npm - cclaw-cli - Versions diffs - 0.1.1 → 0.2.1 - Mend

cclaw-cli 0.1.1 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

package/dist/artifact-linter.d.ts +20 -0
package/dist/artifact-linter.js +368 -0
package/dist/cli.d.ts +1 -0
package/dist/cli.js +8 -2
package/dist/config.d.ts +4 -4
package/dist/config.js +56 -5
package/dist/constants.d.ts +4 -4
package/dist/constants.js +6 -3
package/dist/content/autoplan.js +51 -4
package/dist/content/contexts.d.ts +9 -0
package/dist/content/contexts.js +65 -0
package/dist/content/hooks.d.ts +6 -2
package/dist/content/hooks.js +448 -16
package/dist/content/meta-skill.js +26 -0
package/dist/content/next-command.d.ts +9 -0
package/dist/content/next-command.js +138 -0
package/dist/content/observe.d.ts +5 -1
package/dist/content/observe.js +506 -24
package/dist/content/skills.js +126 -0
package/dist/content/stage-schema.d.ts +7 -0
package/dist/content/stage-schema.js +70 -12
package/dist/content/subagents.js +33 -0
package/dist/content/templates.d.ts +1 -0
package/dist/content/templates.js +182 -77
package/dist/content/utility-skills.d.ts +5 -1
package/dist/content/utility-skills.js +208 -2
package/dist/delegation.d.ts +21 -0
package/dist/delegation.js +94 -0
package/dist/doctor.d.ts +5 -1
package/dist/doctor.js +274 -23
package/dist/fs-utils.d.ts +10 -0
package/dist/fs-utils.js +47 -0
package/dist/gate-evidence.d.ts +26 -0
package/dist/gate-evidence.js +157 -0
package/dist/harness-adapters.js +2 -0
package/dist/hook-schema.d.ts +6 -0
package/dist/hook-schema.js +45 -0
package/dist/hook-schemas/claude-hooks.v1.json +12 -0
package/dist/hook-schemas/codex-hooks.v1.json +12 -0
package/dist/hook-schemas/cursor-hooks.v1.json +15 -0
package/dist/install.js +431 -16
package/dist/policy.d.ts +5 -1
package/dist/policy.js +52 -1
package/dist/runs.js +8 -3
package/dist/trace-matrix.d.ts +13 -0
package/dist/trace-matrix.js +182 -0
package/dist/types.d.ts +11 -1
package/package.json +1 -1

package/dist/content/observe.js CHANGED Viewed

@@ -10,11 +10,13 @@
  */
 import { RUNTIME_ROOT } from "../constants.js";
 import { RUNTIME_SHELL_DETECT_ROOT } from "./hooks.js";
-export function promptGuardScript() {
+export function promptGuardScript(options = {}) {
+    const promptGuardMode = options.strictMode === true ? "strict" : "advisory";
     return `#!/usr/bin/env bash
 # cclaw prompt guard hook — generated by cclaw sync
 # Advisory-only guard for risky writes into ${RUNTIME_ROOT} runtime files.
 set -uo pipefail
+PROMPT_GUARD_MODE="${promptGuardMode}"
 HARNESS="codex"
 if [ -n "\${CLAUDE_PROJECT_DIR:-}" ]; then
@@ -74,7 +76,7 @@ case "$TOOL_LOWER" in
     ;;
 esac
-if printf '%s' "$PAYLOAD_LOWER" | grep -Eq '(rm[[:space:]]+-rf[[:space:]]+\.cclaw|curl[[:space:]].*https?://|wget[[:space:]].*https?://|base64[[:space:]]+-d|eval\\(|python[[:space:]]+-c)'; then
+if printf '%s' "$PAYLOAD_LOWER" | grep -Eq '(rm[[:space:]]+-rf[[:space:]]+\.cclaw|curl[[:space:]].*https?://|wget[[:space:]].*https?://|base64[[:space:]]+-d|eval[(]|python[[:space:]]+-c)'; then
   if [ -n "$REASONS" ]; then
     REASONS="$REASONS,suspicious_payload_pattern"
   else
@@ -112,6 +114,221 @@ PY
   if [ -n "$ENTRY" ]; then
     printf '%s\n' "$ENTRY" >> "$GUARD_LOG" 2>/dev/null || true
   fi
+  if [ "$PROMPT_GUARD_MODE" = "strict" ]; then
+    printf '[cclaw] %s (blocked by strict mode)\n' "$NOTE" >&2
+    exit 1
+  fi
+  printf '[cclaw] %s\n' "$NOTE" >&2
+fi
+exit 0
+`;
+}
+export function workflowGuardScript() {
+    return `#!/usr/bin/env bash
+# cclaw workflow guard hook — generated by cclaw sync
+# Enforces stage-aware command discipline and recent flow-state read hygiene.
+set -uo pipefail
+WORKFLOW_GUARD_MODE="\${CCLAW_WORKFLOW_GUARD_MODE:-advisory}"
+MAX_FLOW_READ_AGE_SEC="\${CCLAW_WORKFLOW_GUARD_MAX_AGE_SEC:-1800}"
+${RUNTIME_SHELL_DETECT_ROOT}
+STATE_DIR="$ROOT/${RUNTIME_ROOT}/state"
+FLOW_STATE_FILE="$STATE_DIR/flow-state.json"
+GUARD_STATE_FILE="$STATE_DIR/workflow-guard.json"
+GUARD_LOG="$STATE_DIR/workflow-guard.jsonl"
+mkdir -p "$STATE_DIR" 2>/dev/null || true
+INPUT=$(cat 2>/dev/null || echo '{}')
+[ -n "$INPUT" ] || exit 0
+TOOL="unknown"
+PAYLOAD=""
+if command -v jq >/dev/null 2>&1; then
+  TOOL=$(printf '%s' "$INPUT" | jq -r '.tool_name // .tool // "unknown"' 2>/dev/null || echo "unknown")
+  PAYLOAD=$(printf '%s' "$INPUT" | jq -r '.tool_input // .input // .arguments // .params // .payload // {} | tostring' 2>/dev/null || echo "")
+elif command -v python3 >/dev/null 2>&1; then
+  TOOL=$(INPUT_JSON="$INPUT" python3 - <<'PY'
+import json
+import os
+try:
+    value = json.loads(os.environ.get("INPUT_JSON", "{}"))
+except Exception:
+    value = {}
+tool = value.get("tool_name") or value.get("tool") or "unknown"
+print(tool if isinstance(tool, str) else "unknown")
+PY
+)
+  PAYLOAD=$(printf '%s' "$INPUT")
+else
+  PAYLOAD=$(printf '%s' "$INPUT")
+fi
+[ -n "$PAYLOAD" ] || PAYLOAD=$(printf '%s' "$INPUT")
+TOOL_LOWER=$(printf '%s' "$TOOL" | tr '[:upper:]' '[:lower:]')
+PAYLOAD_LOWER=$(printf '%s' "$PAYLOAD" | tr '[:upper:]' '[:lower:]')
+TS=$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || echo "")
+NOW_EPOCH=$(date +%s 2>/dev/null || echo "0")
+REASONS=""
+CURRENT_STAGE="none"
+if [ -f "$FLOW_STATE_FILE" ]; then
+  if command -v jq >/dev/null 2>&1; then
+    CURRENT_STAGE=$(jq -r '.currentStage // "none"' "$FLOW_STATE_FILE" 2>/dev/null || echo "none")
+  elif command -v python3 >/dev/null 2>&1; then
+    CURRENT_STAGE=$(python3 - "$FLOW_STATE_FILE" <<'PY'
+import json
+import sys
+stage = "none"
+try:
+    with open(sys.argv[1], "r", encoding="utf-8") as fh:
+        parsed = json.load(fh)
+    value = parsed.get("currentStage")
+    if isinstance(value, str) and value:
+        stage = value
+except Exception:
+    pass
+print(stage)
+PY
+)
+  fi
+fi
+LAST_FLOW_READ_AT=0
+if [ -f "$GUARD_STATE_FILE" ]; then
+  if command -v jq >/dev/null 2>&1; then
+    LAST_FLOW_READ_AT=$(jq -r '.lastFlowReadAtEpoch // 0' "$GUARD_STATE_FILE" 2>/dev/null || echo "0")
+  elif command -v python3 >/dev/null 2>&1; then
+    LAST_FLOW_READ_AT=$(python3 - "$GUARD_STATE_FILE" <<'PY'
+import json
+import sys
+value = 0
+try:
+    with open(sys.argv[1], "r", encoding="utf-8") as fh:
+        parsed = json.load(fh)
+    raw = parsed.get("lastFlowReadAtEpoch", 0)
+    if isinstance(raw, (int, float)):
+        value = int(raw)
+except Exception:
+    pass
+print(value)
+PY
+)
+  fi
+fi
+[ -n "$LAST_FLOW_READ_AT" ] || LAST_FLOW_READ_AT=0
+stage_index() {
+  case "$1" in
+    brainstorm) echo 1 ;;
+    scope) echo 2 ;;
+    design) echo 3 ;;
+    spec) echo 4 ;;
+    plan) echo 5 ;;
+    test) echo 6 ;;
+    build) echo 7 ;;
+    review) echo 8 ;;
+    ship) echo 9 ;;
+    *) echo 0 ;;
+  esac
+}
+detect_target_stage() {
+  local text="$1"
+  for stage in brainstorm scope design spec plan test build review ship; do
+    if printf '%s' "$text" | grep -Eq "(/cc-$stage|cc-$stage)\\b"; then
+      printf '%s' "$stage"
+      return 0
+    fi
+  done
+  printf ''
+  return 0
+}
+TARGET_STAGE=$(detect_target_stage "$PAYLOAD_LOWER")
+if [ -n "$TARGET_STAGE" ] && [ "$CURRENT_STAGE" != "none" ]; then
+  CURRENT_IDX=$(stage_index "$CURRENT_STAGE")
+  TARGET_IDX=$(stage_index "$TARGET_STAGE")
+  if [ "$CURRENT_IDX" -gt 0 ] && [ "$TARGET_IDX" -gt 0 ]; then
+    if [ "$TARGET_IDX" -gt $((CURRENT_IDX + 1)) ]; then
+      REASONS="stage_jump_\${CURRENT_STAGE}_to_\${TARGET_STAGE}"
+    fi
+  fi
+fi
+if [ -n "$TARGET_STAGE" ]; then
+  if [ "$LAST_FLOW_READ_AT" -le 0 ] || [ "$NOW_EPOCH" -le 0 ] || [ $((NOW_EPOCH - LAST_FLOW_READ_AT)) -gt "$MAX_FLOW_READ_AGE_SEC" ]; then
+    if [ -n "$REASONS" ]; then
+      REASONS="$REASONS,stage_invocation_without_recent_flow_read"
+    else
+      REASONS="stage_invocation_without_recent_flow_read"
+    fi
+  fi
+fi
+SHOULD_RECORD_FLOW_READ=0
+case "$TOOL_LOWER" in
+  read|readfile|open|view|cat) SHOULD_RECORD_FLOW_READ=1 ;;
+esac
+if [ "$SHOULD_RECORD_FLOW_READ" -eq 1 ] && printf '%s' "$PAYLOAD_LOWER" | grep -Eq '\.cclaw/state/flow-state\.json'; then
+  TMP_STATE_FILE="$GUARD_STATE_FILE.tmp.$$"
+  if command -v jq >/dev/null 2>&1 && [ -f "$GUARD_STATE_FILE" ]; then
+    jq --arg ts "$TS" --argjson epoch "$NOW_EPOCH" '
+      .lastFlowReadAt = $ts
+      | .lastFlowReadAtEpoch = $epoch
+    ' "$GUARD_STATE_FILE" > "$TMP_STATE_FILE" 2>/dev/null || true
+  elif command -v python3 >/dev/null 2>&1; then
+    python3 - "$GUARD_STATE_FILE" "$TMP_STATE_FILE" "$TS" "$NOW_EPOCH" <<'PY'
+import json
+import sys
+from pathlib import Path
+source = Path(sys.argv[1])
+target = Path(sys.argv[2])
+ts = sys.argv[3]
+epoch = int(float(sys.argv[4])) if sys.argv[4] else 0
+payload = {}
+if source.exists():
+    try:
+        raw = json.loads(source.read_text(encoding="utf-8"))
+        if isinstance(raw, dict):
+            payload.update(raw)
+    except Exception:
+        pass
+payload["lastFlowReadAt"] = ts
+payload["lastFlowReadAtEpoch"] = epoch
+target.write_text(json.dumps(payload, indent=2) + "\\n", encoding="utf-8")
+PY
+  fi
+  if [ -s "$TMP_STATE_FILE" ]; then
+    mv "$TMP_STATE_FILE" "$GUARD_STATE_FILE" 2>/dev/null || rm -f "$TMP_STATE_FILE" 2>/dev/null || true
+  else
+    printf '{\\n  "lastFlowReadAt": "%s",\\n  "lastFlowReadAtEpoch": %s\\n}\\n' "$TS" "$NOW_EPOCH" > "$GUARD_STATE_FILE" 2>/dev/null || true
+  fi
+fi
+if [ -n "$REASONS" ]; then
+  NOTE="Cclaw workflow guard: detected potential flow violation (\${REASONS}). Re-read ${RUNTIME_ROOT}/state/flow-state.json and continue from current stage ordering."
+  if command -v jq >/dev/null 2>&1; then
+    ENTRY=$(jq -n -c \
+      --arg ts "$TS" \
+      --arg tool "$TOOL" \
+      --arg stage "$CURRENT_STAGE" \
+      --arg target "$TARGET_STAGE" \
+      --arg reasons "$REASONS" \
+      --arg note "$NOTE" \
+      '{ts:$ts,tool:$tool,currentStage:$stage,targetStage:$target,reasons:($reasons|split(",")),note:$note}' 2>/dev/null || echo "")
+  else
+    ENTRY=""
+  fi
+  if [ -n "$ENTRY" ]; then
+    printf '%s\n' "$ENTRY" >> "$GUARD_LOG" 2>/dev/null || true
+  fi
+  if [ "$WORKFLOW_GUARD_MODE" = "strict" ]; then
+    printf '[cclaw] %s (blocked by strict mode)\n' "$NOTE" >&2
+    exit 1
+  fi
   printf '[cclaw] %s\n' "$NOTE" >&2
 fi
@@ -186,6 +403,56 @@ rotate_file() {
   fi
 }
+sync_run_artifacts() {
+  if [ "$PHASE" != "post" ]; then
+    return
+  fi
+  [ -n "$ACTIVE_RUN" ] || return
+  if [ "$ACTIVE_RUN" = "none" ]; then
+    return
+  fi
+  local tool_lower
+  tool_lower=$(printf '%s' "$TOOL" | tr '[:upper:]' '[:lower:]')
+  case "$tool_lower" in
+    write|edit|multiedit|multi_edit|delete|applypatch|runcommand|shell|terminal|execcommand) ;;
+    *) return ;;
+  esac
+  local active_dir="$ROOT/${RUNTIME_ROOT}/artifacts"
+  local run_dir="$ROOT/${RUNTIME_ROOT}/runs/$ACTIVE_RUN/artifacts"
+  [ -d "$active_dir" ] || return
+  mkdir -p "$run_dir" 2>/dev/null || return
+  for run_file in "$run_dir"/*; do
+    [ -e "$run_file" ] || continue
+    [ -f "$run_file" ] || continue
+    local base_name
+    base_name=$(basename "$run_file")
+    local active_file="$active_dir/$base_name"
+    if [ ! -f "$active_file" ]; then
+      rm -f "$run_file" 2>/dev/null || true
+      continue
+    fi
+    if command -v cmp >/dev/null 2>&1 && cmp -s "$active_file" "$run_file" 2>/dev/null; then
+      continue
+    fi
+    cp "$active_file" "$run_file" 2>/dev/null || true
+  done
+  for active_file in "$active_dir"/*; do
+    [ -e "$active_file" ] || continue
+    [ -f "$active_file" ] || continue
+    local base_name
+    base_name=$(basename "$active_file")
+    local run_file="$run_dir/$base_name"
+    if [ -f "$run_file" ] && command -v cmp >/dev/null 2>&1 && cmp -s "$active_file" "$run_file" 2>/dev/null; then
+      continue
+    fi
+    cp "$active_file" "$run_file" 2>/dev/null || true
+  done
+}
 # Read stdin (hook JSON)
 INPUT=$(cat 2>/dev/null || echo '{}')
 [ -z "$INPUT" ] && exit 0
@@ -316,6 +583,8 @@ if acquire_lock; then
   trap - EXIT INT TERM
 fi
+sync_run_artifacts
 exit 0
 `;
 }
@@ -421,33 +690,82 @@ elif awk "BEGIN { exit !($REMAINING_PERCENT <= 35) }"; then
   BAND="warning"
 fi
-[ "$BAND" != "none" ] || exit 0
+TTL_SECONDS_RAW="\${CCLAW_CONTEXT_MONITOR_TTL_SEC:-900}"
+if printf '%s' "$TTL_SECONDS_RAW" | grep -Eq '^[0-9]+$'; then
+  TTL_SECONDS="$TTL_SECONDS_RAW"
+else
+  TTL_SECONDS="900"
+fi
 LAST_BAND="none"
+LAST_ADVISORY_BAND="none"
+LAST_ADVISORY_AT=""
