cclaw-cli 0.48.8 → 0.48.10

package/dist/content/observe.js

@@ -1,1666 +1,6 @@
-/**
- * Hook helper scripts and harness hook JSON generators.
- *
- * This module still provides prompt/workflow/context guard scripts and
- * cross-harness hook wiring. Observation pipeline scripts are retained only
- * for backward compatibility and are not wired by default runtime generation.
- */
 import { RUNTIME_ROOT } from "../constants.js";
-import { RUNTIME_SHELL_DETECT_ROOT } from "./hooks.js";
-export function promptGuardScript(options = {}) {
-    const promptGuardMode = options.strictMode === true ? "strict" : "advisory";
-    return `#!/usr/bin/env bash
-# cclaw prompt guard hook — generated by cclaw sync
-# Advisory-only guard for risky writes into ${RUNTIME_ROOT} runtime files.
-set -uo pipefail
-shopt -s globstar 2>/dev/null || true
-PROMPT_GUARD_MODE="${promptGuardMode}"
-
-${RUNTIME_SHELL_DETECT_ROOT}
-
-STATE_DIR="$ROOT/${RUNTIME_ROOT}/state"
-GUARD_LOG="$STATE_DIR/prompt-guard.jsonl"
-mkdir -p "$STATE_DIR" 2>/dev/null || true
-
-INPUT=$(cat 2>/dev/null || echo '{}')
-[ -n "$INPUT" ] || exit 0
-
-TOOL="unknown"
-PAYLOAD="$INPUT"
-if command -v cclaw_hook_extract_tool_and_payload >/dev/null 2>&1; then
-  cclaw_hook_extract_tool_and_payload "$INPUT"
-  TOOL="\${CCLAW_HOOK_TOOL:-unknown}"
-  PAYLOAD="\${CCLAW_HOOK_PAYLOAD:-$INPUT}"
-elif command -v jq >/dev/null 2>&1; then
-  TOOL=$(printf '%s' "$INPUT" | jq -r '.tool_name // .tool // .toolName // .name // .id // .command // .tool.name // .tool.id // .input.tool_name // .input.tool // .input.toolName // .input.name // .input.id // .input.command // .input.tool.name // .input.tool.id // "unknown"' 2>/dev/null || echo "unknown")
-  PAYLOAD=$(printf '%s' "$INPUT" | jq -r '.tool_input // .input // .arguments // .params // .payload // {} | tostring' 2>/dev/null || echo "")
-elif command -v python3 >/dev/null 2>&1; then
-  TOOL=$(INPUT_JSON="$INPUT" python3 - <<'PY'
-import json
-import os
-
-try:
-    value = json.loads(os.environ.get("INPUT_JSON", "{}"))
-except Exception:
-    value = {}
-
-def pick_tool(payload):
-    if not isinstance(payload, dict):
-        return "unknown"
-    candidates = [
-        payload.get("tool_name"),
-        payload.get("tool"),
-        payload.get("toolName"),
-        payload.get("name"),
-        payload.get("id"),
-        payload.get("command")
-    ]
-    top_tool = payload.get("tool")
-    if isinstance(top_tool, dict):
-        candidates.extend([top_tool.get("name"), top_tool.get("id")])
-    nested = payload.get("input")
-    if isinstance(nested, dict):
-        candidates.extend([
-            nested.get("tool_name"),
-            nested.get("tool"),
-            nested.get("toolName"),
-            nested.get("name"),
-            nested.get("id"),
-            nested.get("command")
-        ])
-        nested_tool = nested.get("tool")
-        if isinstance(nested_tool, dict):
-            candidates.extend([nested_tool.get("name"), nested_tool.get("id")])
-    for candidate in candidates:
-        if isinstance(candidate, str) and candidate.strip():
-            return candidate.strip()
-    return "unknown"
-
-print(pick_tool(value))
-PY
-)
-  PAYLOAD=$(printf '%s' "$INPUT")
-else
-  PAYLOAD=$(printf '%s' "$INPUT")
-fi
-
-if [ -z "$PAYLOAD" ]; then
-  PAYLOAD=$(printf '%s' "$INPUT")
-fi
-
-if command -v cclaw_hook_lower >/dev/null 2>&1; then
-  PAYLOAD_LOWER=$(cclaw_hook_lower "$PAYLOAD")
-  TOOL_LOWER=$(cclaw_hook_lower "$TOOL")
-else
-  PAYLOAD_LOWER=$(printf '%s' "$PAYLOAD" | tr '[:upper:]' '[:lower:]')
-  TOOL_LOWER=$(printf '%s' "$TOOL" | tr '[:upper:]' '[:lower:]')
-fi
-TS=$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || echo "")
-REASONS=""
-
-case "$TOOL_LOWER" in
-  write|edit|multiedit|delete|applypatch|runcommand|shell|terminal|execcommand)
-    if printf '%s' "$PAYLOAD_LOWER" | grep -Eq '\.cclaw/(state|artifacts|hooks|skills|commands|agents|runs|knowledge)'; then
-      REASONS="write_to_cclaw_runtime"
-    fi
-    ;;
-esac
-
-if printf '%s' "$PAYLOAD_LOWER" | grep -Eq '(rm[[:space:]]+-rf[[:space:]]+\.cclaw|curl[[:space:]].*https?://|wget[[:space:]].*https?://|base64[[:space:]]+-d|eval[(]|python[[:space:]]+-c)'; then
-  if [ -n "$REASONS" ]; then
-    REASONS="$REASONS,suspicious_payload_pattern"
-  else
-    REASONS="suspicious_payload_pattern"
-  fi
-fi
-
-if [ -n "$REASONS" ]; then
-  NOTE="Cclaw advisory: potential risky write intent detected for ${RUNTIME_ROOT} runtime (\${REASONS}). Prefer installer commands or explicit confirmation before mutating runtime internals."
-  if command -v jq >/dev/null 2>&1; then
-    ENTRY=$(jq -n -c \
-      --arg ts "$TS" \
-      --arg harness "$HARNESS" \
-      --arg tool "$TOOL" \
-      --arg reasons "$REASONS" \
-      --arg note "$NOTE" \
-      '{ts:$ts,harness:$harness,tool:$tool,reasons:($reasons|split(",")),note:$note}' 2>/dev/null || echo "")
-  elif command -v python3 >/dev/null 2>&1; then
-    ENTRY=$(TS="$TS" HARNESS="$HARNESS" TOOL="$TOOL" REASONS="$REASONS" NOTE="$NOTE" python3 - <<'PY'
-import json, os
-
-ts = os.environ.get("TS") or ""
-harness = os.environ.get("HARNESS") or ""
-tool = os.environ.get("TOOL") or "unknown"
-reasons_raw = os.environ.get("REASONS") or ""
-note = os.environ.get("NOTE") or ""
-reasons = [r for r in reasons_raw.split(",") if r]
-print(json.dumps({"ts": ts, "harness": harness, "tool": tool, "reasons": reasons, "note": note}, ensure_ascii=False))
-PY
-)
-  else
-    ENTRY=""
-  fi
-
-  if [ -n "$ENTRY" ]; then
-    printf '%s\n' "$ENTRY" >> "$GUARD_LOG" 2>/dev/null || true
-  fi
-  if [ "$PROMPT_GUARD_MODE" = "strict" ]; then
-    printf '[cclaw] %s (blocked by strict mode)\n' "$NOTE" >&2
-    exit 1
-  fi
-  printf '[cclaw] %s\n' "$NOTE" >&2
-fi
-
-exit 0
-`;
-}
-export function workflowGuardScript(options = {}) {
-    const workflowGuardMode = options.workflowGuardMode === "strict" ? "strict" : "advisory";
-    const tddEnforcementMode = options.tddEnforcementMode === "strict" ? "strict" : "advisory";
-    const tddTestPathPatterns = options.tddTestPathPatterns && options.tddTestPathPatterns.length > 0
-        ? options.tddTestPathPatterns.join(",")
-        : "**/*.test.*,**/tests/**,**/__tests__/**";
-    const tddProductionPathPatterns = options.tddProductionPathPatterns && options.tddProductionPathPatterns.length > 0
-        ? options.tddProductionPathPatterns.join(",")
-        : "";
-    return `#!/usr/bin/env bash
-# cclaw workflow guard hook — generated by cclaw sync
-# Enforces stage-aware command discipline and recent flow-state read hygiene.
