claude-dev-env 1.12.1 → 1.14.0

package/bin/install.mjs

@@ -29,7 +29,7 @@ const INSTALL_GROUPS = {
         description: 'Prompt engineering tools',
         skills: ['prompt-generator', 'agent-prompt'],
         includeHookFiles: [
-            'blocking/agent-execution-intent-gate.py',
+            'blocking/prompt_workflow_gate_config.py',
             'blocking/prompt_workflow_gate_core.py',
             'blocking/prompt-workflow-stop-guard.py',
             'HOOK_SPECS_PROMPT_WORKFLOW.md',

package/hooks/HOOK_SPECS_PROMPT_WORKFLOW.md

@@ -2,21 +2,9 @@
 
 Deterministic runtime gates for prompt workflows.
 
-## Gate: Execution Intent (PreToolUse Task/Agent)
+## PreToolUse Task/Agent (removed)
 
-- Hook: `hooks/blocking/agent-execution-intent-gate.py`
-- Event: `PreToolUse`
-- Matcher: `Task|Agent`
-- Fail condition:
-  - Missing structured execution intent contract field:
-    - `tool_input.execution_intent: explicit|execute|delegate`, or
-    - `tool_input.execution_intent_explicit: true`, or
-    - `tool_input.metadata.execution_intent: explicit|execute|delegate`
-  - Missing required scope anchors in launch payload (always enforced when execution launch is evaluated)
-- Compatibility fallback:
-  - Text markers are only accepted when `PROMPT_WORKFLOW_ALLOW_TEXT_INTENT_FALLBACK=1` is set.
-  - Fallback usage is logged to stderr.
-- Action: `deny` with concrete missing requirement list.
+The former `agent-execution-intent-gate.py` hook is **removed**. Native Agent/Task launches do not carry stable custom metadata; enforcing scope text on every spawn blocked legitimate `/agent-prompt` and refinement delegations. Scope and checklist rules remain enforced by the Stop guard when a prompt-workflow response is detected.
 
 ## Gate: Leakage + Checklist + Scope (Stop)
 

package/hooks/blocking/prompt-workflow-stop-guard.py

@@ -18,6 +18,7 @@ from prompt_workflow_gate_core import (
     is_prompt_workflow_response,
     missing_context_control_signals,
     missing_checklist_rows,
+    missing_required_xml_sections,
     missing_scope_anchors,
 )
 
@@ -150,10 +151,23 @@ def _check_negative_keywords_in_artifact(assistant_message: str) -> dict | None:
         ),
     )
 
+def _check_required_xml_sections(assistant_message: str) -> dict | None:
+    missing_sections = missing_required_xml_sections(assistant_message)
+    if not missing_sections:
+        return None
+    return _build_block(
+        brief_label="retrying: include all required XML sections",
+        full_reason=(
+            "PROMPT-WORKFLOW GATE: Fenced XML artifact missing required sections: "
+            + ", ".join(missing_sections)
+        ),
+    )
+
 def _evaluate_workflow_gates(assistant_message: str) -> dict | None:
     if not is_prompt_workflow_response(assistant_message):
         return None
     workflow_gate_checks: tuple[Callable[[str], dict | None], ...] = (
+        _check_required_xml_sections,
         _check_missing_checklist_rows,
         _check_missing_scope_anchors,
         _check_missing_context_signals,

