cclaw-cli 6.8.0 → 6.9.0

package/dist/content/skills-elicitation.js

@@ -47,7 +47,7 @@ These behaviors are the exact reason this skill exists. The linter will block yo
 - Use harness-native question tools first; prose fallback is allowed only when the tool is unavailable.
 - Keep a running Q&A trace in the active artifact under \`## Q&A Log\` in \`${RUNTIME_ROOT}/artifacts/\` as append-only rows.
 - **Early-loop ledger discipline**: Never append \`.cclaw/state/early-loop-log.jsonl\` rows whose \`iteration\` exceeds the active \`maxIterations\`. If the cap fired, escalate or accept convergence outcomes—do not bump the iteration counter afterward. \`deriveEarlyLoopStatus\` clamps persistence, but the log source should stay honest too.
-- **Convergence floor**: do NOT advance the stage (do NOT call \`stage-complete.mjs\`) until Q&A converges. The machine contract matches \`evaluateQaLogFloor\` in \`src/artifact-linter/shared.ts\` (rule \`qa_log_unconverged\`). Pass when ANY holds: (a) every forcing-question topic id is tagged \`[topic:<id>]\` on at least one \`## Q&A Log\` row; (b) the Ralph-Loop detector fires (last 2 substantive rows are non-decision-changing: \`skip\`/\`continue\`/\`no-change\`/\`done\`/etc.) **and** the log has at least \`max(2, questionBudgetHint(discoveryMode, stage).min)\` substantive rows — **unless** \`discoveryMode\` is \`guided\` or \`deep\` with pending forcing-topic ids (then Ralph-Loop alone cannot pass until topics are tagged, a stop-signal is recorded, or \`--skip-questions\` downgrades the finding to advisory); (c) an explicit user stop-signal row; or (d) \`--skip-questions\` was persisted (unconverged is advisory only). Wave 24 (v6.0.0) made \`[topic:<id>]\` mandatory (no English keyword fallback).
+- **Convergence floor (a.k.a. "Q&A Ralph Loop" / "Elicitation Convergence")**: do NOT advance the stage (do NOT call \`stage-complete.mjs\`) until Q&A converges. The machine contract matches \`evaluateQaLogFloor\` in \`src/artifact-linter/shared.ts\` (rule \`qa_log_unconverged\`). Pass when ANY holds: (a) every forcing-question topic id is tagged \`[topic:<id>]\` on at least one \`## Q&A Log\` row; (b) the Q&A Ralph Loop detector fires (last 2 substantive rows are non-decision-changing: \`skip\`/\`continue\`/\`no-change\`/\`done\`/etc.) **and** the log has at least \`max(2, questionBudgetHint(discoveryMode, stage).min)\` substantive rows — **unless** \`discoveryMode\` is \`guided\` or \`deep\` with pending forcing-topic ids (then the Q&A Ralph Loop alone cannot pass until topics are tagged, a stop-signal is recorded, or \`--skip-questions\` downgrades the finding to advisory); (c) an explicit user stop-signal row; or (d) \`--skip-questions\` was persisted (unconverged is advisory only). Wave 24 (v6.0.0) made \`[topic:<id>]\` mandatory (no English keyword fallback). The "Q&A Ralph Loop" is the elicitation-stage convergence mechanism; the producer/critic Concern Ledger that drives early-stage iteration is the **Early-Loop**, persisted in \`.cclaw/state/early-loop-log.jsonl\` and \`early-loop.json\` — they are different machines, do not conflate them.
 - **NEVER run shell hash commands** (\`shasum\`, \`sha256sum\`, \`md5sum\`, \`Get-FileHash\`, \`certutil\`, etc.) to compute artifact hashes. If a linter ever asks you for a hash, that is a linter bug — report failure and stop, do not auto-fix in bash.
 - **NEVER paste cclaw command lines into chat** (e.g. \`node .cclaw/hooks/stage-complete.mjs ... --evidence-json '{...}'\`). Run them via the tool layer; report only the resulting summary. The user does not run cclaw manually and seeing the command line is noise.
 
@@ -107,7 +107,7 @@ Do not ask extra questions "for theater" on simple low-risk work.
 
 ## Question Budget Hint (\`questionBudgetHint\` — min rows feed the convergence floor)
 
-Source of truth: \`questionBudgetHint(discoveryMode, stage)\`. The \`Min\` column is **not advisory** for the Ralph-Loop exit: \`evaluateQaLogFloor\` requires at least \`max(2, Min)\` substantive rows before the no-new-decisions path can converge (other exits — full topic coverage, stop-signal, \`--skip-questions\` advisory — ignore that minimum). \`Recommended\` and \`Hard cap warning\` remain pacing hints for the harness.
+Source of truth: \`questionBudgetHint(discoveryMode, stage)\`. The \`Min\` column is **not advisory** for the Q&A Ralph Loop exit: \`evaluateQaLogFloor\` requires at least \`max(2, Min)\` substantive rows before the no-new-decisions path can converge (other exits — full topic coverage, stop-signal, \`--skip-questions\` advisory — ignore that minimum). \`Recommended\` and \`Hard cap warning\` remain pacing hints for the harness.
 
