@soulguard/openclaw 0.1.4 → 0.2.0

package/dist/openclaw.plugin.json

@@ -0,0 +1,11 @@
+{
+  "id": "soulguard",
+  "name": "Soulguard",
+  "description": "Identity protection for AI agents",
+  "version": "0.1.0",
+  "configSchema": {
+    "type": "object",
+    "properties": {},
+    "additionalProperties": false
+  }
+}

package/package.json

@@ -1,16 +1,16 @@
 {
   "name": "@soulguard/openclaw",
-  "version": "0.1.4",
+  "version": "0.2.0",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "scripts": {
-    "build": "bun build src/index.ts --outdir dist --target node",
+    "build": "bun build src/index.ts --outdir dist --target node --format esm --define \"SOULGUARD_VERSION='$(node -p \"require('./package.json').version\")'\" && cp openclaw.plugin.json dist/",
     "test": "bun test",
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@soulguard/core": "^0.1.3"
+    "@soulguard/core": "^2.0.0"
   },
   "devDependencies": {
     "@types/bun": "latest",

package/src/context.test.ts

@@ -0,0 +1,92 @@
+import { describe, expect, it } from "bun:test";
+import { MockSystemOps } from "@soulguard/core";
+import type { SoulguardConfig } from "@soulguard/core";
+import { getPendingChanges, buildPendingChangesContext } from "./context.js";
+
+const WORKSPACE = "/test-workspace";
+
+const baseConfig: SoulguardConfig = {
+  version: 1,
+  guardian: "soulguardian_agent",
+  files: {
+    "SOUL.md": "protect",
+    "AGENTS.md": "protect",
+  },
+};
+
+function setupOps(staged?: Record<string, string>) {
+  const ops = new MockSystemOps(WORKSPACE);
+  ops.addFile("SOUL.md", "soul content", {
+    owner: "soulguardian",
+    group: "soulguard",
+    mode: "444",
+  });
+  ops.addFile("AGENTS.md", "agents content", {
+    owner: "soulguardian",
+    group: "soulguard",
+    mode: "444",
+  });
+  if (staged) {
+    for (const [path, content] of Object.entries(staged)) {
+      ops.addFile(`.soulguard-staging/${path}`, content, {
+        owner: "agent",
+        group: "staff",
+        mode: "644",
+      });
+    }
+  }
+  return ops;
+}
+
+describe("getPendingChanges", () => {
+  it("returns empty when no staged changes exist", async () => {
+    const ops = setupOps();
+    const result = await getPendingChanges({ ops, config: baseConfig });
+    expect(result.files).toEqual([]);
+  });
+
+  it("detects a modified staged file", async () => {
+    const ops = setupOps({ "SOUL.md": "modified soul" });
+    const result = await getPendingChanges({ ops, config: baseConfig });
+    expect(result.files).toEqual(["SOUL.md"]);
+  });
+
+  it("detects multiple staged files", async () => {
+    const ops = setupOps({ "SOUL.md": "mod1", "AGENTS.md": "mod2" });
+    const result = await getPendingChanges({ ops, config: baseConfig });
+    expect(result.files.sort()).toEqual(["AGENTS.md", "SOUL.md"]);
+  });
+
+  it("ignores unchanged staged files (same content)", async () => {
+    const ops = setupOps({ "SOUL.md": "soul content" });
+    const result = await getPendingChanges({ ops, config: baseConfig });
+    expect(result.files).toEqual([]);
+  });
+});
+
+describe("buildPendingChangesContext", () => {
+  it("returns undefined when no pending changes", async () => {
+    const ops = setupOps();
+    const result = await buildPendingChangesContext({ ops, config: baseConfig });
+    expect(result).toBeUndefined();
+  });
+
+  it("returns context string when there are pending changes", async () => {
+    const ops = setupOps({ "SOUL.md": "modified" });
+    const result = await buildPendingChangesContext({ ops, config: baseConfig });
+    expect(result).toBeDefined();
+    expect(result).toContain("[Soulguard]");
+    expect(result).toContain("1 protected file(s)");
+    expect(result).toContain("SOUL.md");
+    expect(result).toContain("soulguard diff");
+    expect(result).toContain("soulguard reset");
+  });
+
+  it("lists multiple files", async () => {
+    const ops = setupOps({ "SOUL.md": "mod1", "AGENTS.md": "mod2" });
+    const result = await buildPendingChangesContext({ ops, config: baseConfig });
+    expect(result).toContain("2 protected file(s)");
+    expect(result).toContain("SOUL.md");
+    expect(result).toContain("AGENTS.md");
+  });
+});

