cclaw-cli 0.48.10 → 0.48.12

package/README.md

@@ -158,7 +158,7 @@ If cclaw detects a Node / Python / Go project at init time, a sixth
 `pyproject.toml` / `requirements.txt`, `go.mod`). That is the full
 default surface — a new user sees nothing they need to understand yet.
 
-Advanced knobs (`promptGuardMode` / `tddEnforcement` per-axis overrides,
+Advanced knobs (`ironLaws.strictLaws` per-law escapes,
 `tdd.testPathPatterns` / `tdd.productionPathPatterns`,
 `compound.recurrenceThreshold`, `defaultTrack`, `trackHeuristics`,
 `sliceReview`) are **opt-in**: add them by hand when you need them.

package/dist/cli.js

@@ -828,7 +828,7 @@ async function runCommand(parsed, ctx) {
             ctx.stdout.write(`${JSON.stringify({
                 track: previewConfig.defaultTrack ?? "standard",
                 harnesses: previewConfig.harnesses,
-                promptGuardMode: previewConfig.promptGuardMode,
+                strictness: previewConfig.strictness ?? "advisory",
                 gitHookGuards: previewConfig.gitHookGuards,
                 languageRulePacks: previewConfig.languageRulePacks,
                 generatedSurfaces: previewSurfaces

package/dist/config.d.ts

@@ -42,7 +42,7 @@ export declare function readConfig(projectRoot: string): Promise<CclawConfig>;
  * the user set them explicitly. Keeps the default template small and honest:
  * only knobs a new user would meaningfully flip show up.
  */
-type AdvancedConfigKey = "promptGuardMode" | "tddEnforcement" | "tddTestGlobs" | "tdd" | "compound" | "defaultTrack" | "languageRulePacks" | "trackHeuristics" | "sliceReview" | "ironLaws";
+type AdvancedConfigKey = "tddTestGlobs" | "tdd" | "compound" | "defaultTrack" | "languageRulePacks" | "trackHeuristics" | "sliceReview" | "ironLaws";
 /**
  * Options controlling the serialisation shape of `config.yaml`.
  *

