@onlooker-community/ecosystem 0.24.0 → 0.25.0

package/.claude-plugin/marketplace.json

@@ -163,6 +163,19 @@
       "license": "MIT",
       "keywords": ["memory", "episodic", "transcript", "indexing", "session", "retrieval"],
       "tags": ["memory", "context-engineering"]
+    },
+    {
+      "name": "assayer",
+      "source": "./plugins/assayer",
+      "description": "Claim verification. At session end, parses the agent's final message for testable success claims (\"I ran the tests, they pass\", \"the build is green\") and cross-checks each against the actual command results in the session transcript, classifying it corroborated, contradicted, or unverifiable. Catches lying-without-malice. Advisory by default. Requires the ecosystem plugin.",
+      "author": {
+        "name": "Onlooker Community"
+      },
+      "homepage": "https://onlooker.dev",
+      "repository": "https://github.com/onlooker-community/ecosystem",
+      "license": "MIT",
+      "keywords": ["verification", "claims", "exit-codes", "honesty", "testing", "transcript"],
+      "tags": ["verification", "testing"]
     }
   ]
 }

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "ecosystem",
-  "version": "0.24.0",
+  "version": "0.25.0",
   "description": "Observability substrate for Claude Code. Provides the shared ~/.onlooker/ storage root, canonical schema-validated event emission, session and tool tracking hooks, and prompt rules. Required by all other Onlooker plugins.",
   "author": {
     "name": "Onlooker Community",

package/.release-please-manifest.json

@@ -1,5 +1,5 @@
 {
-  ".": "0.24.0",
+  ".": "0.25.0",
   "plugins/archivist": "0.1.0",
   "plugins/tribunal": "1.0.1",
   "plugins/echo": "0.2.0",
@@ -11,5 +11,6 @@
   "plugins/warden": "0.2.0",
   "plugins/librarian": "0.2.0",
   "plugins/curator": "0.1.0",
-  "plugins/historian": "0.2.0"
+  "plugins/historian": "0.2.0",
+  "plugins/assayer": "1.0.0"
 }

package/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## [0.25.0](https://github.com/onlooker-community/ecosystem/compare/ecosystem-v0.24.0...ecosystem-v0.25.0) (2026-06-04)
+
+
+### Features
+
+* **assayer:** introduce claim-verification plugin ([#70](https://github.com/onlooker-community/ecosystem/issues/70)) ([1d0500b](https://github.com/onlooker-community/ecosystem/commit/1d0500b64f8cd670d1cfa1ac070182d72696bdfd))
+
 ## [0.24.0](https://github.com/onlooker-community/ecosystem/compare/ecosystem-v0.23.1...ecosystem-v0.24.0) (2026-06-04)
 
 

package/CLAUDE.md

@@ -37,6 +37,7 @@ scripts/lib/onlooker-event.mjs  ← canonical event builder; all plugins route t
 | governor | SessionStart, PreToolUse (Task), PostToolUse (Task), Stop | Budget gates on subagent spawns; tracks spend per session |
 | tribunal | Stop + skill invocation | Post-task quality gate; also invokable via `/tribunal` |
 | warden | PostToolUse (WebFetch, Read), PreToolUse (Write, Edit, MultiEdit, Bash), SessionStart + skill invocation | Scans ingested content for injection; closes a content gate that blocks write-class tools until cleared via `/warden` |
+| assayer | Stop | Verifies the agent's final-message claims against actual command results in the transcript; advisory |
 
