cclaw-cli 7.0.1 → 7.0.3

package/dist/content/meta-skill.js

@@ -57,6 +57,16 @@ If you think any of these, stop and follow the routing flow:
 - "I can answer from memory without loading the active stage skill." -> No. Load the skill first.
 - "Hook guard warned, but I can ignore it." -> No. Resolve the warning before continuing.
 - "I'll edit \`.cclaw/state\` directly to move faster." -> No. Use managed commands only.
+- "I'll just do the worker's job inline so we move faster." -> No. See the Controller dispatch discipline below.
+
+## Controller dispatch discipline (applies to every stage)
+
+cclaw stages have **mandatory delegations** (TDD: \`slice-builder\`; review: \`reviewer\` + \`security-reviewer\`; design: \`architect\`; scope: \`planner\`; etc.). The controller is the **orchestrator**, not the worker. When a stage declares a mandatory delegation:
+
+- **Dispatch via the harness Task tool.** Do NOT write the worker's output (slice code, review findings, architect notes) into the artifact yourself as a substitute for delegating. Editing \`06-tdd.md\` slice cards, \`07-review.md\` findings, or any other "result of mandatory worker" content inline in the controller chat is a protocol violation.
+- **Parallel by default when paths/lenses are independent.** TDD wave-fanout (disjoint \`claimedPaths\`) and review-army (independent reviewer lenses) MUST emit all parallel \`Task\` calls in a SINGLE controller message — not sequentially over multiple turns. The controller waits for all spans to return before reconciling.
+- **Record lifecycle on the same span** via \`delegation-record --status=scheduled|launched|acknowledged|completed\`; the worker emits its own \`--phase=…\` and evidence rows. A \`completed\` row without a matching ACK or dispatch surface is a forgery.
+- **Auto-advance when stage-complete returns ok.** When the helper reports a new \`currentStage\`, immediately load the next stage skill and continue. Announce \`Stage <prev> complete → entering <next>. Continuing.\` Do NOT pause for the user to retype \`/cc\` or say \"продолжай\" — that pause is the failure mode 7.0.2 explicitly removed. The only legitimate stop is a real blocker (missing user input, ambiguous decision, hook fail).
 
 ## Routing flow
 
@@ -140,7 +150,7 @@ Use session-injected knowledge digest first. Only stream full
 
 - Do not skip stages silently.
 - Do not claim gate completion without evidence.
-- Do not auto-advance after stage completion unless user asks.
+- DO auto-advance to the next stage after \`stage-complete\` returns ok (see Controller dispatch discipline). The user does not need to retype \`/cc\`.
 - Escalate after repeated failures (see decision protocol).
 `;
 }

package/dist/content/skills.d.ts

@@ -26,6 +26,13 @@ export declare function behaviorAnchorBlock(stage: FlowStage): string;
  * Empty for non-TDD stages.
  */
 export declare function tddTopOfSkillBlock(stage: FlowStage): string;
+/**
+ * Review-only prelude: mandates parallel reviewer / security-reviewer dispatch
+ * via harness Task and forbids inline authoring of findings.
+ *
+ * Empty for non-review stages.
+ */
+export declare function reviewTopOfSkillBlock(stage: FlowStage): string;
 export declare function stageSkillFolder(stage: FlowStage): string;
 export declare function stageSkillMarkdown(stage: FlowStage, track?: FlowTrack, _packageVersion?: string | null): string;
 export declare function executingWavesSkillMarkdown(): string;

package/dist/content/skills.js

@@ -183,16 +183,87 @@ export function tddTopOfSkillBlock(stage) {
         return "";
     return `## TDD orchestration primer
 
-**Always first:** run \`node .cclaw/cli.mjs internal wave-status --json\` — it reads the managed plan markers; open \`05-plan.md\`/wave-plan files afterward for detail.
+**MANDATE — controller never implements.** In TDD the controller plans, dispatches, and reconciles. **NEVER edit production code, tests, or run cargo/npm/pytest yourself in the controller chat.** Every slice's RED → GREEN → REFACTOR → DOC cycle MUST happen inside an isolated \`slice-builder\` span dispatched via the harness Task tool. Inline code edits in the controller chat are a protocol violation that defeats parallelism, evidence isolation, and the audit ledger.
 