package/src/context.ts

@@ -0,0 +1,43 @@
+/**
+ * before_prompt_build context injection — injects a short note when
+ * there are pending staged changes so the agent knows about them
+ * without polluting context on normal turns.
+ */
+
+import { StateTree, type BuildStateOptions } from "@soulguard/core";
+
+// ── Types ──────────────────────────────────────────────────────────────
+
+export type PendingChangesResult = {
+  /** File paths that have pending staged changes. */
+  files: string[];
+};
+
+// ── Core ───────────────────────────────────────────────────────────────
+
+/**
+ * Get pending staged changes using the soulguard state tree.
+ */
+export async function getPendingChanges(options: BuildStateOptions): Promise<PendingChangesResult> {
+  const treeResult = await StateTree.build(options);
+  if (!treeResult.ok) return { files: [] };
+  return { files: treeResult.value.changedFiles().map((f) => f.path) };
+}
+
+/**
+ * Build the context string to inject via before_prompt_build.
+ * Returns undefined if there are no pending changes (no context pollution).
+ */
+export async function buildPendingChangesContext(
+  options: BuildStateOptions,
+): Promise<string | undefined> {
+  const { files } = await getPendingChanges(options);
+  if (files.length === 0) return undefined;
+
+  const fileList = files.join(", ");
+  return (
+    `[Soulguard] ${files.length} protected file(s) have pending staged changes: ${fileList}. ` +
+    `Use \`soulguard diff\` to review. Ask your owner to apply changes, ` +
+    `or use \`soulguard reset\` to discard them.`
+  );
+}

package/src/guard.test.ts

@@ -2,31 +2,34 @@ import { describe, expect, it } from "bun:test";
 import { guardToolCall, type GuardOptions } from "./guard.js";
 
 const defaultOpts: GuardOptions = {
-  vaultFiles: ["SOUL.md", "IDENTITY.md"],
+  protectFiles: ["SOUL.md", "IDENTITY.md"],
+  stateDir: "/home/test/.openclaw",
 };
 
 describe("guardToolCall", () => {
-  it("blocks Write to a vault file", () => {
+  it("blocks Write to a protected file", () => {
     const result = guardToolCall("Write", { file_path: "SOUL.md" }, defaultOpts);
     expect(result.blocked).toBe(true);
-    expect(result.reason).toContain("vault-protected");
-    expect(result.reason).toContain(".soulguard/staging/SOUL.md");
-    expect(result.reason).toContain("reviewed and approved by the owner");
+    expect(result.reason).toContain("protected by soulguard");
+    expect(result.reason).toContain("soulguard stage SOUL.md");
+    expect(result.reason).toContain(".soulguard-staging/SOUL.md");
+    expect(result.reason).toContain("Your owner will review and apply");
   });
 
-  it("blocks Edit to a vault file", () => {
+  it("blocks Edit to a protected file", () => {
     const result = guardToolCall("Edit", { path: "IDENTITY.md" }, defaultOpts);
     expect(result.blocked).toBe(true);
-    expect(result.reason).toContain("vault-protected");
+    expect(result.reason).toContain("protected by soulguard");
+    expect(result.reason).toContain("soulguard stage IDENTITY.md");
   });
 
-  it("allows Write to a non-vault file", () => {
+  it("allows Write to a non-protected file", () => {
     const result = guardToolCall("Write", { file_path: "README.md" }, defaultOpts);
     expect(result.blocked).toBe(false);
   });
 
-  it("allows Write to staging copy of a vault file", () => {
-    const result = guardToolCall("Write", { file_path: ".soulguard/staging/SOUL.md" }, defaultOpts);
+  it("allows Write to staging copy of a protected file", () => {
+    const result = guardToolCall("Write", { file_path: ".soulguard-staging/SOUL.md" }, defaultOpts);
     expect(result.blocked).toBe(false);
   });
 
@@ -35,9 +38,6 @@ describe("guardToolCall", () => {
     expect(result.blocked).toBe(false);
   });
 
