npm - cclaw-cli - Versions diffs - 0.48.6 → 0.48.7 - Mend

cclaw-cli 0.48.6 → 0.48.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/content/hooks.d.ts +2 -2
package/dist/content/hooks.js +182 -47
package/dist/content/iron-laws.d.ts +8 -0
package/dist/content/iron-laws.js +9 -0
package/dist/content/observe.js +381 -56
package/dist/content/stages/review.js +2 -2
package/dist/content/templates.js +8 -0
package/dist/doctor.js +6 -2
package/dist/install.js +3 -1
package/dist/internal/advance-stage.js +6 -2
package/dist/internal/tdd-red-evidence.d.ts +7 -0
package/dist/internal/tdd-red-evidence.js +130 -0
package/package.json +1 -1

package/dist/content/hooks.d.ts CHANGED Viewed

@@ -8,7 +8,8 @@
 export interface HookRuntimeOptions {
 }
 /** Shared bash preamble for generated hook scripts. */
-export declare const RUNTIME_SHELL_DETECT_ROOT = "HARNESS=\"codex\"\nif [ -n \"${CLAUDE_PROJECT_DIR:-}\" ]; then\n  HARNESS=\"claude\"\nelif [ -n \"${CURSOR_PROJECT_DIR:-}\" ] || [ -n \"${CURSOR_PROJECT_ROOT:-}\" ]; then\n  HARNESS=\"cursor\"\nelif [ -n \"${OPENCODE_PROJECT_DIR:-}\" ] || [ -n \"${OPENCODE_PROJECT_ROOT:-}\" ]; then\n  HARNESS=\"opencode\"\nfi\n\nROOT=\"\"\nfor candidate in \"${CCLAW_PROJECT_ROOT:-}\" \"${CLAUDE_PROJECT_DIR:-}\" \"${CURSOR_PROJECT_DIR:-}\" \"${CURSOR_PROJECT_ROOT:-}\" \"${OPENCODE_PROJECT_DIR:-}\" \"${OPENCODE_PROJECT_ROOT:-}\" \"${PWD:-}\"; do\n  if [ -n \"$candidate\" ] && [ -d \"$candidate/.cclaw\" ]; then\n    ROOT=\"$candidate\"\n    break\n  fi\ndone\nif [ -z \"$ROOT\" ]; then\n  ROOT=\"${CCLAW_PROJECT_ROOT:-${CLAUDE_PROJECT_DIR:-${CURSOR_PROJECT_DIR:-${CURSOR_PROJECT_ROOT:-${OPENCODE_PROJECT_DIR:-${OPENCODE_PROJECT_ROOT:-${PWD}}}}}}}\"\nfi";
+export declare const RUNTIME_SHELL_DETECT_ROOT = "CCLAW_HOOK_LIB_PATH=\"\"\nfor candidate in \"${CCLAW_PROJECT_ROOT:-}\" \"${CLAUDE_PROJECT_DIR:-}\" \"${CURSOR_PROJECT_DIR:-}\" \"${CURSOR_PROJECT_ROOT:-}\" \"${OPENCODE_PROJECT_DIR:-}\" \"${OPENCODE_PROJECT_ROOT:-}\" \"${PWD:-}\"; do\n  if [ -n \"$candidate\" ] && [ -f \"$candidate/.cclaw/hooks/_lib.sh\" ]; then\n    CCLAW_HOOK_LIB_PATH=\"$candidate/.cclaw/hooks/_lib.sh\"\n    break\n  fi\ndone\nif [ -n \"$CCLAW_HOOK_LIB_PATH\" ] && [ -f \"$CCLAW_HOOK_LIB_PATH\" ]; then\n  # shellcheck disable=SC1090\n  . \"$CCLAW_HOOK_LIB_PATH\"\nfi\n\nif command -v cclaw_hook_detect_root >/dev/null 2>&1; then\n  cclaw_hook_detect_root\nelse\n  HARNESS=\"codex\"\n  if [ -n \"${CLAUDE_PROJECT_DIR:-}\" ]; then\n    HARNESS=\"claude\"\n  elif [ -n \"${CURSOR_PROJECT_DIR:-}\" ] || [ -n \"${CURSOR_PROJECT_ROOT:-}\" ]; then\n    HARNESS=\"cursor\"\n  elif [ -n \"${OPENCODE_PROJECT_DIR:-}\" ] || [ -n \"${OPENCODE_PROJECT_ROOT:-}\" ]; then\n    HARNESS=\"opencode\"\n  fi\n\n  ROOT=\"\"\n  for candidate in \"${CCLAW_PROJECT_ROOT:-}\" \"${CLAUDE_PROJECT_DIR:-}\" \"${CURSOR_PROJECT_DIR:-}\" \"${CURSOR_PROJECT_ROOT:-}\" \"${OPENCODE_PROJECT_DIR:-}\" \"${OPENCODE_PROJECT_ROOT:-}\" \"${PWD:-}\"; do\n    if [ -n \"$candidate\" ] && [ -d \"$candidate/.cclaw\" ]; then\n      ROOT=\"$candidate\"\n      break\n    fi\n  done\n  if [ -z \"$ROOT\" ]; then\n    ROOT=\"${CCLAW_PROJECT_ROOT:-${CLAUDE_PROJECT_DIR:-${CURSOR_PROJECT_DIR:-${CURSOR_PROJECT_ROOT:-${OPENCODE_PROJECT_DIR:-${OPENCODE_PROJECT_ROOT:-${PWD}}}}}}}\"\n  fi\nfi";
+export declare function hookLibScript(): string;
 export declare function sessionStartScript(_options?: HookRuntimeOptions): string;
 export declare function stopCheckpointScript(): string;
 export declare function runHookDispatcherScript(): string;
@@ -18,4 +19,3 @@ export { claudeHooksJsonWithObservation as claudeHooksJson } from "./observe.js"
 export { cursorHooksJsonWithObservation as cursorHooksJson } from "./observe.js";
 export { codexHooksJsonWithObservation as codexHooksJson } from "./observe.js";
 export { opencodePluginJs } from "./opencode-plugin.js";
-export declare function hooksAgentsMdBlock(): string;

