cclaw-cli 0.48.4 → 0.48.6

package/dist/artifact-linter.js

@@ -1092,6 +1092,14 @@ export async function validateReviewArmy(projectRoot) {
     }
     const severitySet = new Set(["Critical", "Important", "Suggestion"]);
     const statusSet = new Set(["open", "accepted", "resolved"]);
+    const sourceSet = new Set([
+        "spec",
+        "correctness",
+        "security",
+        "performance",
+        "architecture",
+        "external-safety"
+    ]);
     const findingIds = new Set();
     const openCriticalIds = new Set();
     if (!Array.isArray(root.findings)) {
@@ -1128,6 +1136,17 @@ export async function validateReviewArmy(projectRoot) {
             if (!isStringArray(o.reportedBy) || o.reportedBy.length === 0) {
                 errors.push(`findings[${i}].reportedBy must be a non-empty string array.`);
             }
+            if (o.sources !== undefined) {
+                if (!isStringArray(o.sources) || o.sources.length === 0) {
+                    errors.push(`findings[${i}].sources must be a non-empty string array when present.`);
+                }
+                else {
+                    const invalidSources = o.sources.filter((source) => !sourceSet.has(source));
+                    if (invalidSources.length > 0) {
+                        errors.push(`findings[${i}].sources contains unknown values: ${invalidSources.join(", ")}.`);
+                    }
+                }
+            }
             if (o.location === undefined || o.location === null) {
                 errors.push(`findings[${i}].location is required and must be an object with file + line.`);
             }
@@ -1231,6 +1250,19 @@ export async function validateReviewArmy(projectRoot) {
                 }
             }
         }
+        if (rec.layerCoverage !== undefined) {
+            if (rec.layerCoverage === null || typeof rec.layerCoverage !== "object" || Array.isArray(rec.layerCoverage)) {
+                errors.push("reconciliation.layerCoverage must be an object when present.");
+            }
+            else {
+                const coverage = rec.layerCoverage;
+                for (const source of sourceSet) {
+                    if (coverage[source] !== undefined && typeof coverage[source] !== "boolean") {
+                        errors.push(`reconciliation.layerCoverage.${source} must be boolean when present.`);
+                    }
+                }
+            }
+        }
     }
     return { valid: errors.length === 0, errors };
 }

package/dist/config.d.ts

@@ -42,7 +42,7 @@ export declare function readConfig(projectRoot: string): Promise<CclawConfig>;
  * the user set them explicitly. Keeps the default template small and honest:
  * only knobs a new user would meaningfully flip show up.
  */
-type AdvancedConfigKey = "promptGuardMode" | "tddEnforcement" | "tddTestGlobs" | "tdd" | "compound" | "defaultTrack" | "languageRulePacks" | "trackHeuristics" | "sliceReview";
+type AdvancedConfigKey = "promptGuardMode" | "tddEnforcement" | "tddTestGlobs" | "tdd" | "compound" | "defaultTrack" | "languageRulePacks" | "trackHeuristics" | "sliceReview" | "ironLaws";
 /**
  * Options controlling the serialisation shape of `config.yaml`.
  *

