@wipcomputer/wip-ldm-os 0.4.77 → 0.4.78

package/SKILL.md

@@ -9,7 +9,7 @@ license: MIT
 compatibility: Requires git, npm, node. Node.js 18+.
 metadata:
   display-name: "LDM OS"
-  version: "0.4.77"
+  version: "0.4.78"
   homepage: "https://github.com/wipcomputer/wip-ldm-os"
   author: "Parker Todd Brooks"
   category: infrastructure

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ldm-os",
-  "version": "0.4.77",
+  "version": "0.4.78",
   "type": "module",
   "description": "LDM OS: identity, memory, and sovereignty infrastructure for AI agents",
   "engines": {

package/shared/docs/dev-guide-wipcomputerinc.md.tmpl

@@ -265,6 +265,63 @@ openclaw gateway restart
 
 Enforced on all 64 repos on 2026-02-20, re-audited 2026-02-27 (18 repos had drifted or were new). No force pushes to main. No direct pushes. No exceptions. The `lesaai` account is not exempt.
 
+## Branch Guard: Runtime Enforcement (wip-branch-guard v1.9.80+)
+
+The branch guard runs as a PreToolUse hook on every Claude Code tool call and as an OpenClaw plugin for Lēsa. Same rules, same deny messages on both sides. Enforces three layers on top of the standard branch/worktree check.
+
+### Layer 1 ... write gate
+
+- On main branch: Write/Edit/NotebookEdit denied. Bash writes denied.
+- On a feature branch NOT in a worktree: writes denied.
+- On a feature branch in a worktree: writes allowed (baseline workflow).
+- Shared-state paths (`~/.claude/plans/`, `workspace/*`, `~/.ldm/shared/`, `~/.openclaw/workspace/`, etc.) always allowed regardless of branch.
+
+### Layer 2 ... destructive-command block
+
+Always denied, any branch: `git clean -f`, `git checkout -- <path>`, `git checkout .`, `git stash drop/pop/clear`, `git reset --hard`, `git restore <path>` (`--staged` is safe). Plus code-execution bypass patterns (`python -c "open().write()"`, `node -e "writeFile()"`).
+
+Denied on any branch: `--no-verify`, `git push --force` (use `--force-with-lease`).
+
+### Layer 3 ... session-level gates (new 2026-04-20)
+
+1. **Onboarding-before-first-write.** Before the first Write/Edit to a repo in a session, the guard requires you to have Read (via the Read tool) `README.md`, `CLAUDE.md`, and any `*RUNBOOK*.md`/`*LANDMINES*.md`/`WORKFLOW*.md` at repo root. State auto-populates from Read calls. 2-hour TTL once onboarded. Override: `LDM_GUARD_SKIP_ONBOARDING=<repo>` or `=1`.
+
+2. **Recently-blocked-file tracking.** If the guard denies a file via Write/Edit, retrying via a different tool on the same path re-denies with "equivalent-action bypass" context. Last 20 denials in a 1-hour rolling window. Override: `LDM_GUARD_ACK_BLOCKED_FILE=<path>`.
+
+3. **External-PR create guard.** `gh pr create --repo <owner>/<repo>` and `gh api repos/<owner>/<repo>/pulls -X POST` are denied if `<owner>` is not `wipcomputer`. Triggered by the 2026-04-18 PR #89 incident. `gh pr view/list/merge/edit` and `gh api .../issues` pass through. Override: `LDM_GUARD_UPSTREAM_PR_APPROVED=<owner>/<repo>` or `=1`.
+
+### Override env vars
+
+All overrides are audited. Every use appends to `~/.ldm/state/bypass-audit.jsonl` as `{kind, ts, session_id, tool, path, via, reason}`. Log rotates at 50 MB to dated archives.
+
+| Env var | Purpose | Shape |
+|---|---|---|
+| `LDM_GUARD_SKIP_ONBOARDING` | Skip onboarding gate | `<repo-path>` or `1` |
+| `LDM_GUARD_ACK_BLOCKED_FILE` | Acknowledge a prior block | `<file-path>` or `1` |
+| `LDM_GUARD_UPSTREAM_PR_APPROVED` | Parker-approved external PR | `<owner>/<repo>` or `1` |
+| `LDM_GUARD_APPROVAL_BACKEND` | Backend selector | `env` (default), future: `bridge`, `kaleidoscope-biometric` |
+| `LDM_GUARD_STATE_DIR` | State file location | dir path (test isolation only) |
+
+Default stance: don't bypass. Read the block message. It tells you what to do.
+
+### Expected first-write ritual
+
+For any repo new to your session:
+
+```
+1. git rev-parse --show-toplevel   # confirm the repo
+2. Read README.md                  # via Read tool
+3. Read CLAUDE.md                  # if present
+4. Read RUNBOOK / LANDMINES / WORKFLOW  # if present at root
+5. Proceed with Write/Edit
+```
+
+State persists at `~/.ldm/state/guard-session.json`. Same session + same repo = onboarded for 2h. New session or TTL expires = re-onboard.
+
+### Bypass audit trail
+
+Every deny and every approved bypass is in `~/.ldm/state/bypass-audit.jsonl`. Append-only JSON Lines. Tail it during post-mortems; rotate archives are `bypass-audit.jsonl.YYYY-MM-DD`.
+
 ## Worktree Workflow (WIP-specific)
 
 Same as the public Dev Guide section, plus: