cursordoctrine 0.6.3 → 0.6.5

package/INSTALL.md

@@ -76,11 +76,13 @@ echo '{"conversation_id":"t1","status":"completed"}' | bash ~/.agents/hooks/fina
 echo '{"conversation_id":"t2","file_path":"/tmp/x.py"}' | bash ~/.agents/hooks/self-review-trigger.sh
 echo '{"conversation_id":"t2","status":"completed"}' | bash ~/.agents/hooks/subagent-stop-review.sh  # expect {"followup_message": "SUBAGENT FINAL REVIEW ..."} once, then {}
 echo '{"conversation_id":"t2"}'       | bash ~/.agents/hooks/post-tool-use.sh     # drain t2's leftover feedback file
-# intent-anchor: writes .scope.json from the current prompt and re-injects it.
-# Needs a repo root in cwd (it will NOT write to $HOME - that's the guard).
+# intent-precompile: writes .scope.json from the prompt BEFORE the first token.
+# Needs a repo root (workspace_roots/cwd; it will NOT write to $HOME - that's the guard).
+echo '{"conversation_id":"t3","cwd":"/tmp","prompt":"fix the dashboard bug"}' | bash ~/.agents/hooks/intent-precompile.sh
+cat /tmp/.scope.json                                                         # expect intent="fix the dashboard bug", a seeded acceptance (no <TODO>)
+# intent-anchor: re-injects the contract (and is the fallback creator).
 echo '{"conversation_id":"t3","cwd":"/tmp","file_path":"/tmp/x.py"}' | bash ~/.agents/hooks/intent-anchor.sh
-cat /tmp/.scope.json                                                         # expect a JSON scaffold with intent placeholder
-echo '{"conversation_id":"t3"}'       | bash ~/.agents/hooks/post-tool-use.sh # expect additional_context with the scaffold
+echo '{"conversation_id":"t3"}'       | bash ~/.agents/hooks/post-tool-use.sh # expect additional_context with the contract
 echo '{}' | bash ~/.cursor/inject-doctrine.sh                                # expect {"additional_context": ...}
 python3 ~/.cursor/skills/anti-slop/scripts/scan_slop.py --help               # expect usage text (final review's scanner)
 rm -f /tmp/.scope.json                                                        # cleanup the test scaffold
@@ -97,11 +99,13 @@ Windows (same payloads, swap `bash ~/...sh` for `pwsh.exe -NoProfile -File $HOME
 echo '{"command":"git push --force"}' | pwsh.exe -NoProfile -File $HOME\.agents\hooks\permission-gate.ps1
 echo '{"conversation_id":"t2","file_path":"C:\tmp\x.py"}' | pwsh.exe -NoProfile -File $HOME\.agents\hooks\self-review-trigger.ps1
 echo '{"conversation_id":"t2","status":"completed"}' | pwsh.exe -NoProfile -File $HOME\.agents\hooks\subagent-stop-review.ps1  # SUBAGENT FINAL REVIEW once, then {}
-# intent-anchor: writes .scope.json from the current prompt and re-injects it.
-# Needs a repo root in cwd (it will NOT write to $HOME - that's the guard).
+# intent-precompile: writes .scope.json from the prompt BEFORE the first token.
+# Needs a repo root (workspace_roots/cwd; it will NOT write to $HOME - that's the guard).
+echo '{"conversation_id":"t3","cwd":"C:\tmp","prompt":"fix the dashboard bug"}' | pwsh.exe -NoProfile -File $HOME\.agents\hooks\intent-precompile.ps1
+Get-Content C:\tmp\.scope.json                                            # expect intent="fix the dashboard bug", a seeded acceptance (no <TODO>)
+# intent-anchor: re-injects the contract (and is the fallback creator).
 echo '{"conversation_id":"t3","cwd":"C:\tmp","file_path":"C:\tmp\x.py"}' | pwsh.exe -NoProfile -File $HOME\.agents\hooks\intent-anchor.ps1
-Get-Content C:\tmp\.scope.json                                            # expect a JSON scaffold with intent placeholder
-echo '{"conversation_id":"t3"}'  | pwsh.exe -NoProfile -File $HOME\.agents\hooks\post-tool-use.ps1  # additional_context with the scaffold
+echo '{"conversation_id":"t3"}'  | pwsh.exe -NoProfile -File $HOME\.agents\hooks\post-tool-use.ps1  # additional_context with the contract
 python $HOME\.cursor\skills\anti-slop\scripts\scan_slop.py --help
 Remove-Item C:\tmp\.scope.json -Force                                     # cleanup the test scaffold
 ```
@@ -112,7 +116,7 @@ Also validate the config: `~/.cursor/hooks.json` must parse as JSON.
 
 1. Restart Cursor (hooks.json is read at startup).
 2. Open any project and start a new agent chat. The doctrine should be in context — ask the agent "what does your doctrine say about diffs?" and it should answer from §2; ask "what is the Anchor Set?" and it should answer from `pre-compile.md` (Objective / Constraints / Scope / Deterministic success).
-3. Have the agent make a small edit to a tracked file. On the next turn it should receive a `SELF-REVIEW TRIGGER` message, and `intent-anchor` should have written `.scope.json` to the repo root (intent from your prompt, `<TODO>` placeholders for files/acceptance). The scaffold regenerates when your prompt changes and is re-injected every turn.
+3. Send a prompt. `.scope.json` should appear in the repo root **immediately** (before the agent's first edit), written by `intent-precompile` with `intent` from your prompt and a seeded `acceptance` (not a bare `<TODO>`). Have the agent make a small edit: on the next turn it should receive a `SELF-REVIEW TRIGGER` message, and `intent-anchor` re-injects the contract. The contract regenerates when your prompt changes.
 4. Ask the agent to run `git push --force` (in a throwaway repo). The permission gate must block it.
 5. Finish a small implementation and stop. A single `FINAL REVIEW` follow-up should fire — exactly once.
 6. Delegate a small edit to a subagent (e.g. ask the agent to "use a generalPurpose subagent to add a comment to <file>"). The subagent should receive one `SUBAGENT FINAL REVIEW` follow-up before returning, and the parent should see `SUBAGENT WORK DETECTED` at its next tool boundary. (`subagentStop` is only read at startup — if nothing fires, restart Cursor again.)

package/README.md

@@ -10,7 +10,7 @@
 <div align="center">
   <h1>cursordoctrine</h1>
   <p><strong>Self-review hooks for Cursor — proactive and reactive.</strong></p>
-  <p>Five hook events, one message bus.<br />The model compiles its intent, audits its own work, and stays on the rails. Cursor carries context and gates blast radius.</p>
+  <p>Six hook events, one message bus.<br />The model compiles its intent, audits its own work, and stays on the rails. Cursor carries context and gates blast radius.</p>
 </div>
 
 <br />
@@ -21,7 +21,7 @@
 
 Cursor hooks that make the agent review its own edits without bolting a static-analysis pipeline onto every keystroke. No regex army, no scoring engine. Four jobs:
 
-1. **Compile intent before coding** (proactive) — at session start the agent gets the doctrine plus the **Anchor Set** discipline (`pre-compile.md`): before writing code it must emit *Objective / Constraints / Scope / Deterministic success*. `intent-anchor` materializes that as `.scope.json` on the first tool of each turn (auto-created, regenerated when the prompt changes) and re-injects it into context every turn, so the contract stays in focus against Salience Dilution.
+1. **Compile intent before coding** (proactive) — at session start the agent gets the doctrine plus the **Anchor Set** discipline (`pre-compile.md`): before writing code it must emit *Objective / Constraints / Scope / Deterministic success*. `intent-precompile` (`beforeSubmitPrompt`) materializes that as `.scope.json` the moment you hit send — **before the agent's first token** — with `intent` locked from the request and `acceptance` seeded (never a bare `<TODO>`), so the contract is the first artifact of the turn. `intent-anchor` then re-injects it into context every turn (regenerated when the prompt changes), so it stays in focus against Salience Dilution.
 2. **Inject the doctrine** at session start — every chat starts with the same short governing text (`doctrine.md`, `USER-RULES.md`, `declared-editing.md` the YAGNI ultra ladder, and `pre-compile.md` the thin intent-compilation phase).
 3. **Hand the model its own edits back** (reactive) — after each agent edit, a self-review prompt goes into a pending file (plus semantic-density, scope-gate, and anti-slop advisories when they trip). Next turn the model reads its diff, fixes real bugs, stays quiet otherwise.
 4. **Gate blast radius** — one permission gate denies a short explicit list of dangerous commands (`rm -rf /`, `curl | sh`, force-push, `npm publish`, ...). Everything else passes.
@@ -90,31 +90,31 @@ Two machine-checkable consequences:
 - **`scope-gate-audit`** (afterFileEdit, opt-in via `.scope.json` existing) audits every edit against `files[]` and quotes `intent` + `acceptance` back on a violation. Editing outside the declared set is the textbook scope-creep signal.
 - **final-review axis 0** (intent trace) traces every diff hunk back to `intent`. Anything untraceable is a hallucinated requirement.
 
-On the **first tool of each agent turn**, `intent-anchor` materializes the Anchor Set: it writes `.scope.json` to the repo root (regenerating it when the prompt changed) and re-injects it into context. One scaffold per prompt, re-injection per turn. The latch is armed on first fire and cleared **unconditionally** by the stop hook on every turn boundary, so the next turn re-fires and can never get stranded silenced mid-session.
+**Before the agent's first token**, `intent-precompile` (`beforeSubmitPrompt`) materializes the Anchor Set: the moment you hit send it writes `.scope.json` to the repo root with `intent` locked from the prompt (which is in the event payload directly) and `acceptance` seeded with a real default — so the contract is the first artifact of the turn. `intent-anchor` (`postToolUse`) then re-injects it into context on the first tool boundary. One contract per prompt, re-injection per turn. The intent-anchor latch is armed on first fire and cleared **unconditionally** by the stop hook on every turn boundary, so the next turn re-fires and can never get stranded silenced mid-session.
 
 The Anchor Set is skipped for trivial one-liners (typo, literal) — the `declared-editing.md` ladder's rung 1 governs when it's overkill.
 
-### Keeping the contract alive: `intent-anchor` (anti-Salience-Dilution)
+### Contract first, then kept alive: `intent-precompile` + `intent-anchor`
 
-Writing `.scope.json` once is not enough. As a conversation fills with code, logs and errors, the token of the original request shrinks to a rounding error against the recent history — *Salience Dilution* — and the agent stops checking the contract it wrote at prompt 1. It forgets symmetry, colors, the acceptance bar. Re-injecting the contract every turn is what defeats this: the requirements are re-stated in front of the model before each edit, not just written once and hoped-for.
+The contract has to exist *before* the agent edits and stay in focus *as* it edits. Two hooks, two jobs:
 
-`intent-anchor` (`postToolUse`, registered first so it runs before `post-tool-use` drains the bus) does two things on the **first tool boundary of every turn** (per-turn latch, cleared unconditionally at each stop):
