adversarial-review-gate 2.0.2 → 2.1.0

package/src/cli/uninstall.js

@@ -0,0 +1,204 @@
+// `adversarial-review uninstall` — remove our hook entries and registry entry.
+//
+// Flags:
+//   --user / --global        operate on user scope (<home>/.claude/settings.json
+//                            and <home>/.adversarial-review/config.json) instead
+//                            of the project (cwd) scope.
+//   --host <claude-code>     restrict to a single native host (default: all
+//                            native hosts; currently only claude-code).
+//   --remove-config          also delete <scope>/.adversarial-review/config.json.
+//   --dry-run                print what WOULD change; touch nothing.
+//
+// Behavior (tolerant + idempotent):
+//   - Remove ONLY our adversarial-review hook entries (dedupe key) from the
+//     relevant .claude/settings.json; preserve every other key/hook.
+//   - Optionally remove the scope's .adversarial-review/config.json.
+//   - Remove this scope's entry from the install registry
+//     (<home>/.adversarial-review/install.json).
+//   - PRINT what it KEPT (it never deletes the shared opencode agent by default).
+
+import { readFile, writeFile, mkdir, rm } from "node:fs/promises";
+import { existsSync } from "node:fs";
+import path from "node:path";
+
+import {
+  removeClaudeCodeHooks,
+  detectClaudeCodeHooks,
+  claudeCodeSettingsPath,
+} from "../hosts/claude-code.js";
+import { resolveHomeDir } from "../core/load-config.js";
+
+const PROJECT_CONFIG_REL = path.join(".adversarial-review", "config.json");
+const USER_INSTALL_REL = path.join(".adversarial-review", "install.json");
+const OPENCODE_AGENT_REL = path.join(
+  ".config",
+  "opencode",
+  "agent",
+  "adversarial-reviewer.md"
+);
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/** Tolerantly read+parse a JSON object file; returns {} on any error. */
+async function readJsonTolerant(filePath) {
+  try {
+    const raw = await readFile(filePath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) return parsed;
+    return {};
+  } catch {
+    return {};
+  }
+}
+
+/** Normalize a registry key (matches install.js): absolute + lowercased win32 drive. */
+function normalizeRegistryKey(dir) {
+  let resolved = path.resolve(dir);
+  if (process.platform === "win32" && /^[a-zA-Z]:/.test(resolved)) {
+    resolved = resolved[0].toLowerCase() + resolved.slice(1);
+  }
+  return resolved;
+}
+
+/** Atomically write content (mode 0o644 — settings/config are team-shared). */
+async function atomicWrite(filePath, content, mode = 0o644) {
+  const dir = path.dirname(filePath);
+  await mkdir(dir, { recursive: true });
+  const tmp = `${filePath}.tmp${Date.now()}`;
+  await writeFile(tmp, content, { encoding: "utf8", mode });
+  const { rename } = await import("node:fs/promises");
+  await rename(tmp, filePath);
+}
+
+/**
+ * Parse uninstall argv.
+ *
+ * @param {string[]} argv
+ * @returns {{ userScope: boolean, host: string|null, removeConfig: boolean, dryRun: boolean }}
+ */
+function parseArgs(argv) {
+  let userScope = false;
+  let host = null;
+  let removeConfig = false;
+  let dryRun = false;
+
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg === "--user" || arg === "--global") {
+      userScope = true;
+    } else if (arg === "--dry-run") {
+      dryRun = true;
+    } else if (arg === "--remove-config") {
+      removeConfig = true;
+    } else if (arg === "--host" && argv[i + 1]) {
+      host = argv[i + 1].trim();
+      i++;
+    } else if (arg.startsWith("--host=")) {
+      host = arg.slice("--host=".length).trim();
+    }
+  }
+
+  return { userScope, host, removeConfig, dryRun };
+}
+
+// ---------------------------------------------------------------------------
+// Main uninstall command
+// ---------------------------------------------------------------------------
+
+/**
+ * @param {string[]} argv
+ * @param {object} io  - { stdin, stdout, stderr, env, cwd }
+ */
+export async function uninstallCommand(argv, io) {
+  const cwd = io.cwd || process.cwd();
+  const env = io.env || process.env;
+  const home = resolveHomeDir(env);
+
+  const { userScope, host, removeConfig, dryRun } = parseArgs(argv);
+
+  // Unknown --host value is a usage error (only claude-code is a native host).
+  if (host && host !== "claude-code") {
+    io.stderr.write(
+      `adversarial-review uninstall: unsupported --host "${host}". ` +
+        `Only "claude-code" has native hooks to remove.\n`
+    );
+    process.exitCode = 2;
+    return;
+  }
+
+  const scopeBase = userScope ? home : cwd;
+  const w = (s) => io.stdout.write(s);
+
+  w(`adversarial-review uninstall${dryRun ? " --dry-run" : ""}: ${userScope ? "user" : "project"} scope\n`);
+
+  // --- 1. Remove our hooks from .claude/settings.json (claude-code) ---
+  const settingsPath = claudeCodeSettingsPath(scopeBase);
+  if (existsSync(settingsPath)) {
+    const existing = await readJsonTolerant(settingsPath);
+    const before = detectClaudeCodeHooks(existing);
+    if (before.sessionStart || before.stop) {
+      const cleaned = removeClaudeCodeHooks(existing);
+      if (dryRun) {
+        w(`  WOULD remove adversarial-review hooks from ${settingsPath}\n`);
+      } else {
+        await atomicWrite(settingsPath, JSON.stringify(cleaned, null, 2), 0o644);
+        w(`  Removed adversarial-review hooks from ${settingsPath}\n`);
+      }
+    } else {
+      w(`  No adversarial-review hooks present in ${settingsPath} (nothing to remove).\n`);
+    }
+  } else {
+    w(`  No .claude/settings.json at ${settingsPath} (nothing to remove).\n`);
+  }
+
+  // --- 2. Optionally remove the scope's config.json ---
+  const configPath = path.join(scopeBase, PROJECT_CONFIG_REL);
+  if (removeConfig) {
+    if (existsSync(configPath)) {
+      if (dryRun) {
+        w(`  WOULD remove ${configPath}\n`);
+      } else {
+        await rm(configPath, { force: true });
+        w(`  Removed ${configPath}\n`);
+      }
+    } else {
+      w(`  No config at ${configPath} (nothing to remove).\n`);
+    }
+  } else if (existsSync(configPath)) {
+    w(`  KEPT ${configPath} (pass --remove-config to delete it).\n`);
+  }
+
+  // --- 3. Remove this scope's entry from the install registry ---
+  const installRegistryPath = path.join(home, USER_INSTALL_REL);
+  const registryKey = normalizeRegistryKey(userScope ? home : cwd);
+  if (existsSync(installRegistryPath)) {
+    const registry = await readJsonTolerant(installRegistryPath);
+    if (Object.prototype.hasOwnProperty.call(registry, registryKey)) {
+      if (dryRun) {
+        w(`  WOULD remove registry entry "${registryKey}" from ${installRegistryPath}\n`);
+      } else {
+        const { [registryKey]: _removed, ...rest } = registry;
+        await atomicWrite(installRegistryPath, JSON.stringify(rest, null, 2), 0o600);
+        w(`  Removed registry entry "${registryKey}" from ${installRegistryPath}\n`);
+      }
+    } else {
+      w(`  No registry entry for "${registryKey}" (nothing to remove).\n`);
+    }
+  } else {
+    w(`  No install registry at ${installRegistryPath} (nothing to remove).\n`);
+  }
+
+  // --- 4. Report what we KEPT (the shared opencode agent is never deleted) ---
+  const opencodeAgentPath = path.join(home, OPENCODE_AGENT_REL);
+  if (existsSync(opencodeAgentPath)) {
+    w(
+      `  KEPT shared opencode read-only agent at ${opencodeAgentPath} ` +
+        `(shared machine-wide; delete it manually if no longer needed).\n`
+    );
+  }
+
+  w(`\nadversarial-review uninstall: complete.\n`);
+  process.exitCode = 0;
+}

