@wipcomputer/wip-ldm-os 0.4.76 → 0.4.78

package/SKILL.md

@@ -9,7 +9,7 @@ license: MIT
 compatibility: Requires git, npm, node. Node.js 18+.
 metadata:
   display-name: "LDM OS"
-  version: "0.4.76"
+  version: "0.4.78"
   homepage: "https://github.com/wipcomputer/wip-ldm-os"
   author: "Parker Todd Brooks"
   category: infrastructure

package/lib/deploy.mjs

@@ -14,6 +14,7 @@ import {
   lstatSync, readlinkSync, unlinkSync, chmodSync, readdirSync,
   renameSync, rmSync, statSync, symlinkSync,
 } from 'node:fs';
+import { createHash } from 'node:crypto';
 import { join, basename, resolve, dirname } from 'node:path';
 import { tmpdir } from 'node:os';
 import { detectInterfaces, describeInterfaces, detectToolbox } from './detect.mjs';
@@ -750,6 +751,45 @@ function installCLI(repoPath, door) {
   }
 }
 
+// Stable content hash over a directory tree. Used by deployExtension to
+// decide whether to skip a redeploy. Before this, deployExtension skipped
+// when source and deployed had equal versions ... but a prior partial
+// install could have bumped the package.json without finishing the copy,
+// leaving deployed package.json "current" while other files (guard.mjs,
+// core.mjs, etc.) were stale. The 2026-04-20 wip-release 1.9.74 -> 1.9.75
+// rollout hit that (source core.mjs had runNpmPublish, deployed didn't,
+// both package.jsons reported 1.9.75). Skip only when versions match AND
+// content hashes match; otherwise redeploy to heal the drift.
+function computeTreeHash(dir) {
+  if (!existsSync(dir)) return null;
+  const skipNames = new Set([
+    '.git', 'node_modules', 'ai', '_trash', '.worktrees', 'logs', 'test', 'tests', '__tests__',
+  ]);
+  const hash = createHash('sha256');
+  function walk(d, rel) {
+    let entries;
+    try { entries = readdirSync(d, { withFileTypes: true }); }
+    catch { return; }
+    entries.sort((a, b) => a.name.localeCompare(b.name));
+    for (const e of entries) {
+      if (skipNames.has(e.name)) continue;
+      const p = join(d, e.name);
+      const r = rel ? `${rel}/${e.name}` : e.name;
+      if (e.isDirectory()) walk(p, r);
+      else if (e.isFile()) {
+        try {
+          hash.update(r);
+          hash.update('\0');
+          hash.update(readFileSync(p));
+          hash.update('\0');
+        } catch {}
+      }
+    }
+  }
+  walk(dir, '');
+  return hash.digest('hex');
+}
+
 function deployExtension(repoPath, name) {
   const sourcePkg = readJSON(join(repoPath, 'package.json'));
   const ldmDest = join(LDM_EXTENSIONS, name);
@@ -759,18 +799,28 @@ function deployExtension(repoPath, name) {
 
   const cmp = compareSemver(newVersion, currentVersion);
   if (newVersion && currentVersion && cmp <= 0) {
-    skip(`LDM: ${name} already at v${currentVersion}${cmp < 0 ? ` (source is older: v${newVersion})` : ''}`);
-    // Ensure OC copy exists too
-    const ocName = resolveOcPluginName(repoPath, name);
-    const ocDest = join(OC_EXTENSIONS, ocName);
-    if (!existsSync(ocDest) && !DRY_RUN) {
-      mkdirSync(ocDest, { recursive: true });
-      cpSync(ldmDest, ocDest, { recursive: true });
-      ok(`OpenClaw: synced to ${ocDest}`);
-    } else {
-      skip(`OpenClaw: ${ocName} already at v${currentVersion}`);
+    // Versions equal or deployed is newer. Verify content hash before
+    // short-circuiting ... a prior partial install could have bumped
+    // package.json but not copied the other files, leaving deployed
+    // apparently "current" while code is stale.
+    const srcHash = computeTreeHash(repoPath);
+    const dstHash = computeTreeHash(ldmDest);
+    if (srcHash && dstHash && srcHash === dstHash) {
+      skip(`LDM: ${name} already at v${currentVersion}${cmp < 0 ? ` (source is older: v${newVersion})` : ''}`);
+      // Ensure OC copy exists too
+      const ocName = resolveOcPluginName(repoPath, name);
+      const ocDest = join(OC_EXTENSIONS, ocName);
+      if (!existsSync(ocDest) && !DRY_RUN) {
+        mkdirSync(ocDest, { recursive: true });
+        cpSync(ldmDest, ocDest, { recursive: true });
+        ok(`OpenClaw: synced to ${ocDest}`);
+      } else {
+        skip(`OpenClaw: ${ocName} already at v${currentVersion}`);
+      }
+      return true;
     }
-    return true;
+    // Content differs despite matching version; fall through to redeploy.
+    ok(`LDM: ${name} v${currentVersion} reports same version but content differs; redeploying`);
   }
 
   if (DRY_RUN) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ldm-os",
-  "version": "0.4.76",
+  "version": "0.4.78",
   "type": "module",
   "description": "LDM OS: identity, memory, and sovereignty infrastructure for AI agents",
   "engines": {

package/shared/docs/dev-guide-wipcomputerinc.md.tmpl

@@ -265,6 +265,63 @@ openclaw gateway restart
 
 Enforced on all 64 repos on 2026-02-20, re-audited 2026-02-27 (18 repos had drifted or were new). No force pushes to main. No direct pushes. No exceptions. The `lesaai` account is not exempt.
 