package/dist/config.js

@@ -17,8 +17,6 @@ const ALLOWED_CONFIG_KEYS = new Set([
     "flowVersion",
     "harnesses",
     "strictness",
-    "promptGuardMode",
-    "tddEnforcement",
     "tddTestGlobs",
     "tdd",
     "compound",
@@ -29,6 +27,16 @@ const ALLOWED_CONFIG_KEYS = new Set([
     "sliceReview",
     "ironLaws"
 ]);
+/**
+ * Config keys removed in the advisory-by-default consolidation. Kept here so
+ * the parser can emit a helpful migration error pointing users at the new
+ * single `strictness` knob instead of a generic "unknown key" message.
+ */
+const RETIRED_GUARD_CONFIG_KEYS = new Set([
+    "promptGuardMode",
+    "tddEnforcement",
+    "workflowGuardMode"
+]);
 /**
  * Config keys always present in the minimal init template. Everything else
  * is "advanced" — parsed when present, but not pre-populated by `cclaw init`.
@@ -131,8 +139,6 @@ export function createDefaultConfig(harnesses = DEFAULT_HARNESSES, defaultTrack
         flowVersion: FLOW_VERSION,
         harnesses,
         strictness: "advisory",
-        promptGuardMode: "advisory",
-        tddEnforcement: "advisory",
         tddTestGlobs: [...tddTestPathPatterns],
         tdd: {
             testPathPatterns: tddTestPathPatterns,
@@ -145,7 +151,6 @@ export function createDefaultConfig(harnesses = DEFAULT_HARNESSES, defaultTrack
         defaultTrack,
         languageRulePacks: [],
         ironLaws: {
-            mode: "advisory",
             strictLaws: []
         }
     };
@@ -208,6 +213,12 @@ export async function readConfig(projectRoot) {
     const parsed = (parsedUnknown && typeof parsedUnknown === "object"
         ? parsedUnknown
         : {});
+    const retiredGuardKeys = Object.keys(parsed).filter((key) => RETIRED_GUARD_CONFIG_KEYS.has(key));
+    if (retiredGuardKeys.length > 0) {
+        throw configValidationError(fullPath, `config key(s) ${retiredGuardKeys.join(", ")} were removed; ` +
+            `use the single \`strictness: advisory|strict\` knob instead ` +
+            `(advisory is the default). See docs/config.md#strictness for migration.`);
+    }
     const unknownKeys = Object.keys(parsed).filter((key) => !ALLOWED_CONFIG_KEYS.has(key));
     if (unknownKeys.length > 0) {
         throw configValidationError(fullPath, `unknown top-level key(s): ${unknownKeys.join(", ")}`);
@@ -235,29 +246,6 @@ export async function readConfig(projectRoot) {
         throw configValidationError(fullPath, `"strictness" must be "advisory" or "strict"`);
     }
     const strictness = strictnessRaw === "strict" ? "strict" : "advisory";
-    // Legacy guard fields — keep honouring explicit values for power users who
-    // want asymmetric behaviour (e.g. strict prompt guard + advisory TDD).
-    // When the user only set `strictness`, both axes inherit from it.
-    const hasExplicitPromptGuard = Object.prototype.hasOwnProperty.call(parsed, "promptGuardMode");
-    const promptGuardModeRaw = parsed.promptGuardMode;
-    if (hasExplicitPromptGuard &&
-        promptGuardModeRaw !== "advisory" &&
-        promptGuardModeRaw !== "strict") {
-        throw configValidationError(fullPath, `"promptGuardMode" must be "advisory" or "strict"`);
-    }
-    const promptGuardMode = hasExplicitPromptGuard
-        ? (promptGuardModeRaw === "strict" ? "strict" : "advisory")
-        : strictness;
-    const hasExplicitTddEnforcement = Object.prototype.hasOwnProperty.call(parsed, "tddEnforcement");
-    const tddEnforcementRaw = parsed.tddEnforcement;
-    if (hasExplicitTddEnforcement &&
-        tddEnforcementRaw !== "advisory" &&
-        tddEnforcementRaw !== "strict") {
-        throw configValidationError(fullPath, `"tddEnforcement" must be "advisory" or "strict"`);
-    }
-    const tddEnforcement = hasExplicitTddEnforcement
-        ? (tddEnforcementRaw === "strict" ? "strict" : "advisory")
-        : strictness;
     const tddTestGlobsRaw = parsed.tddTestGlobs;
     const tddTestGlobs = validateStringArray(tddTestGlobsRaw, "tddTestGlobs", fullPath)
         ?? [...DEFAULT_TDD_TEST_GLOBS];
@@ -421,37 +409,31 @@ export async function readConfig(projectRoot) {
         if (!isRecord(ironLawsRaw)) {
             throw configValidationError(fullPath, `"ironLaws" must be an object`);
         }
-        const unknownIronLawKeys = Object.keys(ironLawsRaw).filter((key) => key !== "mode" && key !== "strictLaws");
+        if (Object.prototype.hasOwnProperty.call(ironLawsRaw, "mode")) {
+            throw configValidationError(fullPath, `"ironLaws.mode" was removed; the project-wide \`strictness\` knob now ` +
+                `controls iron-law enforcement. Use \`ironLaws.strictLaws\` for per-law overrides.`);
+        }
+        const unknownIronLawKeys = Object.keys(ironLawsRaw).filter((key) => key !== "strictLaws");
         if (unknownIronLawKeys.length > 0) {
             throw configValidationError(fullPath, `"ironLaws" has unknown key(s): ${unknownIronLawKeys.join(", ")}`);
         }
-        const modeRaw = ironLawsRaw.mode;
-        if (modeRaw !== undefined && modeRaw !== "advisory" && modeRaw !== "strict") {
-            throw configValidationError(fullPath, `"ironLaws.mode" must be "advisory" or "strict"`);
-        }
         const strictLawIdsRaw = validateStringArray(ironLawsRaw.strictLaws, "ironLaws.strictLaws", fullPath) ?? [];
         const unknownStrictLawIds = strictLawIdsRaw.filter((id) => !isIronLawId(id));
         if (unknownStrictLawIds.length > 0) {
             throw configValidationError(fullPath, `"ironLaws.strictLaws" contains unknown law id(s): ${unknownStrictLawIds.join(", ")}`);
         }
         ironLaws = {
-            mode: modeRaw === "strict" ? "strict" : "advisory",
             strictLaws: normalizeStrictLawIds(strictLawIdsRaw)
         };
     }
     else {
-        ironLaws = {
-            mode: strictness,
-            strictLaws: []
-        };
+        ironLaws = { strictLaws: [] };
     }
     return {
         version: parsed.version ?? CCLAW_VERSION,
         flowVersion: parsed.flowVersion ?? FLOW_VERSION,
         harnesses,
         strictness,
-        promptGuardMode,
-        tddEnforcement,
         tddTestGlobs,
         tdd: {
             testPathPatterns: resolvedTddTestPathPatterns,
@@ -480,8 +462,6 @@ function buildSerializableConfig(config, options = {}) {
         "flowVersion",
         "harnesses",
         "strictness",
-        "promptGuardMode",
-        "tddEnforcement",
         "tddTestGlobs",
         "tdd",
         "compound",
@@ -536,8 +516,6 @@ export async function detectAdvancedKeys(projectRoot) {
         if (!isRecord(parsedUnknown))
             return new Set();
         const advancedCandidates = [
-            "promptGuardMode",
-            "tddEnforcement",
             "tddTestGlobs",
             "tdd",
             "compound",