package/dist/config.js

@@ -2,6 +2,7 @@ import fs from "node:fs/promises";
 import path from "node:path";
 import { parse, stringify } from "yaml";
 import { CCLAW_VERSION, DEFAULT_HARNESSES, FLOW_VERSION, RUNTIME_ROOT } from "./constants.js";
+import { isIronLawId, normalizeStrictLawIds } from "./content/iron-laws.js";
 import { exists, writeFileSafe } from "./fs-utils.js";
 import { FLOW_TRACKS, HARNESS_IDS, LANGUAGE_RULE_PACKS } from "./types.js";
 const CONFIG_PATH = `${RUNTIME_ROOT}/config.yaml`;
@@ -25,7 +26,8 @@ const ALLOWED_CONFIG_KEYS = new Set([
     "defaultTrack",
     "languageRulePacks",
     "trackHeuristics",
-    "sliceReview"
+    "sliceReview",
+    "ironLaws"
 ]);
 /**
  * Config keys always present in the minimal init template. Everything else
@@ -141,7 +143,11 @@ export function createDefaultConfig(harnesses = DEFAULT_HARNESSES, defaultTrack
         },
         gitHookGuards: false,
         defaultTrack,
-        languageRulePacks: []
+        languageRulePacks: [],
+        ironLaws: {
+            mode: "advisory",
+            strictLaws: []
+        }
     };
 }
 /**
@@ -409,6 +415,36 @@ export async function readConfig(projectRoot) {
             enforceOnTracks: enforceOnTracks ?? DEFAULT_SLICE_REVIEW_TRACKS
         };
     }
+    const ironLawsRaw = parsed.ironLaws;
+    let ironLaws = undefined;
+    if (Object.prototype.hasOwnProperty.call(parsed, "ironLaws")) {
+        if (!isRecord(ironLawsRaw)) {
+            throw configValidationError(fullPath, `"ironLaws" must be an object`);
+        }
+        const unknownIronLawKeys = Object.keys(ironLawsRaw).filter((key) => key !== "mode" && key !== "strictLaws");
+        if (unknownIronLawKeys.length > 0) {
+            throw configValidationError(fullPath, `"ironLaws" has unknown key(s): ${unknownIronLawKeys.join(", ")}`);
+        }
+        const modeRaw = ironLawsRaw.mode;
+        if (modeRaw !== undefined && modeRaw !== "advisory" && modeRaw !== "strict") {
+            throw configValidationError(fullPath, `"ironLaws.mode" must be "advisory" or "strict"`);
+        }
+        const strictLawIdsRaw = validateStringArray(ironLawsRaw.strictLaws, "ironLaws.strictLaws", fullPath) ?? [];
+        const unknownStrictLawIds = strictLawIdsRaw.filter((id) => !isIronLawId(id));
+        if (unknownStrictLawIds.length > 0) {
+            throw configValidationError(fullPath, `"ironLaws.strictLaws" contains unknown law id(s): ${unknownStrictLawIds.join(", ")}`);
+        }
+        ironLaws = {
+            mode: modeRaw === "strict" ? "strict" : "advisory",
+            strictLaws: normalizeStrictLawIds(strictLawIdsRaw)
+        };
+    }
+    else {
+        ironLaws = {
+            mode: strictness,
+            strictLaws: []
+        };
+    }
     return {
         version: parsed.version ?? CCLAW_VERSION,
         flowVersion: parsed.flowVersion ?? FLOW_VERSION,
@@ -428,7 +464,8 @@ export async function readConfig(projectRoot) {
         defaultTrack,
         languageRulePacks,
         trackHeuristics,
-        sliceReview
+        sliceReview,
+        ironLaws
     };
 }
 function isMinimalKey(key) {
@@ -452,7 +489,8 @@ function buildSerializableConfig(config, options = {}) {
         "defaultTrack",
         "languageRulePacks",
         "trackHeuristics",
-        "sliceReview"
+        "sliceReview",
+        "ironLaws"
     ];
     for (const key of ordered) {
         const value = config[key];
@@ -506,7 +544,8 @@ export async function detectAdvancedKeys(projectRoot) {
             "defaultTrack",
             "languageRulePacks",
             "trackHeuristics",
-            "sliceReview"
+            "sliceReview",
+            "ironLaws"
         ];
         const present = new Set();
         for (const key of advancedCandidates) {