+**`intent-precompile` (`beforeSubmitPrompt`) — write it first.** This event fires right after the user hits send, before the backend request, with the user's `prompt` in the payload directly — no `<user_query>` extraction, no transcript dependency, no contamination from auto-submitted review followups. When the prompt is new (its `_intent_hash` differs from the contract on disk) it writes a fresh `.scope.json`: `intent` locked from the prompt, `files: []`, `acceptance` seeded with a real default (never a bare `<TODO>` — a placeholder that looks owned and never gets filled was the old failure mode), `_intent_hash` for change detection. It also stashes the verbatim prompt so `intent-anchor` reads the *same* ground-truth text. Same prompt on disk → left intact, preserving the agent's refined `intent`/`acceptance`/`files`. Hook-generated submits are skipped.
 
-1. **Materialize the contract per prompt.** When the current `<user_query>` differs from the contract on disk (no contract yet, or its recorded `_intent_hash` doesn't match), the hook **writes a fresh `.scope.json` to the repo root**: `intent` locked from the prompt, `files`/`acceptance` as `<TODO>` placeholders the agent fills in. Every new prompt → a fresh contract the agent works from. Same prompt → no rewrite.
-2. **Re-inject the contract every turn.** Reads `.scope.json` and stashes `intent` + `files` + `acceptance` into the feedback bus, which `post-tool-use` delivers as `additional_context`. The contract is back in the model's attentional focus at the start of each turn, before edits pile up and dilute it.
+**`intent-anchor` (`postToolUse`, registered first so it runs before `post-tool-use` drains the bus) — keep it alive.** As a conversation fills with code, logs and errors, the token of the original request shrinks to a rounding error against recent history — *Salience Dilution* — and the agent stops checking the contract. So on the first tool boundary of every turn (per-turn latch, cleared unconditionally at each stop) it reads `.scope.json` and stashes `intent` + `files` + `acceptance` into the feedback bus, which `post-tool-use` delivers as `additional_context` — the contract back in attentional focus before edits pile up. It also **falls back to creating the contract** if `beforeSubmitPrompt` didn't run (older Cursor), and re-injects a loud demand each turn until the agent sharpens the seeded `acceptance` to the one deterministic check.
 
-> **The hook writes `.scope.json` deliberately.** This is the intended behavior: the contract must exist *before* the agent edits, and it must track the request. The agent fills the `<TODO>` placeholders (`files`, `acceptance`) on the first turn; the hook regenerates the scaffold when the prompt changes. Two real bugs in the earlier 0.4.4 build are fixed here: (a) **never writes to `$HOME`** — if the repo `cwd` can't be resolved the hook stays silent rather than drop a ghost file (bail instead of fallback); (b) **regenerates on prompt CHANGE, not on every turn** — staleness is tracked via `_intent_hash` stored in the file itself, so a same-prompt turn re-injects without rewriting.
+> **The hooks write `.scope.json` deliberately.** The contract must exist before the agent edits and track the request. Safeguards: (a) **never writes to `$HOME`** — if the repo root can't be resolved the hook stays silent rather than drop a ghost file; (b) **regenerates on prompt CHANGE, not every turn** — staleness is tracked via `_intent_hash` in the file, and `intent-precompile`/`intent-anchor` share one hashing helper so a same-prompt turn re-injects without rewriting; (c) **`trace.query` stays verbatim** as the audit anchor even when the agent normalizes `intent`.
 
 Crucially, `intent-anchor` carries the **semantic** contract (`intent`/`acceptance`) into context every turn — something the path-only `scope-gate-audit` can never do. That is what makes "the agent forgot about grid symmetry while editing the right file" catchable: the symmetry requirement is re-stated in front of the model before each edit, not just checked against a file list after.
 
-## The five flows
+## The flows
 
 | Flow | Event | What happens |
 |---|---|---|
+| Submit | `beforeSubmitPrompt` | **`intent-precompile`** writes `.scope.json` to the repo root from the prompt in the payload — **before the agent's first token** — with `intent` locked and `acceptance` seeded, and stashes the verbatim prompt for `intent-anchor`. Skips hook-generated auto-submits; hash-gated so the agent's refinements survive. |
 | Session | `sessionStart` | `inject-doctrine` reads doctrine + user rules + declared-editing + **pre-compile** and emits them as `additional_context`. |
-| Every turn | `postToolUse` | **`intent-anchor`** (registered first) re-injects `.scope.json` into `additional_context` at the first tool boundary of each turn — the anti-Salience-Dilution move that keeps `intent` + `acceptance` in the model's attentional focus before edits pile up. If the prompt changed since last turn, it demands the contract be updated. Then `post-tool-use` folds subagent markers and drains the feedback file. |
+| Every turn | `postToolUse` | **`intent-anchor`** (registered first) re-injects `.scope.json` into `additional_context` at the first tool boundary of each turn — the anti-Salience-Dilution move that keeps `intent` + `acceptance` in the model's attentional focus before edits pile up, and demands the seeded `acceptance` be sharpened. Then `post-tool-use` folds subagent markers and drains the feedback file. |
 | Shell | `beforeShellExecution` | `permission-gate` checks the command against a deny list. Allow by default, deny by list, fail open. |
-| Edit | `afterFileEdit` + `stop` | **Proactive:** `intent-anchor` (`postToolUse`) scaffolds `.scope.json` per prompt and re-injects it each turn. **Reactive:** `self-review-trigger` stashes the review prompt per edit; `semantic-density-audit`, `scope-gate-audit` (opt-in, audits `.scope.json`), and `anti-slop-audit` append advisories when they trip; `final-review` fires one end-of-implementation seven-axis pass. |
+| Edit | `afterFileEdit` + `stop` | **Proactive:** `intent-precompile` writes the contract per prompt; `intent-anchor` re-injects it each turn. **Reactive:** `self-review-trigger` stashes the review prompt per edit; `semantic-density-audit`, `scope-gate-audit` (opt-in, audits `.scope.json`), and `anti-slop-audit` append advisories when they trip; `final-review` fires one end-of-implementation seven-axis pass. |
 | Subagent | `subagentStop` | `subagent-stop-review` fires one in-subagent final review when a delegated run edited files, before the result returns to the parent. Marker-gated and flag-braked like `final-review`. |
 
 ## Layout

package/linux/USER-RULES.md

@@ -6,13 +6,15 @@ the task itself is a behavior change. Refactors, renames, cleanup only when
 asked. Leave generated files alone unless explicitly required.
 
 ## Intent contract (.scope.json)
-The harness auto-creates `.scope.json` in the repo root on your first tool of
-each turn, and re-injects it into your context every turn. Treat it as your
-operating contract, not optional:
-- On a fresh scaffold, FILL the `intent` and `acceptance` TODOs from the user's
-  request before editing source. `files[]` is auto-tracked - do not maintain it.
-- When the user's request changes, the scaffold regenerates with a new intent -
-  refill it for the new ask.
+The harness writes `.scope.json` to the repo root the moment you hit send -
+BEFORE your first token - with `intent` locked from the request, and re-injects
+it every turn. Treat it as your operating contract, not optional:
+- It is the FIRST thing that exists each turn; govern by it from your first action.
+  As your first edits, refine `intent` to your normalized restatement and SHARPEN
+  the seeded `acceptance` to the one deterministic check (it is a draft, not a
+  blank `<TODO>`). `files[]` is auto-tracked - do not maintain it.
+- When the user's request changes, the contract regenerates with the new intent -
+  refine it again for the new ask.
 - If a hook surfaces the contract, defer to it: it outranks momentum. Edit
   inside the declared scope; if you must grow it, justify it, don't sneak past.
 

package/linux/hooks/hook-common.sh

@@ -79,6 +79,50 @@ safe_conversation_id() {
 
 hooks_pending_dir() { printf '%s' "$HOME/.cursor/.hooks-pending"; }
 
+# sha256_hex <text> -> SHA-256 hex. SHARED so intent-precompile (beforeSubmitPrompt)
+# and intent-anchor (postToolUse) hash the SAME text the SAME way; otherwise they
+# disagree on _intent_hash and postToolUse needlessly rewrites the prompt hook's
+# scope. Mirrors the hashing intent-anchor.sh already does (sha256sum|shasum).
+sha256_hex() {
+    if command -v sha256sum >/dev/null 2>&1; then
+        printf '%s' "$1" | sha256sum | awk '{print $1}'
+    elif command -v shasum >/dev/null 2>&1; then
+        printf '%s' "$1" | shasum -a 256 | awk '{print $1}'
+    fi
+}
+
+# Path where beforeSubmitPrompt stashes the verbatim user prompt for the turn.
+# intent-anchor PREFERS this over transcript parsing: ground-truth request from
+# the payload, present on the FIRST postToolUse, immune to <user_query>
+# contamination.
+current_prompt_path() { printf '%s' "$(hooks_pending_dir)/current-prompt-$1.txt"; }
+
+# stashed_prompt <cid> -> the stashed prompt ('' if none). Only ever holds real
+# human prompts - intent-precompile filters hook-generated submits. (The caller's
+# command substitution strips the trailing newline.)
+stashed_prompt() {
+    local p; p="$(current_prompt_path "$1")"
+    [ -f "$p" ] && cat "$p" 2>/dev/null
+}
+
+# default_acceptance -> the real default the hook seeds so .scope.json NEVER ships
+# a bare "<TODO>" (the thing that looks broken and never gets filled). A verifiable
+# bar the agent then sharpens to the single deterministic check. ONE place so both
+# hooks emit the identical string.
+default_acceptance() {
+    printf '%s' 'Every change traces to intent; the project typecheck/build and any *.selfcheck pass, and the described problem no longer reproduces. (Sharpen to the one deterministic check.)'
+}
+
+# redact_secrets <text> -> portable (sed) secret scrub for text we persist to
+# .scope.json / the prompt stash. Mirrors the python redaction in
+# extract_last_user_query so the beforeSubmitPrompt path is no leakier.
+redact_secrets() {
+    printf '%s' "$1" | sed -E \
+        -e 's/\bnpm_[A-Za-z0-9]{10,}\b/[REDACTED_NPM_TOKEN]/g' \
+        -e 's/\b(sk-[A-Za-z0-9]{10,}|ghp_[A-Za-z0-9]{20,}|gho_[A-Za-z0-9]{20,})\b/[REDACTED_TOKEN]/g' \
+        -e 's/([Aa][Pp][Ii][_-]?[Kk][Ee][Yy]|[Tt][Oo][Kk][Ee][Nn]|[Ss][Ee][Cc][Rr][Ee][Tt]|[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd])[[:space:]]*[:=][[:space:]]*[^[:space:]]+/\1=[REDACTED]/g'
+}
+
 # is_cursor_config_path <path> -> 0 if the path lives under a .cursor directory
 is_cursor_config_path() {
