cclaw-cli 0.5.16 → 0.6.0

package/dist/artifact-linter.d.ts

@@ -18,3 +18,16 @@ export declare function validateReviewArmy(projectRoot: string): Promise<{
     valid: boolean;
     errors: string[];
 }>;
+export interface ReviewVerdictConsistencyResult {
+    ok: boolean;
+    errors: string[];
+    finalVerdict: "APPROVED" | "APPROVED_WITH_CONCERNS" | "BLOCKED" | "UNKNOWN";
+    openCriticalCount: number;
+    shipBlockerCount: number;
+}
+/**
+ * Ensure the narrative verdict in 07-review.md is consistent with the
+ * structured review-army reconciliation. A review cannot declare
+ * APPROVED while open Critical findings or shipBlockers remain.
+ */
+export declare function checkReviewVerdictConsistency(projectRoot: string): Promise<ReviewVerdictConsistencyResult>;

package/dist/artifact-linter.js

@@ -134,7 +134,61 @@ function extractRequiredKeywords(rule) {
         return [];
     return phrases;
 }
-function validateSectionBody(sectionBody, rule) {
+const VAGUE_AC_ADJECTIVES = [
+    "fast",
+    "quick",
+    "slow",
+    "fast enough",
+    "quickly",
+    "intuitive",
+    "robust",
+    "reliable",
+    "scalable",
+    "simple",
+    "easy",
+    "user-friendly",
+    "user friendly",
+    "nice",
+    "good",
+    "clean",
+    "secure enough",
+    "responsive",
+    "efficient",
+    "performant",
+    "smooth",
+    "seamless",
+    "modern"
+];
+function isSeparatorRow(line) {
+    return /^\|[-:| ]+\|$/u.test(line);
+}
+function getMarkdownTableRows(sectionBody) {
+    const lines = sectionBody.split(/\r?\n/).map((line) => line.trim());
+    const rows = [];
+    let sawSeparator = false;
+    for (const line of lines) {
+        if (!/^\|.*\|$/u.test(line))
+            continue;
+        if (isSeparatorRow(line)) {
+            sawSeparator = true;
+            continue;
+        }
+        if (!sawSeparator)
+            continue;
+        rows.push(parseMarkdownTableRow(line));
+    }
+    return rows;
+}
+function lineContainsVagueAdjective(text) {
+    const lower = text.toLowerCase();
+    for (const adjective of VAGUE_AC_ADJECTIVES) {
+        const pattern = new RegExp(`(?:^|[^A-Za-z])${adjective.replace(/ /g, "\\s+")}(?:[^A-Za-z]|$)`, "iu");
+        if (pattern.test(lower))
+            return adjective;
+    }
+    return null;
+}
+function validateSectionBody(sectionBody, rule, sectionName) {
     const bodyLines = sectionBody.split(/\r?\n/).map((line) => line.trim());
     const meaningful = meaningfulLineCount(sectionBody);
     if (meaningful === 0) {
@@ -231,6 +285,29 @@ function validateSectionBody(sectionBody, rule) {
             };
         }
     }
+    if (normalizeHeadingTitle(sectionName).toLowerCase() === "acceptance criteria" &&
+        /observable[\s,]*measurable[\s,]+(and )?falsifiable/iu.test(rule)) {
+        const rows = getMarkdownTableRows(sectionBody);
+        for (const row of rows) {
+            const criterionText = row[1] ?? row[0] ?? "";
+            const adjective = lineContainsVagueAdjective(criterionText);
+            if (adjective) {
+                return {
+                    ok: false,
+                    details: `Acceptance criterion uses vague adjective "${adjective}" without a measurable predicate: "${criterionText.slice(0, 140)}". Rewrite with a numeric threshold or boolean outcome.`
+                };
+            }
+            const hasDigit = /\d/u.test(criterionText);
+            const hasMeasurableVerb = /\b(blocks?|rejects?|returns?|matches?|equals?|emits?|succeeds?|fails?|publishes?|logs?|persists?|reads?|writes?|creates?|deletes?|throws?|contains?|restores?|exceeds?|responds?|warns?|quarantines?|includes?|raises?|passes?|denies|refuses|exits|succeeds|completes|prevents|allows|maps|points|signals|surfaces|records|produces|accepts|requires)\b/iu.test(criterionText);
+            const hasMeaningfulText = /[A-Za-z]/u.test(criterionText) && criterionText.trim().length >= 12;