package/dist/content/hooks.js CHANGED Viewed

@@ -15,34 +15,195 @@ const ESCAPE_FN = `escape_json() {
   str=\${str//$'\\n'/\\\\n}
   printf '%s' "$str"
 }`;
-const DETECT_ROOT = `HARNESS="codex"
-if [ -n "\${CLAUDE_PROJECT_DIR:-}" ]; then
-  HARNESS="claude"
-elif [ -n "\${CURSOR_PROJECT_DIR:-}" ] || [ -n "\${CURSOR_PROJECT_ROOT:-}" ]; then
-  HARNESS="cursor"
-elif [ -n "\${OPENCODE_PROJECT_DIR:-}" ] || [ -n "\${OPENCODE_PROJECT_ROOT:-}" ]; then
-  HARNESS="opencode"
-fi
-ROOT=""
+const HOOK_LIB_FILE = "_lib.sh";
+/** Shared bash preamble for generated hook scripts. */
+export const RUNTIME_SHELL_DETECT_ROOT = `CCLAW_HOOK_LIB_PATH=""
 for candidate in "\${CCLAW_PROJECT_ROOT:-}" "\${CLAUDE_PROJECT_DIR:-}" "\${CURSOR_PROJECT_DIR:-}" "\${CURSOR_PROJECT_ROOT:-}" "\${OPENCODE_PROJECT_DIR:-}" "\${OPENCODE_PROJECT_ROOT:-}" "\${PWD:-}"; do
-  if [ -n "$candidate" ] && [ -d "$candidate/${RUNTIME_ROOT}" ]; then
-    ROOT="$candidate"
+  if [ -n "$candidate" ] && [ -f "$candidate/${RUNTIME_ROOT}/hooks/${HOOK_LIB_FILE}" ]; then
+    CCLAW_HOOK_LIB_PATH="$candidate/${RUNTIME_ROOT}/hooks/${HOOK_LIB_FILE}"
     break
   fi
 done
-if [ -z "$ROOT" ]; then
-  ROOT="\${CCLAW_PROJECT_ROOT:-\${CLAUDE_PROJECT_DIR:-\${CURSOR_PROJECT_DIR:-\${CURSOR_PROJECT_ROOT:-\${OPENCODE_PROJECT_DIR:-\${OPENCODE_PROJECT_ROOT:-\${PWD}}}}}}}"
+if [ -n "$CCLAW_HOOK_LIB_PATH" ] && [ -f "$CCLAW_HOOK_LIB_PATH" ]; then
+  # shellcheck disable=SC1090
+  . "$CCLAW_HOOK_LIB_PATH"
+fi
+if command -v cclaw_hook_detect_root >/dev/null 2>&1; then
+  cclaw_hook_detect_root
+else
+  HARNESS="codex"
+  if [ -n "\${CLAUDE_PROJECT_DIR:-}" ]; then
+    HARNESS="claude"
+  elif [ -n "\${CURSOR_PROJECT_DIR:-}" ] || [ -n "\${CURSOR_PROJECT_ROOT:-}" ]; then
+    HARNESS="cursor"
+  elif [ -n "\${OPENCODE_PROJECT_DIR:-}" ] || [ -n "\${OPENCODE_PROJECT_ROOT:-}" ]; then
+    HARNESS="opencode"
+  fi
+  ROOT=""
+  for candidate in "\${CCLAW_PROJECT_ROOT:-}" "\${CLAUDE_PROJECT_DIR:-}" "\${CURSOR_PROJECT_DIR:-}" "\${CURSOR_PROJECT_ROOT:-}" "\${OPENCODE_PROJECT_DIR:-}" "\${OPENCODE_PROJECT_ROOT:-}" "\${PWD:-}"; do
+    if [ -n "$candidate" ] && [ -d "$candidate/${RUNTIME_ROOT}" ]; then
+      ROOT="$candidate"
+      break
+    fi
+  done
+  if [ -z "$ROOT" ]; then
+    ROOT="\${CCLAW_PROJECT_ROOT:-\${CLAUDE_PROJECT_DIR:-\${CURSOR_PROJECT_DIR:-\${CURSOR_PROJECT_ROOT:-\${OPENCODE_PROJECT_DIR:-\${OPENCODE_PROJECT_ROOT:-\${PWD}}}}}}}"
+  fi
 fi`;
-/** Shared bash preamble for generated hook scripts. */
-export const RUNTIME_SHELL_DETECT_ROOT = DETECT_ROOT;
+export function hookLibScript() {
+    return `#!/usr/bin/env bash
+# cclaw shared hook library — generated by cclaw sync
+# Shared helper functions for root detection and lightweight JSON parsing.
+cclaw_hook_detect_root() {
+  HARNESS="codex"
+  if [ -n "\${CLAUDE_PROJECT_DIR:-}" ]; then
+    HARNESS="claude"
+  elif [ -n "\${CURSOR_PROJECT_DIR:-}" ] || [ -n "\${CURSOR_PROJECT_ROOT:-}" ]; then
+    HARNESS="cursor"
+  elif [ -n "\${OPENCODE_PROJECT_DIR:-}" ] || [ -n "\${OPENCODE_PROJECT_ROOT:-}" ]; then
+    HARNESS="opencode"
+  fi
+  ROOT=""
+  for candidate in "\${CCLAW_PROJECT_ROOT:-}" "\${CLAUDE_PROJECT_DIR:-}" "\${CURSOR_PROJECT_DIR:-}" "\${CURSOR_PROJECT_ROOT:-}" "\${OPENCODE_PROJECT_DIR:-}" "\${OPENCODE_PROJECT_ROOT:-}" "\${PWD:-}"; do
+    if [ -n "$candidate" ] && [ -d "$candidate/${RUNTIME_ROOT}" ]; then
+      ROOT="$candidate"
+      break
+    fi
+  done
+  if [ -z "$ROOT" ]; then
+    ROOT="\${CCLAW_PROJECT_ROOT:-\${CLAUDE_PROJECT_DIR:-\${CURSOR_PROJECT_DIR:-\${CURSOR_PROJECT_ROOT:-\${OPENCODE_PROJECT_DIR:-\${OPENCODE_PROJECT_ROOT:-\${PWD}}}}}}}"
+  fi
+}
+cclaw_hook_lower() {
+  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
+}
+cclaw_hook_extract_tool_and_payload() {
+  local input_json="$1"
+  CCLAW_HOOK_TOOL="unknown"
+  CCLAW_HOOK_PAYLOAD=""
+  if command -v jq >/dev/null 2>&1; then
+    CCLAW_HOOK_TOOL=$(printf '%s' "$input_json" | jq -r '.tool_name // .tool // .toolName // .name // .id // .command // .tool.name // .tool.id // .input.tool_name // .input.tool // .input.toolName // .input.name // .input.id // .input.command // .input.tool.name // .input.tool.id // "unknown"' 2>/dev/null || echo "unknown")
+    CCLAW_HOOK_PAYLOAD=$(printf '%s' "$input_json" | jq -r '.tool_input // .input // .arguments // .params // .payload // {} | tostring' 2>/dev/null || echo "")
+  elif command -v python3 >/dev/null 2>&1; then
+    CCLAW_HOOK_TOOL=$(INPUT_JSON="$input_json" python3 - <<'PY'
+import json
+import os
+try:
+    value = json.loads(os.environ.get("INPUT_JSON", "{}"))
+except Exception:
+    value = {}
+def pick_tool(payload):
+    if not isinstance(payload, dict):
+        return "unknown"
+    candidates = [
+        payload.get("tool_name"),
+        payload.get("tool"),
+        payload.get("toolName"),
+        payload.get("name"),
+        payload.get("id"),
+        payload.get("command")
+    ]
+    top_tool = payload.get("tool")
+    if isinstance(top_tool, dict):
+        candidates.extend([top_tool.get("name"), top_tool.get("id")])
+    nested = payload.get("input")
+    if isinstance(nested, dict):
+        candidates.extend([
+            nested.get("tool_name"),
+            nested.get("tool"),
+            nested.get("toolName"),
+            nested.get("name"),
+            nested.get("id"),
+            nested.get("command")
+        ])
+        nested_tool = nested.get("tool")
+        if isinstance(nested_tool, dict):
+            candidates.extend([nested_tool.get("name"), nested_tool.get("id")])
+    for candidate in candidates:
+        if isinstance(candidate, str) and candidate.strip():
+            return candidate.strip()
+    return "unknown"
+print(pick_tool(value))
+PY
+)
+    CCLAW_HOOK_PAYLOAD=$(printf '%s' "$input_json")
+  else
+    CCLAW_HOOK_PAYLOAD=$(printf '%s' "$input_json")
+  fi
+  [ -n "$CCLAW_HOOK_PAYLOAD" ] || CCLAW_HOOK_PAYLOAD=$(printf '%s' "$input_json")
+  [ -n "$CCLAW_HOOK_TOOL" ] || CCLAW_HOOK_TOOL="unknown"
+}
+cclaw_hook_read_flow_state_minimal() {
+  local flow_state_file="$1"
+  CCLAW_HOOK_FLOW_STAGE="none"
+  CCLAW_HOOK_FLOW_RUN_ID="active"
+  CCLAW_HOOK_FLOW_COMPLETED="0"
+  [ -f "$flow_state_file" ] || return 0
+  if command -v jq >/dev/null 2>&1; then
+    CCLAW_HOOK_FLOW_STAGE=$(jq -r '.currentStage // "none"' "$flow_state_file" 2>/dev/null || echo "none")
+    CCLAW_HOOK_FLOW_RUN_ID=$(jq -r '.activeRunId // "active"' "$flow_state_file" 2>/dev/null || echo "active")
+    CCLAW_HOOK_FLOW_COMPLETED=$(jq -r '(.completedStages // []) | length' "$flow_state_file" 2>/dev/null || echo "0")
+    return 0
+  fi
+  if command -v python3 >/dev/null 2>&1; then
+    local flow_meta
+    flow_meta=$(python3 - "$flow_state_file" <<'PY'
+import json
+import sys
+stage = "none"
+run_id = "active"
+completed = 0
+try:
+    with open(sys.argv[1], "r", encoding="utf-8") as fh:
+        payload = json.load(fh)
+    stage_value = payload.get("currentStage")
+    run_value = payload.get("activeRunId")
+    completed_value = payload.get("completedStages")
+    if isinstance(stage_value, str) and stage_value:
+        stage = stage_value
+    if isinstance(run_value, str) and run_value:
+        run_id = run_value
+    if isinstance(completed_value, list):
+        completed = len(completed_value)
+except Exception:
+    pass
+print(stage)
+print(run_id)
+print(completed)
+PY
+)
+    {
+      IFS= read -r CCLAW_HOOK_FLOW_STAGE
+      IFS= read -r CCLAW_HOOK_FLOW_RUN_ID
+      IFS= read -r CCLAW_HOOK_FLOW_COMPLETED
+    } <<EOF
+$flow_meta
+EOF
+    [ -n "$CCLAW_HOOK_FLOW_STAGE" ] || CCLAW_HOOK_FLOW_STAGE="none"
+    [ -n "$CCLAW_HOOK_FLOW_RUN_ID" ] || CCLAW_HOOK_FLOW_RUN_ID="active"
+    [ -n "$CCLAW_HOOK_FLOW_COMPLETED" ] || CCLAW_HOOK_FLOW_COMPLETED="0"
+  fi
+}
+`;
+}
 export function sessionStartScript(_options = {}) {
     return `#!/usr/bin/env bash
 # cclaw session-start hook — generated by cclaw sync
 # Injects using-cclaw + flow status + active artifacts + compact knowledge digest + checkpoint/activity summary.
 set -euo pipefail
-${DETECT_ROOT}
+${RUNTIME_SHELL_DETECT_ROOT}
 STATE_FILE="$ROOT/${RUNTIME_ROOT}/state/flow-state.json"
 ACTIVE_FEATURE_FILE="$ROOT/${RUNTIME_ROOT}/state/active-feature.json"
@@ -567,7 +728,7 @@ export function stopCheckpointScript() {
 # Writes checkpoint state and reminds agent about flow/session consistency.
 set -euo pipefail
-${DETECT_ROOT}
+${RUNTIME_SHELL_DETECT_ROOT}
 INPUT=$(cat 2>/dev/null || echo '{}')
@@ -844,7 +1005,7 @@ export function runHookDispatcherScript() {
 # Single entrypoint used by harness hook JSON wiring.
 set -euo pipefail
-${DETECT_ROOT}
+${RUNTIME_SHELL_DETECT_ROOT}
 if [ "$#" -lt 1 ]; then
   printf 'Usage: bash ${RUNTIME_ROOT}/hooks/run-hook.cmd <session-start|stop-checkpoint|pre-compact|prompt-guard|workflow-guard|context-monitor>\\n' >&2
@@ -895,7 +1056,7 @@ export function stageCompleteScript() {
 # mutation to \`cclaw internal advance-stage\`.
 set -euo pipefail
-${DETECT_ROOT}
+${RUNTIME_SHELL_DETECT_ROOT}
 if [ "$#" -lt 1 ]; then
   printf 'Usage: bash ${RUNTIME_ROOT}/hooks/stage-complete.sh <stage> [--passed=...] [--evidence-json=...] [--waive-delegation=...] [--waiver-reason=...]\\n' >&2
@@ -926,9 +1087,7 @@ export function preCompactScript() {
 # having to re-derive it from scratch.
 set -uo pipefail
-${DETECT_ROOT}
-INPUT=$(cat 2>/dev/null || echo '{}')
+${RUNTIME_SHELL_DETECT_ROOT}
 STATE_DIR="$ROOT/${RUNTIME_ROOT}/state"
 STATE_FILE="$STATE_DIR/flow-state.json"
@@ -1073,27 +1232,3 @@ export { codexHooksJsonWithObservation as codexHooksJson } from "./observe.js";
 // OpenCode plugin — JS module
 // ---------------------------------------------------------------------------
 export { opencodePluginJs } from "./opencode-plugin.js";
-// ---------------------------------------------------------------------------
-// AGENTS.md block for hooks
-// ---------------------------------------------------------------------------
-export function hooksAgentsMdBlock() {
-    return `### Hooks (real lifecycle integration)
-Cclaw generates real hook integrations for every harness that exposes a
-hook primitive:
-- **Claude/Cursor:** lifecycle rehydration + PreToolUse/PostToolUse + Stop
-- **OpenCode:** session lifecycle + system transform rehydration + bootstrap parity (digest/warnings/knowledge snapshot)
-- **Codex:** Codex CLI ≥ v0.114 exposes lifecycle hooks at \`.codex/hooks.json\`, gated behind \`[features] codex_hooks = true\` in \`~/.codex/config.toml\`. \`PreToolUse\`/\`PostToolUse\` intercept **only the \`Bash\` tool** in Codex; \`Write\`/\`Edit\`/\`WebSearch\`/MCP calls are substituted via the \`/cc\` skill bodies under \`.agents/skills/cc*/SKILL.md\` and explicit in-turn agent steps. See \`.cclaw/references/harnesses/codex-playbook.md\` for the coverage matrix.
-| Harness | Hook file | Events |
-|---------|-----------|--------|
-| Claude Code | \`.claude/hooks/hooks.json\` | SessionStart(startup/resume/clear/compact), PreToolUse, PostToolUse, Stop |
-| Cursor | \`.cursor/hooks.json\` | sessionStart/sessionResume/sessionClear/sessionCompact, preToolUse, postToolUse, stop |
-| OpenCode | \`${RUNTIME_ROOT}/hooks/opencode-plugin.mjs\` | session.created/updated/resumed/cleared/compacted/idle, tool.execute.before/after, system transform |
-| Codex | \`.codex/hooks.json\` | SessionStart(startup/resume), UserPromptSubmit, PreToolUse(Bash), PostToolUse(Bash), Stop (feature-gated by \`codex_hooks = true\`) |
-Hook state files:
-- \`${RUNTIME_ROOT}/state/stage-activity.jsonl\`
-- \`${RUNTIME_ROOT}/state/checkpoint.json\`
-`;
-}