     case "$1" in
@@ -105,7 +149,7 @@ resolve_agent_path() {
     esac
 }
 
-# extract_last_user_query <json> -> text of the last <user_query> in this
+# extract_last_user_query <json> -> text of the last *human* <user_query> in this
 # conversation's transcript, or '' if there is none. Capped at 2000 chars.
 #
 # This is the Tier 0 intent-trace primitive: the final-review hook prepends the
@@ -113,7 +157,14 @@ resolve_agent_path() {
 # to it. Anything untraceable is a hallucinated requirement.
 #
 # Walks the JSONL backward via tac (preferred) or a portable awk fallback; finds
-# the first (last) user record whose content carries a <user_query> tag.
+# the first (last) user record whose content carries a <user_query> tag - SKIPPING
+# hook-generated turns. final-review.sh / subagent-stop-review.sh emit a
+# {followup_message} that Cursor replays as a user turn (and self-review /
+# intent-anchor inject into additional_context); returning one of those would lock
+# the review boilerplate into .scope.json as the intent (the contamination loop).
+# Hook turns are detected by their fixed headers; if the transcript has been
+# trimmed to just the hook turn, recover the real request from the embedded
+# "ORIGINAL REQUEST ... --- <request> ---" block.
 extract_last_user_query() {
     local json="$1"
     local tp
@@ -134,6 +185,14 @@ extract_last_user_query() {
     if have_py; then
         printf '%s' "$reversed" | python3 -c '
 import json, re, sys
+HOOK_HDR = re.compile(r"^\s*(FINAL REVIEW \(end of implementation\)|SUBAGENT FINAL REVIEW|SELF-REVIEW|INTENT ANCHOR)", re.M)
+EMBEDDED = re.compile(r"ORIGINAL REQUEST[^\r\n]*\r?\n-{3,}\r?\n(.+?)\r?\n-{3,}", re.S)
+def redact(q):
+    q = re.sub(r"\bnpm_[A-Za-z0-9]{10,}\b", "[REDACTED_NPM_TOKEN]", q)
+    q = re.sub(r"\b(sk-[A-Za-z0-9]{10,}|ghp_[A-Za-z0-9]{20,}|gho_[A-Za-z0-9]{20,})\b", "[REDACTED_TOKEN]", q)
+    q = re.sub(r"(?i)(api[_-]?key|token|secret|password)\s*[:=]\s*\S+", r"\1=[REDACTED]", q)
+    return q
+embedded_fallback = ""
 try:
     for line in sys.stdin:
         line = line.strip()
@@ -155,15 +214,26 @@ try:
                 if isinstance(p, dict) and p.get("type") == "text" and p.get("text"):
                     text += p["text"]
         m = re.search(r"<user_query>\s*(.+?)\s*</user_query>", text, re.S)
-        if m:
-            q = m.group(1).strip()
-            if len(q) > 2000:
-                q = q[:2000] + "..."
-            q = re.sub(r"\bnpm_[A-Za-z0-9]{10,}\b", "[REDACTED_NPM_TOKEN]", q)
-            q = re.sub(r"\b(sk-[A-Za-z0-9]{10,}|ghp_[A-Za-z0-9]{20,}|gho_[A-Za-z0-9]{20,})\b", "[REDACTED_TOKEN]", q)
-            q = re.sub(r"(?i)(api[_-]?key|token|secret|password)\s*[:=]\s*\S+", r"\1=[REDACTED]", q)
-            print(q)
-            break
+        if not m:
+            continue
+        q = m.group(1).strip()
+        # Hook-generated turn -> not the human words. Remember the embedded
+        # ORIGINAL REQUEST (latest such turn) and keep walking back.
+        if HOOK_HDR.search(q):
+            if not embedded_fallback:
+                em = EMBEDDED.search(q)
+                if em:
+                    embedded_fallback = em.group(1).strip()
+            continue
+        if len(q) > 2000:
+            q = q[:2000] + "..."
+        print(redact(q))
+        break
+    else:
+        if embedded_fallback:
+            if len(embedded_fallback) > 2000:
+                embedded_fallback = embedded_fallback[:2000] + "..."
+            print(redact(embedded_fallback))
 except Exception:
     pass
 ' 2>/dev/null
@@ -172,9 +242,14 @@ except Exception:
 
     # No python3: best-effort grep for the common case where the user message
     # is the only place <user_query> appears in a line. Imperfect but bounded.
+    # Drop hook-generated turns (FINAL REVIEW / SUBAGENT / SELF-REVIEW / INTENT
+    # ANCHOR) so we never lock review boilerplate as the intent; take the first
+    # surviving human <user_query>.
     printf '%s' "$reversed" |
-        grep -m1 -oE '<user_query>[^<]*</user_query>' 2>/dev/null |
+        grep -oE '<user_query>[^<]*</user_query>' 2>/dev/null |
         sed -E 's@</?user_query>@@g' |
+        grep -vE '^[[:space:]]*(FINAL REVIEW \(end of implementation\)|SUBAGENT FINAL REVIEW|SELF-REVIEW|INTENT ANCHOR)' 2>/dev/null |
+        head -n1 |
         sed -E 's/\bnpm_[A-Za-z0-9]{10,}\b/[REDACTED_NPM_TOKEN]/g' |
         head -c 2000
 }

package/linux/hooks/intent-anchor.sh

@@ -74,19 +74,20 @@ fi
 # Already injected this turn -> quiet. Latch cleared at every stop.
 [ -f "$latch" ] && exit 0
 
-# --- current request (best-effort; absent in sandboxed runs) -----------------
-current_query="$(extract_last_user_query "$input")"
+# --- current request ---------------------------------------------------------
+# PREFER the prompt stashed by intent-precompile (beforeSubmitPrompt): ground-truth
+# request from the payload, present on the FIRST postToolUse, immune to <user_query>
+# contamination. Fall back to transcript parsing only when the prompt hook did not
+# run. Both share sha256_hex so _intent_hash is consistent across the two hooks.
+current_query="$(stashed_prompt "$cid")"
+[ -n "$current_query" ] || current_query="$(extract_last_user_query "$input")"
 has_query=0
 [ -n "$current_query" ] && has_query=1
 
 current_hash=""
 prompt_changed=0
 if [ "$has_query" = "1" ]; then
-    if command -v sha256sum >/dev/null 2>&1; then
-        current_hash="$(printf '%s' "$current_query" | sha256sum | awk '{print $1}')"
-    elif command -v shasum >/dev/null 2>&1; then
-        current_hash="$(printf '%s' "$current_query" | shasum -a 256 | awk '{print $1}')"
-    fi
+    current_hash="$(sha256_hex "$current_query")"
     prev_hash=""
     [ -f "$hash_file" ] && prev_hash="$(cat "$hash_file" 2>/dev/null)"
     [ "$current_hash" != "$prev_hash" ] && prompt_changed=1
@@ -150,12 +151,14 @@ EOF
     #     changed (or a new session) => regenerate and RESET files[] (the "arrastre entre
     #     features" fix). Same prompt this session => heal in place (backfill bookkeeping, keep
     #     files[]/acceptance) so the NEXT prompt is detected by hash.
-    # Hollow = no real intent on disk: empty, or still the hook's <TODO> placeholder.
-    # A hollow contract is worse than none (it looks owned, so neither hook nor agent
-    # fills it). Treat it as unusable: regenerate when the request is readable, else
-    # hand the agent the pre-compile demand to author a real one.
+    # Hollow = no real intent on disk: empty, the hook's <TODO> placeholder, OR
+    # hook-generated review boilerplate that a stale extractor locked in (the
+    # contamination loop - "FINAL REVIEW (end of implementation)..."). A hollow
+    # contract is worse than none (it looks owned, so neither hook nor agent fills
+    # it). Treat it as unusable: regenerate when the request is readable, else hand
+    # the agent the pre-compile demand to author a real one.
     case "$scope_intent" in
-        ""|"<TODO"*) scope_hollow=1 ;;
+        ""|"<TODO"*|"FINAL REVIEW (end of implementation)"*|"SUBAGENT FINAL REVIEW"*|"SELF-REVIEW"*|"INTENT ANCHOR"*) scope_hollow=1 ;;
     esac
     if [ "$scope_exists" = "1" ] && [ "$has_query" = "1" ]; then
         if [ "$scope_hollow" = "1" ]; then
@@ -194,19 +197,21 @@ if [ "$should_create" = "1" ] || [ "$should_regen" = "1" ]; then
     # Both paths require $has_query, so intent is always locked from the request.
     intent_val="$current_query"
     trace_query="$current_query"
-    # jq preferred; python3 fallback. Write intent, empty files[], TODO acceptance,
-    # trace provenance, and _intent_hash so staleness is self-contained.
+    default_acc="$(default_acceptance)"
+    # jq preferred; python3 fallback. Write intent, empty files[], a real seeded
+    # acceptance (never a bare <TODO>), trace provenance, and _intent_hash so
+    # staleness is self-contained.
     if have_jq; then
-        jq -n --arg intent "$intent_val" --arg hash "$current_hash" --arg tq "$trace_query" --arg ts "$now_ts" \
-            '{intent:$intent, files:[], acceptance:"<TODO: the one deterministic check that decides done>", allow_growth:false, trace:{query:$tq, ts:$ts}, _intent_hash:$hash, _generated_by:"intent-anchor hook"}' \
+        jq -n --arg intent "$intent_val" --arg hash "$current_hash" --arg tq "$trace_query" --arg ts "$now_ts" --arg acc "$default_acc" \
+            '{intent:$intent, files:[], acceptance:$acc, allow_growth:false, trace:{query:$tq, ts:$ts}, _intent_hash:$hash, _generated_by:"intent-anchor hook"}' \
             > "$scope_path" 2>/dev/null && regenerated=1
     elif have_py; then
-        if I_FILE="$scope_path" I_INTENT="$intent_val" I_HASH="$current_hash" I_TQ="$trace_query" I_TS="$now_ts" python3 -c '
+        if I_FILE="$scope_path" I_INTENT="$intent_val" I_HASH="$current_hash" I_TQ="$trace_query" I_TS="$now_ts" I_ACC="$default_acc" python3 -c '
 import json, os
 obj = {
     "intent": os.environ["I_INTENT"],
     "files": [],
-    "acceptance": "<TODO: the one deterministic check that decides done>",
+    "acceptance": os.environ["I_ACC"],
     "allow_growth": False,
     "trace": {"query": os.environ["I_TQ"], "ts": os.environ["I_TS"]},
     "_intent_hash": os.environ["I_HASH"],
@@ -220,7 +225,7 @@ with open(os.environ["I_FILE"], "w", encoding="utf-8") as f:
     fi
     if [ "$regenerated" = "1" ]; then
         scope_intent="$intent_val"
-        scope_acceptance="<TODO: the one deterministic check that decides done>"
+        scope_acceptance="$default_acc"
         scope_files="(auto-tracked - the scope hook records every file you edit)"
         scope_exists=1
         scope_stale=0
@@ -269,6 +274,17 @@ else
     query_line="(current request unavailable - no transcript in this event)"
 fi
 
+# acceptance is seeded with a real default (never a bare <TODO>), but the default
+# is generic - the contract is not fully set until the agent sharpens it to the
+# ONE deterministic check. Detect the unsharpened state -> loud demand each turn.
+acceptance_demand=""
+case "$scope_acceptance" in
+    "<TODO"*|*"Sharpen to the one deterministic check"*)
+        acceptance_demand="
+
+>> acceptance is still the seeded default. Your FIRST action this turn is a targeted string-replace on .scope.json setting acceptance to the one deterministic check that decides done - then do the work." ;;
+esac
+
 if [ "$regenerated" = "1" ]; then
     msg="INTENT ANCHOR (scope regenerated) - .scope.json written for this prompt.
 
@@ -278,9 +294,9 @@ if [ "$regenerated" = "1" ]; then
 
 The hook wrote a fresh scaffold to $scope_path from your current request. intent
 is locked from what you just asked. files[] is AUTO-TRACKED - the scope hook
-records every file you edit, so do not maintain it by hand. Set acceptance to
-the one deterministic check that decides done, THEN proceed. This contract will
-be re-injected every turn until your request changes again."
