moflo 4.10.12 → 4.10.13

package/dist/src/cli/commands/doctor-checks-config.js

@@ -3,12 +3,12 @@
  * config files, statusLine, daemon, MCP servers, moflo.yaml compliance,
  * test directories.
  */
-import { existsSync, readFileSync, statSync } from 'fs';
-import { join } from 'path';
+import { existsSync, readFileSync, readdirSync, statSync } from 'fs';
+import { join, relative } from 'path';
 import os from 'os';
 import { findProjectDaemonPids, getDaemonLockHolder, getDaemonLockPayload, } from '../services/daemon-lock.js';
 import { resolveClientPort, LEGACY_DEFAULT_PORT, probeDaemonHealthWithRetry as probeDaemonHealthIdentity, normalizeProjectRoot, } from '../services/daemon-port.js';
-import { LEGACY_SWARM_DIR, memoryDbCandidatePaths, memoryDbPath, } from '../services/moflo-paths.js';
+import { COMMON_WALK_SKIP_NAMES, LEGACY_SWARM_DIR, memoryDbCandidatePaths, memoryDbPath, } from '../services/moflo-paths.js';
 import { probeDbIntegrity } from '../services/memory-db-integrity-repair.js';
 import { findProjectRoot } from '../services/project-root.js';
 import { errorDetail } from '../shared/utils/error-detail.js';
@@ -303,6 +303,10 @@ export async function checkSwarmResidue() {
         'sona-patterns.json',
         'state.json',
         'code-map-hash.txt',
+        // patterns-hash.txt + tests-hash.txt are pre-#699 residue (writers now
+        // target `.moflo/` directly). Surfaced + migrated by #1170.
+        'patterns-hash.txt',
+        'tests-hash.txt',
         'hooks.log',
         'background.log',
     ];
@@ -317,6 +321,128 @@ export async function checkSwarmResidue() {
         fix: 'flo healer --fix -c swarm-residue',
     };
 }
+/**
+ * Cap on `found.length` so a pathological monorepo (or adversarial layout)
+ * can't accumulate an unbounded array. 50 islands is already 50× more than
+ * any legitimate consumer should ever have; surfacing more would just bury
+ * the actionable signal in noise. Setting `truncated = true` signals the
+ * walker stopped early so the doctor message can hint at re-running with
+ * something more targeted.
+ */
+const NESTED_BFS_MAX_FOUND = 50;
+function scanNestedMofloDirs(root, maxDepth = 5) {
+    const found = [];
+    let truncated = false;
+    function walk(dir, depth) {
+        if (found.length >= NESTED_BFS_MAX_FOUND) {
+            truncated = true;
+            return;
+        }
+        let entries;
+        try {
+            entries = readdirSync(dir, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            if (!entry.isDirectory())
+                continue;
+            const lower = entry.name.toLowerCase();
+            if (COMMON_WALK_SKIP_NAMES.has(lower))
+                continue;
+            // Skip any .moflo* directory — both the canonical `.moflo` (we're
+            // looking for nested ones, not this level's own) and archived
+            // `.moflo-archived-*` produced by `flo doctor --fix`.
+            if (lower.startsWith('.moflo'))
+                continue;
+            if (entry.name.startsWith('.') && depth > 0)
+                continue;
+            const childDir = join(dir, entry.name);
+            if (existsSync(join(childDir, '.moflo', 'moflo.db'))) {
+                found.push(childDir);
+                if (found.length >= NESTED_BFS_MAX_FOUND) {
+                    truncated = true;