+LAST_ADVISORY_EPOCH="0"
 if [ -f "$MONITOR_STATE" ]; then
   if command -v jq >/dev/null 2>&1; then
     LAST_BAND=$(jq -r '.lastBand // "none"' "$MONITOR_STATE" 2>/dev/null || echo "none")
+    LAST_ADVISORY_BAND=$(jq -r '.lastAdvisoryBand // .lastBand // "none"' "$MONITOR_STATE" 2>/dev/null || echo "none")
+    LAST_ADVISORY_AT=$(jq -r '.lastAdvisoryAt // ""' "$MONITOR_STATE" 2>/dev/null || echo "")
+    LAST_ADVISORY_EPOCH=$(jq -r 'try ((.lastAdvisoryAt // "" | fromdateiso8601)) catch 0' "$MONITOR_STATE" 2>/dev/null || echo "0")
   elif command -v python3 >/dev/null 2>&1; then
-    LAST_BAND=$(python3 - "$MONITOR_STATE" <<'PY'
+    STATE_META=$(python3 - "$MONITOR_STATE" <<'PY'
 import json
 import sys
 try:
     with open(sys.argv[1], "r", encoding="utf-8") as handle:
         value = json.load(handle)
-    band = value.get("lastBand")
-    if isinstance(band, str):
-        print(band)
-    else:
-        print("none")
+    last_band = value.get("lastBand")
+    if not isinstance(last_band, str):
+        last_band = "none"
+    advisory_band = value.get("lastAdvisoryBand")
+    if not isinstance(advisory_band, str):
+        advisory_band = last_band
+    advisory_at = value.get("lastAdvisoryAt")
+    if not isinstance(advisory_at, str):
+        advisory_at = ""
+    advisory_epoch = 0
+    if advisory_at:
+        try:
+            from datetime import datetime
+            normalized = advisory_at.replace("Z", "+00:00")
+            advisory_epoch = int(datetime.fromisoformat(normalized).timestamp())
+        except Exception:
+            advisory_epoch = 0
+    print(f"{last_band}|{advisory_band}|{advisory_at}|{advisory_epoch}")
 except Exception:
-    print("none")
+    print("none|none||0")
 PY
 )
+    LAST_BAND=$(printf '%s' "$STATE_META" | cut -d'|' -f1)
+    LAST_ADVISORY_BAND=$(printf '%s' "$STATE_META" | cut -d'|' -f2)
+    LAST_ADVISORY_AT=$(printf '%s' "$STATE_META" | cut -d'|' -f3)
+    LAST_ADVISORY_EPOCH=$(printf '%s' "$STATE_META" | cut -d'|' -f4)
   fi
 fi
 TS=$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || echo "")
-if [ "$BAND" != "$LAST_BAND" ]; then
+NOW_EPOCH=$(date +%s 2>/dev/null || echo "0")
+if ! printf '%s' "$LAST_ADVISORY_EPOCH" | grep -Eq '^[0-9]+$'; then
+  LAST_ADVISORY_EPOCH="0"
+fi
+SHOULD_EMIT="false"
+if [ "$BAND" != "none" ]; then
+  if [ "$BAND" != "$LAST_ADVISORY_BAND" ]; then
+    SHOULD_EMIT="true"
+  elif [ "$TTL_SECONDS" -eq 0 ]; then
+    SHOULD_EMIT="true"
+  else
+    ELAPSED=$((NOW_EPOCH - LAST_ADVISORY_EPOCH))
+    if [ "$ELAPSED" -ge "$TTL_SECONDS" ]; then
+      SHOULD_EMIT="true"
+    fi
+  fi
+fi
+NEXT_ADVISORY_BAND="$LAST_ADVISORY_BAND"
+NEXT_ADVISORY_AT="$LAST_ADVISORY_AT"
+if [ "$SHOULD_EMIT" = "true" ]; then
   NOTE="Cclaw advisory: context remaining is \${REMAINING_PERCENT}% (\${BAND}). Consider checkpointing or compacting soon."