-set -uo pipefail
-shopt -s globstar 2>/dev/null || true
-WORKFLOW_GUARD_MODE="\${CCLAW_WORKFLOW_GUARD_MODE:-${workflowGuardMode}}"
-MAX_FLOW_READ_AGE_SEC="\${CCLAW_WORKFLOW_GUARD_MAX_AGE_SEC:-1800}"
-TDD_ENFORCEMENT_MODE="${tddEnforcementMode}"
-TDD_TEST_PATH_PATTERNS="${tddTestPathPatterns}"
-TDD_PRODUCTION_PATH_PATTERNS="${tddProductionPathPatterns}"
-
-${RUNTIME_SHELL_DETECT_ROOT}
-
-STATE_DIR="$ROOT/${RUNTIME_ROOT}/state"
-FLOW_STATE_FILE="$STATE_DIR/flow-state.json"
-TDD_LOG_FILE="$STATE_DIR/tdd-cycle-log.jsonl"
-IRON_LAWS_FILE="$STATE_DIR/iron-laws.json"
-REVIEW_ARMY_FILE="$ROOT/${RUNTIME_ROOT}/artifacts/07-review-army.json"
-GUARD_STATE_FILE="$STATE_DIR/workflow-guard.json"
-GUARD_LOG="$STATE_DIR/workflow-guard.jsonl"
-mkdir -p "$STATE_DIR" 2>/dev/null || true
-
-INPUT=$(cat 2>/dev/null || echo '{}')
-[ -n "$INPUT" ] || exit 0
-
-TOOL="unknown"
-PAYLOAD="$INPUT"
-if command -v cclaw_hook_extract_tool_and_payload >/dev/null 2>&1; then
-  cclaw_hook_extract_tool_and_payload "$INPUT"
-  TOOL="\${CCLAW_HOOK_TOOL:-unknown}"
-  PAYLOAD="\${CCLAW_HOOK_PAYLOAD:-$INPUT}"
-elif command -v jq >/dev/null 2>&1; then
-  TOOL=$(printf '%s' "$INPUT" | jq -r '.tool_name // .tool // .toolName // .name // .id // .command // .tool.name // .tool.id // .input.tool_name // .input.tool // .input.toolName // .input.name // .input.id // .input.command // .input.tool.name // .input.tool.id // "unknown"' 2>/dev/null || echo "unknown")
-  PAYLOAD=$(printf '%s' "$INPUT" | jq -r '.tool_input // .input // .arguments // .params // .payload // {} | tostring' 2>/dev/null || echo "")
-elif command -v python3 >/dev/null 2>&1; then
-  TOOL=$(INPUT_JSON="$INPUT" python3 - <<'PY'
-import json
-import os
-try:
-    value = json.loads(os.environ.get("INPUT_JSON", "{}"))
-except Exception:
-    value = {}
-
-def pick_tool(payload):
-    if not isinstance(payload, dict):
-        return "unknown"
-    candidates = [
-        payload.get("tool_name"),
-        payload.get("tool"),
-        payload.get("toolName"),
-        payload.get("name"),
-        payload.get("id"),
-        payload.get("command")
-    ]
-    top_tool = payload.get("tool")
-    if isinstance(top_tool, dict):
-        candidates.extend([top_tool.get("name"), top_tool.get("id")])
-    nested = payload.get("input")
-    if isinstance(nested, dict):
-        candidates.extend([
-            nested.get("tool_name"),
-            nested.get("tool"),
-            nested.get("toolName"),
-            nested.get("name"),
-            nested.get("id"),
-            nested.get("command")
-        ])
-        nested_tool = nested.get("tool")
-        if isinstance(nested_tool, dict):
-            candidates.extend([nested_tool.get("name"), nested_tool.get("id")])
-    for candidate in candidates:
-        if isinstance(candidate, str) and candidate.strip():
-            return candidate.strip()
-    return "unknown"
-
-print(pick_tool(value))
-PY
-)
-  PAYLOAD=$(printf '%s' "$INPUT")
-else
-  PAYLOAD=$(printf '%s' "$INPUT")
-fi
-
-[ -n "$PAYLOAD" ] || PAYLOAD=$(printf '%s' "$INPUT")
-if command -v cclaw_hook_lower >/dev/null 2>&1; then
-  TOOL_LOWER=$(cclaw_hook_lower "$TOOL")
-  PAYLOAD_LOWER=$(cclaw_hook_lower "$PAYLOAD")
-else
-  TOOL_LOWER=$(printf '%s' "$TOOL" | tr '[:upper:]' '[:lower:]')
-  PAYLOAD_LOWER=$(printf '%s' "$PAYLOAD" | tr '[:upper:]' '[:lower:]')
-fi
-TS=$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || echo "")
-NOW_EPOCH=$(date +%s 2>/dev/null || echo "0")
-REASONS=""
-
-ACTIVE_AGENT="\${CCLAW_ACTIVE_AGENT:-}"
-if [ -z "$ACTIVE_AGENT" ]; then
-  if command -v jq >/dev/null 2>&1; then
-    ACTIVE_AGENT=$(printf '%s' "$INPUT" | jq -r '.agent_name // .agent // .input.agent_name // .input.agent // .tool_input.agent_name // .tool_input.agent // ""' 2>/dev/null || echo "")
-  fi
-fi
-if command -v cclaw_hook_lower >/dev/null 2>&1; then
-  ACTIVE_AGENT_LOWER=$(cclaw_hook_lower "$ACTIVE_AGENT")
-else
-  ACTIVE_AGENT_LOWER=$(printf '%s' "$ACTIVE_AGENT" | tr '[:upper:]' '[:lower:]')
-fi
-
-CURRENT_STAGE="none"
-CURRENT_RUN="active"
-if command -v cclaw_hook_read_flow_state_minimal >/dev/null 2>&1; then
-  cclaw_hook_read_flow_state_minimal "$FLOW_STATE_FILE"
-  CURRENT_STAGE="\${CCLAW_HOOK_FLOW_STAGE:-none}"
-  CURRENT_RUN="\${CCLAW_HOOK_FLOW_RUN_ID:-active}"
-elif [ -f "$FLOW_STATE_FILE" ]; then
-  if command -v jq >/dev/null 2>&1; then
-    CURRENT_STAGE=$(jq -r '.currentStage // "none"' "$FLOW_STATE_FILE" 2>/dev/null || echo "none")
-    CURRENT_RUN=$(jq -r '.activeRunId // "active"' "$FLOW_STATE_FILE" 2>/dev/null || echo "active")
-  elif command -v python3 >/dev/null 2>&1; then
-    CURRENT_STAGE=$(python3 - "$FLOW_STATE_FILE" <<'PY'
-import json
-import sys
-stage = "none"
-try:
-    with open(sys.argv[1], "r", encoding="utf-8") as fh:
-        parsed = json.load(fh)
-    value = parsed.get("currentStage")
-    if isinstance(value, str) and value:
-        stage = value
-except Exception:
-    pass
-print(stage)
-PY
-)
-    CURRENT_RUN=$(python3 - "$FLOW_STATE_FILE" <<'PY'
-import json
-import sys
-run_id = "active"
-try:
-    with open(sys.argv[1], "r", encoding="utf-8") as fh:
-        parsed = json.load(fh)
-    value = parsed.get("activeRunId")
-    if isinstance(value, str) and value:
-        run_id = value
-except Exception:
-    pass
-print(run_id)
-PY
-)
-  fi
-fi
-
-SHIP_PREFLIGHT_PASSED="false"
-if [ -f "$FLOW_STATE_FILE" ]; then
-  if command -v jq >/dev/null 2>&1; then
-    SHIP_PREFLIGHT_PASSED=$(jq -r '
-      if ((.stageGateCatalog.ship.passed // []) | index("ship_preflight_passed")) == null
-      then "false"
-      else "true"
-      end
-    ' "$FLOW_STATE_FILE" 2>/dev/null || echo "false")
-  elif command -v python3 >/dev/null 2>&1; then
-    SHIP_PREFLIGHT_PASSED=$(python3 - "$FLOW_STATE_FILE" <<'PY'
-import json
-import sys
-value = "false"
-try:
-    with open(sys.argv[1], "r", encoding="utf-8") as fh:
-        parsed = json.load(fh)
-    ship = ((parsed.get("stageGateCatalog") or {}).get("ship") or {}).get("passed") or []
-    if isinstance(ship, list) and "ship_preflight_passed" in ship:
-        value = "true"
-except Exception:
-    value = "false"
-print(value)
-PY
-)
-  fi
-fi
-
-IRON_LAW_STRICT_ALL="false"
-IRON_LAW_STRICT_IDS=""
-if [ -f "$IRON_LAWS_FILE" ]; then
-  if command -v jq >/dev/null 2>&1; then
-    IRON_LAW_STRICT_ALL=$(jq -r 'if (.mode // "advisory") == "strict" then "true" else "false" end' "$IRON_LAWS_FILE" 2>/dev/null || echo "false")
-    IRON_LAW_STRICT_IDS=$(jq -r '(.laws // []) | map(select(.strict == true) | (.id // "")) | map(select(length > 0)) | join(",")' "$IRON_LAWS_FILE" 2>/dev/null || echo "")
-  elif command -v python3 >/dev/null 2>&1; then
-    IRON_LAW_STRICT_ALL=$(python3 - "$IRON_LAWS_FILE" <<'PY'
-import json
-import sys
-mode = "false"
-try:
-    with open(sys.argv[1], "r", encoding="utf-8") as fh:
-        parsed = json.load(fh)
-    if str(parsed.get("mode", "advisory")) == "strict":
-        mode = "true"
-except Exception:
-    mode = "false"
-print(mode)
-PY
-)
-    IRON_LAW_STRICT_IDS=$(python3 - "$IRON_LAWS_FILE" <<'PY'
-import json
-import sys
-out = []
-try:
-    with open(sys.argv[1], "r", encoding="utf-8") as fh:
-        parsed = json.load(fh)
-    for row in parsed.get("laws", []):
-        if isinstance(row, dict) and row.get("strict") and isinstance(row.get("id"), str):
-            out.append(row["id"].strip())
-except Exception:
-    out = []
-print(",".join([v for v in out if v]))
-PY
-)
-  fi
-fi
-
-iron_law_is_strict() {
-  local law_id="$1"
-  if [ "$IRON_LAW_STRICT_ALL" = "true" ]; then
-    return 0
-  fi
-  if [ -z "$IRON_LAW_STRICT_IDS" ]; then
-    return 1
-  fi
-  case ",$IRON_LAW_STRICT_IDS," in
-    *",$law_id,"*) return 0 ;;
-    *) return 1 ;;
-  esac
-}
-
-LAST_FLOW_READ_AT=0
-if [ -f "$GUARD_STATE_FILE" ]; then
-  if command -v jq >/dev/null 2>&1; then
-    LAST_FLOW_READ_AT=$(jq -r '.lastFlowReadAtEpoch // 0' "$GUARD_STATE_FILE" 2>/dev/null || echo "0")
-  elif command -v python3 >/dev/null 2>&1; then
-    LAST_FLOW_READ_AT=$(python3 - "$GUARD_STATE_FILE" <<'PY'
-import json
-import sys
-value = 0
-try:
-    with open(sys.argv[1], "r", encoding="utf-8") as fh:
-        parsed = json.load(fh)
-    raw = parsed.get("lastFlowReadAtEpoch", 0)
-    if isinstance(raw, (int, float)):
-        value = int(raw)
-except Exception:
-    pass
-print(value)
-PY
-)
-  fi
-fi
-[ -n "$LAST_FLOW_READ_AT" ] || LAST_FLOW_READ_AT=0
-
-stage_index() {
-  case "$1" in
-    brainstorm) echo 1 ;;
-    scope) echo 2 ;;
-    design) echo 3 ;;
-    spec) echo 4 ;;
-    plan) echo 5 ;;
-    tdd) echo 6 ;;
-    review) echo 7 ;;
-    ship) echo 8 ;;
-    *) echo 0 ;;
-  esac
-}
-
-is_mutating_tool() {
-  case "$1" in