package/src/core/gate.js

@@ -266,21 +266,86 @@ function cacheKeyFor(job, config) {
 // Coverage enforcement (deferred check 2)
 // ---------------------------------------------------------------------------
 
+// Above this many reviewable changed files we stop requiring per-file coverage.
+// A reviewer cannot reliably enumerate 40+ paths, so demanding an exact match of
+// every one turns real PASSes into spurious BLOCKs. Over the cap we accept any
+// non-empty coverage and record a coverage limitation instead of hard-failing.
+const COVERAGE_FILE_CAP = 40;
+
+// Canonicalize a path citation so coverage comparison is robust to the many FORMS
+// a reviewer may use for the same file. Lower-risk normalizations only:
+//   - POSIX slashes (backslash -> slash);
+//   - trim surrounding whitespace;
+//   - strip a leading "a/" or "b/" git-diff prefix;
+//   - strip a leading "./";
+//   - strip a trailing ":<digits>" line-number suffix (e.g. "src/x.js:42").
+// Returns "" for empty/non-string input.
+function canonicalizePath(p) {
+  let s = String(p == null ? "" : p)
+    .replace(/\\/g, "/")
+    .trim();
+  if (!s) return "";
+  // Strip a trailing ":<digits>" line/column suffix before anything else.
+  s = s.replace(/:\d+$/, "");
+  // Strip git-diff prefixes "a/" or "b/".
+  if (s.startsWith("a/") || s.startsWith("b/")) s = s.slice(2);
+  // Strip a leading "./".
+  while (s.startsWith("./")) s = s.slice(2);
+  return s;
+}
+
+// The basename (last POSIX path segment) of an already-canonicalized path.
+function baseNameOf(canonical) {
+  const idx = canonical.lastIndexOf("/");
+  return idx >= 0 ? canonical.slice(idx + 1) : canonical;
+}
+
 // In enforced/strict, a pass must demonstrate coverage of every reviewable
 // changed file. Returns null when coverage is acceptable, or an error reason.
+//
+// Both the verdict's `coverage.files_examined` citations and the reviewable
+// changed-file paths are CANONICALIZED before comparison (see canonicalizePath),
+// and a changed file is considered covered if EITHER its full canonical path OR
+// its basename appears in the examined set. This prevents a real PASS from
+// BLOCKing merely because the reviewer cited a different path FORM.
 function coverageFailure(verdict, reviewablePaths) {
   const coverage = verdict.coverage || {};
   const examined = Array.isArray(coverage.files_examined) ? coverage.files_examined : [];
+  // Empty coverage on a non-empty reviewable diff is still an operational failure.
   if (reviewablePaths.length > 0 && examined.length === 0) {
     return "empty_coverage";
   }
-  const examinedSet = new Set(examined.map((p) => String(p).replace(/\\/g, "/")));
+  // Per-file cap: with too many changed files, accept any non-empty coverage
+  // rather than demanding an exact per-file enumeration that no reviewer can
+  // reliably produce. The non-empty check above already handled the empty case.
+  if (reviewablePaths.length > COVERAGE_FILE_CAP) {
+    return null;
+  }
+  // Build canonical full-path and basename lookup sets from the citations.
+  const examinedFull = new Set();
+  const examinedBase = new Set();
+  for (const raw of examined) {
+    const canon = canonicalizePath(raw);
+    if (!canon) continue;
+    examinedFull.add(canon);
+    examinedBase.add(baseNameOf(canon));
+  }
   for (const path of reviewablePaths) {
-    if (!examinedSet.has(path)) return `missing_coverage:${path}`;
+    const canon = canonicalizePath(path);
+    const base = baseNameOf(canon);
+    if (examinedFull.has(canon) || examinedBase.has(base)) continue;
+    return `missing_coverage:${canon}`;
   }
   return null;
 }
 
+// True when the reviewable changed-file count exceeds the per-file cap, i.e. when
+// coverageFailure relaxed the per-file requirement. Used to annotate the allow
+// decision with a coverage limitation note (informational only).
+function coverageLimited(reviewablePaths) {
+  return reviewablePaths.length > COVERAGE_FILE_CAP;
+}
+
 // The enforced/strict DEFERRED CHECKS applied to any accepted pass, shared by
 // the external-reviewer path and the native self-review path:
 //   (a) payload_hash must match the exact payload the gate built;
@@ -311,16 +376,14 @@ function deferredCheckFailure(verdict, job, reviewablePaths) {
 //     (payload_hash match + non-empty coverage of every reviewable changed file).
 // For the debate level the verdict's level must also be "debate".
 //
-// A no-op Task carrying only the sentinel token cannot satisfy any of these, so
-// substring forgery is closed. The bare GATE_SENTINEL substring is never trusted
-// for acceptance; only the verdict block's own sentinel + a valid parse counts.
+// Acceptance is decided solely by parseVerdict against `selfJob`: the verdict
+// block's own sentinel (<<<ADVERSARIAL-REVIEW-VERDICT>>>) gates parsing, and a
+// no-op Task that cannot produce a valid, matching verdict block is rejected.
 function selfReviewSatisfied(entries, lastEditKey, selfJob, reviewablePaths, enforced) {
   if (lastEditKey <= 0) return false;
   const outputs = collectReviewOutputs(entries, lastEditKey);
   for (const output of outputs) {
-    // parseVerdict is the sole authority for acceptance. The verdict block's own
-    // sentinel (<<<ADVERSARIAL-REVIEW-VERDICT>>>) gates parsing, so the bare
-    // GATE_SENTINEL substring is never trusted on its own.
+    // parseVerdict is the sole authority for acceptance.
     const parsed = parseVerdict(output, selfJob);
     if (!parsed.ok) continue;
     const verdict = parsed.verdict;
@@ -398,8 +461,8 @@ export async function evaluateGate(input) {
   }
 