package/dist/content/iron-laws.d.ts CHANGED Viewed

@@ -98,6 +98,14 @@ export declare const IRON_LAWS: readonly [{
     readonly enforcement: "PreToolUse";
     readonly severity: "hard-gate";
     readonly appliesTo: ["ship"];
+}, {
+    readonly id: "review-coverage-complete-before-ship";
+    readonly title: "Review layer coverage before ship";
+    readonly rule: "Block ship finalization when review-army does not confirm full Layer 1/2 coverage map.";
+    readonly rationale: "Prevents finalization when multi-pass review evidence is incomplete or partially missing.";
+    readonly enforcement: "PreToolUse";
+    readonly severity: "hard-gate";
+    readonly appliesTo: ["ship"];
 }, {
     readonly id: "subagent-task-self-contained";
     readonly title: "Subagent tasks are self-contained";

package/dist/content/iron-laws.js CHANGED Viewed

@@ -71,6 +71,15 @@ export const IRON_LAWS = [
         severity: "hard-gate",
         appliesTo: ["ship"]
     },
+    {
+        id: "review-coverage-complete-before-ship",
+        title: "Review layer coverage before ship",
+        rule: "Block ship finalization when review-army does not confirm full Layer 1/2 coverage map.",
+        rationale: "Prevents finalization when multi-pass review evidence is incomplete or partially missing.",
+        enforcement: "PreToolUse",
+        severity: "hard-gate",
+        appliesTo: ["ship"]
+    },
     {
         id: "subagent-task-self-contained",
         title: "Subagent tasks are self-contained",

