cclaw-cli 0.48.11 → 0.48.12

package/README.md

@@ -158,7 +158,7 @@ If cclaw detects a Node / Python / Go project at init time, a sixth
 `pyproject.toml` / `requirements.txt`, `go.mod`). That is the full
 default surface — a new user sees nothing they need to understand yet.
 
-Advanced knobs (`promptGuardMode` / `tddEnforcement` per-axis overrides,
+Advanced knobs (`ironLaws.strictLaws` per-law escapes,
 `tdd.testPathPatterns` / `tdd.productionPathPatterns`,
 `compound.recurrenceThreshold`, `defaultTrack`, `trackHeuristics`,
 `sliceReview`) are **opt-in**: add them by hand when you need them.

package/dist/cli.js

@@ -828,7 +828,7 @@ async function runCommand(parsed, ctx) {
             ctx.stdout.write(`${JSON.stringify({
                 track: previewConfig.defaultTrack ?? "standard",
                 harnesses: previewConfig.harnesses,
-                promptGuardMode: previewConfig.promptGuardMode,
+                strictness: previewConfig.strictness ?? "advisory",
                 gitHookGuards: previewConfig.gitHookGuards,
                 languageRulePacks: previewConfig.languageRulePacks,
                 generatedSurfaces: previewSurfaces

package/dist/config.d.ts

@@ -42,7 +42,7 @@ export declare function readConfig(projectRoot: string): Promise<CclawConfig>;
  * the user set them explicitly. Keeps the default template small and honest:
  * only knobs a new user would meaningfully flip show up.
  */
-type AdvancedConfigKey = "promptGuardMode" | "tddEnforcement" | "tddTestGlobs" | "tdd" | "compound" | "defaultTrack" | "languageRulePacks" | "trackHeuristics" | "sliceReview" | "ironLaws";
+type AdvancedConfigKey = "tddTestGlobs" | "tdd" | "compound" | "defaultTrack" | "languageRulePacks" | "trackHeuristics" | "sliceReview" | "ironLaws";
 /**
  * Options controlling the serialisation shape of `config.yaml`.
  *