+                    return;
+                }
+                // Don't recurse below a nested island — its own descendants would
+                // be conflated under that residue.
+                continue;
+            }
+            if (depth + 1 > maxDepth) {
+                truncated = true;
+                continue;
+            }
+            walk(childDir, depth + 1);
+            if (found.length >= NESTED_BFS_MAX_FOUND)
+                return;
+        }
+    }
+    walk(root, 0);
+    return { islands: found, truncated };
+}
+function findNestedMofloDirs(root, maxDepth = 5) {
+    return scanNestedMofloDirs(root, maxDepth).islands;
+}
+/**
+ * Public wrapper for the BFS used by `checkNestedMofloIslands`. Exposed so
+ * `doctor-fixes.ts:fixNestedMofloIslands` can enumerate the same set without
+ * duplicating the skip-list / depth-bound logic. Returns parent directories
+ * (the consumer joins `.moflo` itself).
+ */
+export function findNestedMofloDirsForFix(root) {
+    return findNestedMofloDirs(root);
+}
+/**
+ * Surface nested `.moflo/moflo.db` directories — every one of them is a daemon
+ * island in a monorepo (#1174). The MCP server, daemon, and CLI tools each
+ * resolve their own anchor via cwd; pre-#1174 the resolver returned the
+ * *nearest* ancestor, so subdirectory invocations silently spawned isolated
+ * daemons with separate sockets, ports, registries, and vector state.
+ *
+ * Status semantics:
+ *  - `pass` — no nested `.moflo/` directories under the canonical project root.
+ *  - `warn` — one or more nested `.moflo/` directories detected; lists each
+ *    with its relative path. `fix` points at the auto-fix that archives them.
+ *
+ * Auto-fix (`fixNestedMofloIslands` in doctor-fixes.ts) renames each nested
+ * `.moflo/` to `.moflo-archived-<ISO>/` so the user can manually inspect or
+ * restore them. Daemons running out of those nested directories are stopped
+ * first.
+ */
+export async function checkNestedMofloIslands(cwd) {
+    const root = cwd ?? findProjectRoot();
+    let scan;
+    try {
+        scan = scanNestedMofloDirs(root);
+    }
+    catch (e) {
+        return {
+            name: 'Nested .moflo/ Islands',
+            status: 'warn',
+            message: `Walk failed: ${errorDetail(e, { firstLineOnly: true })}`,
+        };
+    }
+    const { islands, truncated } = scan;
+    if (islands.length === 0) {
+        const baseMsg = 'No nested .moflo/ directories detected';
+        return {
+            name: 'Nested .moflo/ Islands',
+            status: truncated ? 'warn' : 'pass',
+            message: truncated
+                ? `${baseMsg} within depth-5 walk — deeper subtrees not inspected`
+                : baseMsg,
+        };
+    }
+    const rels = islands.map(p => relative(root, p) || '.');
+    const truncNote = truncated ? ' (walk truncated at depth 5 — deeper islands may exist)' : '';
+    return {
+        name: 'Nested .moflo/ Islands',
+        status: 'warn',
+        message: `${islands.length} nested .moflo/ ${islands.length === 1 ? 'directory' : 'directories'} (#1174): ${rels.join(', ')}${truncNote}`,
+        fix: 'flo healer --fix -c nested-moflo',
+    };
+}
 /**
  * Tier-1 corruption probe for `.moflo/moflo.db`. Runs `PRAGMA integrity_check`
  * via a raw node:sqlite readonly handle — bypasses `openBackend` because that