 ${budgetTable}
 

package/dist/content/stages/brainstorm.js

@@ -36,7 +36,7 @@ export const BRAINSTORM = {
     },
     executionModel: {
         checklist: [
-            "**ADAPTIVE ELICITATION COMES FIRST (no exceptions, no subagent dispatch before).** Load `.cclaw/skills/adaptive-elicitation/SKILL.md`. Walk the brainstorm forcing questions one-at-a-time via the harness-native question tool, append one row to `## Q&A Log` (`Turn | Question | User answer (1-line) | Decision impact`) after each user answer **and stamp the row's `Decision impact` cell with the matching `[topic:<id>]` tag** (e.g. `[topic:pain]`). Continue until every forcing-question topic id is tagged on a row OR Ralph-Loop convergence detector says no new decision-changing rows in last 2 iterations OR user records an explicit stop-signal row. Only then proceed to delegations, drafts, or analysis. The linter `qa_log_unconverged` rule will block `stage-complete` if convergence is not reached.",
+            "**ADAPTIVE ELICITATION COMES FIRST (no exceptions, no subagent dispatch before).** Load `.cclaw/skills/adaptive-elicitation/SKILL.md`. Walk the brainstorm forcing questions one-at-a-time via the harness-native question tool, append one row to `## Q&A Log` (`Turn | Question | User answer (1-line) | Decision impact`) after each user answer **and stamp the row's `Decision impact` cell with the matching `[topic:<id>]` tag** (e.g. `[topic:pain]`). Continue until every forcing-question topic id is tagged on a row OR the Q&A Ralph Loop convergence detector says no new decision-changing rows in last 2 iterations OR user records an explicit stop-signal row. Only then proceed to delegations, drafts, or analysis. The linter `qa_log_unconverged` rule will block `stage-complete` if convergence is not reached.",
             "**Explore project context** — after the elicitation loop converges, inspect existing files/docs/recent activity to refine the Discovered context section; capture matching files/patterns/seeds in `Context > Discovered context` so downstream stages don't redo discovery.",
             "**Brainstorm forcing questions (must be covered or explicitly waived)** — `pain: what pain are we solving`; `direct-path: what is the direct path`; `operator: who is the first operator/user affected`; `no-go: what no-go boundaries are non-negotiable`. Tag the matching `## Q&A Log` row's `Decision impact` cell with `[topic:<id>]` (e.g. `[topic:pain]`) so the linter can verify coverage in any natural language. Tags are MANDATORY for forcing-question rows; un-tagged rows do NOT count toward coverage. Round 6 (v6.7.0) removed the counterfactual `do-nothing` topic; the Problem Decision Record already captures `Do-nothing consequence`.",
             "**Discovery posture (flow-state `discoveryMode`)** — follow `lean` / `guided` / `deep` from the active run. Use lean for smallest safe discovery pass; guided as the default balanced pass; escalate to deep when ambiguity, architecture, external dependency, security/data risk, or explicit think-bigger requests warrant fuller option pressure and mandatory specialist coverage.",
@@ -52,7 +52,7 @@ export const BRAINSTORM = {
             "**Compare 2-3 distinct approaches with stable Role/Upside columns** — Role values are `baseline` | `challenger` | `wild-card`; Upside is `low` | `modest` | `high` | `higher`; include real trade-offs, reuse notes, and reference-pattern source/disposition when a known pattern influenced the option; include exactly one challenger with explicit `high` or `higher` upside.",
             "**Collect reaction before recommending** — ask which option feels closest and what concern remains, then recommend based on that reaction.",
             "**Write the `Not Doing` list** — name 3-5 things this brainstorm explicitly is not committing to (vs. deferred). This protects scope from silent enlargement and the next stage from rework.",
-            "**Run early Ralph loop discipline** — after each producer iteration, append a `Critic Pass` JSONL row to `.cclaw/state/early-loop-log.jsonl`, refresh `.cclaw/state/early-loop.json`, and iterate until open concerns clear or convergence guard escalates.",
+            "**Run Early-Loop / Concern Ledger discipline** — after each producer iteration, append a `Critic Pass` JSONL row to `.cclaw/state/early-loop-log.jsonl`, refresh `.cclaw/state/early-loop.json`, and iterate until open concerns clear or convergence guard escalates. (This is the producer-critic concern ledger, not the Q&A Ralph Loop used for elicitation convergence.)",
             "**Embedded Grill (post-pick, one-at-a-time)** — after `Selected Direction` is named, if grilling triggers fire (irreversibility, security/auth boundary, domain-model ambiguity per `adaptive-elicitation:Conditional Grilling`), continue the elicitation loop with sharper questions **one at a time**, appended to `## Q&A Log` and reflected as rows in `## Embedded Grill`. Do NOT batch the 3-5 grill checks — each one follows the Core Protocol (ask, wait, log, self-eval, ask next).",
             "**Self-review before user approval** — re-read the artifact and patch contradictions, weak trade-offs, placeholders, ambiguity, and weak handoff language. Record the result in `Self-Review Notes` using the calibrated review format: `- Status: Approved` (or `Issues Found`), `- Patches applied:` with inline note or sub-bullets, `- Remaining concerns:` with inline note or sub-bullets. Use `Patches applied: None` and `Remaining concerns: None` when there is nothing to record.",
             "**Request explicit approval to close the stage** — state exactly what direction is being approved after the adaptive elicitation loop converges; do not advance without approval and artifact review.",

