@windyroad/voice-tone 0.5.3 → 0.5.4-preview.374

package/.claude-plugin/plugin.json

@@ -123,5 +123,5 @@
     }
   },
   "name": "wr-voice-tone",
-  "version": "0.5.3"
+  "version": "0.5.4"
 }

package/hooks/external-comms-gate.sh

@@ -24,7 +24,13 @@
 #      (Voice-tone evaluator: skips leak pre-filter — leak detection is the
 #      risk evaluator's concern; voice-tone reviews tone/voice only.)
 #   4. Otherwise: check for THIS evaluator's per-evaluator marker keyed on
-#      sha256(draft_body + '\n' + surface). Marker present → permit.
+#      compute_external_comms_key(draft, surface) =
+#      sha256(normalize(draft, surface) + '\n' + surface) — the SINGLE
+#      canonical key shared with the mark hook (lib/external-comms-key.sh).
+#      For the changeset-author surface normalize() strips the leading YAML
+#      frontmatter block so the gate (which sees the FULL Write content) and
+#      the mark hook (which sees only the <draft> body) hash identical input
+#      (P010 / ADR-028 amended 2026-05-25). Marker present → permit.
 #      Marker absent → deny with directive to delegate to this plugin's
 #      subagent (configured via external-comms-evaluator.conf).
 #
@@ -48,6 +54,12 @@ set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 # shellcheck source=lib/leak-detect.sh
 source "$SCRIPT_DIR/lib/leak-detect.sh"
+# shellcheck source=lib/external-comms-key.sh
+# Provides compute_external_comms_key — the SINGLE canonical marker-key
+# normalization shared with the PostToolUse mark hook (ADR-028 amended
+# 2026-05-25 / P010). Sourced via the same $SCRIPT_DIR/lib convention as
+# leak-detect.sh so byte-identity holds across the synced per-package copies.
+source "$SCRIPT_DIR/lib/external-comms-key.sh"
 
 # ---------- Per-package evaluator config (ADR-028 amended 2026-05-14) ----------
 # Each consumer plugin ships its own external-comms-evaluator.conf alongside this
@@ -231,7 +243,12 @@ fi
 # ---------- Marker-based gate (per-evaluator marker per ADR-028 amended 2026-05-14) ----------
 SESSION_DIR="${TMPDIR:-/tmp}/claude-risk-${SESSION_ID}"
 mkdir -p "$SESSION_DIR"
-KEY=$(printf '%s\n%s' "$DRAFT" "$SURFACE" | shasum -a 256 | cut -d' ' -f1)
+# Canonical marker key — normalize() strips changeset frontmatter + trailing
+# whitespace so this PreToolUse key matches the PostToolUse mark-hook key
+# (compute_external_comms_key in lib/external-comms-key.sh; P010 / ADR-028
+# amended 2026-05-25). For changeset-author $DRAFT is the FULL Write content
+# (frontmatter + body); compute_external_comms_key strips the frontmatter.
+KEY=$(compute_external_comms_key "$DRAFT" "$SURFACE")
 MARKER="${SESSION_DIR}/external-comms-${EXTERNAL_COMMS_EVALUATOR_ID}-reviewed-${KEY}"
 
 if [ -f "$MARKER" ]; then
@@ -244,7 +261,7 @@ fi
 # PostToolUse mark hook can derive the canonical marker key locally
 # (sha256(DRAFT + '\n' + SURFACE)). Single fire per gate cycle.
 VERDICT_PREFIX="${EXTERNAL_COMMS_VERDICT_PREFIX:-EXTERNAL_COMMS_${EXTERNAL_COMMS_EVALUATOR_ID^^}}"
-REASON=$(printf 'BLOCKED (external-comms gate / %s evaluator): %s draft has not been reviewed by %s. Delegate to %s (subagent_type: '"'"'%s'"'"') with a prompt that starts with the line `SURFACE: %s` and wraps the draft body verbatim inside `<draft>...</draft>` markers. The PostToolUse hook derives the marker key from that structure and marks the draft reviewed when the subagent emits %s_VERDICT: PASS — single fire suffices. Use %s for an interactive walkthrough. Override only when intentional: BYPASS_RISK_GATE=1.' \
+REASON=$(printf 'BLOCKED (external-comms gate / %s evaluator): %s draft has not been reviewed by %s. Delegate to %s (subagent_type: '"'"'%s'"'"') with a prompt that starts with the line `SURFACE: %s` and wraps the draft body verbatim inside `<draft>...</draft>` markers (for the changeset-author surface the body is the changeset summary WITHOUT the leading `---` frontmatter block — the gate strips frontmatter before hashing the marker key). The PostToolUse hook derives the marker key from that structure and marks the draft reviewed when the subagent emits %s_VERDICT: PASS — single fire suffices. Use %s for an interactive walkthrough. Override only when intentional: BYPASS_RISK_GATE=1.' \
     "$EXTERNAL_COMMS_EVALUATOR_ID" "$SURFACE" "$EXTERNAL_COMMS_SUBAGENT_TYPE" "$EXTERNAL_COMMS_SUBAGENT_TYPE" "$EXTERNAL_COMMS_SUBAGENT_TYPE" "$SURFACE" "$VERDICT_PREFIX" "$EXTERNAL_COMMS_ASSESS_SKILL")
 deny_with_reason "$REASON"
 exit 0