-**Several ready lanes:** Issue exactly one AskQuestion (**launch parallel wave**, default vs **single slice**).
+**Step 1 — Wave status (always first):**
+\`node .cclaw/cli.mjs internal wave-status --json\`
 
-**Delegation order:** Emit \`delegation-record\` \`--status=scheduled\` then \`--status=launched\` *before* every \`Task\`; workers ACK/complete locally.
+The output names: \`waves[]\` (closed/open), \`nextDispatch.waveId\`, \`nextDispatch.mode\` (\`wave-fanout\` or \`single-slice\`), \`nextDispatch.readyToDispatch\` (slice ids), and \`nextDispatch.pathConflicts\` (overlapping \`claimedPaths\` between members).
 
-**Per slice worker:** Prefer \`Task("slice-builder --slice S-<id> ...")\`. Pass explicit \`--paths\`; parallel Tasks are okay when overlaps are disjoint. Follow any lane lease flags the helper still mandates on your ledger.
+**Step 2 — Decide automatically (no user question when paths disjoint):**
+
+| \`mode\`         | \`pathConflicts\` | Action                                                                                                                                  |
+|------------------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------|
+| \`wave-fanout\`  | \`[]\`            | **Fan out the entire wave in one tool batch.** Emit one \`Task\` per ready slice in a single controller message. Do NOT ask the user.   |
+| \`wave-fanout\`  | non-empty         | Issue exactly one AskQuestion (resolve the overlap, drop the conflicting slice, or downgrade to single-slice for the disputed member).  |
+| \`single-slice\` | —                 | One \`Task\` for the next ready slice.                                                                                                  |
+
+**Step 3 — Dispatch protocol per slice:** in the SAME controller message that issues the \`Task\` call:
+
+1. Append \`delegation-record --status=scheduled\` for the \`slice-builder\` span (one row per slice; reuse the same \`spanId\` across the entire RED → GREEN → REFACTOR → DOC lifecycle).
+2. Append \`delegation-record --status=launched\` immediately after.
+3. Issue the harness Task call: \`Task(subagent_type=<harness slice-builder mapping>, description="slice-builder <slice-id>", prompt="<full slice context, claimedPaths, plan-row, AC ids, paths to source/tests, slice-card path>")\`.
+4. The slice-builder span ACKs locally (\`delegation-record --status=acknowledged\`) and runs the **complete** RED → GREEN → REFACTOR → DOC cycle inside the span — including writing \`tdd-slices/S-<id>.md\` and emitting \`--phase=red\`, \`--phase=green\`, \`--phase=refactor\` (or \`--phase=refactor-deferred\` with rationale), and \`--phase=doc\` rows on its own.
+5. The controller waits for ALL parallel spans to terminate before reconciling. Do not page back into the controller chat between spans.
+
+**Step 4 — Wave closeout:** after all in-flight slices report \`completed\`:
+
+1. Re-run \`wave-status --json\`. Confirm the wave is \`closed\` and the next dispatch is the following wave (or \`closeout\`).
+2. If \`integrationCheckRequired\` is true, dispatch \`integration-overseer\` (proactive) and append the \`cclaw_integration_overseer_skipped\` audit kind only when the contract waives it.
+3. If \`wave-status\` reports another \`wave-fanout\` next dispatch with disjoint paths, **immediately repeat Step 2 — do not pause for \"continue\"**.
+4. When all waves are closed and no more slices remain ready, run \`stage-complete tdd\`.
+
+**Step 5 — Auto-advance after stage-complete:** when \`stage-complete\` returns \`ok\` with a new \`currentStage\`, immediately load the next stage skill and continue. The user does NOT need to retype \`/cc\`. Announce \"Stage tdd complete → entering <next>. Continuing.\" and proceed.
 
 Wave resume: reuse \`wave-status\` outputs and parallelize unfinished members instead of restarting finished slices.
 
+---
+`;
+}
+/**
+ * Review-only prelude: mandates parallel reviewer / security-reviewer dispatch
+ * via harness Task and forbids inline authoring of findings.
+ *
+ * Empty for non-review stages.
+ */
+export function reviewTopOfSkillBlock(stage) {
+    if (stage !== "review")
+        return "";
+    return `## Review orchestration primer
+
+**MANDATE — controller never authors findings inline.** In review the controller orchestrates; \`reviewer\` (functional/spec/correctness/architecture/perf/observability) and \`security-reviewer\` (security sweep + dependency/version audit) are the **mandatory delegated workers** that produce findings, lens coverage, and the verdict input. Typing \`## Layer 1 Findings\`, \`## Layer 2 Findings\`, \`## Lens Coverage\`, or \`## Final Verdict\` content directly into \`07-review.md\` in the controller chat is a protocol violation. The controller writes ONLY the reconciled multi-specialist verdict block AFTER all reviewer Tasks return.
+
+**Step 1 — Diff scope (always first):**
+\`git diff --stat <base>...HEAD\` and \`git diff --name-only <base>...HEAD\`.
+If the diff is empty, exit early with APPROVED (no changes to review).
+
+**Step 2 — Dispatch the review army in PARALLEL (single controller message):**
+
+| Lens                     | Worker                | Mandatory? |
+|--------------------------|-----------------------|------------|
+| Spec compliance / Layer 1 | \`reviewer\`         | yes        |
+| Layer 2 cross-slice / correctness / observability | \`reviewer\` | yes |
+| Security sweep + dep/version audit | \`security-reviewer\` | yes (or \`NO_SECURITY_IMPACT\` attestation) |
+| Adversarial second opinion | \`reviewer\` (adversarial framing) | only if trust boundaries moved OR diff is large+high-risk |
+
+Emit ONE \`Task\` per lens in a single controller message. For each lens:
+
+1. Append \`delegation-record --status=scheduled\` for the lens span (one row per lens; reuse the same \`spanId\` for the lens lifecycle).
+2. Append \`delegation-record --status=launched\` immediately after.
+3. Issue the harness Task call: \`Task(subagent_type=<harness reviewer/security-reviewer mapping>, description="<lens> review", prompt="<diff range, files, AC ids, upstream artifacts (spec, design, tdd Per-Slice Reviews), expected output schema for 07-review-army.json>")\`.
+4. The reviewer span ACKs locally and writes its findings/lens coverage to \`07-review-army.json\` (and the structured findings table in \`07-review.md\`) on its own — including \`NO_SECURITY_IMPACT\` rationale if a security pass yields zero findings.
+5. The controller waits for ALL lens spans to return before reconciling.
+
+**Step 3 — Reconcile and verdict:** after all lens spans complete:
+
+1. Run \`validateReviewArmy\` (helper or linter) on \`07-review-army.json\`.
+2. Dedup by fingerprint, mark multi-specialist confirmations.
+3. Confirm acceptance criteria coverage and Pre-Critic / Lens Coverage / Anti-sycophancy fields are present (linter requires them).
+4. Compute the final verdict: APPROVED, APPROVED_WITH_CONCERNS, or BLOCKED.
+5. If BLOCKED, emit \`ROUTE_BACK_TO_TDD\` with the blocking finding ids and the managed \`npx cclaw-cli internal rewind tdd\` command. Do NOT silently stop.
+
+**Step 4 — Auto-advance after stage-complete:** when \`stage-complete review\` returns \`ok\` with a new \`currentStage\` (typically \`ship\`), immediately load the next stage skill and continue. Announce \"Stage review complete → entering <next>. Continuing.\" and proceed without waiting for the user to retype \`/cc\`.
+
 ---
 `;
 }
@@ -619,7 +690,7 @@ If you are about to violate the Iron Law, STOP. No amount of urgency, partial pr
 
 </EXTREMELY-IMPORTANT>
 
-${renderTrackTerminology(tddTopOfSkillBlock(stage), trackContext)}${quickStartBlock(stage, track)}
+${renderTrackTerminology(tddTopOfSkillBlock(stage) + reviewTopOfSkillBlock(stage), trackContext)}${quickStartBlock(stage, track)}
 
