@orchestrator-claude/cli 3.12.0 → 3.12.2

package/dist/index.d.ts

@@ -12,5 +12,5 @@
 /**
  * CLI version
  */
-export declare const CLI_VERSION = "3.12.0";
+export declare const CLI_VERSION = "3.12.2";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.js

@@ -24,7 +24,7 @@ import { OutputFormatter } from './formatters/OutputFormatter.js';
 /**
  * CLI version
  */
-export const CLI_VERSION = '3.12.0';
+export const CLI_VERSION = '3.12.2';
 /**
  * Main CLI function
  */

package/dist/templates/base/claude/hooks/post-phase-checkpoint.sh

@@ -1,322 +1,203 @@
 #!/bin/bash
-# Post-Phase Checkpoint Hook
-# Automatically creates git checkpoints when workflow phases complete
+# Post-Phase Checkpoint Hook (RFC-012 compatible)
+# Registers a checkpoint in PostgreSQL via the Orchestrator REST API.
+# Replaces the deprecated orchestrator-index.json approach (TD-105 F-04).
 #
 # Triggered by: PostToolUse on Task tool (after agent completes)
-# Behavior: Detects phase transitions and creates git commits
+# Behavior: Infers the just-completed phase from the active workflow state
+#           and registers a checkpoint via the REST API.
 #
-# Requirements:
-#   - jq (for JSON parsing)
-#   - git (for checkpoint commits)
+# Required env vars:
+#   ORCHESTRATOR_API_URL        - Base URL (e.g. http://localhost:3000)
+#   ORCHESTRATOR_PROJECT_TOKEN  - Bearer token for API authentication
 #
-# Debug mode: ORCH_CHECKPOINT_DEBUG=1 to enable verbose logging
+# Optional env vars:
+#   ORCHESTRATOR_PROJECT_ID     - Project ID for project-scoped workflow query
+#   ORCH_CHECKPOINT_DEBUG=1     - Enable verbose logging
+#
+# Always exits 0 (non-blocking).
 
-set -e
+set -euo pipefail
 
-# Configuration
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
-INDEX_FILE="$PROJECT_ROOT/.orchestrator/orchestrator-index.json"
-STATE_DIR="$PROJECT_ROOT/.orchestrator/.state"
-LOG_FILE="$STATE_DIR/checkpoint-hook.log"
-LAST_PHASE_FILE="$STATE_DIR/last-checkpointed-phase"
-
-# Ensure state directory exists
-mkdir -p "$STATE_DIR"
-
-# Debug mode
+STATE_DIR="$SCRIPT_DIR/../../.orchestrator/.state"
+LOG_FILE="${STATE_DIR}/checkpoint-hook.log"
+LAST_PHASE_FILE="${STATE_DIR}/last-checkpointed-phase"
 DEBUG="${ORCH_CHECKPOINT_DEBUG:-0}"
 
-# Logging functions
-log_debug() {
-  if [ "$DEBUG" = "1" ]; then
-    echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [DEBUG] $1" >> "$LOG_FILE"
-    echo "[DEBUG] $1" >&2
-  fi
-}
-
-log_info() {
-  echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [INFO] $1" >> "$LOG_FILE"
-  if [ "$DEBUG" = "1" ]; then
-    echo "[INFO] $1" >&2
-  fi
-}
+mkdir -p "$STATE_DIR"
 
-log_warn() {
-  echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [WARN] $1" >> "$LOG_FILE"
-  echo "[WARN] $1" >&2
-}
+log_info()  { echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [INFO]  $1" >> "$LOG_FILE"; }
+log_warn()  { echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [WARN]  $1" >> "$LOG_FILE"; echo "[WARN]  $1" >&2; }
+log_debug() { [ "$DEBUG" = "1" ] && echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [DEBUG] $1" >> "$LOG_FILE" || true; }
 
-log_error() {
-  echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [ERROR] $1" >> "$LOG_FILE"
-  echo "[ERROR] $1" >&2
-}
+# ── prerequisites ─────────────────────────────────────────────────────────────
 
-# Check prerequisites
 check_prerequisites() {
-  # Check jq
-  if ! command -v jq &> /dev/null; then
-    log_error "jq is not installed. Checkpoints disabled."
+  if ! command -v curl &>/dev/null; then
+    log_warn "curl not found. Checkpoints disabled."
     return 1
   fi
-
-  # Check git
-  if ! command -v git &> /dev/null; then
-    log_error "git is not installed. Checkpoints disabled."
+  if ! command -v jq &>/dev/null; then
+    log_warn "jq not found. Checkpoints disabled."
     return 1
   fi
-
-  # Check if we're in a git repo
-  if ! git -C "$PROJECT_ROOT" rev-parse --is-inside-work-tree &> /dev/null; then
-    log_warn "Not a git repository. Checkpoints disabled."
+  if [ -z "${ORCHESTRATOR_API_URL:-}" ]; then
+    log_debug "ORCHESTRATOR_API_URL not set. Checkpoints disabled."
     return 1
   fi
-
-  # Check index file
-  if [ ! -f "$INDEX_FILE" ]; then
-    log_debug "No orchestrator-index.json found. Skipping."
+  if [ -z "${ORCHESTRATOR_PROJECT_TOKEN:-}" ]; then
+    log_debug "ORCHESTRATOR_PROJECT_TOKEN not set. Checkpoints disabled."
     return 1
   fi
-
   return 0
 }
 