package/dist/content/stages/design.js

@@ -41,7 +41,7 @@ export const DESIGN = {
     },
     executionModel: {
         checklist: [
-            "**ADAPTIVE ELICITATION COMES FIRST (no exceptions, no subagent dispatch before).** Load `.cclaw/skills/adaptive-elicitation/SKILL.md`. Walk the design forcing questions one-at-a-time via the harness-native question tool, append one row to `## Q&A Log` (`Turn | Question | User answer (1-line) | Decision impact`) after each user answer **and stamp the row's `Decision impact` cell with the matching `[topic:<id>]` tag** (e.g. `[topic:data-flow]`). Continue until every forcing-question topic id is tagged on a row OR Ralph-Loop convergence detector says no new decision-changing rows in last 2 iterations OR user records an explicit stop-signal row. Only then proceed to research, investigator pass, architecture lock, or any delegations. The linter `qa_log_unconverged` rule will block `stage-complete` if convergence is not reached.",
+            "**ADAPTIVE ELICITATION COMES FIRST (no exceptions, no subagent dispatch before).** Load `.cclaw/skills/adaptive-elicitation/SKILL.md`. Walk the design forcing questions one-at-a-time via the harness-native question tool, append one row to `## Q&A Log` (`Turn | Question | User answer (1-line) | Decision impact`) after each user answer **and stamp the row's `Decision impact` cell with the matching `[topic:<id>]` tag** (e.g. `[topic:data-flow]`). Continue until every forcing-question topic id is tagged on a row OR the Q&A Ralph Loop convergence detector says no new decision-changing rows in last 2 iterations OR user records an explicit stop-signal row. Only then proceed to research, investigator pass, architecture lock, or any delegations. The linter `qa_log_unconverged` rule will block `stage-complete` if convergence is not reached.",
             "**Design forcing questions (must be covered or explicitly waived)** — `data-flow: what is the end-to-end data flow`; `seams: where are seams/ownership boundaries`; `invariants: which invariants must hold`; `not-refactor: what will explicitly NOT be refactored now`. Tag the matching `## Q&A Log` row's `Decision impact` cell with `[topic:<id>]` (e.g. `[topic:data-flow]`) so the linter can verify coverage in any natural language. Tags are MANDATORY for forcing-question rows; un-tagged rows do NOT count toward coverage.",
             "**Out-of-scope carry-forward (do NOT re-author)** — scope OWNS the out-of-scope list. Cite scope's `## In Scope / Out of Scope > Out of Scope` via `## Upstream Handoff > Decisions carried forward`; do NOT add a separate `## NOT in scope` section in the design artifact. Add a row to `## Spec Handoff` only if a design-stage decision NEWLY excludes something not already in scope's out-of-scope.",
             "Compact design lock — design does not decide what to build; it decides how the approved scope works. For simple slices, produce a tight lock: upstream handoff, existing fit, architecture boundary, one labeled diagram, data/state flow, critical path, failure/rescue, trust boundaries, test/perf expectations, rollout/rollback, rejected alternative, and spec handoff.",
@@ -55,7 +55,7 @@ export const DESIGN = {
             "Review core risk areas — existing system fit, data/state flow, critical path, security/trust boundaries, tests, performance budget, observability/debuggability, rollout/rollback, rejected alternatives, and spec handoff.",
             "**ADR + pre-mortem contract** — capture ADR-style decision rows (context, decision, alternatives, consequences), run a pre-mortem on likely failures, and map each critical flow to a validating test and diagram anchor before lock.",
             "Critic pass — run/reconcile adversarial second opinion on architecture, coupling, failure modes, and cheaper alternatives; record outcomes per the Design Outside Voice Loop policy.",
-            "**Run early Ralph loop discipline** — after each producer iteration, append a `Critic Pass` JSONL row to `.cclaw/state/early-loop-log.jsonl`, refresh `.cclaw/state/early-loop.json`, and iterate until open concerns clear or convergence guard escalates.",
+            "**Run Early-Loop / Concern Ledger discipline** — after each producer iteration, append a `Critic Pass` JSONL row to `.cclaw/state/early-loop-log.jsonl`, refresh `.cclaw/state/early-loop.json`, and iterate until open concerns clear or convergence guard escalates. (This is the producer-critic concern ledger, not the Q&A Ralph Loop used for elicitation convergence.)",
             "Run stale-diagram audit as a design freshness gate (default-on; explicit config opt-out allowed).",
             "Capture leftovers — seed high-upside deferred ideas, list unresolved decisions with defaults, document distribution for new artifact types, and cross-reference deferred items to scope or unresolved decisions."
         ],

package/dist/content/stages/scope.js

@@ -46,7 +46,7 @@ export const SCOPE = {
     },
     executionModel: {
         checklist: [
-            "**ADAPTIVE ELICITATION COMES FIRST (no exceptions, no subagent dispatch before).** Load `.cclaw/skills/adaptive-elicitation/SKILL.md`. Walk the scope forcing questions one-at-a-time via the harness-native question tool, append one row to `## Q&A Log` (`Turn | Question | User answer (1-line) | Decision impact`) after each user answer **and stamp the row's `Decision impact` cell with the matching `[topic:<id>]` tag** (e.g. `[topic:in-out]`). Continue until every forcing-question topic id is tagged on a row OR Ralph-Loop convergence detector says no new decision-changing rows in last 2 iterations OR user records an explicit stop-signal row. Only then propose the scope contract draft, recommend a mode, or dispatch any delegations. The linter `qa_log_unconverged` rule will block `stage-complete` if convergence is not reached.",
+            "**ADAPTIVE ELICITATION COMES FIRST (no exceptions, no subagent dispatch before).** Load `.cclaw/skills/adaptive-elicitation/SKILL.md`. Walk the scope forcing questions one-at-a-time via the harness-native question tool, append one row to `## Q&A Log` (`Turn | Question | User answer (1-line) | Decision impact`) after each user answer **and stamp the row's `Decision impact` cell with the matching `[topic:<id>]` tag** (e.g. `[topic:in-out]`). Continue until every forcing-question topic id is tagged on a row OR the Q&A Ralph Loop convergence detector says no new decision-changing rows in last 2 iterations OR user records an explicit stop-signal row. Only then propose the scope contract draft, recommend a mode, or dispatch any delegations. The linter `qa_log_unconverged` rule will block `stage-complete` if convergence is not reached.",
             "**Scope forcing questions (must be covered or explicitly waived)** — `in-out: what is definitely in/out`; `locked-upstream: which upstream decisions are locked`. Tag the matching `## Q&A Log` row's `Decision impact` cell with `[topic:<id>]` (e.g. `[topic:in-out]`) so the linter can verify coverage in any natural language. Tags are MANDATORY for forcing-question rows; un-tagged rows do NOT count toward coverage. Round 6 (v6.7.0) removed the counterfactual `rollback` and `failure-modes` topics from scope forcing questions; Design still owns the Failure Mode Table and rollback evidence.",
             "**Scope contract first** — read brainstorm handoff, name upstream decisions used, explicit drift, confidence, unresolved questions, and next-stage risk hints; draft the in-scope/out-of-scope/deferred/discretion contract before any design choice.",
             "**Premise carry-forward (do NOT re-author)** — brainstorm OWNS the premise check (right problem / direct path). Cite brainstorm's `## Premise Check` section in `## Upstream Handoff > Decisions carried forward`. Add a row to `## Premise Drift` only when the scope-stage Q&A surfaced NEW evidence that materially changes the brainstorm answer (e.g. new constraint, new user signal). Otherwise mark `Premise Drift: None` — do not duplicate the brainstorm premise table.",
@@ -58,7 +58,7 @@ export const SCOPE = {
             "**Architecture handoff (do NOT pick architecture tier here)** — design OWNS architecture choice (minimum-viable / product-grade / ideal). Scope only picks the SCOPE MODE (HOLD/SELECTIVE/EXPAND/REDUCE) and boundary; record in `## Scope Contract > Design handoff` what design must decide (e.g. `architecture-tier`, `framework`, `data-model`). Do NOT enumerate Implementation Alternatives in scope.",
             "**Constraints (carry-forward from brainstorm/external sources)** — record explicit external/regulatory/system/integration constraints in `## Scope Contract > Constraints`. Spec OWNS testable assumptions (`## Assumptions Before Finalization`); do NOT duplicate constraint material as assumption material.",
             "**Run outside voice before final approval** — for simple/low-risk scope, record one concise adversarial self-check row; for complex/high-risk/configured scope, iterate until threshold. Record the loop summary in `## Scope Outside Voice Loop`, but do not treat it as user approval.",
-            "**Run early Ralph loop discipline** — after each producer iteration, append a `Critic Pass` JSONL row to `.cclaw/state/early-loop-log.jsonl`, refresh `.cclaw/state/early-loop.json`, and iterate until open concerns clear or convergence guard escalates.",
+            "**Run Early-Loop / Concern Ledger discipline** — after each producer iteration, append a `Critic Pass` JSONL row to `.cclaw/state/early-loop-log.jsonl`, refresh `.cclaw/state/early-loop.json`, and iterate until open concerns clear or convergence guard escalates. (This is the producer-critic concern ledger, not the Q&A Ralph Loop used for elicitation convergence.)",
             "**Ask only one decision-changing question** — if the user rejects the contract but is unsure, offer 3-4 concrete scope moves instead of open-ended interrogation.",
             "**Write the scope contract after approval** — include selected mode, in scope, out of scope, requirements, locked decisions, discretion areas, deferred ideas, accepted/rejected reference ideas, success definition, design handoff, completion dashboard, and explicit approval evidence."
         ],

package/dist/content/stages/tdd.js

@@ -58,6 +58,7 @@ export const TDD = {
         ],
         interactionProtocol: [
             "Pick one vertical slice at a time: source item, RED test, GREEN implementation, REFACTOR, and verification evidence move together.",
+            "Slice implementers are sequential by default. Parallel implementers are allowed only when (a) lanes touch non-overlapping files, (b) the controller passes `--allow-parallel` on each ledger row, and (c) an `integration-overseer` is dispatched after the parallel lanes and writes cohesion-evidence into the artifact before the gate is marked passed.",
             "Controller owns orchestration; one mandatory `test-author` delegation carries phase-specific RED -> GREEN -> REFACTOR evidence instead of spawning separate workers by default.",
             "Before writing RED tests, discover relevant existing tests and commands so the new test extends the suite instead of fighting it.",
             "Before implementation, perform a system-wide impact check across callbacks, state, interfaces, schemas, and external contracts touched by the slice.",

package/dist/content/subagents.js

@@ -176,7 +176,17 @@ Before parallel dispatch, answer yes to all gates: tasks are independent, write
    - Copy each task verbatim into a working queue (checklist is fine).
    - Normalize each task so it includes: goal, acceptance criteria, constraints, and explicit “out of scope.”
 
-2. **For each task sequentially (NEVER parallel implementation subagents — file conflicts):**
+2. **For each task — sequential by default; parallel only with cohesion controls:**
+   - Implementation subagents are sequential by default. Parallel implementers
+     are allowed only when ALL three conditions hold:
+     - (a) the lanes touch non-overlapping files (verify via the plan's task
+       file-set list before dispatch),
+     - (b) the controller passes \`--allow-parallel\` on each ledger row, and
+     - (c) an \`integration-overseer\` is dispatched after the parallel lanes
+       complete and writes cohesion-evidence (cross-file integration tests,
+       contract checks, or merge-conflict scan) into the artifact before any
+       gate is marked passed.
+     If any of the three conditions are unmet, serialize.
    1. **Dispatch implementer subagent** with the **full task text pasted in** (not a file reference).
    2. **Check return status:** \`DONE\` / \`DONE_WITH_CONCERNS\` / \`NEEDS_CONTEXT\` / \`BLOCKED\`
    3. If \`DONE\`: dispatch **reviewer** subagent to verify actual code matches spec and quality expectations.

