cursordoctrine 0.3.3 → 0.4.0

package/bin/cli.mjs

@@ -40,7 +40,7 @@ const pendingDir = join(cursorDst, '.hooks-pending');
 const hooksJsonDst = join(cursorDst, 'hooks.json');
 
 const injectName = platform === 'windows' ? 'inject-doctrine.ps1' : 'inject-doctrine.sh';
-const doctrineFiles = [injectName, 'doctrine.md', 'USER-RULES.md', 'declared-editing.md'];
+const doctrineFiles = [injectName, 'doctrine.md', 'USER-RULES.md', 'declared-editing.md', 'pre-compile.md'];
 
 function payloadHookFiles() {
   return readdirSync(join(payload, 'hooks'));
@@ -263,6 +263,22 @@ function verify() {
     return true;
   });
 
+  check('anchor-set nudge fires on first edit, then goes quiet', () => {
+    // First edit of the implementation -> the pre-compile nudge stashes its
+    // advisory in the pending feedback bus and arms the one-shot flag.
+    const first = runHook(hook('anchor-set-nudge'), { conversation_id: 'npxv3', file_path: join(HOME, 'x.py') });
+    if (!first.includes('additional_context') || !first.includes('PRE-COMPILE NUDGE')) {
+      // anchor-set-nudge appends to feedback-<cid>.txt (the shared bus) rather
+      // than emitting JSON directly; drain it the same way post-tool-use does.
+      const drained = runHook(hook('post-tool-use'), { conversation_id: 'npxv3' });
+      if (!drained.includes('PRE-COMPILE NUDGE')) return { ok: false, detail: 'nudge did not reach the feedback bus on first edit' };
+    }
+    // Second edit -> flag is armed, nudge must stay silent.
+    const second = runHook(hook('anchor-set-nudge'), { conversation_id: 'npxv3', file_path: join(HOME, 'y.py') });
+    if (second.includes('PRE-COMPILE NUDGE')) return { ok: false, detail: 'nudge re-fired on second edit (flag not gating)' };
+    return true;
+  });
+
   check('doctrine injection emits additional_context', () =>
     runHook(join(cursorDst, injectName), {}).includes('additional_context'));
 

package/linux/hooks/anchor-set-nudge.sh

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+# anchor-set-nudge.sh - afterFileEdit "pre-compile" nudge (Cursor, Linux).
+#
+# Proactive counterpart to the reactive audits. On the FIRST file edit of an
+# implementation (per conversation), remind the agent to compile its Anchor Set
+# (pre-compile.md) and write .scope.json BEFORE piling on more code. The
+# reactive stack (self-review, anti-slop, final-review) only fires AFTER code
+# exists; this nudge catches intent dilution at token ~50, not at the ~5000 of
+# the stop-hook axis 0. A clean final review of the wrong feature is still the
+# wrong feature - the Anchor Set exists so the right feature is on the rails
+# from the first edit.
+#
+# One-shot PER IMPLEMENTATION, not per session: gated by an
+# anchor-declared-<cid>.flag in the pending dir. That flag is cleared by
+# final-review.sh / subagent-stop-review.sh at the SAME per-implementation
+# boundary where they clear session-edits-<cid>.txt and reviewed-<cid>.flag
+# (the stop after a review pass). So a long conversation with N implementations
+# gets N nudges, not one - every new body of work re-earns the reminder.
+#
+# Advisory only: never blocks, never reads the diff, ALWAYS exits 0. Appends to
+# the shared feedback-<cid>.txt bus; post-tool-use.sh delivers it next turn.
+# Disable: HOOKS_ENFORCE=0  or  ANCHOR_NUDGE_ENFORCE=0
+
+set +e
+. "$(dirname "$0")/hook-common.sh"
+
+[ "${HOOKS_ENFORCE:-}" = "0" ] && exit 0
+[ "${ANCHOR_NUDGE_ENFORCE:-}" = "0" ] && exit 0
+
+input="$(read_hook_stdin)"
+[ -n "$input" ] || exit 0
+
+file_path=""
+for k in file_path path filePath; do
+    file_path="$(json_get "$input" "$k")"
+    [ -n "$file_path" ] && break
+done
+[ -n "$file_path" ] || exit 0
+is_cursor_config_path "$file_path" && exit 0
+
+cid="$(safe_conversation_id "$input")"
+pending_dir="$(hooks_pending_dir)"
+flag="$pending_dir/anchor-declared-$cid.flag"
+
+# Already nudged this implementation -> stay quiet. The flag is cleared at the
+# per-implementation boundary in final-review.sh / subagent-stop-review.sh.
+[ -f "$flag" ] && exit 0
+
+msg="PRE-COMPILE NUDGE - first edit of this implementation: $file_path
+
+Before you keep going, did you compile your Anchor Set (pre-compile.md)?
+  1. OBJECTIVE   - one operational sentence. What is strictly necessary.
+  2. CONSTRAINTS - local negations (what you will NOT do).
+  3. SCOPE       - files to touch, files untouchable.
+  4. SUCCESS     - the one deterministic check that decides done.
+
+If you have not already, write it to .scope.json now (intent / files /
+acceptance / allow_growth). The scope-gate audits every edit against files[],
+and final-review axis 0 traces every diff hunk back to intent. An Anchor Set
+that lives only in your head is not an Anchor Set - the gate cannot audit it.
+
+Skip this for trivial one-liners (typo, literal). Otherwise: compile, then code."
+
+# Append to the shared pending file (same bus as the other advisories).
+pending="$pending_dir/feedback-$cid.txt"
+mkdir -p "$pending_dir" 2>/dev/null
+if [ -s "$pending" ]; then
+    printf '\n\n---\n\n%s' "$msg" >> "$pending" 2>/dev/null
+else
+    printf '%s' "$msg" >> "$pending" 2>/dev/null
+fi
+
+# Arm the one-shot brake BEFORE returning, so a crash after the append can't
+# re-nudge on the next edit. Mirrors the arming order in final-review.sh.
+touch "$flag" 2>/dev/null
+
+exit 0

package/linux/hooks/final-review.sh

@@ -36,13 +36,16 @@ cid="$(safe_conversation_id "$input")"
 pending_dir="$(hooks_pending_dir)"
 marker="$pending_dir/session-edits-$cid.txt"
 flag="$pending_dir/reviewed-$cid.flag"
+anchor_flag="$pending_dir/anchor-declared-$cid.flag"
 
 # Sweep state from sessions that died before their stop hook ran.
 find "$pending_dir" -maxdepth 1 -type f -mtime +7 -delete 2>/dev/null
 
 # One-shot brake: the previous stop for this conversation emitted the review.
+# Also clear anchor-declared-<cid>.flag so the pre-compile nudge re-fires for
+# the NEXT implementation (one nudge per body of work, not per session).
 if [ -f "$flag" ]; then
-    rm -f "$flag" "$marker" 2>/dev/null
+    rm -f "$flag" "$marker" "$anchor_flag" 2>/dev/null
     emit_none
 fi
 
@@ -91,6 +94,14 @@ Fix now, re-run the scan + tests, then stop. If an axis is clean, say so in one
 fi
 body="$(expand_agent_paths "$body")"
 
+# Regla R1 (re-entry): if this review pass is a re-audit after a failed gate or
+# axis, suppress History Propagation - the model must NOT build on its own prior
+# wrong diff. Reset its prior to the Anchor Set, not to its previous attempt.
+reentry_line="
+
+RE-ENTRY RULE (Regla R1): if a gate or axis failed, forget the approach that produced it. Re-read your ORIGINAL REQUEST above and your Anchor Set (.scope.json, if you wrote one). Fix ONLY what is failing. Do not refactor in this pass - that is History Propagation, the exact failure mode the Anchor Set exists to prevent.
+"
+
 file_list=""
 while IFS= read -r p; do
     [ -n "$p" ] || continue
@@ -127,7 +138,7 @@ msg="FINAL REVIEW (end of implementation) - intent, correctness, reliability, co
 ${surface_block}${intent_block}Files you changed this session:
 $file_list
 
-$body"
+${body}${reentry_line}"
 
 # Arm the one-shot brake BEFORE emitting, so a crash after emit can't re-fire.
 touch "$flag" 2>/dev/null

package/linux/hooks/scope-gate-audit.sh

@@ -78,8 +78,10 @@ if p.get("in_scope"):
     sys.exit(3)   # in scope -> clean
 allow_growth = "1" if p.get("allow_growth") else "0"
 intent = p.get("intent", "")
+acceptance = p.get("acceptance", "")
 print(f"__AG__{allow_growth}")
 print(f"__INTENT__{intent}")
+print(f"__ACCEPT__{acceptance}")
 sys.exit(0)
 PYEOF
 }
@@ -90,6 +92,7 @@ rc=$?
 
 allow_growth="$(printf '%s\n' "$parsed" | grep '__AG__' | sed 's/__AG__//')"
 intent="$(printf '%s\n' "$parsed" | grep '__INTENT__' | sed 's/__INTENT__//')"
+acceptance="$(printf '%s\n' "$parsed" | grep '__ACCEPT__' | sed 's/__ACCEPT__//')"
 
 # Read declared files for the message (best-effort)
 declared_files="$(printf '%s' "$scope_file" | "$py" -c "
@@ -102,16 +105,29 @@ except Exception:
 " "$scope_file" 2>/dev/null)"
 
 # --- compose advisory ------------------------------------------------------
+# acceptance line: only quote it when the agent declared one. A blank acceptance
+# means the Anchor Set was incomplete - surface that gap, since the whole point
+# of the pre-compile phase is to name the deterministic success check.
+if [ -n "$acceptance" ]; then
+    acceptance_line="$acceptance"
+else
+    acceptance_line="(not declared - your Anchor Set is missing the EXITO/acceptance field)"
+fi
+
 if [ "$allow_growth" = "1" ]; then
     summary="Scope note - $rel is new vs your declared scope (growth allowed)"
     body="  You touched a file outside your initial declared set. Since allow_growth is
   true, this is not a violation, but justify it: add $rel to .scope.json or
-  explain why the scope grew."
+  explain why the scope grew.
+
+  Your success contract (acceptance): $acceptance_line
+  Does growing into $rel still serve that?"
 else
     summary="[SCOPE VIOLATION] $rel is NOT in your declared scope"
     body="  Your contract (.scope.json):
     intent: $intent
     files: $declared_files
+    acceptance: $acceptance_line
 
   You declared these files and touched one outside the set. Either:
     1. Add $rel to .scope.json with a one-line justification, OR

package/linux/hooks/subagent-stop-review.sh

@@ -44,10 +44,13 @@ cid="$(safe_conversation_id "$input")"
 pending_dir="$(hooks_pending_dir)"
 marker="$pending_dir/session-edits-$cid.txt"
 flag="$pending_dir/reviewed-$cid.flag"
+anchor_flag="$pending_dir/anchor-declared-$cid.flag"
 
 # One-shot brake: the previous subagentStop for this id emitted the review.
+# Also clear anchor-declared-<cid>.flag so the pre-compile nudge re-fires for
+# the next subagent implementation (one nudge per body of work).
 if [ -f "$flag" ]; then
-    rm -f "$flag" "$marker" 2>/dev/null
+    rm -f "$flag" "$marker" "$anchor_flag" 2>/dev/null
     emit_none
 fi
 
@@ -80,6 +83,14 @@ If an axis is clean, say so in one line. Then stop.'
 fi
 body="$(expand_agent_paths "$body")"
 
+# Regla R1 (re-entry): same suppression as final-review.sh. A subagent that
+# failed an axis must not build on its own prior wrong diff - reset its prior
+# to the Anchor Set, not to its previous attempt.
+reentry_line="
+
+RE-ENTRY RULE (Regla R1): if an axis failed, forget the approach that produced it. Re-read your original task and your Anchor Set (.scope.json, if you wrote one). Fix ONLY what is failing. Do not refactor in this pass.
+"
+
 file_list=""
 while IFS= read -r p; do
     [ -n "$p" ] || continue
@@ -94,7 +105,7 @@ msg="SUBAGENT FINAL REVIEW - you just finished delegated implementation work. Be
 Files you changed this run:
 $file_list
 
-$body"
+${body}${reentry_line}"
 
 # Arm the one-shot brake BEFORE emitting, so a crash after emit can't re-fire.
 touch "$flag" 2>/dev/null

package/linux/hooks.json

@@ -38,6 +38,12 @@
         "timeout": 15,
         "matcher": "^(Write|StrReplace|EditNotebook)$",
         "_comment": "15s: AI-slop advisory, companion to minimal-edit-audit. git diff flags new deps / premature abstractions (Factory/Repository/Mediator/CQRS/DDD) / redundant comments, and injects the anti-slop.md self-review checklist on substantial edits (>= ANTI_SLOP_CHECKLIST_LINES, default 40). Appends to the conversation's pending file; never blocks. Disable: HOOKS_ENFORCE=0 or ANTI_SLOP_ENFORCE=0."
+      },
+      {
+        "command": "bash ~/.agents/hooks/anchor-set-nudge.sh",
+        "timeout": 5,
+        "matcher": "^(Write|StrReplace|EditNotebook)$",
+        "_comment": "5s: PROACTIVE pre-compile nudge. On the FIRST edit of each implementation (per conversation), remind the agent to compile its Anchor Set (pre-compile.md) into .scope.json BEFORE piling on more code. The reactive audits (self-review / anti-slop / final-review axis 0) only fire after code exists; this catches intent dilution at token ~50 instead of ~5000. One-shot per implementation: gated by anchor-declared-<cid>.flag, which final-review.sh / subagent-stop-review.sh clear at the same per-implementation boundary as reviewed-<cid>.flag. Advisory only; never blocks. Disable: HOOKS_ENFORCE=0 or ANCHOR_NUDGE_ENFORCE=0."
       }
     ],
     "postToolUse": [