-# Get current phase from orchestrator-index.json
-get_current_phase() {
-  local phase
-  phase=$(jq -r '.activeWorkflow.currentPhase // empty' "$INDEX_FILE" 2>/dev/null)
-  echo "$phase"
+# ── API helpers ────────────────────────────────────────────────────────────────
+
+get_active_workflow() {
+  local project_id="${ORCHESTRATOR_PROJECT_ID:-}"
+  local url="${ORCHESTRATOR_API_URL}/api/v1/workflows?status=in_progress&limit=1"
+  [ -n "$project_id" ] && url="${url}&projectId=${project_id}"
+
+  local tmpfile
+  tmpfile=$(mktemp 2>/dev/null) || return 1
+
+  curl -sf \
+    -H "Authorization: Bearer ${ORCHESTRATOR_PROJECT_TOKEN}" \
+    -H "Content-Type: application/json" \
+    "${url}" \
+    -o "$tmpfile" 2>/dev/null || { rm -f "$tmpfile"; return 1; }
+
+  local result
+  result=$(node -e "
+    const fs=require('fs');
+    try {
+      const d=fs.readFileSync('${tmpfile}','utf8');
+      const j=JSON.parse(d);
+      const wf=Array.isArray(j)?j[0]:j;
+      if(wf&&wf.id){ process.stdout.write(JSON.stringify(wf)); process.exit(0); }
+      process.exit(1);
+    } catch { process.exit(1); }" 2>/dev/null)
+  local rc=$?
+  rm -f "$tmpfile"
+  [ $rc -eq 0 ] && echo "$result" || return 1
 }
 
-# Get workflow ID
-get_workflow_id() {
-  local wf_id
-  wf_id=$(jq -r '.activeWorkflow.id // empty' "$INDEX_FILE" 2>/dev/null)
-  echo "$wf_id"
+create_checkpoint() {
+  local workflow_id="$1"
+  local phase="$2"
+  local description="$3"
+
+  local body
+  body=$(jq -n \
+    --arg phase "$phase" \
+    --arg desc "$description" \
+    '{ phase: $phase, description: $desc }')
+
+  local http_code
+  http_code=$(curl -sf -o /dev/null -w "%{http_code}" \
+    -X POST \
+    -H "Authorization: Bearer ${ORCHESTRATOR_PROJECT_TOKEN}" \
+    -H "Content-Type: application/json" \
+    -d "$body" \
+    "${ORCHESTRATOR_API_URL}/api/v1/workflows/${workflow_id}/checkpoints" 2>/dev/null) || echo ""
+
+  echo "$http_code"
 }
 
-# Get workflow status
-get_workflow_status() {
-  local status
-  status=$(jq -r '.activeWorkflow.status // empty' "$INDEX_FILE" 2>/dev/null)
-  echo "$status"
+# ── dedup guard ────────────────────────────────────────────────────────────────
+
+get_saved_last_phase() {
+  [ -f "$LAST_PHASE_FILE" ] && cat "$LAST_PHASE_FILE" || echo ""
 }
 
-# Get last checkpointed phase from checkpoints array (one with commitHash)
-get_last_checkpointed_phase() {
-  local phase
-  # Find the most recent checkpoint that has a commitHash (indicating it was git-committed)
-  phase=$(jq -r '
-    [.checkpoints[] | select(.commitHash != null and .commitHash != "")]
-    | sort_by(.createdAt)
-    | last
-    | .phase // empty
-  ' "$INDEX_FILE" 2>/dev/null)
-  echo "$phase"
+save_last_phase() {
+  echo "$1" > "$LAST_PHASE_FILE"
 }
 
-# Determine completed phase based on current phase
-# When we see currentPhase = PLAN, it means SPECIFY just completed
-get_completed_phase() {
-  local current_phase="$1"
-  local workflow_status="$2"
+# ── phase inference ────────────────────────────────────────────────────────────
 
-  case "$workflow_status" in
-    "completed")
-      echo "IMPLEMENT"
-      return
-      ;;
+# When workflow is at PLAN, it means SPECIFY just completed, etc.
+get_completed_phase() {
+  local current="$1"
+  local status="$2"
+  case "$status" in
+    "completed") echo "implement"; return ;;
   esac
-
-  case "$current_phase" in
-    "PLAN")
-      echo "SPECIFY"
-      ;;
-    "TASKS")
-      echo "PLAN"
-      ;;
-    "IMPLEMENT")
-      echo "TASKS"
-      ;;
-    *)
-      echo ""
-      ;;
+  case "${current,,}" in
+    "plan")      echo "specify" ;;
+    "tasks")     echo "plan"    ;;
+    "implement") echo "tasks"   ;;
+    *)           echo ""        ;;
   esac
 }
 
