cclaw-cli 2.0.0 → 3.0.0

package/dist/content/opencode-plugin.js

@@ -609,10 +609,7 @@ export default function cclawPlugin(ctx) {
         eventType === "session.updated";
       if (isSessionLifecycle) {
         // Keep OpenCode aligned with Claude/Cursor/Codex: session-start is
-        // the canonical rehydrate path that refreshes derived state such as
-        // Ralph Loop, compound readiness, and hook-error breadcrumbs. The
-        // plugin refreshes its local bootstrap cache afterwards so the system
-        // transform sees the side effects from the hook runtime.
+        // the canonical rehydrate path.
         await runHookScript("session-start", eventData ?? {});
         await refreshBootstrapCache(true);
       }
@@ -620,74 +617,6 @@ export default function cclawPlugin(ctx) {
         await runHookScript("stop-handoff", { loop_count: 0 });
       }
     },
-    "tool.execute.before": async (input, output) => {
-      const disabled = isCclawDisabled();
-      if (disabled.disabled) {
-        // Explicit user override (CCLAW_DISABLE=1 et al): stay fully out
-        // of the way. Any real problem with the guard chain should not
-        // prevent the user from unblocking themselves.
-        noteDisabled(disabled);
-        return;
-      }
-      const payload = normalizeToolPayload(input, output);
-      if (isSafeReadOnlyTool(payload)) {
-        // Read-only tools bypass guards — they cannot mutate state and
-        // blocking them gives users an unusable session when guards are
-        // misconfigured or cclaw isn't fully initialized.
-        return;
-      }
-      if (!isCclawInitialized()) {
-        // Project has no flow-state or hook runtime: cclaw isn't in use
-        // here. Never block the user's tools because of setup they didn't
-        // ask for. Surface a single advisory so they can notice.
-        noteNotInitialized();
-        return;
-      }
-      const [promptOk, workflowOk] = await Promise.all([
-        runHookScript("prompt-guard", payload),
-        runHookScript("workflow-guard", payload)
-      ]);
-      if (!promptOk || !workflowOk) {
-        const failed = !promptOk ? "prompt-guard" : "workflow-guard";
-        const rawDetail = lastHookStderr.get(failed) || "";
-        const detail = rawDetail.length > 0 ? rawDetail.slice(-400) : "(no stderr captured)";
-        if (looksLikeInfrastructureFailure(rawDetail)) {
-          // Never let a broken hook runtime or misrouted child-process
-          // stderr (yargs help, Node crash, ENOENT, timeout) masquerade
-          // as a policy block. Log the infra hit and let the user keep
-          // working regardless of strictness.
-          logToFile(
-            "infra: " + failed + " non-zero exit with non-guard stderr — treated as infrastructure failure, tool allowed. " +
-            "stderr=" + detail.replace(/\\s+/g, " ").slice(0, 300)
-          );
-          return;
-        }
-        const strictness = await resolveStrictness();
-        if (strictness !== "strict") {
-          // Advisory mode (the default) — every guard refusal is a hint,
-          // not a hard stop. Users report the "failure" as a log line
-          // and keep working. Only \`strictness: strict\` in config.yaml
-          // or CCLAW_STRICTNESS=strict upgrades this to a thrown block.
-          logToFile(
-            "advisory: " + failed + " flagged tool.execute.before (strictness=" +
-            strictness + "). detail=" + detail.replace(/\\s+/g, " ").slice(0, 300)
-          );
-          return;
-        }
-        throw new Error(
-          "cclaw " + failed + " blocked tool.execute.before.\\n" +
-          "Reason: " + detail + "\\n" +
-          "Diagnose: run \`npx cclaw-cli sync\` in project root.\\n" +
-          "Bypass (temporary): export CCLAW_DISABLE=1 before starting OpenCode,\\n" +
-          "or set \`strictness: advisory\` in .cclaw/config.yaml."
-        );
-      }
-    },
-    "tool.execute.after": async (input, output) => {
-      const payload = normalizeToolPayload(input, output);
-      await runHookScript("context-monitor", payload);
-      void refreshBootstrapCache(false);
-    },
     "experimental.chat.system.transform": (payload) => {
       const bootstrap = getBootstrap();
       if (!bootstrap) return payload;

package/dist/content/stages/design.js

@@ -94,7 +94,7 @@ export const DESIGN = {
             "Artifact written to `.cclaw/artifacts/03-design-<slug>.md`.",
             "Failure-mode table exists in Method/Exception/Rescue/UserSees format.",
             "Tier-required diagram markers are present: architecture (all tiers). Standard/Deep add-ons (shadow/error) and Deep add-ons (state-machine/rollback/deployment-sequence) are included only when risk warrants them.",
-            "Stale diagram audit finding is clear by default (unless `.cclaw/config.yaml::optInAudits.staleDiagramAudit` is explicitly false): no blast-radius file newer than diagram markers without explicit update.",
+            "Stale diagram audit finding is clear: no blast-radius file newer than diagram markers without explicit update.",
             "Security & threat model findings are documented with mitigations.",
             "Observability and deployment plans are explicit for critical flows.",
             "Outside-voice findings and dispositions are recorded (accept/reject/defer).",
@@ -165,7 +165,7 @@ export const DESIGN = {
             { section: "Data-Flow Shadow Paths", required: false, validationRule: "Standard/Deep add-on: include `<!-- diagram: data-flow-shadow-paths -->` marker plus a table for high-risk choices: chosen path, shadow alternative, switch trigger, failure/rescue/degraded behavior, and verification evidence." },
             { section: "Error Flow Diagram", required: false, validationRule: "Standard/Deep add-on: include `<!-- diagram: error-flow -->` marker and failure-detection -> rescue -> user-visible outcome flow." },
             { section: "Data Flow", required: false, validationRule: "Must include data/state flow, happy path, nil input, empty input, upstream error paths, plus Interaction Edge Case matrix rows for double-click, nav-away-mid-request, 10K-result dataset, background-job abandonment, zombie connection. Each row declares handled yes/no and deferred item when not handled." },
-            { section: "Stale Diagram Audit", required: false, validationRule: "Default-on audit (unless `.cclaw/config.yaml::optInAudits.staleDiagramAudit` is false): blast-radius files from Codebase Investigation must not be newer than the current design diagram-marker baseline unless explicitly refreshed." },
+            { section: "Stale Diagram Audit", required: false, validationRule: "Blast-radius files from Codebase Investigation must not be newer than the current design diagram-marker baseline unless explicitly refreshed." },
             { section: "Failure Mode Table", required: true, validationRule: "Use Method/Exception/Rescue/UserSees columns and treat silent user impact without rescue as critical." },
             { section: "Pre-mortem", required: false, validationRule: "Recommended: list top failure scenarios, early warning signal, mitigation owner, and containment action before implementation." },
             { section: "Security & Threat Model", required: true, validationRule: "Must list trust boundaries, abuse/failure scenarios, mitigations, and residual risks." },

