feed-the-machine 1.7.14 → 1.7.16

package/ftm-executor/SKILL.md

@@ -370,12 +370,12 @@ For EACH task, follow this cycle:
    - Review again
    - Repeat until clean
 
-5. **Continue** — Move to the next task. Do not stop to ask questions. If something is ambiguous, make the best technical decision and document it in your commit message.
+5. **Continue** — HARD GATE: Before moving to the next task, verify a commit was made for this task. Run `git log --oneline -1` and confirm the most recent commit message matches what you just did. If there is no commit, STOP — you skipped step 2. Go back and commit now. You CANNOT proceed to the next task without a commit. This is not optional.
 
 ## Rules
 
+- NEVER move to the next task without committing the current one. Run `git log --oneline -1` to verify. No exceptions.
 - NEVER stop to ask for input. Make decisions and keep going.
-- ALWAYS commit after each task (not one big commit at the end).
 - ALWAYS review after each commit. The review-fix loop is not optional.
 - Follow the plan's steps exactly — don't improvise unless the plan is clearly wrong.
 - Stay in your worktree. Don't touch files outside your assigned scope.

package/ftm-mind/references/decide-act-protocol.md

@@ -51,42 +51,16 @@ If next move reveals new information → plan to re-enter Observe after.
 
 ## Act
 
-### Pre-Act Checkpoint (HARD GATE)
+### Pre-Act Checkpoint
 
-Before executing ANYTHING — Bash, MCP, Write, Edit, API calls:
+Before executing, verify:
 
-1. **Checkbox plan presented?** Medium+ tasks require `N. [ ] action → target` format, approved by user. Prose is NOT a plan.
+1. **Checkbox plan presented?** Medium+ tasks require `N. [ ] action → target` format, approved by user.
 2. **User approved?** Wait for explicit go/approve/yes.
 3. **Plan marker written?** Write to `~/.claude/ftm-state/.plan-presented` after approval.
-4. **External mutations approved?** Per Approval Gates in orient-protocol.
-5. None apply (micro/small, no forced escalation) → proceed.
+4. None apply (micro/small, no forced escalation) → proceed.
 
-| Rationalization | Reality |
-|---|---|
-| "Do as much as you can" = implicit approval | That's the task description, not plan approval |
-| "I know what to do, plan is overhead" | Plan is for the USER |
-| "Just one small API call first" | One becomes five becomes a full unplanned execution |
-| "User seems impatient" | 30-second plan saves 10 minutes of wrong work |
-
-Applies to ALL execution methods including Bash/curl/python. The plan-gate hook catches Edit/Write/MCP; this checkpoint catches everything else.
-
-### Compare Before You Loop (MANDATORY for external systems)
-
-**Never trial-and-error. Always compare first.**
-
-1. **Find working reference** — GET a resource that already works the way you want
-2. **Diff** — compare field-by-field against the broken one. Fix is almost always a small, specific difference
-3. **Targeted change** — change ONLY what the diff revealed. Verify after each change
-
-**Loop detection red flags:**
-- 3+ API calls to same system without success
-- Trying different URL formats (underscore vs hyphen, internal vs display ID)
-- Shuffling payload fields hoping one works
-- Reading API docs for endpoint paths (playbook should have this)
-
-**On detection:** STOP. Tell user: "Tried N approaches, none worked. Comparing against working reference." Do step 1.
-
-See `references/incidents.md` → Braintrust Incident for the cost of skipping this.
+**Note**: The `ftm-guard` hook enforces approval gates, destructive action prevention, playbook checks, and loop detection at the tool-call level. You don't need to self-check these — the hook will stop you. But you should still present plans and get approval before acting.
 
 ### 1. Direct action
 
@@ -98,11 +72,11 @@ Show one routing line, then invoke: `Routing to ftm-debug: flaky failure with di
 
 ### 3. MCP execution
 
-Parallel reads, sequential writes, approval gates for external-facing actions.
+Parallel reads, sequential writes. The ftm-guard hook handles approval gates for external-facing actions.
 
 ### 3.5 Draft-before-send
 
-Slack/email/outbound comms → save to `.ftm-drafts/` first. Filename: `YYYY-MM-DD_HH-MM_<type>_<recipient>.md`. Present for approval, update status on send/cancel.
+Slack/email/outbound comms → save to `.ftm-drafts/` AND `~/.claude/ftm-ops/drafts/` first. Filename: `YYYY-MM-DD_HH-MM_<type>_<recipient>.md`. Present for approval, update status on send/cancel.
 
 ### 4. Blackboard updates (mandatory)
 

package/ftm-mind/references/orient-protocol.md

@@ -56,54 +56,6 @@ Look for the arc, not just the last message:
 
 Check: dirty worktree, recent commits, active branch, in-progress changes, conflicts with request. Clean tree = lower cost of direct action. Uncommitted changes = continuity and risk.
 