-# Create git checkpoint
-create_git_checkpoint() {
-  local phase="$1"
-  local commit_hash=""
-
-  log_info "Creating git checkpoint for phase: $phase"
-
-  # Stage all changes
-  git -C "$PROJECT_ROOT" add -A 2>/dev/null || {
-    log_warn "Failed to stage changes"
-    return 1
-  }
-
-  # Check if there are staged changes
-  if git -C "$PROJECT_ROOT" diff --cached --quiet 2>/dev/null; then
-    log_info "No changes to commit for phase: $phase"
-    echo ""
-    return 0
-  fi
-
-  # Create commit with standard message
-  local commit_msg="[orchestrator] ${phase}: Auto-checkpoint after ${phase} phase"
-
-  if git -C "$PROJECT_ROOT" commit -m "$commit_msg" --no-verify 2>/dev/null; then
-    commit_hash=$(git -C "$PROJECT_ROOT" rev-parse HEAD 2>/dev/null)
-    log_info "Checkpoint commit created: $commit_hash"
-    echo "$commit_hash"
-  else
-    log_warn "Failed to create commit"
-    echo ""
-    return 1
-  fi
-}
-
-# Update orchestrator-index.json with checkpoint
-update_orchestrator_index() {
-  local workflow_id="$1"
-  local phase="$2"
-  local commit_hash="$3"
-  local created_at
-
-  created_at=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-  local checkpoint_id="cp_${workflow_id}_$(date +%s)"
-  local description="Auto-checkpoint after ${phase} phase"
-
-  log_debug "Updating index with checkpoint: $checkpoint_id"
-
-  # Create temp file for atomic update
-  local temp_file="${INDEX_FILE}.tmp.$$"
-
-  # Use jq to add checkpoint and update statistics
-  if jq --arg id "$checkpoint_id" \
-       --arg wfId "$workflow_id" \
-       --arg phase "$phase" \
-       --arg hash "$commit_hash" \
-       --arg date "$created_at" \
-       --arg desc "$description" '
-    # Add checkpoint to array
-    .checkpoints += [{
-      id: $id,
-      workflowId: $wfId,
-      phase: $phase,
-      commitHash: $hash,
-      createdAt: $date,
-      description: $desc
-    }] |
-    # Update statistics
-    .statistics.totalCheckpoints = (.checkpoints | length) |
-    .statistics.lastActivity = $date
-  ' "$INDEX_FILE" > "$temp_file" 2>/dev/null; then
-
-    # Validate JSON
-    if jq empty "$temp_file" 2>/dev/null; then
-      mv "$temp_file" "$INDEX_FILE"
-      log_info "Index updated with checkpoint: $checkpoint_id"
-      return 0
-    else
-      log_error "Generated invalid JSON"
-      rm -f "$temp_file"
-      return 1
-    fi
-  else
-    log_error "Failed to update index with jq"
-    rm -f "$temp_file"
-    return 1
-  fi
-}
-
-# Save last checkpointed phase
-save_last_phase() {
-  local phase="$1"
-  echo "$phase" > "$LAST_PHASE_FILE"
-}
-
-# Get saved last phase (from state file, not index)
-get_saved_last_phase() {
-  if [ -f "$LAST_PHASE_FILE" ]; then
-    cat "$LAST_PHASE_FILE"
-  else
-    echo ""
-  fi
-}
+# ── main ───────────────────────────────────────────────────────────────────────
 
-# Main execution
 main() {
   log_debug "Hook triggered"
 
-  # Check prerequisites
   if ! check_prerequisites; then
-    log_debug "Prerequisites not met, exiting"
-    exit 0  # Don't fail the hook
+    exit 0
   fi
 
-  # Get current state
-  local current_phase
-  current_phase=$(get_current_phase)
+  local workflow_json
+  workflow_json=$(get_active_workflow 2>/dev/null) || workflow_json=""
 
-  if [ -z "$current_phase" ]; then
-    log_debug "No active workflow phase found"
+  if [ -z "$workflow_json" ]; then
+    log_debug "No active workflow found via API."
     exit 0
   fi
 
-  local workflow_id
-  workflow_id=$(get_workflow_id)
+  local workflow_id current_phase workflow_status
+  workflow_id=$(echo "$workflow_json"     | jq -r '.id // empty'           2>/dev/null || echo "")
+  current_phase=$(echo "$workflow_json"  | jq -r '.currentPhase // empty'  2>/dev/null || echo "")
+  workflow_status=$(echo "$workflow_json" | jq -r '.status // empty'        2>/dev/null || echo "")
 
-  local workflow_status
-  workflow_status=$(get_workflow_status)
-
-  log_debug "Current phase: $current_phase, Status: $workflow_status, Workflow: $workflow_id"
+  if [ -z "$workflow_id" ] || [ -z "$current_phase" ]; then
+    log_debug "Could not parse workflow ID or phase."
+    exit 0
+  fi
 
-  # Determine which phase just completed
   local completed_phase
   completed_phase=$(get_completed_phase "$current_phase" "$workflow_status")
 
   if [ -z "$completed_phase" ]; then
-    log_debug "No completed phase detected from current phase: $current_phase"
+    log_debug "No completed phase inferred from current_phase=${current_phase}."
     exit 0
   fi
 
-  # Check if we already checkpointed this phase
-  local last_checkpointed
-  last_checkpointed=$(get_last_checkpointed_phase)
-
-  local saved_last_phase
-  saved_last_phase=$(get_saved_last_phase)
-
-  log_debug "Completed phase: $completed_phase, Last checkpointed: $last_checkpointed, Saved: $saved_last_phase"
-
-  # Skip if already checkpointed
-  if [ "$completed_phase" = "$last_checkpointed" ] || [ "$completed_phase" = "$saved_last_phase" ]; then
-    log_debug "Phase $completed_phase already checkpointed, skipping"
+  # Dedup guard — skip if we already checkpointed this phase
+  local saved_last
+  saved_last=$(get_saved_last_phase)
+  if [ "$completed_phase" = "$saved_last" ]; then
+    log_debug "Phase ${completed_phase} already checkpointed. Skipping."
     exit 0
   fi
 
-  # Create checkpoint
-  local commit_hash
-  commit_hash=$(create_git_checkpoint "$completed_phase")
+  local description="Auto-checkpoint after ${completed_phase} phase"
+  local http_code
+  http_code=$(create_checkpoint "$workflow_id" "$completed_phase" "$description")
 