package/hooks/blocking/prompt_workflow_gate_config.py

@@ -0,0 +1,117 @@
+"""Static lists and compiled regexes for prompt-workflow gate checks.
+
+Edit this file to change scope anchors, checklist rows, markers, or keyword lists
+without touching gate logic in prompt_workflow_gate_core.py.
+"""
+
+from __future__ import annotations
+
+import re
+
+REQUIRED_SCOPE_ANCHORS: tuple[str, ...] = (
+    "target_local_roots",
+    "target_canonical_roots",
+    "target_file_globs",
+    "comparison_basis",
+    "completion_boundary",
+)
+
+REQUIRED_CHECKLIST_ROWS: tuple[str, ...] = (
+    "structured_scoped_instructions",
+    "sequential_steps_present",
+    "positive_framing",
+    "acceptance_criteria_defined",
+    "safety_reversibility_language",
+    "reversible_action_and_safety_check_guidance",
+    "concrete_output_contract",
+    "scope_boundary_present",
+    "explicit_scope_anchors_present",
+    "all_instructions_artifact_bound",
+    "scope_terms_explicit_and_anchored",
+    "completion_boundary_measurable",
+    "citation_grounding_policy_present",
+    "source_priority_rules_present",
+    "artifact_language_confidence",
+)
+
+AMBIGUOUS_SCOPE_TERMS: tuple[str, ...] = (
+    "this session",
+    "current files",
+    "here",
+    "above",
+    "as needed",
+)
+
+INTERNAL_OBJECT_MARKERS: tuple[str, ...] = (
+    '"pipeline_mode": "internal_section_refinement_with_final_audit"',
+    '"scope_block": {',
+    '"required_sections": [',
+    '"section_output_contract": {',
+    '"merge_output_contract": {',
+    '"audit_output_contract": {',
+)
+
+PROMPT_WORKFLOW_RESPONSE_MARKERS: tuple[str, ...] = (
+    "checklist_results",
+    "overall_status",
+    "scope anchors",
+    "target_local_roots",
+    "target_canonical_roots",
+    "target_file_globs",
+    "comparison_basis",
+    "completion_boundary",
+)
+
+DEBUG_INTENT_MARKERS: tuple[str, ...] = (
+    "debug",
+    "show internal",
+    "raw internal object",
+    "pipeline object",
+)
+
+NEGATIVE_KEYWORDS_IN_ARTIFACT: tuple[str, ...] = (
+    "no",
+    "not",
+    "don't",
+    "do not",
+    "never",
+    "avoid",
+    "without",
+    "refrain",
+    "stop",
+    "prevent",
+    "exclude",
+    "prohibit",
+    "forbid",
+    "reject",
+    "cannot",
+    "unless",
+)
+
+NEGATIVE_INDIRECT_PATTERNS_IN_ARTIFACT: tuple[str, ...] = (
+    r"instead of\s+\w+",
+    r"rather than\s+\w+",
+    r"as opposed to\s+\w+",
+)
+
+REQUIRED_XML_SECTIONS: tuple[str, ...] = (
+    "role",
+    "context",
+    "instructions",
+    "constraints",
+    "output_format",
+)
+
+FENCED_XML_BLOCK_PATTERN: re.Pattern[str] = re.compile(
+    r"```xml\s*\n(.*?)```", re.DOTALL
+)
+
+COMPILED_NEGATIVE_KEYWORD_PATTERNS: tuple[re.Pattern[str], ...] = tuple(
+    re.compile(rf"\b{re.escape(keyword)}\b", re.IGNORECASE)
+    for keyword in NEGATIVE_KEYWORDS_IN_ARTIFACT
+)
+
+COMPILED_NEGATIVE_INDIRECT_PATTERNS: tuple[re.Pattern[str], ...] = tuple(
+    re.compile(pattern, re.IGNORECASE)
+    for pattern in NEGATIVE_INDIRECT_PATTERNS_IN_ARTIFACT
+)

package/hooks/blocking/prompt_workflow_gate_core.py

@@ -6,118 +6,17 @@ from __future__ import annotations
 import re
 from typing import Iterable
 
-REQUIRED_SCOPE_ANCHORS: tuple[str, ...] = (
-    "target_local_roots",
-    "target_canonical_roots",
-    "target_file_globs",
-    "comparison_basis",
-    "completion_boundary",
-)
-
-REQUIRED_CHECKLIST_ROWS: tuple[str, ...] = (
-    "structured_scoped_instructions",
-    "sequential_steps_present",
-    "positive_framing",
-    "acceptance_criteria_defined",
-    "safety_reversibility_language",
-    "reversible_action_and_safety_check_guidance",
-    "concrete_output_contract",
-    "scope_boundary_present",
-    "explicit_scope_anchors_present",
-    "all_instructions_artifact_bound",
-    "scope_terms_explicit_and_anchored",
-    "completion_boundary_measurable",
-    "citation_grounding_policy_present",
-    "source_priority_rules_present",
-    "artifact_language_confidence",
-)
-
-REQUIRED_CONTEXT_CONTROL_SIGNALS: tuple[str, ...] = (
-    "base_minimal_instruction_layer: true",
-    "on_demand_skill_loading: true",
-)
-
-AMBIGUOUS_SCOPE_TERMS: tuple[str, ...] = (
-    "this session",
-    "current files",
-    "here",
-    "above",
-    "as needed",
-)
-
-INTERNAL_OBJECT_MARKERS: tuple[str, ...] = (
-    '"pipeline_mode": "internal_section_refinement_with_final_audit"',
-    '"scope_block": {',
-    '"required_sections": [',
-    '"section_output_contract": {',
-    '"merge_output_contract": {',
-    '"audit_output_contract": {',
-)
-
-EXPLICIT_EXECUTION_MARKERS: tuple[str, ...] = (
-    "/agent-prompt",
-    "execution_intent: explicit",
-    "execution_intent_explicit: true",
-    "explicit execution intent",
-    "explicit delegation intent",
-)
-
-PROMPT_WORKFLOW_RESPONSE_MARKERS: tuple[str, ...] = (
-    "checklist_results",
-    "overall_status",
-    "scope anchors",
-    "target_local_roots",
-    "target_canonical_roots",
-    "target_file_globs",
-    "comparison_basis",
-    "completion_boundary",
-)
-
-DEBUG_INTENT_MARKERS: tuple[str, ...] = (
-    "debug",
-    "show internal",
-    "raw internal object",
-    "pipeline object",
-)
-
-
-NEGATIVE_KEYWORDS_IN_ARTIFACT: tuple[str, ...] = (
-    "no",
-    "not",
-    "don't",
-    "do not",
-    "never",
-    "avoid",
-    "without",
-    "refrain",
-    "stop",
-    "prevent",
-    "exclude",
-    "prohibit",
-    "forbid",
-    "reject",
-    "cannot",
-    "unless",
-)
-
-NEGATIVE_INDIRECT_PATTERNS_IN_ARTIFACT: tuple[str, ...] = (
-    r"instead of\s+\w+",
-    r"rather than\s+\w+",
-    r"as opposed to\s+\w+",
-)
-
-COMPILED_NEGATIVE_KEYWORD_PATTERNS: tuple[re.Pattern[str], ...] = tuple(
-    re.compile(rf"\b{re.escape(keyword)}\b", re.IGNORECASE)
-    for keyword in NEGATIVE_KEYWORDS_IN_ARTIFACT
-)
-
-COMPILED_NEGATIVE_INDIRECT_PATTERNS: tuple[re.Pattern[str], ...] = tuple(
-    re.compile(pattern, re.IGNORECASE)
-    for pattern in NEGATIVE_INDIRECT_PATTERNS_IN_ARTIFACT
-)
-
-FENCED_XML_BLOCK_PATTERN: re.Pattern[str] = re.compile(
-    r"```xml\s*\n(.*?)```", re.DOTALL
+from prompt_workflow_gate_config import (
+    AMBIGUOUS_SCOPE_TERMS,
+    COMPILED_NEGATIVE_INDIRECT_PATTERNS,
+    COMPILED_NEGATIVE_KEYWORD_PATTERNS,
+    DEBUG_INTENT_MARKERS,
+    FENCED_XML_BLOCK_PATTERN,
+    INTERNAL_OBJECT_MARKERS,
+    PROMPT_WORKFLOW_RESPONSE_MARKERS,
+    REQUIRED_CHECKLIST_ROWS,
+    REQUIRED_SCOPE_ANCHORS,
+    REQUIRED_XML_SECTIONS,
 )
 
