moflo 4.10.5 → 4.10.6

package/bin/gate.cjs

@@ -82,6 +82,53 @@ var command = process.argv[2];
 
 var EXEMPT = ['.claude/', '.claude\\', 'CLAUDE.md', 'MEMORY.md', 'workflow-state', 'node_modules', 'moflo.yaml'];
 var DANGEROUS = ['rm -rf /', 'format c:', 'del /s /q c:\\', ':(){:|:&};:', 'mkfs.', '> /dev/sda'];
+
+// #1132 — Bash memory-first gate.
+//
+// CREDIT: the legacy detector that marks the gate satisfied when Claude
+// manually invokes a memory-search CLI (flo-search, the moflo MCP search via
+// shell, etc.). Preserved verbatim from the pre-#1132 behaviour so existing
+// recipes keep crediting the gate.
+var CREDIT_MEMORY_SEARCH_RE = /semantic-search|memory search|memory retrieve|memory-search/;
+// BLOCK: read-like Bash commands that bypass the existing check-before-read /
+// check-before-scan gates by going through the shell. Anchored to the start of
+// the line so subcommands inside pipelines or `npm install grep` don't trip.
+// Covers POSIX read/search tools, Windows cmd `type`, and PowerShell readers.
+var READ_LIKE_BASH_RE = new RegExp([
+  '^\\s*(?:cat|head|tail|less|more|bat|xxd|od|hexdump)\\b',
+  '^\\s*(?:grep|rg|ag|fgrep|egrep|find|fd)\\b',
+  '^\\s*sed\\s+-n\\b',
+  '^\\s*awk\\s+(?!.*<<)',
+  // `type <path>` on Windows. No `$` anchor so a piped form
+  // (`type src\foo.ts | grep x`) still matches and gets blocked. The argument
+  // must contain a slash, backslash, or dot — otherwise it's the shell-builtin
+  // command-lookup form (`type ls`, `type cd`) which the gate has no business
+  // blocking. False-negative trade: extension-less filenames like `type Makefile`
+  // pass through. Acceptable — source files all have extensions, and the
+  // primary risk pattern is leaking past the gate via `type src\foo.ts`.
+  '^\\s*type\\s+\\S*[\\\\/.]',
+  '^\\s*(?:Get-Content|gc|Select-String|sls)\\b',
+].join('|'), 'i');
+// CARVE-OUT: commands that LOOK read-like but are operational. Anchored to the
+// LEADING command — the pipe-filter case (`npm test | grep FAIL`) is already
+// handled by READ_LIKE's `^\s*` anchor never matching the leading `npm`, so
+// there is intentionally no pipe arm here: catching the leading command lets
+// `grep -r TODO src/ | head -5` reach the BLOCK exit (which it must, that's
+// the gap the ticket exists to close). #1132.
+var BASH_CARVE_OUT_RE = new RegExp([
+  '^\\s*(npm|npx|pnpm|yarn|bun|node|deno|tsx|ts-node)\\s',
+  '^\\s*(git|gh|hub)\\s',
+  '^\\s*(docker|kubectl|helm|terraform)\\s',
+  '^\\s*(curl|wget|http|fetch)\\s',
+  '^\\s*(jq|yq|xq)\\s',
+  '^\\s*(echo|printf|true|false|sleep|test|\\[)\\s',
+  '^\\s*cat\\s+(<<|<<<)',
+  '^\\s*cat\\s+[^|]*\\s*>',
+  '^\\s*tee\\b',
+  // Lazy `.+?` instead of `.+\s` to avoid catastrophic backtracking on long
+  // `find` commands that lack a `-delete` / `-exec rm` suffix.
+  '^\\s*find\\s+.+?-(delete|exec\\s+rm)\\b',
+].join('|'));
 var DIRECTIVE_RE = /^(yes|no|yeah|yep|nope|sure|ok|okay|correct|right|exactly|perfect)\b/i;
 var TASK_RE = /\b(fix|bug|error|implement|add|create|build|write|refactor|debug|test|feature|issue|security|optimi)\b/i;
 
@@ -146,6 +193,29 @@ function classifyNamespaceHint(promptText) {
   return '';
 }
 
+// #1132 — command-shape namespace classifier for the bash-BLOCK message.
+// Used when the prompt-derived `lastNamespaceHint` is empty (e.g. subagents,
+// which never see the user prompt) so the block message still routes to a
+// useful namespace rather than the generic "pick one of five" list. Returns a
+// full sentence in the same shape as classifyNamespaceHint so the BLOCK arm
+// can write either source's hint without branching on format.
+//
+// SYNC: duplicated verbatim in src/cli/init/helpers-generator.ts.
+function classifyBashNamespaceHint(cmd) {
+  // Search-like tools — the user is hunting for a symbol/file, code-map wins.
+  if (/^\s*(?:grep|rg|ag|fgrep|egrep|find|fd|Select-String|sls)\b/i.test(cmd)) {
+    return 'Memory namespace hint: use "code-map" for codebase navigation.';
+  }
+  // Reading a .md / RST / TXT, or a well-known doc file — guidance/learnings win.
+  // `.*` (not `\S*`) so flag-prefixed forms like `head -50 README.md` match.
+  // Anchored on the leading reader so a piped `cmd | grep foo.md` doesn't trip.
+  if (/^\s*(?:cat|head|tail|less|more|bat|type|Get-Content|gc)\b.*\.(?:md|mdx|rst|txt)\b/i.test(cmd)
+   || /^\s*(?:cat|head|tail|less|more|bat|type|Get-Content|gc)\b.*\b(?:README|CLAUDE|CHANGELOG|CONTRIBUTING|LICENSE)\b/i.test(cmd)) {
+    return 'Memory namespace hint: search "guidance" and "learnings" for project rules and decisions.';
+  }
+  return '';
+}
+
 // Apply per-prompt state reset shared by `prompt-reminder` (full) and
 // `prompt-state-reset` (defensive safety-net, no emission). Idempotent — both
 // UserPromptSubmit hooks can run it without compounding any field. Caller
@@ -402,11 +472,41 @@ switch (command) {
     break;
   }
   case 'check-bash-memory': {
+    // #1132 — preserve CREDIT side-effect AND add a BLOCK arm for read-like
+    // Bash commands. Wired as PreToolUse[Bash] (was PostToolUse before #1132)
+    // so process.exit(2) actually prevents the read from reaching the shell.
     var cmd = process.env.TOOL_INPUT_command || '';
-    if (/semantic-search|memory search|memory retrieve|memory-search/.test(cmd)) {
+
+    // 1) CREDIT — preserved behavior. A real memory-search invocation flips
+    // the gate flag so subsequent Read/Grep/Glob within this prompt pass.
+    if (CREDIT_MEMORY_SEARCH_RE.test(cmd)) {
       var s = readState();
       if (markMemorySearched(s)) writeState(s);
+      break;
     }
+
+    // 2) BLOCK — new behavior. Cheap regex checks come BEFORE readState() so
+    // the overwhelming majority of Bash invocations (git/npm/curl/echo/etc.)
+    // never touch the filesystem. Order: config flag → command-shape regexes
+    // → state read → memory gate.
+    if (!config.memory_first) break;
+    if (!READ_LIKE_BASH_RE.test(cmd)) break;
+    if (BASH_CARVE_OUT_RE.test(cmd)) break;
+    var s2 = readState();
+    if (!s2.memoryRequired || isMemorySearchedFor(s2)) break;
+    // Hint precedence: prompt-derived classification (set by applyPromptStateReset
+    // from the user prompt text) → command-shape classification (works for
+    // subagents that never saw the user prompt). Either source returns a full
+    // "Memory namespace hint: ..." sentence so the BLOCK message stays uniform.
+    var hint = s2.lastNamespaceHint || classifyBashNamespaceHint(cmd) || '';
+    process.stderr.write(
+      'BLOCKED: Search memory before reading files via Bash.\n' +
+      'Example: mcp__moflo__memory_search { query: "<topic>", namespace: "<one of: guidance | code-map | patterns | learnings | tests>" }\n' +
+      (hint ? hint + '\n' : '') +
+      'On chunk hits, traverse via mcp__moflo__memory_get_neighbors — see .claude/guidance/moflo-memory-protocol.md\n' +
+      'Disable per-gate via moflo.yaml: gates: memory_first: false\n'
+    );
+    process.exit(2);
     break;
   }
   case 'check-task-transition': {

package/bin/session-start-launcher.mjs

@@ -1053,12 +1053,14 @@ try {
       // prune when the consumer's file matches a known-shipped hash —
       // customized files (different hash) get preserved with a one-line
       // notice the user can act on.
+      let prunedRetiredPaths = new Set();
       try {
         const retiredManifestPath = resolve(
           projectRoot,
           'node_modules/moflo/retired-files.json',
         );
         const report = applyRetiredPrune(projectRoot, retiredManifestPath);
+        prunedRetiredPaths = new Set(report.pruned);
         if (report.pruned.length > 0) {
           emitMutation(
             'pruned retired shipped files',
@@ -1110,10 +1112,23 @@ try {
 