package/dist/content/observe.js CHANGED Viewed

@@ -16,15 +16,6 @@ set -uo pipefail
 shopt -s globstar 2>/dev/null || true
 PROMPT_GUARD_MODE="${promptGuardMode}"
-HARNESS="codex"
-if [ -n "\${CLAUDE_PROJECT_DIR:-}" ]; then
-  HARNESS="claude"
-elif [ -n "\${CURSOR_PROJECT_DIR:-}" ] || [ -n "\${CURSOR_PROJECT_ROOT:-}" ]; then
-  HARNESS="cursor"
-elif [ -n "\${OPENCODE_PROJECT_DIR:-}" ] || [ -n "\${OPENCODE_PROJECT_ROOT:-}" ]; then
-  HARNESS="opencode"
-fi
 ${RUNTIME_SHELL_DETECT_ROOT}
 STATE_DIR="$ROOT/${RUNTIME_ROOT}/state"
@@ -35,8 +26,12 @@ INPUT=$(cat 2>/dev/null || echo '{}')
 [ -n "$INPUT" ] || exit 0
 TOOL="unknown"
-PAYLOAD=""
-if command -v jq >/dev/null 2>&1; then
+PAYLOAD="$INPUT"
+if command -v cclaw_hook_extract_tool_and_payload >/dev/null 2>&1; then
+  cclaw_hook_extract_tool_and_payload "$INPUT"
+  TOOL="\${CCLAW_HOOK_TOOL:-unknown}"
+  PAYLOAD="\${CCLAW_HOOK_PAYLOAD:-$INPUT}"
+elif command -v jq >/dev/null 2>&1; then
   TOOL=$(printf '%s' "$INPUT" | jq -r '.tool_name // .tool // .toolName // .name // .id // .command // .tool.name // .tool.id // .input.tool_name // .input.tool // .input.toolName // .input.name // .input.id // .input.command // .input.tool.name // .input.tool.id // "unknown"' 2>/dev/null || echo "unknown")
   PAYLOAD=$(printf '%s' "$INPUT" | jq -r '.tool_input // .input // .arguments // .params // .payload // {} | tostring' 2>/dev/null || echo "")
 elif command -v python3 >/dev/null 2>&1; then
@@ -93,8 +88,13 @@ if [ -z "$PAYLOAD" ]; then
   PAYLOAD=$(printf '%s' "$INPUT")
 fi
-PAYLOAD_LOWER=$(printf '%s' "$PAYLOAD" | tr '[:upper:]' '[:lower:]')
-TOOL_LOWER=$(printf '%s' "$TOOL" | tr '[:upper:]' '[:lower:]')
+if command -v cclaw_hook_lower >/dev/null 2>&1; then
+  PAYLOAD_LOWER=$(cclaw_hook_lower "$PAYLOAD")
+  TOOL_LOWER=$(cclaw_hook_lower "$TOOL")
+else
+  PAYLOAD_LOWER=$(printf '%s' "$PAYLOAD" | tr '[:upper:]' '[:lower:]')
+  TOOL_LOWER=$(printf '%s' "$TOOL" | tr '[:upper:]' '[:lower:]')
+fi
 TS=$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || echo "")
 REASONS=""
@@ -180,6 +180,7 @@ STATE_DIR="$ROOT/${RUNTIME_ROOT}/state"
 FLOW_STATE_FILE="$STATE_DIR/flow-state.json"
 TDD_LOG_FILE="$STATE_DIR/tdd-cycle-log.jsonl"
 IRON_LAWS_FILE="$STATE_DIR/iron-laws.json"
+REVIEW_ARMY_FILE="$ROOT/${RUNTIME_ROOT}/artifacts/07-review-army.json"
 GUARD_STATE_FILE="$STATE_DIR/workflow-guard.json"
 GUARD_LOG="$STATE_DIR/workflow-guard.jsonl"
 mkdir -p "$STATE_DIR" 2>/dev/null || true
@@ -188,8 +189,12 @@ INPUT=$(cat 2>/dev/null || echo '{}')
 [ -n "$INPUT" ] || exit 0
 TOOL="unknown"
-PAYLOAD=""
-if command -v jq >/dev/null 2>&1; then
+PAYLOAD="$INPUT"
+if command -v cclaw_hook_extract_tool_and_payload >/dev/null 2>&1; then
+  cclaw_hook_extract_tool_and_payload "$INPUT"
+  TOOL="\${CCLAW_HOOK_TOOL:-unknown}"
+  PAYLOAD="\${CCLAW_HOOK_PAYLOAD:-$INPUT}"
+elif command -v jq >/dev/null 2>&1; then
   TOOL=$(printf '%s' "$INPUT" | jq -r '.tool_name // .tool // .toolName // .name // .id // .command // .tool.name // .tool.id // .input.tool_name // .input.tool // .input.toolName // .input.name // .input.id // .input.command // .input.tool.name // .input.tool.id // "unknown"' 2>/dev/null || echo "unknown")
   PAYLOAD=$(printf '%s' "$INPUT" | jq -r '.tool_input // .input // .arguments // .params // .payload // {} | tostring' 2>/dev/null || echo "")
 elif command -v python3 >/dev/null 2>&1; then
@@ -242,8 +247,13 @@ else
 fi
 [ -n "$PAYLOAD" ] || PAYLOAD=$(printf '%s' "$INPUT")
-TOOL_LOWER=$(printf '%s' "$TOOL" | tr '[:upper:]' '[:lower:]')
-PAYLOAD_LOWER=$(printf '%s' "$PAYLOAD" | tr '[:upper:]' '[:lower:]')
+if command -v cclaw_hook_lower >/dev/null 2>&1; then
+  TOOL_LOWER=$(cclaw_hook_lower "$TOOL")
+  PAYLOAD_LOWER=$(cclaw_hook_lower "$PAYLOAD")
+else
+  TOOL_LOWER=$(printf '%s' "$TOOL" | tr '[:upper:]' '[:lower:]')
+  PAYLOAD_LOWER=$(printf '%s' "$PAYLOAD" | tr '[:upper:]' '[:lower:]')
+fi
 TS=$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || echo "")
 NOW_EPOCH=$(date +%s 2>/dev/null || echo "0")
 REASONS=""
@@ -254,11 +264,19 @@ if [ -z "$ACTIVE_AGENT" ]; then
     ACTIVE_AGENT=$(printf '%s' "$INPUT" | jq -r '.agent_name // .agent // .input.agent_name // .input.agent // .tool_input.agent_name // .tool_input.agent // ""' 2>/dev/null || echo "")
   fi
 fi
-ACTIVE_AGENT_LOWER=$(printf '%s' "$ACTIVE_AGENT" | tr '[:upper:]' '[:lower:]')
+if command -v cclaw_hook_lower >/dev/null 2>&1; then
+  ACTIVE_AGENT_LOWER=$(cclaw_hook_lower "$ACTIVE_AGENT")
+else
+  ACTIVE_AGENT_LOWER=$(printf '%s' "$ACTIVE_AGENT" | tr '[:upper:]' '[:lower:]')
+fi
 CURRENT_STAGE="none"
 CURRENT_RUN="active"
-if [ -f "$FLOW_STATE_FILE" ]; then
+if command -v cclaw_hook_read_flow_state_minimal >/dev/null 2>&1; then
+  cclaw_hook_read_flow_state_minimal "$FLOW_STATE_FILE"
+  CURRENT_STAGE="\${CCLAW_HOOK_FLOW_STAGE:-none}"
+  CURRENT_RUN="\${CCLAW_HOOK_FLOW_RUN_ID:-active}"
+elif [ -f "$FLOW_STATE_FILE" ]; then
   if command -v jq >/dev/null 2>&1; then
     CURRENT_STAGE=$(jq -r '.currentStage // "none"' "$FLOW_STATE_FILE" 2>/dev/null || echo "none")
     CURRENT_RUN=$(jq -r '.activeRunId // "active"' "$FLOW_STATE_FILE" 2>/dev/null || echo "active")
@@ -674,6 +692,62 @@ is_tdd_production_write_payload() {
   return 0
 }
+collect_tdd_production_paths() {
+  local payload_paths="$1"
+  local out=""
+  [ -n "$payload_paths" ] || {
+    printf ''
+    return 0
+  }
+  while IFS= read -r raw_path; do
+    [ -n "$raw_path" ] || continue
+    local normalized
+    normalized=$(normalize_payload_path "$raw_path")
+    if is_tdd_production_path "$normalized"; then
+      if [ -n "$out" ]; then
+        out="$out"$'\n'"$raw_path"
+      else
+        out="$raw_path"
+      fi
+    fi
+  done <<< "$payload_paths"
+  printf '%s' "$out"
+}
+review_layer_coverage_complete() {
+  if [ ! -f "$REVIEW_ARMY_FILE" ]; then
+    return 1
+  fi
+  if command -v jq >/dev/null 2>&1; then
+    jq -e '
+      ((.reconciliation.layerCoverage.spec // false) == true) and
+      ((.reconciliation.layerCoverage.correctness // false) == true) and
+      ((.reconciliation.layerCoverage.security // false) == true) and
+      ((.reconciliation.layerCoverage.performance // false) == true) and
+      ((.reconciliation.layerCoverage.architecture // false) == true) and
+      ((.reconciliation.layerCoverage["external-safety"] // false) == true)
+    ' "$REVIEW_ARMY_FILE" >/dev/null 2>&1
+    return $?
+  fi
+  if command -v python3 >/dev/null 2>&1; then
+    python3 - "$REVIEW_ARMY_FILE" <<'PY'
+import json
+import sys
+keys = ["spec", "correctness", "security", "performance", "architecture", "external-safety"]
+try:
+    with open(sys.argv[1], "r", encoding="utf-8") as handle:
+        parsed = json.load(handle)
+    coverage = ((parsed.get("reconciliation") or {}).get("layerCoverage") or {})
+    ok = all(coverage.get(key) is True for key in keys)
+except Exception:
+    ok = False
+raise SystemExit(0 if ok else 1)
+PY
+    return $?
+  fi
+  return 1
+}
 tdd_cycle_counts() {
   if [ ! -f "$TDD_LOG_FILE" ] || [ ! -s "$TDD_LOG_FILE" ]; then
     printf '0:0'
@@ -883,54 +957,100 @@ if is_preimplementation_stage "$CURRENT_STAGE" && is_mutating_tool "$TOOL_LOWER"
 fi
 if [ "$CURRENT_STAGE" = "tdd" ] && is_mutating_tool "$TOOL_LOWER"; then
+  TDD_MISSING_RED_PATHS=""
   if is_tdd_production_write_payload "$PAYLOAD_LOWER" "$MUTATION_PATHS"; then
-    if has_open_red_cycle; then
-      TDD_CYCLE_STATE="red_open"
-    else
-      OPEN_RED_STATUS=$?
-      if [ "$OPEN_RED_STATUS" -eq 2 ]; then
-        TDD_CYCLE_STATE="counts_unavailable"
+    PRODUCTION_PATHS=$(collect_tdd_production_paths "$MUTATION_PATHS")
+    PER_PATH_RED_CHECKED="false"
+    if [ -n "$PRODUCTION_PATHS" ] && command -v cclaw >/dev/null 2>&1; then
+      PER_PATH_RED_CHECKED="true"
+      while IFS= read -r production_path; do
+        [ -n "$production_path" ] || continue
+        cclaw internal tdd-red-evidence --path="$production_path" --run-id="$CURRENT_RUN" --quiet >/dev/null 2>&1
+        EVIDENCE_STATUS=$?
+        if [ "$EVIDENCE_STATUS" -eq 0 ]; then
+          continue
+        fi
+        if [ "$EVIDENCE_STATUS" -eq 2 ]; then
+          if [ -n "$TDD_MISSING_RED_PATHS" ]; then
+            TDD_MISSING_RED_PATHS="$TDD_MISSING_RED_PATHS, $production_path"
+          else
+            TDD_MISSING_RED_PATHS="$production_path"
+          fi
+          continue
+        fi
         if [ -n "$REASONS" ]; then
-          REASONS="$REASONS,tdd_cycle_counts_unavailable"
+          REASONS="$REASONS,tdd_red_evidence_check_failed"
         else
-          REASONS="tdd_cycle_counts_unavailable"
+          REASONS="tdd_red_evidence_check_failed"
+        fi
+      done <<< "$PRODUCTION_PATHS"
+      if [ -n "$TDD_MISSING_RED_PATHS" ]; then
+        if [ -n "$REASONS" ]; then
+          REASONS="$REASONS,tdd_write_without_red_for_path"
+        else
+          REASONS="tdd_write_without_red_for_path"
         fi
-      else
-        TDD_CYCLE_STATE=$(tdd_cycle_state)
       fi
     fi
-    if [ "$TDD_CYCLE_STATE" = "need_red" ]; then
-      if [ -n "$REASONS" ]; then
-        REASONS="$REASONS,tdd_write_without_open_red"
+    if [ "$PER_PATH_RED_CHECKED" != "true" ]; then
+      if has_open_red_cycle; then
+        TDD_CYCLE_STATE="red_open"
       else
-        REASONS="tdd_write_without_open_red"
+        OPEN_RED_STATUS=$?
+        if [ "$OPEN_RED_STATUS" -eq 2 ]; then
+          TDD_CYCLE_STATE="counts_unavailable"
+          if [ -n "$REASONS" ]; then
+            REASONS="$REASONS,tdd_cycle_counts_unavailable"
+          else
+            REASONS="tdd_cycle_counts_unavailable"
+          fi
+        else
+          TDD_CYCLE_STATE=$(tdd_cycle_state)
+        fi
       fi
-    elif [ "$TDD_CYCLE_STATE" = "__UNAVAILABLE__" ]; then
-      if [ -n "$REASONS" ]; then
-        REASONS="$REASONS,tdd_cycle_counts_unavailable"
-      else
-        REASONS="tdd_cycle_counts_unavailable"
+      if [ "$TDD_CYCLE_STATE" = "need_red" ]; then
+        if [ -n "$REASONS" ]; then
+          REASONS="$REASONS,tdd_write_without_open_red"
+        else
+          REASONS="tdd_write_without_open_red"
+        fi
+      elif [ "$TDD_CYCLE_STATE" = "__UNAVAILABLE__" ]; then
+        if [ -n "$REASONS" ]; then
+          REASONS="$REASONS,tdd_cycle_counts_unavailable"
+        else
+          REASONS="tdd_cycle_counts_unavailable"
+        fi
       fi
     fi
   fi
 fi
 if [ "$CURRENT_STAGE" = "tdd" ] && is_mutating_tool "$TOOL_LOWER"; then
-  if [ "$ACTIVE_AGENT_LOWER" = "tdd-red" ] && is_tdd_production_write_payload "$PAYLOAD_LOWER" "$MUTATION_PATHS"; then
+  ACTIVE_AGENT_EFFECTIVE="$ACTIVE_AGENT_LOWER"
+  if [ -z "$ACTIVE_AGENT_EFFECTIVE" ]; then
+    INFERRED_TDD_PHASE=$(tdd_cycle_state)
+    case "$INFERRED_TDD_PHASE" in
+      need_red) ACTIVE_AGENT_EFFECTIVE="tdd-red" ;;
+      red_open) ACTIVE_AGENT_EFFECTIVE="tdd-green" ;;
+      green_done) ACTIVE_AGENT_EFFECTIVE="tdd-refactor" ;;
+      *) ACTIVE_AGENT_EFFECTIVE="" ;;
+    esac
+  fi
+  if [ "$ACTIVE_AGENT_EFFECTIVE" = "tdd-red" ] && is_tdd_production_write_payload "$PAYLOAD_LOWER" "$MUTATION_PATHS"; then
     if [ -n "$REASONS" ]; then
       REASONS="$REASONS,tdd_red_agent_cannot_write_production"
     else
       REASONS="tdd_red_agent_cannot_write_production"
     fi
   fi
-  if [ "$ACTIVE_AGENT_LOWER" = "tdd-green" ] && is_tdd_test_payload "$PAYLOAD_LOWER" "$MUTATION_PATHS"; then
+  if [ "$ACTIVE_AGENT_EFFECTIVE" = "tdd-green" ] && is_tdd_test_payload "$PAYLOAD_LOWER" "$MUTATION_PATHS"; then
     if [ -n "$REASONS" ]; then
       REASONS="$REASONS,tdd_green_agent_cannot_write_tests"
     else
       REASONS="tdd_green_agent_cannot_write_tests"
     fi
   fi
-  if [ "$ACTIVE_AGENT_LOWER" = "tdd-refactor" ]; then
+  if [ "$ACTIVE_AGENT_EFFECTIVE" = "tdd-refactor" ]; then
     TDD_AGENT_STATE=$(tdd_cycle_state)
     if [ "$TDD_AGENT_STATE" != "green_done" ]; then
       if [ -n "$REASONS" ]; then
@@ -971,6 +1091,13 @@ if [ "$CURRENT_STAGE" = "ship" ] && is_execution_or_mutating_tool "$TOOL_LOWER";
         REASONS="ship_preflight_required"
       fi
     fi
+    if ! review_layer_coverage_complete; then
+      if [ -n "$REASONS" ]; then
+        REASONS="$REASONS,ship_review_coverage_required"
+      else
+        REASONS="ship_review_coverage_required"
+      fi
+    fi
   fi
 fi
@@ -1039,16 +1166,22 @@ PY
 fi
 if [ -n "$REASONS" ]; then
-  if printf '%s' "$REASONS" | grep -Eq 'tdd_red_agent_cannot_write_production'; then
+  if printf '%s' "$REASONS" | grep -Eq 'tdd_write_without_red_for_path'; then
+    NOTE="Cclaw workflow guard: missing failing RED evidence for production path(s): \${TDD_MISSING_RED_PATHS:-unknown}. Log failing tests before touching these files."
+  elif printf '%s' "$REASONS" | grep -Eq 'tdd_write_without_open_red'; then
+    NOTE="Cclaw workflow guard: Write a failing test first before editing production files during tdd stage (state=\${TDD_CYCLE_STATE})."
+  elif printf '%s' "$REASONS" | grep -Eq 'tdd_red_evidence_check_failed'; then
+    NOTE="Cclaw workflow guard: failed to validate per-path RED evidence via \`cclaw internal tdd-red-evidence\`; refusing write until evidence check succeeds."
+  elif printf '%s' "$REASONS" | grep -Eq 'tdd_red_agent_cannot_write_production'; then
     NOTE="Cclaw workflow guard: tdd-red agent is limited to test-side RED work and cannot edit production files."
   elif printf '%s' "$REASONS" | grep -Eq 'tdd_green_agent_cannot_write_tests'; then
     NOTE="Cclaw workflow guard: tdd-green agent can implement production fixes but should not author new RED tests."
   elif printf '%s' "$REASONS" | grep -Eq 'tdd_refactor_before_green'; then
     NOTE="Cclaw workflow guard: tdd-refactor requires a green_done cycle state before refactor edits."
-  elif printf '%s' "$REASONS" | grep -Eq 'tdd_write_without_open_red'; then
-    NOTE="Cclaw workflow guard: Write a failing test first before editing production files during tdd stage (state=\${TDD_CYCLE_STATE})."
   elif printf '%s' "$REASONS" | grep -Eq 'ship_preflight_required'; then
     NOTE="Cclaw workflow guard: ship finalization command detected before ship_preflight_passed gate. Run preflight and record evidence first."
+  elif printf '%s' "$REASONS" | grep -Eq 'ship_review_coverage_required'; then
+    NOTE="Cclaw workflow guard: ship finalization requires review layer coverage for spec/correctness/security/performance/architecture/external-safety in 07-review-army.json."
   elif printf '%s' "$REASONS" | grep -Eq 'tdd_cycle_counts_unavailable'; then
     NOTE="Cclaw workflow guard: unable to inspect run-scoped tdd-cycle counts (missing usable jq/python3/awk). Install one of these tools before writing production code in tdd."
   elif printf '%s' "$REASONS" | grep -Eq 'runtime_write_requires_managed_only|direct_flow_state_edit'; then
@@ -1077,10 +1210,10 @@ if [ -n "$REASONS" ]; then
   if printf '%s' "$REASONS" | grep -Eq 'implementation_write_before_'; then
     SHOULD_BLOCK="true"
   fi
-  if printf '%s' "$REASONS" | grep -Eq 'tdd_write_without_open_red' && [ "$TDD_ENFORCEMENT_MODE" = "strict" ]; then
+  if printf '%s' "$REASONS" | grep -Eq 'tdd_write_without_open_red|tdd_write_without_red_for_path' && [ "$TDD_ENFORCEMENT_MODE" = "strict" ]; then
     SHOULD_BLOCK="true"
   fi
-  if printf '%s' "$REASONS" | grep -Eq 'tdd_write_without_open_red' && iron_law_is_strict "tdd-red-before-write"; then
+  if printf '%s' "$REASONS" | grep -Eq 'tdd_write_without_open_red|tdd_write_without_red_for_path' && iron_law_is_strict "tdd-red-before-write"; then
     SHOULD_BLOCK="true"
   fi
   if printf '%s' "$REASONS" | grep -Eq 'runtime_write_requires_managed_only|direct_flow_state_edit' && iron_law_is_strict "runtime-writes-managed-only"; then
@@ -1092,10 +1225,13 @@ if [ -n "$REASONS" ]; then
   if printf '%s' "$REASONS" | grep -Eq 'ship_preflight_required' && iron_law_is_strict "ship-preflight-required"; then