 
@@ -126,6 +25,19 @@ def extract_fenced_xml_content(text: str) -> str:
     return "\n".join(all_matches)
 
 
+def missing_required_xml_sections(text: str) -> list[str]:
+    fenced_body = extract_fenced_xml_content(text)
+    if not fenced_body.strip():
+        return []
+    missing_sections: list[str] = []
+    for section_name in REQUIRED_XML_SECTIONS:
+        open_tag = re.compile(rf"<{re.escape(section_name)}(\s[^>]*)?>")
+        close_tag = re.compile(rf"</{re.escape(section_name)}>")
+        if not open_tag.search(fenced_body) or not close_tag.search(fenced_body):
+            missing_sections.append(section_name)
+    return missing_sections
+
+
 def find_negative_keywords_in_fenced_xml(
     text: str,
 ) -> list[dict[str, str | int]]:
@@ -159,36 +71,6 @@ def _contains_any_marker(text: str, markers: Iterable[str]) -> bool:
     return any(marker.lower() in lower_text for marker in markers)
 
 
-def has_explicit_execution_intent(text: str) -> bool:
-    return _contains_any_marker(text, EXPLICIT_EXECUTION_MARKERS)
-
-
-def has_structured_execution_intent(tool_input: object) -> bool:
-    if not isinstance(tool_input, dict):
-        return False
-
-    explicit_flag = tool_input.get("execution_intent_explicit")
-    if isinstance(explicit_flag, bool):
-        return explicit_flag
-
-    intent_value = tool_input.get("execution_intent")
-    if isinstance(intent_value, str):
-        normalized = intent_value.strip().lower()
-        return normalized in {"explicit", "execute", "delegation", "delegate"}
-    if isinstance(intent_value, bool):
-        return intent_value
-
-    metadata = tool_input.get("metadata")
-    if isinstance(metadata, dict):
-        metadata_intent = metadata.get("execution_intent")
-        if isinstance(metadata_intent, str):
-            return metadata_intent.strip().lower() in {"explicit", "execute", "delegate"}
-        if isinstance(metadata_intent, bool):
-            return metadata_intent
-
-    return False
-
-
 def has_debug_intent(text: str) -> bool:
     return _contains_any_marker(text, DEBUG_INTENT_MARKERS)
 
@@ -230,6 +112,9 @@ def is_prompt_workflow_response(text: str) -> bool:
 
 
 def missing_context_control_signals(text: str) -> list[str]:
-    return [
-        signal for signal in REQUIRED_CONTEXT_CONTROL_SIGNALS if signal not in text.lower()
-    ]
+    required_signals: tuple[str, ...] = (
+        "base_minimal_instruction_layer: true",
+        "on_demand_skill_loading: true",
+    )
+    lowered = text.lower()
+    return [signal for signal in required_signals if signal not in lowered]

package/hooks/blocking/test_context_control_policy_files.py

@@ -20,8 +20,8 @@ def test_context_control_rule_exists_with_required_sections() -> None:
 
 def test_hook_spec_exists_with_required_gates() -> None:
     text = HOOK_SPEC_PATH.read_text(encoding="utf-8")
-    assert "Execution Intent (PreToolUse Task/Agent)" in text
+    assert "PreToolUse Task/Agent (removed)" in text
+    assert "agent-execution-intent-gate.py" in text
     assert "Leakage + Checklist + Scope (Stop)" in text
     assert "Required Deterministic Checklist Rows" in text
-    assert "structured execution intent contract" in text
     assert "Runtime Context-Control Signals" in text

package/hooks/blocking/test_prompt_workflow_gate_core.py

@@ -3,28 +3,15 @@
 from prompt_workflow_gate_core import (
     find_ambiguous_scope_terms,
     has_checklist_container,
-    has_explicit_execution_intent,
-    has_structured_execution_intent,
     has_internal_object_leak,
     is_prompt_workflow_response,
     missing_context_control_signals,
     missing_checklist_rows,
+    missing_required_xml_sections,
     missing_scope_anchors,
 )
 
 
-def test_execution_intent_marker_detected() -> None:
-    assert has_explicit_execution_intent("execution_intent: explicit")
-
-
-def test_structured_execution_intent_detected_from_contract_field() -> None:
-    assert has_structured_execution_intent({"execution_intent": "explicit"})
-
-
-def test_structured_execution_intent_detected_from_boolean_flag() -> None:
-    assert has_structured_execution_intent({"execution_intent_explicit": True})
-
-
 def test_internal_object_leak_detected() -> None:
     text = '{"pipeline_mode": "internal_section_refinement_with_final_audit"}'
     assert has_internal_object_leak(text)
@@ -66,3 +53,53 @@ def test_ambiguous_scope_terms_detected() -> None:
     terms = find_ambiguous_scope_terms(text)
     assert "this session" in terms
     assert "current files" in terms
+
+
+def _fenced_xml(body: str) -> str:
+    return f"```xml\n{body}\n```"
+
+
+def test_missing_required_xml_sections_all_present_returns_empty() -> None:
+    body = (
+        "<role>R.</role>\n"
+        "<context>C.</context>\n"
+        "<instructions>I.</instructions>\n"
+        "<constraints>Co.</constraints>\n"
+        "<output_format>O.</output_format>\n"
+    )
+    assert missing_required_xml_sections(_fenced_xml(body)) == []
+
+
+def test_missing_required_xml_sections_missing_context() -> None:
+    body = (
+        "<role>R.</role>\n"
+        "<instructions>I.</instructions>\n"
+        "<constraints>Co.</constraints>\n"
+        "<output_format>O.</output_format>\n"
+    )
+    assert missing_required_xml_sections(_fenced_xml(body)) == ["context"]
+
+
+def test_missing_required_xml_sections_missing_role_and_output_format() -> None:
+    body = (
+        "<context>C.</context>\n"
+        "<instructions>I.</instructions>\n"
+        "<constraints>Co.</constraints>\n"
+    )
+    missing = missing_required_xml_sections(_fenced_xml(body))
+    assert missing == ["role", "output_format"]
+
+
+def test_missing_required_xml_sections_no_fence_returns_empty() -> None:
+    assert missing_required_xml_sections("no fenced xml here") == []
+
+
+def test_missing_required_xml_sections_prose_without_tags_counts_as_missing() -> None:
+    body = (
+        "<role>R.</role>\n"
+        "context appears in prose but has no tags.\n"
+        "<instructions>I.</instructions>\n"
+        "<constraints>Co.</constraints>\n"
+        "<output_format>O.</output_format>\n"
+    )
+    assert missing_required_xml_sections(_fenced_xml(body)) == ["context"]

package/hooks/blocking/test_prompt_workflow_stop_guard.py

@@ -118,6 +118,16 @@ def test_blocks_ambiguous_scope_phrasing() -> None:
     assert response["decision"] == "block"
     assert "Ambiguous scope phrasing detected" in response["reason"]
 
+def _wrap_five_section_scaffold(inner_body: str) -> str:
+    return (
+        "<role>Test role sentence one.</role>\n"
+        "<context>Test context sentence one.</context>\n"
+        f"{inner_body}\n"
+        "<constraints>Test constraints sentence one.</constraints>\n"
+        "<output_format>Test output format sentence one.</output_format>\n"
+    )
+
+
 def _build_prompt_workflow_message_with_fenced_xml(fenced_xml_body: str) -> str:
     return (
         "Audit: pass 15/15\n"
@@ -137,7 +147,9 @@ def _build_prompt_workflow_message_with_fenced_xml(fenced_xml_body: str) -> str:
 