+records every file you edit, so do not maintain it by hand. acceptance is seeded
+with a sensible default; sharpen it to the one deterministic check, THEN proceed.
+This contract will be re-injected every turn until your request changes again.$acceptance_demand"
 elif [ "$scope_exists" != "1" ] || [ "$scope_hollow" = "1" ]; then
     if [ "$scope_hollow" = "1" ]; then
         state="the .scope.json in $root is only a <TODO> placeholder (the hook could not read your request to fill it)"
@@ -314,7 +330,7 @@ else
   acceptance: $scope_acceptance
 
 $drift_note If a constraint above conflicts with what you are about to do, stop
-and reconcile - the contract outranks momentum."
+and reconcile - the contract outranks momentum.$acceptance_demand"
 fi
 
 # --- stash to the feedback bus (drained by post-tool-use.sh) -----------------

package/linux/hooks/intent-precompile.sh

@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+# intent-precompile.sh - beforeSubmitPrompt "contract first" writer (Cursor, Linux).
+#
+# THE FIX for "el .scope.json se crea casi al final": creation used to live on
+# postToolUse (intent-anchor), which fires only AFTER the agent's first tool and
+# depends on the transcript becoming readable to detect the prompt. Until then the
+# PREVIOUS prompt's intent persisted and the agent worked under it - the scope only
+# flipped to the right intent late in the turn.
+#
+# beforeSubmitPrompt fires "right after the user hits send, before the backend
+# request" - BEFORE the agent's first token - and its payload carries the user's
+# `prompt` DIRECTLY (no <user_query> extraction, no transcript dependency, no
+# hook-followup contamination). So this hook writes .scope.json with the real
+# intent up front, making the contract the FIRST artifact of the turn.
+#
+# Two deterministic jobs:
+#   1. STASH the verbatim prompt to current-prompt-<cid>.txt. intent-anchor prefers
+#      it over transcript parsing, so both hooks hash the SAME text (sha256_hex)
+#      and never fight over _intent_hash.
+#   2. WRITE / REGENERATE .scope.json from the prompt when it is new (hash differs)
+#      or missing. Same prompt on disk -> leave it (preserve the agent's refined
+#      intent / acceptance / files). acceptance is seeded with a real default
+#      (default_acceptance), never a bare <TODO>.
+#
+# Hook-generated submits (auto-submitted final-review / subagent-review followups)
+# are SKIPPED: their prompt is review boilerplate, not the user's request.
+#
+# Never blocks submission; writes files as a side effect and exits 0. Disable:
+# HOOKS_ENFORCE=0 or INTENT_ANCHOR_ENFORCE=0 (shares the intent-anchor kill switch).
+
+set +e
+. "$(dirname "$0")/hook-common.sh"
+
+[ "${HOOKS_ENFORCE:-}" = "0" ] && exit 0
+[ "${INTENT_ANCHOR_ENFORCE:-}" = "0" ] && exit 0
+
+input="$(read_hook_stdin)"
+[ -n "$input" ] || exit 0
+
+# --- the prompt (direct from payload - the whole point of this event) --------
+prompt="$(json_get "$input" prompt)"
+# trim leading/trailing whitespace
+prompt="$(printf '%s' "$prompt" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
+[ -n "$prompt" ] || exit 0
+
+# Auto-submitted hook followups are not the user's request -> leave the contract.
+case "$prompt" in
+    "FINAL REVIEW (end of implementation)"*|"SUBAGENT FINAL REVIEW"*|"SELF-REVIEW"*|"INTENT ANCHOR"*) exit 0 ;;
+esac
+
+prompt="$(redact_secrets "$prompt")"
+
+cid="$(safe_conversation_id "$input")"
+pending_dir="$(hooks_pending_dir)"
+
+# --- repo root (workspace_roots / cwd; NO $HOME fallback - no ghost files) ----
+root=""
+while IFS= read -r cand; do
+    [ -n "$cand" ] && [ -d "$cand" ] && { root="${cand%/}"; break; }
+done <<EOF
+$(json_get "$input" cwd)
+$(json_get_array "$input" workspace_roots)
+EOF
+if [ -z "$root" ] && [ -n "$CURSOR_PROJECT_DIR" ] && [ -d "$CURSOR_PROJECT_DIR" ]; then
+    root="${CURSOR_PROJECT_DIR%/}"
+fi
+[ -n "$root" ] || exit 0
+
+# --- stash the prompt so intent-anchor reads the same ground-truth text -------
+mkdir -p "$pending_dir" 2>/dev/null
+printf '%s' "$prompt" > "$(current_prompt_path "$cid")" 2>/dev/null
+
+# --- write / regenerate .scope.json (hash-gated) ------------------------------
+current_hash="$(sha256_hex "$prompt")"
+scope_path="$root/.scope.json"
+on_disk_hash=""
+if [ -f "$scope_path" ]; then
+    if have_jq; then
+        on_disk_hash="$(jq -r '._intent_hash // empty' "$scope_path" 2>/dev/null)"
+    elif have_py; then
+        on_disk_hash="$(python3 -c 'import json,sys
+try: print(json.load(open(sys.argv[1])).get("_intent_hash","") or "")
+except Exception: pass' "$scope_path" 2>/dev/null)"
+    fi
+fi
+
+# Same prompt already locked (prior fire this turn, or the agent refined the
+# contract) -> leave it. Only (re)write on a NEW or missing/garbage contract.
+[ "$on_disk_hash" = "$current_hash" ] && [ -n "$current_hash" ] && exit 0
+
+now_ts="$(date -u +%Y-%m-%dT%H:%M:%SZ 2>/dev/null)"
+default_acc="$(default_acceptance)"
+if have_jq; then
+    jq -n --arg intent "$prompt" --arg hash "$current_hash" --arg ts "$now_ts" --arg acc "$default_acc" \
+        '{intent:$intent, files:[], acceptance:$acc, allow_growth:false, trace:{query:$intent, ts:$ts}, _intent_hash:$hash, _generated_by:"intent-precompile hook (beforeSubmitPrompt)"}' \
+        > "$scope_path" 2>/dev/null
+elif have_py; then
+    I_FILE="$scope_path" I_INTENT="$prompt" I_HASH="$current_hash" I_TS="$now_ts" I_ACC="$default_acc" python3 -c '
+import json, os
+obj = {
+    "intent": os.environ["I_INTENT"],
+    "files": [],
+    "acceptance": os.environ["I_ACC"],
+    "allow_growth": False,
+    "trace": {"query": os.environ["I_INTENT"], "ts": os.environ["I_TS"]},
+    "_intent_hash": os.environ["I_HASH"],
+    "_generated_by": "intent-precompile hook (beforeSubmitPrompt)",
+}
+with open(os.environ["I_FILE"], "w", encoding="utf-8") as f:
+    json.dump(obj, f, ensure_ascii=False, indent=2)
+' 2>/dev/null
+fi
+
+exit 0

package/linux/hooks.json

@@ -1,6 +1,13 @@
 {
   "version": 1,
   "hooks": {
+    "beforeSubmitPrompt": [
+      {
+        "command": "bash ~/.agents/hooks/intent-precompile.sh",
+        "timeout": 5,
+        "_comment": "5s: CONTRACT FIRST. Fires right after the user hits send, BEFORE the agent's first token, with the user's `prompt` in the payload directly. Writes/regenerates .scope.json (intent locked from the prompt, acceptance seeded with a real default - never a bare <TODO>) so the contract is the FIRST artifact of the turn instead of appearing late once postToolUse can read the transcript. Also stashes the verbatim prompt to current-prompt-<cid>.txt so intent-anchor (postToolUse) re-injects from the SAME ground-truth text - no <user_query> contamination, no _intent_hash fights. Skips hook-generated auto-submits (FINAL REVIEW / SUBAGENT / SELF-REVIEW). Hash-gated: same prompt on disk -> left intact (preserves the agent's refined intent/acceptance/files). Never blocks submission, always exits 0. Disable: HOOKS_ENFORCE=0 or INTENT_ANCHOR_ENFORCE=0."
+      }
+    ],
     "sessionStart": [
       {
         "command": "bash ~/.cursor/inject-doctrine.sh",

package/linux/pre-compile.md

@@ -53,23 +53,30 @@ Answer these four, terse, in your first response. One phrase each, not prose:
 
 ## Materialize it: .scope.json (the hook owns this file)
 
-The `intent-anchor` hook creates and maintains `.scope.json` in the repo root for
-you, automatically, on the first tool of every turn:
-  - `intent` is seeded from your verbatim request and REFRESHED when the request
-    changes — a new prompt regenerates the contract and resets `files[]`, so it
-    never carries over between features;
+The contract is written for you **before your first token**: the `intent-precompile`
+hook fires on `beforeSubmitPrompt` (right after the user hits send) and writes
+`.scope.json` to the repo root with the real `intent` already locked from the
+request — so the contract is the FIRST artifact of the turn, and you govern by it
+from the very first action. `intent-anchor` then re-injects it on every tool
+boundary to keep it in focus.
+  - `intent` is locked from the request and REFRESHED when the request changes — a
+    new prompt regenerates the contract and resets `files[]`, so it never carries
+    over between features;
   - `files[]` is auto-recorded — the scope hook appends every file you edit, so
     you never maintain it by hand;
+  - `acceptance` is SEEDED with a real default (never a bare `<TODO>`); it is not a
+    blank you must fill, it is a draft you SHARPEN;
   - `trace.query` is the VERBATIM request (the audit anchor), `_intent_hash` and
     `_generated_by` are hook bookkeeping. Leave all three alone.
 
 Your two targeted edits on the contract (each a string replace on ONE field, never
-a whole-file rewrite):
-  - **`intent`** → replace the verbatim seed with your Step 0 restatement: the
-    normalized, meaning-preserving sentence. This is what final-review axis 0
-    traces each diff hunk against, so a clean `intent` makes the audit sharp.
-  - **`acceptance`** → set the single deterministic check that decides done, which
-    the hook cannot derive.
+a whole-file rewrite), done as your FIRST actions this turn before editing source:
+  - **`intent`** → replace the seed with your Step 0 restatement: the normalized,
+    meaning-preserving sentence. This is what final-review axis 0 traces each diff
+    hunk against, so a clean `intent` makes the audit sharp.
+  - **`acceptance`** → sharpen the seeded default to the single deterministic check
+    that decides done, which the hook cannot derive. The hook re-injects a loud
+    demand every turn until you do.
 
 Do **NOT** touch `trace.query`, `_intent_hash`, or `_generated_by`, and do **NOT**
 rewrite the whole file: `_intent_hash` is computed from the verbatim `trace.query`,
@@ -82,11 +89,11 @@ changed the meaning: `intent` and `trace.query` must agree.
 {
   "intent":       "<YOU refine this: your normalized Step 0 restatement>",
   "files":        ["<auto-recorded by the hook as you edit>"],
-  "acceptance":   "<YOU set this: the deterministic check that decides done>",
+  "acceptance":   "<seeded with a default; YOU sharpen to the deterministic check>",
   "allow_growth": false,
   "trace":        { "query": "<VERBATIM request - the hook owns this, leave it>", "ts": "<when>" },
   "_intent_hash": "<hook bookkeeping>",
-  "_generated_by":"intent-anchor hook"
+  "_generated_by":"intent-precompile / intent-anchor hook"
 }
 ```
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cursordoctrine",
-  "version": "0.6.3",
+  "version": "0.6.5",
   "description": "Thin self-review hooks for Cursor — the model is the auditor. Pruned + deduplicated: intent-anchor (auto-scaffolded .scope.json per prompt + per-turn re-injection against Salience Dilution), intent-trace final review, unified anti-slop checklist as single source of truth.",
   "bin": {
     "cursordoctrine": "bin/cli.mjs"