+            if (hasMeaningfulText && !hasDigit && !hasMeasurableVerb) {
+                return {
+                    ok: false,
+                    details: `Acceptance criterion lacks a measurable predicate (no numeric threshold, no observable verb like blocks/returns/publishes/matches): "${criterionText.slice(0, 140)}". Rewrite so the criterion is falsifiable by a single test.`
+                };
+            }
+        }
+    }
     return {
         ok: true,
         details: "Section heading and content satisfy lint heuristics."
@@ -273,7 +350,7 @@ export async function lintArtifact(projectRoot, stage) {
         const body = hasHeading ? sectionBodyByName(sections, v.section) : null;
         const validation = body === null
             ? { ok: false, details: `No ## heading matching required section "${v.section}".` }
-            : validateSectionBody(body, v.validationRule);
+            : validateSectionBody(body, v.validationRule, v.section);
         const found = hasHeading && validation.ok;
         findings.push({
             section: v.section,
@@ -384,18 +461,19 @@ export async function validateReviewArmy(projectRoot) {
             if (!isStringArray(o.reportedBy) || o.reportedBy.length === 0) {
                 errors.push(`findings[${i}].reportedBy must be a non-empty string array.`);
             }
-            if (o.location !== undefined) {
-                if (o.location === null || typeof o.location !== "object" || Array.isArray(o.location)) {
-                    errors.push(`findings[${i}].location must be an object when present.`);
+            if (o.location === undefined || o.location === null) {
+                errors.push(`findings[${i}].location is required and must be an object with file + line.`);
+            }
+            else if (typeof o.location !== "object" || Array.isArray(o.location)) {
+                errors.push(`findings[${i}].location must be an object with file + line.`);
+            }
+            else {
+                const loc = o.location;
+                if (!isNonEmptyString(loc.file)) {
+                    errors.push(`findings[${i}].location.file must be a non-empty string.`);
                 }
-                else {
-                    const loc = o.location;
-                    if (!isNonEmptyString(loc.file)) {
-                        errors.push(`findings[${i}].location.file must be a non-empty string.`);
-                    }
-                    if (!isFiniteNumber(loc.line) || loc.line < 1) {
-                        errors.push(`findings[${i}].location.line must be a positive number.`);
-                    }
+                if (!isFiniteNumber(loc.line) || loc.line < 1) {
+                    errors.push(`findings[${i}].location.line must be a positive number.`);
                 }
             }
             if (o.recommendation !== undefined && !isNonEmptyString(o.recommendation)) {
@@ -445,6 +523,21 @@ export async function validateReviewArmy(projectRoot) {
             for (const msId of rec.multiSpecialistConfirmed) {
                 if (!findingIds.has(msId)) {
                     errors.push(`reconciliation.multiSpecialistConfirmed references unknown finding id "${msId}".`);
+                    continue;
+                }
+                if (Array.isArray(root.findings)) {
+                    const finding = root.findings.find((f) => {
+                        return f && typeof f === "object" && !Array.isArray(f) && f.id === msId;
+                    });
+                    if (finding && typeof finding === "object" && !Array.isArray(finding)) {
+                        const reportedBy = finding.reportedBy;
+                        const count = Array.isArray(reportedBy)
+                            ? new Set(reportedBy.filter((v) => typeof v === "string")).size
+                            : 0;
+                        if (count < 2) {