package/dist/content/hooks.js

@@ -48,6 +48,7 @@ STATE_FILE="$ROOT/${RUNTIME_ROOT}/state/flow-state.json"
 ACTIVE_FEATURE_FILE="$ROOT/${RUNTIME_ROOT}/state/active-feature.json"
 CHECKPOINT_FILE="$ROOT/${RUNTIME_ROOT}/state/checkpoint.json"
 ACTIVITY_FILE="$ROOT/${RUNTIME_ROOT}/state/stage-activity.jsonl"
+IRON_LAWS_FILE="$ROOT/${RUNTIME_ROOT}/state/iron-laws.json"
 SUGGESTION_MEMORY_FILE="$ROOT/${RUNTIME_ROOT}/state/suggestion-memory.json"
 CONTEXT_WARNINGS_FILE="$ROOT/${RUNTIME_ROOT}/state/context-warnings.jsonl"
 CONTEXT_MODE_FILE="$ROOT/${RUNTIME_ROOT}/state/context-mode.json"
@@ -352,74 +353,99 @@ if [ -f "$META_SKILL" ]; then
   META_CONTENT=$(cat "$META_SKILL" 2>/dev/null || echo "")
 fi
 
-# --- Build compact knowledge digest (stage-biased, top entries only) ---
+# --- Build compact knowledge digest (stage + branch + diff aware) ---
 KNOWLEDGE_DIGEST=""
 LEARNINGS_COUNT=0
 if [ -f "$KNOWLEDGE_FILE" ] && [ -s "$KNOWLEDGE_FILE" ]; then
   LEARNINGS_COUNT=$(grep -c '^{' "$KNOWLEDGE_FILE" 2>/dev/null || echo "0")
+fi
+
+if command -v cclaw >/dev/null 2>&1 && [ -f "$KNOWLEDGE_FILE" ] && [ -s "$KNOWLEDGE_FILE" ]; then
+  BRANCH_NAME=""
+  if command -v git >/dev/null 2>&1 && git -C "$ROOT" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+    BRANCH_NAME=$(git -C "$ROOT" rev-parse --abbrev-ref HEAD 2>/dev/null || echo "")
+  fi
+  DIFF_FILES_CSV=""
+  if command -v git >/dev/null 2>&1 && git -C "$ROOT" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+    DIFF_FILES_CSV=$(git -C "$ROOT" diff --name-only HEAD~5..HEAD 2>/dev/null | head -n 20 | tr '\n' ',' | sed 's/,$//' || echo "")
+  fi
+  OPEN_GATES_CSV=""
+  if [ -f "$STATE_FILE" ] && command -v jq >/dev/null 2>&1; then
+    OPEN_GATES_CSV=$(jq -r --arg stage "$STAGE" '
+      (.stageGateCatalog[$stage].required // [])
+      - (.stageGateCatalog[$stage].passed // [])
+      | join(",")
+    ' "$STATE_FILE" 2>/dev/null || echo "")
+  fi
+  DIGEST_CMD=(cclaw internal knowledge-digest --stage="$STAGE" --limit=8)
+  if [ -n "$BRANCH_NAME" ]; then
+    DIGEST_CMD+=("--branch=$BRANCH_NAME")
+  fi
+  if [ -n "$DIFF_FILES_CSV" ]; then
+    DIGEST_CMD+=("--diff-files=$DIFF_FILES_CSV")
+  fi
+  if [ -n "$OPEN_GATES_CSV" ]; then
+    DIGEST_CMD+=("--open-gates=$OPEN_GATES_CSV")
+  fi
+  KNOWLEDGE_DIGEST=$("\${DIGEST_CMD[@]}" 2>/dev/null || echo "")
+fi
+
+if [ -z "$KNOWLEDGE_DIGEST" ] && [ -f "$KNOWLEDGE_FILE" ] && [ -s "$KNOWLEDGE_FILE" ]; then
   if command -v jq >/dev/null 2>&1; then
-    KNOWLEDGE_DIGEST=$(tail -n 200 "$KNOWLEDGE_FILE" 2>/dev/null | jq -Rsc --arg stage "$STAGE" '
+    KNOWLEDGE_DIGEST=$(tail -n 120 "$KNOWLEDGE_FILE" 2>/dev/null | jq -Rsc --arg stage "$STAGE" '
       split("\\n")
       | map(select(length > 0))
       | map(try fromjson catch null)
       | map(select(type == "object"))
       | map(select((.stage // null) == $stage or (.stage // null) == null))