   if command -v jq >/dev/null 2>&1; then
     ENTRY=$(jq -n -c \
@@ -465,6 +783,8 @@ if [ "$BAND" != "$LAST_BAND" ]; then
     printf '%s\n' "$ENTRY" >> "$WARNINGS_FILE" 2>/dev/null || true
   fi
   printf '[cclaw] %s\n' "$NOTE" >&2
+  NEXT_ADVISORY_BAND="$BAND"
+  NEXT_ADVISORY_AT="$TS"
 fi
 TMP_STATE="$MONITOR_STATE.tmp.$$"
@@ -472,12 +792,14 @@ if command -v jq >/dev/null 2>&1; then
   jq -n \
     --arg ts "$TS" \
     --arg band "$BAND" \
+    --arg advisoryBand "$NEXT_ADVISORY_BAND" \
+    --arg advisoryAt "$NEXT_ADVISORY_AT" \
     --arg remaining "$REMAINING_PERCENT" \
     --arg harness "$HARNESS" \
-    '{lastUpdated:$ts,lastBand:$band,lastRemainingPercent:($remaining|tonumber),harness:$harness}' > "$TMP_STATE" 2>/dev/null || true
+    '{lastUpdated:$ts,lastBand:$band,lastRemainingPercent:($remaining|tonumber),harness:$harness,lastAdvisoryBand:$advisoryBand,lastAdvisoryAt:$advisoryAt}' > "$TMP_STATE" 2>/dev/null || true
 else
-  printf '{\n  "lastUpdated": "%s",\n  "lastBand": "%s",\n  "lastRemainingPercent": %s,\n  "harness": "%s"\n}\n' \
-    "$TS" "$BAND" "$REMAINING_PERCENT" "$HARNESS" > "$TMP_STATE" 2>/dev/null || true
+  printf '{\n  "lastUpdated": "%s",\n  "lastBand": "%s",\n  "lastRemainingPercent": %s,\n  "harness": "%s",\n  "lastAdvisoryBand": "%s",\n  "lastAdvisoryAt": "%s"\n}\n' \
+    "$TS" "$BAND" "$REMAINING_PERCENT" "$HARNESS" "$NEXT_ADVISORY_BAND" "$NEXT_ADVISORY_AT" > "$TMP_STATE" 2>/dev/null || true
 fi
 if [ -s "$TMP_STATE" ]; then
   mv "$TMP_STATE" "$MONITOR_STATE" 2>/dev/null || rm -f "$TMP_STATE" 2>/dev/null || true
@@ -644,6 +966,135 @@ for (const [tool, count] of longPayload.entries()) {
   });
 }
+const toolFilePathCounts = new Map();
+function extractFilePathsFromPayload(dataVal) {
+  const text = toText(dataVal);
+  if (!text) return [];
+  const found = [];
+  const seen = new Set();
+  try {
+    const obj = JSON.parse(text);
+    if (obj && typeof obj === "object" && !Array.isArray(obj)) {
+      const keys = [
+        "path",
+        "file_path",
+        "filePath",
+        "target_file",
+        "file",
+        "filepath",
+        "old_path",
+        "new_path",
+        "targetPath"
+      ];
+      for (const k of keys) {
+        if (!Object.prototype.hasOwnProperty.call(obj, k)) continue;
+        const v = obj[k];
+        if (typeof v === "string" && v.length > 1 && (v.includes("/") || v.includes("\\\\"))) {
+          const norm = v.replace(/\\\\/g, "/").replace(/\\/+/g, "/");
+          if (!seen.has(norm)) {
+            seen.add(norm);
+            found.push(norm);
+          }
+        }
+      }
+    }
+  } catch {
+    // ignore JSON parse errors
+  }
+  return found;
+}
+for (const obs of observations) {
+  const toolRaw = typeof obs.tool === "string" ? obs.tool : "unknown";
+  const tool = toolRaw.trim().replace(/[^A-Za-z0-9._-]+/g, "-") || "unknown";
+  for (const filePath of extractFilePathsFromPayload(obs.data)) {
+    const pairKey = JSON.stringify([tool, filePath]);
+    toolFilePathCounts.set(pairKey, (toolFilePathCounts.get(pairKey) || 0) + 1);
+  }
+}
+for (const [pairKey, uses] of toolFilePathCounts.entries()) {
+  if (uses < 5) continue;
+  let tool = "unknown";