+## Branch Guard: Runtime Enforcement (wip-branch-guard v1.9.80+)
+
+The branch guard runs as a PreToolUse hook on every Claude Code tool call and as an OpenClaw plugin for Lēsa. Same rules, same deny messages on both sides. Enforces three layers on top of the standard branch/worktree check.
+
+### Layer 1 ... write gate
+
+- On main branch: Write/Edit/NotebookEdit denied. Bash writes denied.
+- On a feature branch NOT in a worktree: writes denied.
+- On a feature branch in a worktree: writes allowed (baseline workflow).
+- Shared-state paths (`~/.claude/plans/`, `workspace/*`, `~/.ldm/shared/`, `~/.openclaw/workspace/`, etc.) always allowed regardless of branch.
+
+### Layer 2 ... destructive-command block
+
+Always denied, any branch: `git clean -f`, `git checkout -- <path>`, `git checkout .`, `git stash drop/pop/clear`, `git reset --hard`, `git restore <path>` (`--staged` is safe). Plus code-execution bypass patterns (`python -c "open().write()"`, `node -e "writeFile()"`).
+
+Denied on any branch: `--no-verify`, `git push --force` (use `--force-with-lease`).
+
+### Layer 3 ... session-level gates (new 2026-04-20)
+
+1. **Onboarding-before-first-write.** Before the first Write/Edit to a repo in a session, the guard requires you to have Read (via the Read tool) `README.md`, `CLAUDE.md`, and any `*RUNBOOK*.md`/`*LANDMINES*.md`/`WORKFLOW*.md` at repo root. State auto-populates from Read calls. 2-hour TTL once onboarded. Override: `LDM_GUARD_SKIP_ONBOARDING=<repo>` or `=1`.
+
+2. **Recently-blocked-file tracking.** If the guard denies a file via Write/Edit, retrying via a different tool on the same path re-denies with "equivalent-action bypass" context. Last 20 denials in a 1-hour rolling window. Override: `LDM_GUARD_ACK_BLOCKED_FILE=<path>`.
+
+3. **External-PR create guard.** `gh pr create --repo <owner>/<repo>` and `gh api repos/<owner>/<repo>/pulls -X POST` are denied if `<owner>` is not `wipcomputer`. Triggered by the 2026-04-18 PR #89 incident. `gh pr view/list/merge/edit` and `gh api .../issues` pass through. Override: `LDM_GUARD_UPSTREAM_PR_APPROVED=<owner>/<repo>` or `=1`.
+
+### Override env vars
+
+All overrides are audited. Every use appends to `~/.ldm/state/bypass-audit.jsonl` as `{kind, ts, session_id, tool, path, via, reason}`. Log rotates at 50 MB to dated archives.
+
+| Env var | Purpose | Shape |
+|---|---|---|
+| `LDM_GUARD_SKIP_ONBOARDING` | Skip onboarding gate | `<repo-path>` or `1` |
+| `LDM_GUARD_ACK_BLOCKED_FILE` | Acknowledge a prior block | `<file-path>` or `1` |
+| `LDM_GUARD_UPSTREAM_PR_APPROVED` | Parker-approved external PR | `<owner>/<repo>` or `1` |
+| `LDM_GUARD_APPROVAL_BACKEND` | Backend selector | `env` (default), future: `bridge`, `kaleidoscope-biometric` |
+| `LDM_GUARD_STATE_DIR` | State file location | dir path (test isolation only) |
+
+Default stance: don't bypass. Read the block message. It tells you what to do.
+
+### Expected first-write ritual
+
+For any repo new to your session:
+
+```
+1. git rev-parse --show-toplevel   # confirm the repo
+2. Read README.md                  # via Read tool
+3. Read CLAUDE.md                  # if present
+4. Read RUNBOOK / LANDMINES / WORKFLOW  # if present at root
+5. Proceed with Write/Edit
+```
+
+State persists at `~/.ldm/state/guard-session.json`. Same session + same repo = onboarded for 2h. New session or TTL expires = re-onboard.
+
+### Bypass audit trail
+
+Every deny and every approved bypass is in `~/.ldm/state/bypass-audit.jsonl`. Append-only JSON Lines. Tail it during post-mortems; rotate archives are `bypass-audit.jsonl.YYYY-MM-DD`.
+
 ## Worktree Workflow (WIP-specific)
 
 Same as the public Dev Guide section, plus: