cclaw-cli 2.0.0 → 3.0.0

package/dist/internal/runtime-integrity.js

@@ -2,7 +2,6 @@ import fs from "node:fs/promises";
 import path from "node:path";
 import { readConfig } from "../config.js";
 import { RUNTIME_ROOT } from "../constants.js";
-import { classifyCodexHooksFlag, codexConfigPath, readCodexConfig } from "../codex-feature-flag.js";
 import { exists } from "../fs-utils.js";
 import { HARNESS_ADAPTERS, harnessShimFileNames, harnessShimSkillNames } from "../harness-adapters.js";
 import { validateHookDocument } from "../hook-schema.js";
@@ -220,24 +219,6 @@ async function checkHarnessShims(projectRoot, harnesses) {
     }
     return findings;
 }
-async function checkCodexHooksFlag(harnesses) {
-    if (!harnesses.includes("codex")) {
-        return warningFinding("codex_hooks_flag", true, "Codex harness is not enabled.");
-    }
-    const configTomlPath = codexConfigPath();
-    let existing;
-    try {
-        existing = await readCodexConfig(configTomlPath);
-    }
-    catch (error) {
-        return warningFinding("codex_hooks_flag", false, "Could not read Codex config.toml to validate codex_hooks.", [error instanceof Error ? error.message : String(error)]);
-    }
-    const state = classifyCodexHooksFlag(existing);
-    if (state === "enabled") {
-        return warningFinding("codex_hooks_flag", true, "Codex hooks feature flag is enabled.");
-    }
-    return warningFinding("codex_hooks_flag", false, "Codex hooks file is present, but [features] codex_hooks is not true in Codex config.", [`configPath: ${configTomlPath}`, `state: ${state}`]);
-}
 function buildReport(findings) {
     const errors = findings.filter((finding) => !finding.ok && finding.severity === "error").length;
     const warnings = findings.filter((finding) => !finding.ok && finding.severity === "warning").length;
@@ -274,7 +255,6 @@ export async function runRuntimeIntegrityCommand(projectRoot, argv, io) {
             findings.push(await checkHookDocument(projectRoot, harness));
         }
     }
-    findings.push(await checkCodexHooksFlag(harnesses));
     const report = buildReport(findings);
     if (!args.quiet) {
         if (args.json) {

package/dist/policy.js

@@ -96,11 +96,8 @@ export async function policyChecks(projectRoot, options = {}) {
         { file: runtimeFile("skills/session/SKILL.md"), needle: "## Session Resume Protocol", name: "utility_skill:session:resume" },
         { file: runtimeFile("skills/brainstorm/SKILL.md"), needle: "## Shared Stage Guidance", name: "stage_skill:shared_guidance_inline" },
         { file: runtimeFile("hooks/run-hook.mjs"), needle: "activeRunId", name: "hooks:session_start:active_run" },
-        { file: runtimeFile("hooks/run-hook.mjs"), needle: "write_to_cclaw_runtime", name: "hooks:guard:risky_write_advisory" },
-        { file: runtimeFile("hooks/run-hook.mjs"), needle: "stage_invocation_without_recent_flow_read", name: "hooks:workflow_guard:flow_read_reason" },
-        { file: runtimeFile("hooks/run-hook.mjs"), needle: "stage_jump_", name: "hooks:workflow_guard:stage_jump_reason" },
-        { file: runtimeFile("hooks/run-hook.mjs"), needle: "tdd_write_without_open_red", name: "hooks:workflow_guard:tdd_red_first" },
-        { file: runtimeFile("hooks/run-hook.mjs"), needle: "context remaining is", name: "hooks:context:threshold_warning" },
+        { file: runtimeFile("hooks/run-hook.mjs"), needle: "session-start", name: "hooks:session_start:wired" },
+        { file: runtimeFile("hooks/run-hook.mjs"), needle: "stop-handoff", name: "hooks:stop_handoff:wired" },
         { file: runtimeFile("hooks/opencode-plugin.mjs"), needle: "activeRunId", name: "hooks:opencode:active_run" },
         { file: runtimeFile("hooks/run-hook.mjs"), needle: "Knowledge digest", name: "hooks:session_start:knowledge_digest" },
         { file: runtimeFile("hooks/opencode-plugin.mjs"), needle: "Knowledge digest", name: "hooks:opencode:knowledge_digest" }
@@ -108,13 +105,13 @@ export async function policyChecks(projectRoot, options = {}) {
     if (activeHarnesses.has("opencode")) {
         utilitySkillChecks.push({
             file: ".opencode/plugins/cclaw-plugin.mjs",
-            needle: "\"tool.execute.before\"",
-            name: "hooks:opencode:deployed_tool_hook"
+            needle: "session-start",
+            name: "hooks:opencode:deployed_session_start_hook"
         });
         utilitySkillChecks.push({
             file: ".opencode/plugins/cclaw-plugin.mjs",
-            needle: "workflow-guard",
-            name: "hooks:opencode:deployed_workflow_guard"
+            needle: "stop-handoff",
+            name: "hooks:opencode:deployed_stop_handoff_hook"
         });
     }
     if (activeHarnesses.has("cursor")) {