+  let filePath = "";
+  try {
+    const parsed = JSON.parse(pairKey);
+    if (!Array.isArray(parsed) || parsed.length !== 2) continue;
+    if (typeof parsed[0] === "string") tool = parsed[0];
+    if (typeof parsed[1] === "string") filePath = parsed[1];
+  } catch {
+    continue;
+  }
+  if (!filePath) continue;
+  const parts = filePath.split(/[/\\\\]/);
+  let basename = parts[parts.length - 1] || filePath;
+  basename = basename.trim().replace(/[^A-Za-z0-9._-]+/g, "-") || "file";
+  const key = "file-affinity-" + tool + "-" + basename;
+  if (!keyPattern.test(key)) continue;
+  candidates.push({
+    ts: timestamp,
+    skill: "observation",
+    type: "pattern",
+    key: key,
+    insight:
+      "Tool " +
+      tool +
+      " frequently targets " +
+      filePath +
+      "; consider pre-loading it for this stage.",
+    confidence: 4,
+    source: "observed"
+  });
+}
+if (observations.length >= 10) {
+  const stages = new Set();
+  for (const obs of observations) {
+    const s = typeof obs.stage === "string" ? obs.stage.trim() : "none";
+    stages.add(s || "none");
+  }
+  if (stages.size === 1) {
+    const onlyStage = [...stages][0];
+    if (onlyStage && onlyStage !== "none") {
+      const stageSan = onlyStage.replace(/[^A-Za-z0-9._-]+/g, "-") || "none";
+      const times = [];
+      for (const obs of observations) {
+        if (typeof obs.ts === "string") {
+          const ms = Date.parse(obs.ts);
+          if (!Number.isNaN(ms)) times.push(ms);
+        }
+      }
+      times.sort((a, b) => a - b);
+      if (times.length >= 2) {
+        const spanMin = Math.max(
+          1,
+          Math.round((times[times.length - 1] - times[0]) / 60000)
+        );
+        const M = observations.length;
+        const velKey = "stage-velocity-" + stageSan;
+        if (keyPattern.test(velKey)) {
+          candidates.push({
+            ts: timestamp,
+            skill: "observation",
+            type: "operational",
+            key: velKey,
+            insight:
+              "Stage " +
+              onlyStage +
+              " took approximately " +
+              spanMin +
+              " minutes with " +
+              M +
+              " tool calls.",
+            confidence: 3,
+            source: "observed"
+          });
+        }
+      }
+    }
+  }
+}
 const valid = [];
 const bestCandidate = new Map();
 for (const candidate of candidates) {
@@ -964,6 +1415,25 @@ for file in $ARCHIVE_LIST; do
   fi
 done
+# Write session digest for cross-session context
+STATE_FILE="$ROOT/${RUNTIME_ROOT}/state/flow-state.json"
+DIGEST_FILE="$ROOT/${RUNTIME_ROOT}/state/session-digest.md"
+STAGE_NOW="none"
+RUN_DIGEST_ID="none"
+if [ -f "$STATE_FILE" ]; then
+  if command -v jq >/dev/null 2>&1; then
+    STAGE_NOW=$(jq -r '.currentStage // "none"' "$STATE_FILE" 2>/dev/null || echo "none")
+    RUN_DIGEST_ID=$(jq -r '.activeRunId // "none"' "$STATE_FILE" 2>/dev/null || echo "none")
+  fi
+fi
+{
+  printf '%s\\n' "# Session Digest"
+  printf '%s\\n' "- Stage: $STAGE_NOW"
+  printf '%s\\n' "- Observations: $OBS_COUNT"
+  printf '%s\\n' "- Timestamp: $TS"
+  printf '%s\\n' "- Run: $RUN_DIGEST_ID"