package/linux/inject-doctrine.sh

@@ -16,7 +16,7 @@ set +e
 cat >/dev/null
 
 context=""
-for p in "$HOME/.cursor/doctrine.md" "$HOME/.cursor/USER-RULES.md" "$HOME/.cursor/declared-editing.md"; do
+for p in "$HOME/.cursor/doctrine.md" "$HOME/.cursor/USER-RULES.md" "$HOME/.cursor/declared-editing.md" "$HOME/.cursor/pre-compile.md"; do
     if [ -f "$p" ]; then
         part="$(cat "$p")"
         if [ -n "$context" ]; then context="$context

package/linux/pre-compile.md

@@ -0,0 +1,72 @@
+# Pre-compile — Thin Intent Compilation
+
+ACTIVE EVERY IMPLEMENTATION TURN. Before writing or modifying a single line of
+code, emit your Anchor Set. Compiling intent first is what stops the dilution
+that no later axis can fully undo — a clean final review of the wrong feature
+is still the wrong feature.
+
+This is the proactive phase. The anti-slop checklist, the self-review trigger
+and the final review are reactive — they audit after the fact. You compile the
+intent BEFORE the first token of code so they have the right thing to audit.
+
+## The Anchor Set
+
+Answer these four, terse, in your first response. One phrase each, not prose:
+
+1. OBJECTIVE — one operational sentence. What is *strictly* necessary. Not
+   "improve X" — "make X return Y when Z".
+2. CONSTRAINTS (local negations) — what you will NOT do. "NO schema migration.
+   NO new dependency. NO refactor of the surrounding function." Negations bind
+   harder than the objective: a constraint that the task contradicts is a bug
+   in your reading of the task, and you ask before you override it.
+3. SCOPE —
+   - FILES TO TOUCH: exact list, derived from the objective, nothing speculative.
+   - FILES UNTOUCHABLE: anything the system marked off-limits (.cursor state,
+     lockfiles you weren't asked to touch, files outside the request's blast
+     radius).
+4. DETERMINISTIC SUCCESS — the one command, test, or observable check that
+   will decide whether this is done. "Tests pass" is not deterministic; the
+   specific failing test going green is. If you cannot name one, you do not
+   yet understand the task — ask.
+
+## Materialize it: .scope.json
+
+Write the Anchor Set to `.scope.json` in the repo root before editing source.
+This is the machine-checkable form — the scope-gate hook audits every edit
+against `files[]`, and the final-review axis 0 traces every diff hunk back to
+`intent`. An Anchor Set that lives only in your head is not an Anchor Set.
+
+```json
+{
+  "intent": "<OBJECTIVE>",
+  "files": ["<FILES TO TOUCH, repo-relative, glob-friendly>"],
+  "acceptance": "<DETERMINISTIC SUCCESS>",
+  "allow_growth": false
+}
+```
+
+`allow_growth: false` is the default — the gate fires on any edit outside
+`files[]`. Set it true only if you expect the work to discover new files
+(a refactor, a migration) and you will justify each one as it appears.
+
+No need to write `.scope.json` for trivial one-liners (a typo, a literal).
+The declared-editing ladder's rung 1 ("does this need to exist?") governs when
+the Anchor Set itself is overkill. When in doubt, write it.
+
+## Regla R3 — Authority
+
+If, during execution, you read logs or code that contradict these anchors,
+**the anchors win.** Prior history in this session is auditor material, not
+authority. An earlier wrong assumption of yours does not override the Anchor
+Set you declared at the start.
+
+## Regla R1 — On re-entry (when the loop hands you back a failure)
+
+If the harness returns a gate failure or a failed axis: forget the approach
+that produced it. Re-read your OBJECTIVE and your Anchor Set, not your prior
+diff. Fix ONLY what is failing. Do not refactor in the same pass — that is
+History Propagation, the failure mode the Anchor Set exists to prevent.
+
+---
+
+End of pre-compile. Now emit the Anchor Set, then do the work.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cursordoctrine",
-  "version": "0.3.3",
-  "description": "Thin self-review hooks for Cursor — the model is the auditor. Intent-trace final review (Tier 0), unified 13-item anti-slop checklist, operational slop detection.",
+  "version": "0.4.0",
+  "description": "Thin self-review hooks for Cursor — the model is the auditor. Pre-compile Anchor Set phase (proactive intent compilation), intent-trace final review (Tier 0), unified 13-item anti-slop checklist, operational slop detection.",
   "bin": {
     "cursordoctrine": "bin/cli.mjs"
   },

package/skills/anti-slop/scripts/scope_match.py

@@ -5,7 +5,16 @@ One job: given a repo-relative path and a list of declared-scope patterns
 (from .scope.json `files`), return whether the path is in scope. Shared
 between the per-edit scope-gate-audit hook (afterFileEdit) and final-review's
 declared-scope check (Step C), so the two never disagree on what counts as
-"in scope".
+"in scope". It also surfaces the contract's `intent` and `acceptance` fields
+so the calling hook can quote them back to the agent.
+
+.scope.json schema (intent + files[] + acceptance + allow_growth):
+  {
+    "intent":       "one operational sentence of objective",
+    "files":        [ "repo-relative globs", ... ],
+    "acceptance":   "the deterministic check that decides success",
+    "allow_growth": false
+  }
 
 Pattern support:
   - exact path:   src/components/LoginButton.tsx
@@ -17,7 +26,8 @@ Stdlib only; Python 3.9+. REPORTS only - never edits.
 
 CLI:
   scope_match.py --path src/auth/session.ts --patterns-file .scope.json
-  -> prints JSON {"in_scope": false, "matched_by": null} and exits 0
+  -> prints JSON {"in_scope": false, "matched_by": null, "acceptance": "..."}
+     and exits 0
   -> if .scope.json is missing or unparseable, prints {"in_scope": true,
      "skipped": "no .scope.json"} (fail-open: no contract = no gate)
 """
@@ -129,6 +139,7 @@ def main() -> int:
             "matched_by": by,
             "allow_growth": bool(scope.get("allow_growth", False)),
             "intent": scope.get("intent", ""),
+            "acceptance": scope.get("acceptance", ""),
         }
 
     print(json.dumps(result))

package/windows/hooks/anchor-set-nudge.ps1

@@ -0,0 +1,76 @@
+# anchor-set-nudge.ps1 - afterFileEdit "pre-compile" nudge (Cursor).
+#
+# Proactive counterpart to the reactive audits. On the FIRST file edit of an
+# implementation (per conversation), remind the agent to compile its Anchor Set
+# (pre-compile.md) and write .scope.json BEFORE piling on more code. The
+# reactive stack (self-review, anti-slop, final-review) only fires AFTER code
+# exists; this nudge catches intent dilution at token ~50, not at the ~5000 of
+# the stop-hook axis 0. A clean final review of the wrong feature is still the
+# wrong feature - the Anchor Set exists so the right feature is on the rails
+# from the first edit.
+#
+# One-shot PER IMPLEMENTATION, not per session: gated by an
+# anchor-declared-<cid>.flag in the pending dir. That flag is cleared by
+# final-review.ps1 / subagent-stop-review.ps1 at the SAME per-implementation
+# boundary where they clear session-edits-<cid>.txt and reviewed-<cid>.flag
+# (the stop after a review pass). So a long conversation with N implementations
+# gets N nudges, not one - every new body of work re-earns the reminder.
+#
+# Advisory only: never blocks, never reads the diff, ALWAYS exits 0. Appends to
+# the shared feedback-<cid>.txt bus; post-tool-use.ps1 delivers it next turn.
+# Disable: HOOKS_ENFORCE=0  or  ANCHOR_NUDGE_ENFORCE=0
+
+$ErrorActionPreference = 'SilentlyContinue'
+. "$PSScriptRoot\hook-common.ps1"
+
+if ($env:HOOKS_ENFORCE -eq '0' -or $env:ANCHOR_NUDGE_ENFORCE -eq '0') { exit 0 }
+
+$obj = Read-HookStdinJson
+if (-not $obj) { exit 0 }
+
+$filePath = ''
+if     ($obj.PSObject.Properties['file_path']) { $filePath = [string]$obj.file_path }
+elseif ($obj.PSObject.Properties['path'])      { $filePath = [string]$obj.path }
+elseif ($obj.PSObject.Properties['filePath'])  { $filePath = [string]$obj.filePath }
+if (-not $filePath) { exit 0 }
+if (Test-IsCursorConfigPath $filePath) { exit 0 }
+
+$cid = Get-SafeConversationId $obj
+$pendingDir = Get-HooksPendingDir
+$flag = Join-Path $pendingDir "anchor-declared-$cid.flag"
+
+# Already nudged this implementation -> stay quiet. The flag is cleared at the
+# per-implementation boundary in final-review.ps1 / subagent-stop-review.ps1.
+if (Test-Path $flag) { exit 0 }
+
+$msg = @"
+PRE-COMPILE NUDGE - first edit of this implementation: $filePath
+
+Before you keep going, did you compile your Anchor Set (pre-compile.md)?
+  1. OBJECTIVE   - one operational sentence. What is strictly necessary.
+  2. CONSTRAINTS - local negations (what you will NOT do).
+  3. SCOPE       - files to touch, files untouchable.
+  4. SUCCESS     - the one deterministic check that decides done.
+
+If you have not already, write it to .scope.json now (intent / files /
+acceptance / allow_growth). The scope-gate audits every edit against files[],
+and final-review axis 0 traces every diff hunk back to intent. An Anchor Set
+that lives only in your head is not an Anchor Set - the gate cannot audit it.
+
+Skip this for trivial one-liners (typo, literal). Otherwise: compile, then code.
+"@
+
+# Append to the shared pending file (same bus as the other advisories).
+$pending = Join-Path $pendingDir "feedback-$cid.txt"
+try {
+    New-Item -ItemType Directory -Path $pendingDir -Force | Out-Null
+    $prefix = ''
+    if ((Test-Path $pending) -and ((Get-Item $pending).Length -gt 0)) { $prefix = "`n`n---`n`n" }
+    Add-Content -Path $pending -Value ($prefix + $msg) -NoNewline
+} catch { }
+
+# Arm the one-shot brake BEFORE returning, so a crash after the append can't
+# re-nudge on the next edit. Mirrors the arming order in final-review.ps1.
+New-Item -ItemType File -Path $flag -Force -ErrorAction SilentlyContinue | Out-Null
+
+exit 0

package/windows/hooks/final-review.ps1

@@ -40,6 +40,7 @@ $cid = Get-SafeConversationId $obj
 $pendingDir = Get-HooksPendingDir
 $marker = Join-Path $pendingDir "session-edits-$cid.txt"
 $flag   = Join-Path $pendingDir "reviewed-$cid.flag"
+$anchorFlag = Join-Path $pendingDir "anchor-declared-$cid.flag"
 
 # Sweep state from sessions that died before their stop hook ran. Cheap (one
 # directory listing on an event that fires once per agent loop).
@@ -49,8 +50,10 @@ Get-ChildItem $pendingDir -File -ErrorAction SilentlyContinue |
 
 # One-shot brake: the previous stop for this conversation emitted the review.
 # Clear the flag (and whatever the review pass itself edited) and end the loop.
+# Also clear anchor-declared-<cid>.flag so the pre-compile nudge re-fires for
+# the NEXT implementation (one nudge per body of work, not per session).
 if (Test-Path $flag) {
-    Remove-Item $flag, $marker -Force -ErrorAction SilentlyContinue
+    Remove-Item $flag, $marker, $anchorFlag -Force -ErrorAction SilentlyContinue
     Emit-None
 }
 
@@ -102,6 +105,11 @@ Fix now, re-run the scan + tests, then stop. If an axis is clean, say so in one
 }
 $body = Expand-AgentPaths $body
 
+# Regla R1 (re-entry): if this review pass is a re-audit after a failed gate or
+# axis, suppress History Propagation - the model must NOT build on its own prior
+# wrong diff. Reset its prior to the Anchor Set, not to its previous attempt.
+$reentryLine = "`n`nRE-ENTRY RULE (Regla R1): if a gate or axis failed, forget the approach that produced it. Re-read your ORIGINAL REQUEST above and your Anchor Set (.scope.json, if you wrote one). Fix ONLY what is failing. Do not refactor in this pass - that is History Propagation, the exact failure mode the Anchor Set exists to prevent.`n"
+
 $resolved = @($edited | ForEach-Object { Resolve-AgentPath $_ })
 $fileList = ($resolved | Select-Object -First 30) -join "`n  "
 
@@ -121,7 +129,7 @@ if ($userQuery) {
 $uniqueFiles = @($edited | Select-Object -Unique).Count
 $surfaceBlock = "Session footprint: $uniqueFiles file(s) touched. If a simple request produced >5 files or >200 lines, justify each file's inclusion or trim.`n`n"
 
-$msg = "FINAL REVIEW (end of implementation) - intent, correctness, reliability, coverage, anti-slop.`n`n${surfaceBlock}${intentBlock}Files you changed this session:`n  $fileList`n`n$body"
+$msg = "FINAL REVIEW (end of implementation) - intent, correctness, reliability, coverage, anti-slop.`n`n${surfaceBlock}${intentBlock}Files you changed this session:`n  $fileList`n`n$body${reentryLine}"
 