-  // TODO: re-enable when glob matching is delegated to @soulguard/core isVaulted() API
-  // For 0.1, only exact matches are supported — globs are not evaluated.
-
   it("handles ./prefix in file paths", () => {
     const result = guardToolCall("Write", { path: "./SOUL.md" }, defaultOpts);
     expect(result.blocked).toBe(true);
@@ -53,6 +53,32 @@ describe("guardToolCall", () => {
     expect(result.blocked).toBe(true);
   });
 
-  // TODO: glob pattern tests — re-enable when delegated to @soulguard/core isVaulted() API
-  // For 0.1, "*.md" in vaultFiles is treated as a literal string, not a glob.
+  it("includes the original path in the block reason", () => {
+    const result = guardToolCall("Write", { file_path: "./SOUL.md" }, defaultOpts);
+    expect(result.blocked).toBe(true);
+    expect(result.reason).toContain("./SOUL.md");
+  });
+
+  it("blocks writes to files inside a protected directory", () => {
+    const opts: GuardOptions = { protectFiles: ["skills"], stateDir: "/home/test/.openclaw" };
+    const result = guardToolCall("Write", { file_path: "skills/my-skill.md" }, opts);
+    expect(result.blocked).toBe(true);
+    expect(result.reason).toContain("skills/my-skill.md");
+  });
+
+  it("blocks Write with absolute path resolved against stateDir", () => {
+    const result = guardToolCall(
+      "Write",
+      { file_path: "/home/test/.openclaw/SOUL.md" },
+      defaultOpts,
+    );
+    expect(result.blocked).toBe(true);
+    expect(result.reason).toContain("protected by soulguard");
+  });
+
+  it("allows writes to files outside a protected directory", () => {
+    const opts: GuardOptions = { protectFiles: ["skills"], stateDir: "/home/test/.openclaw" };
+    const result = guardToolCall("Write", { file_path: "memory/notes.md" }, opts);
+    expect(result.blocked).toBe(false);
+  });
 });

package/src/guard.ts

@@ -1,16 +1,18 @@
 /**
- * before_tool_call guard — blocks writes to vault-protected files and
- * returns a helpful message pointing the agent to the staging workflow.
+ * before_tool_call guard — blocks writes to protected files and
+ * returns a helpful message guiding the agent to the staging workflow.
  */
 
-import { basename } from "node:path";
-import { isVaultedFile, normalizePath } from "@soulguard/core";
+import path from "node:path";
+import { isProtectedFile, isStagingPath, stagingPath } from "@soulguard/core";
 
 // ── Types ──────────────────────────────────────────────────────────────
 
 export type GuardOptions = {
-  /** Vault file paths/patterns from soulguard.json */
-  vaultFiles: string[];
+  /** Protected file paths/patterns from soulguard.json */
+  protectFiles: string[];
+  /** Absolute path to the OpenClaw state dir (e.g. ~/.openclaw/) for resolving absolute tool paths. */
+  stateDir: string;
 };
 
 export type GuardResult = {
@@ -20,15 +22,12 @@ export type GuardResult = {
 
 // ── Constants ──────────────────────────────────────────────────────────
 
-/** OpenClaw tool names that write files. */
-const WRITE_TOOLS = new Set(["Write", "Edit"]);
+/** OpenClaw tool names that write files (lowercase — OpenClaw normalizes names). */
+const WRITE_TOOLS = new Set(["write", "edit"]);
 
 /** Param keys that carry the target file path. */
 const PATH_KEYS = ["file_path", "path", "file"] as const;
 
-/** Staging directory — writes here are always allowed. */
-const STAGING_PREFIX = ".soulguard/staging/";
-
 // ── Main guard ─────────────────────────────────────────────────────────
 
 /**
@@ -41,8 +40,10 @@ export function guardToolCall(
   params: Record<string, unknown>,
   options: GuardOptions,
 ): GuardResult {
-  // Only intercept file-writing tools
-  if (!WRITE_TOOLS.has(toolName)) return { blocked: false };
+  // Only intercept file-writing tools (compare lowercase for robustness)
+  if (!WRITE_TOOLS.has(toolName.toLowerCase())) {
+    return { blocked: false };
+  }
 
   // Extract target path from params
   let targetPath: string | undefined;
@@ -54,21 +55,28 @@ export function guardToolCall(
     }
   }
 
+  // OpenClaw passes absolute paths (e.g. /Users/x/.openclaw/workspace/SOUL.md)
+  // but protectFiles uses relative paths (e.g. workspace/SOUL.md). Make relative.
+  if (targetPath && path.isAbsolute(targetPath)) {
+    targetPath = path.relative(options.stateDir, targetPath);
+  }
+
   if (!targetPath) return { blocked: false };
 