package/dist/config.js

@@ -17,8 +17,6 @@ const ALLOWED_CONFIG_KEYS = new Set([
     "flowVersion",
     "harnesses",
     "strictness",
-    "promptGuardMode",
-    "tddEnforcement",
     "tddTestGlobs",
     "tdd",
     "compound",
@@ -29,6 +27,16 @@ const ALLOWED_CONFIG_KEYS = new Set([
     "sliceReview",
     "ironLaws"
 ]);
+/**
+ * Config keys removed in the advisory-by-default consolidation. Kept here so
+ * the parser can emit a helpful migration error pointing users at the new
+ * single `strictness` knob instead of a generic "unknown key" message.
+ */
+const RETIRED_GUARD_CONFIG_KEYS = new Set([
+    "promptGuardMode",
+    "tddEnforcement",
+    "workflowGuardMode"
+]);
 /**
  * Config keys always present in the minimal init template. Everything else
  * is "advanced" — parsed when present, but not pre-populated by `cclaw init`.
@@ -131,8 +139,6 @@ export function createDefaultConfig(harnesses = DEFAULT_HARNESSES, defaultTrack
         flowVersion: FLOW_VERSION,
         harnesses,
         strictness: "advisory",
-        promptGuardMode: "advisory",
-        tddEnforcement: "advisory",
         tddTestGlobs: [...tddTestPathPatterns],
         tdd: {
             testPathPatterns: tddTestPathPatterns,
@@ -145,7 +151,6 @@ export function createDefaultConfig(harnesses = DEFAULT_HARNESSES, defaultTrack
         defaultTrack,
         languageRulePacks: [],
         ironLaws: {
-            mode: "advisory",
             strictLaws: []
         }
     };
@@ -208,6 +213,12 @@ export async function readConfig(projectRoot) {
     const parsed = (parsedUnknown && typeof parsedUnknown === "object"
         ? parsedUnknown
         : {});
+    const retiredGuardKeys = Object.keys(parsed).filter((key) => RETIRED_GUARD_CONFIG_KEYS.has(key));
+    if (retiredGuardKeys.length > 0) {
+        throw configValidationError(fullPath, `config key(s) ${retiredGuardKeys.join(", ")} were removed; ` +
+            `use the single \`strictness: advisory|strict\` knob instead ` +
+            `(advisory is the default). See docs/config.md#strictness for migration.`);
+    }
     const unknownKeys = Object.keys(parsed).filter((key) => !ALLOWED_CONFIG_KEYS.has(key));
     if (unknownKeys.length > 0) {
         throw configValidationError(fullPath, `unknown top-level key(s): ${unknownKeys.join(", ")}`);
@@ -235,29 +246,6 @@ export async function readConfig(projectRoot) {
         throw configValidationError(fullPath, `"strictness" must be "advisory" or "strict"`);
     }
     const strictness = strictnessRaw === "strict" ? "strict" : "advisory";
-    // Legacy guard fields — keep honouring explicit values for power users who
-    // want asymmetric behaviour (e.g. strict prompt guard + advisory TDD).
-    // When the user only set `strictness`, both axes inherit from it.
-    const hasExplicitPromptGuard = Object.prototype.hasOwnProperty.call(parsed, "promptGuardMode");
-    const promptGuardModeRaw = parsed.promptGuardMode;
-    if (hasExplicitPromptGuard &&
-        promptGuardModeRaw !== "advisory" &&
-        promptGuardModeRaw !== "strict") {
-        throw configValidationError(fullPath, `"promptGuardMode" must be "advisory" or "strict"`);
-    }
-    const promptGuardMode = hasExplicitPromptGuard
-        ? (promptGuardModeRaw === "strict" ? "strict" : "advisory")
-        : strictness;
-    const hasExplicitTddEnforcement = Object.prototype.hasOwnProperty.call(parsed, "tddEnforcement");
-    const tddEnforcementRaw = parsed.tddEnforcement;
-    if (hasExplicitTddEnforcement &&
-        tddEnforcementRaw !== "advisory" &&
-        tddEnforcementRaw !== "strict") {
-        throw configValidationError(fullPath, `"tddEnforcement" must be "advisory" or "strict"`);
-    }
-    const tddEnforcement = hasExplicitTddEnforcement
-        ? (tddEnforcementRaw === "strict" ? "strict" : "advisory")
-        : strictness;
     const tddTestGlobsRaw = parsed.tddTestGlobs;
     const tddTestGlobs = validateStringArray(tddTestGlobsRaw, "tddTestGlobs", fullPath)
         ?? [...DEFAULT_TDD_TEST_GLOBS];
@@ -421,37 +409,31 @@ export async function readConfig(projectRoot) {
         if (!isRecord(ironLawsRaw)) {
             throw configValidationError(fullPath, `"ironLaws" must be an object`);
         }
-        const unknownIronLawKeys = Object.keys(ironLawsRaw).filter((key) => key !== "mode" && key !== "strictLaws");
+        if (Object.prototype.hasOwnProperty.call(ironLawsRaw, "mode")) {
+            throw configValidationError(fullPath, `"ironLaws.mode" was removed; the project-wide \`strictness\` knob now ` +
+                `controls iron-law enforcement. Use \`ironLaws.strictLaws\` for per-law overrides.`);
+        }
+        const unknownIronLawKeys = Object.keys(ironLawsRaw).filter((key) => key !== "strictLaws");
         if (unknownIronLawKeys.length > 0) {
             throw configValidationError(fullPath, `"ironLaws" has unknown key(s): ${unknownIronLawKeys.join(", ")}`);
         }
-        const modeRaw = ironLawsRaw.mode;
-        if (modeRaw !== undefined && modeRaw !== "advisory" && modeRaw !== "strict") {
-            throw configValidationError(fullPath, `"ironLaws.mode" must be "advisory" or "strict"`);
-        }
         const strictLawIdsRaw = validateStringArray(ironLawsRaw.strictLaws, "ironLaws.strictLaws", fullPath) ?? [];
         const unknownStrictLawIds = strictLawIdsRaw.filter((id) => !isIronLawId(id));
         if (unknownStrictLawIds.length > 0) {
             throw configValidationError(fullPath, `"ironLaws.strictLaws" contains unknown law id(s): ${unknownStrictLawIds.join(", ")}`);
         }
         ironLaws = {
-            mode: modeRaw === "strict" ? "strict" : "advisory",
             strictLaws: normalizeStrictLawIds(strictLawIdsRaw)
         };
     }
     else {
-        ironLaws = {
-            mode: strictness,
-            strictLaws: []
-        };
+        ironLaws = { strictLaws: [] };
     }
     return {
         version: parsed.version ?? CCLAW_VERSION,
         flowVersion: parsed.flowVersion ?? FLOW_VERSION,
         harnesses,
         strictness,
-        promptGuardMode,
-        tddEnforcement,
         tddTestGlobs,
         tdd: {
             testPathPatterns: resolvedTddTestPathPatterns,
@@ -480,8 +462,6 @@ function buildSerializableConfig(config, options = {}) {
         "flowVersion",
         "harnesses",
         "strictness",
-        "promptGuardMode",
-        "tddEnforcement",
         "tddTestGlobs",
         "tdd",
         "compound",
@@ -536,8 +516,6 @@ export async function detectAdvancedKeys(projectRoot) {
         if (!isRecord(parsedUnknown))
             return new Set();
         const advancedCandidates = [
-            "promptGuardMode",
-            "tddEnforcement",
             "tddTestGlobs",
             "tdd",
             "compound",