 ${STAGE_LANGUAGE_POLICY_POINTER}
 ## Philosophy

package/dist/content/stages/review.js

@@ -32,6 +32,7 @@ export const REVIEW = {
     },
     executionModel: {
         checklist: [
+            "**MANDATE — controller never authors review findings.** The controller orchestrates; `reviewer` and `security-reviewer` are mandatory delegated workers that produce the actual findings, lens coverage, and verdict input. **Dispatch them in parallel as harness Task subagents in a single controller message** — one Task per lens. Do NOT type `## Layer 1 Findings`, `## Layer 2 Findings`, `## Lens Coverage`, or `## Final Verdict` content into `07-review.md` yourself as a substitute for delegating. The controller's only writes to the review artifact are: structural scaffolding (section headings if the template did not pre-render them) and the reconciled multi-specialist verdict block AFTER all reviewer Tasks return.",
             "**Boundary with TDD (do NOT re-classify slice findings).** `tdd.Per-Slice Review` OWNS severity-classified findings WITHIN a single slice (correctness, edge cases, regression for that slice). `review` OWNS whole-diff Layer 1 (spec compliance) plus Layer 2 (cross-slice integration findings, security sweep, dependency/version audit, observability). When the same finding ID appears in both `06-tdd.md > Per-Slice Review` and `07-review.md` / `07-review-army.json`, the severity/disposition MUST match — the cross-artifact-duplication linter blocks otherwise.",
             "Diff Scope — Run `git diff` against base branch. If no diff, exit early with APPROVED (no changes to review). Scope the review to changed files unless blast-radius analysis requires wider inspection.",
             "Change-Size Check — ~100 lines = normal. ~300 lines = consider splitting. ~1000+ lines = strongly recommend stacked PRs. Flag large diffs to the user.",

package/dist/content/start-command.js

@@ -115,7 +115,13 @@ If during any stage the agent discovers evidence that contradicts the initial Ph
 2. If flow state is missing → guide the user to run \`npx cclaw-cli init\` and stop.
 3. If flow state is only a fresh init placeholder (\`completedStages: []\`, all \`passed\` arrays empty, and no \`00-idea.md\`) → stop and ask for \`/cc <prompt>\` to start a tracked run. Do not create a brainstorm state implicitly.
 4. Otherwise check current stage gates, resume if incomplete, and advance if complete.
-5. **TDD wave dispatch:** When \`currentStage\` is \`tdd\`, run \`node .cclaw/cli.mjs internal wave-status --json\` first, then read the managed **Parallel Execution Plan** block inside \`${RUNTIME_ROOT}/artifacts/05-plan.md\` plus \`${RUNTIME_ROOT}/artifacts/wave-plans/\` for detail. Resume partial waves on remaining members only. Dispatch one \`slice-builder\` per slice with explicit \`--paths\`; parallelize when overlaps are disjoint. Each \`slice-builder\` span owns the full RED → GREEN → REFACTOR → DOC cycle for its slice. RED-before-GREEN is enforced per-slice.
+5. **TDD wave dispatch:** When \`currentStage\` is \`tdd\`, run \`node .cclaw/cli.mjs internal wave-status --json\` first, then read the managed **Parallel Execution Plan** block inside \`${RUNTIME_ROOT}/artifacts/05-plan.md\` plus \`${RUNTIME_ROOT}/artifacts/wave-plans/\` for detail. Resume partial waves on remaining members only.
+
+   **The controller never edits production code in TDD.** When \`mode: wave-fanout\` and \`pathConflicts: []\`, fan out the entire wave in a SINGLE controller message: one harness \`Task(subagent_type=…, description="slice-builder S-<id>", prompt=<full slice context>)\` call per ready slice, **side by side in the same tool batch**. Each \`slice-builder\` span owns the full RED → GREEN → REFACTOR → DOC cycle for its slice and emits its own \`delegation-record --phase=red|green|refactor|refactor-deferred|doc\` rows. RED-before-GREEN is enforced per-slice by the linter.
+
+   When \`mode: wave-fanout\` reports \`pathConflicts\`, surface exactly one AskQuestion that lets the user resolve the overlap (drop / split / serialize). When \`mode: single-slice\`, dispatch one \`Task\` for the next ready slice.
+
+6. **Auto-advance after stage-complete:** when \`stage-complete\` returns \`ok\` with a new \`currentStage\`, immediately load the next stage skill and continue without waiting for the user to retype \`/cc\`. Announce \`Stage <prev> complete → entering <next>. Continuing.\` and proceed.
 