-  # Update index (even if no commit, to track the checkpoint)
-  if [ -n "$commit_hash" ]; then
-    if update_orchestrator_index "$workflow_id" "$completed_phase" "$commit_hash"; then
+  case "$http_code" in
+    201|200)
       save_last_phase "$completed_phase"
-      log_info "Checkpoint complete for phase: $completed_phase (commit: $commit_hash)"
-    else
-      log_error "Failed to update index for phase: $completed_phase"
-    fi
-  else
-    log_info "No changes to checkpoint for phase: $completed_phase"
-    save_last_phase "$completed_phase"
-  fi
+      log_info "Checkpoint registered: workflow=${workflow_id}, phase=${completed_phase}"
+      ;;
+    409)
+      save_last_phase "$completed_phase"
+      log_info "Checkpoint already exists (409): phase=${completed_phase}"
+      ;;
+    "")
+      log_warn "API unreachable. Checkpoint skipped for phase=${completed_phase}."
+      ;;
+    *)
+      log_warn "Unexpected HTTP ${http_code} creating checkpoint for phase=${completed_phase}."
+      ;;
+  esac
 
   exit 0
 }
 
-# Run main function
 main "$@"

package/dist/templates/base/claude/hooks/workflow-guard.sh

@@ -20,6 +20,13 @@ FILE_PATH=$(orch_json_field "$STDIN_DATA" "tool_input.file_path")
 
 orch_log "workflow-guard: file_path=$FILE_PATH"
 
+# Explicit bypass via env var (for direct implementation without dogfooding)
+if [ "${SKIP_WORKFLOW_GUARD:-}" = "true" ]; then
+  orch_log "workflow-guard: ALLOW (SKIP_WORKFLOW_GUARD=true)"
+  echo '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","additionalContext":"Workflow guard bypassed via SKIP_WORKFLOW_GUARD=true."}}'
+  exit 0
+fi
+
 # Only guard src/ and tests/ paths (production code)
 case "$FILE_PATH" in
   */src/*|*/tests/*)
@@ -42,8 +49,27 @@ esac
 WORKFLOW_ID=$(orch_get_active_workflow 2>/dev/null) || WORKFLOW_ID=""
 
 if [ -n "$WORKFLOW_ID" ]; then
-  orch_log "workflow-guard: ALLOW (active workflow: $WORKFLOW_ID)"
-  echo "{\"hookSpecificOutput\":{\"hookEventName\":\"PreToolUse\",\"permissionDecision\":\"allow\",\"additionalContext\":\"Active workflow: ${WORKFLOW_ID}. Write allowed.\"}}"
+  # Check if running inside a sub-agent (agent_id present) or main agent (absent)
+  AGENT_ID=$(orch_json_field "$STDIN_DATA" "agent_id")
+
+  if [ -n "$AGENT_ID" ]; then
+    # Sub-agent writing — ALLOW
+    AGENT_TYPE=$(orch_json_field "$STDIN_DATA" "agent_type")
+    orch_log "workflow-guard: ALLOW (sub-agent: ${AGENT_TYPE:-unknown}, workflow: $WORKFLOW_ID)"
+    echo "{\"hookSpecificOutput\":{\"hookEventName\":\"PreToolUse\",\"permissionDecision\":\"allow\",\"additionalContext\":\"Active workflow: ${WORKFLOW_ID}. Sub-agent ${AGENT_TYPE:-unknown} write allowed.\"}}"
+    exit 0
+  fi
+
+  # Main agent writing directly — check if SKIP_SUBAGENT_GUARD allows it
+  if [ "${SKIP_SUBAGENT_GUARD:-}" = "true" ]; then
+    orch_log "workflow-guard: ALLOW (SKIP_SUBAGENT_GUARD=true, workflow: $WORKFLOW_ID)"
+    echo "{\"hookSpecificOutput\":{\"hookEventName\":\"PreToolUse\",\"permissionDecision\":\"allow\",\"additionalContext\":\"Active workflow: ${WORKFLOW_ID}. Direct write allowed via SKIP_SUBAGENT_GUARD.\"}}"
+    exit 0
+  fi
+
+  # Main agent writing directly — DENY, must use sub-agent
+  orch_log "workflow-guard: DENY (main agent direct write, no sub-agent invocation)"
+  echo "{\"hookSpecificOutput\":{\"hookEventName\":\"PreToolUse\",\"permissionDecision\":\"deny\",\"permissionDecisionReason\":\"Workflow Guard: Direct code writes are blocked. You must invoke a sub-agent (e.g. implementer) to write code. The sub-agent will have write access.\",\"additionalContext\":\"Use the Agent tool to spawn an implementer sub-agent for code changes. The workflow-guard allows writes only from sub-agents (identified by agent_id in hook input).\"}}"
   exit 0
 fi
 

package/dist/templates/base/claude/settings.json

@@ -64,17 +64,6 @@
       }
     ],
     "PreToolUse": [
-      {
-        "matcher": "Task",
-        "hooks": [
-          {
-            "type": "command",
-            "command": ".claude/hooks/track-agent-invocation.sh start",
-            "timeout": 5000,
-            "on_failure": "ignore"
-          }
-        ]
-      },
       {
         "matcher": "mcp__orchestrator-tools__advancePhase",
         "hooks": [
@@ -98,9 +87,22 @@
         ]
       }
     ],
-    "PostToolUse": [
+    "SubagentStart": [
+      {
+        "matcher": "implementer|specifier|planner|task-generator|reviewer|researcher|orchestrator",
+        "hooks": [
+          {
+            "type": "command",
+            "command": ".claude/hooks/track-agent-invocation.sh start",
+            "timeout": 5000,
+            "on_failure": "ignore"
+          }
+        ]
+      }
+    ],
+    "SubagentStop": [
       {
-        "matcher": "Task",
+        "matcher": "implementer|specifier|planner|task-generator|reviewer|researcher|orchestrator",
         "hooks": [
           {
             "type": "command",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@orchestrator-claude/cli",
-  "version": "3.12.0",
+  "version": "3.12.2",
   "description": "Orchestrator CLI - Project scaffolding, migration and management",
   "type": "module",
   "main": "dist/index.js",