-    write|edit|multiedit|multi_edit|delete|applypatch|apply_patch) return 0 ;;
-    *) return 1 ;;
-  esac
-}
-
-is_execution_or_mutating_tool() {
-  case "$1" in
-    write|edit|multiedit|multi_edit|delete|applypatch|apply_patch) return 0 ;;
-    shell|bash|runcommand|run_command|execcommand|exec_command|terminal) return 0 ;;
-    *) return 1 ;;
-  esac
-}
-
-is_plan_mode_safe_tool() {
-  case "$1" in
-    read|readfile|open|view|cat|head|tail) return 0 ;;
-    grep|glob|search|semanticsearch|ripgrep|rg|find|list_directory|ls) return 0 ;;
-    askquestion|askuserquestion|ask_question|ask_user_question|question) return 0 ;;
-    todowrite|todoread|todo_write|todo_read) return 0 ;;
-    webfetch|websearch|web_fetch|web_search|fetchmcpresource) return 0 ;;
-    switchmode|switch_mode) return 0 ;;
-    task|delegate) return 0 ;;
-    *) return 1 ;;
-  esac
-}
-
-is_cclaw_cli_payload() {
-  printf '%s' "$1" | grep -Eq '(cclaw |npx cclaw |/cc-|/cc[^[:alnum:]_-])'
-}
-
-extract_flow_state_after_json() {
-  if command -v jq >/dev/null 2>&1; then
-    printf '%s' "$INPUT" | jq -r '
-      .tool_input?.content //
-      .input?.content //
-      .arguments?.content //
-      .params?.content //
-      .payload?.content //
-      .content //
-      .input?.new_string //
-      .tool_input?.new_string //
-      ""
-    ' 2>/dev/null || echo ""
-    return 0
-  fi
-
-  if command -v python3 >/dev/null 2>&1; then
-    INPUT_JSON="$INPUT" python3 - <<'PY'
-import json
-import os
-
-try:
-    payload = json.loads(os.environ.get("INPUT_JSON", "{}"))
-except Exception:
-    payload = {}
-
-def pick(value):
-    if not isinstance(value, dict):
-        return ""
-    for key in ("tool_input", "input", "arguments", "params", "payload"):
-        nested = value.get(key)
-        if isinstance(nested, dict):
-            content = nested.get("content")
-            if isinstance(content, str) and content.strip():
-                return content
-            new_string = nested.get("new_string")
-            if isinstance(new_string, str) and new_string.strip():
-                return new_string
-    content = value.get("content")
-    if isinstance(content, str) and content.strip():
-        return content
-    return ""
-
-print(pick(payload))
-PY
-    return 0
-  fi
-
-  printf ''
-  return 0
-}
-
-verify_flow_state_candidate() {
-  local candidate_json="$1"
-  [ -n "$candidate_json" ] || return 1
-  local tmp_file="$STATE_DIR/.flow-state-candidate.$$.$RANDOM.json"
-  printf '%s' "$candidate_json" > "$tmp_file" 2>/dev/null || {
-    rm -f "$tmp_file" 2>/dev/null || true
-    return 1
-  }
-
-  if ! command -v cclaw >/dev/null 2>&1; then
-    rm -f "$tmp_file" 2>/dev/null || true
-    printf '[cclaw] workflow guard: cclaw binary is required to validate flow-state edits; install cclaw and re-run.\\n' >&2
-    return 1
-  fi
-  local verify_cmd=(cclaw internal verify-flow-state-diff --after-file="$tmp_file" --quiet)
-
-  if "\${verify_cmd[@]}" >/dev/null 2>&1; then
-    rm -f "$tmp_file" 2>/dev/null || true
-    return 0
-  fi
-
-  rm -f "$tmp_file" 2>/dev/null || true
-  return 1
-}
-
-is_preimplementation_stage() {
-  case "$1" in
-    brainstorm|scope|design|spec|plan) return 0 ;;
-    *) return 1 ;;
-  esac
-}
-
-normalize_payload_path() {
-  local raw="$1"
-  local normalized="$raw"
-  normalized=$(printf '%s' "$normalized" | tr '\\\\' '/')
-  normalized=$(printf '%s' "$normalized" | tr '[:upper:]' '[:lower:]')
-  normalized="\${normalized#./}"
-  printf '%s' "$normalized"
-}
-
-extract_payload_paths() {
-  if command -v jq >/dev/null 2>&1; then
-    printf '%s' "$INPUT" | jq -r '
-      [.. | objects | (.path?, .file_path?, .filepath?) | select(type == "string" and length > 0)]
-      | unique
-      | .[]
-    ' 2>/dev/null || printf ''
-    return 0
-  fi
-  if command -v python3 >/dev/null 2>&1; then
-    INPUT_JSON="$INPUT" python3 - <<'PY'
-import json
-import os
-
-def visit(node, acc):
-    if isinstance(node, dict):
-        for key in ("path", "file_path", "filepath"):
-            value = node.get(key)
-            if isinstance(value, str) and value.strip():
-                acc.add(value.strip())
-        for value in node.values():
-            visit(value, acc)
-    elif isinstance(node, list):
-        for value in node:
-            visit(value, acc)
-
-try:
-    payload = json.loads(os.environ.get("INPUT_JSON", "{}"))
-except Exception:
-    payload = {}
-
-items = set()
-visit(payload, items)
-for value in sorted(items):
-    print(value)
-PY
-    return 0
-  fi
-  printf ''
-  return 0
-}
-
-matches_path_patterns() {
-  local candidate="$1"
-  local patterns_csv="$2"
-  [ -n "$candidate" ] || return 1
-  [ -n "$patterns_csv" ] || return 1
-  local old_ifs="$IFS"
-  IFS=','
-  for pattern in $patterns_csv; do
-    local normalized_pattern
-    normalized_pattern=$(normalize_payload_path "$pattern")
-    [ -n "$normalized_pattern" ] || continue
-    case "$candidate" in
-      $normalized_pattern)
-        IFS="$old_ifs"
-        return 0
-        ;;
-    esac
-  done
-  IFS="$old_ifs"
-  return 1
-}
-
-is_code_like_path() {
-  local candidate="$1"
-  printf '%s' "$candidate" | grep -Eq '\\.(ts|tsx|js|jsx|mjs|cjs|py|go|rs|java|kt|rb|php|cs|swift)$'
-}
-
-is_tdd_test_payload() {
-  local text="$1"
-  local payload_paths="$2"
-  if [ -n "$payload_paths" ]; then
-    while IFS= read -r raw_path; do
-      [ -n "$raw_path" ] || continue
-      local normalized
-      normalized=$(normalize_payload_path "$raw_path")
-      if matches_path_patterns "$normalized" "$TDD_TEST_PATH_PATTERNS"; then
-        return 0
-      fi
-    done <<< "$payload_paths"
-  fi
-  if printf '%s' "$text" | grep -Eq '/tests?/|/__tests__/|\\.test\\.'; then
-    return 0
-  fi
-  return 1
-}
-
-is_tdd_production_path() {
-  local normalized="$1"
-  [ -n "$normalized" ] || return 1
-  if printf '%s' "$normalized" | grep -Eq '(^|/)\\.cclaw/'; then
-    return 1
-  fi
-  if matches_path_patterns "$normalized" "$TDD_TEST_PATH_PATTERNS"; then
-    return 1
-  fi
-  if [ -n "$TDD_PRODUCTION_PATH_PATTERNS" ]; then
-    matches_path_patterns "$normalized" "$TDD_PRODUCTION_PATH_PATTERNS"
-    return $?
-  fi
-  is_code_like_path "$normalized"
-  return $?
-}
-
-is_tdd_production_write_payload() {
-  local text="$1"
-  local payload_paths="$2"
-  if [ -n "$payload_paths" ]; then
-    while IFS= read -r raw_path; do
-      [ -n "$raw_path" ] || continue
-      local normalized
-      normalized=$(normalize_payload_path "$raw_path")
-      if is_tdd_production_path "$normalized"; then
-        return 0
-      fi
-    done <<< "$payload_paths"
-    return 1
-  fi
-  if [ -n "$TDD_PRODUCTION_PATH_PATTERNS" ]; then
-    return 1
-  fi
-  if printf '%s' "$text" | grep -Eq '\\.cclaw/'; then
-    return 1
-  fi
-  if ! printf '%s' "$text" | grep -Eq '\\.(ts|tsx|js|jsx|mjs|cjs|py|go|rs|java|kt|rb|php|cs|swift)'; then
-    return 1
-  fi
-  if is_tdd_test_payload "$text" ""; then
-    return 1
-  fi
-  return 0
-}
-
-collect_tdd_production_paths() {
-  local payload_paths="$1"
-  local out=""
-  [ -n "$payload_paths" ] || {
-    printf ''
-    return 0
-  }
-  while IFS= read -r raw_path; do
-    [ -n "$raw_path" ] || continue
-    local normalized
-    normalized=$(normalize_payload_path "$raw_path")
-    if is_tdd_production_path "$normalized"; then
-      if [ -n "$out" ]; then
-        out="$out"$'\n'"$raw_path"
-      else
-        out="$raw_path"
-      fi
-    fi
-  done <<< "$payload_paths"
-  printf '%s' "$out"
-}
-
-review_layer_coverage_complete() {
-  if [ ! -f "$REVIEW_ARMY_FILE" ]; then
-    return 1
-  fi
-  if command -v jq >/dev/null 2>&1; then
-    jq -e '
-      ((.reconciliation.layerCoverage.spec // false) == true) and
-      ((.reconciliation.layerCoverage.correctness // false) == true) and
-      ((.reconciliation.layerCoverage.security // false) == true) and
-      ((.reconciliation.layerCoverage.performance // false) == true) and
-      ((.reconciliation.layerCoverage.architecture // false) == true) and
-      ((.reconciliation.layerCoverage["external-safety"] // false) == true)
-    ' "$REVIEW_ARMY_FILE" >/dev/null 2>&1
-    return $?
-  fi
-  if command -v python3 >/dev/null 2>&1; then
-    python3 - "$REVIEW_ARMY_FILE" <<'PY'
-import json
-import sys
-keys = ["spec", "correctness", "security", "performance", "architecture", "external-safety"]
-try:
-    with open(sys.argv[1], "r", encoding="utf-8") as handle:
-        parsed = json.load(handle)
-    coverage = ((parsed.get("reconciliation") or {}).get("layerCoverage") or {})
-    ok = all(coverage.get(key) is True for key in keys)
-except Exception:
-    ok = False
-raise SystemExit(0 if ok else 1)
-PY
-    return $?
-  fi
-  return 1
-}
-
-tdd_cycle_counts() {
-  if [ ! -f "$TDD_LOG_FILE" ] || [ ! -s "$TDD_LOG_FILE" ]; then
-    printf '0:0'
-    return 0
-  fi
-  local red_count="0"
-  local green_count="0"
-  if command -v jq >/dev/null 2>&1 && jq -n '1' >/dev/null 2>&1; then
-    red_count=$(jq -r --arg run "$CURRENT_RUN" 'select((.runId // $run) == $run and .phase == "red") | .phase' "$TDD_LOG_FILE" 2>/dev/null | wc -l | tr -d ' ' || echo "0")
-    green_count=$(jq -r --arg run "$CURRENT_RUN" 'select((.runId // $run) == $run and .phase == "green") | .phase' "$TDD_LOG_FILE" 2>/dev/null | wc -l | tr -d ' ' || echo "0")
-  elif command -v python3 >/dev/null 2>&1 && python3 - <<'PY' >/dev/null 2>&1
-print("ok")
-PY
-  then
-    red_count=$(python3 - "$TDD_LOG_FILE" "$CURRENT_RUN" <<'PY'
-import json
-import sys
-count = 0
-run_id = sys.argv[2]
-with open(sys.argv[1], "r", encoding="utf-8") as fh:
-    for raw in fh:
-        raw = raw.strip()
-        if not raw:
-            continue
-        try:
-            parsed = json.loads(raw)
-        except Exception:
-            continue
-        if not isinstance(parsed, dict):
-            continue
-        if str(parsed.get("runId", run_id)) != run_id:
-            continue
-        if parsed.get("phase") == "red":
-            count += 1
-print(count)
-PY
-)
-    green_count=$(python3 - "$TDD_LOG_FILE" "$CURRENT_RUN" <<'PY'
-import json
-import sys
-count = 0
-run_id = sys.argv[2]
-with open(sys.argv[1], "r", encoding="utf-8") as fh:
-    for raw in fh:
-        raw = raw.strip()
-        if not raw:
-            continue
-        try:
-            parsed = json.loads(raw)
-        except Exception:
-            continue
-        if not isinstance(parsed, dict):
-            continue
-        if str(parsed.get("runId", run_id)) != run_id:
-            continue
-        if parsed.get("phase") == "green":
-            count += 1
-print(count)
-PY
-)
-  else
-    if command -v awk >/dev/null 2>&1; then
-      local fallback_counts
-      fallback_counts=$(awk -v run="$CURRENT_RUN" '
-        BEGIN { red=0; green=0; }
-        {
-          line=$0;
-          line_run=run;
-          if (match(line, /"runId"[[:space:]]*:[[:space:]]*"[^"]+"/)) {
-            line_run=substr(line, RSTART, RLENGTH);
-            sub(/.*"/, "", line_run);
-            sub(/"$/, "", line_run);
-          }
-          if (line_run != run) next;
-          if (match(line, /"phase"[[:space:]]*:[[:space:]]*"[^"]+"/)) {
-            phase=substr(line, RSTART, RLENGTH);
-            sub(/.*"/, "", phase);
-            sub(/"$/, "", phase);
-            if (phase == "red") red += 1;
-            else if (phase == "green") green += 1;
-          }
-        }
-        END { printf "%d:%d", red, green; }
-      ' "$TDD_LOG_FILE" 2>/dev/null || true)
-      if printf '%s' "$fallback_counts" | grep -Eq '^[0-9]+:[0-9]+$'; then
-        printf '%s' "$fallback_counts"
-        return 0
-      fi
-    fi
-    printf '__UNAVAILABLE__'
-    return 0
-  fi
-  [ -n "$red_count" ] || red_count="0"
-  [ -n "$green_count" ] || green_count="0"
-  printf '%s:%s' "$red_count" "$green_count"
-}
-
-has_open_red_cycle() {
-  local counts
-  counts=$(tdd_cycle_counts)
-  if [ "$counts" = "__UNAVAILABLE__" ]; then
-    return 2
-  fi
-  local red_count="\${counts%%:*}"
-  local green_count="\${counts##*:}"
-  if ! printf '%s' "$red_count:$green_count" | grep -Eq '^[0-9]+:[0-9]+$'; then
-    return 2
-  fi
-  if [ "$red_count" -gt "$green_count" ]; then
-    return 0
-  fi
-  return 1
-}
-
-tdd_cycle_state() {
-  local counts
-  counts=$(tdd_cycle_counts)
-  if [ "$counts" = "__UNAVAILABLE__" ]; then
-    printf '__UNAVAILABLE__'
-    return 0
-  fi
-  local red_count="\${counts%%:*}"
-  local green_count="\${counts##*:}"
-  if ! printf '%s' "$red_count:$green_count" | grep -Eq '^[0-9]+:[0-9]+$'; then
-    printf '__UNAVAILABLE__'
-    return 0
-  fi
-  if [ "$red_count" -le 0 ]; then
-    printf 'need_red'
-    return 0
-  fi
-  if [ "$red_count" -gt "$green_count" ]; then
-    printf 'red_open'
-    return 0
-  fi
-  printf 'green_done'
-  return 0
-}
-
-detect_target_stage() {
-  local text="$1"
-  for stage in brainstorm scope design spec plan tdd review ship; do
-    if printf '%s' "$text" | grep -Eq "(/cc-$stage|cc-$stage)([^[:alnum:]_-]|$)"; then
-      printf '%s' "$stage"
-      return 0
-    fi
-  done
-  printf ''
-  return 0
-}
-
-is_flow_progression_command() {
-  local text="$1"
-  if printf '%s' "$text" | grep -Eq '(/cc-next|cc-next)([^[:alnum:]_-]|$)'; then
-    return 0
-  fi
-  if printf '%s' "$text" | grep -Eq '/cc([^[:alnum:]_-]|$)'; then
-    return 0
-  fi
-  return 1
-}
-
-TARGET_STAGE=$(detect_target_stage "$PAYLOAD_LOWER")
-FLOW_COMMAND_INVOKED=0
-if is_flow_progression_command "$PAYLOAD_LOWER"; then
-  FLOW_COMMAND_INVOKED=1
-fi
-MUTATION_PATHS=""
-if is_mutating_tool "$TOOL_LOWER"; then
-  MUTATION_PATHS=$(extract_payload_paths)
-fi
-TDD_CYCLE_STATE="unknown"
-if [ -n "$TARGET_STAGE" ] && [ "$CURRENT_STAGE" != "none" ]; then
-  CURRENT_IDX=$(stage_index "$CURRENT_STAGE")
-  TARGET_IDX=$(stage_index "$TARGET_STAGE")
-  if [ "$CURRENT_IDX" -gt 0 ] && [ "$TARGET_IDX" -gt 0 ]; then
-    if [ "$TARGET_IDX" -gt $((CURRENT_IDX + 1)) ]; then
-      REASONS="stage_jump_\${CURRENT_STAGE}_to_\${TARGET_STAGE}"
-    fi
-  fi
-fi
-
-if is_mutating_tool "$TOOL_LOWER" && printf '%s' "$PAYLOAD_LOWER" | grep -Eq '\.cclaw/state/flow-state\.json'; then
-  if [ -n "$REASONS" ]; then
-    REASONS="$REASONS,direct_flow_state_edit"
-  else
-    REASONS="direct_flow_state_edit"
-  fi
-  FLOW_STATE_AFTER_JSON=$(extract_flow_state_after_json)
-  if [ -n "$FLOW_STATE_AFTER_JSON" ]; then
-    if ! verify_flow_state_candidate "$FLOW_STATE_AFTER_JSON"; then
-      REASONS="$REASONS,flow_state_edit_failed_internal_validation"
-    fi
-  else
-    REASONS="$REASONS,flow_state_edit_without_serialized_content"
-  fi
-fi
-
-if is_preimplementation_stage "$CURRENT_STAGE" && is_mutating_tool "$TOOL_LOWER"; then
-  if ! printf '%s' "$PAYLOAD_LOWER" | grep -Eq '\.cclaw/'; then
-    if [ -n "$REASONS" ]; then
-      REASONS="$REASONS,implementation_write_before_\${CURRENT_STAGE}_completion"
-    else
-      REASONS="implementation_write_before_\${CURRENT_STAGE}_completion"
-    fi
-  fi
-fi
-
-if [ "$CURRENT_STAGE" = "tdd" ] && is_mutating_tool "$TOOL_LOWER"; then
-  TDD_MISSING_RED_PATHS=""
-  if is_tdd_production_write_payload "$PAYLOAD_LOWER" "$MUTATION_PATHS"; then
-    PRODUCTION_PATHS=$(collect_tdd_production_paths "$MUTATION_PATHS")
-    PER_PATH_RED_CHECKED="false"
-    if [ -n "$PRODUCTION_PATHS" ] && command -v cclaw >/dev/null 2>&1; then
-      PER_PATH_RED_CHECKED="true"
-      while IFS= read -r production_path; do
-        [ -n "$production_path" ] || continue
-        cclaw internal tdd-red-evidence --path="$production_path" --run-id="$CURRENT_RUN" --quiet >/dev/null 2>&1
-        EVIDENCE_STATUS=$?
-        if [ "$EVIDENCE_STATUS" -eq 0 ]; then
-          continue
-        fi
-        if [ "$EVIDENCE_STATUS" -eq 2 ]; then
-          if [ -n "$TDD_MISSING_RED_PATHS" ]; then
-            TDD_MISSING_RED_PATHS="$TDD_MISSING_RED_PATHS, $production_path"
-          else
-            TDD_MISSING_RED_PATHS="$production_path"
-          fi
-          continue
-        fi
-        if [ -n "$REASONS" ]; then
-          REASONS="$REASONS,tdd_red_evidence_check_failed"
-        else
-          REASONS="tdd_red_evidence_check_failed"
-        fi
-      done <<< "$PRODUCTION_PATHS"
-      if [ -n "$TDD_MISSING_RED_PATHS" ]; then
-        if [ -n "$REASONS" ]; then
-          REASONS="$REASONS,tdd_write_without_red_for_path"
-        else
-          REASONS="tdd_write_without_red_for_path"
-        fi
-      fi
-    fi
-    if [ "$PER_PATH_RED_CHECKED" != "true" ]; then
-      if has_open_red_cycle; then
-        TDD_CYCLE_STATE="red_open"
-      else
-        OPEN_RED_STATUS=$?
-        if [ "$OPEN_RED_STATUS" -eq 2 ]; then
-          TDD_CYCLE_STATE="counts_unavailable"
-          if [ -n "$REASONS" ]; then
-            REASONS="$REASONS,tdd_cycle_counts_unavailable"
-          else
-            REASONS="tdd_cycle_counts_unavailable"
-          fi
-        else
-          TDD_CYCLE_STATE=$(tdd_cycle_state)
-        fi
-      fi
-      if [ "$TDD_CYCLE_STATE" = "need_red" ]; then
-        if [ -n "$REASONS" ]; then
-          REASONS="$REASONS,tdd_write_without_open_red"
-        else
-          REASONS="tdd_write_without_open_red"
-        fi
-      elif [ "$TDD_CYCLE_STATE" = "__UNAVAILABLE__" ]; then
-        if [ -n "$REASONS" ]; then
-          REASONS="$REASONS,tdd_cycle_counts_unavailable"
-        else
-          REASONS="tdd_cycle_counts_unavailable"
-        fi
-      fi
-    fi
-  fi
-fi
-
-if [ "$CURRENT_STAGE" = "tdd" ] && is_mutating_tool "$TOOL_LOWER"; then
-  ACTIVE_AGENT_EFFECTIVE="$ACTIVE_AGENT_LOWER"
-  if [ -z "$ACTIVE_AGENT_EFFECTIVE" ]; then
-    INFERRED_TDD_PHASE=$(tdd_cycle_state)
-    case "$INFERRED_TDD_PHASE" in
-      need_red) ACTIVE_AGENT_EFFECTIVE="tdd-red" ;;
-      red_open) ACTIVE_AGENT_EFFECTIVE="tdd-green" ;;
-      green_done) ACTIVE_AGENT_EFFECTIVE="tdd-refactor" ;;
-      *) ACTIVE_AGENT_EFFECTIVE="" ;;
-    esac
-  fi
-  if [ "$ACTIVE_AGENT_EFFECTIVE" = "tdd-red" ] && is_tdd_production_write_payload "$PAYLOAD_LOWER" "$MUTATION_PATHS"; then
-    if [ -n "$REASONS" ]; then
-      REASONS="$REASONS,tdd_red_agent_cannot_write_production"
-    else
-      REASONS="tdd_red_agent_cannot_write_production"
-    fi
-  fi
-  if [ "$ACTIVE_AGENT_EFFECTIVE" = "tdd-green" ] && is_tdd_test_payload "$PAYLOAD_LOWER" "$MUTATION_PATHS"; then
-    if [ -n "$REASONS" ]; then
-      REASONS="$REASONS,tdd_green_agent_cannot_write_tests"
-    else
-      REASONS="tdd_green_agent_cannot_write_tests"
-    fi
-  fi
-  if [ "$ACTIVE_AGENT_EFFECTIVE" = "tdd-refactor" ]; then
-    TDD_AGENT_STATE=$(tdd_cycle_state)
-    if [ "$TDD_AGENT_STATE" != "green_done" ]; then
-      if [ -n "$REASONS" ]; then
-        REASONS="$REASONS,tdd_refactor_before_green"
-      else
-        REASONS="tdd_refactor_before_green"
-      fi
-    fi
-  fi
-fi
-
-if is_mutating_tool "$TOOL_LOWER"; then
-  if [ "$LAST_FLOW_READ_AT" -le 0 ] || [ "$NOW_EPOCH" -le 0 ] || [ $((NOW_EPOCH - LAST_FLOW_READ_AT)) -gt "$MAX_FLOW_READ_AGE_SEC" ]; then
-    if [ -n "$REASONS" ]; then
-      REASONS="$REASONS,mutating_without_recent_flow_read"
-    else
-      REASONS="mutating_without_recent_flow_read"
-    fi
-  fi
-fi
-
-if is_mutating_tool "$TOOL_LOWER" && printf '%s' "$PAYLOAD_LOWER" | grep -Eq '\.cclaw/(state|hooks|skills)'; then
-  if ! is_cclaw_cli_payload "$PAYLOAD_LOWER"; then
-    if [ -n "$REASONS" ]; then
-      REASONS="$REASONS,runtime_write_requires_managed_only"
-    else
-      REASONS="runtime_write_requires_managed_only"
-    fi
-  fi
-fi
-
-if [ "$CURRENT_STAGE" = "ship" ] && is_execution_or_mutating_tool "$TOOL_LOWER"; then
-  if printf '%s' "$PAYLOAD_LOWER" | grep -Eq '(npm publish|pnpm publish|yarn publish|gh release create|git push[[:space:]].*--tags|npm version)'; then
-    if [ "$SHIP_PREFLIGHT_PASSED" != "true" ]; then
-      if [ -n "$REASONS" ]; then
-        REASONS="$REASONS,ship_preflight_required"
-      else
-        REASONS="ship_preflight_required"
-      fi
-    fi
-    if ! review_layer_coverage_complete; then
-      if [ -n "$REASONS" ]; then
-        REASONS="$REASONS,ship_review_coverage_required"
-      else
-        REASONS="ship_review_coverage_required"
-      fi
-    fi
-  fi
-fi
-
-if is_preimplementation_stage "$CURRENT_STAGE" && ! is_plan_mode_safe_tool "$TOOL_LOWER"; then
-  if ! is_mutating_tool "$TOOL_LOWER"; then
-    if ! printf '%s' "$PAYLOAD_LOWER" | grep -Eq '\.cclaw/' && ! is_cclaw_cli_payload "$PAYLOAD_LOWER"; then
-      if [ -n "$REASONS" ]; then
-        REASONS="$REASONS,non_safe_tool_in_plan_stage_\${CURRENT_STAGE}"
-      else
-        REASONS="non_safe_tool_in_plan_stage_\${CURRENT_STAGE}"
-      fi
-    fi
-  fi
-fi
-
-if [ -n "$TARGET_STAGE" ] || [ "$FLOW_COMMAND_INVOKED" -eq 1 ]; then
-  if [ "$LAST_FLOW_READ_AT" -le 0 ] || [ "$NOW_EPOCH" -le 0 ] || [ $((NOW_EPOCH - LAST_FLOW_READ_AT)) -gt "$MAX_FLOW_READ_AGE_SEC" ]; then
-    if [ -n "$REASONS" ]; then
-      REASONS="$REASONS,stage_invocation_without_recent_flow_read"
-    else
-      REASONS="stage_invocation_without_recent_flow_read"
-    fi
-  fi
-fi
-
-SHOULD_RECORD_FLOW_READ=0
-case "$TOOL_LOWER" in
-  read|readfile|open|view|cat) SHOULD_RECORD_FLOW_READ=1 ;;
-  shell|runcommand|run_command|execcommand|exec_command|terminal) SHOULD_RECORD_FLOW_READ=1 ;;
-esac
-
-if [ "$SHOULD_RECORD_FLOW_READ" -eq 1 ] && printf '%s' "$PAYLOAD_LOWER" | grep -Eq '(\.cclaw/state/flow-state\.json|cclaw doctor|cclaw sync)'; then
-  TMP_STATE_FILE="$GUARD_STATE_FILE.tmp.$$"
-  if command -v jq >/dev/null 2>&1 && [ -f "$GUARD_STATE_FILE" ]; then
-    jq --arg ts "$TS" --argjson epoch "$NOW_EPOCH" '
-      .lastFlowReadAt = $ts
-      | .lastFlowReadAtEpoch = $epoch
-    ' "$GUARD_STATE_FILE" > "$TMP_STATE_FILE" 2>/dev/null || true
-  elif command -v python3 >/dev/null 2>&1; then
-    python3 - "$GUARD_STATE_FILE" "$TMP_STATE_FILE" "$TS" "$NOW_EPOCH" <<'PY'
-import json
-import sys
-from pathlib import Path
-source = Path(sys.argv[1])
-target = Path(sys.argv[2])
-ts = sys.argv[3]
-epoch = int(float(sys.argv[4])) if sys.argv[4] else 0
-payload = {}
-if source.exists():
-    try:
-        raw = json.loads(source.read_text(encoding="utf-8"))
-        if isinstance(raw, dict):
-            payload.update(raw)
-    except Exception:
-        pass
-payload["lastFlowReadAt"] = ts
-payload["lastFlowReadAtEpoch"] = epoch
-target.write_text(json.dumps(payload, indent=2) + "\\n", encoding="utf-8")
-PY
-  fi
-  if [ -s "$TMP_STATE_FILE" ]; then
-    mv "$TMP_STATE_FILE" "$GUARD_STATE_FILE" 2>/dev/null || rm -f "$TMP_STATE_FILE" 2>/dev/null || true
-  else
-    printf '{\\n  "lastFlowReadAt": "%s",\\n  "lastFlowReadAtEpoch": %s\\n}\\n' "$TS" "$NOW_EPOCH" > "$GUARD_STATE_FILE" 2>/dev/null || true
-  fi
-fi
-
-if [ -n "$REASONS" ]; then
-  if printf '%s' "$REASONS" | grep -Eq 'tdd_write_without_red_for_path'; then
-    NOTE="Cclaw workflow guard: missing failing RED evidence for production path(s): \${TDD_MISSING_RED_PATHS:-unknown}. Log failing tests before touching these files."
-  elif printf '%s' "$REASONS" | grep -Eq 'tdd_write_without_open_red'; then
-    NOTE="Cclaw workflow guard: Write a failing test first before editing production files during tdd stage (state=\${TDD_CYCLE_STATE})."
-  elif printf '%s' "$REASONS" | grep -Eq 'tdd_red_evidence_check_failed'; then
-    NOTE="Cclaw workflow guard: failed to validate per-path RED evidence via \`cclaw internal tdd-red-evidence\`; refusing write until evidence check succeeds."
-  elif printf '%s' "$REASONS" | grep -Eq 'tdd_red_agent_cannot_write_production'; then
-    NOTE="Cclaw workflow guard: tdd-red agent is limited to test-side RED work and cannot edit production files."
-  elif printf '%s' "$REASONS" | grep -Eq 'tdd_green_agent_cannot_write_tests'; then
-    NOTE="Cclaw workflow guard: tdd-green agent can implement production fixes but should not author new RED tests."
-  elif printf '%s' "$REASONS" | grep -Eq 'tdd_refactor_before_green'; then
-    NOTE="Cclaw workflow guard: tdd-refactor requires a green_done cycle state before refactor edits."
-  elif printf '%s' "$REASONS" | grep -Eq 'ship_preflight_required'; then
-    NOTE="Cclaw workflow guard: ship finalization command detected before ship_preflight_passed gate. Run preflight and record evidence first."
-  elif printf '%s' "$REASONS" | grep -Eq 'ship_review_coverage_required'; then
-    NOTE="Cclaw workflow guard: ship finalization requires review layer coverage for spec/correctness/security/performance/architecture/external-safety in 07-review-army.json."
-  elif printf '%s' "$REASONS" | grep -Eq 'tdd_cycle_counts_unavailable'; then
-    NOTE="Cclaw workflow guard: unable to inspect run-scoped tdd-cycle counts (missing usable jq/python3/awk). Install one of these tools before writing production code in tdd."
-  elif printf '%s' "$REASONS" | grep -Eq 'runtime_write_requires_managed_only|direct_flow_state_edit'; then
-    NOTE="Cclaw workflow guard: runtime write to managed ${RUNTIME_ROOT} internals detected (\${REASONS}). Prefer cclaw-managed helpers (stage-complete, sync, command contracts) instead of ad-hoc edits."
-  elif printf '%s' "$REASONS" | grep -Eq 'mutating_without_recent_flow_read'; then
-    NOTE="Cclaw workflow guard: mutating action requires a fresh read of ${RUNTIME_ROOT}/state/flow-state.json before edits."
-  else
-    NOTE="Cclaw workflow guard: detected potential flow violation (\${REASONS}). Re-read ${RUNTIME_ROOT}/state/flow-state.json, avoid source edits before tdd stage, and enforce RED -> GREEN -> REFACTOR discipline inside tdd."
-  fi
-  if command -v jq >/dev/null 2>&1; then
-    ENTRY=$(jq -n -c \
-      --arg ts "$TS" \
-      --arg tool "$TOOL" \
-      --arg stage "$CURRENT_STAGE" \
-      --arg target "$TARGET_STAGE" \
-      --arg reasons "$REASONS" \
-      --arg note "$NOTE" \
-      '{ts:$ts,tool:$tool,currentStage:$stage,targetStage:$target,reasons:($reasons|split(",")),note:$note}' 2>/dev/null || echo "")
-  else
-    ENTRY=""
-  fi
-  if [ -n "$ENTRY" ]; then
-    printf '%s\n' "$ENTRY" >> "$GUARD_LOG" 2>/dev/null || true
-  fi
-  SHOULD_BLOCK="false"
-  if printf '%s' "$REASONS" | grep -Eq 'implementation_write_before_'; then
-    SHOULD_BLOCK="true"
-  fi
-  if printf '%s' "$REASONS" | grep -Eq 'tdd_write_without_open_red|tdd_write_without_red_for_path' && [ "$TDD_ENFORCEMENT_MODE" = "strict" ]; then
-    SHOULD_BLOCK="true"
-  fi
-  if printf '%s' "$REASONS" | grep -Eq 'tdd_write_without_open_red|tdd_write_without_red_for_path' && iron_law_is_strict "tdd-red-before-write"; then
-    SHOULD_BLOCK="true"
-  fi
-  if printf '%s' "$REASONS" | grep -Eq 'runtime_write_requires_managed_only|direct_flow_state_edit' && iron_law_is_strict "runtime-writes-managed-only"; then
-    SHOULD_BLOCK="true"
-  fi
-  if printf '%s' "$REASONS" | grep -Eq 'mutating_without_recent_flow_read|stage_invocation_without_recent_flow_read' && iron_law_is_strict "flow-state-read-fresh"; then
-    SHOULD_BLOCK="true"
-  fi
-  if printf '%s' "$REASONS" | grep -Eq 'ship_preflight_required' && iron_law_is_strict "ship-preflight-required"; then
-    SHOULD_BLOCK="true"
-  fi
-  if printf '%s' "$REASONS" | grep -Eq 'ship_review_coverage_required' && iron_law_is_strict "review-coverage-complete-before-ship"; then
-    SHOULD_BLOCK="true"
-  fi
-  if printf '%s' "$REASONS" | grep -Eq 'implementation_write_before_plan_completion' && iron_law_is_strict "plan-requires-approval"; then
-    SHOULD_BLOCK="true"
-  fi
-  if printf '%s' "$REASONS" | grep -Eq 'tdd_cycle_counts_unavailable|tdd_red_evidence_check_failed'; then
-    SHOULD_BLOCK="true"
-  fi
-  if printf '%s' "$REASONS" | grep -Eq 'tdd_red_agent_cannot_write_production|tdd_green_agent_cannot_write_tests|tdd_refactor_before_green'; then
-    SHOULD_BLOCK="true"
-  fi
-  if [ "$WORKFLOW_GUARD_MODE" = "strict" ] || [ "$SHOULD_BLOCK" = "true" ]; then
-    printf '[cclaw] %s (blocked by workflow guard)\n' "$NOTE" >&2
-    exit 1
-  fi
-  printf '[cclaw] %s\n' "$NOTE" >&2
-fi
-
-exit 0
-`;
-}
-export function contextMonitorScript() {
-    return `#!/usr/bin/env bash
-# cclaw context monitor hook — generated by cclaw sync
-# Advisory-only context pressure warnings (best effort).
-set -uo pipefail
-
-${RUNTIME_SHELL_DETECT_ROOT}
-
-STATE_DIR="$ROOT/${RUNTIME_ROOT}/state"
-MONITOR_STATE="$STATE_DIR/context-monitor.json"
-WARNINGS_FILE="$STATE_DIR/context-warnings.jsonl"
-FLOW_STATE_FILE="$STATE_DIR/flow-state.json"
-TDD_AUTO_EVIDENCE_FILE="$STATE_DIR/tdd-red-evidence.jsonl"
-mkdir -p "$STATE_DIR" 2>/dev/null || true
-
-INPUT=$(cat 2>/dev/null || echo '{}')
-[ -n "$INPUT" ] || exit 0
-
-CURRENT_STAGE="none"
-CURRENT_RUN="active"
-if command -v cclaw_hook_read_flow_state_minimal >/dev/null 2>&1; then
-  cclaw_hook_read_flow_state_minimal "$FLOW_STATE_FILE"
-  CURRENT_STAGE="\${CCLAW_HOOK_FLOW_STAGE:-none}"
-  CURRENT_RUN="\${CCLAW_HOOK_FLOW_RUN_ID:-active}"
-elif [ -f "$FLOW_STATE_FILE" ]; then
-  if command -v jq >/dev/null 2>&1; then
-    CURRENT_STAGE=$(jq -r '.currentStage // "none"' "$FLOW_STATE_FILE" 2>/dev/null || echo "none")
-    CURRENT_RUN=$(jq -r '.activeRunId // "active"' "$FLOW_STATE_FILE" 2>/dev/null || echo "active")
-  elif command -v python3 >/dev/null 2>&1; then
-    FLOW_META=$(python3 - "$FLOW_STATE_FILE" <<'PY'
-import json
-import sys
-stage = "none"
-run_id = "active"
-try:
-    with open(sys.argv[1], "r", encoding="utf-8") as fh:
-        payload = json.load(fh)
-    stage_value = payload.get("currentStage")
-    run_value = payload.get("activeRunId")
-    if isinstance(stage_value, str) and stage_value:
-        stage = stage_value
-    if isinstance(run_value, str) and run_value:
-        run_id = run_value
-except Exception:
-    pass
-print(stage)
-print(run_id)
-PY
-)
-    {
-      IFS= read -r CURRENT_STAGE
-      IFS= read -r CURRENT_RUN
-    } <<EOF
-$FLOW_META
-EOF
-  fi
-fi
-
-AUTO_TOOL=""
-AUTO_COMMAND=""
-AUTO_EXIT_CODE=""
-AUTO_PATHS_CSV=""
-if command -v python3 >/dev/null 2>&1; then
-  AUTO_META=$(INPUT_JSON="$INPUT" python3 - <<'PY'
-import json
-import os
-import re
-from typing import Any, Iterator
-
-raw = os.environ.get("INPUT_JSON", "{}")
-try:
-    payload = json.loads(raw)
-except Exception:
-    payload = {}
-
-def walk(node: Any) -> Iterator[Any]:
-    if isinstance(node, dict):
-        yield node
-        for value in node.values():
-            yield from walk(value)
-    elif isinstance(node, list):
-        for value in node:
-            yield from walk(value)
-
-def first_string(keys: list[str]) -> str:
-    for node in walk(payload):
-        if not isinstance(node, dict):
-            continue
-        for key in keys:
-            value = node.get(key)
-            if isinstance(value, str) and value.strip():
-                return value.strip()
-    return ""
-
-tool = first_string(["tool_name", "tool", "toolName", "name", "id"])
-command = ""
-for node in walk(payload):
-    if not isinstance(node, dict):
-        continue
-    for key in ("command", "cmd"):
-        value = node.get(key)
-        if isinstance(value, str) and value.strip():
-            command = value.strip()
-            break
-    if command:
-        break
-
-exit_code = ""
-for node in walk(payload):
-    if not isinstance(node, dict):
-        continue
-    for key in ("exitCode", "exit_code", "code", "status"):
-        value = node.get(key)
-        if isinstance(value, bool):
-            exit_code = "0" if value else "1"
-            break
-        if isinstance(value, (int, float)):
-            exit_code = str(int(value))
-            break
-    if exit_code:
-        break
-
-blob_parts: list[str] = []
-for node in walk(payload):
-    if not isinstance(node, dict):
-        continue
-    for key in ("stderr", "stdout", "output", "text", "message"):
-        value = node.get(key)
-        if isinstance(value, str) and value:
-            blob_parts.append(value)
-blob_parts.append(command)
-blob = "\\n".join(blob_parts)
-path_pattern = re.compile(r"(?:[A-Za-z0-9_.-]+/)+[A-Za-z0-9_.-]+\.(?:ts|tsx|js|jsx|mjs|cjs|py|go|rs|java|kt|rb|php|cs|swift)")
-seen: set[str] = set()
-paths: list[str] = []
-for match in path_pattern.findall(blob):
-    normalized = match.strip().strip("\\"'.,:;()[]{}<>")
-    if not normalized or normalized in seen:
-        continue
-    seen.add(normalized)
-    paths.append(normalized)
-
-print(tool.replace("\\t", " ").replace("\\n", " "))
-print(command.replace("\\t", " ").replace("\\n", " "))
-print(exit_code)
-print(",".join(paths[:20]).replace("\\t", " ").replace("\\n", " "))
-PY
-)
-  {
-    IFS= read -r AUTO_TOOL
-    IFS= read -r AUTO_COMMAND
-    IFS= read -r AUTO_EXIT_CODE
-    IFS= read -r AUTO_PATHS_CSV
-  } <<EOF
-$AUTO_META
-EOF
-fi
-
-if [ "$CURRENT_STAGE" = "tdd" ] && [ -n "$AUTO_COMMAND" ] && [ -n "$AUTO_EXIT_CODE" ]; then
-  if command -v cclaw_hook_lower >/dev/null 2>&1; then
-    AUTO_COMMAND_LOWER=$(cclaw_hook_lower "$AUTO_COMMAND")
-  else
-    AUTO_COMMAND_LOWER=$(printf '%s' "$AUTO_COMMAND" | tr '[:upper:]' '[:lower:]')
-  fi
-  if printf '%s' "$AUTO_COMMAND_LOWER" | grep -Eq '(npm test|npm run test|pnpm test|pnpm run test|yarn test|bun test|vitest|jest|pytest|go test|cargo test|mvn test|gradle test|dotnet test)'; then
-    if printf '%s' "$AUTO_EXIT_CODE" | grep -Eq '^-?[0-9]+$' && [ "$AUTO_EXIT_CODE" -ne 0 ]; then
-      TS_AUTO=$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || echo "")
-      if command -v jq >/dev/null 2>&1; then
-        AUTO_ENTRY=$(jq -n -c \
-          --arg ts "$TS_AUTO" \
-          --arg run "$CURRENT_RUN" \
-          --arg command "$AUTO_COMMAND" \
-          --arg tool "$AUTO_TOOL" \
-          --argjson exitCode "$AUTO_EXIT_CODE" \
-          --arg paths "$AUTO_PATHS_CSV" \
-          '{
-            ts: $ts,
-            runId: $run,
-            stage: "tdd",
-            source: "posttool-auto",
-            command: $command,
-            tool: $tool,
-            exitCode: $exitCode,
-            paths: ($paths | split(",") | map(select(length > 0)))
-          }' 2>/dev/null || echo "")
-      elif command -v python3 >/dev/null 2>&1; then
-        AUTO_ENTRY=$(python3 - "$TS_AUTO" "$CURRENT_RUN" "$AUTO_COMMAND" "$AUTO_TOOL" "$AUTO_EXIT_CODE" "$AUTO_PATHS_CSV" <<'PY'
-import json
-import sys
-ts, run_id, command, tool, exit_code, paths_csv = sys.argv[1:7]
-paths = [value for value in paths_csv.split(",") if value]
-entry = {
-    "ts": ts,
-    "runId": run_id,
-    "stage": "tdd",
-    "source": "posttool-auto",
-    "command": command,
-    "tool": tool,
-    "exitCode": int(exit_code),
-    "paths": paths
-}
-print(json.dumps(entry, ensure_ascii=False))
-PY
-)
-      else
-        AUTO_ENTRY=""
-      fi
-      if [ -n "$AUTO_ENTRY" ]; then
-        printf '%s\n' "$AUTO_ENTRY" >> "$TDD_AUTO_EVIDENCE_FILE" 2>/dev/null || true
-      fi
-    fi
-  fi
-fi
-
-REMAINING_PERCENT=""
-if command -v python3 >/dev/null 2>&1; then
-  REMAINING_PERCENT=$(INPUT_JSON="$INPUT" python3 - <<'PY'
-import json
-import os
-from typing import Any
-
-raw = os.environ.get("INPUT_JSON", "{}")
-try:
-    payload = json.loads(raw)
-except Exception:
-    print("")
-    raise SystemExit(0)
-
-def pick(path: list[str]) -> Any:
-    node: Any = payload
-    for key in path:
-        if not isinstance(node, dict):
-            return None
-        node = node.get(key)
-    return node
-
-def as_percent(value: Any, invert: bool = False):
-    if not isinstance(value, (int, float)):
-        return None
-    number = float(value)
-    if number <= 1.0:
-        number *= 100.0
-    if invert:
-        number = 100.0 - number
-    if number < 0:
-        number = 0.0
-    if number > 100:
-        number = 100.0
-    return number
-
-candidates = [
-    (["context", "remaining_percent"], False),
-    (["context", "remainingPercent"], False),
-    (["context_usage", "remaining_percent"], False),
-    (["context_usage", "remainingPercent"], False),
-    (["contextUsage", "remainingPercent"], False),
-    (["context_window", "remaining_percent"], False),
-    (["remaining_context_percent"], False),
-    (["remainingContextPercent"], False),
-    (["remaining_context_ratio"], False),
-    (["remainingContextRatio"], False),
-    (["context", "used_percent"], True),
-    (["context", "usedPercent"], True),
-    (["context_usage", "used_percent"], True),
-    (["context_usage", "usedPercent"], True),
-    (["contextUsage", "usedPercent"], True),
-    (["context_window", "used_ratio"], True),
-    (["context_window", "usedRatio"], True),
-]
-
-for path, invert in candidates:
-    value = pick(path)
-    percent = as_percent(value, invert=invert)
-    if percent is not None:
-        print(f"{percent:.2f}")
-        raise SystemExit(0)
-
-print("")
-PY
-)
-fi
-
-[ -n "$REMAINING_PERCENT" ] || exit 0
-
-BAND="none"
-if awk "BEGIN { exit !($REMAINING_PERCENT <= 20) }"; then
-  BAND="critical"
-elif awk "BEGIN { exit !($REMAINING_PERCENT <= 35) }"; then
-  BAND="warning"
-fi
-
-TTL_SECONDS_RAW="\${CCLAW_CONTEXT_MONITOR_TTL_SEC:-900}"
-if printf '%s' "$TTL_SECONDS_RAW" | grep -Eq '^[0-9]+$'; then
-  TTL_SECONDS="$TTL_SECONDS_RAW"
-else
-  TTL_SECONDS="900"
-fi
-
-LAST_BAND="none"
-LAST_ADVISORY_BAND="none"
-LAST_ADVISORY_AT=""
-LAST_ADVISORY_EPOCH="0"
-if [ -f "$MONITOR_STATE" ]; then
-  if command -v jq >/dev/null 2>&1; then
-    LAST_BAND=$(jq -r '.lastBand // "none"' "$MONITOR_STATE" 2>/dev/null || echo "none")
-    LAST_ADVISORY_BAND=$(jq -r '.lastAdvisoryBand // .lastBand // "none"' "$MONITOR_STATE" 2>/dev/null || echo "none")
-    LAST_ADVISORY_AT=$(jq -r '.lastAdvisoryAt // ""' "$MONITOR_STATE" 2>/dev/null || echo "")
-    LAST_ADVISORY_EPOCH=$(jq -r 'try ((.lastAdvisoryAt // "" | fromdateiso8601)) catch 0' "$MONITOR_STATE" 2>/dev/null || echo "0")
-  elif command -v python3 >/dev/null 2>&1; then
-    STATE_META=$(python3 - "$MONITOR_STATE" <<'PY'
-import json
-import sys
-try:
-    with open(sys.argv[1], "r", encoding="utf-8") as handle:
-        value = json.load(handle)
-    last_band = value.get("lastBand")
-    if not isinstance(last_band, str):
-        last_band = "none"
-    advisory_band = value.get("lastAdvisoryBand")
-    if not isinstance(advisory_band, str):
-        advisory_band = last_band
-    advisory_at = value.get("lastAdvisoryAt")
-    if not isinstance(advisory_at, str):
-        advisory_at = ""
-    advisory_epoch = 0
-    if advisory_at:
-        try:
-            from datetime import datetime
-            normalized = advisory_at.replace("Z", "+00:00")
-            advisory_epoch = int(datetime.fromisoformat(normalized).timestamp())
-        except Exception:
-            advisory_epoch = 0
-    print(f"{last_band}|{advisory_band}|{advisory_at}|{advisory_epoch}")
-except Exception:
-    print("none|none||0")
-PY
-)
-    LAST_BAND=$(printf '%s' "$STATE_META" | cut -d'|' -f1)
-    LAST_ADVISORY_BAND=$(printf '%s' "$STATE_META" | cut -d'|' -f2)
-    LAST_ADVISORY_AT=$(printf '%s' "$STATE_META" | cut -d'|' -f3)
-    LAST_ADVISORY_EPOCH=$(printf '%s' "$STATE_META" | cut -d'|' -f4)
-  fi
-fi
-
-TS=$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || echo "")
-NOW_EPOCH=$(date +%s 2>/dev/null || echo "0")
-if ! printf '%s' "$LAST_ADVISORY_EPOCH" | grep -Eq '^[0-9]+$'; then
-  LAST_ADVISORY_EPOCH="0"
-fi
-
-SHOULD_EMIT="false"
-if [ "$BAND" != "none" ]; then
-  if [ "$BAND" != "$LAST_ADVISORY_BAND" ]; then
-    SHOULD_EMIT="true"
-  elif [ "$TTL_SECONDS" -eq 0 ]; then
-    SHOULD_EMIT="true"
-  else
-    ELAPSED=$((NOW_EPOCH - LAST_ADVISORY_EPOCH))
-    if [ "$ELAPSED" -ge "$TTL_SECONDS" ]; then
-      SHOULD_EMIT="true"
-    fi
-  fi
-fi
-
-NEXT_ADVISORY_BAND="$LAST_ADVISORY_BAND"
-NEXT_ADVISORY_AT="$LAST_ADVISORY_AT"
-if [ "$SHOULD_EMIT" = "true" ]; then
-  NOTE="Cclaw advisory: context remaining is \${REMAINING_PERCENT}% (\${BAND}). Consider checkpointing or compacting soon."