package/windows/USER-RULES.md

@@ -6,13 +6,15 @@ the task itself is a behavior change. Refactors, renames, cleanup only when
 asked. Leave generated files alone unless explicitly required.
 
 ## Intent contract (.scope.json)
-The harness auto-creates `.scope.json` in the repo root on your first tool of
-each turn, and re-injects it into your context every turn. Treat it as your
-operating contract, not optional:
-- On a fresh scaffold, FILL the `intent` and `acceptance` TODOs from the user's
-  request before editing source. `files[]` is auto-tracked - do not maintain it.
-- When the user's request changes, the scaffold regenerates with a new intent -
-  refill it for the new ask.
+The harness writes `.scope.json` to the repo root the moment you hit send -
+BEFORE your first token - with `intent` locked from the request, and re-injects
+it every turn. Treat it as your operating contract, not optional:
+- It is the FIRST thing that exists each turn; govern by it from your first action.
+  As your first edits, refine `intent` to your normalized restatement and SHARPEN
+  the seeded `acceptance` to the one deterministic check (it is a draft, not a
+  blank `<TODO>`). `files[]` is auto-tracked - do not maintain it.
+- When the user's request changes, the contract regenerates with the new intent -
+  refine it again for the new ask.
 - If a hook surfaces the contract, defer to it: it outranks momentum. Edit
   inside the declared scope; if you must grow it, justify it, don't sneak past.
 

package/windows/hooks/anti-slop-audit.ps1

@@ -172,6 +172,86 @@ if ($logCount -ge 6) {
     $opsFlags.Add("- TELEMETRY SPAM: $logCount log/print statements added in this one edit. Debug-level telemetry that nobody reads is slop; consolidate or remove (kept only if this is a real logging entrypoint).")
 }
 