       // Manifest reflects synced files immediately; version stamp is deferred
       // to 3g so an aborted launcher re-runs upgrade detection (#730).
+      //
+      // Exclude paths that `applyRetiredPrune` just deleted from disk —
+      // recording a non-existent file in `installed-files.json` triggers
+      // false drift detection on the next launcher run (`manifestDrifted`
+      // flips true because the recorded path doesn't exist), which spuriously
+      // re-fires the cherry-pick + manifest-sync pipeline. Widening
+      // `retired-files.json`'s hash window in #1133 exposed this — more
+      // legitimate matches → more pruned files → guaranteed false drift on
+      // the next launcher and re-imported legacy rows (knowledge namespace
+      // came back even though the migration deleted it).
+      const persistedManifest = prunedRetiredPaths.size > 0
+        ? currentManifest.filter((e) => !prunedRetiredPaths.has(e.path))
+        : currentManifest;
       try {
         const cfDir = resolve(projectRoot, '.moflo');
         if (!existsSync(cfDir)) mkdirSync(cfDir, { recursive: true });
-        writeFileSync(manifestPath, JSON.stringify(currentManifest, null, 2));
+        writeFileSync(manifestPath, JSON.stringify(persistedManifest, null, 2));
         pendingVersionStampWrite = { path: versionStampPath, version: installedVersion };
       } catch (err) {
         // #854: manifest write must surface — without it the next launcher

package/dist/src/cli/commands/daemon.js

@@ -472,7 +472,7 @@ export async function killBackgroundDaemon(projectRoot) {
     try {
         // Platform-split shutdown. On Linux/macOS we try SIGTERM first so the
         // daemon's shutdown handlers (sql.js flush, lock release) can run; force-
-        // kill only if it doesn't exit within ~1s.
+        // kill only if it doesn't exit within the graceful window.
         //
         // On Windows there is no SIGTERM equivalent for our headless detached
         // Node daemon — `taskkill /PID` (no /F) sends a window-close message
@@ -481,25 +481,46 @@ export async function killBackgroundDaemon(projectRoot) {
         // implementation invoked it anyway, ate the error in a bare catch, then
         // slept 1s before escalating to /F. Skip the dead step: go straight to
         // /F /T (tree-kill, in case a worker child outlived its parent) on Win.
+        //
+        // #1136: previously this used `setTimeout(1000)` after SIGTERM and
+        // skipped post-SIGKILL verification. Under load on a populated DB the
+        // daemon's shutdown handler (worker-daemon.ts:582 → scheduler.stop +
+        // saveState) can exceed 1s — SIGKILL hit mid-sql.js-dump and left
+        // torn pages in `.moflo/moflo.db` (the page-ref / rowid-order
+        // signature seen in the populated-consumer smoke). Bring the kill
+        // window in line with the launcher's stopDaemon
+        // (bin/session-start-launcher.mjs:425): 3s graceful poll + 1s force
+        // poll, both verifying liveness before returning.
         if (process.platform === 'win32') {
             try {
                 execFileSync('taskkill', ['/F', '/T', '/PID', String(holderPid)], { windowsHide: true });
             }
             catch {
-                // Already exiting / unreachable — process.kill(pid, 0) below verifies.
+                // Already exiting / unreachable — verified via poll below.
+            }
+            const forceDeadline = Date.now() + 1000;
+            while (Date.now() < forceDeadline && isProcessRunning(holderPid)) {
+                await new Promise(resolve => setTimeout(resolve, 100));
             }
         }
         else {
-            process.kill(holderPid, 'SIGTERM');
-            // Wait briefly so SIGTERM has a chance to land before checking liveness.
-            await new Promise(resolve => setTimeout(resolve, 1000));
             try {
-                process.kill(holderPid, 0);
-                // Still alive — force kill.
-                process.kill(holderPid, 'SIGKILL');
+                process.kill(holderPid, 'SIGTERM');
             }
-            catch {
-                // Process terminated
+            catch { /* already dead */ }
+            const gracefulDeadline = Date.now() + 3000;
+            while (Date.now() < gracefulDeadline && isProcessRunning(holderPid)) {
+                await new Promise(resolve => setTimeout(resolve, 100));
+            }
+            if (isProcessRunning(holderPid)) {
+                try {
+                    process.kill(holderPid, 'SIGKILL');
+                }
+                catch { /* already dead */ }
+                const forceDeadline = Date.now() + 1000;
+                while (Date.now() < forceDeadline && isProcessRunning(holderPid)) {
+                    await new Promise(resolve => setTimeout(resolve, 100));
+                }
             }
         }
         // Release lock

package/dist/src/cli/commands/retire.js

@@ -42,7 +42,7 @@ function findMofloRepoRoot(start) {
 }
 export const retireCommand = {
     name: 'retire',
-    description: 'Record a retired shipped file in retired-files.json (moflo dev only) — usage: flo retire <path> [--retired-by #nnn]',
+    description: 'Record a retired shipped file in retired-files.json (moflo dev only) — usage: flo retire <path> [--retired-by #nnn] | flo retire --rebuild-hashes',
     hidden: true,
     options: [
         {
@@ -56,15 +56,16 @@ export const retireCommand = {
             type: 'string',
         },
         {
-            name: 'hashes',
-            description: 'Maximum number of historical content hashes to record (default 3)',
-            type: 'number',
-            default: 3,
+            name: 'rebuild-hashes',
+            description: 'Recompute knownContentHashes[] for every existing entry from full git history (#1133 backfill)',
+            type: 'boolean',
+            default: false,
         },
     ],
     examples: [
         { command: 'flo retire .claude/agents/v3/performance-engineer.md --retired-by #932', description: 'Record a retirement' },
         { command: 'flo retire .claude/skills/skill-builder/SKILL.md --retired-by #945 --retired-in 4.9.21', description: 'Pin retiredIn' },
+        { command: 'flo retire --rebuild-hashes', description: 'Backfill every entry from full git history' },
     ],
     action: async (ctx) => {
         const repoRoot = findMofloRepoRoot(__filename) || findMofloRepoRoot(ctx.cwd);
@@ -73,11 +74,6 @@ export const retireCommand = {
             output.printInfo('retired-files.json lives at the moflo package root and does not ship to consumer projects');
             return { success: false, message: 'not in moflo repo', exitCode: 1 };
         }
-        const path = ctx.args[0];
-        if (!path) {
-            output.printError('Missing required argument: <path>');
-            return { success: false, message: 'missing path', exitCode: 2 };
-        }
         const scriptPath = resolve(repoRoot, 'scripts', 'build-retired-files.mjs');
         if (!existsSync(scriptPath)) {
             output.printError(`scripts/build-retired-files.mjs not found at ${scriptPath}`);
@@ -86,13 +82,22 @@ export const retireCommand = {
         // Parser normalises kebab-case flag names to camelCase before storing
         // (#787). Read as ctx.flags.<camelCase> — bracket-with-kebab is always
         // undefined and ESLint blocks that pattern.
-        const args = ['--add', path];
-        if (ctx.flags.retiredBy)
-            args.push('--retired-by', String(ctx.flags.retiredBy));
-        if (ctx.flags.retiredIn)
-            args.push('--retired-in', String(ctx.flags.retiredIn));
-        if (ctx.flags.hashes)
-            args.push('--hashes', String(ctx.flags.hashes));
+        let args;
+        if (ctx.flags.rebuildHashes) {
+            args = ['--rebuild-hashes'];
+        }
+        else {
+            const path = ctx.args[0];
+            if (!path) {
+                output.printError('Missing required argument: <path> (or pass --rebuild-hashes)');
+                return { success: false, message: 'missing path', exitCode: 2 };
+            }
+            args = ['--add', path];
+            if (ctx.flags.retiredBy)
+                args.push('--retired-by', String(ctx.flags.retiredBy));
+            if (ctx.flags.retiredIn)
+                args.push('--retired-in', String(ctx.flags.retiredIn));
+        }
         const result = spawnSync('node', [scriptPath, ...args], {
             cwd: repoRoot,
             stdio: 'inherit',