package/dist/content/doctor-references.js

@@ -13,7 +13,7 @@ Reference docs for \`cclaw doctor\` checks.
 - \`state-and-gates.md\` - flow-state integrity and gate evidence contracts
 - \`delegation-and-preamble.md\` - mandatory delegations and lightweight announce discipline
 - \`traceability.md\` - spec/plan/tdd trace matrix expectations
-- \`tooling-capabilities.md\` - local runtime prerequisites (bash/node/python/jq)
+- \`tooling-capabilities.md\` - local runtime prerequisites (node only)
 - \`config-and-policy.md\` - config schema, rules policy, and validation references
 `,
     "runtime-layout.md": `# Runtime Layout
@@ -116,17 +116,21 @@ Reference docs for \`cclaw doctor\` checks.
 
 ## Required
 
-- \`bash\` for runtime hook scripts
-- \`node\` for generated runtime scripts/plugins
+- \`node\` (>=20) — the only runtime dependency. All hooks, git-hook relays, and the
+  \`cclaw\` CLI itself run on Node.js. No \`bash\`, \`python3\`, or \`jq\` required.
+- \`git\` — needed for worktree and pre-commit/pre-push relays.
 
-## Optional fallback
+## Not required (removed)
 
-- at least one of \`python3\` or \`jq\` for JSON parsing fallback paths
+Earlier releases relied on \`bash\` to execute generated shell hooks and on
+\`python3\`/\`jq\` as JSON fallback parsers. Node-only mode removes both: hooks
+dispatch through \`node .cclaw/hooks/run-hook.mjs <hook-name>\`, so these tools
+are no longer part of the supported runtime contract.
 
 ## Typical fixes
 
-1. Install missing runtime tools.
-2. Keep at least one JSON fallback parser available (\`python3\` or \`jq\`).
+1. Install Node.js 20 or newer (matches \`package.json\` \`engines\`) and ensure \`node\` is on \`PATH\`.
+2. Re-run \`cclaw sync\` to regenerate hook configs after upgrading Node.
 `,
     "config-and-policy.md": `# Config And Policy
 

package/dist/content/node-hooks.d.ts

@@ -1,7 +1,11 @@
 export interface NodeHookRuntimeOptions {
-    promptGuardMode?: "advisory" | "strict";
-    workflowGuardMode?: "advisory" | "strict";
-    tddEnforcementMode?: "advisory" | "strict";
+    /**
+     * Single enforcement knob derived from `config.strictness`. Generated hooks
+     * embed this value as the default for every guard (prompt, workflow, TDD,
+     * iron-laws-coupled blocks). `CCLAW_STRICTNESS` env var overrides at run
+     * time; per-law strictness still flows through `iron-laws.json`.
+     */
+    strictness?: "advisory" | "strict";
     tddTestPathPatterns?: string[];
     tddProductionPathPatterns?: string[];
 }