package/templates/base/claude/hooks/post-phase-checkpoint.sh

@@ -1,322 +1,203 @@
 #!/bin/bash
-# Post-Phase Checkpoint Hook
-# Automatically creates git checkpoints when workflow phases complete
+# Post-Phase Checkpoint Hook (RFC-012 compatible)
+# Registers a checkpoint in PostgreSQL via the Orchestrator REST API.
+# Replaces the deprecated orchestrator-index.json approach (TD-105 F-04).
 #
 # Triggered by: PostToolUse on Task tool (after agent completes)
-# Behavior: Detects phase transitions and creates git commits
+# Behavior: Infers the just-completed phase from the active workflow state
+#           and registers a checkpoint via the REST API.
 #
-# Requirements:
-#   - jq (for JSON parsing)
-#   - git (for checkpoint commits)
+# Required env vars:
+#   ORCHESTRATOR_API_URL        - Base URL (e.g. http://localhost:3000)
+#   ORCHESTRATOR_PROJECT_TOKEN  - Bearer token for API authentication
 #
-# Debug mode: ORCH_CHECKPOINT_DEBUG=1 to enable verbose logging
+# Optional env vars:
+#   ORCHESTRATOR_PROJECT_ID     - Project ID for project-scoped workflow query
+#   ORCH_CHECKPOINT_DEBUG=1     - Enable verbose logging
+#
+# Always exits 0 (non-blocking).
 
-set -e
+set -euo pipefail
 
-# Configuration
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
-INDEX_FILE="$PROJECT_ROOT/.orchestrator/orchestrator-index.json"
-STATE_DIR="$PROJECT_ROOT/.orchestrator/.state"
-LOG_FILE="$STATE_DIR/checkpoint-hook.log"
-LAST_PHASE_FILE="$STATE_DIR/last-checkpointed-phase"
-
-# Ensure state directory exists
-mkdir -p "$STATE_DIR"
-
-# Debug mode
+STATE_DIR="$SCRIPT_DIR/../../.orchestrator/.state"
+LOG_FILE="${STATE_DIR}/checkpoint-hook.log"
+LAST_PHASE_FILE="${STATE_DIR}/last-checkpointed-phase"
 DEBUG="${ORCH_CHECKPOINT_DEBUG:-0}"
 
-# Logging functions
-log_debug() {
-  if [ "$DEBUG" = "1" ]; then
-    echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [DEBUG] $1" >> "$LOG_FILE"
-    echo "[DEBUG] $1" >&2
-  fi
-}
-
-log_info() {
-  echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [INFO] $1" >> "$LOG_FILE"
-  if [ "$DEBUG" = "1" ]; then
-    echo "[INFO] $1" >&2
-  fi
-}
+mkdir -p "$STATE_DIR"
 
-log_warn() {
-  echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [WARN] $1" >> "$LOG_FILE"
-  echo "[WARN] $1" >&2
-}
+log_info()  { echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [INFO]  $1" >> "$LOG_FILE"; }
+log_warn()  { echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [WARN]  $1" >> "$LOG_FILE"; echo "[WARN]  $1" >&2; }
+log_debug() { [ "$DEBUG" = "1" ] && echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [DEBUG] $1" >> "$LOG_FILE" || true; }
 
-log_error() {
-  echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [ERROR] $1" >> "$LOG_FILE"
-  echo "[ERROR] $1" >&2
-}
+# ── prerequisites ─────────────────────────────────────────────────────────────
 
-# Check prerequisites
 check_prerequisites() {
-  # Check jq
-  if ! command -v jq &> /dev/null; then
-    log_error "jq is not installed. Checkpoints disabled."
+  if ! command -v curl &>/dev/null; then
+    log_warn "curl not found. Checkpoints disabled."
     return 1
   fi
-
-  # Check git
-  if ! command -v git &> /dev/null; then
-    log_error "git is not installed. Checkpoints disabled."
+  if ! command -v jq &>/dev/null; then
+    log_warn "jq not found. Checkpoints disabled."
     return 1
   fi
-
-  # Check if we're in a git repo
-  if ! git -C "$PROJECT_ROOT" rev-parse --is-inside-work-tree &> /dev/null; then
-    log_warn "Not a git repository. Checkpoints disabled."
+  if [ -z "${ORCHESTRATOR_API_URL:-}" ]; then
+    log_debug "ORCHESTRATOR_API_URL not set. Checkpoints disabled."
     return 1
   fi
-
-  # Check index file
-  if [ ! -f "$INDEX_FILE" ]; then
-    log_debug "No orchestrator-index.json found. Skipping."
+  if [ -z "${ORCHESTRATOR_PROJECT_TOKEN:-}" ]; then
+    log_debug "ORCHESTRATOR_PROJECT_TOKEN not set. Checkpoints disabled."
     return 1
   fi
-
   return 0
 }
 