-  // Never block writes to staging
-  const norm = normalizePath(targetPath);
-  if (norm.startsWith(STAGING_PREFIX)) return { blocked: false };
+  // Never block writes to staging files
+  if (isStagingPath(targetPath)) return { blocked: false };
 
-  // Check against vault using core SDK
-  if (!isVaultedFile(options.vaultFiles, targetPath)) return { blocked: false };
+  // Check against protect tier using core SDK
+  if (!isProtectedFile(options.protectFiles, targetPath)) return { blocked: false };
 
-  const fileName = basename(targetPath);
   return {
     blocked: true,
-    reason:
-      `${fileName} is vault-protected by soulguard. ` +
-      `To modify it, edit .soulguard/staging/${norm} instead. ` +
-      `Your changes will be reviewed and approved by the owner.`,
+    reason: [
+      `${targetPath} is protected by soulguard.`,
+      `To propose changes, run \`soulguard stage ${targetPath}\` to create a working copy,`,
+      `then edit the staged file at ${stagingPath(targetPath)}.`,
+      `Run \`soulguard diff\` to review your changes.`,
+      `Your owner will review and apply the changes.`,
+    ].join(" "),
   };
 }

package/src/index.ts

@@ -3,24 +3,26 @@
  *
  * Provides:
  * - Configuration templates (default, paranoid, relaxed)
- * - before_tool_call hooks to intercept writes to vault files
- * - Cron and extension directory gating
+ * - before_tool_call hook to intercept writes to protected files
+ * - Pending-changes context builder (for future before_prompt_build support)
  */
 
-export { templates, defaultTemplate, paranoidTemplate, relaxedTemplate } from "./templates.js";
+export { templates } from "./templates.js";
 export type { TemplateName, Template } from "./templates.js";
 
 export { createSoulguardPlugin } from "./plugin.js";
 export type { SoulguardPluginOptions } from "./plugin.js";
 
 // Default export for OpenClaw plugin discovery
-// createSoulguardPlugin() returns { id, activate(api) } which matches OpenClaw's plugin shape
 import { createSoulguardPlugin } from "./plugin.js";
 export default createSoulguardPlugin();
 
 export { guardToolCall } from "./guard.js";
 export type { GuardOptions, GuardResult } from "./guard.js";
 
+export { getPendingChanges, buildPendingChangesContext } from "./context.js";
+export type { PendingChangesResult } from "./context.js";
+
 export type {
   OpenClawPluginDefinition,
   OpenClawPluginApi,

package/src/openclaw-types.ts

@@ -19,10 +19,12 @@ export type OpenClawPluginApi = {
   registerHook: (
     events: string | string[],
     handler: (...args: unknown[]) => unknown,
-    opts?: { priority?: number },
+    opts?: { name?: string; description?: string; priority?: number },
   ) => void;
   registerTool: (tool: AgentTool, opts?: { optional?: boolean }) => void;
   config: Record<string, unknown>;
+  /** Plugin install directory, e.g. ~/.openclaw/extensions/soulguard/ */
+  rootDir?: string;
   runtime: { workspaceDir?: string };
   resolvePath?: (input: string) => string;
   logger?: { warn: (msg: string) => void; error: (msg: string) => void };

package/src/plugin.ts

@@ -1,16 +1,12 @@
 /**
- * Soulguard OpenClaw plugin — protects vault files from direct writes.
+ * Soulguard OpenClaw plugin — protects files from direct writes.
  */
 
 import { readFileSync } from "node:fs";
+import os from "node:os";
 import { join } from "node:path";
-import { status, diff, parseConfig, NodeSystemOps, type SoulguardConfig } from "@soulguard/core";
+import { parseConfig, protectPatterns } from "@soulguard/core";
 
-/** OpenClaw-specific default config — also vaults openclaw.json */
-const OPENCLAW_DEFAULT_CONFIG: SoulguardConfig = {
-  vault: ["openclaw.json", "soulguard.json"],
-  ledger: [],
-};
 import { guardToolCall } from "./guard.js";
 import type {
   BeforeToolCallEvent,
@@ -18,6 +14,11 @@ import type {
   OpenClawPluginDefinition,
 } from "./openclaw-types.js";
 