package/dist/content/stages/plan.js

@@ -45,7 +45,7 @@ export const PLAN = {
             "Group tasks into dependency batches — batch N+1 cannot start until batch N has verification evidence.",
             "Slice into vertical tasks — each task targets 2-5 minutes, produces one testable outcome, and touches one coherent area.",
             "Task Contract — every task has one coherent outcome, AC mapping, exact verification command/manual step, and expected evidence snippet or pass condition. Avoid vague `run tests` wording.",
-            "Annotate slice-review metadata — if `.cclaw/config.yaml::sliceReview.enabled` is true, every task row additionally carries `touchCount` (rough number of files expected to change) and `touchPaths` (glob hints, e.g. `migrations/**`, `src/auth/**`). A task may set `highRisk: true` to force a review pass regardless of thresholds. These fields feed the TDD stage's Per-Slice Review point; when `sliceReview` is disabled they are optional.",
+            "Annotate slice-review metadata — task rows may carry `touchCount` (rough number of files expected to change), `touchPaths` (glob hints, e.g. `migrations/**`, `src/auth/**`), and optional `highRisk: true` to force a review pass. These fields feed the TDD stage's Per-Slice Review point.",
             "Map scope Locked Decisions — every LD#hash anchor from scope is referenced by at least one plan task (or explicitly marked deferred with reason).",
             "Run anti-placeholder + anti-scope-reduction scans — block `TODO/TBD/...` and phrasing like `v1`, `for now`, `later` for locked boundaries.",
             "Define validation points — mark where progress must be checked before continuing, with concrete command and expected evidence.",
@@ -127,7 +127,7 @@ export const PLAN = {
             { section: "Upstream Handoff", required: false, validationRule: "Summarizes spec/design/scope decisions, constraints, open questions, and explicit drift before task breakdown." },
             { section: "Dependency Graph", required: false, validationRule: "Ordering and parallel opportunities explicit. No circular dependencies." },
             { section: "Dependency Batches", required: true, validationRule: "Every task belongs to a batch. Each batch has an exit gate and dependency statement." },
-            { section: "Task List", required: true, validationRule: "Each task row includes ID, description, acceptance criterion, exact verification command/manual step, expected evidence/pass condition, and effort estimate (S/M/L). Every task must also carry a minutes estimate within the 2-5 minute budget. When the sliceReview option is enabled in the cclaw config, each task row additionally declares touchCount, touchPaths, and an optional highRisk flag so the TDD stage can decide whether a Per-Slice Review pass is required." },
+            { section: "Task List", required: true, validationRule: "Each task row includes ID, description, acceptance criterion, exact verification command/manual step, expected evidence/pass condition, and effort estimate (S/M/L). Every task must also carry a minutes estimate within the 2-5 minute budget. When present, touchCount/touchPaths/highRisk metadata drives Per-Slice Review escalation in TDD." },
             { section: "Acceptance Mapping", required: true, validationRule: "Every spec criterion is covered by at least one task." },
             { section: "Execution Posture", required: true, validationRule: "States sequential/batch/parallel posture, stop conditions, risk triggers, and RED/GREEN/REFACTOR checkpoint or commit expectations for TDD when consistent with the repo workflow." },
             { section: "Locked Decision Coverage", required: false, validationRule: "Every locked decision ID (D-XX) from scope is listed with linked task IDs or explicit defer rationale." },