package/dist/content/node-hooks.js

@@ -11,9 +11,7 @@ function normalizePatterns(patterns, fallback) {
  * bash/python/jq runtime dependencies.
  */
 export function nodeHookRuntimeScript(options = {}) {
-    const promptGuardMode = options.promptGuardMode === "strict" ? "strict" : "advisory";
-    const workflowGuardMode = options.workflowGuardMode === "strict" ? "strict" : "advisory";
-    const tddEnforcementMode = options.tddEnforcementMode === "strict" ? "strict" : "advisory";
+    const strictness = options.strictness === "strict" ? "strict" : "advisory";
     const tddTestPathPatterns = normalizePatterns(options.tddTestPathPatterns, [
         "**/*.test.*",
         "**/tests/**",
@@ -27,12 +25,17 @@ import process from "node:process";
 import { spawn } from "node:child_process";
 
 const RUNTIME_ROOT = ${JSON.stringify(RUNTIME_ROOT)};
-const DEFAULT_PROMPT_GUARD_MODE = ${JSON.stringify(promptGuardMode)};
-const DEFAULT_WORKFLOW_GUARD_MODE = ${JSON.stringify(workflowGuardMode)};
-const DEFAULT_TDD_ENFORCEMENT_MODE = ${JSON.stringify(tddEnforcementMode)};
+// Single strictness default, derived from config.strictness at install time.
+// \`CCLAW_STRICTNESS\` env var overrides for the current process. All guards
+// (prompt, workflow, TDD, iron-laws) route through \`resolveStrictness()\`.
+const DEFAULT_STRICTNESS = ${JSON.stringify(strictness)};
 const DEFAULT_TDD_TEST_PATH_PATTERNS = ${JSON.stringify(tddTestPathPatterns)};
 const DEFAULT_TDD_PRODUCTION_PATH_PATTERNS = ${JSON.stringify(tddProductionPathPatterns)};
 
+function resolveStrictness() {
+  return process.env.CCLAW_STRICTNESS === "strict" ? "strict" : DEFAULT_STRICTNESS;
+}
+
 function toObject(value) {
   if (!value || typeof value !== "object" || Array.isArray(value)) return null;
   return value;
@@ -186,12 +189,12 @@ async function detectRoot(env) {
     try {
       const runtimePath = path.join(candidate, RUNTIME_ROOT);
       const stat = await fs.stat(runtimePath);
-      if (stat.isDirectory()) return candidate;
+      if (stat.isDirectory()) return { root: candidate, foundRuntime: true };
     } catch {
       // continue
     }
   }
-  return candidates[0] || process.cwd();
+  return { root: candidates[0] || process.cwd(), foundRuntime: false };
 }
 
 function toLower(value) {
@@ -1024,9 +1027,7 @@ async function handlePreCompact(runtime) {
 }
 
 async function handlePromptGuard(runtime) {
-  const mode = process.env.PROMPT_GUARD_MODE === "strict"
-    ? "strict"
-    : DEFAULT_PROMPT_GUARD_MODE;
+  const mode = resolveStrictness();
   const stateDir = path.join(runtime.root, RUNTIME_ROOT, "state");
   const guardLog = path.join(stateDir, "prompt-guard.jsonl");
 
@@ -1202,17 +1203,15 @@ function isProductionPath(rawPath, testPatterns, productionPatterns) {
 }
 
 async function handleWorkflowGuard(runtime) {
-  const mode = process.env.CCLAW_WORKFLOW_GUARD_MODE === "strict"
-    ? "strict"
-    : DEFAULT_WORKFLOW_GUARD_MODE;
+  const mode = resolveStrictness();
   const maxAgeRaw = process.env.CCLAW_WORKFLOW_GUARD_MAX_AGE_SEC;
   const maxAgeSec =
     typeof maxAgeRaw === "string" && /^[0-9]+$/u.test(maxAgeRaw)
       ? Number(maxAgeRaw)
       : 1800;
-  const tddEnforcement = process.env.TDD_ENFORCEMENT_MODE === "strict"
-    ? "strict"
-    : DEFAULT_TDD_ENFORCEMENT_MODE;
+  // TDD enforcement now follows the same single strictness knob — keeping the
+  // distinct local binding so the downstream block rules stay self-documenting.
+  const tddEnforcement = mode;
 
   const stateDir = path.join(runtime.root, RUNTIME_ROOT, "state");
   const guardStateFile = path.join(stateDir, "workflow-guard.json");
@@ -1513,12 +1512,10 @@ async function handleContextMonitor(runtime) {
 }
 