package/dist/src/cli/commands/doctor-fixes.js

@@ -11,7 +11,7 @@ import { output } from '../output.js';
 import { errorDetail } from '../shared/utils/error-detail.js';
 import { atomicWriteFileSync } from '../shared/utils/atomic-file-write.js';
 import { repairHookWiring } from '../services/hook-wiring.js';
-import { getDaemonLockHolder } from '../services/daemon-lock.js';
+import { findProjectDaemonPids, getDaemonLockHolder } from '../services/daemon-lock.js';
 import { findProjectRoot } from '../services/project-root.js';
 import { legacyMemoryDbPath, legacyMemoryDbBakPath, memoryDbPath, mofloDir } from '../services/moflo-paths.js';
 import { findZombieProcesses } from './doctor-zombies.js';
@@ -164,6 +164,9 @@ async function fixSwarmLegacyResidue() {
     const neuralDir = join(moflo, 'neural');
     const swarmStateDir = join(moflo, 'swarm');
     const memoryStateDir = join(moflo, 'memory');
+    // patterns-hash.txt + tests-hash.txt: writers in bin/index-patterns.mjs +
+    //   bin/index-tests.mjs already target `.moflo/` directly (post-#699). Any
+    //   `.swarm/` copies are pre-#699 residue with no active writer (#1170).
     const stateFiles = [
         { name: 'q-learning-model.json', dest: movectorDir },
         { name: 'model-router-state.json', dest: movectorDir },
@@ -173,6 +176,8 @@ async function fixSwarmLegacyResidue() {
         { name: 'sona-patterns.json', dest: neuralDir },
         { name: 'state.json', dest: swarmStateDir },
         { name: 'code-map-hash.txt', dest: memoryStateDir },
+        { name: 'patterns-hash.txt', dest: moflo },
+        { name: 'tests-hash.txt', dest: moflo },
     ];
     for (const { name, dest } of stateFiles) {
         const src = join(swarmDir, name);
@@ -237,6 +242,169 @@ async function fixSwarmLegacyResidue() {
     }
     return allMigrated;
 }
+/**
+ * Stop any moflo daemons owned by `subRoot` before archiving its `.moflo/`.
+ *
+ * Pre-#1174 nested-daemon PIDs are not visible to the canonical orphan reap
+ * (which uses the topmost projectRoot's CLI candidate paths). Calling
+ * `findProjectDaemonPids` with the SUB-root finds them. SIGTERM first, wait a
+ * brief grace, SIGKILL if still alive. On Windows, daemons holding files in
+ * `.moflo/` would otherwise cause `renameSync` to fail with EBUSY; on POSIX,
+ * the rename succeeds but the daemon's open FDs keep pointing at the inode.
+ */
+/**
+ * `process.kill` failure modes worth distinguishing:
+ *   - `ESRCH` — no such process (already exited). Treat as success.
+ *   - `EPERM` — caller lacks permission (POSIX: daemon owned by another user;
+ *     Windows: insufficient ACLs). The signal was NOT delivered. We must
+ *     report this as "remaining" so the caller doesn't archive `.moflo/`
+ *     thinking the daemon is gone.
+ *   - other — surface as remaining + log; don't crash the fix path.
+ */
+function killOutcome(err) {
+    const code = err?.code;
+    if (code === 'ESRCH')
+        return 'gone';
+    if (code === 'EPERM')
+        return 'denied';
+    return 'unknown';
+}
+async function stopNestedDaemons(subRoot) {
+    let pids = [];
+    try {
+        pids = findProjectDaemonPids(subRoot);
+    }
+    catch {
+        return { stopped: [], remaining: [], denied: [] };
+    }
+    if (pids.length === 0)
+        return { stopped: [], remaining: [], denied: [] };
+    const stopped = [];
+    const denied = [];
+    for (const pid of pids) {
+        try {
+            process.kill(pid, 'SIGTERM');
+            stopped.push(pid);
+        }
+        catch (err) {
+            const outcome = killOutcome(err);
+            if (outcome === 'gone')
+                continue; // already exited
+            if (outcome === 'denied')
+                denied.push(pid); // wrong-owner daemon
+            else
+                denied.push(pid); // unknown — treat as undelivered
+        }
+    }
+    // Poll for exit with a 1s deadline (matches the daemon-service stop loop in
+    // commands/daemon.ts). Async-by-default — busy-waiting here would pin CPU
+    // during the very contention we're waiting out (see feedback memory).
+    const deadline = Date.now() + 1000;
+    while (Date.now() < deadline) {
+        const alive = stopped.filter(pid => {
+            try {
+                process.kill(pid, 0);
+                return true;
+            }
+            catch {
+                return false;
+            }
+        });
+        if (alive.length === 0)
+            break;
+        await new Promise(resolve => setTimeout(resolve, 50));
+    }
+    const remaining = [];
+    for (const pid of stopped) {
+        let stillAlive = false;
+        try {