package/dist/content/node-hooks.d.ts

@@ -1,7 +1,11 @@
 export interface NodeHookRuntimeOptions {
-    promptGuardMode?: "advisory" | "strict";
-    workflowGuardMode?: "advisory" | "strict";
-    tddEnforcementMode?: "advisory" | "strict";
+    /**
+     * Single enforcement knob derived from `config.strictness`. Generated hooks
+     * embed this value as the default for every guard (prompt, workflow, TDD,
+     * iron-laws-coupled blocks). `CCLAW_STRICTNESS` env var overrides at run
+     * time; per-law strictness still flows through `iron-laws.json`.
+     */
+    strictness?: "advisory" | "strict";
     tddTestPathPatterns?: string[];
     tddProductionPathPatterns?: string[];
 }

package/dist/content/node-hooks.js

@@ -11,9 +11,7 @@ function normalizePatterns(patterns, fallback) {
  * bash/python/jq runtime dependencies.
  */
 export function nodeHookRuntimeScript(options = {}) {
-    const promptGuardMode = options.promptGuardMode === "strict" ? "strict" : "advisory";
-    const workflowGuardMode = options.workflowGuardMode === "strict" ? "strict" : "advisory";
-    const tddEnforcementMode = options.tddEnforcementMode === "strict" ? "strict" : "advisory";
+    const strictness = options.strictness === "strict" ? "strict" : "advisory";
     const tddTestPathPatterns = normalizePatterns(options.tddTestPathPatterns, [
         "**/*.test.*",
         "**/tests/**",
@@ -27,12 +25,17 @@ import process from "node:process";
 import { spawn } from "node:child_process";
 
 const RUNTIME_ROOT = ${JSON.stringify(RUNTIME_ROOT)};
-const DEFAULT_PROMPT_GUARD_MODE = ${JSON.stringify(promptGuardMode)};
-const DEFAULT_WORKFLOW_GUARD_MODE = ${JSON.stringify(workflowGuardMode)};
-const DEFAULT_TDD_ENFORCEMENT_MODE = ${JSON.stringify(tddEnforcementMode)};
+// Single strictness default, derived from config.strictness at install time.
+// \`CCLAW_STRICTNESS\` env var overrides for the current process. All guards
+// (prompt, workflow, TDD, iron-laws) route through \`resolveStrictness()\`.
+const DEFAULT_STRICTNESS = ${JSON.stringify(strictness)};
 const DEFAULT_TDD_TEST_PATH_PATTERNS = ${JSON.stringify(tddTestPathPatterns)};
 const DEFAULT_TDD_PRODUCTION_PATH_PATTERNS = ${JSON.stringify(tddProductionPathPatterns)};
 