+                            errors.push(`reconciliation.multiSpecialistConfirmed entry "${msId}" must be confirmed by at least 2 distinct reviewers (found ${count}).`);
+                        }
+                    }
                 }
             }
         }
@@ -474,3 +567,79 @@ export async function validateReviewArmy(projectRoot) {
     }
     return { valid: errors.length === 0, errors };
 }
+/**
+ * Ensure the narrative verdict in 07-review.md is consistent with the
+ * structured review-army reconciliation. A review cannot declare
+ * APPROVED while open Critical findings or shipBlockers remain.
+ */
+export async function checkReviewVerdictConsistency(projectRoot) {
+    const errors = [];
+    const reviewMdPath = path.join(projectRoot, RUNTIME_ROOT, "artifacts", "07-review.md");
+    const armyJsonPath = path.join(projectRoot, RUNTIME_ROOT, "artifacts", "07-review-army.json");
+    let finalVerdict = "UNKNOWN";
+    if (await exists(reviewMdPath)) {
+        const raw = await fs.readFile(reviewMdPath, "utf8");
+        const sections = extractH2Sections(raw);
+        const verdictBody = sectionBodyByName(sections, "Final Verdict");
+        if (verdictBody) {
+            const chosen = [];
+            for (const token of ["APPROVED_WITH_CONCERNS", "APPROVED", "BLOCKED"]) {
+                const regex = new RegExp(`\\b${token}\\b`, "u");
+                if (regex.test(verdictBody)) {
+                    // APPROVED would match inside APPROVED_WITH_CONCERNS; prefer the longer match first.
+                    if (token === "APPROVED" && /\bAPPROVED_WITH_CONCERNS\b/u.test(verdictBody))
+                        continue;
+                    chosen.push(token);
+                }
+            }
+            if (chosen.length === 1) {
+                finalVerdict = chosen[0];
+            }
+            else if (chosen.length > 1) {
+                errors.push(`Final Verdict section lists multiple verdict tokens (${chosen.join(", ")}). Select exactly one.`);
+            }
+            else {
+                errors.push('Final Verdict section does not select APPROVED, APPROVED_WITH_CONCERNS, or BLOCKED.');
+            }
+        }
+        else {
+            errors.push('07-review.md is missing the "## Final Verdict" section.');
+        }
+    }
+    let openCriticalCount = 0;
+    let shipBlockerCount = 0;
+    if (await exists(armyJsonPath)) {
+        try {
+            const raw = await fs.readFile(armyJsonPath, "utf8");
+            const parsed = JSON.parse(raw);
+            const findings = Array.isArray(parsed.findings) ? parsed.findings : [];
+            for (const f of findings) {
+                if (!f || typeof f !== "object" || Array.isArray(f))
+                    continue;
+                const o = f;
+                if (o.severity === "Critical" && o.status === "open") {
+                    openCriticalCount++;
+                }
+            }
+            const rec = parsed.reconciliation && typeof parsed.reconciliation === "object" && !Array.isArray(parsed.reconciliation)
+                ? parsed.reconciliation
+                : null;
+            if (rec && Array.isArray(rec.shipBlockers)) {
+                shipBlockerCount = rec.shipBlockers.filter((v) => typeof v === "string").length;
+            }
+        }
+        catch {
+            // JSON validity is the concern of validateReviewArmy; skip silently here.
+        }
+    }
+    if (finalVerdict === "APPROVED" && (openCriticalCount > 0 || shipBlockerCount > 0)) {
+        errors.push(`Final Verdict is APPROVED but review-army has ${openCriticalCount} open Critical finding(s) and ${shipBlockerCount} shipBlocker(s). Use BLOCKED or APPROVED_WITH_CONCERNS.`);
+    }
+    return {
+        ok: errors.length === 0,
+        errors,
+        finalVerdict,
+        openCriticalCount,
+        shipBlockerCount
+    };
+}