 Plugins communicate by emitting events to the JSONL log — they do not call each other directly. All plugins depend on the ecosystem substrate; no plugin depends on another plugin directly.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@onlooker-community/ecosystem",
-  "version": "0.24.0",
+  "version": "0.25.0",
   "description": "Agents, skills, hooks, commands, rules, and MCP configurations that power [Onlooker](https://onlooker.dev)",
   "author": {
     "name": "Onlooker Community",
@@ -19,14 +19,14 @@
     "onlooker-install": "install.sh"
   },
   "dependencies": {
-    "@onlooker-community/schema": "^2.5.0"
+    "@onlooker-community/schema": "^2.6.0"
   },
   "scripts": {
     "postinstall": "echo '\\n  onlooker-ecosystem installed!\\n  Run: npx onlooker-install typescript\\n  Docs: https://github.com/onlooker-community/ecosystem\\n'",
     "test": "npm run test:bats && npm run test:schema",
     "test:bats": "bats test/bats",
     "test:schema": "node --test test/node/*.test.mjs",
-    "test:shellcheck": "shellcheck -S error -x install.sh scripts/common.sh scripts/hooks/*.sh scripts/lib/*.sh plugins/archivist/scripts/hooks/*.sh plugins/archivist/scripts/lib/*.sh plugins/tribunal/scripts/hooks/*.sh plugins/tribunal/scripts/lib/*.sh plugins/echo/scripts/hooks/*.sh plugins/echo/scripts/lib/*.sh plugins/governor/scripts/hooks/*.sh plugins/governor/scripts/lib/*.sh plugins/compass/scripts/hooks/*.sh plugins/compass/scripts/lib/*.sh plugins/scribe/scripts/hooks/*.sh plugins/scribe/scripts/lib/*.sh plugins/counsel/scripts/hooks/*.sh plugins/counsel/scripts/lib/*.sh plugins/warden/scripts/hooks/*.sh plugins/warden/scripts/lib/*.sh plugins/librarian/scripts/hooks/*.sh plugins/librarian/scripts/lib/*.sh plugins/curator/scripts/hooks/*.sh plugins/curator/scripts/lib/*.sh plugins/historian/scripts/hooks/*.sh plugins/historian/scripts/lib/*.sh",
+    "test:shellcheck": "shellcheck -S error -x install.sh scripts/common.sh scripts/hooks/*.sh scripts/lib/*.sh plugins/archivist/scripts/hooks/*.sh plugins/archivist/scripts/lib/*.sh plugins/tribunal/scripts/hooks/*.sh plugins/tribunal/scripts/lib/*.sh plugins/echo/scripts/hooks/*.sh plugins/echo/scripts/lib/*.sh plugins/governor/scripts/hooks/*.sh plugins/governor/scripts/lib/*.sh plugins/compass/scripts/hooks/*.sh plugins/compass/scripts/lib/*.sh plugins/scribe/scripts/hooks/*.sh plugins/scribe/scripts/lib/*.sh plugins/counsel/scripts/hooks/*.sh plugins/counsel/scripts/lib/*.sh plugins/warden/scripts/hooks/*.sh plugins/warden/scripts/lib/*.sh plugins/librarian/scripts/hooks/*.sh plugins/librarian/scripts/lib/*.sh plugins/curator/scripts/hooks/*.sh plugins/curator/scripts/lib/*.sh plugins/historian/scripts/hooks/*.sh plugins/historian/scripts/lib/*.sh plugins/assayer/scripts/hooks/*.sh plugins/assayer/scripts/lib/*.sh",
     "lint:references": "node scripts/lint/check-references.mjs",
     "lint:manifests": "node scripts/lint/check-manifests.mjs",
     "coverage:node": "node scripts/coverage/run-coverage.mjs",

package/plugins/assayer/.claude-plugin/plugin.json

@@ -0,0 +1,14 @@
+{
+  "name": "assayer",
+  "version": "1.0.0",
+  "description": "Claim verification. At session end, parses the agent's final message for testable claims (\"I ran the tests, they pass\", \"the build is green\") and checks each against the actual command results in the session transcript, classifying it corroborated, contradicted, or unverifiable. Catches lying-without-malice. Advisory by default. Builds on the Onlooker ecosystem plugin.",
+  "author": {
+    "name": "Onlooker Community",
+    "url": "https://onlooker.dev"
+  },
+  "homepage": "https://onlooker.dev",
+  "repository": "https://github.com/onlooker-community/ecosystem",
+  "license": "MIT",
+  "skills": [],
+  "agents": []
+}

package/plugins/assayer/CHANGELOG.md

@@ -0,0 +1,10 @@
+# Changelog
+
+## 1.0.0 (2026-06-04)
+
+
+### Features
+
+* **assayer:** introduce claim-verification plugin ([#70](https://github.com/onlooker-community/ecosystem/issues/70)) ([1d0500b](https://github.com/onlooker-community/ecosystem/commit/1d0500b64f8cd670d1cfa1ac070182d72696bdfd))
+
+## Changelog