package/hooks/lib/external-comms-key.sh

@@ -1,44 +1,101 @@
 #!/bin/bash
 # Shared helper: derive the external-comms marker key from an agent's
 # tool_input.prompt by extracting the structured `SURFACE: <name>` line
-# and `<draft>...</draft>` block, then computing
-# sha256(DRAFT + '\n' + SURFACE) — the same key shape the gate computes
-# at PreToolUse time (external-comms-gate.sh line 229).
+# and `<draft>...</draft>` block, then computing the canonical key via
+# compute_external_comms_key — the same key shape the gate computes at
+# PreToolUse time (external-comms-gate.sh).
 #
 # P166 + ADR-028 amended 2026-05-16: the PostToolUse:Agent mark hook
 # derives the marker key from observed runtime state instead of trusting
 # an agent-emitted EXTERNAL_COMMS_<EVAL>_KEY line. Removes the
 # double-invocation cost class — single fire per gate cycle suffices.
 #
+# P010 + ADR-028 amended 2026-05-25: the marker key is computed via the
+# SINGLE canonical normalization in compute_external_comms_key, shared
+# byte-for-byte between the gate (PreToolUse) and this mark-hook helper
+# (PostToolUse). The normalization strips the changeset YAML frontmatter
+# block before hashing (the gate sees the FULL Write content incl.
+# frontmatter; the agent wraps only the body in <draft>) and applies a
+# single canonical trailing-whitespace strip so the two sides cannot
+# diverge. Fixes the deny-after-PASS marker-key mismatch (P198 / #149).
+#
 # Canonical source: packages/shared/hooks/lib/external-comms-key.sh
 # Synced byte-identically into each consumer plugin's hooks/lib/ via
 # scripts/sync-external-comms-gate.sh (ADR-017 duplicate-script pattern).
+
+# ---------------------------------------------------------------------------
+# compute_external_comms_key <draft> <surface>
 #
-# Returns the 64-char hex sha256 on stdout when both markers are present
-# in the prompt. Returns empty string when either marker is absent — the
-# caller falls back to the agent-emitted KEY for backward compatibility
-# with cached old SKILL.md / agent prompts.
+# THE single source of truth for the external-comms marker key. Both the
+# PreToolUse gate and the PostToolUse mark hook compute the key through
+# this function so they hash byte-identical input (ADR-028 amended
+# 2026-05-25). Echoes the 64-char lowercase sha256 hex on stdout.
+#
+# normalize(draft, surface):
+#   - changeset-author surface: strip the leading YAML frontmatter block
+#     (`---\n...\n---\n` plus the blank line after it). Changeset files
+#     carry `---\n"@windyroad/x": minor\n---\n\n<body>`; the gate sees the
+#     whole thing via tool_input.content while the agent wraps only the
+#     <body> in <draft>. Stripping frontmatter makes the two inputs equal.
+#     All other surfaces (gh-*, npm-publish) are already body-only via the
+#     gate's --body / --field extraction, so they are left unchanged.
+#   - all surfaces: rstrip ALL trailing whitespace. This single canonical
+#     newline normalization subsumes both the gate's `$()` trailing-newline
+#     strip and this helper's `<draft>` regex single-newline strip, so the
+#     two sides are provably symmetric on trailing whitespace.
+#   key = sha256(normalize(draft, surface) + '\n' + surface)
+# ---------------------------------------------------------------------------
+compute_external_comms_key() {
+    local draft="$1" surface="$2"
+    EXTCOMMS_DRAFT="$draft" EXTCOMMS_SURFACE="$surface" python3 -c "
+import os, re, hashlib
+draft = os.environ.get('EXTCOMMS_DRAFT', '')
+surface = os.environ.get('EXTCOMMS_SURFACE', '')
+# changeset-author: strip the leading YAML frontmatter block + blank line.
+if surface == 'changeset-author':
+    draft = re.sub(r'^---\n.*?\n---\n\n?', '', draft, count=1, flags=re.DOTALL)
+# Single canonical newline normalization: strip all trailing whitespace.
+draft = draft.rstrip()
+print(hashlib.sha256((draft + '\n' + surface).encode('utf-8')).hexdigest())
+" 2>/dev/null
+}
 