-# Get current phase from orchestrator-index.json
-get_current_phase() {
-  local phase
-  phase=$(jq -r '.activeWorkflow.currentPhase // empty' "$INDEX_FILE" 2>/dev/null)
-  echo "$phase"
+# ── API helpers ────────────────────────────────────────────────────────────────
+
+get_active_workflow() {
+  local project_id="${ORCHESTRATOR_PROJECT_ID:-}"
+  local url="${ORCHESTRATOR_API_URL}/api/v1/workflows?status=in_progress&limit=1"
+  [ -n "$project_id" ] && url="${url}&projectId=${project_id}"
+
+  local tmpfile
+  tmpfile=$(mktemp 2>/dev/null) || return 1
+
+  curl -sf \
+    -H "Authorization: Bearer ${ORCHESTRATOR_PROJECT_TOKEN}" \
+    -H "Content-Type: application/json" \
+    "${url}" \
+    -o "$tmpfile" 2>/dev/null || { rm -f "$tmpfile"; return 1; }
+
+  local result
+  result=$(node -e "
+    const fs=require('fs');
+    try {
+      const d=fs.readFileSync('${tmpfile}','utf8');
+      const j=JSON.parse(d);
+      const wf=Array.isArray(j)?j[0]:j;
+      if(wf&&wf.id){ process.stdout.write(JSON.stringify(wf)); process.exit(0); }
+      process.exit(1);
+    } catch { process.exit(1); }" 2>/dev/null)
+  local rc=$?
+  rm -f "$tmpfile"
+  [ $rc -eq 0 ] && echo "$result" || return 1
 }
 
-# Get workflow ID
-get_workflow_id() {
-  local wf_id
-  wf_id=$(jq -r '.activeWorkflow.id // empty' "$INDEX_FILE" 2>/dev/null)
-  echo "$wf_id"
+create_checkpoint() {
+  local workflow_id="$1"
+  local phase="$2"
+  local description="$3"
+
+  local body
+  body=$(jq -n \
+    --arg phase "$phase" \
+    --arg desc "$description" \
+    '{ phase: $phase, description: $desc }')
+
+  local http_code
+  http_code=$(curl -sf -o /dev/null -w "%{http_code}" \
+    -X POST \
+    -H "Authorization: Bearer ${ORCHESTRATOR_PROJECT_TOKEN}" \
+    -H "Content-Type: application/json" \
+    -d "$body" \
+    "${ORCHESTRATOR_API_URL}/api/v1/workflows/${workflow_id}/checkpoints" 2>/dev/null) || echo ""
+
+  echo "$http_code"
 }
 
-# Get workflow status
-get_workflow_status() {
-  local status
-  status=$(jq -r '.activeWorkflow.status // empty' "$INDEX_FILE" 2>/dev/null)
-  echo "$status"
+# ── dedup guard ────────────────────────────────────────────────────────────────
+
+get_saved_last_phase() {
+  [ -f "$LAST_PHASE_FILE" ] && cat "$LAST_PHASE_FILE" || echo ""
 }
 
-# Get last checkpointed phase from checkpoints array (one with commitHash)
-get_last_checkpointed_phase() {
-  local phase
-  # Find the most recent checkpoint that has a commitHash (indicating it was git-committed)
-  phase=$(jq -r '
-    [.checkpoints[] | select(.commitHash != null and .commitHash != "")]
-    | sort_by(.createdAt)
-    | last
-    | .phase // empty
-  ' "$INDEX_FILE" 2>/dev/null)
-  echo "$phase"
+save_last_phase() {
+  echo "$1" > "$LAST_PHASE_FILE"
 }
 
-# Determine completed phase based on current phase
-# When we see currentPhase = PLAN, it means SPECIFY just completed
-get_completed_phase() {
-  local current_phase="$1"
-  local workflow_status="$2"
+# ── phase inference ────────────────────────────────────────────────────────────
 
-  case "$workflow_status" in
-    "completed")
-      echo "IMPLEMENT"
-      return
-      ;;
+# When workflow is at PLAN, it means SPECIFY just completed, etc.
+get_completed_phase() {
+  local current="$1"
+  local status="$2"
+  case "$status" in
+    "completed") echo "implement"; return ;;
   esac
-
-  case "$current_phase" in
-    "PLAN")
-      echo "SPECIFY"
-      ;;
-    "TASKS")
-      echo "PLAN"
-      ;;
-    "IMPLEMENT")
-      echo "TASKS"
-      ;;
-    *)
-      echo ""
-      ;;
+  case "${current,,}" in
+    "plan")      echo "specify" ;;
+    "tasks")     echo "plan"    ;;
+    "implement") echo "tasks"   ;;
+    *)           echo ""        ;;
   esac
 }
 