package/plugins/assayer/README.md

@@ -0,0 +1,114 @@
+# Assayer
+
+Claim verification — does the agent's story match the session's receipts?
+
+When an agent finishes, it tells you what it did: "I ran the tests, they pass," "the build is green," "lint is clean." Assayer treats those as **testable claims** and checks each against what actually happened in the session — the Bash commands that ran and whether they errored. A claim that a passing run contradicts is surfaced, not silently trusted. This catches lying-without-malice: the agent isn't deceiving you, it just misremembered, or assumed, or never re-ran after a change.
+
+Assayer is a sibling plugin to [`ecosystem`](../../) and assumes the Onlooker observability substrate (`~/.onlooker/`) is present.
+
+## How it works
+
+| Hook | What Assayer does |
+|------|-------------------|
+| `Stop` | Reads the just-finished session's transcript (`transcript_path`). Extracts the agent's testable success claims from its final message with a single `claude -p` pass, cross-checks each against the actual Bash command results in the same transcript, and emits a verdict per claim plus an audit summary. Advisory only — always exits 0, never blocks Stop. |
+
+The pipeline:
+
+```
+Stop → Transcript Reader → Claim Extractor (claude -p) → Deterministic Verifier → Events
+```
+
+- **Transcript reader** pulls two things from the JSONL transcript: the **final assistant message** (where claims live) and every **Bash command** paired with its result status. Claude Code records a command as a `tool_use` block and its outcome as a `tool_result` carrying an `is_error` flag — there is no per-call numeric exit code, so `is_error` is the success/failure signal.
+- **Claim extractor** (LLM) reads only the final message and identifies success claims, tagging each with a `type` (`tests_pass`, `build_succeeds`, `lint_clean`, `types_check`, `command_succeeds`, `generic`) and a `command_keyword` — the substring it expects in the verifying command. The LLM does **not** judge truth; it only identifies claims and what would settle them.
+- **Verifier** (deterministic bash) is the factual half: for each claim it finds the most recent command matching the claim's keywords and reads its `is_error`. Same inputs always produce the same verdict.
+
+## Verdicts
+
+| Verdict | Meaning |
+|---------|---------|
+| **corroborated** | A matching command ran and succeeded. |
+| **contradicted** | A matching command ran and **failed** — the claim is not backed by the evidence. |
+| **unverified** | No matching command (`no_matching_command`), or the claim implies no checkable command (`ambiguous`). |
+
+The most **recent** matching command wins: an agent may fail, fix, and re-run, and the last run reflects the state the final message describes.
+
+## Activation
+
+Assayer is **off by default** — it calls `claude -p` on every Stop, so it is opt-in. Enable per-project in `.claude/settings.json`:
+
+```json
+{
+  "assayer": {
+    "enabled": true
+  }
+}
+```
+
+Or globally in `~/.claude/settings.json`.
+
+## Configuration
+
+All keys are optional. Unset keys fall back to the plugin's `config.json` defaults.
+
+```json
+{
+  "assayer": {
+    "enabled": false,
+    "evaluation": {
+      "model": "claude-haiku-4-5-20251001",
+      "timeout_seconds": 60
+    },
+    "max_claims": 12,
+    "min_confidence": 0.5,
+    "final_message_chars": 6000
+  }
+}
+```
+
+| Key | Default | Description |
+|-----|---------|-------------|
+| `enabled` | `false` | Must be `true` for any audit to run. |
+| `evaluation.model` | `claude-haiku-4-5-20251001` | Model used for claim extraction. Haiku is fast and cheap; the task is structured and shallow. |
+| `evaluation.timeout_seconds` | `60` | Per-pass wall-clock timeout passed to the `timeout` command. |
+| `max_claims` | `12` | Maximum number of claims to extract from a final message. |
+| `min_confidence` | `0.5` | Claims the extractor scores below this are dropped before verification. |
+| `final_message_chars` | `6000` | How many characters of the final assistant message to feed into extraction. |
+
+## Storage layout
+
+```text
+~/.onlooker/assayer/<project-key>/
+└── audit-<session-id>.json     # advisory summary written at end of each audit
+```
+
+Each audit file records the claim count, the corroborated / contradicted / unverified tallies, the overall verdict, and the per-claim list for review in the next session.
+
+Project key: first 12 hex chars of SHA256 of `git remote get-url origin`, falling back to a hash of the repo root realpath — stable across directory moves, clones, and worktrees of the same repo.
+
+## Events emitted
+
+Assayer emits the canonical `assayer.*` event surface from [`@onlooker-community/schema`](https://github.com/onlooker-community/schema). All events land in `~/.onlooker/logs/onlooker-events.jsonl` and are validated against the schema before write.
+
+| Event | When |
+|-------|------|
+| `assayer.audit.started` | Before verification begins. Includes `claim_count` and `command_count`. |
+| `assayer.claim.contradicted` | A claim is contradicted by a failing command. Includes the `claim`, the `evidence_command`, and a `result_excerpt`. |
+| `assayer.claim.unverified` | A claim has no supporting evidence (`reason`: `no_matching_command` or `ambiguous`). |
+| `assayer.audit.complete` | After all claims are checked. Includes the tallies, the `verdict` (`clean`, `contradictions_found`, `nothing_to_verify`), and `duration_ms`. |
+
+Corroborated claims are counted in the summary rather than emitted individually — the happy path is the quiet path.
+
+## Requirements
+
+- The `ecosystem` plugin installed (for the `~/.onlooker/` substrate and canonical event emission).
+- A release of `@onlooker-community/schema` that includes the `assayer.*` event types (the emitter validates every envelope against the installed schema; older versions reject `assayer.*`).
+- `claude` CLI on `PATH` (the hook shells out to `claude -p` for the extraction pass).
+- `jq` for JSON manipulation.
+- `node` for canonical-event emission.
+- `python3` for millisecond timestamps (standard on macOS and most Linux distributions).
+
+## Architecture decisions
+
+Key decisions made during initial design are recorded in [`docs/adr/`](docs/adr/):
+
+- [ADR-001](docs/adr/001-verify-claims-against-transcript-evidence.md) — Verify claims at Stop against transcript evidence (and why `is_error`, not exit codes, and why advisory)

package/plugins/assayer/config.json

@@ -0,0 +1,14 @@
+{
+  "plugin_name": "assayer",
+  "storage_path": "~/.onlooker",
+  "assayer": {
+    "enabled": false,
+    "evaluation": {
+      "model": "claude-haiku-4-5-20251001",
+      "timeout_seconds": 60
+    },
+    "max_claims": 12,
+    "min_confidence": 0.5,
+    "final_message_chars": 6000
+  }
+}

package/plugins/assayer/docs/adr/001-verify-claims-against-transcript-evidence.md