       | reverse
-      | .[0:8]
+      | .[0:6]
       | map("- [" + ((.confidence // "unknown")|tostring) + " • " + ((.stage // "global")|tostring) + " • " + ((.domain // "general")|tostring) + "] " + ((.trigger // "trigger")|tostring) + " -> " + ((.action // "action")|tostring))
       | join("\\n")
     ' 2>/dev/null || echo "")
+  else
+    KNOWLEDGE_DIGEST=$(tail -n 6 "$KNOWLEDGE_FILE" 2>/dev/null || echo "")
+  fi
+fi
+
+if [ -n "$KNOWLEDGE_DIGEST" ]; then
+  printf '# Knowledge digest (auto-generated)\\n\\n%s\\n' "$KNOWLEDGE_DIGEST" > "$KNOWLEDGE_DIGEST_FILE" 2>/dev/null || true
+elif [ -f "$KNOWLEDGE_DIGEST_FILE" ]; then
+  printf '# Knowledge digest (auto-generated)\\n\\n(no matching entries for current stage)\\n' > "$KNOWLEDGE_DIGEST_FILE" 2>/dev/null || true
+fi
+
+IRON_LAWS_SUMMARY=""
+if [ -f "$IRON_LAWS_FILE" ]; then
+  if command -v jq >/dev/null 2>&1; then
+    IRON_LAWS_SUMMARY=$(jq -r '
+      (.laws // [])
+      | map("- [" + (if (.strict // false) then "strict" else "advisory" end) + "] " + ((.id // "law")|tostring) + " -> " + ((.rule // "")|tostring))
+      | .[0:6]
+      | join("\\n")
+    ' "$IRON_LAWS_FILE" 2>/dev/null || echo "")
   elif command -v python3 >/dev/null 2>&1; then
-    KNOWLEDGE_DIGEST=$(python3 - "$KNOWLEDGE_FILE" "$STAGE" <<'PY'
+    IRON_LAWS_SUMMARY=$(python3 - "$IRON_LAWS_FILE" <<'PY'
 import json
 import sys
-
-path = sys.argv[1]
-stage = sys.argv[2]
-entries = []
+out = []
 try:
-    with open(path, "r", encoding="utf-8") as fh:
-        lines = fh.readlines()[-200:]
-    for raw in lines:
-        raw = raw.strip()
-        if not raw:
-            continue
-        try:
-            obj = json.loads(raw)
-        except Exception:
-            continue
-        if not isinstance(obj, dict):
-            continue
-        row_stage = obj.get("stage")
-        if row_stage not in (stage, None):
+    with open(sys.argv[1], "r", encoding="utf-8") as fh:
+        parsed = json.load(fh)
+    for row in (parsed.get("laws") or [])[:6]:
+        if not isinstance(row, dict):
             continue
-        entries.append(obj)
+        strict = "strict" if row.get("strict") else "advisory"
+        law_id = str(row.get("id") or "law")
+        rule = str(row.get("rule") or "")
+        out.append(f"- [{strict}] {law_id} -> {rule}")
 except Exception:
-    entries = []
-
-entries = list(reversed(entries))[:8]
-out = []
-for obj in entries:
-    conf = str(obj.get("confidence", "unknown"))
-    row_stage = str(obj.get("stage", "global"))
-    domain = str(obj.get("domain", "general"))
-    trigger = str(obj.get("trigger", "trigger"))
-    action = str(obj.get("action", "action"))
-    out.append(f"- [{conf} • {row_stage} • {domain}] {trigger} -> {action}")
+    out = []
 print("\\n".join(out))
 PY
 )
-  else
-    KNOWLEDGE_DIGEST=$(tail -n 8 "$KNOWLEDGE_FILE" 2>/dev/null || echo "")
   fi
 fi
 