   const entries = parseJsonl(transcript || "");
-  // Note: lastReviewKey/lastDebateKey (timestamp-based review detection) are no
-  // longer used for acceptance — native self-review is now verdict-based below.
+  // scanKeys reports only edit evidence; acceptance of a prior review is
+  // verdict-based (collectReviewOutputs + parseVerdict), handled below.
   const { lastEditKey, editedPaths } = scanKeys(entries);
 
   // (3) Build review scope from the authoritative filesystem/git diff.
@@ -492,7 +555,16 @@ export async function evaluateGate(input) {
   };
 
   if (selfReviewSatisfied(entries, lastEditKey, selfJob, reviewablePaths, enforced)) {
-    return allow({ reason: "already_reviewed", level });
+    const passExtra = { reason: "already_reviewed", level };
+    // Mirror the external path: record a coverage limitation when the change has
+    // more reviewable files than the per-file coverage cap.
+    if (enforced && coverageLimited(reviewablePaths)) {
+      passExtra.coverageLimited = true;
+      passExtra.coverageNote =
+        `Coverage limitation: ${reviewablePaths.length} reviewable files exceed the ` +
+        `per-file coverage cap (${COVERAGE_FILE_CAP}); accepted on non-empty coverage.`;
+    }
+    return allow(passExtra);
   }
 
   // Emit the "self-review required" BLOCK for the current level. This is the
@@ -714,6 +786,14 @@ export async function evaluateGate(input) {
     await writeSessionState(stateDir, sessionId, { ...state, cache: nextCache });
   }
   const passExtra = { reason: "external_pass", level, cached: false };
+  // When the change has more reviewable files than the per-file coverage cap, the
+  // gate accepted non-empty (not exhaustive) coverage; record that limitation.
+  if (enforced && coverageLimited(reviewablePaths)) {
+    passExtra.coverageLimited = true;
+    passExtra.coverageNote =
+      `Coverage limitation: ${reviewablePaths.length} reviewable files exceed the ` +
+      `per-file coverage cap (${COVERAGE_FILE_CAP}); accepted on non-empty coverage.`;
+  }
   if (secretWarning) passExtra.systemMessage = secretWarning;
   return allow(passExtra);
 }

package/src/core/load-config.js

@@ -72,7 +72,7 @@ async function readJsonTolerant(file, io, label) {
  * @returns {Promise<object>} resolved config
  */
 export async function loadEffectiveConfig(cwd, io = {}) {
-  const home = homeDir(io.env);
+  const home = resolveHomeDir(io.env);
   const userConfig = await readJsonTolerant(
     path.join(home, USER_CONFIG_REL),
     io,
@@ -115,16 +115,25 @@ export async function loadEffectiveConfig(cwd, io = {}) {
 export function resolveStateDir(env = process.env) {
   const override = env && env.ADVERSARIAL_REVIEW_STATE_DIR;
   if (override) return path.resolve(override);
-  return path.join(homeDir(env), ".adversarial-review", "state");
+  return path.join(resolveHomeDir(env), ".adversarial-review", "state");
 }
 
-// Resolve the user's home directory, honoring an injected env so tests can
-// redirect the user-level base (config.json, policy.json, state dir) without
-// touching the real home dir. Priority:
-//   1. ADVERSARIAL_REVIEW_HOME — dedicated override for the user-level base;
-//   2. HOME / USERPROFILE — standard OS home env vars;
-//   3. os.homedir() — the real home dir.
-function homeDir(env) {
+/**
+ * Resolve the user's home directory, honoring an injected env so tests can
+ * redirect the user-level base (config.json, policy.json, state dir, install
+ * registry, opencode agent) without touching the real home dir.
+ *
+ * This is the SINGLE shared resolver imported by install.js and doctor.js so
+ * the installer/doctor write/read the SAME user-level base the gate later uses.
+ * Priority:
+ *   1. ADVERSARIAL_REVIEW_HOME — dedicated override for the user-level base;
+ *   2. HOME / USERPROFILE — standard OS home env vars;
+ *   3. os.homedir() — the real home dir.
+ *
+ * @param {object} [env]  - environment variables
+ * @returns {string} absolute home dir path
+ */
+export function resolveHomeDir(env) {
   if (env) {
     const fromEnv = env.ADVERSARIAL_REVIEW_HOME || env.HOME || env.USERPROFILE;
     if (fromEnv) return fromEnv;