@@ -0,0 +1,57 @@
+# ADR-001: Verify Claims at Stop Against Transcript Evidence
+
+- Status: Accepted
+- Date: 2026-06-04
+- Deciders: Meagan
+- Tags: assayer, verification, stop-hook, transcript, honesty
+
+## Context and Problem Statement
+
+Every other plugin in the ecosystem assumes the agent's account of its own work is true. Tribunal judges the output, echo scores the prompt, governor counts the spend — but none of them check the most basic thing: when the agent says "I ran the tests and they pass," did the tests actually pass?
+
+This failure mode is not malice. An agent claims success because it intended to verify, or it verified an earlier revision, or it ran the command, saw red, fixed something, and never re-ran. The final message reflects a belief, and the belief can be stale. The session transcript already holds the ground truth — the commands that ran and whether they errored — but nothing reconciles the two.
+
+The question: **how do we check the agent's claims against what actually happened, cheaply and without false alarms?**
+
+## Decision Drivers
+
+- The evidence (commands + results) must already exist and be trustworthy — not reconstructed or re-run.
+- Verification must be deterministic: the same session must always produce the same verdict.
+- False positives are expensive. Flagging a true claim as a lie destroys trust in the plugin faster than missing a false one.
+- It must not interrupt the user's flow for an advisory signal.
+
+## Decision
+
+**Assayer runs at `Stop`, reads the session transcript, and reconciles the agent's final-message claims against the Bash command results recorded in that same transcript.**
+
+Three sub-decisions follow:
+
+### 1. Stop, reading the committed transcript
+
+`Stop` fires once the turn is over and the transcript is fully written to disk — the same `transcript_path` tribunal and compass read. There is no timing-skew risk: every command the agent ran, and every result, is already on disk before assayer looks. Running earlier (e.g. `PostToolUse`) would mean verifying claims that have not been made yet.
+
+### 2. `is_error`, not exit codes
+
+Claude Code's transcript represents a command as a `tool_use` block and its outcome as a `tool_result` carrying an `is_error` boolean. It does **not** expose a per-call numeric exit code. So `is_error` is the success/failure signal: a claim of success contradicted by a matching command whose `is_error` is true. The schema's `assayer.claim.contradicted` payload reflects this honestly — `evidence_command` is required, `exit_code` is optional (populated only when a code is recoverable from output), and a `result_excerpt` captures the failing output for the reader.
+
+### 3. Split the work: LLM identifies, bash verifies
+
+Claim extraction is a language problem — what counts as a testable success claim, and what command would settle it — so an LLM (`claude -p`, Haiku) does it. The factual cross-check is not a language problem; it is a lookup. So a deterministic bash/jq verifier matches each claim to the most recent command containing its keywords and reads `is_error`. The LLM never judges truth; the verifier never interprets language. This keeps the verdict reproducible and unit-testable, and confines the non-determinism to the one step that genuinely needs it.
+
+### 4. Advisory, not blocking
+
+Assayer always exits 0. A contradicted claim is emitted as an event and written to an advisory file, not used to block `Stop`. The turn is already over; the high-value action is a durable, queryable signal ("the agent claimed X; the evidence says otherwise"), not interrupting a finished session. A blocking/enforce mode that re-prompts the agent on contradiction is a plausible future opt-in, but the safe default is advisory.
+
+## Consequences
+
+**Positive**
+
+- Closes the "did it actually work?" gap with zero new infrastructure — the evidence is already in the transcript.
+- Deterministic and testable: the verifier is pure bash/jq with no LLM in the factual path.
+- Off by default and advisory, so it can never block or surprise a session it was not invited to.
+
+**Negative / accepted trade-offs**
+
+- Keyword matching is heuristic. A claim whose verifying command uses unexpected wording falls to `unverified` rather than being checked — a miss, not a false alarm, which is the safer direction to err.
+- `is_error` is coarser than an exit code. A command that exits 0 but prints failures (a test runner that swallows its own status) reads as success. Documented; acceptable for v0.1.
+- One `claude -p` call per Stop. This is why the plugin is off by default.