package/dist/content/stages/scope.js

@@ -74,7 +74,7 @@ export const SCOPE = {
             "**STOP BEFORE ADVANCE.** Mandatory delegation `planner` must be completed or explicitly waived for a real blocker. If the active harness cannot isolate a planner, run a role-switch planner pass instead: announce `## cclaw role-switch: scope/planner (mandatory)`, write the planner output/evidence into the scope artifact, and append a completed delegation row with `fulfillmentMode: \"role-switch\"` plus non-empty `evidenceRefs`. Then close with `node .cclaw/hooks/stage-complete.mjs scope --passed=scope_mode_selected,scope_contract_written,scope_user_approved --evidence-json '{\"scope_mode_selected\":\"<user-approved mode + rationale>\",\"scope_contract_written\":\"<artifact path + sections>\",\"scope_user_approved\":\"<explicit user approval quote or summary>\"}'`. `scope_user_approved` must cite the user's approval; review-loop evidence alone is not approval."
         ],
         process: [
-            "Run configured pre-scope audit only when enabled.",
+            "Run pre-scope audit before premise challenge.",
             "Run the scope pass scaled to risk: default to job-to-be-done plus explicit scope contract; add premise challenge, 10-star upside, smallest useful wedge, and change conditions only for deep/high-risk scope.",
             "Compare minimum viable, product-grade, and ideal architecture scope alternatives with explicit reuse/effort/risk.",
             "Recommend a scope mode with explicit rationale, then ask for user opt-in before treating it as selected.",
@@ -89,7 +89,7 @@ export const SCOPE = {
         ],
         requiredEvidence: [
             "Artifact written to `.cclaw/artifacts/02-scope-<slug>.md`.",
-            "When `.cclaw/config.yaml::optInAudits.scopePreAudit` is true, Pre-Scope System Audit findings are captured (git log/diff/stash/debt markers).",
+            "Pre-Scope System Audit findings are captured (git log/diff/stash/debt markers).",
             "In-scope and out-of-scope lists are explicit.",
             "Discretion areas are explicit (or marked as `None`).",
             "Selected mode and rationale are documented using HOLD SCOPE, SELECTIVE EXPANSION, SCOPE EXPANSION, or SCOPE REDUCTION.",
@@ -148,7 +148,7 @@ export const SCOPE = {
         },
         artifactValidation: [
             { section: "Upstream Handoff", required: false, validationRule: "Summarizes brainstorm/idea decisions, constraints, open questions, and explicit drift before scope decisions." },
-            { section: "Pre-Scope System Audit", required: false, validationRule: "When `.cclaw/config.yaml::optInAudits.scopePreAudit` is true: must capture git log -30, git diff --stat, git stash list, and debt-marker scan (TODO/FIXME/XXX/HACK) before premise challenge." },
+            { section: "Pre-Scope System Audit", required: true, validationRule: "Must capture git log -30, git diff --stat, git stash list, and debt-marker scan (TODO/FIXME/XXX/HACK) before premise challenge." },
             { section: "Prime Directives", required: false, validationRule: "For each scoped capability: named failure modes, explicit error surface, four data-flow paths, interaction edge cases, observability expectations, and deferred-item handling." },
             { section: "Premise Challenge", required: false, validationRule: "Must list at least 3 question/answer rows in a markdown table or bullet list (gstack default trio: right problem? direct path? what if we do nothing? — extend with leverage and reversibility for richer scope). The linter enforces structure, not English wording — answers may be in any language." },
             { section: "Scope Contract", required: true, validationRule: "Canonical contract: selected mode, in scope, out of scope, requirements, locked decisions, discretion areas, deferred ideas, accepted/rejected reference ideas, success definition, and design handoff." },