+            process.kill(pid, 0);
+            stillAlive = true;
+        }
+        catch { /* gone */ }
+        if (!stillAlive)
+            continue;
+        // Still alive — escalate.
+        try {
+            process.kill(pid, 'SIGKILL');
+        }
+        catch (err) {
+            if (killOutcome(err) === 'denied') {
+                denied.push(pid);
+                continue;
+            }
+            // Other errors (incl. ESRCH on race) — re-probe below.
+        }
+        try {
+            process.kill(pid, 0);
+            remaining.push(pid);
+        }
+        catch { /* gone */ }
+    }
+    return { stopped, remaining, denied };
+}
+/**
+ * Archive nested `.moflo/` directories that fragment monorepo state (#1174).
+ *
+ * Each nested `.moflo/` is renamed to `.moflo-archived-<ISO>` in place. Never
+ * deletes — sub-daemon vector state can be uniquely useful (subworkspace-
+ * specific learnings) and silently dropping it would be the wrong default.
+ * The user can manually inspect or restore archived directories.
+ *
+ * Daemon reap: before each rename, `findProjectDaemonPids(island)` enumerates
+ * any moflo daemons whose cmdline references the sub-root, then SIGTERMs them
+ * (escalates to SIGKILL after 1s). This is required for both platforms:
+ *   - Windows: `renameSync` fails with EBUSY if any file is open. Without the
+ *     reap, archive silently fails until the user manually stops the daemon.
+ *   - POSIX: rename succeeds but the daemon's open FDs keep pointing at the
+ *     inode; the daemon keeps writing to a now-archived path until it exits.
+ */
+async function fixNestedMofloIslands() {
+    const root = findProjectRoot();
+    let islands;
+    try {
+        const { findNestedMofloDirsForFix } = await import('./doctor-checks-config.js');
+        islands = findNestedMofloDirsForFix(root);
+    }
+    catch (e) {
+        output.writeln(output.warning(`  Unable to enumerate nested .moflo/: ${errorDetail(e)}`));
+        return false;
+    }
+    if (islands.length === 0)
+        return true;
+    const ts = new Date().toISOString().replace(/[:.]/g, '-');
+    let allArchived = true;
+    for (const island of islands) {
+        const src = join(island, '.moflo');
+        const dst = join(island, `.moflo-archived-${ts}`);
+        if (!existsSync(src))
+            continue;
+        // Step 1: stop any sub-daemon. The canonical projectRoot-based orphan
+        // scan can't see nested daemons; we have to enumerate from the sub-root.
+        const { stopped, remaining, denied } = await stopNestedDaemons(island);
+        if (stopped.length > 0) {
+            output.writeln(output.dim(`  ${island}: stopped daemon PID${stopped.length === 1 ? '' : 's'} ${stopped.join(', ')}.`));
+        }
+        if (denied.length > 0) {
+            output.writeln(output.warning(`  ${island}: permission denied stopping PID${denied.length === 1 ? '' : 's'} ${denied.join(', ')} — daemon owned by another user; stop it manually before re-running this fix.`));
+            allArchived = false;
+        }
+        if (remaining.length > 0) {
+            output.writeln(output.warning(`  ${island}: PID${remaining.length === 1 ? '' : 's'} ${remaining.join(', ')} survived SIGKILL — manual intervention required.`));
+            allArchived = false;
+        }
+        try {
+            renameSync(src, dst);
+            output.writeln(output.success(`  Archived: ${island}/.moflo → .moflo-archived-${ts}/`));
+        }
+        catch (e) {
+            output.writeln(output.warning(`  Failed to archive ${island}/.moflo: ${errorDetail(e)}. ` +
+                `If a process still holds files open, stop it manually and re-run \`flo doctor --fix -c nested-moflo\`.`));
+            allArchived = false;
+        }
+    }
+    return allArchived;
+}
 /**
  * Execute the fix for a failed/warned health check.
  * Returns true if the fix succeeded (re-check should pass).
@@ -589,6 +757,13 @@ export async function autoFixCheck(check) {
         'Swarm Residue': async () => {
             return fixSwarmLegacyResidue();
         },
+        // Archive nested `.moflo/` directories that fragment monorepo state
+        // (#1174). Rename, never delete — sub-daemon vector state can be unique
+        // and silently losing it would be the wrong default. The archive name
+        // includes an ISO timestamp so re-runs don't collide.
+        'Nested .moflo/ Islands': async () => {
+            return fixNestedMofloIslands();
+        },
         'Status Line': async () => {
             const settingsPath = join(process.cwd(), '.claude', 'settings.json');
             if (!existsSync(settingsPath))