-# Create git checkpoint
-create_git_checkpoint() {
-  local phase="$1"
-  local commit_hash=""
-
-  log_info "Creating git checkpoint for phase: $phase"
-
-  # Stage all changes
-  git -C "$PROJECT_ROOT" add -A 2>/dev/null || {
-    log_warn "Failed to stage changes"
-    return 1
-  }
-
-  # Check if there are staged changes
-  if git -C "$PROJECT_ROOT" diff --cached --quiet 2>/dev/null; then
-    log_info "No changes to commit for phase: $phase"
-    echo ""
-    return 0
-  fi
-
-  # Create commit with standard message
-  local commit_msg="[orchestrator] ${phase}: Auto-checkpoint after ${phase} phase"
-
-  if git -C "$PROJECT_ROOT" commit -m "$commit_msg" --no-verify 2>/dev/null; then
-    commit_hash=$(git -C "$PROJECT_ROOT" rev-parse HEAD 2>/dev/null)
-    log_info "Checkpoint commit created: $commit_hash"
-    echo "$commit_hash"
-  else
-    log_warn "Failed to create commit"
-    echo ""
-    return 1
-  fi
-}
-
-# Update orchestrator-index.json with checkpoint
-update_orchestrator_index() {
-  local workflow_id="$1"
-  local phase="$2"
-  local commit_hash="$3"
-  local created_at
-
-  created_at=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-  local checkpoint_id="cp_${workflow_id}_$(date +%s)"
-  local description="Auto-checkpoint after ${phase} phase"
-
-  log_debug "Updating index with checkpoint: $checkpoint_id"
-
-  # Create temp file for atomic update
-  local temp_file="${INDEX_FILE}.tmp.$$"
-
-  # Use jq to add checkpoint and update statistics
-  if jq --arg id "$checkpoint_id" \
-       --arg wfId "$workflow_id" \
-       --arg phase "$phase" \
-       --arg hash "$commit_hash" \
-       --arg date "$created_at" \
-       --arg desc "$description" '
-    # Add checkpoint to array
-    .checkpoints += [{
-      id: $id,
-      workflowId: $wfId,
-      phase: $phase,
-      commitHash: $hash,
-      createdAt: $date,
-      description: $desc
-    }] |
-    # Update statistics
-    .statistics.totalCheckpoints = (.checkpoints | length) |
-    .statistics.lastActivity = $date
-  ' "$INDEX_FILE" > "$temp_file" 2>/dev/null; then
-
-    # Validate JSON
-    if jq empty "$temp_file" 2>/dev/null; then
-      mv "$temp_file" "$INDEX_FILE"
-      log_info "Index updated with checkpoint: $checkpoint_id"
-      return 0
-    else
-      log_error "Generated invalid JSON"
-      rm -f "$temp_file"
-      return 1
-    fi
-  else
-    log_error "Failed to update index with jq"
-    rm -f "$temp_file"
-    return 1
-  fi
-}
-
-# Save last checkpointed phase
-save_last_phase() {
-  local phase="$1"
-  echo "$phase" > "$LAST_PHASE_FILE"
-}
-
-# Get saved last phase (from state file, not index)
-get_saved_last_phase() {
-  if [ -f "$LAST_PHASE_FILE" ]; then
-    cat "$LAST_PHASE_FILE"
-  else
-    echo ""
-  fi
-}
+# ── main ───────────────────────────────────────────────────────────────────────
 
-# Main execution
 main() {
   log_debug "Hook triggered"
 
-  # Check prerequisites
   if ! check_prerequisites; then
-    log_debug "Prerequisites not met, exiting"
-    exit 0  # Don't fail the hook
+    exit 0
   fi
 
-  # Get current state
-  local current_phase
-  current_phase=$(get_current_phase)
+  local workflow_json
+  workflow_json=$(get_active_workflow 2>/dev/null) || workflow_json=""
 
-  if [ -z "$current_phase" ]; then
-    log_debug "No active workflow phase found"
+  if [ -z "$workflow_json" ]; then
+    log_debug "No active workflow found via API."
     exit 0
   fi
 
-  local workflow_id
-  workflow_id=$(get_workflow_id)
+  local workflow_id current_phase workflow_status
+  workflow_id=$(echo "$workflow_json"     | jq -r '.id // empty'           2>/dev/null || echo "")
+  current_phase=$(echo "$workflow_json"  | jq -r '.currentPhase // empty'  2>/dev/null || echo "")
+  workflow_status=$(echo "$workflow_json" | jq -r '.status // empty'        2>/dev/null || echo "")
 
-  local workflow_status
-  workflow_status=$(get_workflow_status)
-
-  log_debug "Current phase: $current_phase, Status: $workflow_status, Workflow: $workflow_id"
+  if [ -z "$workflow_id" ] || [ -z "$current_phase" ]; then
+    log_debug "Could not parse workflow ID or phase."
+    exit 0
+  fi
 
-  # Determine which phase just completed
   local completed_phase
   completed_phase=$(get_completed_phase "$current_phase" "$workflow_status")
 
   if [ -z "$completed_phase" ]; then
-    log_debug "No completed phase detected from current phase: $current_phase"
+    log_debug "No completed phase inferred from current_phase=${current_phase}."
     exit 0
   fi
 
-  # Check if we already checkpointed this phase
-  local last_checkpointed
-  last_checkpointed=$(get_last_checkpointed_phase)
-
-  local saved_last_phase
-  saved_last_phase=$(get_saved_last_phase)
-
-  log_debug "Completed phase: $completed_phase, Last checkpointed: $last_checkpointed, Saved: $saved_last_phase"
-
-  # Skip if already checkpointed
-  if [ "$completed_phase" = "$last_checkpointed" ] || [ "$completed_phase" = "$saved_last_phase" ]; then
-    log_debug "Phase $completed_phase already checkpointed, skipping"
+  # Dedup guard — skip if we already checkpointed this phase
+  local saved_last
+  saved_last=$(get_saved_last_phase)
+  if [ "$completed_phase" = "$saved_last" ]; then
+    log_debug "Phase ${completed_phase} already checkpointed. Skipping."
     exit 0
   fi
 
-  # Create checkpoint
-  local commit_hash
-  commit_hash=$(create_git_checkpoint "$completed_phase")
+  local description="Auto-checkpoint after ${completed_phase} phase"
+  local http_code
+  http_code=$(create_checkpoint "$workflow_id" "$completed_phase" "$description")
 