 
 def test_allows_positive_phrasing_inside_fenced_xml() -> None:
-    fenced_content = "<instructions>Ensure all functions have explicit return types.</instructions>"
+    fenced_content = _wrap_five_section_scaffold(
+        "<instructions>Ensure all functions have explicit return types.</instructions>"
+    )
     payload = {
         "last_assistant_message": _build_prompt_workflow_message_with_fenced_xml(fenced_content),
     }
@@ -172,7 +184,9 @@ def test_blocks_banned_pattern_inside_fenced_xml(
     fenced_xml_content: str,
 ) -> None:
     payload = {
-        "last_assistant_message": _build_prompt_workflow_message_with_fenced_xml(fenced_xml_content),
+        "last_assistant_message": _build_prompt_workflow_message_with_fenced_xml(
+            _wrap_five_section_scaffold(fenced_xml_content)
+        ),
     }
     result = _run_hook(payload)
     response = json.loads(result.stdout)
@@ -180,12 +194,15 @@ def test_blocks_banned_pattern_inside_fenced_xml(
 
 
 def test_permits_negative_keywords_outside_fenced_xml() -> None:
+    fenced_inner = _wrap_five_section_scaffold(
+        "<instructions>Ensure all functions have explicit return types.</instructions>"
+    )
     message = (
         "Audit: pass 15/15\n"
         "Do not skip the audit line.\n"
         "```xml\n"
-        "<instructions>Ensure all functions have explicit return types.</instructions>\n"
-        "```\n"
+        + fenced_inner
+        + "\n```\n"
         "overall_status: pass\n"
         + _full_checklist_rows()
         + "target_local_roots\n"
@@ -201,6 +218,23 @@ def test_permits_negative_keywords_outside_fenced_xml() -> None:
     assert result.stdout.strip() == ""
 
 
+def test_blocks_when_fenced_xml_missing_context_section() -> None:
+    fenced_body = (
+        "<role>Test role sentence one.</role>\n"
+        "<instructions>Test instructions sentence one.</instructions>\n"
+        "<constraints>Test constraints sentence one.</constraints>\n"
+        "<output_format>Test output format sentence one.</output_format>\n"
+    )
+    payload = {
+        "last_assistant_message": _build_prompt_workflow_message_with_fenced_xml(fenced_body),
+    }
+    result = _run_hook(payload)
+    response = json.loads(result.stdout)
+    assert response["decision"] == "block"
+    assert "context" in response["reason"]
+    assert "include all required XML sections" in response["systemMessage"]
+
+
 def test_allows_fully_structured_prompt_workflow_output() -> None:
     payload = {
         "last_assistant_message": (

package/hooks/hooks.json

@@ -94,11 +94,6 @@
             "type": "command",
             "command": "python3 ${CLAUDE_PLUGIN_ROOT}/hooks/blocking/parallel-task-blocker.py",
             "timeout": 10
-          },
-          {
-            "type": "command",
-            "command": "python3 ${CLAUDE_PLUGIN_ROOT}/hooks/blocking/agent-execution-intent-gate.py",
-            "timeout": 10
           }
         ]
       },

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "claude-dev-env",
-    "version": "1.12.1",
+    "version": "1.14.0",
     "description": "Claude Code development standards — rules, hooks, agents, commands, and skills",
     "type": "module",
     "bin": {

package/skills/agent-prompt/SKILL.md

@@ -68,7 +68,6 @@ Use simplified mode when either condition is true:
 
 This mode is triggered when execution input includes `pipeline_mode: internal_section_refinement_with_final_audit` or equivalent execution-ready orchestration metadata.
 If present, carry forward the scope block (`target_local_roots`, `target_canonical_roots`, `target_file_globs`, `comparison_basis`, `completion_boundary`) so execution remains artifact-bound.
-Execution launch payload must include `execution_intent: explicit`.
 
 1. Spawn exactly 6 refinement agents, one per section in fixed order:
    - `role`
@@ -194,7 +193,7 @@ Section-refinement orchestration is done only when all are true:
 - Gather context before crafting -- do not send an agent in blind
 - Start only after explicit user execution intent; keep prompt authoring/refinement in `/prompt-generator`
 - Default to `section_refinement_with_final_audit` orchestration for execution tasks unless user requests simplified mode
-- Include `execution_intent: explicit` in Task/Agent launch prompts so runtime hooks can enforce deterministic gating
+- Carry scope-block context into execution prompts; native Agent/Task tools have no custom intent metadata
 - If the task is too small for an agent (single file read, quick grep), say so and just do it directly
 - Include obstacle handling: "When encountering obstacles, do not use destructive actions as a shortcut (e.g. --no-verify, discarding unfamiliar files)" -- agents without this guidance may take irreversible shortcuts
 - Frame agent tasks with collaborative language and include permission to express uncertainty — agents produce higher-quality output with collaborative briefing (Anthropic emotion concepts research, 2026)

package/skills/prompt-generator/REFINEMENT_PIPELINE_RUNBOOK.md

@@ -26,7 +26,7 @@ Use this command:
      - `target_file_globs`
      - `comparison_basis`
      - `completion_boundary`
-   - XML scaffold includes all sections:
+   - XML scaffold includes all sections — verified by the Stop hook at runtime; each required section tag must have both an opening and a closing tag:
      - `<role>`
      - `<context>`
      - `<instructions>`
@@ -115,7 +115,7 @@ If `overall_status` is `fail`:
 
 - Prompt refinement remains inside `/prompt-generator`.
 - `/agent-prompt` is used only after explicit execution/delegation intent.
-- Execution launch metadata includes `execution_intent: explicit`.
+- Execution handoffs that go through `/agent-prompt` carry scope-block context in the execution prompt as needed.
 - Final refined prompt content is treated as artifact text during refinement and audit.
 - Execution steps (when requested) are bound to scope block artifacts.
 
@@ -128,10 +128,8 @@ If `overall_status` is `fail`:
 
 Validate fail-closed runtime gates:
 
-1. **Execution-intent gate (PreToolUse Task/Agent)**
-   - Deny execution when `execution_intent: explicit` marker is missing.
-   - Deny execution when required scope anchors are missing from launch payload.
-2. **Stop leakage/scope/checklist gate**
+1. **Stop leakage/scope/checklist gate**
+   - **Section-presence gate (Stop)** — Block responses where the fenced XML artifact is missing any of the five required section tag pairs: `role`, `context`, `instructions`, `constraints`, `output_format`.
    - Block responses that leak raw internal refinement object fields unless debug intent is explicit.
    - Block responses missing deterministic checklist rows when audit output is present.
    - Block responses using ambiguous scope phrasing in scope-bound sections.
@@ -148,10 +146,10 @@ Validate fail-closed runtime gates:
 ## Deterministic vs Semantic Boundary
 
 - **Deterministic (fail-closed):**
-  - Missing execution intent marker
-  - Missing required scope anchors
+  - Missing required scope anchors (when Stop guard applies)
   - Raw internal object leakage without debug intent
   - Missing required checklist rows in audit output
+  - Missing required XML sections (`role`, `context`, `instructions`, `constraints`, `output_format`) in the fenced artifact (opening and closing tags)
   - Ambiguous scope terms in scope-bound text
   - Negative keywords inside fenced XML artifacts
   - Hedging language inside fenced XML artifacts

package/skills/prompt-generator/SKILL.md

@@ -185,6 +185,7 @@ Expand the light self-check with this internal checklist when useful:
 - [ ] Emotion-informed framing is present: collaborative language, explicit success criteria, and explicit permission to express uncertainty ("say so if unsure")
 - [ ] Constraints are surfaced upfront (proactive constraint awareness) so the model can incorporate them into its plan, and each non-obvious constraint carries its motivation
 - [ ] Self-correction chaining is considered when the prompt must hold up over time (generate → review → refine)
+- [ ] All five required XML sections (`<role>`, `<context>`, `<instructions>`, `<constraints>`, `<output_format>`) are present with both opening and closing tags in the fenced artifact
 
 ### 9. Deliver (orchestrator)
 
@@ -196,6 +197,8 @@ Audit: pass 15/15
 
 (or `fail N/15 — …`), immediately followed by **one** fenced XML block; **send boundary** is immediately after the closing fence so the user receives a copy-ready pair (audit line + artifact) in one assistant message before the conversation continues.
 
+**Render-survival:** When the fenced XML uses tag names that **collide with HTML5 elements** (`context`, `section`, `summary`, `details`, `header`, `footer`, `main`, `aside`, `article`, `nav`, `figure`), or when the artifact is **very large**, **write the artifact to a file** and give the user the path together with the usual one-line audit. Add a brief **section inventory** (confirming the five required sections) so the user can trust the file even if the inline fence would render poorly. Details: **TARGET_OUTPUT.md — Structural invariant E**.
+
 ### 10. Default refinement mode (subagent-internal)
 
 For non-trivial requests, run inside the drafting subagent (use **draft-only** when the user explicitly asks for a quick draft / no refinement loop):
@@ -212,6 +215,8 @@ Required section list is immutable for this pipeline: `role`, `context`, `instru
 
 **Two-tier validation — tier 2:** The `15` in `Audit: pass 15/15` counts these **compliance** rows (stable ids for hooks). Tier 1 is the **light self-check** in §8—keep the steps separate so models do not merge them.
 
+**Runtime Stop hook:** In addition to the 15-row internal audit, the `prompt-workflow-stop-guard` Stop hook enforces **section presence** on prompt-workflow responses: any fenced Markdown XML block must include opening and closing tags for `role`, `context`, `instructions`, `constraints`, and `output_format`. Missing tags trigger a retry before the user sees a passing turn. Pair this with **Structural invariant E** in `TARGET_OUTPUT.md` so users still receive intact XML when chat renderers strip HTML-named tags.
+
 | # | Row name |
 |---|----------|
 | 1 | structured_scoped_instructions |
@@ -263,7 +268,7 @@ When refining prompt text:
 
 ### 16. Optional execution handoff (`/agent-prompt`)
 
-Use `/agent-prompt` only after the user explicitly asks to execute. Append `execution_intent: explicit` in **debug** handoff notes when your tooling expects it — not in the default one-line audit.
+Use `/agent-prompt` only after the user explicitly asks to execute. Refinement subagents do not need `/agent-prompt` unless you are performing an execution handoff.
 