package/dist/content/stages/tdd.js

@@ -41,7 +41,7 @@ export const TDD = {
             "Map to acceptance criterion — identify the specific spec criterion this test proves.",
             "Discover the test surface — inspect existing tests, fixtures, helpers, test commands, and nearby assertions before authoring RED. Reuse the local test style unless the slice genuinely needs a new pattern.",
             "Run a system-wide impact check — name callbacks, state transitions, interfaces, schemas, CLI/config/API contracts, persistence, or event boundaries that this slice can affect. Add RED coverage for each affected public contract or record why it is out of scope.",
-            "Source/test preflight — before production edits, classify planned paths using `.cclaw/config.yaml::tdd.testPathPatterns` and `tdd.productionPathPatterns` when present; verify the RED touches a test path and the GREEN touches only source paths needed for the failing behavior.",
+            "Source/test preflight — before production edits, classify planned paths using test-path patterns; verify the RED touches a test path and the GREEN touches only source paths needed for the failing behavior.",
             "Set execution posture — record whether this slice is sequential, batch-safe, or blocked; when the existing git workflow permits small commits, checkpoint after RED, GREEN, and REFACTOR (or record why commits are deferred).",
             "Use the mandatory `test-author` delegation for RED — after discovery and impact check, produce failing behavior tests and RED evidence only (no production edits). Set `CCLAW_ACTIVE_AGENT=tdd-red` when the harness supports phase labels.",
             "RED: Capture failure output — copy the exact failure output as RED evidence. Record in artifact.",
@@ -52,7 +52,7 @@ export const TDD = {
             "REFACTOR: continue the `test-author` evidence cycle (or a dedicated refactor mode when available) to improve code quality without behavior changes. Set `CCLAW_ACTIVE_AGENT=tdd-refactor` when the harness supports phase labels.",
             "Record evidence — capture test discovery, system-wide impact check, RED failure, GREEN output, and REFACTOR notes in the TDD artifact. When logging a `green` row, attach the closed acceptance-criterion IDs in `acIds` so Ralph Loop status counts them.",
             "Annotate traceability — link to the active track's source: plan task ID + spec criterion on standard/medium, or spec acceptance item / bug reproduction slice on quick.",
-            "Per-Slice Review (conditional) — if `.cclaw/config.yaml::sliceReview.enabled` is true and the slice meets any trigger (touchCount >= filesChangedThreshold, touchPaths match touchTriggers, or highRisk=true), append a `## Per-Slice Review` entry for this slice before moving on (see the dedicated section below).",
+            "Per-Slice Review (conditional) — if the slice meets any trigger (touchCount >= filesChangedThreshold, touchPaths match touchTriggers, or highRisk=true), append a `## Per-Slice Review` entry for this slice before moving on (see the dedicated section below).",
             "Repeat for each slice — return to step 1 for the next plan slice."
         ],
         interactionProtocol: [
@@ -70,7 +70,7 @@ export const TDD = {
             "Use incremental RED/GREEN/REFACTOR commits when the repository workflow and working tree make that appropriate; otherwise record the checkpoint boundaries in the artifact.",
             "Stop if regressions appear and fix before proceeding.",
             "If a test passes unexpectedly, investigate: does the behavior already exist, or is the test wrong?",
-            "**Per-Slice Review point (conditional, opt-in).** When `.cclaw/config.yaml::sliceReview.enabled` is true, check every slice against the triggers before declaring it DONE. Triggers: `touchCount >= filesChangedThreshold`, any `touchPaths` match a `touchTriggers` glob, or the plan row declares `highRisk: true`. On a trigger, run two passes on the slice alone — (1) Spec-Compliance: trace RED/GREEN/REFACTOR evidence back to its plan task + spec criterion, noting edge cases the tests skip; (2) Quality: diff-scan for naming, error handling, dead code, simpler alternatives. Record both under `## Per-Slice Review` in `06-tdd.md`, naming the trigger that fired. Dispatch the `reviewer` subagent natively when available (log `fulfillmentMode: \"isolated\"`); otherwise fulfil via in-session role switch (`fulfillmentMode: \"role-switch\"`). Never fabricate an isolated pass from memory. Tracks outside `sliceReview.enforceOnTracks` still emit the section; sync only escalates missed reviews on enforced tracks."
+            "**Per-Slice Review point (conditional).** Check every slice against the triggers before declaring it DONE. Triggers: `touchCount >= filesChangedThreshold`, any `touchPaths` match a `touchTriggers` glob, or the plan row declares `highRisk: true`. On a trigger, run two passes on the slice alone — (1) Spec-Compliance: trace RED/GREEN/REFACTOR evidence back to its plan task + spec criterion, noting edge cases the tests skip; (2) Quality: diff-scan for naming, error handling, dead code, simpler alternatives. Record both under `## Per-Slice Review` in `06-tdd.md`, naming the trigger that fired. Dispatch the `reviewer` subagent natively when available (log `fulfillmentMode: \"isolated\"`); otherwise fulfil via in-session role switch (`fulfillmentMode: \"role-switch\"`). Never fabricate an isolated pass from memory."
         ],
         process: [
             "Select one vertical slice and map it to acceptance criterion(s).",
@@ -81,10 +81,10 @@ export const TDD = {
             "Run tests and capture failure output.",
             "Use `test-author` in GREEN intent and implement the smallest change needed for GREEN.",
             "Run full tests and build checks.",
-            "Run a fresh verification-before-completion check and capture command + PASS/FAIL plus a commit SHA when VCS is present; for `vcs: none`, record explicit no-vcs reason plus content/artifact hash unless `tdd.verificationRef: disabled` is configured.",
+            "Run a fresh verification-before-completion check and capture command + PASS/FAIL plus a commit SHA when `.git` is present; otherwise record explicit no-vcs reason plus content/artifact hash.",
             "Run the REFACTOR intent preserving behavior.",
             "Record RED, GREEN, and REFACTOR evidence in artifact.",
-            "Annotate traceability to plan task and spec criterion; on `sliceReview` triggers, append a Per-Slice Review entry before closing the slice."
+            "Annotate traceability to plan task and spec criterion; on per-slice triggers, append a Per-Slice Review entry before closing the slice."
         ],
         requiredGates: [
             { id: "tdd_test_discovery_complete", description: "Relevant existing tests, fixtures, helpers, and runnable commands were discovered before RED tests were written." },
@@ -92,7 +92,7 @@ export const TDD = {
             { id: "tdd_red_test_written", description: "Failing tests exist before implementation changes." },
             { id: "tdd_green_full_suite", description: "Full relevant suite passes in GREEN state." },
             { id: "tdd_refactor_completed", description: "Refactor pass completed with behavior preservation verified." },
-            { id: "tdd_verified_before_complete", description: "Fresh verification evidence includes test command, explicit pass/fail status, and a config-aware ref: commit SHA when VCS is present/required or an explicit no-VCS attestation when allowed." },
+            { id: "tdd_verified_before_complete", description: "Fresh verification evidence includes test command, explicit pass/fail status, and a durable ref: commit SHA when `.git` is present or explicit no-VCS attestation + hash when not." },
             { id: "tdd_iron_law_acknowledged", description: "Iron Law acknowledgement is explicit (`Acknowledged: yes`) before implementation proceeds." },
             { id: "tdd_watched_red_observed", description: "Watched-RED Proof records at least one observed failing test with ISO timestamp evidence." },
             { id: "tdd_slice_cycle_complete", description: "Vertical Slice Cycle records RED, GREEN, and REFACTOR phases per active slice." },
@@ -106,7 +106,7 @@ export const TDD = {
             "Execution posture and vertical-slice RED/GREEN/REFACTOR checkpoint plan recorded, including commit boundaries when the repo workflow supports them.",
             "Failing command output captured (RED).",
             "Full test/build output recorded (GREEN).",
-            "Fresh verification evidence recorded with command, PASS/FAIL status, and config-aware commit SHA or no-VCS reason plus content/artifact hash before completion.",
+            "Fresh verification evidence recorded with command, PASS/FAIL status, and commit SHA or no-VCS reason plus content/artifact hash before completion.",
             "Iron Law Acknowledgement section explicitly states `Acknowledged: yes`.",
             "Watched-RED Proof includes at least one populated row with an ISO timestamp.",
             "Vertical Slice Cycle records RED, GREEN, and REFACTOR per active slice.",
@@ -125,7 +125,7 @@ export const TDD = {
             "behavior changed during refactor",
             "no evidence recorded",
             "RED/GREEN blocked — classify with the managed taxonomy `NO_SOURCE_CONTEXT`, `NO_TEST_SURFACE`, `NO_IMPLEMENTABLE_SLICE`, `RED_NOT_EXPRESSIBLE`, or `NO_VCS_MODE` and capture blockedBecause, missingInputs, recommendedRoute, nextCommand, resumeCriteria, and the repair path: RED needs a failing test surface, GREEN needs full-suite pass evidence, REFACTOR needs behavior-preservation evidence.",
-            "no-VCS workspace without explicit `vcs: none`, no-vcs reason, content/artifact hash, or `tdd.verificationRef: disabled`"
+            "no-VCS workspace without explicit no-vcs reason and content/artifact hash"
         ],
         exitCriteria: [
             "test discovery and system-wide impact check are recorded",
@@ -170,7 +170,7 @@ export const TDD = {
             { section: "Test Pyramid Shape", required: false, validationRule: "If present: per-slice count of Small/Medium/Large tests added, to let reviewers verify the suite is not drifting top-heavy." },
             { section: "Mock Preference Order", required: false, validationRule: "When mocks/spies appear in Test Discovery or RED Evidence, prefer Real > Fake > Stub > Mock. Mock-heavy slices should include explicit boundary justification (for example network/fs/time/external trust boundaries)." },
             { section: "Prove-It Reproduction", required: false, validationRule: "Required for bug-fix slices: original failing reproduction test (RED without fix), passing output with fix (GREEN), and a note confirming the test fails again if the fix is reverted." },
-            { section: "Per-Slice Review", required: false, validationRule: "When `.cclaw/config.yaml::sliceReview.enabled` is true: per triggered slice, a two-part record — Spec-Compliance (slice <-> plan task <-> spec criterion trace plus edge-case notes) and Quality (diff-focused review of naming, error handling, dead code, simpler alternatives). Each entry names the trigger (touchCount, touchPaths glob, or highRisk) and the delegation fulfillmentMode (`isolated` when a reviewer subagent was dispatched natively; `role-switch` when fulfilled in-session). Slices that did not meet any trigger may list `not triggered` instead of a full pass." }
+            { section: "Per-Slice Review", required: false, validationRule: "Per triggered slice, a two-part record — Spec-Compliance (slice <-> plan task <-> spec criterion trace plus edge-case notes) and Quality (diff-focused review of naming, error handling, dead code, simpler alternatives). Each entry names the trigger (touchCount, touchPaths glob, or highRisk) and the delegation fulfillmentMode (`isolated` when a reviewer subagent was dispatched natively; `role-switch` when fulfilled in-session). Slices that did not meet any trigger may list `not triggered` instead of a full pass." }
         ]
     },
     reviewLens: {
@@ -224,9 +224,9 @@ export const TDD = {
             {
                 title: "Per-Slice Review Audit (conditional)",
                 evaluationPoints: [
-                    "When `.cclaw/config.yaml::sliceReview.enabled` is true: does every triggered slice (touchCount >= threshold, touchPaths match, or highRisk=true) carry a Per-Slice Review entry with BOTH a Spec-Compliance pass (plan task <-> spec criterion + edge-case notes) AND a Quality pass (diff-level naming/errors/dead code/simpler alternatives)?",
+                    "Does every triggered slice (touchCount >= threshold, touchPaths match, or highRisk=true) carry a Per-Slice Review entry with BOTH a Spec-Compliance pass (plan task <-> spec criterion + edge-case notes) AND a Quality pass (diff-level naming/errors/dead code/simpler alternatives)?",
                     "Is the delegation `fulfillmentMode` recorded (`isolated` for a dispatched reviewer subagent, `role-switch` for an in-session pass) and does it match an entry in `.cclaw/state/delegation-log.json`?",
-                    "On tracks listed in `sliceReview.enforceOnTracks`, are there zero missed triggered slices (sync also surfaces this as a warning)?"
+                    "Are there zero missed triggered slices when triggers fired?"
                 ],
                 stopGate: false
             },