     SHOULD_BLOCK="true"
   fi
+  if printf '%s' "$REASONS" | grep -Eq 'ship_review_coverage_required' && iron_law_is_strict "review-coverage-complete-before-ship"; then
+    SHOULD_BLOCK="true"
+  fi
   if printf '%s' "$REASONS" | grep -Eq 'implementation_write_before_plan_completion' && iron_law_is_strict "plan-requires-approval"; then
     SHOULD_BLOCK="true"
   fi
-  if printf '%s' "$REASONS" | grep -Eq 'tdd_cycle_counts_unavailable'; then
+  if printf '%s' "$REASONS" | grep -Eq 'tdd_cycle_counts_unavailable|tdd_red_evidence_check_failed'; then
     SHOULD_BLOCK="true"
   fi
   if printf '%s' "$REASONS" | grep -Eq 'tdd_red_agent_cannot_write_production|tdd_green_agent_cannot_write_tests|tdd_refactor_before_green'; then
@@ -1117,25 +1253,214 @@ export function contextMonitorScript() {
 # Advisory-only context pressure warnings (best effort).
 set -uo pipefail
-HARNESS="codex"
-if [ -n "\${CLAUDE_PROJECT_DIR:-}" ]; then
-  HARNESS="claude"
-elif [ -n "\${CURSOR_PROJECT_DIR:-}" ] || [ -n "\${CURSOR_PROJECT_ROOT:-}" ]; then
-  HARNESS="cursor"
-elif [ -n "\${OPENCODE_PROJECT_DIR:-}" ] || [ -n "\${OPENCODE_PROJECT_ROOT:-}" ]; then
-  HARNESS="opencode"
-fi
 ${RUNTIME_SHELL_DETECT_ROOT}
 STATE_DIR="$ROOT/${RUNTIME_ROOT}/state"
 MONITOR_STATE="$STATE_DIR/context-monitor.json"
 WARNINGS_FILE="$STATE_DIR/context-warnings.jsonl"
+FLOW_STATE_FILE="$STATE_DIR/flow-state.json"
+TDD_AUTO_EVIDENCE_FILE="$STATE_DIR/tdd-red-evidence.jsonl"
 mkdir -p "$STATE_DIR" 2>/dev/null || true
 INPUT=$(cat 2>/dev/null || echo '{}')
 [ -n "$INPUT" ] || exit 0
+CURRENT_STAGE="none"
+CURRENT_RUN="active"
+if command -v cclaw_hook_read_flow_state_minimal >/dev/null 2>&1; then
+  cclaw_hook_read_flow_state_minimal "$FLOW_STATE_FILE"
+  CURRENT_STAGE="\${CCLAW_HOOK_FLOW_STAGE:-none}"
+  CURRENT_RUN="\${CCLAW_HOOK_FLOW_RUN_ID:-active}"
+elif [ -f "$FLOW_STATE_FILE" ]; then
+  if command -v jq >/dev/null 2>&1; then
+    CURRENT_STAGE=$(jq -r '.currentStage // "none"' "$FLOW_STATE_FILE" 2>/dev/null || echo "none")
+    CURRENT_RUN=$(jq -r '.activeRunId // "active"' "$FLOW_STATE_FILE" 2>/dev/null || echo "active")
+  elif command -v python3 >/dev/null 2>&1; then
+    FLOW_META=$(python3 - "$FLOW_STATE_FILE" <<'PY'
+import json
+import sys
+stage = "none"
+run_id = "active"
+try:
+    with open(sys.argv[1], "r", encoding="utf-8") as fh:
+        payload = json.load(fh)
+    stage_value = payload.get("currentStage")
+    run_value = payload.get("activeRunId")
+    if isinstance(stage_value, str) and stage_value:
+        stage = stage_value
+    if isinstance(run_value, str) and run_value:
+        run_id = run_value
+except Exception:
+    pass
+print(stage)
+print(run_id)
+PY
+)
+    {
+      IFS= read -r CURRENT_STAGE
+      IFS= read -r CURRENT_RUN
+    } <<EOF
+$FLOW_META
+EOF
+  fi
+fi
+AUTO_TOOL=""
+AUTO_COMMAND=""
+AUTO_EXIT_CODE=""
+AUTO_PATHS_CSV=""
+if command -v python3 >/dev/null 2>&1; then
+  AUTO_META=$(INPUT_JSON="$INPUT" python3 - <<'PY'
+import json
+import os
+import re
+from typing import Any, Iterator
+raw = os.environ.get("INPUT_JSON", "{}")
+try:
+    payload = json.loads(raw)
+except Exception:
+    payload = {}
+def walk(node: Any) -> Iterator[Any]:
+    if isinstance(node, dict):
+        yield node
+        for value in node.values():
+            yield from walk(value)
+    elif isinstance(node, list):
+        for value in node:
+            yield from walk(value)
+def first_string(keys: list[str]) -> str:
+    for node in walk(payload):
+        if not isinstance(node, dict):
+            continue
+        for key in keys:
+            value = node.get(key)
+            if isinstance(value, str) and value.strip():
+                return value.strip()
+    return ""
+tool = first_string(["tool_name", "tool", "toolName", "name", "id"])
+command = ""
+for node in walk(payload):
+    if not isinstance(node, dict):
+        continue
+    for key in ("command", "cmd"):
+        value = node.get(key)
+        if isinstance(value, str) and value.strip():
+            command = value.strip()
+            break
+    if command:
+        break
+exit_code = ""
+for node in walk(payload):
+    if not isinstance(node, dict):
+        continue
+    for key in ("exitCode", "exit_code", "code", "status"):
+        value = node.get(key)
+        if isinstance(value, bool):
+            exit_code = "0" if value else "1"
+            break
+        if isinstance(value, (int, float)):
+            exit_code = str(int(value))
+            break
+    if exit_code:
+        break
+blob_parts: list[str] = []
+for node in walk(payload):
+    if not isinstance(node, dict):
+        continue
+    for key in ("stderr", "stdout", "output", "text", "message"):
+        value = node.get(key)
+        if isinstance(value, str) and value:
+            blob_parts.append(value)
+blob_parts.append(command)
+blob = "\\n".join(blob_parts)
+path_pattern = re.compile(r"(?:[A-Za-z0-9_.-]+/)+[A-Za-z0-9_.-]+\.(?:ts|tsx|js|jsx|mjs|cjs|py|go|rs|java|kt|rb|php|cs|swift)")
+seen: set[str] = set()
+paths: list[str] = []
+for match in path_pattern.findall(blob):
+    normalized = match.strip().strip("\\"'.,:;()[]{}<>")
+    if not normalized or normalized in seen:
+        continue
+    seen.add(normalized)
+    paths.append(normalized)
+print(tool.replace("\\t", " ").replace("\\n", " "))
+print(command.replace("\\t", " ").replace("\\n", " "))
+print(exit_code)
+print(",".join(paths[:20]).replace("\\t", " ").replace("\\n", " "))
+PY
+)
+  {
+    IFS= read -r AUTO_TOOL
+    IFS= read -r AUTO_COMMAND
+    IFS= read -r AUTO_EXIT_CODE
+    IFS= read -r AUTO_PATHS_CSV
+  } <<EOF
+$AUTO_META
+EOF
+fi
+if [ "$CURRENT_STAGE" = "tdd" ] && [ -n "$AUTO_COMMAND" ] && [ -n "$AUTO_EXIT_CODE" ]; then
+  if command -v cclaw_hook_lower >/dev/null 2>&1; then
+    AUTO_COMMAND_LOWER=$(cclaw_hook_lower "$AUTO_COMMAND")
+  else
+    AUTO_COMMAND_LOWER=$(printf '%s' "$AUTO_COMMAND" | tr '[:upper:]' '[:lower:]')
+  fi
+  if printf '%s' "$AUTO_COMMAND_LOWER" | grep -Eq '(npm test|npm run test|pnpm test|pnpm run test|yarn test|bun test|vitest|jest|pytest|go test|cargo test|mvn test|gradle test|dotnet test)'; then
+    if printf '%s' "$AUTO_EXIT_CODE" | grep -Eq '^-?[0-9]+$' && [ "$AUTO_EXIT_CODE" -ne 0 ]; then
+      TS_AUTO=$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || echo "")
+      if command -v jq >/dev/null 2>&1; then
+        AUTO_ENTRY=$(jq -n -c \
+          --arg ts "$TS_AUTO" \
+          --arg run "$CURRENT_RUN" \
+          --arg command "$AUTO_COMMAND" \
+          --arg tool "$AUTO_TOOL" \
+          --argjson exitCode "$AUTO_EXIT_CODE" \
+          --arg paths "$AUTO_PATHS_CSV" \
+          '{
+            ts: $ts,
+            runId: $run,
+            stage: "tdd",
+            source: "posttool-auto",
+            command: $command,
+            tool: $tool,
+            exitCode: $exitCode,
+            paths: ($paths | split(",") | map(select(length > 0)))
+          }' 2>/dev/null || echo "")
+      elif command -v python3 >/dev/null 2>&1; then
+        AUTO_ENTRY=$(python3 - "$TS_AUTO" "$CURRENT_RUN" "$AUTO_COMMAND" "$AUTO_TOOL" "$AUTO_EXIT_CODE" "$AUTO_PATHS_CSV" <<'PY'
+import json
+import sys
+ts, run_id, command, tool, exit_code, paths_csv = sys.argv[1:7]
+paths = [value for value in paths_csv.split(",") if value]
+entry = {
+    "ts": ts,
+    "runId": run_id,
+    "stage": "tdd",
+    "source": "posttool-auto",
+    "command": command,
+    "tool": tool,
+    "exitCode": int(exit_code),
+    "paths": paths
+}
+print(json.dumps(entry, ensure_ascii=False))
+PY
+)
+      else
+        AUTO_ENTRY=""
+      fi
+      if [ -n "$AUTO_ENTRY" ]; then
+        printf '%s\n' "$AUTO_ENTRY" >> "$TDD_AUTO_EVIDENCE_FILE" 2>/dev/null || true
+      fi
+    fi
+  fi
+fi
 REMAINING_PERCENT=""
 if command -v python3 >/dev/null 2>&1; then
   REMAINING_PERCENT=$(INPUT_JSON="$INPUT" python3 - <<'PY'