package/dist/runtime/run-hook.mjs

@@ -7405,117 +7405,6 @@ var REQUIRED_GITIGNORE_PATTERNS = [
   ".cursor/rules/cclaw-workflow.mdc"
 ];
 
-// src/content/iron-laws.ts
-var IRON_LAWS = [
-  {
-    id: "tdd-red-before-write",
-    title: "RED before production write",
-    rule: "Do not edit production code in tdd stage before a failing RED test exists for the slice.",
-    rationale: "Prevents implementation-first behavior and keeps RED as executable specification.",
-    enforcement: "PreToolUse",
-    severity: "hard-gate",
-    appliesTo: ["tdd"],
-    hookMatcher: {
-      toolPattern: "write|edit|multiedit|applypatch|shell|bash",
-      payloadPattern: "\\.(ts|tsx|js|jsx|py|go|java|rs|rb|php|c|cc|cpp|h|hpp)"
-    }
-  },
-  {
-    id: "plan-requires-approval",
-    title: "No implementation before plan approval",
-    rule: "Do not perform write-like actions while plan stage is pending WAIT_FOR_CONFIRM approval.",
-    rationale: "Locks intent before execution and reduces expensive rework from unapproved paths.",
-    enforcement: "PreToolUse",
-    severity: "hard-gate",
-    appliesTo: ["plan"]
-  },
-  {
-    id: "runtime-writes-managed-only",
-    title: "Runtime writes are managed",
-    rule: `Do not mutate ${RUNTIME_ROOT}/state, ${RUNTIME_ROOT}/hooks, or ${RUNTIME_ROOT}/skills by ad-hoc edits unless using cclaw-managed commands.`,
-    rationale: "Protects generated runtime integrity and avoids drift that silently breaks hooks or skills.",
-    enforcement: "PreToolUse",
-    severity: "hard-gate",
-    appliesTo: "all",
-    hookMatcher: {
-      toolPattern: "write|edit|multiedit|delete|applypatch|shell|bash",
-      payloadPattern: "\\.cclaw/(state|hooks|skills)"
-    }
-  },
-  {
-    id: "flow-state-read-fresh",
-    title: "Fresh flow-state read required",
-    rule: `Before mutating actions, a fresh read of ${RUNTIME_ROOT}/state/flow-state.json must exist within guard freshness window.`,
-    rationale: "Prevents stale-stage mutations after context shifts or multi-agent divergence.",
-    enforcement: "PreToolUse",
-    severity: "hard-gate",
-    appliesTo: "all"
-  },
-  {
-    id: "review-layer-order",
-    title: "Review layers are sequential",
-    rule: "Review stage must complete Layer 1 spec compliance before Layer 2 quality/security passes.",
-    rationale: "Stops premature quality discussion when acceptance criteria are not yet satisfied.",
-    enforcement: "PreToolUse",
-    severity: "hard-gate",
-    appliesTo: ["review"]
-  },
-  {
-    id: "review-criticals-close-before-ship",
-    title: "No ship with open criticals",
-    rule: "Ship decisions are blocked when review-army contains open Critical findings or ship blockers.",
-    rationale: "Enforces explicit risk closure before release finalization.",
-    enforcement: "PreToolUse",
-    severity: "hard-gate",
-    appliesTo: ["ship"]
-  },
-  {
-    id: "ship-preflight-required",
-    title: "Preflight required before finalization",
-    rule: "Do not execute release finalization actions until ship preflight gate is passed.",
-    rationale: "Catches regressions before irreversible release steps.",
-    enforcement: "PreToolUse",
-    severity: "hard-gate",
-    appliesTo: ["ship"]
-  },
-  {
-    id: "review-coverage-complete-before-ship",
-    title: "Review layer coverage before ship",
-    rule: "Block ship finalization when review-army does not confirm full Layer 1/2 coverage map.",
-    rationale: "Prevents finalization when multi-pass review evidence is incomplete or partially missing.",
-    enforcement: "PreToolUse",
-    severity: "hard-gate",
-    appliesTo: ["ship"]
-  },
-  {
-    id: "subagent-task-self-contained",
-    title: "Subagent tasks are self-contained",
-    rule: "Delegated tasks must include explicit objective, constraints, and expected output, not just references.",
-    rationale: "Avoids context loss and low-quality delegation in isolated worker contexts.",
-    enforcement: "advisory",
-    severity: "soft-gate",
-    appliesTo: "all"
-  },
-  {
-    id: "no-secrets-in-artifacts",
-    title: "Never log secrets in artifacts",
-    rule: "Secrets/tokens/passwords must not be written to review, ship, or runtime state artifacts.",
-    rationale: "Prevents accidental credential leakage through generated workflow artifacts.",
-    enforcement: "PostToolUse",
-    severity: "hard-gate",
-    appliesTo: "all"
-  },
-  {
-    id: "stop-clean-or-handoff",
-    title: "Stop only from clean handoff",
-    rule: "Do not end a session with dirty state unless the current artifact records unresolved work and blockers.",
-    rationale: "Protects continuity and prevents silent half-finished sessions.",
-    enforcement: "Stop",
-    severity: "hard-gate",
-    appliesTo: "all"
-  }
-];
-
 // src/types.ts
 var FLOW_STAGES = [
   "brainstorm",
@@ -7527,9 +7416,7 @@ var FLOW_STAGES = [
   "review",
   "ship"
 ];
-var FLOW_TRACKS = ["quick", "medium", "standard"];
 var HARNESS_IDS = ["claude", "cursor", "opencode", "codex"];
-var LANGUAGE_RULE_PACKS = ["typescript", "python", "go"];
 
 // src/managed-resources.ts
 var MANAGED_RESOURCE_MANIFEST_REL_PATH = `${RUNTIME_ROOT}/state/managed-resources.json`;
@@ -7538,11 +7425,7 @@ var MANAGED_RESOURCE_HARNESSES = /* @__PURE__ */ new Set(["core", ...HARNESS_IDS
 // src/config.ts
 var CONFIG_PATH = `${RUNTIME_ROOT}/config.yaml`;
 var HARNESS_ID_SET = new Set(HARNESS_IDS);
-var FLOW_TRACK_SET = new Set(FLOW_TRACKS);
-var LANGUAGE_RULE_PACK_SET = new Set(LANGUAGE_RULE_PACKS);
 var SUPPORTED_HARNESSES_TEXT = HARNESS_IDS.join(", ");
-var SUPPORTED_TRACKS_TEXT = FLOW_TRACKS.join(", ");
-var SUPPORTED_LANGUAGE_RULE_PACKS_TEXT = LANGUAGE_RULE_PACKS.join(", ");
 var DEFAULT_TDD_TEST_PATH_PATTERNS = [
   "**/*.test.*",
   "**/tests/**",
@@ -7656,10 +7539,6 @@ function reviewPromptFileName(stage) {
 `;
 
 // src/content/node-hooks.ts
-function normalizePatterns(patterns, fallback) {
-  if (!patterns || patterns.length === 0) return [...fallback];
-  return patterns.map((value) => value.trim()).filter((value) => value.length > 0);
-}
 function resolveCliRuntimeForGeneratedHook() {
   const here = fileURLToPath2(import.meta.url);
   const candidates = [
@@ -7679,16 +7558,19 @@ function resolveCliRuntimeForGeneratedHook() {
   return { entrypoint: null, argsPrefix: [] };
 }
 function nodeHookRuntimeScript(options = {}) {
-  const strictness = options.strictness === "strict" ? "strict" : "advisory";
-  const tddTestPathPatterns = normalizePatterns(options.tddTestPathPatterns, [
+  void options;
+  const strictness = "advisory";
+  const tddTestPathPatterns = [
     "**/*.test.*",
     "**/tests/**",
     "**/__tests__/**"
-  ]);
-  const tddProductionPathPatterns = normalizePatterns(options.tddProductionPathPatterns, []);
-  const compoundRecurrenceThreshold = typeof options.compoundRecurrenceThreshold === "number" && Number.isInteger(options.compoundRecurrenceThreshold) && options.compoundRecurrenceThreshold >= 1 ? options.compoundRecurrenceThreshold : DEFAULT_COMPOUND_RECURRENCE_THRESHOLD;
-  const earlyLoopEnabled = options.earlyLoopEnabled !== false;
-  const earlyLoopMaxIterations = typeof options.earlyLoopMaxIterations === "number" && Number.isInteger(options.earlyLoopMaxIterations) && options.earlyLoopMaxIterations >= 1 ? options.earlyLoopMaxIterations : DEFAULT_EARLY_LOOP_MAX_ITERATIONS;
+  ];
+  const tddProductionPathPatterns = [];
+  const compoundRecurrenceThreshold = DEFAULT_COMPOUND_RECURRENCE_THRESHOLD;
+  const earlyLoopEnabled = true;
+  const earlyLoopMaxIterations = DEFAULT_EARLY_LOOP_MAX_ITERATIONS;
+  const defaultHookProfile = "standard";
+  const defaultDisabledHooks = [];
   const cliRuntime = resolveCliRuntimeForGeneratedHook();
   return `#!/usr/bin/env node
 import fs from "node:fs/promises";
@@ -7715,6 +7597,14 @@ const EARLY_LOOP_ENABLED = ${JSON.stringify(earlyLoopEnabled)};
 const EARLY_LOOP_MAX_ITERATIONS = ${JSON.stringify(earlyLoopMaxIterations)};
 const CCLAW_CLI_ENTRYPOINT = ${JSON.stringify(cliRuntime.entrypoint)};
 const CCLAW_CLI_ARGS_PREFIX = ${JSON.stringify(cliRuntime.argsPrefix)};
+const DEFAULT_HOOK_PROFILE = ${JSON.stringify(defaultHookProfile)};
+const DEFAULT_DISABLED_HOOKS = ${JSON.stringify(defaultDisabledHooks)};
+const HOOK_PROFILE_VALUES = new Set(["minimal", "standard", "strict"]);
+const MINIMAL_PROFILE_ALLOWED_HOOKS = new Set([
+  "session-start",
+  "session-start-refresh",
+  "stop-handoff"
+]);
 const SESSION_DIGEST_SCHEMA_VERSION = 1;
 const SESSION_DIGEST_CACHE_FILE = "session-digest.json";
 const SESSION_DIGEST_REFRESH_MARKER_FILE = "session-digest.refresh.json";
@@ -7723,7 +7613,119 @@ const SESSION_DIGEST_REFRESH_STALE_MS = 30000;
 ${SHARED_FLOW_AND_KNOWLEDGE_SNIPPETS}
 ${SHARED_STAGE_SUPPORT_SNIPPETS}
 