package/dist/delegation.d.ts

@@ -232,11 +232,18 @@ export declare class DispatchDuplicateError extends Error {
     });
 }
 /**
- * v6.8.0 — find the latest active span for a given `(stage, agent)`
+ * v6.9.0 — find the latest active span for a given `(stage, agent)`
  * pair in the supplied ledger entries. Returns the row whose latest
  * status (after the latest-by-spanId fold) is still in the active set
- * (`scheduled | launched | acknowledged`). Caller is responsible for
- * filtering to the current run.
+ * (`scheduled | launched | acknowledged`).
+ *
+ * Run-scope is **strict**: only entries whose `runId` matches the
+ * supplied `runId` are folded. Entries with empty/missing `runId`
+ * (legacy ledgers from v6.8 and earlier) are treated as NOT belonging
+ * to the current run, so they cannot keep an old span "active" across
+ * a fresh dispatch and trip a spurious `dispatch_duplicate`. This
+ * fixes R7: a slice-implementer that ran in run-1 must not block a
+ * slice-implementer scheduled in run-2.
  *
  * keep in sync with the inline copy in
  * `src/content/hooks.ts::delegationRecordScript`.

package/dist/delegation.js

@@ -548,18 +548,27 @@ export class DispatchDuplicateError extends Error {
     }
 }
 /**
- * v6.8.0 — find the latest active span for a given `(stage, agent)`
+ * v6.9.0 — find the latest active span for a given `(stage, agent)`
  * pair in the supplied ledger entries. Returns the row whose latest
  * status (after the latest-by-spanId fold) is still in the active set
- * (`scheduled | launched | acknowledged`). Caller is responsible for
- * filtering to the current run.
+ * (`scheduled | launched | acknowledged`).
+ *
+ * Run-scope is **strict**: only entries whose `runId` matches the
+ * supplied `runId` are folded. Entries with empty/missing `runId`
+ * (legacy ledgers from v6.8 and earlier) are treated as NOT belonging
+ * to the current run, so they cannot keep an old span "active" across
+ * a fresh dispatch and trip a spurious `dispatch_duplicate`. This
+ * fixes R7: a slice-implementer that ran in run-1 must not block a
+ * slice-implementer scheduled in run-2.
  *
  * keep in sync with the inline copy in
  * `src/content/hooks.ts::delegationRecordScript`.
  */
 export function findActiveSpanForPair(stage, agent, runId, ledger) {
     const sameRun = ledger.entries.filter((entry) => {
-        if (entry.runId && entry.runId !== runId)
+        if (typeof entry.runId !== "string" || entry.runId.length === 0)
+            return false;
+        if (entry.runId !== runId)
             return false;
         return entry.stage === stage && entry.agent === agent;
     });

package/dist/early-loop.js

@@ -137,9 +137,23 @@ export function parseEarlyLoopLog(text, options = {}) {
                 continue;
             }
         }
+        // v6.9.0 schema repair: legacy logs may carry rows with no runId
+        // (the prior parser silently coerced them to "active", which then
+        // collided across runs). Surface a structured warning on read but
+        // skip the row so derived status doesn't fold cross-run state.
+        // Writers must always provide a runId (enforced upstream in the
+        // CLI/hook surface).
+        if (runId.length === 0) {
+            issues?.push({
+                lineNumber,
+                reason: "missing-runId: legacy entry skipped to avoid cross-run pollution",
+                rawLine: raw
+            });
+            continue;
+        }
         entries.push({
             ts: normalizeText(parsed.ts, ""),
-            runId: runId.length > 0 ? runId : "active",
+            runId,
             stage: stage.length > 0 ? stage : "brainstorm",
             iteration,
             concerns,