package/dist/src/cli/commands/doctor-registry.js

@@ -12,7 +12,7 @@ import { checkWritersAudit } from './doctor-checks-writers-audit.js';
 import { checkSwarmFunctional, checkHiveMindFunctional, } from './doctor-checks-swarm.js';
 import { checkMemoryAccessFunctional } from './doctor-checks-memory-access.js';
 import { checkBuildTools, checkClaudeCode, checkDiskSpace, checkGit, checkGitRepo, checkNodeVersion, checkNpmVersion, } from './doctor-checks-runtime.js';
-import { checkConfigFile, checkDaemonIdentity, checkDaemonOrphan, checkDaemonStatus, checkDaemonWriteRouting, checkMcpServers, checkMemoryDatabase, checkMemoryDbIntegrity, checkMofloYamlCompliance, checkStatusLine, checkSwarmResidue, checkTestDirs, } from './doctor-checks-config.js';
+import { checkConfigFile, checkDaemonIdentity, checkDaemonOrphan, checkDaemonStatus, checkDaemonWriteRouting, checkMcpServers, checkMemoryDatabase, checkMemoryDbIntegrity, checkMofloYamlCompliance, checkNestedMofloIslands, checkStatusLine, checkSwarmResidue, checkTestDirs, } from './doctor-checks-config.js';
 import { checkSpellEngine, checkSandboxTier } from './doctor-checks-platform.js';
 import { checkEmbeddings, checkSemanticQuality, } from './doctor-checks-memory.js';
 import { checkIntelligence } from './doctor-checks-intelligence.js';
@@ -42,6 +42,10 @@ export const allChecks = [
     checkDaemonWriteRouting,
     checkWritersAudit,
     checkMemoryDatabase,
+    // Surfaces nested `.moflo/moflo.db` directories — every nested instance is
+    // a daemon island in a monorepo (#1174). Runs cheap (depth-bounded BFS,
+    // statSync only) and independent of memory-DB integrity probes.
+    checkNestedMofloIslands,
     // Surfaces leftover `.swarm/` artifacts (memory.db, router state, logs) so
     // the auto-fix can relocate or delete them. Independent of the canonical
     // DB checks — runs cheap (statSync only).
@@ -111,6 +115,10 @@ export const componentMap = {
     'writers-audit': checkWritersAudit,
     'writers': checkWritersAudit,
     'memory': checkMemoryDatabase,
+    'nested-moflo': checkNestedMofloIslands,
+    'nested': checkNestedMofloIslands,
+    'islands': checkNestedMofloIslands,
+    'monorepo': checkNestedMofloIslands,
     'swarm-residue': checkSwarmResidue,
     'residue': checkSwarmResidue,
     'memory-db-integrity': checkMemoryDbIntegrity,

package/dist/src/cli/commands/init.js

@@ -7,6 +7,7 @@ import { confirm, select, multiSelect, input } from '../prompt.js';
 import * as fs from 'fs';
 import * as path from 'path';
 import { errorDetail } from '../shared/utils/error-detail.js';
+import { findAncestorMofloRoot } from '../services/project-root.js';
 import { executeInit, executeUpgrade, executeUpgradeWithMissing, DEFAULT_INIT_OPTIONS, MINIMAL_INIT_OPTIONS, FULL_INIT_OPTIONS, } from '../init/index.js';
 // Check if project is already initialized
 function isInitialized(cwd) {
@@ -25,6 +26,38 @@ const initAction = async (ctx) => {
     const skipClaude = ctx.flags.skipClaude;
     const onlyClaude = ctx.flags.onlyClaude;
     const cwd = ctx.cwd;
+    // ── Monorepo nested-.moflo guard (#1174) ───────────────────────────
+    // Initializing inside a sub-directory whose ancestor already has
+    // .moflo/moflo.db creates a daemon island: the MCP server, daemon, and CLI
+    // tools end up bound to different daemons depending on cwd. Default to
+    // using the ancestor's state; --force lets the user opt in to a nested
+    // setup (rare, almost always a misconfiguration).
+    const ancestorMoflo = findAncestorMofloRoot(cwd);
+    if (ancestorMoflo && !force) {
+        output.printWarning('Monorepo detected: ancestor moflo project found.');
+        output.printInfo(`  Ancestor: ${ancestorMoflo}`);
+        output.printInfo(`  This directory: ${cwd}`);
+        output.writeln();
+        output.writeln('Initializing here would create a nested .moflo/ — the MCP server and CLI tools');
+        output.writeln('would silently route to different daemons depending on cwd (issue #1174). Use the');
+        output.writeln('ancestor\'s state by running moflo commands from the ancestor instead.');
+        output.writeln();
+        if (ctx.interactive && !ctx.flags.yes) {
+            const proceed = await confirm({
+                message: 'Initialize anyway (creates a nested .moflo/)?',
+                default: false,
+            });
+            if (!proceed) {
+                output.printInfo('Aborted — use the ancestor moflo project.');
+                return { success: true, message: 'aborted by user (ancestor moflo project)' };
+            }
+        }
+        else {
+            output.printError('Refusing to create a nested .moflo/. Pass --force to override, or re-run from the ancestor.');
+            return { success: false, message: 'refused: nested .moflo/ in monorepo', exitCode: 1 };
+        }
+    }
+    // ── End monorepo guard ─────────────────────────────────────────────
     // ── MoFlo Project Setup ────────────────────────────────────────────
     // Always run MoFlo init to ensure moflo.yaml, hooks, skill, and
     // CLAUDE.md are set up, regardless of other init options.

package/dist/src/cli/init/claudemd-generator.js

@@ -29,11 +29,11 @@ function mofloSection() {
 
 ### FIRST ACTION ON EVERY PROMPT: Search Memory
 
-Your first tool call MUST be \`mcp__moflo__memory_search\` — before any Glob/Grep/Read. Search \`guidance\`, \`patterns\`, and \`learnings\` every prompt; add \`code-map\` when navigating code, \`tests\` when looking for test inventory or coverage. When the user says "remember this", call \`mcp__moflo__memory_store\` with namespace \`learnings\`.
+Your first tool call MUST be \`mcp__moflo__memory_search\` — before any Glob/Grep/Read. Pick the namespace by question shape: \`code-map\` for "where is symbol X defined", \`tests\` for "what tests cover Y", \`patterns\` for "what's our pattern for Z", \`guidance\` for project rules, \`learnings\` for "did we hit this before". Pivot on the bare symbol/keyword (not a natural-language question), and trust similarity ≥ 0.80 as a confident hit. When the user says "remember this", call \`mcp__moflo__memory_store\` with namespace \`learnings\`.
 
 ### Traverse chunks, don't bulk-retrieve
 
-Search results carry a compact \`navigation\` crumb (parentDoc, prev/next, chunkTitle). For adjacent/sibling/hierarchical context use \`mcp__moflo__memory_get_neighbors\`; for full chunk content use \`mcp__moflo__memory_retrieve\`; \`Read\` the source doc only via \`parentPath\` when truly needed. Full protocol: \`.claude/guidance/moflo-memory-protocol.md\`.
+Search results carry a compact \`navigation\` crumb (parentDoc, prev/next, chunkTitle). For adjacent/sibling/hierarchical context use \`mcp__moflo__memory_get_neighbors\`; for full chunk content use \`mcp__moflo__memory_retrieve\`; \`Read\` the source doc only via \`parentPath\` when truly needed. Full protocol + worked examples per namespace: \`.claude/guidance/moflo-memory-protocol.md\`.
 
 ### Auto-enforced gates
 
@@ -48,6 +48,10 @@ Prefer MCP (\`mcp__moflo__*\` — memory, swarm, agent, task, hooks, hive-mind,
 
 After \`npm install\` touches moflo, check \`.moflo/restart-pending.json\` — if present, surface its \`message\` field to the user verbatim, then delete the file. (Claude Code only loads new hooks/MCP/launcher at session start.)
 