package/src/core/process.js

@@ -51,25 +51,6 @@ export async function resolveExecutable(command, env = process.env) {
   return null;
 }
 
-/**
- * Spawn a child process with shell:false to prevent shell-injection.
- * stdio defaults to ["ignore", "pipe", "pipe"].
- *
- * @param {string}   command
- * @param {string[]} args
- * @param {object}   options  - { cwd, env, stdio }
- * @returns {import("node:child_process").ChildProcess}
- */
-export function spawnSafe(command, args, options = {}) {
-  return spawn(command, args, {
-    cwd: options.cwd,
-    env: options.env,
-    shell: false,
-    stdio: options.stdio || ["ignore", "pipe", "pipe"],
-    windowsHide: true,
-  });
-}
-
 // Characters that cmd.exe treats as metacharacters when it re-parses the
 // trailing arguments of `cmd.exe /c <batch> <args...>`. An argument containing
 // any of these can break out of the intended command and execute attacker code,

package/src/core/transcript.js

@@ -2,17 +2,12 @@
 // Ports the Python functions from hooks/guard.py:
 //   - ts_key         -> tsKey
 //   - iter_tool_uses -> iterToolUses (inline)
-//   - completed_tool_ids -> completedToolIds (inline in scanKeys)
-//   - scan_keys      -> scanKeys
+//   - completed_tool_ids -> completedToolIds (inline in collectReviewOutputs)
+//   - scan_keys      -> scanKeys (edit evidence only)
 //   - is_subagent    -> isSubagentTranscript
 //   - last_user_text -> lastUserText
 //   - wants_skip     -> wantsSkip
 
-// Sentinels must match guard.py exactly so that review-task detection is
-// consistent between the Python and Node code paths.
-export const GATE_SENTINEL = "adversarial-review-gate";
-export const DEBATE_SENTINEL = "adversarial-debate-gate";
-
 const EDIT_TOOLS = new Set(["Edit", "Write", "MultiEdit", "NotebookEdit"]);
 const REVIEW_TOOLS = new Set(["Task", "Agent"]);
 
@@ -108,36 +103,21 @@ export function tsKey(s) {
 // ---- scanKeys ---------------------------------------------------------------
 
 /**
- * Scan JSONL transcript entries and return edit/review ordering keys plus the
- * set of file paths touched by edit tools.
+ * Scan JSONL transcript entries for edit evidence: the timestamp of the most
+ * recent edit tool-use and the set of file paths touched by edit tools.
+ *
+ * Edit tools: Edit, Write, MultiEdit, NotebookEdit.
  *
- * Mirrors Python's scan_keys() in guard.py exactly:
- *   - Edit tools: Edit, Write, MultiEdit, NotebookEdit
- *   - Review tools: Task, Agent  (counted only when sentinel present AND
- *     the call ran to completion, i.e. has a matching tool_result)
+ * Review-task detection is intentionally NOT done here. Acceptance of a prior
+ * review is verdict-based (collectReviewOutputs + parseVerdict in gate.js), so
+ * the old sentinel-matched lastReviewKey/lastDebateKey ordering keys have been
+ * removed — no production caller consumed them.
  *
  * @param {object[]} entries  Parsed transcript entries
- * @returns {{ lastEditKey: number, lastReviewKey: number, lastDebateKey: number, editedPaths: Set<string> }}
+ * @returns {{ lastEditKey: number, editedPaths: Set<string> }}
  */
 export function scanKeys(entries) {
-  // Collect tool_use ids that have a corresponding tool_result (completed calls).
-  const completed = new Set();
-  for (const e of entries) {
-    const msg = e?.message;
-    if (!msg || typeof msg !== "object") continue;
-    const content = msg.content;
-    if (!Array.isArray(content)) continue;
-    for (const blk of content) {
-      if (blk && typeof blk === "object" && blk.type === "tool_result") {
-        const tid = blk.tool_use_id;
-        if (tid) completed.add(tid);
-      }
-    }
-  }
-
   let lastEditKey = 0;
-  let lastReviewKey = 0;
-  let lastDebateKey = 0;
   const editedPaths = new Set();
 