package/plugins/assayer/docs/design.md

@@ -0,0 +1,72 @@
+# Assayer — Design
+
+Assayer is the verification layer of the Onlooker ecosystem. Where tribunal judges *quality* and echo tracks *prompt drift*, assayer answers a narrower, more literal question: **did the things the agent said it did actually happen?**
+
+## The problem: lying-without-malice
+
+An agent's final message is a self-report. It says "tests pass," "build is green," "lint is clean." These read as facts but are really *beliefs*, and beliefs drift from reality in ordinary ways:
+
+- The agent ran the check against an earlier revision, then changed code, and never re-ran.
+- It intended to run the check and narrated as if it had.
+- It misread a noisy command's output.
+
+None of this is deception. But a user who trusts the self-report ships on a false premise. The session transcript already contains the ground truth — every command and its result — so the gap is purely one of reconciliation.
+
+## Pipeline
+
+```
+Stop
+  → Transcript Reader      (final message + commands-with-status)
+  → Claim Extractor        (claude -p, Haiku — language understanding)
+  → Deterministic Verifier (bash/jq — factual lookup)
+  → Events + advisory file
+```
+
+### Transcript reader (`assayer-transcript.sh`)
+
+Two extractions from the JSONL transcript at `transcript_path`:
+
+- `assayer_final_assistant_message` — the text blocks of the last assistant turn that contains any, truncated to `final_message_chars`. This is where claims live.
+- `assayer_collect_commands` — every `Bash` `tool_use` joined to its `tool_result` by `tool_use_id`, yielding `{ command, is_error, excerpt }`. Claude Code does not record a numeric exit code per call; `is_error` is the success/failure signal. See ADR-001.
+
+### Claim extractor (`assayer-extract.sh`)
+
+A single `claude -p` pass reads only the final message and returns a JSON array of claims, each `{ text, type, command_keyword, confidence }`. `type` is one of `tests_pass | build_succeeds | lint_clean | types_check | command_succeeds | generic`. The model identifies claims and what command would settle them; it does not judge whether they are true. `assayer_parse_claims` strips fences, validates the array, coerces unknown types to `generic`, and drops entries without text.
+
+### Deterministic verifier (`assayer-verify.sh`)
+
+`assayer_classify_claim` derives keywords from the claim's `type` (e.g. `tests_pass → ["test"]`) plus the LLM-supplied `command_keyword`, finds the **most recent** command containing any keyword, and classifies on its `is_error`:
+
+- matched + not errored → **corroborated**
+- matched + errored → **contradicted**
+- no match → **unverified** (`no_matching_command`, or `ambiguous` when the claim implies no checkable command)
+
+"Most recent wins" handles the fail-fix-rerun pattern: the last run reflects the final state. The function is pure — no LLM, no filesystem — so it is fully unit-tested.
+
+`assayer_audit_verdict` rolls the per-claim counts into `clean`, `contradictions_found`, or `nothing_to_verify`.
+
+## Events
+
+| Event | Payload highlights |
+|-------|--------------------|
+| `assayer.audit.started` | `audit_id`, `claim_count`, `command_count`, `trigger` |
+| `assayer.claim.contradicted` | `claim`, `claim_type`, `evidence_command`, `result_excerpt`, `confidence` |
+| `assayer.claim.unverified` | `claim`, `claim_type`, `reason` |
+| `assayer.audit.complete` | `corroborated`, `contradicted`, `unverified`, `verdict`, `duration_ms` |
+
+Corroborated claims are counted in the summary, not emitted individually — the happy path stays quiet.
+
+## Non-goals (v0.1)
+
+- **Blocking.** Assayer is advisory; it never blocks `Stop`. An enforce mode is a future opt-in.
+- **Re-running commands.** Assayer reconciles against what already ran; it does not execute anything.
+- **Parsing exit codes from output.** It relies on `is_error`. A command that exits 0 while printing failures reads as success.
+- **Non-Bash evidence.** Only `Bash` results are treated as evidence today.
+
+## Relationship to other plugins
+
+Assayer occupies the verification/execution layer, empty until now. It is complementary to:
+
+- **tribunal** — judges whether the work is *good*; assayer checks whether the *claims about it* are true.
+- **scribe** — writes the narrative of *why*; assayer checks the factual assertions in that narrative's neighbor, the final message.
+- **counsel** — can consume `assayer.*` events to surface recurring honesty gaps over time.

package/plugins/assayer/hooks/hooks.json

@@ -0,0 +1,15 @@
+{
+  "hooks": {
+    "Stop": [
+      {
+        "matcher": "*",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "\"$CLAUDE_PLUGIN_ROOT\"/scripts/hooks/assayer-stop.sh"
+          }
+        ]
+      }
+    ]
+  }
+}

package/plugins/assayer/scripts/hooks/assayer-stop.sh

@@ -0,0 +1,249 @@
+#!/usr/bin/env bash
+# Assayer Stop hook.
+#
+# Triggered by Stop. Off by default — gated on assayer.enabled in config.
+# When enabled, it reads the just-finished session's transcript, extracts the
+# agent's testable success claims from its final message, and cross-checks each
+# against the actual Bash command results in the same transcript. Each claim is
+# classified corroborated / contradicted / unverified and emitted as an event.
+#
+# Hook contract:
+#   - Always exits 0. Advisory only — never blocks Stop.
+#   - Skips silently if disabled, no git context, no transcript, or no claims.
+#   - Recursion guard: exits immediately if ASSAYER_NESTED=1 to prevent a
+#     claude -p subprocess from re-triggering this hook on its own Stop.
+#   - Errors from `claude -p` are swallowed; worst case is no audit written.
+
+set -uo pipefail
+
+# Recursion guard — must be first.
+[[ "${ASSAYER_NESTED:-}" == "1" ]] && exit 0
+export ASSAYER_NESTED=1
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PLUGIN_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+
+# Resolve the ecosystem root (sibling to this plugin's parent).
+_ECOSYSTEM_ROOT="${ONLOOKER_ECOSYSTEM_ROOT:-}"
+if [[ -z "$_ECOSYSTEM_ROOT" ]]; then
+	_candidate="$(cd "${PLUGIN_ROOT}/../.." 2>/dev/null && pwd)"
+	if [[ -f "${_candidate}/scripts/lib/validate-path.sh" ]]; then
+		_ECOSYSTEM_ROOT="$_candidate"
+	fi
+fi
+
+if [[ -n "$_ECOSYSTEM_ROOT" && -f "${_ECOSYSTEM_ROOT}/scripts/lib/validate-path.sh" ]]; then
+	# shellcheck disable=SC1091
+	CLAUDE_PLUGIN_ROOT="$_ECOSYSTEM_ROOT" source "${_ECOSYSTEM_ROOT}/scripts/lib/validate-path.sh"
+	# shellcheck disable=SC1091
+	CLAUDE_PLUGIN_ROOT="$_ECOSYSTEM_ROOT" source "${_ECOSYSTEM_ROOT}/scripts/lib/onlooker-schema.sh"
+fi
+
+# shellcheck source=../lib/assayer-config.sh
+source "${PLUGIN_ROOT}/scripts/lib/assayer-config.sh"
+# shellcheck source=../lib/assayer-project-key.sh
+source "${PLUGIN_ROOT}/scripts/lib/assayer-project-key.sh"
+# shellcheck source=../lib/assayer-ulid.sh
+source "${PLUGIN_ROOT}/scripts/lib/assayer-ulid.sh"
+# shellcheck source=../lib/assayer-transcript.sh
+source "${PLUGIN_ROOT}/scripts/lib/assayer-transcript.sh"
+# shellcheck source=../lib/assayer-extract.sh
+source "${PLUGIN_ROOT}/scripts/lib/assayer-extract.sh"
+# shellcheck source=../lib/assayer-verify.sh
+source "${PLUGIN_ROOT}/scripts/lib/assayer-verify.sh"
+# shellcheck source=../lib/assayer-events.sh
+CLAUDE_PLUGIN_ROOT="$PLUGIN_ROOT" source "${PLUGIN_ROOT}/scripts/lib/assayer-events.sh"
+
+INPUT=$(cat)
+CWD=$(printf '%s' "$INPUT" | jq -r '.cwd // ""' 2>/dev/null) || CWD=""
+SESSION_ID=$(printf '%s' "$INPUT" | jq -r '.session_id // ""' 2>/dev/null) || SESSION_ID=""
+TRANSCRIPT_PATH=$(printf '%s' "$INPUT" | jq -r '.transcript_path // ""' 2>/dev/null) || TRANSCRIPT_PATH=""
+[[ -z "$TRANSCRIPT_PATH" ]] && TRANSCRIPT_PATH="${CLAUDE_TRANSCRIPT_PATH:-}"
+
+export _HOOK_SESSION_ID="${SESSION_ID:-unknown}"
+
+_done() { exit 0; }
+
+# ---------------------------------------------------------------------------
+# Config + prerequisites
+# ---------------------------------------------------------------------------
+
+REPO_ROOT=$(assayer_project_repo_root "$CWD")
+[[ -z "$REPO_ROOT" ]] && _done
+
+CLAUDE_PLUGIN_ROOT="$PLUGIN_ROOT" assayer_config_load "$REPO_ROOT"
+assayer_config_enabled || _done
+
+PROJECT_KEY=$(assayer_project_key "$CWD")