 # Arm the one-shot brake BEFORE emitting, so a crash after emit can't re-fire.
 New-Item -ItemType File -Path $flag -Force -ErrorAction SilentlyContinue | Out-Null

package/windows/hooks/permission-gate.ps1

@@ -1,98 +1,98 @@
-# permission-gate.ps1 - beforeShellExecution for Cursor.
-#
-# Single responsibility: deny a small, explicit list of dangerous commands.
-# This is a *permission* gate, not a *quality* gate. The model handles
-# quality; the harness handles blast radius.
-#
-# Behavior:
-#   - Exit 0 always.
-#   - Print Cursor-canonical {"permission": "allow"|"deny", ...} JSON.
-#   - On internal failure: fail OPEN (allow), never block the user.
-#
-# Disable: PERM_GATE_ENFORCE=0
-
-$ErrorActionPreference = 'SilentlyContinue'
-. "$PSScriptRoot\hook-common.ps1"
-
-if ($env:PERM_GATE_ENFORCE -eq '0') {
-    Write-HookJson @{ permission = 'allow' }
-    exit 0
-}
-
-# Without BOM-safe decode the JSON never parses, the raw-text fallback below
-# matches deny patterns anywhere in the envelope (false positives), and the
-# deny message leaks conversation id / transcript path / user email into the UI.
-$inputText = Read-HookStdin
-
-$cmd = ''
-if ($inputText) {
-    try {
-        $obj = $inputText | ConvertFrom-Json
-        if ($obj -and $obj.PSObject.Properties['command']) {
-            $cmd = [string]$obj.command
-        }
-    } catch {
-        $cmd = ''
-    }
-    # Belt-and-braces: if stdin was not the documented JSON shape, still gate
-    # on the raw text rather than waving everything through.
-    if (-not $cmd) { $cmd = $inputText }
-}
-
-if (-not $cmd) {
-    Write-HookJson @{ permission = 'allow' }
-    exit 0
-}
-
-function Test-Deny {
-    param([string]$Pattern, [string]$Reason)
-    if ($cmd -match $Pattern) { Deny $Reason }
-}
-
-function Deny {
-    param([string]$Reason)
-    # Truncate the echo: the command can be a multi-hundred-char one-liner and
-    # the UI message only needs enough to identify it.
-    $shown = if ($cmd.Length -gt 400) { $cmd.Substring(0, 400) + '...' } else { $cmd }
-    $userMsg = "BLOCKED by permission-gate: $Reason`n`nCommand: $shown`n`nIf this is genuinely intended, run it yourself in your terminal."
-    Write-HookJson @{
-        permission    = 'deny'
-        user_message  = $userMsg
-        agent_message = "$userMsg Do not retry verbatim. Ask the user to run it manually if it is truly intended."
-    }
-    exit 0
-}
-
-# --- POSIX-flavored ---------------------------------------------------------
-# Anchored to start OR a command separator so `cd /tmp && rm -rf /` is caught,
-# while `git rm`, `npm run rm-cache`, `echo "rm -rf /"` stay allowed.
-Test-Deny '(?:^|[;&|]\s*)(?:sudo\s+)?rm\s+-[a-zA-Z]*([rR][fF]|[fF][rR])[a-zA-Z]*\s+/' 'destructive rm -rf on absolute path (use relative paths or be more specific)'
-Test-Deny ':\(\)\{\s*:\|:&\s*\};:|bash\s+-c\s+["'']*:\s*\(\)\{' 'reverse shell / fork-bomb pattern'
-Test-Deny 'curl\s.*\|\s*(sudo\s*)?(bash|sh|zsh|dash|ash)' 'curl piped to shell'
-Test-Deny 'wget\s.*\|\s*(sudo\s*)?(bash|sh|zsh|dash|ash)' 'wget piped to shell'
-Test-Deny 'git\s+push\s+.*--force(-with-lease)?(\s|$)' 'git push --force'
-Test-Deny 'git\s+push\s+(-f|--force)(\s|$)' 'git push -f / --force'
-Test-Deny 'git\s+reset\s+--hard' 'git reset --hard (data loss)'
-Test-Deny 'git\s+clean\s+-[a-zA-Z]*f' 'git clean -f (untracked data loss)'
-Test-Deny 'dd\s.*of=/dev/(sd|nvme|hd|xvd)' 'dd to block device'
-Test-Deny 'mkfs(\.[a-z0-9]+)?\s+/dev/' 'mkfs on device'
-Test-Deny 'chmod\s+-R\s+777\s+/' 'chmod -R 777 on root'
-Test-Deny 'chown\s+-R\s+[^\s]+\s+/' 'chown -R on root'
-Test-Deny '^(npm|pnpm|yarn)\s+publish(\s|$)' 'package publish (use ship-hook, not direct publish)'
-
-# --- Windows equivalents (the agent shell here IS PowerShell) ---------------
-# iwr/irm | iex is the moral twin of curl|sh.
-Test-Deny '\b(iwr|irm|curl|wget|Invoke-WebRequest|Invoke-RestMethod)\b[^|]*\|\s*(iex\b|Invoke-Expression)' 'web download piped to Invoke-Expression'
-# Disk-level destruction, twin of mkfs / dd-to-device.
-Test-Deny '\b(Format-Volume|Clear-Disk)\b' 'disk format / clear (destructive)'
-# Recursive+forced delete of a bare drive root, user-profile root, or
-# C:\Users / C:\Windows. Twin of rm -rf /. Composed checks instead of one
-# unreadable regex; subfolder deletes (e.g. C:\Temp\x) stay allowed.
-$rmVerb    = '(?:^|[;&|]\s*)(?:Remove-Item|rm|ri|del|erase|rd|rmdir)\s'
-$rootPath  = '(?:^|[\s"''])(?:[A-Za-z]:[\\/]{0,2}|[A-Za-z]:[\\/](?:Users|Windows)[\\/]?|\$(?:env:USERPROFILE|HOME)[\\/]?)["'']?\s*(?:$|[;&|-])'
-if (($cmd -match $rmVerb) -and ($cmd -match $rootPath) -and ($cmd -match '(?:-Recurse\b|/s\b)') -and ($cmd -match '(?:-Force\b|/q\b)')) {
-    Deny 'recursive forced delete of a drive root / Users / Windows / profile root'
-}
-
-Write-HookJson @{ permission = 'allow' }
-exit 0
+# permission-gate.ps1 - beforeShellExecution for Cursor.
+#
+# Single responsibility: deny a small, explicit list of dangerous commands.
+# This is a *permission* gate, not a *quality* gate. The model handles
+# quality; the harness handles blast radius.
+#
+# Behavior:
+#   - Exit 0 always.
+#   - Print Cursor-canonical {"permission": "allow"|"deny", ...} JSON.
+#   - On internal failure: fail OPEN (allow), never block the user.
+#
+# Disable: PERM_GATE_ENFORCE=0
+
+$ErrorActionPreference = 'SilentlyContinue'
+. "$PSScriptRoot\hook-common.ps1"
+
+if ($env:PERM_GATE_ENFORCE -eq '0') {
+    Write-HookJson @{ permission = 'allow' }
+    exit 0
+}
+
+# Without BOM-safe decode the JSON never parses, the raw-text fallback below
+# matches deny patterns anywhere in the envelope (false positives), and the
+# deny message leaks conversation id / transcript path / user email into the UI.
+$inputText = Read-HookStdin
+
+$cmd = ''
+if ($inputText) {
+    try {
+        $obj = $inputText | ConvertFrom-Json
+        if ($obj -and $obj.PSObject.Properties['command']) {
+            $cmd = [string]$obj.command
+        }
+    } catch {
+        $cmd = ''
+    }
+    # Belt-and-braces: if stdin was not the documented JSON shape, still gate
+    # on the raw text rather than waving everything through.
+    if (-not $cmd) { $cmd = $inputText }
+}
+
+if (-not $cmd) {
+    Write-HookJson @{ permission = 'allow' }
+    exit 0
+}
+
+function Test-Deny {
+    param([string]$Pattern, [string]$Reason)
+    if ($cmd -match $Pattern) { Deny $Reason }
+}
+
+function Deny {
+    param([string]$Reason)
+    # Truncate the echo: the command can be a multi-hundred-char one-liner and
+    # the UI message only needs enough to identify it.
+    $shown = if ($cmd.Length -gt 400) { $cmd.Substring(0, 400) + '...' } else { $cmd }
+    $userMsg = "BLOCKED by permission-gate: $Reason`n`nCommand: $shown`n`nIf this is genuinely intended, run it yourself in your terminal."
+    Write-HookJson @{
+        permission    = 'deny'
+        user_message  = $userMsg
+        agent_message = "$userMsg Do not retry verbatim. Ask the user to run it manually if it is truly intended."
+    }
+    exit 0
+}
+
+# --- POSIX-flavored ---------------------------------------------------------
+# Anchored to start OR a command separator so `cd /tmp && rm -rf /` is caught,
+# while `git rm`, `npm run rm-cache`, `echo "rm -rf /"` stay allowed.
+Test-Deny '(?:^|[;&|]\s*)(?:sudo\s+)?rm\s+-[a-zA-Z]*([rR][fF]|[fF][rR])[a-zA-Z]*\s+/' 'destructive rm -rf on absolute path (use relative paths or be more specific)'
+Test-Deny ':\(\)\{\s*:\|:&\s*\};:|bash\s+-c\s+["'']*:\s*\(\)\{' 'reverse shell / fork-bomb pattern'
+Test-Deny 'curl\s.*\|\s*(sudo\s*)?(bash|sh|zsh|dash|ash)' 'curl piped to shell'
+Test-Deny 'wget\s.*\|\s*(sudo\s*)?(bash|sh|zsh|dash|ash)' 'wget piped to shell'
+Test-Deny 'git\s+push\s+.*--force(-with-lease)?(\s|$)' 'git push --force'
+Test-Deny 'git\s+push\s+(-f|--force)(\s|$)' 'git push -f / --force'
+Test-Deny 'git\s+reset\s+--hard' 'git reset --hard (data loss)'
+Test-Deny 'git\s+clean\s+-[a-zA-Z]*f' 'git clean -f (untracked data loss)'
+Test-Deny 'dd\s.*of=/dev/(sd|nvme|hd|xvd)' 'dd to block device'
+Test-Deny 'mkfs(\.[a-z0-9]+)?\s+/dev/' 'mkfs on device'
+Test-Deny 'chmod\s+-R\s+777\s+/' 'chmod -R 777 on root'
+Test-Deny 'chown\s+-R\s+[^\s]+\s+/' 'chown -R on root'
+Test-Deny '^(npm|pnpm|yarn)\s+publish(\s|$)' 'package publish (use ship-hook, not direct publish)'
+
+# --- Windows equivalents (the agent shell here IS PowerShell) ---------------
+# iwr/irm | iex is the moral twin of curl|sh.
+Test-Deny '\b(iwr|irm|curl|wget|Invoke-WebRequest|Invoke-RestMethod)\b[^|]*\|\s*(iex\b|Invoke-Expression)' 'web download piped to Invoke-Expression'
+# Disk-level destruction, twin of mkfs / dd-to-device.
+Test-Deny '\b(Format-Volume|Clear-Disk)\b' 'disk format / clear (destructive)'
+# Recursive+forced delete of a bare drive root, user-profile root, or
+# C:\Users / C:\Windows. Twin of rm -rf /. Composed checks instead of one
+# unreadable regex; subfolder deletes (e.g. C:\Temp\x) stay allowed.
+$rmVerb    = '(?:^|[;&|]\s*)(?:Remove-Item|rm|ri|del|erase|rd|rmdir)\s'
+$rootPath  = '(?:^|[\s"''])(?:[A-Za-z]:[\\/]{0,2}|[A-Za-z]:[\\/](?:Users|Windows)[\\/]?|\$(?:env:USERPROFILE|HOME)[\\/]?)["'']?\s*(?:$|[;&|-])'
+if (($cmd -match $rmVerb) -and ($cmd -match $rootPath) -and ($cmd -match '(?:-Recurse\b|/s\b)') -and ($cmd -match '(?:-Force\b|/q\b)')) {
+    Deny 'recursive forced delete of a drive root / Users / Windows / profile root'
+}
+
+Write-HookJson @{ permission = 'allow' }
+exit 0