package/dist/cli.d.ts

@@ -1,9 +1,10 @@
 #!/usr/bin/env node
-import type { HarnessId } from "./types.js";
+import type { FlowTrack, HarnessId } from "./types.js";
 type CommandName = "init" | "sync" | "doctor" | "upgrade" | "uninstall" | "archive";
 interface ParsedArgs {
     command?: CommandName;
     harnesses?: HarnessId[];
+    track?: FlowTrack;
     reconcileGates?: boolean;
     archiveName?: string;
     showHelp?: boolean;
@@ -11,5 +12,6 @@ interface ParsedArgs {
 }
 export declare function usage(): string;
 declare function parseHarnesses(raw: string): HarnessId[];
+declare function parseTrack(raw: string): FlowTrack;
 declare function parseArgs(argv: string[]): ParsedArgs;
-export { parseArgs, parseHarnesses };
+export { parseArgs, parseHarnesses, parseTrack };

package/dist/cli.js

@@ -3,7 +3,7 @@ import { readFileSync, realpathSync } from "node:fs";
 import process from "node:process";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
-import { HARNESS_IDS } from "./types.js";
+import { FLOW_TRACKS, HARNESS_IDS } from "./types.js";
 import { doctorChecks, doctorSucceeded } from "./doctor.js";
 import { initCclaw, syncCclaw, uninstallCclaw, upgradeCclaw } from "./install.js";
 import { error, info } from "./logger.js";
@@ -20,6 +20,7 @@ Usage:
 Commands:
   init       Bootstrap .cclaw runtime, state, and harness shims in this project.
              Flags: --harnesses=<list>  Comma list of harnesses (claude,cursor,opencode,codex).
+                    --track=<id>        Flow track for new runs (standard | quick). Default: standard.
   sync       Regenerate harness shim files from the current .cclaw config (non-destructive).
   doctor     Run health checks against the local .cclaw runtime. Exit code 2 on failure.
              Flags: --reconcile-gates   Recompute current-stage gate evidence before checks.
@@ -77,6 +78,13 @@ function parseHarnesses(raw) {
     }
     return requested;
 }
+function parseTrack(raw) {
+    const trimmed = raw.trim();
+    if (!FLOW_TRACKS.includes(trimmed)) {
+        throw new Error(`Unknown track: ${trimmed}. Supported: ${FLOW_TRACKS.join(", ")}`);
+    }
+    return trimmed;
+}
 function parseArgs(argv) {
     const parsed = {};
     const helpFlag = argv.find((arg) => arg === "--help" || arg === "-h");
@@ -96,6 +104,10 @@ function parseArgs(argv) {
             parsed.harnesses = parseHarnesses(flag.replace("--harnesses=", ""));
             continue;
         }
+        if (flag.startsWith("--track=")) {
+            parsed.track = parseTrack(flag.replace("--track=", ""));
+            continue;
+        }
         if (flag === "--reconcile-gates") {
             parsed.reconcileGates = true;
             continue;
@@ -123,9 +135,11 @@ async function runCommand(parsed, ctx) {
     if (command === "init") {
         await initCclaw({
             projectRoot: ctx.cwd,
-            harnesses: parsed.harnesses
+            harnesses: parsed.harnesses,
+            track: parsed.track
         });
-        info(ctx, "Initialized .cclaw runtime and generated harness shims");
+        const trackNote = parsed.track ? ` (track: ${parsed.track})` : "";
+        info(ctx, `Initialized .cclaw runtime and generated harness shims${trackNote}`);
         return 0;
     }
     if (command === "sync") {
@@ -190,4 +204,4 @@ function isDirectExecution() {
 if (isDirectExecution()) {
     void main();
 }
-export { parseArgs, parseHarnesses };
+export { parseArgs, parseHarnesses, parseTrack };

package/dist/config.d.ts

@@ -1,5 +1,5 @@
-import type { HarnessId, VibyConfig } from "./types.js";
+import type { FlowTrack, HarnessId, VibyConfig } from "./types.js";
 export declare function configPath(projectRoot: string): string;
-export declare function createDefaultConfig(harnesses?: HarnessId[]): VibyConfig;
+export declare function createDefaultConfig(harnesses?: HarnessId[], defaultTrack?: FlowTrack): VibyConfig;
 export declare function readConfig(projectRoot: string): Promise<VibyConfig>;
 export declare function writeConfig(projectRoot: string, config: VibyConfig): Promise<void>;