+[[ -z "$PROJECT_KEY" ]] && _done
+
+command -v claude >/dev/null 2>&1 || _done
+command -v jq >/dev/null 2>&1 || _done
+
+[[ -f "$TRANSCRIPT_PATH" ]] || _done
+
+# ---------------------------------------------------------------------------
+# Read transcript: final message + command evidence
+# ---------------------------------------------------------------------------
+
+FINAL_MESSAGE_CHARS=$(CLAUDE_PLUGIN_ROOT="$PLUGIN_ROOT" assayer_config_final_message_chars)
+FINAL_MESSAGE=$(assayer_final_assistant_message "$TRANSCRIPT_PATH" "$FINAL_MESSAGE_CHARS")
+[[ -z "$FINAL_MESSAGE" ]] && _done
+
+COMMANDS=$(assayer_collect_commands "$TRANSCRIPT_PATH")
+COMMAND_COUNT=$(printf '%s' "$COMMANDS" | jq 'length' 2>/dev/null) || COMMAND_COUNT=0
+
+# ---------------------------------------------------------------------------
+# Extract claims via claude -p
+# ---------------------------------------------------------------------------
+
+MAX_CLAIMS=$(CLAUDE_PLUGIN_ROOT="$PLUGIN_ROOT" assayer_config_max_claims)
+MIN_CONFIDENCE=$(CLAUDE_PLUGIN_ROOT="$PLUGIN_ROOT" assayer_config_min_confidence)
+EVAL_MODEL=$(CLAUDE_PLUGIN_ROOT="$PLUGIN_ROOT" assayer_config_model)
+TIMEOUT_SECS=$(CLAUDE_PLUGIN_ROOT="$PLUGIN_ROOT" assayer_config_timeout)
+
+PROMPT_FILE=$(mktemp -t assayer-prompt.XXXXXX 2>/dev/null) || PROMPT_FILE="/tmp/assayer-prompt.$$"
+trap 'rm -f "$PROMPT_FILE"' EXIT
+assayer_build_extraction_prompt "$FINAL_MESSAGE" "$MAX_CLAIMS" >"$PROMPT_FILE"
+
+CLAUDE_ARGS=(-p --max-turns 1)
+[[ -n "$EVAL_MODEL" ]] && CLAUDE_ARGS+=(--model "$EVAL_MODEL")
+
+RESPONSE=""
+if command -v timeout >/dev/null 2>&1; then
+	RESPONSE=$(timeout "$TIMEOUT_SECS" claude "${CLAUDE_ARGS[@]}" <"$PROMPT_FILE" 2>/dev/null) || RESPONSE=""
+elif command -v gtimeout >/dev/null 2>&1; then
+	RESPONSE=$(gtimeout "$TIMEOUT_SECS" claude "${CLAUDE_ARGS[@]}" <"$PROMPT_FILE" 2>/dev/null) || RESPONSE=""
+else
+	RESPONSE=$(claude "${CLAUDE_ARGS[@]}" <"$PROMPT_FILE" 2>/dev/null) || RESPONSE=""
+fi
+[[ -z "$RESPONSE" ]] && _done
+
+CLAIMS=$(assayer_parse_claims "$RESPONSE")
+CLAIM_COUNT=$(printf '%s' "$CLAIMS" | jq 'length' 2>/dev/null) || CLAIM_COUNT=0
+
+# ---------------------------------------------------------------------------
+# Audit
+# ---------------------------------------------------------------------------
+
+AUDIT_ID=$(assayer_ulid)
+AUDIT_START=$(python3 -c 'import time; print(int(time.time()*1000))' 2>/dev/null || echo 0)
+
+started_payload=$(jq -n \
+	--arg audit_id "$AUDIT_ID" \
+	--argjson claim_count "$CLAIM_COUNT" \
+	--arg trigger "stop" \
+	--argjson command_count "${COMMAND_COUNT:-0}" \
+	'{audit_id: $audit_id, claim_count: $claim_count, trigger: $trigger, command_count: $command_count}')
+assayer_emit_event "assayer.audit.started" "$started_payload" || true
+
+ONLOOKER_BASE="${ONLOOKER_DIR:-$HOME/.onlooker}"
+ASSAYER_DIR="${ONLOOKER_BASE}/assayer/${PROJECT_KEY}"
+mkdir -p "$ASSAYER_DIR" 2>/dev/null || true
+
+count_corroborated=0
+count_contradicted=0
+count_unverified=0
+checked_claims="[]"
+
+while IFS= read -r claim; do
+	[[ -z "$claim" ]] && continue
+
+	# Confidence floor — skip low-confidence extractions. Compare with awk via
+	# -v bindings (not string-interpolated into code), so an LLM- or
+	# config-supplied value is treated as a number and a non-numeric value
+	# degrades to 0 instead of executing as code.
+	conf=$(printf '%s' "$claim" | jq -r '.confidence // 0.6' 2>/dev/null) || conf="0.6"
+	if awk -v a="$conf" -v b="$MIN_CONFIDENCE" 'BEGIN { exit !(a >= b) }' 2>/dev/null; then
+		keep=1
+	else
+		keep=0
+	fi
+	[[ "$keep" != "1" ]] && continue
+
+	claim_text=$(printf '%s' "$claim" | jq -r '.text // ""' 2>/dev/null) || claim_text=""