+# --- signal 5: AI vibe-coding structural slop (Arrow / Masking / Boolean /
+# Switch Bloat) - high-precision regex/heuristics, deterministic, language-agnostic
+# where possible. Each rule flags a SPECIFIC pattern that the model does because
+# it cannot combine conditions or design types; the rule's "Stop" forces the
+# canonical fix (guard clauses, fail-fast, named types, dictionary dispatch).
+$vibeFlags = New-Object System.Collections.Generic.List[string]
+
+# (5a) ARROW CODE: 3+ levels of nested if/for/while/switch in the ADDED lines.
+# Measure indent depth of control-flow keywords; 3+ distinct nesting levels in
+# one block = arrow code. The model nests because it cannot combine conditions.
+# Stop: guard clauses (early returns) - read top-to-bottom, no deep indent.
+$controlKw = '(?i)^\s*(if|for|while|switch|try|else|elif|else\s+if)\b'
+$nestHits   = 0
+$maxNest    = 0
+foreach ($a in $added) {
+    if ($a -notmatch $controlKw) { continue }
+    $spaces = ($a -replace '\S.*$', '').Length
+    # Normalize: assume 2-space or tab indent. Floor to indent LEVELS.
+    $indents = [int][math]::Floor($spaces / 2)
+    if ($indents -ge 3) {                         # 3+ levels of nesting
+        $nestHits++
+        if ($indents -gt $maxNest) { $maxNest = $indents }
+    }
+}
+if ($nestHits -ge 2) {
+    $vibeFlags.Add("- ARROW CODE: $nestHits control-flow lines at >= 3 levels of nesting (max level: $maxNest). The model nests because it cannot combine conditions. Stop: GUARD CLAUSES (early returns). If a condition does not hold, return immediately; the body must read top-to-bottom without deep indent.")
+}
+
+# (5b) SYMPTOM MASKING: empty catch, catch-and-swallow, or value-nullish-coalesced
+# instead of fixing the source of null. The model patches the symptom (catch it,
+# default it) instead of fixing why the value is invalid.
+#   - `catch {}` / `catch (e) {}` with no body OR a bare return/log
+#   - `x ?? defaultValue` / `x || default` on what should be a fail-fast path
+#   - `try { ... } catch { return ... }` swallowing an error
+# Stop: FAIL-FAST. If a function receives invalid state, throw an explicit Error;
+# never catch an error only to hide it.
+$swallowRe = '(?i)catch\s*(\([^)]*\))?\s*\{\s*(?://[^\n]*)?(?:\}|return\s|//\s*ignore|/\*.*\*/\s*\})'
+# Note: no leading \b - the ?? operator is not a word boundary.
+$coalesceRe = '\?\?\s*(?:null|undefined|0|''''|""|\[\]|\{\}|false|new\b)'
+$maskingHits = 0
+foreach ($a in $added) {
+    if ($a -match $swallowRe) { $maskingHits++; continue }
+    if ($a -match $coalesceRe) { $maskingHits++ }
+}
+if ($maskingHits -ge 1) {
+    $vibeFlags.Add("- SYMPTOM MASKING: $maskingHits instance(s) of empty/swallowed catch or nullish-coalesced fallback detected. The model patches the symptom (`x ?? default`, `catch {} return`) instead of fixing WHY the value is invalid. Stop: FAIL-FAST. If a function receives invalid state, throw an explicit Error; never catch only to hide, never default over a value that should never be null.")
+}
+
+# (5c) BOOLEAN TRAP: a function that takes a positional boolean to switch behavior.
+# `processData(data, true)` is a classic - the model uses one function + a flag
+# instead of two functions or a strategy. Stop: no boolean flags; split the
+# function or use a strategy/dictionary dispatch.
+$boolParamRe = '(?i)\bfunction\s+\w+\s*\([^)]*\b(is[A-Z]|should[A-Z]|with[A-Z]|use[A-Z]|enable[A-Z]|disable[A-Z]|force[A-Z]|skip[A-Z]|verbose|dryRun|async|strict|deep|quick)\b\s*[:=]\s*(?:boolean|bool|true|false)[^)]*\)'
+$arrowBoolRe = '(?i)(?:const|let|var|func|def|fn)\s+\w+\s*\([^)]*\b(is[A-Z]|should[A-Z]|with[A-Z]|use[A-Z]|enable[A-Z]|disable[A-Z]|force[A-Z]|skip[A-Z]|verbose|dryRun|strict|deep|quick)\??\s*[:=]\s*(?:boolean|bool|true|false)\b[^)]*\)'
+$boolHits = 0
+foreach ($a in $added) {
+    if ($a -match $boolParamRe) { $boolHits++; continue }
+    if ($a -match $arrowBoolRe) { $boolHits++ }
+}
+if ($boolHits -ge 1) {
+    $vibeFlags.Add("- BOOLEAN TRAP: $boolHits function(s) take a positional boolean to switch behavior (is*/should*/with*/use*/enable*/force*/skip*/verbose/dryRun/strict/deep/quick). The model uses a flag instead of two functions. Stop: SPLIT the function or use a strategy/dictionary dispatch. If the behavior changes, it is a different function.")
+}
+
+# (5d) SWITCH BLOAT: a switch or if/else-if chain with > 5 cases. The model maps
+# states via switch instead of a dictionary. Stop: replace with a Record<Map, Fn>
+# / dictionary dispatch (Map<Estado, Funcion>), never a switch with > 5 arms.
+$switchRe = '(?i)\bswitch\b'
+$caseRe   = '(?i)^\s*(?:case\s|default\s*:|when\s)'
+$elseifRe = '(?i)^\s*(?:}\s*)?else\s+if\b'
+$caseCount = 0
+$inSwitch  = $false
+foreach ($a in $added) {
+    if ($a -match $switchRe) { $inSwitch = $true; continue }
+    if ($inSwitch -and $a -match $caseRe) { $caseCount++; continue }
+    if ($a -match $elseifRe) { $caseCount++ }
+}
+if ($caseCount -ge 6) {
+    $vibeFlags.Add("- SWITCH BLOAT: $caseCount case/branch arms detected in one switch or if/else-if chain. The model maps states via switch. Stop: DICTIONARY DISPATCH - a Record<Estado, Funcion> / Map<state, handler> lookup, never a switch with > 5 arms.")
+}
+
 # --- decide whether to fire ----------------------------------------------
 $srcRe = '\.(ts|tsx|js|jsx|mjs|cjs|py|go|rs|java|kt|kts|cs|cpp|cc|cxx|c|h|hpp|rb|php|swift|scala|m|mm|sh|ps1|lua|dart|ex|exs|vue|svelte)$'
 $addedCode = 0
@@ -184,6 +264,7 @@ if ($depAdded)              { $flags.Add("- DEPENDENCY: " + $base + " gained a d
 if ($patterns.Count -gt 0)  { $flags.Add("- PREMATURE ABSTRACTION: " + ($patterns -join ', ') + " - is there a real, present problem (2-3+ call sites that exist today) that needs it? If it is speculative, delete it and write the direct code.") }
 if ($redundant.Count -gt 0) { $flags.Add("- REDUNDANT COMMENTS: " + ($redundant -join ' | ') + " - delete comments that restate the code; keep only WHY.") }
 $flags.AddRange($opsFlags)
+$flags.AddRange($vibeFlags)
 
 if ($flags.Count -eq 0 -and -not $substantial) { exit 0 }
 
@@ -193,13 +274,19 @@ $checklist = ''
 if (Test-Path -LiteralPath $checklistFile) { $checklist = Get-Content -Raw -LiteralPath $checklistFile }
 if (-not $checklist) {
     $checklist = @'
-ANTI-SLOP — read ~/.agents/hooks/anti-slop.md (13 items). Fallback if missing:
+ANTI-SLOP — read ~/.agents/hooks/anti-slop.md (17 items). Fallback if missing:
   1–10: edge cases, duplication, conventions, deps, premature abstraction,
   accidental complexity, tests (no tautologies), cargo cult, architecture,
   redundant comments / prompt residue.
   11: semantic contracts (behavior change without name/signature change).
   12: operational slop (retry w/o backoff, await-in-loop, telemetry spam).
   13: change surface (too many files for a simple request).
+  14: SLAP - one function one abstraction level.
+  15: phantom state - explicit lifecycle, no implicit call-order.
+  16: primitive obsession - value objects over loose primitives with rules.
+  17: loop-driven - prefer map/filter/reduce over imperative for on arrays.
+Static vibe-coding signals also flagged inline when detected: arrow code,
+symptom masking, boolean trap, switch bloat.
 Fix guilty items now. Never revert what the user asked for.
 '@
 }

package/windows/hooks/anti-slop.md

@@ -50,5 +50,29 @@ Do not explain. If clean, say nothing.
  13. CHANGE SURFACE (Tier 5) — Did a simple request touch many files? Every
      file in the diff must trace to the task. Trim unrelated hunks.
 
+ 14. MIXED LEVELS OF ABSTRACTION (SLAP violation) — Does one function mix a DB
+     call, a string validation, and a date format? The model writes one blob
+     because it cannot see the layers. Stop: SLAP - one function, one level of
+     abstraction. Extract details to named helpers; the top function reads as a
+     recipe, the bottom functions do the work.
+
+ 15. PHANTOM STATE (temporal coupling) — Must callers invoke init() before
+     process()? Does the function break unless something else ran first? The
+     model never validates lifecycle. Stop: make state explicit - a state
+     machine, or a guard at the top of every public method that throws if the
+     object is not in the required state. No implicit call-order contracts.
+
+ 16. PRIMITIVE OBSESSION — Are you passing loose strings/numbers for things
+     that have rules (userId: string, email: string, amount: number)? The model
+     spreads primitives instead of value objects. Stop: if a primitive has
+     domain rules (validation, formatting, equality semantics), it is a named
+     type / value object, not a raw string. Stop at the boundary where it enters.
+
+ 17. LOOP-DRIVEN LOGIC (imperative where declarative fits) — Are you writing
+     for loops to transform arrays when the language has .map / .filter /
+     .reduce / list comprehensions? The model defaults to imperative mutation.
+     Stop: prefer pure higher-order functions for data transformation; reserve
+     for-loops for genuine early-exit, index-based, or perf-critical paths.
+
 Hard constraints: never revert what the USER asked for — slop is what got added
 on top. At most a few targeted edits, then stop.

package/windows/hooks/hook-common.ps1

@@ -39,6 +39,45 @@ function Get-HooksPendingDir {
     return Join-Path $HOME '.cursor\.hooks-pending'
 }
 
+# SHA-256 hex of a string. SHARED so intent-precompile (beforeSubmitPrompt) and
+# intent-anchor (postToolUse) hash the SAME text the SAME way - otherwise the two
+# disagree on the contract's _intent_hash and the postToolUse hook needlessly
+# regenerates the scope the prompt hook just wrote.
+function Get-Sha256Hex([string]$text) {
+    if ($null -eq $text) { $text = '' }
+    $bytes  = [System.Text.Encoding]::UTF8.GetBytes($text)
+    $hasher = [System.Security.Cryptography.SHA256]::Create()
+    return (-join ($hasher.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }))
+}
+
+# Path where the beforeSubmitPrompt hook stashes the verbatim user prompt for the
+# turn, keyed by conversation. intent-anchor PREFERS this over transcript parsing:
+# it is the ground-truth request captured directly from the payload (no <user_query>
+# extraction, no hook-followup contamination, available on the FIRST postToolUse
+# of the turn instead of whenever the transcript happens to become readable).
+function Get-CurrentPromptPath([string]$cid) {
+    return Join-Path (Get-HooksPendingDir) "current-prompt-$cid.txt"
+}
+
+# Read the stashed prompt for this conversation ('' if none). The stash only ever
+# holds real human prompts - intent-precompile filters hook-generated submits.
+function Get-StashedPrompt([string]$cid) {
+    $p = Get-CurrentPromptPath $cid
+    if (Test-Path -LiteralPath $p) {
+        $t = Get-Content -LiteralPath $p -Raw -ErrorAction SilentlyContinue
+        if ($t) { return $t.TrimEnd("`r", "`n") }
+    }
+    return ''
+}
+
+# Default acceptance the hook seeds so .scope.json NEVER ships a bare "<TODO>"
+# placeholder (the thing that looks broken and never gets filled). It is a real,
+# verifiable bar derived from intent; the agent sharpens it to the single
+# deterministic check. Kept in ONE place so both hooks emit the identical string.
+function Get-DefaultAcceptance {
+    return 'Every change traces to intent; the project typecheck/build and any *.selfcheck pass, and the described problem no longer reproduces. (Sharpen to the one deterministic check.)'
+}
+
 function Test-IsCursorConfigPath([string]$path) {
     if (-not $path) { return $false }
     return ($path -match '(^|[\\/])\.cursor([\\/]|$)')
@@ -83,11 +122,36 @@ function Redact-SecretsFromIntent([string]$text) {
     return $text
 }
 