 ## Headless mode (CI/automation only)
 
@@ -208,10 +214,10 @@ Progress the tracked flow only when one exists:
 2. If missing, guide the user to run \`npx cclaw-cli init\` and stop.
 3. If it is only a fresh init placeholder (\`completedStages: []\`, no passed gates, and no \`${RUNTIME_ROOT}/artifacts/00-idea.md\`), stop and ask for \`/cc <prompt>\` to start a tracked run. Do not silently create a brainstorm run.
 4. Check gates for \`currentStage\`.
-5. **TDD:** When \`currentStage\` is \`tdd\`, run \`wave-status --json\`, then reconcile the managed **Parallel Execution Plan** in \`05-plan.md\` with \`wave-plans/wave-NN.md\` before slice questions. Prefer \`slice-builder\` per slice when it is installed; mirror plan \`dependsOn\` ordering.
+5. **TDD:** When \`currentStage\` is \`tdd\`, run \`wave-status --json\`, then reconcile the managed **Parallel Execution Plan** in \`05-plan.md\` with \`wave-plans/wave-NN.md\`. **The controller never edits production code in TDD.** When \`mode: wave-fanout\` and \`pathConflicts: []\`, fan out the wave in a SINGLE controller message — one \`Task\` per ready slice, side by side. Each \`slice-builder\` span owns its full RED → GREEN → REFACTOR → DOC cycle. Mirror plan \`dependsOn\` ordering between waves.
 6. **Wave resume:** Parallelize unfinished members; never restart completed lanes. Integration-overseer follows \`integrationCheckRequired\`; when skipped, emit \`cclaw_integration_overseer_skipped\` per the hook contract.
 7. If incomplete → load current stage skill and execute.
-8. If complete → advance to next stage and execute.
+8. If complete → advance to next stage and execute. **Auto-advance:** when \`stage-complete\` returns \`ok\`, immediately load the next stage skill and continue without waiting for the user to retype \`/cc\`.
 9. If flow is done → report completion.
 
 ## Public flow habit

package/dist/content/subagents.js

@@ -395,11 +395,11 @@ This document bridges **Superpowers-style task isolation** with the **gstack “
 ## HARD-GATE
 
 ${conversationLanguagePolicyMarkdown()}
-**Never dispatch parallel IMPLEMENTATION agents that write to the same codebase. Parallel agents are for investigation, analysis, and review ONLY.**
+**Default rule:** parallel implementation agents are SAFE for investigation, analysis, review, and the **TDD wave-fanout** path; otherwise keep implementation sequential.
 
-Implementation that touches shared source trees must remain **sequential** unless you have proven disjoint filesystem ownership (rare) and an explicit merge protocol.
+**TDD wave-fanout is the supported parallel-implementation path.** When \`cclaw-cli internal wave-status --json\` reports \`mode: wave-fanout\` and \`pathConflicts: []\`, fan out one \`slice-builder\` span per ready slice in a single controller message. Each span owns its disjoint \`claimedPaths\`; the dispatcher rejects overlapping spans with \`DispatchOverlapError\` inline, so the disjoint-paths invariant is enforced for you.
 
-When explicit bounded TDD fan-out is approved with parallel \`slice-builder\` lanes, author \`.cclaw/artifacts/cohesion-contract.md\` + \`.json\` before launch and run \`integration-overseer\` after fan-in.
+**Outside wave-fanout** — for ad-hoc parallel implementation that touches shared source trees — keep work **sequential** unless you have proven disjoint filesystem ownership and an explicit merge protocol.
 
 ## When to Use
 
@@ -424,7 +424,7 @@ When explicit bounded TDD fan-out is approved with parallel \`slice-builder\` la
 ## Dispatch Protocol
 
 1. **Identify independent problem domains** (no file overlap; no shared mutable working assumptions).
-2. **Author cohesion contract first** whenever fan-out touches shared interfaces or bounded parallel \`slice-builder\` lanes.
+2. **Author a cohesion contract** only when fan-out touches **shared interfaces or shared types** between slices in the same wave. For TDD wave-fanout where every member's \`claimedPaths\` are disjoint, a cohesion contract is NOT required — the disjoint-paths invariant plus the \`integration-overseer\` post-fan-in audit cover the integration risk.
 3. **Craft one prompt per domain** with **full context pasted** — same HARD-GATE as SDD: no “go read X to learn why.”
 4. **Launch ALL agents in a single controller message** (multiple Task tool calls) so they start with comparable timelines.
 5. **Wait for all to return** before synthesis (avoid incremental confirmation bias).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cclaw-cli",
-  "version": "7.0.1",
+  "version": "7.0.3",
   "description": "Installer-first flow toolkit for coding agents",
   "type": "module",
   "bin": {