-if [ -n "$KNOWLEDGE_DIGEST" ]; then
-  printf '# Knowledge digest (auto-generated)\\n\\n%s\\n' "$KNOWLEDGE_DIGEST" > "$KNOWLEDGE_DIGEST_FILE" 2>/dev/null || true
-elif [ -f "$KNOWLEDGE_DIGEST_FILE" ]; then
-  printf '# Knowledge digest (auto-generated)\\n\\n(no matching entries for current stage)\\n' > "$KNOWLEDGE_DIGEST_FILE" 2>/dev/null || true
-fi
-
 # --- Installed cclaw-cli version vs. project's recorded version (one-block
 # upgrade-check, gstack-style). Purely informational — we never block. ---
 VERSION_NOTE=""
@@ -503,6 +529,11 @@ if [ -n "$KNOWLEDGE_DIGEST" ]; then
 Knowledge digest (top relevant entries):
 $KNOWLEDGE_DIGEST"
 fi
+if [ -n "$IRON_LAWS_SUMMARY" ]; then
+  CTX="$CTX
+Iron laws (enforced policy highlights):
+$IRON_LAWS_SUMMARY"
+fi
 if [ -n "$META_CONTENT" ]; then
   CTX="$CTX
 
@@ -545,6 +576,7 @@ STATE_FILE="$STATE_DIR/flow-state.json"
 CHECKPOINT_FILE="$STATE_DIR/checkpoint.json"
 CHECKPOINT_TMP="$STATE_DIR/checkpoint.json.tmp.$$"
 CHECKPOINT_LOCK_DIR="$STATE_DIR/.checkpoint.lock"
+IRON_LAWS_FILE="$STATE_DIR/iron-laws.json"
 STAGE="none"
 ACTIVE_RUN="none"
 LOOP_COUNT=""
@@ -617,6 +649,38 @@ if command -v git >/dev/null 2>&1; then
   fi
 fi
 
+STRICT_STOP_DIRTY="false"
+if [ -f "$IRON_LAWS_FILE" ]; then
+  if command -v jq >/dev/null 2>&1; then
+    STRICT_STOP_DIRTY=$(jq -r '
+      if (.mode // "advisory") == "strict" then "true"
+      elif ((.laws // []) | any(.id == "stop-clean-or-checkpointed" and .strict == true)) then "true"
+      else "false"
+      end
+    ' "$IRON_LAWS_FILE" 2>/dev/null || echo "false")
+  elif command -v python3 >/dev/null 2>&1; then
+    STRICT_STOP_DIRTY=$(python3 - "$IRON_LAWS_FILE" <<'PY'
+import json
+import sys
+value = "false"
+try:
+    with open(sys.argv[1], "r", encoding="utf-8") as fh:
+        parsed = json.load(fh)
+    if str(parsed.get("mode", "advisory")) == "strict":
+        value = "true"
+    else:
+        for row in parsed.get("laws", []):
+            if isinstance(row, dict) and row.get("id") == "stop-clean-or-checkpointed" and row.get("strict") is True:
+                value = "true"
+                break
+except Exception:
+    value = "false"
+print(value)
+PY
+)
+  fi
+fi
+
 TS=$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || echo "")
 mkdir -p "$STATE_DIR" 2>/dev/null || true
 CHECKPOINT_WRITTEN=0
@@ -742,6 +806,11 @@ if [ "$CHECKPOINT_WRITTEN" -eq 0 ]; then
   CHECKPOINT_NOTE="Checkpoint update failed. Review ${RUNTIME_ROOT}/state/checkpoint.json manually."
 fi
 
+if [ "$DIRTY_STATE" = "dirty" ] && [ "$STRICT_STOP_DIRTY" = "true" ]; then
+  printf '[cclaw] Stop blocked by iron law "stop-clean-or-checkpointed": working tree is dirty. Commit/revert changes or update checkpoint blockers before ending the session.\\n' >&2
+  exit 1
+fi
+
 RUN_SYNC_NOTE="Run metadata sync removed; active artifacts stay in ${RUNTIME_ROOT}/artifacts until /cc-ops archive (or cclaw archive runtime)."
 