+function resolveStrictness() {
+  return process.env.CCLAW_STRICTNESS === "strict" ? "strict" : DEFAULT_STRICTNESS;
+}
+
 function toObject(value) {
   if (!value || typeof value !== "object" || Array.isArray(value)) return null;
   return value;
@@ -1024,9 +1027,7 @@ async function handlePreCompact(runtime) {
 }
 
 async function handlePromptGuard(runtime) {
-  const mode = process.env.PROMPT_GUARD_MODE === "strict"
-    ? "strict"
-    : DEFAULT_PROMPT_GUARD_MODE;
+  const mode = resolveStrictness();
   const stateDir = path.join(runtime.root, RUNTIME_ROOT, "state");
   const guardLog = path.join(stateDir, "prompt-guard.jsonl");
 
@@ -1202,17 +1203,15 @@ function isProductionPath(rawPath, testPatterns, productionPatterns) {
 }
 
 async function handleWorkflowGuard(runtime) {
-  const mode = process.env.CCLAW_WORKFLOW_GUARD_MODE === "strict"
-    ? "strict"
-    : DEFAULT_WORKFLOW_GUARD_MODE;
+  const mode = resolveStrictness();
   const maxAgeRaw = process.env.CCLAW_WORKFLOW_GUARD_MAX_AGE_SEC;
   const maxAgeSec =
     typeof maxAgeRaw === "string" && /^[0-9]+$/u.test(maxAgeRaw)
       ? Number(maxAgeRaw)
       : 1800;
-  const tddEnforcement = process.env.TDD_ENFORCEMENT_MODE === "strict"
-    ? "strict"
-    : DEFAULT_TDD_ENFORCEMENT_MODE;
+  // TDD enforcement now follows the same single strictness knob — keeping the
+  // distinct local binding so the downstream block rules stay self-documenting.
+  const tddEnforcement = mode;
 
   const stateDir = path.join(runtime.root, RUNTIME_ROOT, "state");
   const guardStateFile = path.join(stateDir, "workflow-guard.json");
@@ -1513,9 +1512,7 @@ async function handleContextMonitor(runtime) {
 }
 
 async function handleVerifyCurrentState(runtime) {
-  const mode = process.env.CCLAW_WORKFLOW_GUARD_MODE === "strict"
-    ? "strict"
-    : DEFAULT_WORKFLOW_GUARD_MODE;
+  const mode = resolveStrictness();
   const result = await runCclawInternal(runtime.root, ["verify-current-state", "--quiet"]);
   if (result.missingBinary) {
     process.stderr.write("[cclaw] hook: cclaw binary is required for verify-current-state\\n");

package/dist/doctor.js

@@ -483,17 +483,17 @@ export async function doctorChecks(projectRoot, options = {}) {
                     : `warning: ${RUNTIME_ROOT}/config.yaml uses deprecated "tddTestGlobs". Migrate to "tdd.testPathPatterns".`
                 : `no deprecated "tddTestGlobs" key detected in ${RUNTIME_ROOT}/config.yaml`
         });
-        const expectedMode = parsedConfig.promptGuardMode === "strict" ? "strict" : "advisory";
-        const promptGuardPath = path.join(projectRoot, RUNTIME_ROOT, "hooks", "run-hook.mjs");
-        let promptGuardModeOk = false;
-        if (await exists(promptGuardPath)) {
-            const promptGuardContent = await fs.readFile(promptGuardPath, "utf8");
-            promptGuardModeOk = promptGuardContent.includes(`const DEFAULT_PROMPT_GUARD_MODE = "${expectedMode}"`);
+        const expectedStrictness = parsedConfig.strictness === "strict" ? "strict" : "advisory";
+        const hookRuntimePath = path.join(projectRoot, RUNTIME_ROOT, "hooks", "run-hook.mjs");
+        let strictnessOk = false;
+        if (await exists(hookRuntimePath)) {
+            const runtimeContent = await fs.readFile(hookRuntimePath, "utf8");
+            strictnessOk = runtimeContent.includes(`const DEFAULT_STRICTNESS = "${expectedStrictness}"`);
         }
         checks.push({
-            name: "hook:prompt_guard:mode",
-            ok: promptGuardModeOk,
-            details: `${promptGuardPath} must match promptGuardMode=${expectedMode}`
+            name: "hook:runtime:strictness",
+            ok: strictnessOk,
+            details: `${hookRuntimePath} must embed DEFAULT_STRICTNESS = "${expectedStrictness}" matching config.strictness`
         });
         if (parsedConfig.gitHookGuards === true) {
             const runtimePreCommit = path.join(projectRoot, RUNTIME_ROOT, "hooks", "git", "pre-commit.mjs");