package/dist/gate-evidence.js

@@ -2,7 +2,6 @@ import fs from "node:fs/promises";
 import path from "node:path";
 import { checkReviewSecurityNoChangeAttestation, checkReviewVerdictConsistency, extractMarkdownSectionBody, lintArtifact, validateReviewArmy } from "./artifact-linter.js";
 import { resolveArtifactPath } from "./artifact-paths.js";
-import { readConfig } from "./config.js";
 import { RUNTIME_ROOT } from "./constants.js";
 import { stageSchema } from "./content/stage-schema.js";
 import { readDelegationLedger } from "./delegation.js";
@@ -179,10 +178,7 @@ async function readEarlyLoopGateSnapshot(projectRoot, flowState) {
         return { snapshot: onDisk };
     }
     try {
-        const config = await readConfig(projectRoot);
-        const computed = await computeEarlyLoopStatus(flowState.currentStage, flowState.activeRunId, path.join(stateDir, "early-loop-log.jsonl"), {
-            maxIterations: config.earlyLoop?.maxIterations
-        });
+        const computed = await computeEarlyLoopStatus(flowState.currentStage, flowState.activeRunId, path.join(stateDir, "early-loop-log.jsonl"));
         return {
             snapshot: {
                 stage: computed.stage,

package/dist/hook-schema.js

@@ -68,6 +68,9 @@ function validateClaudeLikeEvent(eventName, eventEntries, errors) {
             if (hook.timeout !== undefined && !isPositiveNumber(hook.timeout)) {
                 errors.push(`hooks.${eventName}[${index}].hooks[${hookIndex}].timeout must be a positive number when present`);
             }
+            if (hook.statusMessage !== undefined && !isNonEmptyString(hook.statusMessage)) {
+                errors.push(`hooks.${eventName}[${index}].hooks[${hookIndex}].statusMessage must be a non-empty string when present`);
+            }
         }
     }
 }

package/dist/hook-schemas/claude-hooks.v1.json

@@ -5,8 +5,6 @@
     "schemaVersion": 2,
     "requiredEvents": [
         "SessionStart",
-        "PreToolUse",
-        "PostToolUse",
         "Stop"
     ]
 }

package/dist/hook-schemas/codex-hooks.v1.json

@@ -5,9 +5,6 @@
     "schemaVersion": 2,
     "requiredEvents": [
         "SessionStart",
-        "UserPromptSubmit",
-        "PreToolUse",
-        "PostToolUse",
         "Stop"
     ]
 }