+let ACTIVE_HOOK_PROFILE = DEFAULT_HOOK_PROFILE;
+
+function normalizeHookToken(value) {
+  return String(value == null ? "" : value).trim().toLowerCase();
+}
+
+function parseHookProfile(rawValue, fallback = "standard") {
+  const normalized = normalizeHookToken(rawValue);
+  if (HOOK_PROFILE_VALUES.has(normalized)) return normalized;
+  return fallback;
+}
+
+function parseDisabledHooksCsv(rawValue) {
+  const raw = typeof rawValue === "string" ? rawValue : "";
+  if (raw.trim().length === 0) return [];
+  const out = [];
+  for (const token of raw.split(",")) {
+    const normalized = normalizeHookToken(token);
+    if (normalized.length === 0) continue;
+    if (!out.includes(normalized)) out.push(normalized);
+  }
+  return out;
+}
+
+function parseInlineYamlList(rawValue) {
+  const raw = typeof rawValue === "string" ? rawValue.trim() : "";
+  if (!raw.startsWith("[") || !raw.endsWith("]")) return [];
+  const inside = raw.slice(1, -1).trim();
+  if (inside.length === 0) return [];
+  return inside.split(",").map((token) => normalizeHookToken(token.replace(/^['"]|['"]$/g, ""))).filter((token) => token.length > 0);
+}
+
+function parseConfigHookProfile(rawYaml) {
+  if (typeof rawYaml !== "string" || rawYaml.trim().length === 0) {
+    return "";
+  }
+  const match = rawYaml.match(/^\\s*hookProfile\\s*:\\s*([A-Za-z0-9_-]+)\\s*$/m);
+  if (!match || typeof match[1] !== "string") return "";
+  return parseHookProfile(match[1], "");
+}
+
+function parseConfigDisabledHooks(rawYaml) {
+  if (typeof rawYaml !== "string" || rawYaml.trim().length === 0) {
+    return [];
+  }
+  const lines = rawYaml.split(/\\r?\\n/u);
+  const out = [];
+  for (let i = 0; i < lines.length; i += 1) {
+    const line = lines[i];
+    const inlineMatch = line.match(/^\\s*disabledHooks\\s*:\\s*(\\[[^\\]]*\\])\\s*$/u);
+    if (inlineMatch) {
+      for (const value of parseInlineYamlList(inlineMatch[1])) {
+        if (!out.includes(value)) out.push(value);
+      }
+      continue;
+    }
+    const blockMatch = line.match(/^(\\s*)disabledHooks\\s*:\\s*$/u);
+    if (!blockMatch) continue;
+    const baseIndent = blockMatch[1] ? blockMatch[1].length : 0;
+    for (let j = i + 1; j < lines.length; j += 1) {
+      const nextLine = lines[j];
+      const indent = (nextLine.match(/^(\\s*)/u)?.[1].length ?? 0);
+      const trimmed = nextLine.trim();
+      if (trimmed.length === 0) continue;
+      if (indent <= baseIndent) break;
+      const itemMatch = nextLine.match(/^\\s*-\\s*(.+?)\\s*$/u);
+      if (!itemMatch) continue;
+      const normalized = normalizeHookToken(itemMatch[1].replace(/^['"]|['"]$/g, ""));
+      if (normalized.length === 0) continue;
+      if (!out.includes(normalized)) out.push(normalized);
+    }
+  }
+  return out;
+}
+
+async function readConfigHookPolicy(root) {
+  const configPath = path.join(root, RUNTIME_ROOT, "config.yaml");
+  const raw = await readTextFile(configPath, "");
+  const profile = parseConfigHookProfile(raw);
+  const disabledHooks = parseConfigDisabledHooks(raw);
+  return { profile, disabledHooks };
+}
+
+async function resolveHookPolicy(root) {
+  const fromConfig = await readConfigHookPolicy(root);
+  const configProfile = parseHookProfile(fromConfig.profile, DEFAULT_HOOK_PROFILE);
+  const configDisabledHooks = Array.isArray(fromConfig.disabledHooks) && fromConfig.disabledHooks.length > 0
+    ? fromConfig.disabledHooks
+    : DEFAULT_DISABLED_HOOKS;
+
+  const envProfileRaw = process.env.CCLAW_HOOK_PROFILE;
+  const envProfile = parseHookProfile(envProfileRaw, "");
+  const profile = envProfile.length > 0 ? envProfile : configProfile;
+
+  const envDisabledRaw = process.env.CCLAW_DISABLED_HOOKS;
+  const envDisabledHooks = parseDisabledHooksCsv(envDisabledRaw);
+  const disabledHooks = envDisabledHooks.length > 0 ? envDisabledHooks : configDisabledHooks;
+  const disabled = new Set(disabledHooks.map((value) => normalizeHookToken(value)));
+  return { profile, disabled };
+}
+
+function hookDisabledByProfile(profile, hookName) {
+  if (profile !== "minimal") return false;
+  return !MINIMAL_PROFILE_ALLOWED_HOOKS.has(hookName);
+}
+
+function isHookDisabled(policy, hookName) {
+  if (policy.disabled.has(hookName)) return true;
+  return hookDisabledByProfile(policy.profile, hookName);
+}
+
 function resolveStrictness() {
+  if (ACTIVE_HOOK_PROFILE === "strict") return "strict";
   return process.env.CCLAW_STRICTNESS === "strict" ? "strict" : DEFAULT_STRICTNESS;
 }
 