+// Injected at build time via --define (see package.json build script)
+declare const SOULGUARD_VERSION: string;
+const PKG_VERSION: string =
+  typeof SOULGUARD_VERSION !== "undefined" ? SOULGUARD_VERSION : "0.0.0-dev";
+
 /** Shared plugin description (plugin.json keeps its own copy). */
 export const PLUGIN_DESCRIPTION = "Identity protection for AI agents";
 
@@ -34,123 +35,39 @@ export function createSoulguardPlugin(options?: SoulguardPluginOptions): OpenCla
     id: "soulguard",
     name: "Soulguard",
     description: PLUGIN_DESCRIPTION,
-    version: "0.1.0",
+    version: PKG_VERSION,
 
     activate(api) {
-      const workspaceDir = api.resolvePath?.(".") ?? api.runtime.workspaceDir ?? ".";
+      // Resolve OpenClaw state dir (~/.openclaw) where soulguard.json lives.
+      // Cannot use api.resolvePath — it resolves relative to process.cwd(), not the workspace.
+      const stateDir = process.env.OPENCLAW_STATE_DIR?.trim() ?? join(os.homedir(), ".openclaw");
       const configFile = options?.configPath ?? "soulguard.json";
-      const configPath = api.resolvePath?.(configFile) ?? join(workspaceDir, configFile);
+      const configPath = join(stateDir, configFile);
 
-      // Load config — fall back to OpenClaw defaults if missing
-      let config: SoulguardConfig;
-      let vaultFiles: string[];
+      // Load config
+      let protectFiles: string[];
       try {
         const raw = JSON.parse(readFileSync(configPath, "utf-8"));
-        config = parseConfig(raw);
-        vaultFiles = config.vault;
+        protectFiles = protectPatterns(parseConfig(raw));
       } catch {
-        // No config file — use OpenClaw defaults (includes openclaw.json)
-        config = OPENCLAW_DEFAULT_CONFIG;
-        vaultFiles = config.vault;
-        api.logger?.warn("soulguard: no soulguard.json found — using OpenClaw defaults");
+        api.logger?.warn(`soulguard: no config found at ${configPath} — plugin inactive`);
+        return;
       }
 
-      if (vaultFiles.length === 0) return;
-
-      // Helper to create ops for the workspace
-      const createOps = () => new NodeSystemOps(workspaceDir);
-
-      // Status tool
-      api.registerTool(
-        {
-          name: "soulguard_status",
-          description: "Check soulguard protection status of vault and ledger files",
-          parameters: { type: "object", properties: {}, required: [] },
-          async execute(_id, _params) {
-            const ops = createOps();
-            const result = await status({
-              config,
-              expectedVaultOwnership: { user: "soulguardian", group: "soulguard", mode: "444" },
-              // TODO: ledger ownership should come from config, not hardcoded (agent user varies per init)
-              expectedLedgerOwnership: { user: "agent", group: "staff", mode: "644" },
-              ops,
-            });
-            if (!result.ok) {
-              return { content: [{ type: "text" as const, text: "Status check failed" }] };
-            }
-            const lines: string[] = ["Soulguard Status:", ""];
-            for (const f of [...result.value.vault, ...result.value.ledger]) {
-              if (f.status === "ok") lines.push(`  ✅ ${f.file.path}`);
-              else if (f.status === "drifted")
-                lines.push(`  ⚠️  ${f.file.path} — ${f.issues.map((i) => i.kind).join(", ")}`);
-              else if (f.status === "missing") lines.push(`  ❌ ${f.path} — missing`);
-              else if (f.status === "error") lines.push(`  ❌ ${f.path} — error: ${f.error.kind}`);
-            }
-            if (result.value.issues.length === 0) lines.push("", "All files ok.");
-            else lines.push("", `${result.value.issues.length} issue(s) found.`);
-            return { content: [{ type: "text" as const, text: lines.join("\n") }] };
-          },
-        },
-        { optional: true },
-      );
-
-      // Diff tool
-      api.registerTool(
-        {
-          name: "soulguard_diff",
-          description: "Show differences between vault files and their staging copies",
-          parameters: {
-            type: "object",
-            properties: {
-              files: {
-                type: "array",
-                items: { type: "string" },
-                description: "Specific files to diff (default: all vault files)",
-              },
-            },
-            required: [],
-          },
-          async execute(_id, params) {
-            const ops = createOps();
-            const files = Array.isArray(params.files) ? (params.files as string[]) : undefined;
-            const result = await diff({ ops, config, files });
-            if (!result.ok) {
-              return {
-                content: [{ type: "text" as const, text: `Diff failed: ${result.error.kind}` }],
-              };
-            }
-            if (!result.value.hasChanges) {
-              return {
-                content: [
-                  { type: "text" as const, text: "No differences — staging matches vault." },
-                ],
-              };
-            }
-            const lines = result.value.files
-              .filter((d) => d.status === "modified" && d.diff)
-              .map((d) => `--- ${d.path}\n${d.diff}`);
-            let text = lines.join("\n\n") || "No modified files.";
-            if (result.value.approvalHash) {
-              text += `\n\n────────────────────────────────────────\nApproval hash: ${result.value.approvalHash}\nTo approve: soulguard approve --hash ${result.value.approvalHash}`;
-            }
-            return { content: [{ type: "text" as const, text }] };
-          },
-        },
-        { optional: true },
-      );
+      if (protectFiles.length === 0) return;
 