package/windows/hooks/scope-gate-audit.ps1

@@ -78,6 +78,8 @@ $allowGrowth = $false
 if ($payload.PSObject.Properties['allow_growth'] -and $payload.allow_growth) { $allowGrowth = $true }
 $intent = ''
 if ($payload.PSObject.Properties['intent']) { $intent = [string]$payload.intent }
+$acceptance = ''
+if ($payload.PSObject.Properties['acceptance']) { $acceptance = [string]$payload.acceptance }
 
 # Read the declared files list for the message (best-effort; skip on failure)
 $declaredFiles = ''
@@ -86,6 +88,11 @@ try {
     if ($scopeJson.files) { $declaredFiles = ($scopeJson.files -join ', ') }
 } catch { }
 
+# acceptance line: only quote it when the agent bothered to declare one. A blank
+# acceptance means the Anchor Set was incomplete - surface that gap, since the
+# whole point of the pre-compile phase is to name the deterministic success check.
+$acceptanceLine = if ($acceptance) { $acceptance } else { '(not declared — your Anchor Set is missing the ÉXITO/acceptance field)' }
+
 if ($allowGrowth) {
     # Growth is allowed: informational, not a violation
     $summary = "Scope note - $rel is new vs your declared scope (growth allowed)"
@@ -93,6 +100,9 @@ if ($allowGrowth) {
   You touched a file outside your initial declared set. Since allow_growth is
   true, this is not a violation, but justify it: add $rel to .scope.json or
   explain why the scope grew.
+
+  Your success contract (acceptance): $acceptanceLine
+  Does growing into $rel still serve that?
 "@
 } else {
     # Hard violation: edited outside the declared contract
@@ -101,6 +111,7 @@ if ($allowGrowth) {
   Your contract (.scope.json):
     intent: $intent
     files: $declaredFiles
+    acceptance: $acceptanceLine
 