 async function handleVerifyCurrentState(runtime) {
-  const mode = process.env.CCLAW_WORKFLOW_GUARD_MODE === "strict"
-    ? "strict"
-    : DEFAULT_WORKFLOW_GUARD_MODE;
+  const mode = resolveStrictness();
   const result = await runCclawInternal(runtime.root, ["verify-current-state", "--quiet"]);
   if (result.missingBinary) {
-    process.stderr.write("[cclaw] codex hook: cclaw binary is required for verify-current-state\\n");
+    process.stderr.write("[cclaw] hook: cclaw binary is required for verify-current-state\\n");
     return 1;
   }
   if (mode === "strict") {
@@ -1555,7 +1552,14 @@ async function main() {
   }
 
   const harness = detectHarness(process.env);
-  const root = await detectRoot(process.env);
+  const { root, foundRuntime } = await detectRoot(process.env);
+  if (!foundRuntime) {
+    // No .cclaw/ runtime in any candidate root — this directory is not
+    // initialized for cclaw. Exit 0 silently so hooks never block harnesses
+    // that run in unrelated repos; users initialize with \`cclaw init\`.
+    process.exitCode = 0;
+    return;
+  }
   const inputRaw = await readStdin();
   const inputData = safeParseJson(inputRaw, {});
   const runtime = {

package/dist/content/observe.js

@@ -1,5 +1,9 @@
 import { RUNTIME_ROOT } from "../constants.js";
 function hookDispatcherCommand(hookName) {
+    // RUNTIME_ROOT is a relative path (".cclaw") that currently contains no
+    // whitespace, so quoting is unnecessary inside the JSON-encoded command
+    // string. If RUNTIME_ROOT ever becomes configurable, wrap the path with
+    // JSON.stringify to survive spaces.
     return `node ${RUNTIME_ROOT}/hooks/run-hook.mjs ${hookName}`;
 }
 export function claudeHooksJsonWithObservation() {

package/dist/content/opencode-plugin.js

@@ -409,6 +409,12 @@ export default function cclawPlugin(ctx) {
             : typeof payload;
         console.error("[cclaw] opencode unknown event payload keys: " + keys);
       }
+      // session.compacted must run pre-compact BEFORE refreshing the bootstrap
+      // cache, otherwise the injected system prompt still shows the pre-compact
+      // digest/state until the next lifecycle event.
+      if (eventType === "session.compacted") {
+        await runHookScript("pre-compact", eventData ?? {});
+      }
       if (
         eventType === "session.created" ||
         eventType === "session.resumed" ||
@@ -424,9 +430,6 @@ export default function cclawPlugin(ctx) {
         // until the next compaction or restart.
         await refreshBootstrapCache(true);
       }
-      if (eventType === "session.compacted") {
-        await runHookScript("pre-compact", eventData ?? {});
-      }
       if (eventType === "session.idle") {
         await runHookScript("stop-checkpoint", { loop_count: 0 });
       }

package/dist/doctor-registry.js

@@ -30,15 +30,6 @@ const RULES = [
             docRef: ref("runtime-layout.md")
         }
     },
-    {
-        test: /^capability:runtime:json_parser$/,
-        metadata: {
-            severity: "warning",
-            summary: "Optional JSON fallback parser availability.",
-            fix: "Install at least one of `python3` or `jq` for resilient fallback parsing.",
-            docRef: ref("tooling-capabilities.md")
-        }
-    },
     {
         test: /^capability:required:/,
         metadata: {