-  if command -v jq >/dev/null 2>&1; then
-    ENTRY=$(jq -n -c \
-      --arg ts "$TS" \
-      --arg harness "$HARNESS" \
-      --arg band "$BAND" \
-      --arg remaining "$REMAINING_PERCENT" \
-      --arg note "$NOTE" \
-      '{ts:$ts,harness:$harness,band:$band,remainingPercent:($remaining|tonumber),note:$note}' 2>/dev/null || echo "")
-  else
-    ENTRY=$(printf '{"ts":"%s","harness":"%s","band":"%s","remainingPercent":"%s","note":"%s"}' "$TS" "$HARNESS" "$BAND" "$REMAINING_PERCENT" "$NOTE")
-  fi
-
-  if [ -n "$ENTRY" ]; then
-    printf '%s\n' "$ENTRY" >> "$WARNINGS_FILE" 2>/dev/null || true
-  fi
-  printf '[cclaw] %s\n' "$NOTE" >&2
-  NEXT_ADVISORY_BAND="$BAND"
-  NEXT_ADVISORY_AT="$TS"
-fi
-
-TMP_STATE="$MONITOR_STATE.tmp.$$"
-if command -v jq >/dev/null 2>&1; then
-  jq -n \
-    --arg ts "$TS" \
-    --arg band "$BAND" \
-    --arg advisoryBand "$NEXT_ADVISORY_BAND" \
-    --arg advisoryAt "$NEXT_ADVISORY_AT" \
-    --arg remaining "$REMAINING_PERCENT" \
-    --arg harness "$HARNESS" \
-    '{lastUpdated:$ts,lastBand:$band,lastRemainingPercent:($remaining|tonumber),harness:$harness,lastAdvisoryBand:$advisoryBand,lastAdvisoryAt:$advisoryAt}' > "$TMP_STATE" 2>/dev/null || true
-else
-  printf '{\n  "lastUpdated": "%s",\n  "lastBand": "%s",\n  "lastRemainingPercent": %s,\n  "harness": "%s",\n  "lastAdvisoryBand": "%s",\n  "lastAdvisoryAt": "%s"\n}\n' \
-    "$TS" "$BAND" "$REMAINING_PERCENT" "$HARNESS" "$NEXT_ADVISORY_BAND" "$NEXT_ADVISORY_AT" > "$TMP_STATE" 2>/dev/null || true
-fi
-if [ -s "$TMP_STATE" ]; then
-  mv "$TMP_STATE" "$MONITOR_STATE" 2>/dev/null || rm -f "$TMP_STATE" 2>/dev/null || true
-fi
-
-exit 0
-`;
-}
-/**
- * Updated hooks.json generators with PreToolUse/PostToolUse observation.
- */
-function hookDispatcherCommand(scriptName) {
-    return `bash ${RUNTIME_ROOT}/hooks/run-hook.cmd ${scriptName}`;
+function hookDispatcherCommand(hookName) {
+    return `node ${RUNTIME_ROOT}/hooks/run-hook.mjs ${hookName}`;
 }
 export function claudeHooksJsonWithObservation() {
     return JSON.stringify({
@@ -1670,39 +10,33 @@ export function claudeHooksJsonWithObservation() {
                     matcher: "startup|resume|clear|compact",
                     hooks: [{
                             type: "command",
-                            command: hookDispatcherCommand("session-start.sh")
+                            command: hookDispatcherCommand("session-start")
                         }]
                 }],
             PreToolUse: [{
-                    // `prompt-guard.sh` inspects tool inputs across all tool calls;
-                    // it has to stay on `*` so it sees MCP/Edit/Write/WebSearch
-                    // traffic too. `workflow-guard.sh`, however, only checks TDD
-                    // ordering on write-like operations — it is a no-op for reads.
-                    // Splitting the two matchers cuts Claude's per-read hook
-                    // overhead in half without reducing coverage on write paths.
                     matcher: "*",
                     hooks: [{
                             type: "command",
-                            command: hookDispatcherCommand("prompt-guard.sh")
+                            command: hookDispatcherCommand("prompt-guard")
                         }]
                 }, {
                     matcher: "Write|Edit|MultiEdit|NotebookEdit|Bash",
                     hooks: [{
                             type: "command",
-                            command: hookDispatcherCommand("workflow-guard.sh")
+                            command: hookDispatcherCommand("workflow-guard")
                         }]
                 }],
             PostToolUse: [{
                     matcher: "*",
                     hooks: [{
                             type: "command",
-                            command: hookDispatcherCommand("context-monitor.sh")
+                            command: hookDispatcherCommand("context-monitor")
                         }]
                 }],
             Stop: [{
                     hooks: [{
                             type: "command",
-                            command: hookDispatcherCommand("stop-checkpoint.sh"),
+                            command: hookDispatcherCommand("stop-checkpoint"),
                             timeout: 10
                         }]
                 }],
@@ -1710,7 +44,7 @@ export function claudeHooksJsonWithObservation() {
                     matcher: "manual|auto",
                     hooks: [{
                             type: "command",
-                            command: hookDispatcherCommand("pre-compact.sh"),
+                            command: hookDispatcherCommand("pre-compact"),
                             timeout: 10
                         }]
                 }]
@@ -1723,53 +57,37 @@ export function cursorHooksJsonWithObservation() {
         version: 1,
         hooks: {
             sessionStart: [{
-                    command: hookDispatcherCommand("session-start.sh")
+                    command: hookDispatcherCommand("session-start")
                 }],
             sessionResume: [{
-                    command: hookDispatcherCommand("session-start.sh")
+                    command: hookDispatcherCommand("session-start")
                 }],
             sessionClear: [{
-                    command: hookDispatcherCommand("session-start.sh")
+                    command: hookDispatcherCommand("session-start")
                 }],
             sessionCompact: [{
-                    command: hookDispatcherCommand("pre-compact.sh")
+                    command: hookDispatcherCommand("pre-compact")
                 }, {
-                    command: hookDispatcherCommand("session-start.sh")
+                    command: hookDispatcherCommand("session-start")
                 }],
             preToolUse: [{
                     matcher: "*",
-                    command: hookDispatcherCommand("prompt-guard.sh")
+                    command: hookDispatcherCommand("prompt-guard")
                 }, {
                     matcher: "*",
-                    command: hookDispatcherCommand("workflow-guard.sh")
+                    command: hookDispatcherCommand("workflow-guard")
                 }],
             postToolUse: [{
                     matcher: "*",
-                    command: hookDispatcherCommand("context-monitor.sh")
+                    command: hookDispatcherCommand("context-monitor")
                 }],
-            stop: [{ command: hookDispatcherCommand("stop-checkpoint.sh"), timeout: 10 }]
+            stop: [{
+                    command: hookDispatcherCommand("stop-checkpoint"),
+                    timeout: 10
+                }]
         }
     }, null, 2);
 }
-/**
- * Codex CLI ≥ v0.114 hooks. Differences vs. the Claude shape:
- *
- * - `SessionStart` matcher is limited to `startup|resume` — Codex does
- *   not emit `clear` or `compact` lifecycle phases.
- * - `PreToolUse` / `PostToolUse` fire **only for the `Bash` tool**
- *   (documented Codex limitation, v0.114/v0.115). We match both `Bash`
- *   and `bash` variants to tolerate casing drift across Codex builds.
- * - `UserPromptSubmit` is supported and is the closest analogue to
- *   Cursor's `preToolUse` for non-Bash tooling — we run prompt-guard
- *   there so workflow/prompt checks still fire when the tool being
- *   used is `Write` or `Edit` rather than `Bash`.
- * - There is no `PreCompact` event in Codex CLI — pre-compact
- *   semantics are carried by the agent itself inside `/cc-ops retro`.
- *
- * The entire file is inert unless the user opts into
- * `[features] codex_hooks = true` in `~/.codex/config.toml`; cclaw
- * doctor and the init prompt handle that flag.
- */
 export function codexHooksJsonWithObservation() {
     return JSON.stringify({
         cclawHookSchemaVersion: 1,
@@ -1778,51 +96,42 @@ export function codexHooksJsonWithObservation() {
                     matcher: "startup|resume",
                     hooks: [{
                             type: "command",
-                            command: hookDispatcherCommand("session-start.sh")
+                            command: hookDispatcherCommand("session-start")
                         }]
                 }],
             UserPromptSubmit: [{
                     hooks: [{
                             type: "command",
-                            command: hookDispatcherCommand("prompt-guard.sh")
+                            command: hookDispatcherCommand("prompt-guard")
                         }, {
-                            // `workflow-guard.sh` also runs here because Codex's PreToolUse
-                            // only sees Bash; Write/Edit/MCP writes never reach the hook
-                            // surface. Running workflow-guard on UserPromptSubmit catches
-                            // TDD-order violations that originate from the user's prompt
-                            // text (e.g. "edit X.ts to ..."). Payload is a prompt envelope,
-                            // not a tool call, so the script's TOOL extraction falls back
-                            // to "unknown" and advisory mode is a no-op by design — the
-                            // value is that prompt text is scanned for write-shaped intent
-                            // via the existing PAYLOAD_LOWER heuristics.
                             type: "command",
-                            command: hookDispatcherCommand("workflow-guard.sh")
+                            command: hookDispatcherCommand("workflow-guard")
                         }, {
                             type: "command",
-                            command: "bash -lc 'if ! command -v cclaw >/dev/null 2>&1; then echo \"[cclaw] codex hook: cclaw binary is required for verify-current-state\" >&2; exit 1; fi; MODE=\"${CCLAW_WORKFLOW_GUARD_MODE:-advisory}\"; if [ \"$MODE\" = \"strict\" ]; then cclaw internal verify-current-state --quiet >/dev/null; else cclaw internal verify-current-state --quiet >/dev/null || true; fi'"
+                            command: hookDispatcherCommand("verify-current-state")
                         }]
                 }],
             PreToolUse: [{
                     matcher: "Bash|bash",
                     hooks: [{
                             type: "command",
-                            command: hookDispatcherCommand("prompt-guard.sh")
+                            command: hookDispatcherCommand("prompt-guard")
                         }, {
                             type: "command",
-                            command: hookDispatcherCommand("workflow-guard.sh")
+                            command: hookDispatcherCommand("workflow-guard")
                         }]
                 }],
             PostToolUse: [{
                     matcher: "Bash|bash",
                     hooks: [{
                             type: "command",
-                            command: hookDispatcherCommand("context-monitor.sh")
+                            command: hookDispatcherCommand("context-monitor")
                         }]
                 }],
             Stop: [{
                     hooks: [{
                             type: "command",
-                            command: hookDispatcherCommand("stop-checkpoint.sh"),
+                            command: hookDispatcherCommand("stop-checkpoint"),
                             timeout: 10
                         }]
                 }]