package/dist/gate-evidence.js

@@ -9,8 +9,8 @@ import { readDelegationLedger } from "./delegation.js";
 import { exists } from "./fs-utils.js";
 import { computeEarlyLoopStatus, isEarlyLoopStage, normalizeEarlyLoopMaxIterations } from "./early-loop.js";
 import { detectPublicApiChanges } from "./internal/detect-public-api-changes.js";
+import { detectSupplyChainChanges } from "./internal/detect-supply-chain-changes.js";
 import { readFlowState, writeFlowState } from "./runs.js";
-import { parseTddCycleLog, validateTddCycleOrder } from "./tdd-cycle.js";
 import { validateTddVerificationEvidence } from "./tdd-verification-evidence.js";
 async function currentStageArtifactExists(projectRoot, stage, track) {
     const resolved = await resolveArtifactPath(stage, {
@@ -376,35 +376,20 @@ export async function verifyCurrentStageGateEvidence(projectRoot, flowState, opt
         }
         if (stage === "tdd") {
             const docsDriftDetection = await detectPublicApiChanges(projectRoot);
-            if (docsDriftDetection.triggered) {
+            const supplyChainDetection = await detectSupplyChainChanges(projectRoot);
+            if (docsDriftDetection.triggered || supplyChainDetection.triggered) {
                 const ledger = await readDelegationLedger(projectRoot);
                 const hasDocUpdaterCompletion = ledger.entries.some((entry) => entry.runId === flowState.activeRunId &&
                     entry.stage === "tdd" &&
                     entry.agent === "doc-updater" &&
                     entry.status === "completed");
                 if (!hasDocUpdaterCompletion) {
-                    issues.push(`tdd docs drift gate blocked (tdd_docs_drift_check): public surface changes detected (${docsDriftDetection.changedFiles.join(", ")}) but no completed doc-updater delegation exists for the active run.`);
-                }
-            }
-            const tddLogPath = path.join(projectRoot, RUNTIME_ROOT, "state", "tdd-cycle-log.jsonl");
-            if (await exists(tddLogPath)) {
-                try {
-                    const tddLogRaw = await fs.readFile(tddLogPath, "utf8");
-                    const parsedCycles = parseTddCycleLog(tddLogRaw);
-                    const tddOrderValidation = validateTddCycleOrder(parsedCycles, {
-                        runId: flowState.activeRunId
-                    });
-                    if (!tddOrderValidation.ok) {
-                        const details = [...tddOrderValidation.issues];
-                        if (tddOrderValidation.openRedSlices.length > 0) {
-                            details.push(`open red slices: ${tddOrderValidation.openRedSlices.join(", ")}`);
-                        }
-                        issues.push(`tdd cycle order gate blocked: ${details.join("; ")}`);
+                    if (docsDriftDetection.triggered) {
+                        issues.push(`tdd docs drift gate blocked (tdd_docs_drift_check): public surface changes detected (${docsDriftDetection.changedFiles.join(", ")}) but no completed doc-updater delegation exists for the active run.`);
+                    }
+                    if (supplyChainDetection.triggered) {
+                        issues.push(`tdd docs drift gate blocked (tdd_docs_drift_check): supply-chain changes detected (${supplyChainDetection.changedFiles.join(", ")}) but no completed doc-updater delegation exists for the active run.`);
                     }
-                }
-                catch (err) {
-                    const reason = err instanceof Error ? err.message : String(err);
-                    issues.push(`tdd cycle order gate blocked: unable to read tdd-cycle-log.jsonl (${reason}).`);
                 }
             }
         }
@@ -477,6 +462,13 @@ export async function verifyCurrentStageGateEvidence(projectRoot, flowState, opt
             forcingPending: floor.forcingPending,
             noNewDecisions: floor.noNewDecisions
         };
+        // v6.9.0 — when the QA log floor is blocking, mirror that decision into
+        // `gates.issues` so the harness has a single structured source of truth
+        // for "this stage is blocked". The `qa_log_unconverged` linter rule
+        // remains the verbose detail/fallback channel.
+        if (qaLogFloor.blocking) {
+            issues.push(`qa log floor blocked (qa_log_unconverged): ${qaLogFloor.count}/${qaLogFloor.min} entries on stage "${stage}" (track=${flowState.track}, discoveryMode=${flowState.discoveryMode ?? "default"}). Continue elicitation or pass --skip-questions to record the stop.`);
+        }
     }
     return {
         ok: issues.length === 0,

package/dist/harness-adapters.js

@@ -293,9 +293,11 @@ export function harnessesByTier() {
     });
 }
 function ironLawsAgentsMdBlock() {
+    // v6.9.0: keep this set in sync with `ironLawsSkillMarkdown()` —
+    // post-Phase A, only `stop-clean-or-handoff` is still hook-enforced
+    // (Stop hook). All other iron laws live in stage HARD-GATE blocks.
     const enforcedLawIds = new Set([
-        "stop-clean-or-handoff",
-        "review-coverage-complete-before-ship"
+        "stop-clean-or-handoff"
     ]);
     const enforcedRows = IRON_LAWS
         .filter((law) => enforcedLawIds.has(law.id))

