
+@test "defer stamps the proposal but leaves it pending" {
+  _seed_proposal "01DEFERPROPOSAL000000000000" \
+    "user" "Maybe later" "user_maybe.md" "Body."
+
+  run librarian_cli_defer "01DEFERPROPOSAL000000000000" "$PROJECT_REPO"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"Deferred"* ]]
+
+  local proposal_path="${LIBRARIAN_DIR}/proposals/01DEFERPROPOSAL000000000000.json"
+  jq -e '.status == "pending"' "$proposal_path" >/dev/null
+  jq -e '.deferred == true' "$proposal_path" >/dev/null
+
+  # Defer should NOT touch the memory store.
+  [ ! -d "$MEM_DIR" ] || [ -z "$(ls -A "$MEM_DIR" 2>/dev/null)" ]
+}
+
+@test "status reports counts across pending, accepted, and rejected" {
+  _seed_proposal "01STATUSPENDING0000000000000" "user" "P" "user_p.md" "p" "0.7" "pending"
+  _seed_proposal "01STATUSACCEPTED000000000000" "user" "A" "user_a.md" "a" "0.7" "accepted"
+  _seed_proposal "01STATUSREJECTED000000000000" "user" "R" "user_r.md" "r" "0.7" "rejected"
+
+  run librarian_cli_status "$PROJECT_REPO"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"pending: 1"* ]]
+  [[ "$output" == *"accepted: 1"* ]]
+  [[ "$output" == *"rejected: 1"* ]]
+}
+
+@test "librarian_cli dispatch routes to the right subcommand" {
+  _seed_proposal "01DISPATCH00000000000000000" \
+    "user" "Dispatch test" "user_dispatch.md" "Body."
+
+  # Unknown action returns exit 2.
+  run librarian_cli "explode"
+  [ "$status" -eq 2 ]
+
+  # Known action delegates correctly.
+  run librarian_cli "show" "01DISPATCH00000000000000000" "$PROJECT_REPO"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"Dispatch test"* ]]
+}