package/dist/doctor.js

@@ -483,17 +483,17 @@ export async function doctorChecks(projectRoot, options = {}) {
                     : `warning: ${RUNTIME_ROOT}/config.yaml uses deprecated "tddTestGlobs". Migrate to "tdd.testPathPatterns".`
                 : `no deprecated "tddTestGlobs" key detected in ${RUNTIME_ROOT}/config.yaml`
         });
-        const expectedMode = parsedConfig.promptGuardMode === "strict" ? "strict" : "advisory";
-        const promptGuardPath = path.join(projectRoot, RUNTIME_ROOT, "hooks", "run-hook.mjs");
-        let promptGuardModeOk = false;
-        if (await exists(promptGuardPath)) {
-            const promptGuardContent = await fs.readFile(promptGuardPath, "utf8");
-            promptGuardModeOk = promptGuardContent.includes(`const DEFAULT_PROMPT_GUARD_MODE = "${expectedMode}"`);
+        const expectedStrictness = parsedConfig.strictness === "strict" ? "strict" : "advisory";
+        const hookRuntimePath = path.join(projectRoot, RUNTIME_ROOT, "hooks", "run-hook.mjs");
+        let strictnessOk = false;
+        if (await exists(hookRuntimePath)) {
+            const runtimeContent = await fs.readFile(hookRuntimePath, "utf8");
+            strictnessOk = runtimeContent.includes(`const DEFAULT_STRICTNESS = "${expectedStrictness}"`);
         }
         checks.push({
-            name: "hook:prompt_guard:mode",
-            ok: promptGuardModeOk,
-            details: `${promptGuardPath} must match promptGuardMode=${expectedMode}`
+            name: "hook:runtime:strictness",
+            ok: strictnessOk,
+            details: `${hookRuntimePath} must embed DEFAULT_STRICTNESS = "${expectedStrictness}" matching config.strictness`
         });
         if (parsedConfig.gitHookGuards === true) {
             const runtimePreCommit = path.join(projectRoot, RUNTIME_ROOT, "hooks", "git", "pre-commit.mjs");
@@ -743,12 +743,9 @@ export async function doctorChecks(projectRoot, options = {}) {
             }
         }
     }
-    // OpenCode plugin source + deployed path
-    checks.push({
-        name: "hook:opencode_plugin_source",
-        ok: await exists(path.join(projectRoot, RUNTIME_ROOT, "hooks", "opencode-plugin.mjs")),
-        details: `${RUNTIME_ROOT}/hooks/opencode-plugin.mjs`
-    });
+    // OpenCode plugin deployed path. (Presence of the source under
+    // `${RUNTIME_ROOT}/hooks/opencode-plugin.mjs` is already asserted by the
+    // generic `hook:script:opencode-plugin.mjs` check above; avoid a duplicate.)
     const opencodeEnabled = configuredHarnesses.includes("opencode");
     const opencodeDeployed = await exists(path.join(projectRoot, ".opencode/plugins/cclaw-plugin.mjs"));
     checks.push({
@@ -1009,27 +1006,11 @@ export async function doctorChecks(projectRoot, options = {}) {
         });
     }
     const hasNode = await commandAvailable("node");
-    const hasPython = await commandAvailable("python3");
-    const hasJq = await commandAvailable("jq");
     checks.push({
         name: "capability:required:node",
         ok: hasNode,
         details: "node is required for cclaw runtime scripts and CLI wiring"
     });
-    checks.push({
-        name: "warning:capability:jq",
-        ok: true,
-        details: hasJq
-            ? "jq available (optional)"
-            : "warning: jq not found; Node hook runtime no longer depends on jq"
-    });
-    checks.push({
-        name: "warning:capability:python3",
-        ok: true,
-        details: hasPython
-            ? "python3 available (optional)"
-            : "warning: python3 not found; Node hook runtime no longer depends on python3"
-    });
     const windowsHookConfigCandidates = [
         path.join(projectRoot, ".claude/hooks/hooks.json"),
         path.join(projectRoot, ".cursor/hooks.json"),

package/dist/install.js

@@ -119,6 +119,11 @@ function resolveChangedFiles(root) {
 const root = resolveRepoRoot();
 const runtimeHook = path.join(root, RUNTIME_ROOT, "hooks", "run-hook.mjs");
 if (!fs.existsSync(runtimeHook)) {
+  // cclaw git relay is installed but the runtime entrypoint is missing —
+  // warn visibly (without blocking the commit) so the drift is noticed.
+  process.stderr.write(
+    "[cclaw] " + HOOK_NAME + ": " + runtimeHook + " not found; run \`cclaw sync\` to reinstall\\n"
+  );
   process.exit(0);
 }
 