package/dist/install.js

@@ -720,15 +720,14 @@ async function writeHooks(projectRoot, config) {
     const stateDir = runtimePath(projectRoot, "state");
     await ensureDir(hooksDir);
     await ensureDir(stateDir);
+    const effectiveStrictness = config.strictness ?? "advisory";
     await writeFileSafe(runtimePath(projectRoot, "state", "iron-laws.json"), `${JSON.stringify(ironLawRuntimeDocument({
-        mode: config.ironLaws?.mode,
+        mode: effectiveStrictness,
         strictLaws: config.ironLaws?.strictLaws
     }), null, 2)}\n`);
     await writeFileSafe(path.join(hooksDir, "stage-complete.mjs"), stageCompleteScript());
     await writeFileSafe(path.join(hooksDir, "run-hook.mjs"), nodeHookRuntimeScript({
-        promptGuardMode: config.promptGuardMode ?? config.strictness ?? "advisory",
-        workflowGuardMode: config.strictness ?? "advisory",
-        tddEnforcementMode: config.tddEnforcement ?? config.strictness ?? "advisory",
+        strictness: effectiveStrictness,
         tddTestPathPatterns: config.tdd?.testPathPatterns ?? config.tddTestGlobs,
         tddProductionPathPatterns: config.tdd?.productionPathPatterns
     }));

package/dist/types.d.ts

@@ -110,7 +110,12 @@ export interface CompoundConfig {
     recurrenceThreshold?: number;
 }
 export interface IronLawsConfig {
-    mode?: "advisory" | "strict";
+    /**
+     * Per-law escape hatch: list the iron-law ids that must always be strict,
+     * independent of the project-wide `strictness` knob. Kept as an advanced
+     * override for teams that want e.g. `tdd-red-before-write` strict while the
+     * rest of the pipeline stays advisory.
+     */
     strictLaws?: string[];
 }
 export interface CclawConfig {
@@ -118,30 +123,16 @@ export interface CclawConfig {
     flowVersion: string;
     harnesses: HarnessId[];
     /**
-     * Single-knob strictness for both guard families. When set, cclaw derives
-     * `promptGuardMode` and `tddEnforcement` from this value unless the legacy
-     * fields are explicitly provided. Default: "advisory".
+     * Single knob that controls enforcement behaviour of all hook-driven guards
+     * (prompt guard, workflow guard, TDD enforcement, iron laws). Default:
+     * `"advisory"` — hooks append a stderr nudge and exit 0. `"strict"` flips
+     * the same hooks to fail-closed (non-zero exit) so the harness refuses the
+     * offending action.
      *
-     * Added in v0.43.0 to collapse two fields that always moved together for
-     * ~99% of users. Power users who want asymmetric strictness (e.g. strict
-     * prompt guard, advisory TDD) can still set the legacy fields directly —
-     * explicit per-axis values override the derived strictness.
+     * Per-law escapes live on `ironLaws.strictLaws` for teams that need to keep
+     * specific iron laws strict while the project-wide knob stays advisory.
      */
     strictness?: "advisory" | "strict";
-    /**
-     * Prompt guard behavior for runtime write-risk detection hooks.
-     *
-     * Since v0.43.0 this is an advanced override. Prefer `strictness` in new
-     * configs; set this explicitly only when you need strict prompt guarding
-     * while keeping TDD advisory, or vice versa.
-     */
-    promptGuardMode?: "advisory" | "strict";
-    /**
-     * TDD RED -> GREEN -> REFACTOR enforcement mode used by workflow guard hooks.
-     *
-     * Since v0.43.0 this is an advanced override — see `strictness`.
-     */
-    tddEnforcement?: "advisory" | "strict";
     /**
      * Legacy alias for test-side path detection in workflow-guard.
      * Prefer `tdd.testPathPatterns` in new configs.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cclaw-cli",
-  "version": "0.48.11",
+  "version": "0.48.12",
   "description": "Installer-first flow toolkit for coding agents",
   "type": "module",
   "bin": {