package/dist/hook-schemas/cursor-hooks.v1.json

@@ -8,8 +8,6 @@
         "sessionResume",
         "sessionClear",
         "sessionCompact",
-        "preToolUse",
-        "postToolUse",
         "stop"
     ]
 }

package/dist/install.d.ts

@@ -11,13 +11,8 @@ export declare function initCclaw(options: InitOptions): Promise<void>;
 export declare function syncCclaw(projectRoot: string, options?: SyncOptions): Promise<void>;
 /**
  * Refresh generated files in `.cclaw/` without touching user-authored
- * artifacts, state, or custom config keys. Only the `version` + `flowVersion`
- * stamps are rewritten so the on-disk config reflects the installed CLI.
- *
- * Shape preservation: if the user previously hand-authored advanced keys
- * (e.g. `tdd`, `compound`, `trackHeuristics`, `sliceReview`), those stay in
- * the yaml. If their existing config is minimal, the upgrade keeps it
- * minimal — advanced knobs are never silently added.
+ * artifacts or state. Config remains harness-only with managed version
+ * stamps.
  */
 export declare function upgradeCclaw(projectRoot: string): Promise<void>;
 export declare function uninstallCclaw(projectRoot: string): Promise<void>;

package/dist/install.js

@@ -3,7 +3,7 @@ import fs from "node:fs/promises";
 import path from "node:path";
 import { promisify } from "node:util";
 import { CCLAW_VERSION, FLOW_VERSION, REQUIRED_DIRS, RUNTIME_ROOT } from "./constants.js";
-import { writeConfig, createDefaultConfig, readConfig, configPath, detectLanguageRulePacks, detectAdvancedKeys } from "./config.js";
+import { writeConfig, createDefaultConfig, readConfig, configPath, detectAdvancedKeys } from "./config.js";
 import { learnSkillMarkdown } from "./content/learnings.js";
 import { stageCommandShimMarkdown } from "./content/stage-command.js";
 import { ideaCommandContract, ideaCommandSkillMarkdown } from "./content/idea.js";
@@ -12,7 +12,7 @@ import { viewCommandContract, viewCommandSkillMarkdown } from "./content/view-co
 import { cancelCommandContract, cancelCommandSkillMarkdown } from "./content/cancel-command.js";
 import { subagentDrivenDevSkill, parallelAgentsSkill } from "./content/subagents.js";
 import { sessionHooksSkillMarkdown } from "./content/session-hooks.js";
-import { ironLawRuntimeDocument, ironLawsSkillMarkdown } from "./content/iron-laws.js";
+import { ironLawsSkillMarkdown } from "./content/iron-laws.js";
 import { stageCompleteScript, startFlowScript, cancelRunScript, runHookCmdScript, delegationRecordScript, opencodePluginJs, claudeHooksJson, codexHooksJson, cursorHooksJson } from "./content/hooks.js";
 import { nodeHookRuntimeScript } from "./content/node-hooks.js";
 import { META_SKILL_NAME, usingCclawSkillMarkdown } from "./content/meta-skill.js";
@@ -21,7 +21,7 @@ import { STATE_CONTRACTS } from "./content/state-contracts.js";
 import { REVIEW_PROMPTS } from "./content/review-prompts.js";
 import { stageSkillFolder, stageSkillMarkdown, executingWavesSkillMarkdown } from "./content/skills.js";
 import { adaptiveElicitationSkillMarkdown } from "./content/skills-elicitation.js";
-import { LANGUAGE_RULE_PACK_DIR, LANGUAGE_RULE_PACK_FILES, LANGUAGE_RULE_PACK_GENERATORS, LEGACY_LANGUAGE_RULE_PACK_FOLDERS } from "./content/utility-skills.js";
+import { LANGUAGE_RULE_PACK_DIR, LEGACY_LANGUAGE_RULE_PACK_FOLDERS } from "./content/utility-skills.js";
 import { RESEARCH_PLAYBOOKS } from "./content/research-playbooks.js";
 import { SUBAGENT_CONTEXT_SKILLS } from "./content/subagent-context-skills.js";
 import { CCLAW_AGENTS } from "./content/core-agents.js";
@@ -407,55 +407,13 @@ async function removeManagedGitHookRelays(projectRoot) {
     }
 }
 async function syncManagedGitHooks(projectRoot, config) {
-    const hooksDir = await resolveGitHooksDir(projectRoot);
-    if (!hooksDir) {
-        return;
-    }
-    if (config.gitHookGuards !== true) {
-        await removeManagedGitHookRelays(projectRoot);
-        try {
-            await fs.rm(path.join(projectRoot, GIT_HOOK_RUNTIME_REL_DIR), { recursive: true, force: true });
-        }
-        catch {
-            // best-effort cleanup
-        }
-        return;
-    }
-    const runtimeGitHooksDir = path.join(projectRoot, GIT_HOOK_RUNTIME_REL_DIR);
-    await ensureDir(runtimeGitHooksDir);
-    for (const hookName of ["pre-commit", "pre-push"]) {
-        const runtimePathForHook = path.join(runtimeGitHooksDir, `${hookName}.mjs`);
-        await writeFileSafe(runtimePathForHook, managedGitRuntimeScript(hookName));
-        try {
-            await fs.chmod(runtimePathForHook, 0o755);
-        }
-        catch {
-            // best effort on constrained filesystems
-        }
+    void config;
+    await removeManagedGitHookRelays(projectRoot);
+    try {
+        await fs.rm(path.join(projectRoot, GIT_HOOK_RUNTIME_REL_DIR), { recursive: true, force: true });
     }
-    await ensureDir(hooksDir);
-    for (const hookName of ["pre-commit", "pre-push"]) {
-        const hookPath = path.join(hooksDir, hookName);
-        let canWriteRelay = true;
-        if (await exists(hookPath)) {
-            try {
-                const existing = await fs.readFile(hookPath, "utf8");
-                canWriteRelay = existing.includes(GIT_HOOK_MANAGED_MARKER);
-            }
-            catch {
-                canWriteRelay = false;
-            }
-        }
-        if (!canWriteRelay) {
-            continue;
-        }
-        await writeFileSafe(hookPath, managedGitRelayHook(hookName));
-        try {
-            await fs.chmod(hookPath, 0o755);
-        }
-        catch {
-            // best effort on constrained filesystems
-        }
+    catch {
+        // best-effort cleanup
     }
 }
 async function ensureStructure(projectRoot) {
@@ -475,7 +433,8 @@ async function writeWavePlansScaffold(projectRoot) {
     await writeFileSafe(runtimePath(projectRoot, "wave-plans", ".gitkeep"), "");
 }
 async function writeSkills(projectRoot, config) {
-    const skillTrack = config?.defaultTrack ?? "standard";
+    void config;
+    const skillTrack = "standard";
     for (const stage of FLOW_STAGES) {
         const folder = stageSkillFolder(stage);
         await writeFileSafe(runtimePath(projectRoot, "skills", folder, "SKILL.md"), stageSkillMarkdown(stage, skillTrack));
@@ -503,42 +462,8 @@ async function writeSkills(projectRoot, config) {
     for (const [folderName, markdown] of Object.entries(SUBAGENT_CONTEXT_SKILLS)) {