@@ -715,15 +720,14 @@ async function writeHooks(projectRoot, config) {
     const stateDir = runtimePath(projectRoot, "state");
     await ensureDir(hooksDir);
     await ensureDir(stateDir);
+    const effectiveStrictness = config.strictness ?? "advisory";
     await writeFileSafe(runtimePath(projectRoot, "state", "iron-laws.json"), `${JSON.stringify(ironLawRuntimeDocument({
-        mode: config.ironLaws?.mode,
+        mode: effectiveStrictness,
         strictLaws: config.ironLaws?.strictLaws
     }), null, 2)}\n`);
     await writeFileSafe(path.join(hooksDir, "stage-complete.mjs"), stageCompleteScript());
     await writeFileSafe(path.join(hooksDir, "run-hook.mjs"), nodeHookRuntimeScript({
-        promptGuardMode: config.promptGuardMode ?? config.strictness ?? "advisory",
-        workflowGuardMode: config.strictness ?? "advisory",
-        tddEnforcementMode: config.tddEnforcement ?? config.strictness ?? "advisory",
+        strictness: effectiveStrictness,
         tddTestPathPatterns: config.tdd?.testPathPatterns ?? config.tddTestGlobs,
         tddProductionPathPatterns: config.tdd?.productionPathPatterns
     }));
@@ -1428,7 +1432,11 @@ function stripManagedHookCommands(value) {
     return { updated: root, changed: true };
 }
 function isManagedRuntimeHookCommand(command) {
-    const normalized = command.trim().replace(/\s+/gu, " ");
+    // Normalize whitespace and collapse any Windows-style backslash path
+    // separators to forward slashes so user-edited hook configs on Windows
+    // (e.g. `node .cclaw\hooks\run-hook.mjs ...`) still round-trip through
+    // sync without being duplicated alongside freshly generated entries.
+    const normalized = command.trim().replace(/\s+/gu, " ").replace(/\\/gu, "/");
     if (/(^|\s)(?:node\s+)?(?:"|')?(?:\.\/)?\.cclaw\/hooks\/run-hook\.mjs(?:"|')?\s+(?:session-start|stop-checkpoint|pre-compact|prompt-guard|workflow-guard|context-monitor|verify-current-state)(?:\s|$)/u.test(normalized)) {
         return true;
     }

package/dist/types.d.ts

@@ -110,7 +110,12 @@ export interface CompoundConfig {
     recurrenceThreshold?: number;
 }
 export interface IronLawsConfig {
-    mode?: "advisory" | "strict";
+    /**
+     * Per-law escape hatch: list the iron-law ids that must always be strict,
+     * independent of the project-wide `strictness` knob. Kept as an advanced
+     * override for teams that want e.g. `tdd-red-before-write` strict while the
+     * rest of the pipeline stays advisory.
+     */
     strictLaws?: string[];
 }
 export interface CclawConfig {
@@ -118,30 +123,16 @@ export interface CclawConfig {
     flowVersion: string;
     harnesses: HarnessId[];
     /**
-     * Single-knob strictness for both guard families. When set, cclaw derives
-     * `promptGuardMode` and `tddEnforcement` from this value unless the legacy
-     * fields are explicitly provided. Default: "advisory".
+     * Single knob that controls enforcement behaviour of all hook-driven guards
+     * (prompt guard, workflow guard, TDD enforcement, iron laws). Default:
+     * `"advisory"` — hooks append a stderr nudge and exit 0. `"strict"` flips
+     * the same hooks to fail-closed (non-zero exit) so the harness refuses the
+     * offending action.
      *
-     * Added in v0.43.0 to collapse two fields that always moved together for
-     * ~99% of users. Power users who want asymmetric strictness (e.g. strict
-     * prompt guard, advisory TDD) can still set the legacy fields directly —
-     * explicit per-axis values override the derived strictness.
+     * Per-law escapes live on `ironLaws.strictLaws` for teams that need to keep
+     * specific iron laws strict while the project-wide knob stays advisory.
      */
     strictness?: "advisory" | "strict";
-    /**
-     * Prompt guard behavior for runtime write-risk detection hooks.
-     *
-     * Since v0.43.0 this is an advanced override. Prefer `strictness` in new
-     * configs; set this explicitly only when you need strict prompt guarding
-     * while keeping TDD advisory, or vice versa.
-     */
-    promptGuardMode?: "advisory" | "strict";
-    /**
-     * TDD RED -> GREEN -> REFACTOR enforcement mode used by workflow guard hooks.
-     *
-     * Since v0.43.0 this is an advanced override — see `strictness`.
-     */
-    tddEnforcement?: "advisory" | "strict";
     /**
      * Legacy alias for test-side path detection in workflow-guard.
      * Prefer `tdd.testPathPatterns` in new configs.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cclaw-cli",
-  "version": "0.48.10",
+  "version": "0.48.12",
   "description": "Installer-first flow toolkit for coding agents",
   "type": "module",
   "bin": {