 # --- Escape for JSON ---

package/dist/content/ideate-command.js

@@ -58,6 +58,17 @@ same session, or save/discard the backlog.
 6. **Present the handoff prompt** with four concrete options — not A/B/C
    letters. Default = "Start /cc on the top recommendation".
 
+## Headless mode
+
+For skill-to-skill invocation, emit exactly one JSON envelope:
+
+\`\`\`json
+{"version":"1","kind":"stage-output","stage":"brainstorm","payload":{"command":"/cc-ideate","artifact":".cclaw/artifacts/ideate-<date>-<slug>.md","recommendation":"I-1"},"emittedAt":"<ISO-8601>"}
+\`\`\`
+
+Validate envelopes with:
+\`cclaw internal envelope-validate --stdin\`
+
 ## Primary skill
 
 **${RUNTIME_ROOT}/skills/${IDEATE_SKILL_FOLDER}/SKILL.md**

package/dist/content/iron-laws.d.ts

@@ -0,0 +1,134 @@
+import type { FlowStage } from "../types.js";
+export type IronLawEnforcementPoint = "PreToolUse" | "PostToolUse" | "SessionStart" | "Stop" | "advisory";
+export type IronLawSeverity = "hard-gate" | "soft-gate";
+export interface IronLawDefinition {
+    id: string;
+    title: string;
+    rule: string;
+    rationale: string;
+    enforcement: IronLawEnforcementPoint;
+    severity: IronLawSeverity;
+    appliesTo: "all" | FlowStage[];
+    hookMatcher?: {
+        toolPattern?: string;
+        payloadPattern?: string;
+    };
+}
+export interface IronLawRuntimeRecord {
+    id: string;
+    title: string;
+    rule: string;
+    enforcement: IronLawEnforcementPoint;
+    severity: IronLawSeverity;
+    appliesTo: "all" | FlowStage[];
+    strict: boolean;
+    hookMatcher?: {
+        toolPattern?: string;
+        payloadPattern?: string;
+    };
+}
+export interface IronLawRuntimeDocument {
+    version: 1;
+    generatedAt: string;
+    mode: "advisory" | "strict";
+    strictLaws: string[];
+    laws: IronLawRuntimeRecord[];
+}
+export declare const IRON_LAWS: readonly [{
+    readonly id: "tdd-red-before-write";
+    readonly title: "RED before production write";
+    readonly rule: "Do not edit production code in tdd stage before a failing RED test exists for the slice.";
+    readonly rationale: "Prevents implementation-first behavior and keeps RED as executable specification.";
+    readonly enforcement: "PreToolUse";
+    readonly severity: "hard-gate";
+    readonly appliesTo: ["tdd"];
+    readonly hookMatcher: {
+        readonly toolPattern: "write|edit|multiedit|applypatch|shell|bash";
+        readonly payloadPattern: "\\.(ts|tsx|js|jsx|py|go|java|rs|rb|php|c|cc|cpp|h|hpp)";
+    };
+}, {
+    readonly id: "plan-requires-approval";
+    readonly title: "No implementation before plan approval";
+    readonly rule: "Do not perform write-like actions while plan stage is pending WAIT_FOR_CONFIRM approval.";
+    readonly rationale: "Locks intent before execution and reduces expensive rework from unapproved paths.";
+    readonly enforcement: "PreToolUse";
+    readonly severity: "hard-gate";
+    readonly appliesTo: ["plan"];
+}, {
+    readonly id: "runtime-writes-managed-only";
+    readonly title: "Runtime writes are managed";
+    readonly rule: "Do not mutate .cclaw/state, .cclaw/hooks, or .cclaw/skills by ad-hoc edits unless using cclaw-managed commands.";
+    readonly rationale: "Protects generated runtime integrity and avoids drift that silently breaks hooks or skills.";
+    readonly enforcement: "PreToolUse";
+    readonly severity: "hard-gate";
+    readonly appliesTo: "all";
+    readonly hookMatcher: {
+        readonly toolPattern: "write|edit|multiedit|delete|applypatch|shell|bash";