+### Monorepos
+
+Moflo state lives at the monorepo root \`.moflo/\` — never run \`flo init\` inside a sub-workspace of an existing moflo project, or the MCP server and CLI silently bind to different daemons (issue #1174).
+
 ### Full Reference
 
 - Universal agent rules (memory protocol, git/PR conventions, file org, build/test): \`.claude/guidance/moflo-agent-rules.md\`

package/dist/src/cli/init/helpers-generator.js

@@ -276,11 +276,28 @@ var config = loadGateConfig();
 var command = process.argv[2];
 
 var EXEMPT = ['.claude/', '.claude\\\\', 'CLAUDE.md', 'MEMORY.md', 'workflow-state', 'node_modules', 'moflo.yaml'];
-var DANGEROUS = ['rm -rf /', 'format c:', 'del /s /q c:\\\\', ':(){:|:&};:', 'mkfs.', '> /dev/sda'];
+// #1171 — DANGEROUS gained PS additions to match the matcher widening that now
+// routes the PowerShell tool through check-dangerous-command. See bin/gate.cjs.
+var DANGEROUS = ['rm -rf /', 'format c:', 'del /s /q c:\\\\', ':(){:|:&};:', 'mkfs.', '> /dev/sda', 'remove-item -recurse -force c:\\\\', 'remove-item -recurse -force /', 'remove-item -recurse -force ~', 'format-volume', 'clear-disk'];
 // #1132 — Bash memory-first gate regexes. See bin/gate.cjs for documentation.
+// #1171 — READ_LIKE extended with PS-native exploration forms (Get-ChildItem -Recurse,
+// dir /s, Format-Hex). Plain Get-ChildItem stays uncovered (ls-equivalent).
 var CREDIT_MEMORY_SEARCH_RE = /semantic-search|memory search|memory retrieve|memory-search/;
-var READ_LIKE_BASH_RE = /^\\s*(?:cat|head|tail|less|more|bat|xxd|od|hexdump)\\b|^\\s*(?:grep|rg|ag|fgrep|egrep|find|fd)\\b|^\\s*sed\\s+-n\\b|^\\s*awk\\s+(?!.*<<)|^\\s*type\\s+\\S*[\\\\/.]|^\\s*(?:Get-Content|gc|Select-String|sls)\\b/i;
+var READ_LIKE_BASH_RE = /^\\s*(?:cat|head|tail|less|more|bat|xxd|od|hexdump)\\b|^\\s*(?:grep|rg|ag|fgrep|egrep|find|fd)\\b|^\\s*sed\\s+-n\\b|^\\s*awk\\s+(?!.*<<)|^\\s*type\\s+\\S*[\\\\/.]|^\\s*(?:Get-Content|gc|Select-String|sls)\\b|^\\s*(?:Get-ChildItem|gci)\\b[^|]*-Recurse\\b|^\\s*dir\\b[^|]*\\s\\/[sS]\\b|^\\s*Format-Hex\\b/i;
 var BASH_CARVE_OUT_RE = /^\\s*(npm|npx|pnpm|yarn|bun|node|deno|tsx|ts-node)\\s|^\\s*(git|gh|hub)\\s|^\\s*(docker|kubectl|helm|terraform)\\s|^\\s*(curl|wget|http|fetch)\\s|^\\s*(jq|yq|xq)\\s|^\\s*(echo|printf|true|false|sleep|test|\\[)\\s|^\\s*cat\\s+(<<|<<<)|^\\s*cat\\s+[^|]*\\s*>|^\\s*tee\\b|^\\s*find\\s+.+?-(delete|exec\\s+rm)\\b/;
+// #1171 follow-up — strip quoted bodies + heredocs before DANGEROUS substring
+// match so git commit messages with dangerous-shaped text in quoted bodies do
+// not trip the gate. See bin/gate.cjs for the full rationale. Command-sub
+// bodies are intentionally not stripped (those execute).
+function stripQuotedAndHeredocs(cmd) {
+  var out = cmd;
+  out = out.replace(/<<-?\\s*['"]?[\\w-]+['"]?[\\s\\S]*$/, '');
+  out = out.replace(/<<<\\s*\\S+/g, '');
+  out = out.replace(/'[^']*'/g, "''");
+  out = out.replace(/"(?:[^"\\\\]|\\\\.)*"/g, '""');
+  return out;
+}
+
 var DIRECTIVE_RE = /^(yes|no|yeah|yep|nope|sure|ok|okay|correct|right|exactly|perfect)\\b/i;
 var TASK_RE = /\\b(fix|bug|error|implement|add|create|build|write|refactor|debug|test|feature|issue|security|optimi)\\b/i;
 