         await writeFileSafe(runtimePath(projectRoot, "skills", folderName, "SKILL.md"), markdown);
     }
-    // Language rule packs live under .cclaw/rules/lang/<pack>.md. They are opt-in:
-    // only the packs listed in config.languageRulePacks are materialised. Any
-    // legacy per-language skill folders from v0.7.0 (.cclaw/skills/language-*)
-    // are cleaned up below so the new rules/lang layout is the only truth.
-    const enabledPacks = config?.languageRulePacks ?? [];
-    const enabledPackFileNames = new Set();
-    for (const pack of enabledPacks) {
-        const fileName = LANGUAGE_RULE_PACK_FILES[pack];
-        const generator = LANGUAGE_RULE_PACK_GENERATORS[pack];
-        if (!fileName || !generator)
-            continue;
-        enabledPackFileNames.add(fileName);
-        await writeFileSafe(runtimePath(projectRoot, ...LANGUAGE_RULE_PACK_DIR, fileName), generator());
-    }
-    // Strict idempotence: once a pack is removed from config, its generated
-    // file under .cclaw/rules/lang/ must disappear on the next sync. Without
-    // this loop the directory accumulates a superset of every pack ever
-    // enabled, which silently keeps stale guidance alive.
-    const langDir = runtimePath(projectRoot, ...LANGUAGE_RULE_PACK_DIR);
-    if (await exists(langDir)) {
-        const knownPackFileNames = new Set(Object.values(LANGUAGE_RULE_PACK_FILES));
-        let entries = [];
-        try {
-            entries = await fs.readdir(langDir);
-        }
-        catch {
-            entries = [];
-        }
-        for (const entry of entries) {
-            if (!knownPackFileNames.has(entry))
-                continue;
-            if (enabledPackFileNames.has(entry))
-                continue;
-            await fs.rm(path.join(langDir, entry), { force: true });
-        }
-    }
+    // Wave 21: language packs are no longer materialized from config.
+    await fs.rm(runtimePath(projectRoot, ...LANGUAGE_RULE_PACK_DIR), { recursive: true, force: true });
     for (const legacyFolder of LEGACY_LANGUAGE_RULE_PACK_FOLDERS) {
         const legacyPath = runtimePath(projectRoot, "skills", legacyFolder);
         if (await exists(legacyPath)) {
@@ -936,22 +861,10 @@ async function writeHooks(projectRoot, config) {
     const stateDir = runtimePath(projectRoot, "state");
     await ensureDir(hooksDir);
     await ensureDir(stateDir);
-    const effectiveStrictness = config.strictness ?? "advisory";
-    await writeFileSafe(runtimePath(projectRoot, "state", "iron-laws.json"), `${JSON.stringify(ironLawRuntimeDocument({
-        mode: effectiveStrictness,
-        strictLaws: config.ironLaws?.strictLaws
-    }), null, 2)}\n`);
     await writeFileSafe(path.join(hooksDir, "stage-complete.mjs"), stageCompleteScript());
     await writeFileSafe(path.join(hooksDir, "start-flow.mjs"), startFlowScript());
     await writeFileSafe(path.join(hooksDir, "cancel-run.mjs"), cancelRunScript());
-    const hookRuntimeOptions = {
-        strictness: effectiveStrictness,
-        tddTestPathPatterns: config.tdd?.testPathPatterns ?? config.tddTestGlobs,
-        tddProductionPathPatterns: config.tdd?.productionPathPatterns,
-        compoundRecurrenceThreshold: config.compound?.recurrenceThreshold,
-        earlyLoopEnabled: config.earlyLoop?.enabled,
-        earlyLoopMaxIterations: config.earlyLoop?.maxIterations
-    };
+    const hookRuntimeOptions = {};
     const bundledHookRuntime = await readBundledRunHookRuntimeScript(hookRuntimeOptions);
     await writeFileSafe(path.join(hooksDir, "run-hook.mjs"), bundledHookRuntime ?? nodeHookRuntimeScript(hookRuntimeOptions));
     await writeFileSafe(path.join(hooksDir, "run-hook.cmd"), runHookCmdScript());
@@ -1082,6 +995,7 @@ async function syncDisabledHarnessArtifacts(projectRoot, harnesses) {
     }
 }
 async function writeState(projectRoot, config, forceReset = false) {
+    void config;
     // Fresh init no longer materializes flow-state.json. The first managed
     // `/cc <idea>` start-flow call creates the state file.
     if (!forceReset) {
@@ -1091,7 +1005,7 @@ async function writeState(projectRoot, config, forceReset = false) {
     if (await exists(statePath)) {
         return;
     }
-    const state = createInitialFlowState({ track: config.defaultTrack ?? "standard" });
+    const state = createInitialFlowState({ track: "standard" });
     await writeFileSafe(statePath, `${JSON.stringify(state, null, 2)}\n`, { mode: 0o600 });
 }
 async function cleanLegacyArtifacts(projectRoot) {
@@ -1289,17 +1203,8 @@ export async function initCclaw(options) {
     if (options.harnesses !== undefined && options.harnesses.length === 0) {
         throw new Error("Select at least one harness.");
     }
-    const baseConfig = createDefaultConfig(options.harnesses, options.track);
-    // Best-effort auto-detect: a Node project gets `typescript`, a Go module
-    // gets `go`, etc. Skipped entirely when the project root has no manifests.
-    const detectedPacks = await detectLanguageRulePacks(options.projectRoot);
-    const config = {
-        ...baseConfig,
-        languageRulePacks: detectedPacks
-    };
-    // Write a minimal `config.yaml` — advanced knobs live in docs/config.md
-    // and only appear in the on-disk file when the user sets them explicitly
-    // or a non-default value was detected (e.g. languageRulePacks).
+    const config = createDefaultConfig(options.harnesses, options.track);
+    // Wave 21: config is always minimal and harness-only.
     await writeConfig(options.projectRoot, config, { mode: "minimal" });
     // Init should scaffold runtime surfaces but leave flow-state creation to the
     // first managed start-flow invocation.
@@ -1339,13 +1244,8 @@ export async function syncCclaw(projectRoot, options = {}) {
 }
 /**
  * Refresh generated files in `.cclaw/` without touching user-authored
- * artifacts, state, or custom config keys. Only the `version` + `flowVersion`
- * stamps are rewritten so the on-disk config reflects the installed CLI.
- *
- * Shape preservation: if the user previously hand-authored advanced keys
- * (e.g. `tdd`, `compound`, `trackHeuristics`, `sliceReview`), those stay in
- * the yaml. If their existing config is minimal, the upgrade keeps it
- * minimal — advanced knobs are never silently added.
+ * artifacts or state. Config remains harness-only with managed version
+ * stamps.
  */
 export async function upgradeCclaw(projectRoot) {
     const configExists = await exists(configPath(projectRoot));