package/dist/config.js

@@ -3,17 +3,20 @@ import path from "node:path";
 import { parse, stringify } from "yaml";
 import { CCLAW_VERSION, DEFAULT_HARNESSES, FLOW_VERSION, RUNTIME_ROOT } from "./constants.js";
 import { exists, writeFileSafe } from "./fs-utils.js";
-import { HARNESS_IDS } from "./types.js";
+import { FLOW_TRACKS, HARNESS_IDS } from "./types.js";
 const CONFIG_PATH = `${RUNTIME_ROOT}/config.yaml`;
 const HARNESS_ID_SET = new Set(HARNESS_IDS);
+const FLOW_TRACK_SET = new Set(FLOW_TRACKS);
 const SUPPORTED_HARNESSES_TEXT = HARNESS_IDS.join(", ");
+const SUPPORTED_TRACKS_TEXT = FLOW_TRACKS.join(", ");
 const ALLOWED_CONFIG_KEYS = new Set([
     "version",
     "flowVersion",
     "harnesses",
     "autoAdvance",
     "promptGuardMode",
-    "gitHookGuards"
+    "gitHookGuards",
+    "defaultTrack"
 ]);
 function configFixExample() {
     return `harnesses:
@@ -23,20 +26,22 @@ function configFixExample() {
 function configValidationError(configFilePath, reason) {
     return new Error(`Invalid cclaw config at ${configFilePath}: ${reason}\n` +
         `Supported harnesses: ${SUPPORTED_HARNESSES_TEXT}\n` +
+        `Supported tracks: ${SUPPORTED_TRACKS_TEXT}\n` +
         `Example config:\n${configFixExample()}\n` +
         `After fixing, run: cclaw sync`);
 }
 export function configPath(projectRoot) {
     return path.join(projectRoot, CONFIG_PATH);
 }
-export function createDefaultConfig(harnesses = DEFAULT_HARNESSES) {
+export function createDefaultConfig(harnesses = DEFAULT_HARNESSES, defaultTrack = "standard") {
     return {
         version: CCLAW_VERSION,
         flowVersion: FLOW_VERSION,
         harnesses,
         autoAdvance: false,
         promptGuardMode: "advisory",
-        gitHookGuards: false
+        gitHookGuards: false,
+        defaultTrack
     };
 }
 export async function readConfig(projectRoot) {
@@ -89,13 +94,22 @@ export async function readConfig(projectRoot) {
         throw configValidationError(fullPath, `"gitHookGuards" must be a boolean`);
     }
     const gitHookGuards = typeof gitHookGuardsRaw === "boolean" ? gitHookGuardsRaw : false;
+    const defaultTrackRaw = parsed.defaultTrack;
+    if (Object.prototype.hasOwnProperty.call(parsed, "defaultTrack") &&
+        (typeof defaultTrackRaw !== "string" || !FLOW_TRACK_SET.has(defaultTrackRaw))) {
+        throw configValidationError(fullPath, `"defaultTrack" must be one of: ${SUPPORTED_TRACKS_TEXT}`);
+    }
+    const defaultTrack = typeof defaultTrackRaw === "string" && FLOW_TRACK_SET.has(defaultTrackRaw)
+        ? defaultTrackRaw
+        : "standard";
     return {
         version: parsed.version ?? CCLAW_VERSION,
         flowVersion: parsed.flowVersion ?? FLOW_VERSION,
         harnesses,
         autoAdvance,
         promptGuardMode,
-        gitHookGuards
+        gitHookGuards,
+        defaultTrack
     };
 }
 export async function writeConfig(projectRoot, config) {