@@ -585,7 +602,10 @@ switch (command) {
     process.exit(2);
   }
   case 'check-dangerous-command': {
-    var cmd = (process.env.TOOL_INPUT_command || '').toLowerCase();
+    // #1171 follow-up — strip quoted bodies + heredocs before substring match.
+    // See bin/gate.cjs for full rationale.
+    var raw = process.env.TOOL_INPUT_command || '';
+    var cmd = stripQuotedAndHeredocs(raw).toLowerCase();
     for (var i = 0; i < DANGEROUS.length; i++) {
       if (cmd.indexOf(DANGEROUS[i]) >= 0) {
         console.log('[BLOCKED] Dangerous command: ' + DANGEROUS[i]);

package/dist/src/cli/init/moflo-init.js

@@ -219,7 +219,8 @@ function generateHooks(root, force, answers) {
                 "hooks": [{ "type": "command", "command": gateHook('check-before-read'), "timeout": 3000 }]
             },
             {
-                "matcher": "^Bash$",
+                // #1171 — widened to cover the dedicated `PowerShell` tool.
+                "matcher": "^(Bash|PowerShell)$",
                 "hooks": [
                     { "type": "command", "command": gateHook('check-dangerous-command'), "timeout": 2000 },
                     { "type": "command", "command": gateHook('check-before-pr'), "timeout": 2000 }
@@ -253,7 +254,8 @@ function generateHooks(root, force, answers) {
                 "hooks": [{ "type": "command", "command": gate('record-task-created'), "timeout": 2000 }]
             },
             {
-                "matcher": "^Bash$",
+                // #1171 — widened to cover the dedicated `PowerShell` tool.
+                "matcher": "^(Bash|PowerShell)$",
                 "hooks": [
                     { "type": "command", "command": gateHook('check-bash-memory'), "timeout": 2000 },
                     { "type": "command", "command": gateHook('record-test-run'), "timeout": 2000 }

package/dist/src/cli/init/settings-generator.js

@@ -229,12 +229,16 @@ function generateHooksConfig(config) {
                 hooks: [{ type: 'command', command: gateHookCmd('check-before-read'), timeout: 3000 }],
             },
             {
-                matcher: '^Bash$',
+                // #1171 — widened from `^Bash$` to also cover the dedicated `PowerShell`
+                // tool that Claude Code exposes on Windows. Without this, PS-tool calls
+                // route around every Bash-anchored gate (dangerous-command, pr, memory).
+                matcher: '^(Bash|PowerShell)$',
                 hooks: [
                     { type: 'command', command: gateHookCmd('check-dangerous-command'), timeout: 2000 },
                     { type: 'command', command: gateHookCmd('check-before-pr'), timeout: 2000 },
                     // #1132 — moved from PostToolUse so process.exit(2) actually blocks
-                    // read-like Bash that bypasses the Read/Glob/Grep gates via the shell.
+                    // read-like shell commands that bypass the Read/Glob/Grep gates.
+                    // Name kept for backwards compat; covers PowerShell readers too.
                     { type: 'command', command: gateHookCmd('check-bash-memory'), timeout: 2000 },
                 ],
             },
@@ -273,7 +277,9 @@ function generateHooksConfig(config) {
                 hooks: [{ type: 'command', command: gateCmd('record-task-created'), timeout: 2000 }],
             },
             {
-                matcher: '^Bash$',
+                // #1171 — widened to cover the `PowerShell` tool so PS-invoked
+                // `npm test` / `pytest` etc. credit the testing gate the same as Bash.
+                matcher: '^(Bash|PowerShell)$',
                 hooks: [
                     // #1132 — check-bash-memory moved to PreToolUse (above).
                     { type: 'command', command: gateHookCmd('record-test-run'), timeout: 2000 },