   for (const e of entries) {
@@ -151,7 +131,6 @@ export function scanKeys(entries) {
       if (!blk || typeof blk !== "object" || blk.type !== "tool_use") continue;
       const name = blk.name || "";
       const inp = blk.input || {};
-      const tid = blk.id || "";
 
       if (EDIT_TOOLS.has(name)) {
         if (key > lastEditKey) lastEditKey = key;
@@ -161,23 +140,11 @@ export function scanKeys(entries) {
             if (typeof p === "string" && p) editedPaths.add(p);
           }
         }
-      } else if (REVIEW_TOOLS.has(name) && completed.has(tid)) {
-        // Serialize the input to a lowercase string and check for sentinels.
-        const blob =
-          typeof inp === "object"
-            ? JSON.stringify(inp).toLowerCase()
-            : String(inp).toLowerCase();
-        if (blob.includes(GATE_SENTINEL) && key > lastReviewKey) {
-          lastReviewKey = key;
-        }
-        if (blob.includes(DEBATE_SENTINEL) && key > lastDebateKey) {
-          lastDebateKey = key;
-        }
       }
     }
   }
 
-  return { lastEditKey, lastReviewKey, lastDebateKey, editedPaths };
+  return { lastEditKey, editedPaths };
 }
 
 // ---- collectReviewOutputs ---------------------------------------------------

package/src/core/verdict.js

@@ -1,7 +1,23 @@
 const START = "<<<ADVERSARIAL-REVIEW-VERDICT>>>";
 const END = "<<<END>>>";
+const START_LOWER = START.toLowerCase();
 const MAX_OUTPUT_BYTES = 1024 * 1024;
 
+// Count non-overlapping occurrences of `needle` in `haystack`. Used to detect
+// multiple verdict-block markers case-insensitively (both operands lowercased).
+function countOccurrences(haystack, needle) {
+  if (!needle) return 0;
+  let count = 0;
+  let from = 0;
+  for (;;) {
+    const idx = haystack.indexOf(needle, from);
+    if (idx < 0) break;
+    count += 1;
+    from = idx + needle.length;
+  }
+  return count;
+}
+
 export function parseVerdict(output, job, options = {}) {
   // FIX 3: compute text once to avoid TOCTOU gap with non-idempotent toString objects
   const text = String(output);
@@ -13,15 +29,26 @@ export function parseVerdict(output, job, options = {}) {
   const start = text.indexOf(START);
   if (start < 0) return { ok: false, error: "missing_verdict_start" };
 
-  // FIX 1: reject inputs that contain more than one verdict block (prompt-injection defence)
-  if (text.indexOf(START) !== text.lastIndexOf(START)) {
+  // FIX 1: reject inputs that contain more than one verdict block (prompt-injection defence).
+  // Detect markers case-INSENSITIVELY: a SECOND verdict block authored with a
+  // different-case START marker (e.g. <<<adversarial-review-verdict>>>) must not
+  // slip past an exact-case indexOf/lastIndexOf check. A second verdict block
+  // always carries its own START sentinel, so 2+ START markers is the rejection
+  // signal. END markers are NOT counted here: the trailing-content relaxation
+  // (prose, and even a stray END, after the first block's END) must be preserved.
+  const lower = text.toLowerCase();
+  if (countOccurrences(lower, START_LOWER) > 1) {
     return { ok: false, error: "multiple_verdict_blocks" };
   }
 
   const end = text.indexOf(END, start + START.length);
   if (end < 0) return { ok: false, error: "missing_verdict_end" };
-  const trailing = text.slice(end + END.length).trim();
-  if (trailing) return { ok: false, error: "trailing_output_after_verdict" };
+  // Trailing content after the verdict block's <<<END>>> is intentionally ignored.
+  // Real LLM reviewers intermittently append a sign-off / extra prose after the
+  // verdict block; rejecting it made the gate unusable. Injection safety is preserved
+  // by the single-START requirement above: a second verdict block (the only injection
+  // vector that matters) is already rejected as multiple_verdict_blocks, so trailing
+  // non-START text is harmless.
   const body = text.slice(start + START.length, end).trim();
 
   // FIX 1 (defense-in-depth): reject nested sentinel tokens inside the extracted body