package/dist/constants.d.ts

@@ -4,9 +4,9 @@ export declare const RUNTIME_ROOT = ".cclaw";
 export declare const CCLAW_VERSION = "0.1.1";
 export declare const FLOW_VERSION = "1.0.0";
 export declare const DEFAULT_HARNESSES: HarnessId[];
-export declare const REQUIRED_DIRS: readonly [".cclaw", ".cclaw/commands", ".cclaw/skills", ".cclaw/contexts", ".cclaw/templates", ".cclaw/artifacts", ".cclaw/state", ".cclaw/runs", ".cclaw/rules", ".cclaw/adapters", ".cclaw/agents", ".cclaw/hooks"];
+export declare const REQUIRED_DIRS: readonly [".cclaw", ".cclaw/commands", ".cclaw/skills", ".cclaw/contexts", ".cclaw/templates", ".cclaw/artifacts", ".cclaw/state", ".cclaw/runs", ".cclaw/rules", ".cclaw/adapters", ".cclaw/agents", ".cclaw/hooks", ".cclaw/custom-skills"];
 export declare const REQUIRED_GITIGNORE_PATTERNS: readonly ["# cclaw generated artifacts", ".cclaw/", ".claude/commands/cc-*.md", ".claude/commands/cc.md", ".cursor/commands/cc-*.md", ".cursor/commands/cc.md", ".opencode/commands/cc-*.md", ".opencode/commands/cc.md", ".codex/commands/cc-*.md", ".codex/commands/cc.md", ".claude/hooks/hooks.json", ".cursor/hooks.json", ".codex/hooks.json", ".opencode/plugins/cclaw-plugin.mjs", ".cursor/rules/cclaw-workflow.mdc"];
 export declare const COMMAND_FILE_ORDER: FlowStage[];
-export declare const UTILITY_COMMANDS: readonly ["learn", "next"];
+export declare const UTILITY_COMMANDS: readonly ["learn", "next", "status"];
 export declare const SUBAGENT_SKILL_FOLDERS: readonly ["subagent-dev", "parallel-dispatch"];
 export type UtilityCommand = (typeof UTILITY_COMMANDS)[number];

package/dist/constants.js

@@ -20,7 +20,8 @@ export const REQUIRED_DIRS = [
     `${RUNTIME_ROOT}/rules`,
     `${RUNTIME_ROOT}/adapters`,
     `${RUNTIME_ROOT}/agents`,
-    `${RUNTIME_ROOT}/hooks`
+    `${RUNTIME_ROOT}/hooks`,
+    `${RUNTIME_ROOT}/custom-skills`
 ];
 export const REQUIRED_GITIGNORE_PATTERNS = [
     "# cclaw generated artifacts",
@@ -49,7 +50,7 @@ export const COMMAND_FILE_ORDER = [
     "review",
     "ship"
 ];
-export const UTILITY_COMMANDS = ["learn", "next"];
+export const UTILITY_COMMANDS = ["learn", "next", "status"];
 export const SUBAGENT_SKILL_FOLDERS = [
     "subagent-dev",
     "parallel-dispatch"

package/dist/content/agents.js

@@ -94,10 +94,10 @@ export const CCLAW_AGENTS = [
     },
     {
         name: "security-reviewer",
-        description: "PROACTIVE after auth, crypto, secrets, parsers, or sensitive data paths change. MUST BE USED when trust boundaries move, new external inputs arrive, or LLM/tool output influences privileged actions.",
+        description: "MANDATORY during every review stage. Even when no auth, crypto, secrets, parsers, or sensitive data paths changed, produce an explicit 'no-change' security attestation. MUST BE USED when trust boundaries move, new external inputs arrive, or LLM/tool output influences privileged actions.",
         tools: ["Read", "Grep", "Glob"],
         model: "balanced",
-        activation: "proactive",
+        activation: "mandatory",
         relatedStages: ["review", "design"],
         body: [
             "You are a **security vulnerability detection** specialist focused on practical exploitability.",