 ### 17. Context-footprint controls
 

package/skills/prompt-generator/TARGET_OUTPUT.md

@@ -87,6 +87,13 @@ This file is the **target output spec** for eval-driven iteration of the `prompt
 - Place residual uncertainty only in `<open_question>` elements (one topic per tag) with a clear decision you need from the executor or user.
 - Use definitive phrasing inside instructions (e.g. “Run tests in `packages/foo` with `pytest tests/`”) so each step reads like an executable checklist.
 
+## Structural invariant E — Render-survival for XML sections
+
+- **Problem:** Tag names used for prompt XML sections can overlap **HTML5 element names**. Chat renderers may treat those tokens as HTML and hide or alter the content between tags. High-risk examples include: `context`, `section`, `summary`, `details`, `header`, `footer`, `main`, `aside`, `article`, `nav`, `figure`. The raw assistant text may be complete while the **rendered** message looks like sections are missing (notably `<context>`).
+- **Primary mitigation:** When the fenced XML artifact **contains any tag whose local name is on that HTML-collision list**, or when the artifact is **large enough that render truncation is likely**, the orchestrator **must write the full artifact to a file** (default: under `data/prompts/` or a path the user supplied earlier) and **paste the absolute file path** in the chat message. Pair the path with a **short section inventory** confirming all five required sections (`role`, `context`, `instructions`, `constraints`, `output_format`) are present in the file.
+- **Fallback when file write is unavailable:** Escape the **opening angle bracket** of colliding tags (for example `&lt;context>` — user restores `<` when pasting) or use another distinctive wrapper **documented in the same message**, so the user can recover literal XML. State explicitly that the user should restore brackets when copying into another system.
+- **Structural safety net:** Regardless of renderer behavior, the **Stop hook section-presence gate** blocks any prompt-workflow response whose fenced XML is missing any required opening/closing section tag pair. Methodology: [Anthropic — Agent Skills: evaluation and iteration](https://platform.claude.com/docs/en/agents-and-tools/agent-skills/best-practices#evaluation-and-iteration).
+
 ## XML artifact (minimum sections)
 
 Include at least:

package/skills/prompt-generator/evals/prompt-generator.json

@@ -133,6 +133,43 @@
         "Example: 'Ensure all functions have explicit return types' passes; 'Do not leave return types implicit' fails; 'Avoid missing return types' fails",
         "Applies to all sections inside the fenced block: <role>, <context>, <instructions>, <constraints>, <output_format>"
       ]
+    },
+    {
+      "id": 10,
+      "name": "required_sections_present_in_artifact",
+      "scenario": "Section completeness gate (render-survival)",
+      "prompt": "/prompt-generator Write a system prompt for a Python linting agent that auto-fixes code style issues in this repo",
+      "files": [],
+      "expected_behavior": [
+        "Fenced XML block contains opening and closing tags for all five required sections: role, context, instructions, constraints, output_format",
+        "Each required section contains substantive content (minimum one sentence each)",
+        "The Stop hook section-presence check passes for this output (no missing section tags)",
+        "Sections appear in order: role first, output_format last among the five required sections"
+      ]
+    },
+    {
+      "id": 11,
+      "name": "section_missing_triggers_hook_block",
+      "scenario": "Section completeness gate — failure path",
+      "prompt": "Synthetic eval: assistant final message is prompt-workflow shaped (overall_status, checklist, scope anchors, runtime signals) with a fenced Markdown XML block whose body omits the entire context section (no context opening/closing tags); observer asserts Stop hook behavior and successful retry.",
+      "files": [],
+      "expected_behavior": [
+        "The Stop hook runs _check_required_xml_sections and returns a block decision naming context as a missing section",
+        "The model retry includes all five required sections with both opening and closing tags",
+        "The retry output passes the section-presence gate (empty missing list from missing_required_xml_sections)"
+      ]
+    },
+    {
+      "id": 12,
+      "name": "render_survival_file_fallback",
+      "scenario": "Render-layer mitigation",
+      "prompt": "/prompt-generator Write a comprehensive agent prompt for migrating a large Prisma schema and all related API routes, with step-by-step rollout, rollback, and verification — artifact sized like the migration prompt that triggered chat render stripping.",
+      "files": [],
+      "expected_behavior": [
+        "When the artifact exceeds a size threshold or contains XML section tag names that collide with HTML5 elements (context, section, summary, details, header, footer, main, aside, article, nav, figure), the orchestrator writes the full artifact to a file under data/prompts/ or a user-specified path",
+        "The file contains the complete XML with all tags preserved as literal text",
+        "The user-facing message states the file path and briefly inventories which required sections the artifact contains"
+      ]
     }
   ]
 }