-## Approval Gates (HARD STOP)
-
-**Circuit breaker. External mutations require explicit user approval. No exceptions.**
-
-See `references/incidents.md` → Hindsight Incident for why this exists.
-
-### Requires approval (STOP before each)
-
-Every individual external mutation. "User approved the plan" ≠ "user approved every API call."
-
-- **Okta**: create apps/groups, assign users, modify policies
-- **Freshservice**: create tickets/records/catalog items/custom objects
-- **Jira/Confluence**: create/update issues, pages, comments
-- **Slack/Email**: send messages (draft-before-send applies)
-- **Calendar**: create/modify events
-- **S3/cloud**: write/modify objects
-- **Browser forms**: submit data
-- **Deploys**: any production-affecting operation
-- **Git remote**: push, PR creation
-
-Batch by phase — not per-call, not whole-plan.
-
-### Destructive Actions (EXTRA HARD GATE)
-
-**NEVER delete/recreate external resources without per-resource user confirmation.**
-
-- DELETE any external resource
-- Recreate (delete + create) — new ID breaks all automation referencing the old one
-- Overwrite S3 objects other systems read
-- Remove users from groups, deactivate accounts
-- Close/resolve tickets others watch
-
-When you can't update via API: tell the user, suggest manual fix (admin UI link + steps). Only delete if user explicitly confirms with dependency awareness. See `references/incidents.md` → Braintrust Incident.
-
-### Auto-proceeds (no approval)
-
-Local edits, tests, lint, builds, audits, local git, GET requests, blackboard reads/writes, saving drafts.
-
-### Rationalization traps
-
-| Thought | Reality |
-|---|---|
-| "The user clearly wants this" | Present the action, wait for approval |
-| "It's part of the approved plan" | Each mutation needs its own gate |
-| "I already started" | Sunk cost. Stop and ask |
-| "Just one more API call" | That's how incidents start |
-| "User will appreciate proactivity" | User will appreciate not breaking things |
-
 ## Blackboard-First Rule (before any access/auth questions)
 
 Before asking about credentials, API access, or authorization:
@@ -148,8 +100,19 @@ Load active tasks, surface high-priority via TaskCreate. Skip if brain.py absent
 2. `ls docs/playbooks/` in current repo
 3. Blackboard experiences filtered by target system tags — check `code_patterns` and `api_gotchas`
 
-If any source has relevant content, read it before writing code. See `references/incidents.md` → Braintrust Incident for what happens when you skip this.
+If any source has relevant content, read it before writing code. After checking, write a marker: `~/.claude/ftm-state/.playbook-checked-{system}` so the ftm-guard hook knows you checked.
 
 ## Orient Synthesis
 
 Before leaving Orient, have one clear internal picture: what the user wants, task type, session continuity, codebase constraints, relevant lessons/patterns, capability mix, correct task size, whether approval or clarification is needed. Orient is complete when the next move feels obvious.
+
+## Safety Protocols
+
+**Approval gates, destructive action prevention, compare-before-you-loop, and loop detection are enforced by the `ftm-guard` hook**, which fires on every mutating tool call automatically. You do not need to self-enforce these — the hook will inject warnings if you're about to do something dangerous. But you should still be aware of them:
+
+- External mutations need user approval per-phase (not per-call, not whole-plan)
+- Destructive actions (delete, recreate) need per-resource confirmation
+- 3+ failed API calls = stop and compare against a working reference
+- Never trial-and-error; always diff a working resource first
+
+See `references/incidents.md` for the full incident history behind these rules.

package/hooks/ftm-guard.sh

@@ -0,0 +1,121 @@
+#!/bin/sh
+# ftm-guard.sh
+# Safety system for all Claude Code sessions with ftm installed.
+# Fires on PreToolUse for mutating tools. Injects safety context
+# before Claude executes external mutations, destructive actions,
+# or enters trial-and-error loops.
+#
+# Hook: PreToolUse (matcher: Edit|Write|Bash|mcp__*)
+#
+# This is NOT gated on ftm session state — it protects ALL sessions.
+
+set -eu
+
+INPUT=$(cat)
+TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // ""' 2>/dev/null)
+
+# Only gate mutating operations
+IS_MUTATING=false
+
+case "$TOOL_NAME" in
+  Edit|Write) IS_MUTATING=true ;;
+  Bash)
+    # Check if the bash command contains mutating API patterns
+    COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // ""' 2>/dev/null)
+    case "$COMMAND" in
+      *deleteFS*|*delete_custom_object*|*DELETE*|*putFS*|*postFS*) IS_MUTATING=true ;;
+      *"curl -X DELETE"*|*"curl -X PUT"*|*"curl -X POST"*|*"curl -X PATCH"*) IS_MUTATING=true ;;
+      *"requests.delete"*|*"requests.put"*|*"requests.post"*|*"requests.patch"*) IS_MUTATING=true ;;
+    esac
+    ;;
+esac
+
+# Also catch mutating MCP calls
+case "$TOOL_NAME" in
+  mcp__*create*|mcp__*update*|mcp__*delete*|mcp__*send*|mcp__*add*|mcp__*remove*|mcp__*apply*|mcp__*transition*|mcp__*commit*|mcp__*push*|mcp__*post_message*|mcp__*reply*|mcp__*modify*|mcp__*batch*|mcp__*convert*)
+    IS_MUTATING=true ;;
+esac
+
+if [ "$IS_MUTATING" != "true" ]; then
+  exit 0
+fi
+
+# --- Build safety context based on what's about to happen ---
+
+FTM_STATE="$HOME/.claude/ftm-state"
+CONTEXT_PARTS=""
+
+# Check 1: Is this a destructive action?
+IS_DESTRUCTIVE=false
+case "$TOOL_NAME" in
+  mcp__*delete*|mcp__*remove*) IS_DESTRUCTIVE=true ;;
+esac
+case "${COMMAND:-}" in
+  *deleteFS*|*delete_custom_object*|*"curl -X DELETE"*|*"requests.delete"*|*DELETE*) IS_DESTRUCTIVE=true ;;
+esac
+
+if [ "$IS_DESTRUCTIVE" = "true" ]; then
+  CONTEXT_PARTS="$CONTEXT_PARTS [DESTRUCTIVE ACTION GATE] You are about to DELETE an external resource. STOP. Confirm with the user FIRST — name the specific resource being deleted and warn about downstream dependencies (workflow configs, automation references, lookup fields). Never delete-and-recreate to fix something. See ftm-mind/references/incidents.md -> Braintrust Incident."
+fi
+
+# Check 2: Is there a playbook for this system?
+SYSTEM=""
+case "$TOOL_NAME" in
+  mcp__freshservice*) SYSTEM="freshservice" ;;
+  mcp__mcp-atlassian*) SYSTEM="jira" ;;
+  mcp__slack*) SYSTEM="slack" ;;
+  mcp__gmail*) SYSTEM="gmail" ;;
+esac
+# Also detect from bash commands
+case "${COMMAND:-}" in
+  *freshservice*|*getFS*|*putFS*|*postFS*|*deleteFS*) SYSTEM="freshservice" ;;
+  *okta*|*OktaGroup*|*OktaUser*) SYSTEM="okta" ;;
+esac
+
+if [ -n "$SYSTEM" ]; then
+  # Check if playbook was consulted this session
+  PLAYBOOK_MARKER="$FTM_STATE/.playbook-checked-$SYSTEM"
+  if [ ! -f "$PLAYBOOK_MARKER" ]; then
+    CONTEXT_PARTS="$CONTEXT_PARTS [PLAYBOOK CHECK] You are calling $SYSTEM APIs. Did you check for playbooks FIRST? Run: brain.py --playbook-match and check docs/playbooks/ and blackboard experiences with code_patterns. If you haven't, STOP and check now. Write to $PLAYBOOK_MARKER after checking."
+  fi
+fi
+
+# Check 3: Loop detection — count recent failures for this system
+ERROR_TRACKER="$FTM_STATE/.error-tracker.jsonl"
+if [ -f "$ERROR_TRACKER" ] && [ -n "$SYSTEM" ]; then
+  NOW=$(date +%s)
+  RECENT_ERRORS=$(python3 -c "
+import json
+count = 0
+cutoff = $NOW - 600
+for line in open('$ERROR_TRACKER'):
+    line = line.strip()
+    if not line: continue
+    try:
+        ev = json.loads(line)
+        if ev.get('module','').lower().find('$SYSTEM') >= 0 and ev.get('type') == 'error' and ev.get('ts',0) >= cutoff:
+            count += 1
+    except: pass
+print(count)
+" 2>/dev/null || echo "0")
+
+  if [ "$RECENT_ERRORS" -ge 3 ]; then
+    CONTEXT_PARTS="$CONTEXT_PARTS [LOOP DETECTED] $RECENT_ERRORS recent errors on $SYSTEM in the last 10 minutes. STOP trial-and-error. Find a WORKING reference resource, GET it, diff field-by-field against the broken one, and make targeted changes. The answer is in the diff, not in your next guess."
+  fi
+fi
+
+# Output combined safety context if any checks triggered
+if [ -n "$CONTEXT_PARTS" ]; then
+  # Escape for JSON
+  ESCAPED=$(echo "$CONTEXT_PARTS" | sed 's/"/\\"/g' | tr '\n' ' ')
+  cat <<JSONEOF
+{
+  "hookSpecificOutput": {
+    "hookEventName": "PreToolUse",
+    "additionalContext": "[ftm-guard]$ESCAPED"
+  }
+}
+JSONEOF
+fi
+
+exit 0

package/hooks/settings-template.json

@@ -22,6 +22,16 @@
             "timeout": 5
           }
         ]
+      },
+      {
+        "matcher": "Bash|mcp__freshservice-mcp|mcp__mcp-atlassian|mcp__slack|mcp__gmail|mcp__git",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/ftm-guard.sh",
+            "timeout": 5
+          }
+        ]
       }
     ],
     "UserPromptSubmit": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "feed-the-machine",
-  "version": "1.7.14",
+  "version": "1.7.16",
   "description": "A brain upgrade for Claude Code — 26 skills that teach it how to think before acting, remember across conversations, debug like a war room, run plans on autopilot with agent teams, and get second opinions from GPT & Gemini. Plus 15 hooks that automate the boring stuff.",
   "license": "MIT",
   "author": "kkudumu",