   You declared these files and touched one outside the set. Either:
     1. Add $rel to .scope.json with a one-line justification, OR

package/windows/hooks/self-review-trigger.ps1

@@ -1,83 +1,83 @@
-# self-review-trigger.ps1 - afterFileEdit for Cursor.
-#
-# Single responsibility: when the model just edited a file, hand the
-# edit context to the NEXT model turn as additional_context. The model
-# is the auditor; the harness is just the message bus.
-#
-# This is intentionally minimal:
-#   - We do NOT parse the diff ourselves.
-#   - We do NOT spawn a sub-agent.
-#   - We do NOT write to .stuck-files/.
-#   - We do NOT block.
-#
-# We DO:
-#   - Capture the edited file path.
-#   - Stash a self-review prompt that primes the model's next turn.
-#   - Exit 0 always.
-#
-# Cursor's afterFileEdit doesn't consume its own output. To actually
-# surface the message, post-tool-use.ps1 re-emits it on the next tool
-# boundary. See hooks.json.
-
-$ErrorActionPreference = 'SilentlyContinue'
-. "$PSScriptRoot\hook-common.ps1"
-
-$inputText = Read-HookStdin
-
-$filePath = ''
-$cid = ''
-if ($inputText) {
-    try {
-        $obj = $inputText | ConvertFrom-Json
-        if ($obj) {
-            if     ($obj.PSObject.Properties['file_path']) { $filePath = [string]$obj.file_path }
-            elseif ($obj.PSObject.Properties['path'])      { $filePath = [string]$obj.path }
-            elseif ($obj.PSObject.Properties['filePath'])  { $filePath = [string]$obj.filePath }
-            $cid = Get-SafeConversationId $obj
-        }
-    } catch {
-        $filePath = ''
-    }
-}
-
-# Empty path (JSON parse failed, or no file_path field) -> nothing to record.
-# Without this guard the .cursor regex below doesn't match '' and we append a
-# blank line to the session-edits marker on every such fire (it accumulates fast).
-if (-not $filePath) { exit 0 }
-if (Test-IsCursorConfigPath $filePath) { exit 0 }
-
-# State is keyed by conversation_id and lives under $HOME, never the project:
-# no repo litter, works in workspace-less sessions (CURSOR_PROJECT_DIR/
-# workspace_roots are empty there), and concurrent sessions cannot drain each
-# other's prompts.
-$pendingDir = Get-HooksPendingDir
-
-# Record this edit for the end-of-implementation review. The stop hook
-# (final-review.ps1) drains this marker to fire one final review pass over
-# everything changed this agent loop. Append = running list of edits.
-try {
-    $mk = Join-Path $pendingDir "session-edits-$cid.txt"
-    New-Item -ItemType Directory -Path $pendingDir -Force | Out-Null
-    Add-Content -Path $mk -Value $filePath
-} catch { }
-
-$doctrineFile = Join-Path $HOME '.agents\hooks\self-review.md'
-if (-not (Test-Path $doctrineFile)) { exit 0 }
-$doctrine = Get-Content $doctrineFile -Raw
-
-$msg = "SELF-REVIEW TRIGGER - you just edited: $filePath`n`n$doctrine"
-
-$pendingFile = Join-Path $pendingDir "feedback-$cid.txt"
-
-try {
-    New-Item -ItemType Directory -Path $pendingDir -Force | Out-Null
-    $prefix = ''
-    if ((Test-Path $pendingFile) -and ((Get-Item $pendingFile).Length -gt 0)) {
-        $prefix = "`n`n---`n`n"
-    }
-    Add-Content -Path $pendingFile -Value ($prefix + $msg) -NoNewline
-} catch {
-    # Silently fail open
-}
-
-exit 0
+# self-review-trigger.ps1 - afterFileEdit for Cursor.
+#
+# Single responsibility: when the model just edited a file, hand the
+# edit context to the NEXT model turn as additional_context. The model
+# is the auditor; the harness is just the message bus.
+#
+# This is intentionally minimal:
+#   - We do NOT parse the diff ourselves.
+#   - We do NOT spawn a sub-agent.
+#   - We do NOT write to .stuck-files/.
+#   - We do NOT block.
+#
+# We DO:
+#   - Capture the edited file path.
+#   - Stash a self-review prompt that primes the model's next turn.
+#   - Exit 0 always.
+#
+# Cursor's afterFileEdit doesn't consume its own output. To actually
+# surface the message, post-tool-use.ps1 re-emits it on the next tool
+# boundary. See hooks.json.
+
+$ErrorActionPreference = 'SilentlyContinue'
+. "$PSScriptRoot\hook-common.ps1"
+
+$inputText = Read-HookStdin
+
+$filePath = ''
+$cid = ''
+if ($inputText) {
+    try {
+        $obj = $inputText | ConvertFrom-Json
+        if ($obj) {
+            if     ($obj.PSObject.Properties['file_path']) { $filePath = [string]$obj.file_path }
+            elseif ($obj.PSObject.Properties['path'])      { $filePath = [string]$obj.path }
+            elseif ($obj.PSObject.Properties['filePath'])  { $filePath = [string]$obj.filePath }
+            $cid = Get-SafeConversationId $obj
+        }
+    } catch {
+        $filePath = ''
+    }
+}
+
+# Empty path (JSON parse failed, or no file_path field) -> nothing to record.
+# Without this guard the .cursor regex below doesn't match '' and we append a
+# blank line to the session-edits marker on every such fire (it accumulates fast).
+if (-not $filePath) { exit 0 }
+if (Test-IsCursorConfigPath $filePath) { exit 0 }
+
+# State is keyed by conversation_id and lives under $HOME, never the project:
+# no repo litter, works in workspace-less sessions (CURSOR_PROJECT_DIR/
+# workspace_roots are empty there), and concurrent sessions cannot drain each
+# other's prompts.
+$pendingDir = Get-HooksPendingDir
+
+# Record this edit for the end-of-implementation review. The stop hook
+# (final-review.ps1) drains this marker to fire one final review pass over
+# everything changed this agent loop. Append = running list of edits.
+try {
+    $mk = Join-Path $pendingDir "session-edits-$cid.txt"
+    New-Item -ItemType Directory -Path $pendingDir -Force | Out-Null
+    Add-Content -Path $mk -Value $filePath
+} catch { }
+
+$doctrineFile = Join-Path $HOME '.agents\hooks\self-review.md'
+if (-not (Test-Path $doctrineFile)) { exit 0 }
+$doctrine = Get-Content $doctrineFile -Raw
+
+$msg = "SELF-REVIEW TRIGGER - you just edited: $filePath`n`n$doctrine"
+
+$pendingFile = Join-Path $pendingDir "feedback-$cid.txt"
+
+try {
+    New-Item -ItemType Directory -Path $pendingDir -Force | Out-Null
+    $prefix = ''
+    if ((Test-Path $pendingFile) -and ((Get-Item $pendingFile).Length -gt 0)) {
+        $prefix = "`n`n---`n`n"
+    }
+    Add-Content -Path $pendingFile -Value ($prefix + $msg) -NoNewline
+} catch {
+    # Silently fail open
+}
+
+exit 0

package/windows/hooks/subagent-stop-review.ps1

@@ -43,10 +43,13 @@ $cid = Get-SafeConversationId $obj
 $pendingDir = Get-HooksPendingDir
 $marker = Join-Path $pendingDir "session-edits-$cid.txt"
 $flag   = Join-Path $pendingDir "reviewed-$cid.flag"
+$anchorFlag = Join-Path $pendingDir "anchor-declared-$cid.flag"
 