@@ -8801,8 +8803,6 @@ async function readStageSupportContext(root, currentStage) {
 
 async function handleSessionStart(runtime) {
   const state = await readFlowState(runtime.root);
-  const stateDir = path.join(runtime.root, RUNTIME_ROOT, "state");
-  const ironLawsFile = path.join(stateDir, "iron-laws.json");
   const metaSkillFile = path.join(runtime.root, RUNTIME_ROOT, "skills", "using-cclaw", "SKILL.md");
 
 
@@ -8818,35 +8818,11 @@ async function handleSessionStart(runtime) {
   );
   const knowledge = await buildKnowledgeDigest(runtime.root, state.currentStage, knowledgeRaw);
 
-  // Fast path: read precomputed status lines from session-digest cache.
-  // If cache is stale, schedule a debounced background refresh so this hook
-  // returns quickly inside harness startup.
-  const flowStateMtimeMs = await readFileMtimeMs(state.filePath);
-  const forceSyncRefresh =
-    normalizeText(process.env.CCLAW_SESSION_START_BG_SYNC).toLowerCase() === "1" ||
-    ["1", "true", "yes"].includes(normalizeText(process.env.VITEST).toLowerCase());
-  let sessionDigest = await readSessionDigestLines(stateDir, state, flowStateMtimeMs);
-  if (forceSyncRefresh && flowStateMtimeMs > 0) {
-    await refreshSessionDigestCache(runtime.root, state, flowStateMtimeMs);
-    sessionDigest = await readSessionDigestLines(stateDir, state, flowStateMtimeMs);
-  } else if (!sessionDigest.fresh) {
-    await scheduleSessionDigestRefresh(runtime, state, flowStateMtimeMs);
-  }
-  const ralphLoopLine = sessionDigest.ralphLoopLine;
-  const earlyLoopLine = sessionDigest.earlyLoopLine;
-  const compoundReadinessLine = sessionDigest.compoundReadinessLine;
-
-  const ironLawsObj = toObject(await readJsonFile(ironLawsFile, {})) || {};
-  const laws = Array.isArray(ironLawsObj.laws) ? ironLawsObj.laws : [];
-  const ironLawLines = laws
-    .filter((row) => row && typeof row === "object")
-    .slice(0, 6)
-    .map((row) => {
-      const strict = row.strict === true ? "strict" : "advisory";
-      const id = typeof row.id === "string" && row.id.length > 0 ? row.id : "law";
-      const rule = typeof row.rule === "string" ? row.rule : "";
-      return "- [" + strict + "] " + id + " -> " + rule;
-    });
+  // Wave 21 honest-core: session-start no longer runs background helper
+  // pipelines or digest caches. It rehydrates flow + knowledge only.
+  const ralphLoopLine = "";
+  const earlyLoopLine = "";
+  const compoundReadinessLine = "";
   const staleStages = toObject(state.raw.staleStages) || {};
   const staleStageNames = Object.keys(staleStages);
   const interactionHints = toObject(state.raw.interactionHints) || {};
@@ -8907,9 +8883,6 @@ async function handleSessionStart(runtime) {
   if (stageSupportContext.length > 0) {
     parts.push(...stageSupportContext);
   }
-  if (ironLawLines.length > 0) {
-    parts.push("Iron laws (enforced policy highlights):\\n" + ironLawLines.join("\\n"));
-  }
   if (metaContent.length > 0) {
     parts.push(metaContent);
   }
@@ -8948,22 +8921,80 @@ async function isGitDirty(root) {
   });
 }
 