package/dist/content/stages/review.js CHANGED Viewed

@@ -16,8 +16,7 @@ export const REVIEW = {
     ],
     whenNotToUse: [
         "There is no implementation diff to review",
-        "TDD stage evidence is missing or stale",
-        "The goal is direct release execution without layered quality checks"
+        "TDD stage evidence is missing or stale"
     ],
     checklist: [
         "Diff Scope — Run `git diff` against base branch. If no diff, exit early with APPROVED (no changes to review). Scope the review to changed files unless blast-radius analysis requires wider inspection.",
@@ -62,6 +61,7 @@ export const REVIEW = {
     requiredGates: [
         { id: "review_layer1_spec_compliance", description: "Spec compliance check completed with per-criterion verdict." },
         { id: "review_layer2_security", description: "Security review completed." },
+        { id: "review_layer_coverage_complete", description: "Layer coverage map in 07-review-army.json confirms spec/correctness/security/performance/architecture/external-safety passes." },
         { id: "review_criticals_resolved", description: "No unresolved critical blockers remain." },
         { id: "review_army_json_valid", description: "07-review-army.json passes schema validation (validateReviewArmy)." },
         { id: "review_trace_matrix_clean", description: "Trace matrix has no orphaned criteria/tasks/test slices for the active run." }

package/dist/content/templates.js CHANGED Viewed

@@ -609,6 +609,14 @@ inputs_hash: sha256:pending
     "duplicatesCollapsed": 0,
     "conflicts": [],
     "multiSpecialistConfirmed": [],
+    "layerCoverage": {
+      "spec": false,
+      "correctness": false,
+      "security": false,
+      "performance": false,
+      "architecture": false,
+      "external-safety": false
+    },
     "shipBlockers": []
   }
 }

package/dist/doctor.js CHANGED Viewed

@@ -673,6 +673,7 @@ export async function doctorChecks(projectRoot, options = {}) {
     }
     // Hook scripts
     for (const script of [
+        "_lib.sh",
         "session-start.sh",
         "stop-checkpoint.sh",
         "run-hook.cmd",
@@ -877,6 +878,7 @@ export async function doctorChecks(projectRoot, options = {}) {
         const codexStopCmds = collectHookCommands(codexHooks.Stop);
         const codexWiringOk = codexSessionCmds.some((cmd) => cmd.includes("session-start.sh")) &&
             codexUserPromptCmds.some((cmd) => cmd.includes("prompt-guard.sh")) &&
+            codexUserPromptCmds.some((cmd) => cmd.includes("workflow-guard.sh")) &&
             codexUserPromptCmds.some((cmd) => cmd.includes("verify-current-state --quiet")) &&
             codexPreCmds.some((cmd) => cmd.includes("prompt-guard.sh")) &&
             codexPreCmds.some((cmd) => cmd.includes("workflow-guard.sh")) &&
@@ -885,7 +887,7 @@ export async function doctorChecks(projectRoot, options = {}) {
         checks.push({
             name: "hook:wiring:codex",
             ok: codexWiringOk,
-            details: `${codexHooksFile} must wire SessionStart, UserPromptSubmit(prompt-guard + verify-current-state), PreToolUse(prompt/workflow), PostToolUse(context-monitor), and Stop(stop-checkpoint). PreToolUse/PostToolUse run Bash-only in Codex v0.114+`
+            details: `${codexHooksFile} must wire SessionStart, UserPromptSubmit(prompt/workflow/verify-current-state), PreToolUse(prompt/workflow), PostToolUse(context-monitor), and Stop(stop-checkpoint). PreToolUse/PostToolUse run Bash-only in Codex v0.114+`
         });
         // Feature flag warning: Codex ignores `.codex/hooks.json` unless the
         // user has `[features] codex_hooks = true` in `~/.codex/config.toml`.
@@ -965,10 +967,12 @@ export async function doctorChecks(projectRoot, options = {}) {
                     content.includes("workflow-guard.sh") &&
                     content.includes("context-monitor.sh") &&
                     content.includes("pre-compact.sh") &&
+                    content.includes('"session.created"') &&
                     content.includes('"session.idle"') &&
                     content.includes('"session.resumed"') &&
                     content.includes('"session.compacted"') &&
                     content.includes('"session.cleared"') &&
+                    content.includes('"session.updated"') &&
                     content.includes('"experimental.chat.system.transform"');
             singleHandlerPathOk =
                 !content.includes('eventType === "tool.execute.before"') &&
@@ -982,7 +986,7 @@ export async function doctorChecks(projectRoot, options = {}) {
         checks.push({
             name: "lifecycle:opencode:rehydration_events",
             ok,
-            details: `${file} must include event lifecycle handler, tool.execute.before/after with prompt/workflow/context hooks, session.idle checkpoint, and transform rehydration`
+            details: `${file} must include event lifecycle handler, session.created/updated/resumed/cleared/compacted rehydration, tool.execute.before/after with prompt/workflow/context hooks, session.idle checkpoint, and transform rehydration`
         });
         checks.push({
             name: "hook:opencode:single_tool_handler_path",