+	claim_type=$(printf '%s' "$claim" | jq -r '.type // "generic"' 2>/dev/null) || claim_type="generic"
+	[[ -z "$claim_text" ]] && continue
+
+	verdict_obj=$(assayer_classify_claim "$claim" "$COMMANDS")
+	verdict=$(printf '%s' "$verdict_obj" | jq -r '.verdict // "unverified"' 2>/dev/null) || verdict="unverified"
+
+	case "$verdict" in
+	contradicted)
+		count_contradicted=$((count_contradicted + 1))
+		evidence_command=$(printf '%s' "$verdict_obj" | jq -r '.evidence_command // ""' 2>/dev/null) || evidence_command=""
+		excerpt=$(printf '%s' "$verdict_obj" | jq -r '.excerpt // ""' 2>/dev/null) || excerpt=""
+		contradicted_payload=$(jq -n \
+			--arg audit_id "$AUDIT_ID" \
+			--arg claim "$claim_text" \
+			--arg claim_type "$claim_type" \
+			--arg evidence_command "$evidence_command" \
+			--arg result_excerpt "$excerpt" \
+			--argjson confidence "$conf" \
+			'{audit_id: $audit_id, claim: $claim, claim_type: $claim_type,
+			  evidence_command: $evidence_command, result_excerpt: $result_excerpt,
+			  confidence: $confidence}')
+		assayer_emit_event "assayer.claim.contradicted" "$contradicted_payload" || true
+		;;
+	corroborated)
+		count_corroborated=$((count_corroborated + 1))
+		;;
+	*)
+		count_unverified=$((count_unverified + 1))
+		reason=$(printf '%s' "$verdict_obj" | jq -r '.reason // "no_evidence"' 2>/dev/null) || reason="no_evidence"
+		unverified_payload=$(jq -n \
+			--arg audit_id "$AUDIT_ID" \
+			--arg claim "$claim_text" \
+			--arg claim_type "$claim_type" \
+			--arg reason "$reason" \
+			'{audit_id: $audit_id, claim: $claim, claim_type: $claim_type, reason: $reason}')
+		assayer_emit_event "assayer.claim.unverified" "$unverified_payload" || true
+		;;
+	esac
+
+	checked_claims=$(printf '%s' "$checked_claims" | jq -c \
+		--arg text "$claim_text" \
+		--arg verdict "$verdict" \
+		'. + [{text: $text, verdict: $verdict}]' 2>/dev/null) || true
+done < <(printf '%s' "$CLAIMS" | jq -c '.[]' 2>/dev/null)
+
+# ---------------------------------------------------------------------------
+# Audit summary
+# ---------------------------------------------------------------------------
+
+AUDIT_END=$(python3 -c 'import time; print(int(time.time()*1000))' 2>/dev/null || echo 0)
+DURATION_MS=$((AUDIT_END - AUDIT_START))
+[[ "$DURATION_MS" -lt 0 ]] && DURATION_MS=0
+
+VERDICT=$(assayer_audit_verdict "$count_contradicted" "$count_corroborated" "$count_unverified")
+
+complete_payload=$(jq -n \
+	--arg audit_id "$AUDIT_ID" \
+	--argjson claim_count "$CLAIM_COUNT" \
+	--argjson corroborated "$count_corroborated" \
+	--argjson contradicted "$count_contradicted" \
+	--argjson unverified "$count_unverified" \
+	--arg verdict "$VERDICT" \
+	--argjson duration_ms "$DURATION_MS" \
+	'{audit_id: $audit_id, claim_count: $claim_count,
+	  corroborated: $corroborated, contradicted: $contradicted,
+	  unverified: $unverified, verdict: $verdict, duration_ms: $duration_ms}')
+assayer_emit_event "assayer.audit.complete" "$complete_payload" || true
+
+# Advisory file for review in the next session.
+SAFE_SESSION_ID=$(printf '%s' "${SESSION_ID:-unknown}" | tr -c 'a-zA-Z0-9-' '_')
+jq -n \
+	--arg audit_id "$AUDIT_ID" \
+	--arg session_id "${SESSION_ID:-unknown}" \
+	--argjson claim_count "$CLAIM_COUNT" \
+	--argjson corroborated "$count_corroborated" \
+	--argjson contradicted "$count_contradicted" \
+	--argjson unverified "$count_unverified" \
+	--arg verdict "$VERDICT" \
+	--argjson claims "$checked_claims" \
+	'{audit_id: $audit_id, session_id: $session_id, claim_count: $claim_count,
+	  corroborated: $corroborated, contradicted: $contradicted,
+	  unverified: $unverified, verdict: $verdict, claims: $claims}' \
+	>"${ASSAYER_DIR}/audit-${SAFE_SESSION_ID}.json" 2>/dev/null || true
+
+_done