-function stopLawIsStrict(ironLawsObj) {
-  if ((ironLawsObj.mode || "advisory") === "strict") return true;
-  const laws = Array.isArray(ironLawsObj.laws) ? ironLawsObj.laws : [];
-  return laws.some(
-    (row) =>
-      row &&
-      typeof row === "object" &&
-      (row.id === "stop-clean-or-handoff" || row.id === "stop-clean-or-checkpointed") &&
-      row.strict === true
-  );
+const STOP_BLOCK_LIMIT_PER_TRANSCRIPT = 2;
+
+function asBoolean(value) {
+  if (value === true || value === false) return value;
+  if (typeof value === "number") return Number.isFinite(value) && value !== 0;
+  if (typeof value !== "string") return false;
+  const normalized = value.trim().toLowerCase();
+  if (normalized.length === 0) return false;
+  return ["1", "true", "yes", "on"].includes(normalized);
+}
+
+function stringTokenHit(value, tokens) {
+  const normalized = normalizeText(value).toLowerCase();
+  if (normalized.length === 0) return false;
+  return tokens.some((token) => normalized.includes(token));
+}
+
+function sanitizeStopSessionKey(raw) {
+  const normalized = normalizeText(raw)
+    .toLowerCase()
+    .replace(/[^a-z0-9._-]+/gu, "-")
+    .replace(/^-+|-+$/gu, "");
+  return normalized.length > 0 ? normalized.slice(0, 96) : "global";
+}
+
+function extractStopSignals(input, fallbackSessionKey) {
+  const event = toObject(input.event) || {};
+  const session = toObject(input.session) || {};
+  const contextLimit =
+    asBoolean(input.context_limit) ||
+    asBoolean(input.contextLimit) ||
+    asBoolean(event.context_limit) ||
+    asBoolean(event.contextLimit) ||
+    stringTokenHit(input.reason, ["context_limit", "context limit"]) ||
+    stringTokenHit(event.reason, ["context_limit", "context limit"]) ||
+    stringTokenHit(input.stop_reason, ["context_limit", "context limit"]) ||
+    stringTokenHit(event.stop_reason, ["context_limit", "context limit"]);
+  const userAbort =
+    asBoolean(input.user_abort) ||
+    asBoolean(input.userAbort) ||
+    asBoolean(input.user_cancelled) ||
+    asBoolean(input.userCancelled) ||
+    asBoolean(event.user_abort) ||
+    asBoolean(event.userAbort) ||
+    stringTokenHit(input.reason, ["user_abort", "user abort", "cancelled by user", "stop button", "ctrl+c"]) ||
+    stringTokenHit(event.reason, ["user_abort", "user abort", "cancelled by user", "stop button", "ctrl+c"]) ||
+    stringTokenHit(input.stop_reason, ["user_abort", "user abort", "cancelled by user", "stop button", "ctrl+c"]) ||
+    stringTokenHit(event.stop_reason, ["user_abort", "user abort", "cancelled by user", "stop button", "ctrl+c"]);
+  const stopHookActive =
+    asBoolean(input.stop_hook_active) ||
+    asBoolean(input.stopHookActive) ||
+    asBoolean(event.stop_hook_active) ||
+    asBoolean(event.stopHookActive);
+
+  const sessionKeyCandidate =
+    (typeof input.transcript_id === "string" && input.transcript_id) ||
+    (typeof input.transcriptId === "string" && input.transcriptId) ||
+    (typeof input.session_id === "string" && input.session_id) ||
+    (typeof input.sessionId === "string" && input.sessionId) ||
+    (typeof session.id === "string" && session.id) ||
+    fallbackSessionKey;
+  const sessionKey = sanitizeStopSessionKey(sessionKeyCandidate);
+
+  return {
+    contextLimit,
+    userAbort,
+    stopHookActive,
+    sessionKey
+  };
 }
 
 async function handleStopHandoff(runtime) {
   const state = await readFlowState(runtime.root);
   const stateDir = path.join(runtime.root, RUNTIME_ROOT, "state");
-  const ironLawsFile = path.join(stateDir, "iron-laws.json");
   const input = toObject(runtime.inputData) || {};
   const loopCount =
     typeof input.loop_count === "number" && Number.isFinite(input.loop_count)
@@ -8971,12 +9002,40 @@ async function handleStopHandoff(runtime) {
       : 0;
 