+        readonly payloadPattern: "\\.cclaw/(state|hooks|skills)";
+    };
+}, {
+    readonly id: "flow-state-read-fresh";
+    readonly title: "Fresh flow-state read required";
+    readonly rule: "Before mutating actions, a fresh read of .cclaw/state/flow-state.json must exist within guard freshness window.";
+    readonly rationale: "Prevents stale-stage mutations after context shifts or multi-agent divergence.";
+    readonly enforcement: "PreToolUse";
+    readonly severity: "hard-gate";
+    readonly appliesTo: "all";
+}, {
+    readonly id: "review-layer-order";
+    readonly title: "Review layers are sequential";
+    readonly rule: "Review stage must complete Layer 1 spec compliance before Layer 2 quality/security passes.";
+    readonly rationale: "Stops premature quality discussion when acceptance criteria are not yet satisfied.";
+    readonly enforcement: "advisory";
+    readonly severity: "soft-gate";
+    readonly appliesTo: ["review"];
+}, {
+    readonly id: "review-criticals-close-before-ship";
+    readonly title: "No ship with open criticals";
+    readonly rule: "Ship decisions are blocked when review-army contains open Critical findings or ship blockers.";
+    readonly rationale: "Enforces explicit risk closure before release finalization.";
+    readonly enforcement: "PreToolUse";
+    readonly severity: "hard-gate";
+    readonly appliesTo: ["ship"];
+}, {
+    readonly id: "ship-preflight-required";
+    readonly title: "Preflight required before finalization";
+    readonly rule: "Do not execute release finalization actions until ship preflight gate is passed.";
+    readonly rationale: "Catches regressions before irreversible release steps.";
+    readonly enforcement: "PreToolUse";
+    readonly severity: "hard-gate";
+    readonly appliesTo: ["ship"];
+}, {
+    readonly id: "subagent-task-self-contained";
+    readonly title: "Subagent tasks are self-contained";
+    readonly rule: "Delegated tasks must include explicit objective, constraints, and expected output, not just references.";
+    readonly rationale: "Avoids context loss and low-quality delegation in isolated worker contexts.";
+    readonly enforcement: "advisory";
+    readonly severity: "soft-gate";
+    readonly appliesTo: "all";
+}, {
+    readonly id: "no-secrets-in-artifacts";
+    readonly title: "Never log secrets in artifacts";
+    readonly rule: "Secrets/tokens/passwords must not be written to review, ship, or runtime state artifacts.";
+    readonly rationale: "Prevents accidental credential leakage through generated workflow artifacts.";
+    readonly enforcement: "PostToolUse";
+    readonly severity: "hard-gate";
+    readonly appliesTo: "all";
+}, {
+    readonly id: "stop-clean-or-checkpointed";
+    readonly title: "Stop only from clean checkpoint";
+    readonly rule: "Do not end a session with dirty state unless checkpoint explicitly records unresolved work and blockers.";
+    readonly rationale: "Protects continuity and prevents silent half-finished sessions.";
+    readonly enforcement: "Stop";
+    readonly severity: "hard-gate";
+    readonly appliesTo: "all";
+}];
+export declare function isIronLawId(value: string): boolean;
+export declare function normalizeStrictLawIds(ids: string[] | undefined): string[];
+export declare function ironLawRuntimeDocument(options?: {
+    mode?: "advisory" | "strict";
+    strictLaws?: string[];
+    nowIso?: string;
+}): IronLawRuntimeDocument;
+export declare function ironLawsAgentsMdBlock(): string;
+export declare function ironLawsSkillMarkdown(): string;