+} > "$DIGEST_FILE" 2>/dev/null || true
 # Keep stage activity bounded by line count.
 rotate_file "$ACTIVITY_FILE" 2000
@@ -978,6 +1448,7 @@ exit 0
  */
 export function claudeHooksJsonWithObservation() {
     return JSON.stringify({
+        cclawHookSchemaVersion: 1,
         hooks: {
             SessionStart: [{
                     matcher: "startup|resume|clear|compact",
@@ -991,6 +1462,9 @@ export function claudeHooksJsonWithObservation() {
                     hooks: [{
                             type: "command",
                             command: `bash ${RUNTIME_ROOT}/hooks/prompt-guard.sh`
+                        }, {
+                            type: "command",
+                            command: `bash ${RUNTIME_ROOT}/hooks/workflow-guard.sh`
                         }, {
                             type: "command",
                             command: `bash ${RUNTIME_ROOT}/hooks/observe.sh pre`
@@ -1025,43 +1499,48 @@ export function claudeHooksJsonWithObservation() {
 }
 export function cursorHooksJsonWithObservation() {
     return JSON.stringify({
+        cclawHookSchemaVersion: 1,
         version: 1,
         hooks: {
             sessionStart: [{
-                    command: `${RUNTIME_ROOT}/hooks/session-start.sh`
+                    command: `bash ${RUNTIME_ROOT}/hooks/session-start.sh`
                 }],
             sessionResume: [{
-                    command: `${RUNTIME_ROOT}/hooks/session-start.sh`
+                    command: `bash ${RUNTIME_ROOT}/hooks/session-start.sh`
                 }],
             sessionClear: [{
-                    command: `${RUNTIME_ROOT}/hooks/session-start.sh`
+                    command: `bash ${RUNTIME_ROOT}/hooks/session-start.sh`
                 }],
             sessionCompact: [{
-                    command: `${RUNTIME_ROOT}/hooks/session-start.sh`
+                    command: `bash ${RUNTIME_ROOT}/hooks/session-start.sh`
                 }],
             preToolUse: [{
                     matcher: "*",
-                    command: `${RUNTIME_ROOT}/hooks/prompt-guard.sh`
+                    command: `bash ${RUNTIME_ROOT}/hooks/prompt-guard.sh`
+                }, {
+                    matcher: "*",
+                    command: `bash ${RUNTIME_ROOT}/hooks/workflow-guard.sh`
                 }, {
                     matcher: "*",
-                    command: `${RUNTIME_ROOT}/hooks/observe.sh pre`
+                    command: `bash ${RUNTIME_ROOT}/hooks/observe.sh pre`
                 }],
             postToolUse: [{
                     matcher: "*",
-                    command: `${RUNTIME_ROOT}/hooks/context-monitor.sh`
+                    command: `bash ${RUNTIME_ROOT}/hooks/context-monitor.sh`
                 }, {
                     matcher: "*",
-                    command: `${RUNTIME_ROOT}/hooks/observe.sh post`
+                    command: `bash ${RUNTIME_ROOT}/hooks/observe.sh post`
                 }],
             stop: [
-                { command: `${RUNTIME_ROOT}/hooks/summarize-observations.sh`, timeout: 15 },
-                { command: `${RUNTIME_ROOT}/hooks/stop-checkpoint.sh`, timeout: 10 }
+                { command: `bash ${RUNTIME_ROOT}/hooks/summarize-observations.sh`, timeout: 15 },
+                { command: `bash ${RUNTIME_ROOT}/hooks/stop-checkpoint.sh`, timeout: 10 }
             ]
         }
     }, null, 2);
 }
 export function codexHooksJsonWithObservation() {
     return JSON.stringify({
+        cclawHookSchemaVersion: 1,
         hooks: {
             SessionStart: [{
                     matcher: "startup|resume|clear|compact",
@@ -1076,6 +1555,9 @@ export function codexHooksJsonWithObservation() {
                     hooks: [{
                             type: "command",
                             command: `bash ${RUNTIME_ROOT}/hooks/prompt-guard.sh`
+                        }, {
+                            type: "command",
+                            command: `bash ${RUNTIME_ROOT}/hooks/workflow-guard.sh`
                         }, {
                             type: "command",
                             command: `bash ${RUNTIME_ROOT}/hooks/observe.sh pre`