 # One-shot brake: the previous subagentStop for this id emitted the review.
+# Also clear anchor-declared-<cid>.flag so the pre-compile nudge re-fires for
+# the next subagent implementation (one nudge per body of work).
 if (Test-Path $flag) {
-    Remove-Item $flag, $marker -Force -ErrorAction SilentlyContinue
+    Remove-Item $flag, $marker, $anchorFlag -Force -ErrorAction SilentlyContinue
     Emit-None
 }
 
@@ -81,9 +84,14 @@ If an axis is clean, say so in one line. Then stop.
 }
 $body = Expand-AgentPaths $body
 
+# Regla R1 (re-entry): same suppression as final-review.ps1. A subagent that
+# failed an axis must not build on its own prior wrong diff - reset its prior
+# to the Anchor Set, not to its previous attempt.
+$reentryLine = "`n`nRE-ENTRY RULE (Regla R1): if an axis failed, forget the approach that produced it. Re-read your original task and your Anchor Set (.scope.json, if you wrote one). Fix ONLY what is failing. Do not refactor in this pass.`n"
+
 $resolved = @($edited | ForEach-Object { Resolve-AgentPath $_ })
 $fileList = ($resolved | Select-Object -First 30) -join "`n  "
-$msg = "SUBAGENT FINAL REVIEW - you just finished delegated implementation work. Before your result returns to the parent agent, audit it.`n`nFiles you changed this run:`n  $fileList`n`n$body"
+$msg = "SUBAGENT FINAL REVIEW - you just finished delegated implementation work. Before your result returns to the parent agent, audit it.`n`nFiles you changed this run:`n  $fileList`n`n$body${reentryLine}"
 
 # Arm the one-shot brake BEFORE emitting, so a crash after emit can't re-fire.
 New-Item -ItemType File -Path $flag -Force -ErrorAction SilentlyContinue | Out-Null

package/windows/hooks.json

@@ -38,6 +38,12 @@
         "timeout": 15,
         "matcher": "^(Write|StrReplace|EditNotebook)$",
         "_comment": "15s: AI-slop advisory, companion to minimal-edit-audit. Native git diff flags new deps / premature abstractions (Factory/Repository/Mediator/CQRS/DDD) / redundant comments, and injects the anti-slop.md self-review checklist on substantial edits (>= ANTI_SLOP_CHECKLIST_LINES, default 40). Appends to the conversation's pending file; never blocks. Disable: HOOKS_ENFORCE=0 or ANTI_SLOP_ENFORCE=0."
+      },
+      {
+        "command": "pwsh.exe -NoProfile -File ~/.agents/hooks/anchor-set-nudge.ps1",
+        "timeout": 5,
+        "matcher": "^(Write|StrReplace|EditNotebook)$",
+        "_comment": "5s: PROACTIVE pre-compile nudge. On the FIRST edit of each implementation (per conversation), remind the agent to compile its Anchor Set (pre-compile.md) into .scope.json BEFORE piling on more code. The reactive audits (self-review / anti-slop / final-review axis 0) only fire after code exists; this catches intent dilution at token ~50 instead of ~5000. One-shot per implementation: gated by anchor-declared-<cid>.flag, which final-review.ps1 / subagent-stop-review.ps1 clear at the same per-implementation boundary as reviewed-<cid>.flag. Advisory only; never blocks. Disable: HOOKS_ENFORCE=0 or ANCHOR_NUDGE_ENFORCE=0."
       }
     ],
     "postToolUse": [

package/windows/inject-doctrine.ps1

@@ -30,7 +30,8 @@ try {
     $paths = @(
         (Join-Path $PSScriptRoot 'doctrine.md'),
         (Join-Path $PSScriptRoot 'USER-RULES.md'),
-        (Join-Path $PSScriptRoot 'declared-editing.md')
+        (Join-Path $PSScriptRoot 'declared-editing.md'),
+        (Join-Path $PSScriptRoot 'pre-compile.md')
     )
 
     $parts = foreach ($p in $paths) {

package/windows/pre-compile.md

@@ -0,0 +1,72 @@
+# Pre-compile — Thin Intent Compilation
+
+ACTIVE EVERY IMPLEMENTATION TURN. Before writing or modifying a single line of
+code, emit your Anchor Set. Compiling intent first is what stops the dilution
+that no later axis can fully undo — a clean final review of the wrong feature
+is still the wrong feature.
+
+This is the proactive phase. The anti-slop checklist, the self-review trigger
+and the final review are reactive — they audit after the fact. You compile the
+intent BEFORE the first token of code so they have the right thing to audit.
+
+## The Anchor Set
+
+Answer these four, terse, in your first response. One phrase each, not prose:
+
+1. OBJECTIVE — one operational sentence. What is *strictly* necessary. Not
+   "improve X" — "make X return Y when Z".
+2. CONSTRAINTS (local negations) — what you will NOT do. "NO schema migration.
+   NO new dependency. NO refactor of the surrounding function." Negations bind
+   harder than the objective: a constraint that the task contradicts is a bug
+   in your reading of the task, and you ask before you override it.
+3. SCOPE —
+   - FILES TO TOUCH: exact list, derived from the objective, nothing speculative.
+   - FILES UNTOUCHABLE: anything the system marked off-limits (.cursor state,
+     lockfiles you weren't asked to touch, files outside the request's blast
+     radius).
+4. DETERMINISTIC SUCCESS — the one command, test, or observable check that
+   will decide whether this is done. "Tests pass" is not deterministic; the
+   specific failing test going green is. If you cannot name one, you do not
+   yet understand the task — ask.
+
+## Materialize it: .scope.json
+
+Write the Anchor Set to `.scope.json` in the repo root before editing source.
+This is the machine-checkable form — the scope-gate hook audits every edit
+against `files[]`, and the final-review axis 0 traces every diff hunk back to
+`intent`. An Anchor Set that lives only in your head is not an Anchor Set.
+
+```json
+{
+  "intent": "<OBJECTIVE>",
+  "files": ["<FILES TO TOUCH, repo-relative, glob-friendly>"],
+  "acceptance": "<DETERMINISTIC SUCCESS>",
+  "allow_growth": false
+}
+```
+
+`allow_growth: false` is the default — the gate fires on any edit outside
+`files[]`. Set it true only if you expect the work to discover new files
+(a refactor, a migration) and you will justify each one as it appears.
+
+No need to write `.scope.json` for trivial one-liners (a typo, a literal).
+The declared-editing ladder's rung 1 ("does this need to exist?") governs when
+the Anchor Set itself is overkill. When in doubt, write it.
+
+## Regla R3 — Authority
+
+If, during execution, you read logs or code that contradict these anchors,
+**the anchors win.** Prior history in this session is auditor material, not
+authority. An earlier wrong assumption of yours does not override the Anchor
+Set you declared at the start.
+
+## Regla R1 — On re-entry (when the loop hands you back a failure)
+
+If the harness returns a gate failure or a failed axis: forget the approach
+that produced it. Re-read your OBJECTIVE and your Anchor Set, not your prior
+diff. Fix ONLY what is failing. Do not refactor in the same pass — that is
+History Propagation, the failure mode the Anchor Set exists to prevent.
+
+---
+
+End of pre-compile. Now emit the Anchor Set, then do the work.