package/dist/internal/compound-readiness.js

@@ -1,7 +1,6 @@
 import fs from "node:fs/promises";
 import path from "node:path";
 import { RUNTIME_ROOT } from "../constants.js";
-import { readConfig } from "../config.js";
 import { writeFileSafe } from "../fs-utils.js";
 import { computeCompoundReadiness, readKnowledgeSafely } from "../knowledge-store.js";
 function parseArgs(tokens) {
@@ -80,21 +79,7 @@ export function formatCompoundReadinessLine(status) {
 }
 export async function runCompoundReadinessCommand(projectRoot, argv, io) {
     const args = parseArgs(argv);
-    // Reading config is best-effort — but DO surface a stderr warning so
-    // mis-wired / malformed config shows up in hook-errors / CI logs
-    // instead of silently degrading to default threshold.
-    let config = null;
-    try {
-        config = await readConfig(projectRoot);
-    }
-    catch (error) {
-        const detail = error instanceof Error ? error.message : String(error);
-        io.stderr.write(`[cclaw] compound-readiness: failed to read config (${detail}); falling back to default threshold\n`);
-    }
-    const threshold = args.threshold ??
-        (typeof config?.compound?.recurrenceThreshold === "number"
-            ? config.compound.recurrenceThreshold
-            : undefined);
+    const threshold = args.threshold;
     const archivedRunsCount = await countArchivedRunsSafely(projectRoot);
     const { entries } = await readKnowledgeSafely(projectRoot, { lockAware: true });
     const status = computeCompoundReadiness(entries, {

package/dist/internal/early-loop-status.js

@@ -1,5 +1,4 @@
 import path from "node:path";
-import { readConfig } from "../config.js";
 import { RUNTIME_ROOT } from "../constants.js";
 import { computeEarlyLoopStatus, formatEarlyLoopStatusLine, isEarlyLoopStage } from "../early-loop.js";
 import { writeFileSafe } from "../fs-utils.js";
@@ -66,14 +65,13 @@ function stateDir(projectRoot) {
 export async function runEarlyLoopStatusCommand(projectRoot, argv, io) {
     const args = parseArgs(argv);
     const flow = await readFlowState(projectRoot).catch(() => null);
-    const config = await readConfig(projectRoot).catch(() => null);
     const stage = args.stage ?? flow?.currentStage;
     if (!isEarlyLoopStage(stage)) {
         io.stderr.write("cclaw internal early-loop-status: current stage is not an early-loop stage. Pass --stage=brainstorm|scope|design.\n");
         return 1;
     }
     const runId = (args.runId ?? flow?.activeRunId ?? "active").trim() || "active";
-    const status = await computeEarlyLoopStatus(stage, runId, path.join(stateDir(projectRoot), "early-loop-log.jsonl"), { maxIterations: config?.earlyLoop?.maxIterations });
+    const status = await computeEarlyLoopStatus(stage, runId, path.join(stateDir(projectRoot), "early-loop-log.jsonl"));
     if (args.write) {
         const target = path.join(stateDir(projectRoot), "early-loop.json");
         await writeFileSafe(target, `${JSON.stringify(status, null, 2)}\n`);