+# ---------------------------------------------------------------------------
+# derive_external_comms_key_from_prompt <prompt>
+#
+# Extracts the (SURFACE, draft-body) pair from an agent prompt's structured
+# `SURFACE: <name>` line + `<draft>...</draft>` block, then delegates to
+# compute_external_comms_key so the normalization lives in exactly one place.
+#
+# Returns the 64-char hex sha256 on stdout when both markers are present in
+# the prompt. Returns empty string when either marker is absent — the caller
+# falls back to the agent-emitted KEY for backward compatibility with cached
+# old SKILL.md / agent prompts.
+# ---------------------------------------------------------------------------
 derive_external_comms_key_from_prompt() {
     local prompt="$1"
     [ -n "$prompt" ] || { echo ""; return 0; }
-    printf '%s' "$prompt" | python3 -c "
-import sys, re, hashlib
+    # Extract SURFACE + <draft> body in one pass. The two fields are emitted
+    # \x1f-separated (ASCII unit separator) so a body containing newlines — or
+    # an empty body — round-trips through command substitution intact (only
+    # trailing newlines are dropped, which compute_external_comms_key rstrips
+    # anyway). Empty output when either marker is absent → empty key.
+    local extracted
+    extracted=$(printf '%s' "$prompt" | python3 -c "
+import sys, re
 text = sys.stdin.read()
-# DRAFT extraction: non-greedy match between <draft>...</draft>.
-# Tolerates an optional newline immediately after <draft> and before </draft>
-# so the body content does not capture wrapping newlines.
+# DRAFT: non-greedy match between <draft>...</draft>, tolerating an optional
+# newline immediately after <draft> and before </draft>.
 draft_match = re.search(r'<draft>\n?(.*?)\n?</draft>', text, re.DOTALL)
-# SURFACE extraction: must be anchored to line start (MULTILINE) to avoid
-# matching prose like 'context says SURFACE: x'. Surface name is a single
-# token: letter + word/hyphen chars.
+# SURFACE: anchored to line start (MULTILINE) so prose like 'context says
+# SURFACE: x' does not match. Surface name is a single letter+word/hyphen token.
 surface_match = re.search(r'^SURFACE:\s*([A-Za-z][\w-]*)', text, re.MULTILINE)
 if not draft_match or not surface_match:
-    print('')
     sys.exit(0)
-draft = draft_match.group(1)
-surface = surface_match.group(1)
-payload = (draft + '\n' + surface).encode('utf-8')
-print(hashlib.sha256(payload).hexdigest())
-" 2>/dev/null
+sys.stdout.write(surface_match.group(1) + '\x1f' + draft_match.group(1))
+" 2>/dev/null) || extracted=""
+    [ -n "$extracted" ] || { echo ""; return 0; }
+    local surface="${extracted%%$'\x1f'*}"
+    local body="${extracted#*$'\x1f'}"
+    compute_external_comms_key "$body" "$surface"
 }

package/hooks/test/external-comms-gate.bats

@@ -198,3 +198,24 @@ run_hook() {
   [ "$status" -eq 0 ]
   [[ "$output" == *"deny"* ]]
 }
+
+# ---------------------------------------------------------------------------
+# P010 / ADR-028 amended 2026-05-25 — deny-after-PASS regression (voice-tone).
+# Mirror of the risk-scorer regression: the gate sees the FULL changeset
+# content (YAML frontmatter + body) but the mark hook keys the marker on the
+# <draft> body. After the fix the gate strips frontmatter before hashing, so
+# a body-keyed voice-tone PASS marker permits the changeset Write.
+# ---------------------------------------------------------------------------
+
+@test "P010: changeset Write permits when the voice-tone PASS marker is keyed on the <draft> body (frontmatter stripped before hash)" {
+  BODY="external-comms gate strips changeset frontmatter before key hash"
+  SURFACE="changeset-author"
+  KEY=$(printf '%s\n%s' "$BODY" "$SURFACE" | shasum -a 256 | cut -d' ' -f1)
+  touch "${RDIR}/external-comms-voice-tone-reviewed-${KEY}"
+
+  CONTENT=$'---\n"@windyroad/voice-tone": patch\n---\n\n'"$BODY"
+  INPUT=$(build_write_input ".changeset/p010-fix.md" "$CONTENT")
+  run_hook "$INPUT"
+  [ "$status" -eq 0 ]
+  [ -z "$output" ]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/voice-tone",
-  "version": "0.5.3",
+  "version": "0.5.4-preview.374",
   "description": "Voice and tone enforcement for user-facing copy",
   "bin": {
     "windyroad-voice-tone": "./bin/install.mjs"