-      // Register the guard hook
-      // Use registerHook (OpenClaw's actual API) with fallback to on()
-      const hookFn = api.registerHook ?? api.on;
-      hookFn("before_tool_call", (...args: unknown[]) => {
+      // ── Guard hook ─────────────────────────────────────────────────
+      // Block writes to protected files with a helpful message
+      // guiding the agent to use soulguard CLI commands for staging.
+      api.on("before_tool_call", (...args: unknown[]) => {
         const event = args[0];
-        // Defense in depth — verify event shape before casting
         if (!event || typeof event !== "object" || !("toolName" in event)) {
           return undefined;
         }
         const e = event as BeforeToolCallEvent;
         const result = guardToolCall(e.toolName, e.params, {
-          vaultFiles,
+          protectFiles,
+          stateDir,
         });
         if (result.blocked) {
           return { block: true, blockReason: result.reason } satisfies BeforeToolCallResult;

package/src/templates.test.ts

@@ -2,35 +2,31 @@ import { describe, expect, test } from "bun:test";
 import { ALL_KNOWN_PATHS, templates } from "./templates.js";
 
 describe("templates", () => {
-  for (const [name, template] of Object.entries(templates)) {
-    test(`${name}: accounts for all known paths`, () => {
-      const allInTemplate = [...template.vault, ...template.ledger, ...template.unprotected];
-      const sorted = (arr: string[]) => [...arr].sort();
+  const sorted = (arr: readonly string[]) => [...arr].sort();
 
-      expect(sorted(allInTemplate)).toEqual(sorted([...ALL_KNOWN_PATHS]));
+  for (const [name, template] of Object.entries(templates)) {
+    test(`${name}: protect + watch + release = all known paths`, () => {
+      const all = [...template.protect, ...template.watch, ...template.release];
+      expect(sorted(all)).toEqual(sorted(ALL_KNOWN_PATHS));
     });
 
     test(`${name}: no path appears in multiple tiers`, () => {
-      const vaultSet = new Set(template.vault);
-      const ledgerSet = new Set(template.ledger);
-      const unprotectedSet = new Set(template.unprotected);
+      const protectSet = new Set(template.protect);
+      const watchSet = new Set(template.watch);
+      const releaseSet = new Set(template.release);
 
-      for (const path of template.vault) {
-        expect(ledgerSet.has(path)).toBe(false);
-        expect(unprotectedSet.has(path)).toBe(false);
+      for (const path of template.protect) {
+        expect(watchSet.has(path)).toBe(false);
+        expect(releaseSet.has(path)).toBe(false);
       }
-      for (const path of template.ledger) {
-        expect(vaultSet.has(path)).toBe(false);
-        expect(unprotectedSet.has(path)).toBe(false);
+      for (const path of template.watch) {
+        expect(protectSet.has(path)).toBe(false);
+        expect(releaseSet.has(path)).toBe(false);
       }
-      for (const path of template.unprotected) {
-        expect(vaultSet.has(path)).toBe(false);
-        expect(ledgerSet.has(path)).toBe(false);
+      for (const path of template.release) {
+        expect(protectSet.has(path)).toBe(false);
+        expect(watchSet.has(path)).toBe(false);
       }
     });
-
-    test(`${name}: soulguard.json is always in vault`, () => {
-      expect(template.vault).toContain("soulguard.json");
-    });
   }
 });