-  # Update index (even if no commit, to track the checkpoint)
-  if [ -n "$commit_hash" ]; then
-    if update_orchestrator_index "$workflow_id" "$completed_phase" "$commit_hash"; then
+  case "$http_code" in
+    201|200)
       save_last_phase "$completed_phase"
-      log_info "Checkpoint complete for phase: $completed_phase (commit: $commit_hash)"
-    else
-      log_error "Failed to update index for phase: $completed_phase"
-    fi
-  else
-    log_info "No changes to checkpoint for phase: $completed_phase"
-    save_last_phase "$completed_phase"
-  fi
+      log_info "Checkpoint registered: workflow=${workflow_id}, phase=${completed_phase}"
+      ;;
+    409)
+      save_last_phase "$completed_phase"
+      log_info "Checkpoint already exists (409): phase=${completed_phase}"
+      ;;
+    "")
+      log_warn "API unreachable. Checkpoint skipped for phase=${completed_phase}."
+      ;;
+    *)
+      log_warn "Unexpected HTTP ${http_code} creating checkpoint for phase=${completed_phase}."
+      ;;
+  esac
 
   exit 0
 }
 
-# Run main function
 main "$@"

package/templates/base/claude/hooks/workflow-guard.sh

@@ -20,6 +20,13 @@ FILE_PATH=$(orch_json_field "$STDIN_DATA" "tool_input.file_path")
 
 orch_log "workflow-guard: file_path=$FILE_PATH"
 
+# Explicit bypass via env var (for direct implementation without dogfooding)
+if [ "${SKIP_WORKFLOW_GUARD:-}" = "true" ]; then
+  orch_log "workflow-guard: ALLOW (SKIP_WORKFLOW_GUARD=true)"
+  echo '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","additionalContext":"Workflow guard bypassed via SKIP_WORKFLOW_GUARD=true."}}'
+  exit 0
+fi
+
 # Only guard src/ and tests/ paths (production code)
 case "$FILE_PATH" in
   */src/*|*/tests/*)
@@ -42,8 +49,27 @@ esac
 WORKFLOW_ID=$(orch_get_active_workflow 2>/dev/null) || WORKFLOW_ID=""
 
 if [ -n "$WORKFLOW_ID" ]; then
-  orch_log "workflow-guard: ALLOW (active workflow: $WORKFLOW_ID)"
-  echo "{\"hookSpecificOutput\":{\"hookEventName\":\"PreToolUse\",\"permissionDecision\":\"allow\",\"additionalContext\":\"Active workflow: ${WORKFLOW_ID}. Write allowed.\"}}"
+  # Check if running inside a sub-agent (agent_id present) or main agent (absent)
+  AGENT_ID=$(orch_json_field "$STDIN_DATA" "agent_id")
+
+  if [ -n "$AGENT_ID" ]; then
+    # Sub-agent writing — ALLOW
+    AGENT_TYPE=$(orch_json_field "$STDIN_DATA" "agent_type")
+    orch_log "workflow-guard: ALLOW (sub-agent: ${AGENT_TYPE:-unknown}, workflow: $WORKFLOW_ID)"
+    echo "{\"hookSpecificOutput\":{\"hookEventName\":\"PreToolUse\",\"permissionDecision\":\"allow\",\"additionalContext\":\"Active workflow: ${WORKFLOW_ID}. Sub-agent ${AGENT_TYPE:-unknown} write allowed.\"}}"
+    exit 0
+  fi
+
+  # Main agent writing directly — check if SKIP_SUBAGENT_GUARD allows it
+  if [ "${SKIP_SUBAGENT_GUARD:-}" = "true" ]; then
+    orch_log "workflow-guard: ALLOW (SKIP_SUBAGENT_GUARD=true, workflow: $WORKFLOW_ID)"
+    echo "{\"hookSpecificOutput\":{\"hookEventName\":\"PreToolUse\",\"permissionDecision\":\"allow\",\"additionalContext\":\"Active workflow: ${WORKFLOW_ID}. Direct write allowed via SKIP_SUBAGENT_GUARD.\"}}"
+    exit 0
+  fi
+
+  # Main agent writing directly — DENY, must use sub-agent
+  orch_log "workflow-guard: DENY (main agent direct write, no sub-agent invocation)"
+  echo "{\"hookSpecificOutput\":{\"hookEventName\":\"PreToolUse\",\"permissionDecision\":\"deny\",\"permissionDecisionReason\":\"Workflow Guard: Direct code writes are blocked. You must invoke a sub-agent (e.g. implementer) to write code. The sub-agent will have write access.\",\"additionalContext\":\"Use the Agent tool to spawn an implementer sub-agent for code changes. The workflow-guard allows writes only from sub-agents (identified by agent_id in hook input).\"}}"
   exit 0
 fi
 

package/templates/base/claude/settings.json

@@ -64,17 +64,6 @@
       }
     ],
     "PreToolUse": [
-      {
-        "matcher": "Task",
-        "hooks": [
-          {
-            "type": "command",
-            "command": ".claude/hooks/track-agent-invocation.sh start",
-            "timeout": 5000,
-            "on_failure": "ignore"
-          }
-        ]
-      },
       {
         "matcher": "mcp__orchestrator-tools__advancePhase",
         "hooks": [
@@ -98,9 +87,22 @@
         ]
       }
     ],
-    "PostToolUse": [
+    "SubagentStart": [
+      {
+        "matcher": "implementer|specifier|planner|task-generator|reviewer|researcher|orchestrator",
+        "hooks": [
+          {
+            "type": "command",
+            "command": ".claude/hooks/track-agent-invocation.sh start",
+            "timeout": 5000,
+            "on_failure": "ignore"
+          }
+        ]
+      }
+    ],
+    "SubagentStop": [
       {
-        "matcher": "Task",
+        "matcher": "implementer|specifier|planner|task-generator|reviewer|researcher|orchestrator",
         "hooks": [
           {
             "type": "command",