package/dist/install.js CHANGED Viewed

@@ -24,7 +24,7 @@ import { rewindCommandContract, rewindCommandSkillMarkdown } from "./content/rew
 import { subagentDrivenDevSkill, parallelAgentsSkill } from "./content/subagents.js";
 import { sessionHooksSkillMarkdown } from "./content/session-hooks.js";
 import { ironLawRuntimeDocument, ironLawsSkillMarkdown } from "./content/iron-laws.js";
-import { sessionStartScript, stopCheckpointScript, runHookDispatcherScript, stageCompleteScript, preCompactScript, opencodePluginJs, claudeHooksJson, codexHooksJson, cursorHooksJson } from "./content/hooks.js";
+import { hookLibScript, sessionStartScript, stopCheckpointScript, runHookDispatcherScript, stageCompleteScript, preCompactScript, opencodePluginJs, claudeHooksJson, codexHooksJson, cursorHooksJson } from "./content/hooks.js";
 import { contextMonitorScript, promptGuardScript, workflowGuardScript } from "./content/observe.js";
 import { META_SKILL_NAME, usingCclawSkillMarkdown } from "./content/meta-skill.js";
 import { decisionProtocolMarkdown, completionProtocolMarkdown, ethosProtocolMarkdown } from "./content/protocols.js";
@@ -630,6 +630,7 @@ async function writeHooks(projectRoot, config) {
         mode: config.ironLaws?.mode,
         strictLaws: config.ironLaws?.strictLaws
     }), null, 2)}\n`);
+    await writeFileSafe(path.join(hooksDir, "_lib.sh"), hookLibScript());
     await writeFileSafe(path.join(hooksDir, "session-start.sh"), sessionStartScript());
     await writeFileSafe(path.join(hooksDir, "stop-checkpoint.sh"), stopCheckpointScript());
     await writeFileSafe(path.join(hooksDir, "run-hook.cmd"), runHookDispatcherScript());
@@ -649,6 +650,7 @@ async function writeHooks(projectRoot, config) {
     await writeFileSafe(path.join(hooksDir, "opencode-plugin.mjs"), opencodePluginSource);
     try {
         for (const script of [
+            "_lib.sh",
             "session-start.sh",
             "stop-checkpoint.sh",
             "run-hook.cmd",

package/dist/internal/advance-stage.js CHANGED Viewed

@@ -12,6 +12,7 @@ import { readFlowState, writeFlowState } from "../runs.js";
 import { FLOW_STAGES } from "../types.js";
 import { runEnvelopeValidateCommand } from "./envelope-validate.js";
 import { runKnowledgeDigestCommand } from "./knowledge-digest.js";
+import { runTddRedEvidenceCommand } from "./tdd-red-evidence.js";
 function unique(values) {
     return [...new Set(values)];
 }
@@ -623,7 +624,7 @@ async function runVerifyCurrentState(projectRoot, args, io) {
 export async function runInternalCommand(projectRoot, argv, io) {
     const [subcommand, ...tokens] = argv;
     if (!subcommand) {
-        io.stderr.write("cclaw internal requires a subcommand: advance-stage | verify-flow-state-diff | verify-current-state | knowledge-digest | envelope-validate\n");
+        io.stderr.write("cclaw internal requires a subcommand: advance-stage | verify-flow-state-diff | verify-current-state | knowledge-digest | envelope-validate | tdd-red-evidence\n");
         return 1;
     }
     try {
@@ -642,7 +643,10 @@ export async function runInternalCommand(projectRoot, argv, io) {
         if (subcommand === "envelope-validate") {
             return await runEnvelopeValidateCommand(projectRoot, tokens, io);
         }
-        io.stderr.write(`Unknown internal subcommand: ${subcommand}. Expected advance-stage | verify-flow-state-diff | verify-current-state | knowledge-digest | envelope-validate\n`);
+        if (subcommand === "tdd-red-evidence") {
+            return await runTddRedEvidenceCommand(projectRoot, tokens, io);
+        }
+        io.stderr.write(`Unknown internal subcommand: ${subcommand}. Expected advance-stage | verify-flow-state-diff | verify-current-state | knowledge-digest | envelope-validate | tdd-red-evidence\n`);
         return 1;
     }
     catch (err) {

package/dist/internal/tdd-red-evidence.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { Writable } from "node:stream";
+interface InternalIo {
+    stdout: Writable;
+    stderr: Writable;
+}
+export declare function runTddRedEvidenceCommand(projectRoot: string, tokens: string[], io: InternalIo): Promise<number>;
+export {};

package/dist/internal/tdd-red-evidence.js ADDED Viewed

@@ -0,0 +1,130 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { RUNTIME_ROOT } from "../constants.js";
+import { readFlowState } from "../runs.js";
+import { hasFailingTestForPath, parseTddCycleLog } from "../tdd-cycle.js";
+function normalizePath(value) {
+    return value.replace(/\\/gu, "/").toLowerCase();
+}
+function parseArgs(tokens) {
+    const args = { quiet: false };
+    for (const token of tokens) {
+        if (token === "--quiet") {
+            args.quiet = true;
+            continue;
+        }
+        if (token.startsWith("--path=")) {
+            const value = token.slice("--path=".length).trim();
+            if (!value) {
+                throw new Error("--path must not be empty.");
+            }
+            args.targetPath = value;
+            continue;
+        }
+        if (token.startsWith("--run-id=")) {
+            const value = token.slice("--run-id=".length).trim();
+            if (value) {
+                args.runId = value;
+            }
+            continue;
+        }
+        throw new Error(`Unknown flag for tdd-red-evidence: ${token}`);
+    }
+    if (!args.targetPath) {
+        throw new Error("Missing required flag: --path=<production-file-path>");
+    }
+    return args;
+}
+function parseAutoEvidence(text) {
+    const out = [];
+    for (const rawLine of text.split(/\r?\n/gu)) {
+        const line = rawLine.trim();
+        if (!line)
+            continue;
+        try {
+            const parsed = JSON.parse(line);
+            const exitCode = parsed.exitCode;
+            if (typeof exitCode !== "number" || exitCode === 0)
+                continue;
+            const runId = typeof parsed.runId === "string" && parsed.runId.length > 0
+                ? parsed.runId
+                : "active";
+            const rawPaths = Array.isArray(parsed.paths)
+                ? parsed.paths
+                : typeof parsed.path === "string"
+                    ? [parsed.path]
+                    : [];
+            const paths = rawPaths
+                .filter((value) => typeof value === "string")
+                .map((value) => value.trim())
+                .filter((value) => value.length > 0);
+            if (paths.length === 0)
+                continue;
+            out.push({
+                runId,
+                exitCode,
+                paths
+            });
+        }
+        catch {
+            // ignore malformed lines
+        }
+    }
+    return out;
+}
+function hasFailingAutoEvidenceForPath(entries, targetPath, options = {}) {
+    const normalizedTarget = normalizePath(targetPath);
+    for (const entry of entries) {
+        if (options.runId && entry.runId !== options.runId)
+            continue;
+        for (const filePath of entry.paths) {
+            const normalized = normalizePath(filePath);
+            if (normalized === normalizedTarget || normalized.endsWith(`/${normalizedTarget}`)) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+export async function runTddRedEvidenceCommand(projectRoot, tokens, io) {
+    const args = parseArgs(tokens);
+    const flowState = await readFlowState(projectRoot).catch(() => null);
+    const effectiveRunId = args.runId ?? flowState?.activeRunId;
+    const tddLogPath = path.join(projectRoot, RUNTIME_ROOT, "state", "tdd-cycle-log.jsonl");
+    const autoEvidencePath = path.join(projectRoot, RUNTIME_ROOT, "state", "tdd-red-evidence.jsonl");
+    let cycleLogHasRed = false;
+    let autoEvidenceHasRed = false;
+    try {
+        const raw = await fs.readFile(tddLogPath, "utf8");
+        const entries = parseTddCycleLog(raw);
+        cycleLogHasRed = hasFailingTestForPath(entries, args.targetPath, {
+            runId: effectiveRunId
+        });
+    }
+    catch {
+        cycleLogHasRed = false;
+    }
+    try {
+        const raw = await fs.readFile(autoEvidencePath, "utf8");
+        const entries = parseAutoEvidence(raw);
+        autoEvidenceHasRed = hasFailingAutoEvidenceForPath(entries, args.targetPath, {
+            runId: effectiveRunId
+        });
+    }
+    catch {
+        autoEvidenceHasRed = false;
+    }
+    const hasRed = cycleLogHasRed || autoEvidenceHasRed;
+    if (!args.quiet) {
+        io.stdout.write(`${JSON.stringify({
+            ok: hasRed,
+            path: args.targetPath,
+            runId: effectiveRunId ?? null,
+            sources: {
+                tddCycleLog: cycleLogHasRed,
+                autoEvidence: autoEvidenceHasRed
+            }
+        }, null, 2)}\n`);
+    }
+    return hasRed ? 0 : 2;
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cclaw-cli",
-  "version": "0.48.6",
+  "version": "0.48.7",
   "description": "Installer-first flow toolkit for coding agents",
   "type": "module",
   "bin": {