-# Extract the last user <user_query> from a Cursor transcript JSONL.
+# A <user_query> turn can actually be a HOOK-GENERATED message replayed by Cursor
+# as a user turn: final-review.ps1 and subagent-stop-review.ps1 emit a
+# {followup_message} that Cursor auto-submits as the next user turn, and the
+# self-review / intent-anchor injections get drained into additional_context.
+# If Get-LastUserQuery returns one of those, intent-anchor locks the REVIEW
+# BOILERPLATE into .scope.json as the "intent" (the contamination loop that put
+# "FINAL REVIEW (end of implementation)..." in the contract). Detect them by the
+# fixed headers the hooks emit and skip past them to the real human turn.
+function Test-IsHookGeneratedQuery([string]$text) {
+    if (-not $text) { return $false }
+    return ($text -match '(?m)^\s*(FINAL REVIEW \(end of implementation\)|SUBAGENT FINAL REVIEW|SELF-REVIEW|INTENT ANCHOR)')
+}
+
+# The final-review / subagent-review followups embed the real human request as:
+#   ORIGINAL REQUEST (...):\n---\n<request>\n---
+# When the transcript has been trimmed to just the hook turn, recover the human
+# request from that block instead of returning the boilerplate.
+function Get-EmbeddedOriginalRequest([string]$text) {
+    if (-not $text) { return '' }
+    if ($text -match '(?s)ORIGINAL REQUEST[^\r\n]*\r?\n-{3,}\r?\n(.+?)\r?\n-{3,}') {
+        return $Matches[1].Trim()
+    }
+    return ''
+}
+
+# Extract the last *human* user <user_query> from a Cursor transcript JSONL.
 # transcript is an array of {role, message} records; we walk backward from the
-# end, find the last user turn whose content has a <user_query> tag, and return
-# its text. Returns '' if there is no transcript or no user_query. Capped at
-# 2000 chars so the follow-up prompt stays bounded.
+# end, skipping hook-generated turns (see above), and return the first real human
+# turn's text. Returns '' if there is no transcript or no human user_query. Capped
+# at 2000 chars so the follow-up prompt stays bounded.
 #
 # This is the Tier 0 intent-trace primitive: the final-review hook prepends the
 # extracted request to its followup so the model must trace every diff hunk back
@@ -97,6 +161,7 @@ function Get-LastUserQuery($obj) {
     if ($obj -and $obj.PSObject.Properties['transcript_path']) { $tp = [string]$obj.transcript_path }
     if (-not $tp -or -not (Test-Path -LiteralPath $tp)) { return '' }
     $lines = @(Get-Content -LiteralPath $tp -ErrorAction SilentlyContinue)
+    $embeddedFallback = ''
     for ($i = $lines.Count - 1; $i -ge 0; $i--) {
         $line = $lines[$i]
         if (-not $line -or $line -notmatch '"role"\s*:\s*"user"') { continue }
@@ -117,10 +182,22 @@ function Get-LastUserQuery($obj) {
         }
         if ($text -match '(?s)<user_query>\s*(.+?)\s*</user_query>') {
             $q = $Matches[1].Trim()
+            # Hook-generated turn -> not the human's words. Remember the embedded
+            # ORIGINAL REQUEST (from the most recent such turn) and keep walking.
+            if (Test-IsHookGeneratedQuery $q) {
+                if (-not $embeddedFallback) { $embeddedFallback = Get-EmbeddedOriginalRequest $q }
+                continue
+            }
             if ($q.Length -gt 2000) { $q = $q.Substring(0, 2000) + '...' }
             return (Redact-SecretsFromIntent $q)
         }
     }
+    # No real human turn survived in the transcript -> fall back to the request
+    # embedded in the latest hook followup, if we found one.
+    if ($embeddedFallback) {
+        if ($embeddedFallback.Length -gt 2000) { $embeddedFallback = $embeddedFallback.Substring(0, 2000) + '...' }
+        return (Redact-SecretsFromIntent $embeddedFallback)
+    }
     return ''
 }
 

package/windows/hooks/intent-anchor.ps1

@@ -76,16 +76,21 @@ if (Test-Path $latch) {
 # Already injected this turn -> quiet. Latch cleared at every stop.
 if (Test-Path $latch) { exit 0 }
 
-# --- current request (best-effort; absent in sandboxed runs) -----------------
-$currentQuery = Get-LastUserQuery $obj
+# --- current request ---------------------------------------------------------
+# PREFER the prompt stashed by intent-precompile (beforeSubmitPrompt): it is the
+# verbatim request captured straight from the payload, available on the FIRST
+# postToolUse of the turn and immune to <user_query> contamination. Fall back to
+# transcript parsing only when the prompt hook did not run (older Cursor without
+# beforeSubmitPrompt, or a sandboxed run). Both sources share Get-Sha256Hex so
+# the contract's _intent_hash is consistent across the two hooks.
+$currentQuery = Get-StashedPrompt $cid
+if ([string]::IsNullOrWhiteSpace($currentQuery)) { $currentQuery = Get-LastUserQuery $obj }
 $hasQuery = -not [string]::IsNullOrWhiteSpace($currentQuery)
 
 $currentHash = ''
 $promptChanged = $false
 if ($hasQuery) {
-    $bytes  = [System.Text.Encoding]::UTF8.GetBytes($currentQuery)
-    $hasher = [System.Security.Cryptography.SHA256]::Create()
-    $currentHash = -join ($hasher.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
+    $currentHash = Get-Sha256Hex $currentQuery
     $prevHash = ''
     if (Test-Path $hashFile) { $prevHash = (Get-Content $hashFile -Raw -ErrorAction SilentlyContinue).Trim() }
     $promptChanged = ($currentHash -ne $prevHash)
@@ -127,12 +132,14 @@ if (Test-Path -LiteralPath $scopePath) {
         if ([string]::IsNullOrWhiteSpace($scopeFiles)) { $scopeFiles = '(none yet - auto-tracked as you edit)' }
         $scopeExists = $true
         $scopeHasHash = ($sj.PSObject.Properties['_intent_hash'] -and -not [string]::IsNullOrWhiteSpace([string]$sj._intent_hash))
-        # Hollow = no real intent on disk: empty, or still the hook's <TODO> placeholder.
+        # Hollow = no real intent on disk: empty, the hook's <TODO> placeholder, OR
+        # hook-generated review boilerplate that a stale extractor locked in as the
+        # intent (the contamination loop - "FINAL REVIEW (end of implementation)...").
         # A hollow contract is worse than none (it looks owned, so neither hook nor agent
-        # fills it; scope-gate appends files to it and final-review audits against <TODO>).
+        # fills it; scope-gate appends files to it and final-review audits against garbage).
         # Treat it as unusable: regenerate when we can read the request, else hand the agent
         # the pre-compile demand to write a real one.
-        $scopeHollow = ([string]::IsNullOrWhiteSpace($scopeIntent) -or $scopeIntent -match '^\s*<TODO')
+        $scopeHollow = ([string]::IsNullOrWhiteSpace($scopeIntent) -or $scopeIntent -match '^\s*<TODO' -or (Test-IsHookGeneratedQuery $scopeIntent))
         # Staleness, hash-agnostic so it survives MODEL-written contracts:
         #   - hook-written (has _intent_hash): stale when that hash != current query hash.
         #   - model-written (no _intent_hash - the legacy pre-compile.md schema): we cannot
@@ -178,10 +185,11 @@ if ($shouldCreate -or $shouldRegen) {
     try {
         $intentVal  = $currentQuery
         $traceQuery = $currentQuery
+        $defaultAcceptance = Get-DefaultAcceptance
         $scaffold = [ordered]@{
             intent        = $intentVal
             files         = @()
-            acceptance    = '<TODO: the one deterministic check that decides done>'
+            acceptance    = $defaultAcceptance
             allow_growth  = $false
             trace         = [ordered]@{ query = $traceQuery; ts = (Get-Date).ToString('o') }
             _intent_hash  = $currentHash
@@ -190,7 +198,7 @@ if ($shouldCreate -or $shouldRegen) {
         $json = $scaffold | ConvertTo-Json -Depth 8
         [System.IO.File]::WriteAllText($scopePath, $json, [System.Text.UTF8Encoding]::new($false))
         $scopeIntent     = $intentVal
-        $scopeAcceptance = '<TODO: the one deterministic check that decides done>'
+        $scopeAcceptance = $defaultAcceptance
         $scopeFiles      = '(auto-tracked - the scope hook records every file you edit)'
         $scopeExists     = $true
         $scopeStale      = $false
@@ -223,6 +231,15 @@ if ($needsHeal -and -not $regenerated) {
 # to scaffold from), or re-injecting an existing current contract.
 $queryLine = if ($hasQuery) { $currentQuery } else { '(current request unavailable - no transcript in this event)' }
 
+# acceptance is seeded with a real default (never a bare <TODO>), but the default
+# is generic - the contract is not "done being set up" until the agent sharpens it
+# to the ONE deterministic check. Detect the unsharpened state and make it a loud,
+# repeated demand each turn until the agent replaces it.
+$acceptanceUnsharpened = ($scopeAcceptance -match '^\s*<TODO' -or $scopeAcceptance -eq (Get-DefaultAcceptance) -or $scopeAcceptance -match 'Sharpen to the one deterministic check')
+$acceptanceDemand = if ($acceptanceUnsharpened) {
+    "`n`n>> acceptance is still the seeded default. Your FIRST action this turn is a targeted string-replace on .scope.json setting acceptance to the one deterministic check that decides done - then do the work."
+} else { '' }
+
 if ($regenerated) {
     $msg = @"
 INTENT ANCHOR (scope regenerated) - .scope.json written for this prompt.
@@ -233,9 +250,9 @@ INTENT ANCHOR (scope regenerated) - .scope.json written for this prompt.
 