package/hooks/blocking/agent-execution-intent-gate.py

@@ -1,63 +0,0 @@
-#!/usr/bin/env python3
-"""PreToolUse gate for Task/Agent execution intent and scope anchors."""
-
-from __future__ import annotations
-
-import json
-import sys
-
-from prompt_workflow_gate_core import (
-    has_explicit_execution_intent,
-    has_structured_execution_intent,
-    missing_scope_anchors,
-)
-
-
-def _deny(reason: str) -> None:
-    response = {
-        "hookSpecificOutput": {
-            "hookEventName": "PreToolUse",
-            "permissionDecision": "deny",
-            "permissionDecisionReason": reason,
-        }
-    }
-    print(json.dumps(response))
-
-
-def main() -> None:
-    try:
-        hook_input = json.load(sys.stdin)
-    except json.JSONDecodeError:
-        sys.exit(0)
-
-    tool_name = str(hook_input.get("tool_name", ""))
-    if tool_name not in {"Task", "Agent"}:
-        sys.exit(0)
-
-    tool_input = hook_input.get("tool_input", {})
-    prompt_text = str(tool_input.get("prompt", ""))
-    description = str(tool_input.get("description", ""))
-    combined_text = f"{description}\n{prompt_text}"
-
-    if not has_structured_execution_intent(tool_input):
-        if not has_explicit_execution_intent(combined_text):
-            _deny(
-                "BLOCKED: Missing structured execution intent signal for Agent/Task launch. "
-                "Provide `tool_input.execution_intent: explicit` or "
-                "`tool_input.execution_intent_explicit: true`."
-            )
-            sys.exit(0)
-
-    missing_anchors = missing_scope_anchors(combined_text)
-    if missing_anchors:
-        _deny(
-            "BLOCKED: Scope anchors missing for prompt workflow execution: "
-            + ", ".join(missing_anchors)
-        )
-        sys.exit(0)
-
-    sys.exit(0)
-
-
-if __name__ == "__main__":
-    main()

package/hooks/blocking/test_agent_execution_intent_gate.py

@@ -1,84 +0,0 @@
-"""Tests for agent-execution-intent-gate hook."""
-
-import json
-import subprocess
-import sys
-from pathlib import Path
-
-
-SCRIPT_PATH = Path(__file__).parent / "agent-execution-intent-gate.py"
-
-
-def _run_hook(payload: dict) -> subprocess.CompletedProcess[str]:
-    return subprocess.run(
-        [sys.executable, str(SCRIPT_PATH)],
-        input=json.dumps(payload),
-        text=True,
-        capture_output=True,
-        check=False,
-    )
-
-
-def test_denies_task_without_explicit_intent_marker() -> None:
-    payload = {
-        "tool_name": "Task",
-        "tool_input": {"prompt": "run the workflow", "description": "delegate"},
-    }
-    result = _run_hook(payload)
-    response = json.loads(result.stdout)
-    assert response["hookSpecificOutput"]["permissionDecision"] == "deny"
-    assert "structured execution intent signal" in response["hookSpecificOutput"]["permissionDecisionReason"]
-
-
-def test_allows_phrase_marker_with_scope_anchors() -> None:
-    payload = {
-        "tool_name": "Task",
-        "tool_input": {
-            "prompt": (
-                "execution_intent: explicit\n"
-                "target_local_roots\n"
-                "target_canonical_roots\n"
-                "target_file_globs\n"
-                "comparison_basis\n"
-                "completion_boundary\n"
-            ),
-            "description": "explicit delegation intent",
-        },
-    }
-    result = _run_hook(payload)
-    assert result.stdout.strip() == ""
-
-
-def test_denies_when_scope_anchors_missing() -> None:
-    payload = {
-        "tool_name": "Agent",
-        "tool_input": {
-            "execution_intent": "explicit",
-            "prompt": "target_local_roots only",
-            "description": "delegate",
-        },
-    }
-    result = _run_hook(payload)
-    response = json.loads(result.stdout)
-    assert response["hookSpecificOutput"]["permissionDecision"] == "deny"
-    assert "Scope anchors missing" in response["hookSpecificOutput"]["permissionDecisionReason"]
-
-
-def test_allows_when_intent_and_scope_anchors_present() -> None:
-    payload = {
-        "tool_name": "Task",
-        "tool_input": {
-            "execution_intent_explicit": True,
-            "description": "delegate",
-            "prompt": (
-                "target_local_roots\n"
-                "target_canonical_roots\n"
-                "target_file_globs\n"
-                "comparison_basis\n"
-                "completion_boundary\n"
-            ),
-        },
-    }
-    result = _run_hook(payload)
-    assert result.stdout.strip() == ""
-