package/dist/install.js

@@ -38,8 +38,6 @@ import { FLOW_STAGES } from "./types.js";
 const OPENCODE_PLUGIN_REL_PATH = ".opencode/plugins/cclaw-plugin.mjs";
 const CURSOR_RULE_REL_PATH = ".cursor/rules/cclaw-workflow.mdc";
 const CURSOR_GUIDELINES_REL_PATH = ".cursor/rules/cclaw-guidelines.mdc";
-const GIT_HOOK_MANAGED_MARKER = "cclaw-managed-git-hook";
-const GIT_HOOK_RUNTIME_REL_DIR = `${RUNTIME_ROOT}/hooks/git`;
 const INIT_SENTINEL_FILE = ".init-in-progress";
 const execFileAsync = promisify(execFile);
 function runtimePath(projectRoot, ...segments) {
@@ -145,13 +143,17 @@ const DEPRECATED_COMMAND_FILES = [
 const DEPRECATED_SKILL_FILES = [
     ["flow-finish", "SKILL.md"],
     ["flow-ops", "SKILL.md"],
-    ["tdd-cycle-log", "SKILL.md"],
     ["flow-retro", "SKILL.md"],
     ["flow-compound", "SKILL.md"],
     ["flow-archive", "SKILL.md"],
     ["flow-rewind", "SKILL.md"],
     ["using-git-worktrees", "SKILL.md"]
 ];
+// Skill folders whose entire directory should be removed on sync so the
+// abandoned tree doesn't linger in user projects.
+const DEPRECATED_SKILL_FOLDERS_FULL = [
+    "tdd-cycle-log"
+];
 const DEPRECATED_STATE_FILES = [
     "checkpoint.json",
     "flow-state.snapshot.json",
@@ -161,7 +163,10 @@ const DEPRECATED_STATE_FILES = [
     "harness-gaps.json",
     "context-mode.json",
     "session-digest.md",
-    "context-warnings.jsonl"
+    "context-warnings.jsonl",
+    // Runtime Honesty 6.9.0 removed the per-run TDD cycle JSONL: gate evidence
+    // now reads cycle phase progression directly from the artifact table.
+    "tdd-cycle-log.jsonl"
 ];
 const DEPRECATED_HOOK_FILES = [
     "observe.sh",
@@ -193,225 +198,33 @@ async function resolveGitHooksDir(projectRoot) {
         return null;
     }
 }
-function managedGitRuntimeScript(hookName) {
-    return `#!/usr/bin/env node
-// ${GIT_HOOK_MANAGED_MARKER}: runtime ${hookName}
-import fs from "node:fs";
-import path from "node:path";
-import process from "node:process";
-import { spawnSync } from "node:child_process";
-
-const HOOK_NAME = ${JSON.stringify(hookName)};
-const RUNTIME_ROOT = ${JSON.stringify(RUNTIME_ROOT)};
-
-function runGit(args, cwd) {
-  const result = spawnSync("git", args, {
-    cwd,
-    encoding: "utf8",
-    stdio: ["ignore", "pipe", "ignore"]
-  });
-  return {
-    status: typeof result.status === "number" ? result.status : 1,
-    stdout: typeof result.stdout === "string" ? result.stdout : ""
-  };
-}
-
-function resolveRepoRoot() {
-  const result = runGit(["rev-parse", "--show-toplevel"], process.cwd());
-  if (result.status === 0) {
-    const root = result.stdout.trim();
-    if (root.length > 0) return root;
-  }
-  return process.cwd();
-}
-
-function isZeroSha(value) {
-  return /^0{40,64}$/u.test(value);
-}
-
-function readStdin() {
-  try {
-    return fs.readFileSync(0, "utf8");
-  } catch {
-    return "";
-  }
-}
-
-function uniqueLines(chunks) {
-  return [...new Set(chunks
-    .join("\n")
-    .split(/\r?\n/gu)
-    .map((line) => line.trim())
-    .filter((line) => line.length > 0))].join("\n");
-}
-
-function diffNames(root, range) {
-  const result = runGit(["diff", "--name-only", range], root);
-  return result.status === 0 ? result.stdout : "";
-}
-
-function changedFilesFromUnpushedCommits(root, localSha = "HEAD") {
-  const revList = runGit(["rev-list", "--reverse", localSha, "--not", "--remotes"], root);
-  if (revList.status !== 0 || revList.stdout.trim().length === 0) {
-    return "";
-  }
-  const chunks = [];
-  for (const commit of revList.stdout.split(/\r?\n/gu).map((line) => line.trim()).filter(Boolean)) {
-    const diffTree = runGit(["diff-tree", "--no-commit-id", "--name-only", "-r", "--root", commit], root);
-    if (diffTree.status === 0) chunks.push(diffTree.stdout);
-  }
-  return uniqueLines(chunks);
-}
-
-function changedFilesFromPrePushStdin(root, stdin) {
-  const chunks = [];
-  for (const rawLine of stdin.split(/\r?\n/gu)) {
-    const parts = rawLine.trim().split(/\s+/u);
-    if (parts.length < 4) continue;
-    const [localRef, localSha, remoteRef, remoteSha] = parts;
-    void localRef;
-    void remoteRef;
-    if (!localSha || isZeroSha(localSha)) continue;
-    if (remoteSha && !isZeroSha(remoteSha)) {
-      chunks.push(diffNames(root, remoteSha + ".." + localSha));
-      continue;
-    }
-    const upstream = runGit(["rev-parse", "--verify", "--quiet", "@{upstream}"], root);
-    if (upstream.status === 0 && upstream.stdout.trim().length > 0) {
-      chunks.push(diffNames(root, upstream.stdout.trim() + ".." + localSha));
-      continue;
-    }
-    chunks.push(changedFilesFromUnpushedCommits(root, localSha));
-  }
-  return uniqueLines(chunks);
-}
-
-function resolveChangedFiles(root) {
-  if (HOOK_NAME === "pre-commit") {
-    const result = runGit(["diff", "--cached", "--name-only"], root);
-    return result.status === 0 ? result.stdout : "";
-  }
-  const stdinChanged = changedFilesFromPrePushStdin(root, readStdin());
-  if (stdinChanged.length > 0) {
-    return stdinChanged;
-  }
-  const upstreamResult = runGit(["diff", "--name-only", "@{upstream}..HEAD"], root);
-  if (upstreamResult.status === 0) {
-    return upstreamResult.stdout;
-  }
-  const unpushed = changedFilesFromUnpushedCommits(root);
-  if (unpushed.length > 0) {
-    return unpushed;
-  }
-  const fallback = runGit(["diff", "--name-only", "HEAD~1...HEAD"], root);
-  return fallback.status === 0 ? fallback.stdout : "";
-}
-
-const root = resolveRepoRoot();
-const runtimeHook = path.join(root, RUNTIME_ROOT, "hooks", "run-hook.mjs");
-if (!fs.existsSync(runtimeHook)) {
-  // cclaw git relay is installed but the runtime entrypoint is missing —
-  // warn visibly (without blocking the commit) so the drift is noticed.
-  process.stderr.write(
-    "[cclaw] " + HOOK_NAME + ": " + runtimeHook + " not found; run \`cclaw sync\` to reinstall\\n"