 The hook wrote a fresh scaffold to $scopePath from your current request. intent
 is locked from what you just asked. files[] is AUTO-TRACKED - the scope hook
-records every file you edit, so do not maintain it by hand. Set acceptance to
-the one deterministic check that decides done, THEN proceed. This contract will
-be re-injected every turn until your request changes again.
+records every file you edit, so do not maintain it by hand. acceptance is seeded
+with a sensible default; sharpen it to the one deterministic check, THEN proceed.
+This contract will be re-injected every turn until your request changes again.$acceptanceDemand
 "@
 } elseif (-not $scopeExists -or $scopeHollow) {
     $state = if ($scopeHollow) { "the .scope.json in $root is only a <TODO> placeholder (the hook could not read your request to fill it)" } else { "no .scope.json found in $root, and the current request was unavailable to scaffold from" }
@@ -269,7 +286,7 @@ INTENT ANCHOR (re-injected this turn from .scope.json) - your contract. Do not d
   acceptance: $scopeAcceptance
 
 $driftNote If a constraint above conflicts with what you are about to do, stop
-and reconcile - the contract outranks momentum.
+and reconcile - the contract outranks momentum.$acceptanceDemand
 "@
 }
 

package/windows/hooks/intent-precompile.ps1

@@ -0,0 +1,104 @@
+# intent-precompile.ps1 - beforeSubmitPrompt "contract first" writer (Cursor).
+#
+# THE FIX for "el .scope.json se crea casi al final": creation used to live on
+# postToolUse (intent-anchor), which fires only AFTER the agent's first tool and
+# depends on the transcript becoming readable to detect the prompt. Until then the
+# PREVIOUS prompt's intent persisted and the agent worked under it - the scope
+# only flipped to the right intent late in the turn.
+#
+# beforeSubmitPrompt fires "right after the user hits send, before the backend
+# request" - the earliest possible moment, BEFORE the agent's first token - and
+# its payload carries the user's `prompt` DIRECTLY (no <user_query> extraction, no
+# transcript dependency, no hook-followup contamination). So this hook writes
+# .scope.json with the real intent up front, making the contract the FIRST artifact
+# of the turn, which the agent then governs by.
+#
+# It does TWO things, both deterministic:
+#   1. STASH the verbatim prompt to current-prompt-<cid>.txt. intent-anchor prefers
+#      this over transcript parsing, so both hooks hash the SAME text and never
+#      fight over _intent_hash.
+#   2. WRITE / REGENERATE .scope.json from the prompt when it is new (hash differs)
+#      or missing. Same prompt as on disk -> leave it (preserve the agent's refined
+#      intent / acceptance / files within the turn). acceptance is seeded with a
+#      real default (Get-DefaultAcceptance), never a bare <TODO>.
+#
+# Hook-generated submits (final-review / subagent-review followups that Cursor
+# auto-submits) are SKIPPED: their prompt is review boilerplate, not the user's
+# request - stashing or regenerating from them is the contamination loop.
+#
+# Never blocks submission (no `continue:false`); writes files as a side effect and
+# exits 0. Disable: HOOKS_ENFORCE=0 or INTENT_ANCHOR_ENFORCE=0 (shares the
+# intent-anchor kill switch - they are one subsystem).
+
+$ErrorActionPreference = 'SilentlyContinue'
+. "$PSScriptRoot\hook-common.ps1"
+
+if ($env:HOOKS_ENFORCE -eq '0' -or $env:INTENT_ANCHOR_ENFORCE -eq '0') { exit 0 }
+
+$obj = Read-HookStdinJson
+if (-not $obj) { exit 0 }
+
+# --- the prompt (direct from payload - the whole point of this event) --------
+$prompt = ''
+if ($obj.PSObject.Properties['prompt']) { $prompt = [string]$obj.prompt }
+$prompt = $prompt.Trim()
+if ([string]::IsNullOrWhiteSpace($prompt)) { exit 0 }
+
+# Auto-submitted hook followups (FINAL REVIEW / SUBAGENT / SELF-REVIEW / INTENT
+# ANCHOR) are not the user's request. Leave the real contract intact.
+if (Test-IsHookGeneratedQuery $prompt) { exit 0 }
+
+$prompt = Redact-SecretsFromIntent $prompt
+
+$cid = Get-SafeConversationId $obj
+$pendingDir = Get-HooksPendingDir
+
+# --- repo root (workspace_roots / cwd; NO $HOME fallback - no ghost files) ----
+$root = ''
+$cands = @()
+if ($obj.PSObject.Properties['cwd'] -and $obj.cwd) { $cands += [string]$obj.cwd }
+if ($obj.PSObject.Properties['workspace_roots']) { foreach ($w in $obj.workspace_roots) { $cands += [string]$w } }
+foreach ($c in $cands) { $f = ConvertTo-FwdPath $c; if ($f -and (Test-Path -LiteralPath $f)) { $root = $f.TrimEnd('/'); break } }
+if (-not $root -and $env:CURSOR_PROJECT_DIR) {
+    $cpd = $env:CURSOR_PROJECT_DIR.Replace('\', '/').TrimEnd('/')
+    if (Test-Path -LiteralPath $cpd) { $root = $cpd }
+}
+if (-not $root) { exit 0 }
+
+# --- stash the prompt so intent-anchor reads the same ground-truth text -------
+try {
+    New-Item -ItemType Directory -Path $pendingDir -Force | Out-Null
+    [System.IO.File]::WriteAllText((Get-CurrentPromptPath $cid), $prompt, [System.Text.UTF8Encoding]::new($false))
+} catch { }
+
+# --- write / regenerate .scope.json (hash-gated) ------------------------------
+$currentHash = Get-Sha256Hex $prompt
+$scopePath = Join-Path $root '.scope.json'
+$onDiskHash = ''
+if (Test-Path -LiteralPath $scopePath) {
+    try {
+        $sj = Get-Content -LiteralPath $scopePath -Raw | ConvertFrom-Json
+        if ($sj.PSObject.Properties['_intent_hash']) { $onDiskHash = [string]$sj._intent_hash }
+    } catch { $onDiskHash = '' }   # malformed -> regenerate
+}
+
+# Same prompt already locked (by a prior fire this turn, or by the agent who may
+# have refined intent/acceptance/files) -> leave it. Only (re)write on a NEW or
+# missing/garbage contract.
+if ($onDiskHash -eq $currentHash) { exit 0 }
+
+try {
+    $scaffold = [ordered]@{
+        intent        = $prompt
+        files         = @()
+        acceptance    = (Get-DefaultAcceptance)
+        allow_growth  = $false
+        trace         = [ordered]@{ query = $prompt; ts = (Get-Date).ToString('o') }
+        _intent_hash  = $currentHash
+        _generated_by = 'intent-precompile hook (beforeSubmitPrompt)'
+    }
+    $json = $scaffold | ConvertTo-Json -Depth 8
+    [System.IO.File]::WriteAllText($scopePath, $json, [System.Text.UTF8Encoding]::new($false))
+} catch { }
+
+exit 0

package/windows/hooks.json

@@ -1,6 +1,13 @@
 {
   "version": 1,
   "hooks": {
+    "beforeSubmitPrompt": [
+      {
+        "command": "pwsh.exe -NoProfile -File ~/.agents/hooks/intent-precompile.ps1",
+        "timeout": 5,
+        "_comment": "5s: CONTRACT FIRST. Fires right after the user hits send, BEFORE the agent's first token, with the user's `prompt` in the payload directly. Writes/regenerates .scope.json (intent locked from the prompt, acceptance seeded with a real default - never a bare <TODO>) so the contract is the FIRST artifact of the turn instead of appearing late once postToolUse can read the transcript. Also stashes the verbatim prompt to current-prompt-<cid>.txt so intent-anchor (postToolUse) re-injects from the SAME ground-truth text - no <user_query> contamination, no _intent_hash fights. Skips hook-generated auto-submits (FINAL REVIEW / SUBAGENT / SELF-REVIEW). Hash-gated: same prompt on disk -> left intact (preserves the agent's refined intent/acceptance/files). Never blocks submission, always exits 0. Disable: HOOKS_ENFORCE=0 or INTENT_ANCHOR_ENFORCE=0."
+      }
+    ],
     "sessionStart": [
       {
         "command": "pwsh.exe -NoProfile -File ~/.cursor/inject-doctrine.ps1",

package/windows/pre-compile.md

@@ -53,23 +53,30 @@ Answer these four, terse, in your first response. One phrase each, not prose:
 
 ## Materialize it: .scope.json (the hook owns this file)
 
-The `intent-anchor` hook creates and maintains `.scope.json` in the repo root for
-you, automatically, on the first tool of every turn:
-  - `intent` is seeded from your verbatim request and REFRESHED when the request
-    changes — a new prompt regenerates the contract and resets `files[]`, so it
-    never carries over between features;
+The contract is written for you **before your first token**: the `intent-precompile`
+hook fires on `beforeSubmitPrompt` (right after the user hits send) and writes
+`.scope.json` to the repo root with the real `intent` already locked from the
+request — so the contract is the FIRST artifact of the turn, and you govern by it
+from the very first action. `intent-anchor` then re-injects it on every tool
+boundary to keep it in focus.
+  - `intent` is locked from the request and REFRESHED when the request changes — a
+    new prompt regenerates the contract and resets `files[]`, so it never carries
+    over between features;
   - `files[]` is auto-recorded — the scope hook appends every file you edit, so
     you never maintain it by hand;
+  - `acceptance` is SEEDED with a real default (never a bare `<TODO>`); it is not a
+    blank you must fill, it is a draft you SHARPEN;
   - `trace.query` is the VERBATIM request (the audit anchor), `_intent_hash` and
     `_generated_by` are hook bookkeeping. Leave all three alone.
 
 Your two targeted edits on the contract (each a string replace on ONE field, never
-a whole-file rewrite):
-  - **`intent`** → replace the verbatim seed with your Step 0 restatement: the
-    normalized, meaning-preserving sentence. This is what final-review axis 0
-    traces each diff hunk against, so a clean `intent` makes the audit sharp.
-  - **`acceptance`** → set the single deterministic check that decides done, which
-    the hook cannot derive.
+a whole-file rewrite), done as your FIRST actions this turn before editing source:
+  - **`intent`** → replace the seed with your Step 0 restatement: the normalized,
+    meaning-preserving sentence. This is what final-review axis 0 traces each diff
+    hunk against, so a clean `intent` makes the audit sharp.
+  - **`acceptance`** → sharpen the seeded default to the single deterministic check
+    that decides done, which the hook cannot derive. The hook re-injects a loud
+    demand every turn until you do.
 
 Do **NOT** touch `trace.query`, `_intent_hash`, or `_generated_by`, and do **NOT**
 rewrite the whole file: `_intent_hash` is computed from the verbatim `trace.query`,
@@ -82,11 +89,11 @@ changed the meaning: `intent` and `trace.query` must agree.
 {
   "intent":       "<YOU refine this: your normalized Step 0 restatement>",
   "files":        ["<auto-recorded by the hook as you edit>"],
-  "acceptance":   "<YOU set this: the deterministic check that decides done>",
+  "acceptance":   "<seeded with a default; YOU sharpen to the deterministic check>",
   "allow_growth": false,
   "trace":        { "query": "<VERBATIM request - the hook owns this, leave it>", "ts": "<when>" },
   "_intent_hash": "<hook bookkeeping>",
-  "_generated_by":"intent-anchor hook"
+  "_generated_by":"intent-precompile / intent-anchor hook"
 }
 ```