   const dirtyState = await isGitDirty(runtime.root);
-  const strictStop = stopLawIsStrict(toObject(await readJsonFile(ironLawsFile, {})) || {});
-  if (dirtyState === "dirty" && strictStop) {
+  const stopSignals = extractStopSignals(input, "run-" + state.activeRunId);
+  const safetyBypassActive = stopSignals.stopHookActive || stopSignals.userAbort || stopSignals.contextLimit;
+  if (dirtyState === "dirty" && !safetyBypassActive) {
+    const stopBlocksPath = path.join(stateDir, "stop-blocks-" + stopSignals.sessionKey + ".json");
+    const prior = toObject(await readJsonFile(stopBlocksPath, {})) || {};
+    const priorCount =
+      typeof prior.blockCount === "number" && Number.isFinite(prior.blockCount)
+        ? Math.max(0, Math.trunc(prior.blockCount))
+        : 0;
+    if (priorCount < STOP_BLOCK_LIMIT_PER_TRANSCRIPT) {
+      const nextCount = priorCount + 1;
+      await writeJsonFile(stopBlocksPath, {
+        schemaVersion: 1,
+        sessionKey: stopSignals.sessionKey,
+        blockCount: nextCount,
+        updatedAt: new Date().toISOString()
+      });
+      process.stderr.write(
+        '[cclaw] Stop blocked by iron law "stop-clean-or-handoff": working tree is dirty. Commit/revert changes or record blockers in the current artifact before ending the session.\\n'
+      );
+      return 1;
+    }
     process.stderr.write(
-      '[cclaw] Stop blocked by iron law "stop-clean-or-handoff": working tree is dirty. Commit/revert changes or record blockers in the current artifact before ending the session.\\n'
+      '[cclaw] Stop advisory: dirty working tree detected, but block limit reached for this transcript (max 2). Continuing with handoff reminder only.\\n'
+    );
+  } else if (dirtyState === "dirty" && safetyBypassActive) {
+    const reason = stopSignals.stopHookActive
+      ? "stop_hook_active"
+      : stopSignals.userAbort
+        ? "user_abort"
+        : "context_limit";
+    process.stderr.write(
+      "[cclaw] Stop advisory: bypassing strict stop block due to safety rule (" + reason + ").\\n"
     );
-    return 1;
   }
 
   const closeoutObj = toObject(state.raw.closeout) || {};
@@ -9535,16 +9594,9 @@ async function handlePromptPipeline(runtime) {
 function normalizeHookName(rawName) {
   const value = normalizeText(rawName).toLowerCase();
   if (value === "session-start") return "session-start";
-  if (value === "session-start-refresh") return "session-start-refresh";
   if (value === "stop-handoff" || value === "stop") return "stop-handoff";
   if (value === "stop-checkpoint") return "stop-handoff";
   if (value === "session-rehydrate") return "session-start";
-  if (value === "prompt-guard") return "prompt-guard";
-  if (value === "workflow-guard") return "workflow-guard";
-  if (value === "pre-tool-pipeline" || value === "pretool-pipeline") return "pre-tool-pipeline";
-  if (value === "prompt-pipeline" || value === "promptpipeline") return "prompt-pipeline";
-  if (value === "context-monitor") return "context-monitor";
-  if (value === "verify-current-state") return "verify-current-state";
   return "";
 }
 
@@ -9554,7 +9606,7 @@ async function main() {
     process.stderr.write(
       "[cclaw] run-hook: usage: node " +
         RUNTIME_ROOT +
-        "/hooks/run-hook.mjs <session-start|session-start-refresh|stop-handoff|prompt-guard|workflow-guard|pre-tool-pipeline|prompt-pipeline|context-monitor|verify-current-state>\\n"
+        "/hooks/run-hook.mjs <session-start|stop-handoff>\\n"
     );
     process.exitCode = 1;
     return;
@@ -9586,38 +9638,10 @@ async function main() {
       process.exitCode = await handleSessionStart(runtime);
       return;
     }
-    if (hookName === "session-start-refresh") {
-      process.exitCode = await handleSessionStartRefresh(runtime);
-      return;
-    }
     if (hookName === "stop-handoff") {
       process.exitCode = await handleStopHandoff(runtime);
       return;
     }
-    if (hookName === "prompt-guard") {
-      process.exitCode = await handlePromptGuard(runtime);
-      return;
-    }
-    if (hookName === "workflow-guard") {
-      process.exitCode = await handleWorkflowGuard(runtime);
-      return;
-    }
-    if (hookName === "pre-tool-pipeline") {
-      process.exitCode = await handlePreToolPipeline(runtime);
-      return;
-    }
-    if (hookName === "prompt-pipeline") {
-      process.exitCode = await handlePromptPipeline(runtime);
-      return;
-    }
-    if (hookName === "context-monitor") {
-      process.exitCode = await handleContextMonitor(runtime);
-      return;
-    }
-    if (hookName === "verify-current-state") {
-      process.exitCode = await handleVerifyCurrentState(runtime);
-      return;
-    }
     process.stderr.write("[cclaw] run-hook: unsupported hook " + hookName + "\\n");
     process.exitCode = 1;
   } catch (error) {