-  );
-  process.exit(0);
-}
-
-const changedFiles = resolveChangedFiles(root)
-  .split(/\\r?\\n/gu)
-  .map((line) => line.trim())
-  .filter((line) => line.length > 0);
-if (changedFiles.length === 0) {
-  process.exit(0);
-}
-
-const payload = JSON.stringify({
-  tool_name: "Write",
-  tool_input: {
-    path: changedFiles.join("\\n"),
-    paths: changedFiles
-  }
-});
-
-  const result = spawnSync(process.execPath, [runtimeHook, "prompt-guard"], {
-  cwd: root,
-  env: process.env,
-  input: payload,
-  encoding: "utf8",
-  stdio: ["pipe", "ignore", "inherit"]
-});
-process.exit(typeof result.status === "number" ? result.status : 1);
-`;
-}
-function managedGitRelayHook(hookName) {
-    return `#!/usr/bin/env node
-// ${GIT_HOOK_MANAGED_MARKER}: relay ${hookName}
-import fs from "node:fs";
-import path from "node:path";
-import process from "node:process";
-import { spawn, spawnSync } from "node:child_process";
-
-const RUNTIME_REL_DIR = ${JSON.stringify(GIT_HOOK_RUNTIME_REL_DIR)};
-const HOOK_NAME = ${JSON.stringify(hookName)};
-
-function resolveRepoRoot() {
-  const result = spawnSync("git", ["rev-parse", "--show-toplevel"], {
-    cwd: process.cwd(),
-    encoding: "utf8",
-    stdio: ["ignore", "pipe", "ignore"]
-  });
-  if (typeof result.status === "number" && result.status === 0) {
-    const root = (result.stdout || "").trim();
-    if (root.length > 0) return root;
-  }
-  return process.cwd();
-}
-
-const root = resolveRepoRoot();
-const runtimeHook = path.join(root, RUNTIME_REL_DIR, HOOK_NAME + ".mjs");
-if (!fs.existsSync(runtimeHook)) {
-  process.exit(0);
-}
-
-const child = spawn(process.execPath, [runtimeHook, ...process.argv.slice(2)], {
-  cwd: root,
-  env: process.env,
-  stdio: "inherit"
-});
-child.on("error", () => process.exit(1));
-child.on("close", (code, signal) => {
-  process.exit(signal ? 1 : typeof code === "number" ? code : 1);
-});
-`;
-}
-async function removeManagedGitHookRelays(projectRoot) {
+// Legacy cleanup: prior versions installed Node-based git pre-commit/pre-push relays
+// under .git/hooks/* and a runtime tree at .cclaw/hooks/git/. Runtime Honesty 6.9.0
+// removed managed git hooks entirely; the cleanup below stays so existing installs
+// shed the leftover files on next sync/uninstall.
+const LEGACY_GIT_HOOK_MANAGED_MARKER = "cclaw-managed-git-hook";
+const LEGACY_GIT_HOOK_RUNTIME_REL_DIR = `${RUNTIME_ROOT}/hooks/git`;
+async function cleanupLegacyManagedGitHookRelays(projectRoot) {
     const hooksDir = await resolveGitHooksDir(projectRoot);
-    if (!hooksDir) {
-        return;
-    }
-    for (const hookName of ["pre-commit", "pre-push"]) {
-        const hookPath = path.join(hooksDir, hookName);
-        if (!(await exists(hookPath)))
-            continue;
-        let content = "";
-        try {
-            content = await fs.readFile(hookPath, "utf8");
-        }
-        catch {
-            content = "";
-        }
-        if (!content.includes(GIT_HOOK_MANAGED_MARKER)) {
-            continue;
+    if (hooksDir) {
+        for (const hookName of ["pre-commit", "pre-push"]) {
+            const hookPath = path.join(hooksDir, hookName);
+            if (!(await exists(hookPath)))
+                continue;
+            let content = "";
+            try {
+                content = await fs.readFile(hookPath, "utf8");
+            }
+            catch {
+                content = "";
+            }
+            if (!content.includes(LEGACY_GIT_HOOK_MANAGED_MARKER))
+                continue;
+            await fs.rm(hookPath, { force: true });
         }
-        await fs.rm(hookPath, { force: true });
     }
-}
-async function syncManagedGitHooks(projectRoot, config) {
-    void config;
-    await removeManagedGitHookRelays(projectRoot);
     try {
-        await fs.rm(path.join(projectRoot, GIT_HOOK_RUNTIME_REL_DIR), { recursive: true, force: true });
+        await fs.rm(path.join(projectRoot, LEGACY_GIT_HOOK_RUNTIME_REL_DIR), { recursive: true, force: true });
     }
     catch {
         // best-effort cleanup
@@ -1021,6 +834,9 @@ async function cleanLegacyArtifacts(projectRoot) {
     for (const legacyFolder of DEPRECATED_STAGE_SKILL_FOLDERS) {
         await removeBestEffort(runtimePath(projectRoot, "skills", legacyFolder), true);
     }
+    for (const legacyFolder of DEPRECATED_SKILL_FOLDERS_FULL) {
+        await removeBestEffort(runtimePath(projectRoot, "skills", legacyFolder), true);
+    }
     for (const legacyAgentFile of DEPRECATED_AGENT_FILES) {
         await removeBestEffort(runtimePath(projectRoot, "agents", legacyAgentFile));
     }
@@ -1173,7 +989,7 @@ async function materializeRuntime(projectRoot, config, forceStateReset, operatio
         await ensureKnowledgeStore(projectRoot);
         await writeHooks(projectRoot, config);
         await syncDisabledHarnessArtifacts(projectRoot, harnesses);
-        await syncManagedGitHooks(projectRoot, config);
+        await cleanupLegacyManagedGitHookRelays(projectRoot);
         await syncHarnessShims(projectRoot, harnesses);
         await assertExpectedHarnessShims(projectRoot, harnesses);
         await writeCursorWorkflowRule(projectRoot, harnesses);
@@ -1401,7 +1217,7 @@ export async function uninstallCclaw(projectRoot) {
     }
     await removeCclawFromAgentsMd(projectRoot);
     await removeGitignorePatterns(projectRoot);
-    await removeManagedGitHookRelays(projectRoot);
+    await cleanupLegacyManagedGitHookRelays(projectRoot);
     const hookFiles = [
         ".claude/hooks/hooks.json",
         ".cursor/hooks.json",

package/dist/internal/detect-supply-chain-changes.d.ts

@@ -0,0 +1,6 @@
+export interface SupplyChainChangeDetection {
+    triggered: boolean;
+    changedFiles: string[];
+    reasons: string[];
+}
+export declare function detectSupplyChainChanges(projectRoot: string): Promise<SupplyChainChangeDetection>;