package/dist/src/cli/init/helpers-generator.js

@@ -277,6 +277,10 @@ var command = process.argv[2];
 
 var EXEMPT = ['.claude/', '.claude\\\\', 'CLAUDE.md', 'MEMORY.md', 'workflow-state', 'node_modules', 'moflo.yaml'];
 var DANGEROUS = ['rm -rf /', 'format c:', 'del /s /q c:\\\\', ':(){:|:&};:', 'mkfs.', '> /dev/sda'];
+// #1132 — Bash memory-first gate regexes. See bin/gate.cjs for documentation.
+var CREDIT_MEMORY_SEARCH_RE = /semantic-search|memory search|memory retrieve|memory-search/;
+var READ_LIKE_BASH_RE = /^\\s*(?:cat|head|tail|less|more|bat|xxd|od|hexdump)\\b|^\\s*(?:grep|rg|ag|fgrep|egrep|find|fd)\\b|^\\s*sed\\s+-n\\b|^\\s*awk\\s+(?!.*<<)|^\\s*type\\s+\\S*[\\\\/.]|^\\s*(?:Get-Content|gc|Select-String|sls)\\b/i;
+var BASH_CARVE_OUT_RE = /^\\s*(npm|npx|pnpm|yarn|bun|node|deno|tsx|ts-node)\\s|^\\s*(git|gh|hub)\\s|^\\s*(docker|kubectl|helm|terraform)\\s|^\\s*(curl|wget|http|fetch)\\s|^\\s*(jq|yq|xq)\\s|^\\s*(echo|printf|true|false|sleep|test|\\[)\\s|^\\s*cat\\s+(<<|<<<)|^\\s*cat\\s+[^|]*\\s*>|^\\s*tee\\b|^\\s*find\\s+.+?-(delete|exec\\s+rm)\\b/;
 var DIRECTIVE_RE = /^(yes|no|yeah|yep|nope|sure|ok|okay|correct|right|exactly|perfect)\\b/i;
 var TASK_RE = /\\b(fix|bug|error|implement|add|create|build|write|refactor|debug|test|feature|issue|security|optimi)\\b/i;
 
@@ -340,6 +344,19 @@ function classifyNamespaceHint(promptText) {
   return '';
 }
 
+// #1132 — command-shape namespace classifier for the bash-BLOCK message.
+// SYNC: duplicated verbatim in bin/gate.cjs. See that file for rationale.
+function classifyBashNamespaceHint(cmd) {
+  if (/^\\s*(?:grep|rg|ag|fgrep|egrep|find|fd|Select-String|sls)\\b/i.test(cmd)) {
+    return 'Memory namespace hint: use "code-map" for codebase navigation.';
+  }
+  if (/^\\s*(?:cat|head|tail|less|more|bat|type|Get-Content|gc)\\b.*\\.(?:md|mdx|rst|txt)\\b/i.test(cmd)
+   || /^\\s*(?:cat|head|tail|less|more|bat|type|Get-Content|gc)\\b.*\\b(?:README|CLAUDE|CHANGELOG|CONTRIBUTING|LICENSE)\\b/i.test(cmd)) {
+    return 'Memory namespace hint: search "guidance" and "learnings" for project rules and decisions.';
+  }
+  return '';
+}
+
 function applyPromptStateReset(state, promptText) {
   state.memorySearched = false;
   state.memorySearchedBy = {};
@@ -467,11 +484,29 @@ switch (command) {
     break;
   }
   case 'check-bash-memory': {
+    // #1132 — credit + block. See bin/gate.cjs for full documentation.
     var cmd = process.env.TOOL_INPUT_command || '';
-    if (/semantic-search|memory search|memory retrieve|memory-search/.test(cmd)) {
+    if (CREDIT_MEMORY_SEARCH_RE.test(cmd)) {
       var s = readState();
       if (markMemorySearched(s)) writeState(s);
+      break;
     }
+    if (!config.memory_first) break;
+    if (!READ_LIKE_BASH_RE.test(cmd)) break;
+    if (BASH_CARVE_OUT_RE.test(cmd)) break;
+    var s2 = readState();
+    if (!s2.memoryRequired || isMemorySearchedFor(s2)) break;
+    // Hint precedence: prompt classification → command-shape classification.
+    // See bin/gate.cjs check-bash-memory for full rationale.
+    var hint = s2.lastNamespaceHint || classifyBashNamespaceHint(cmd) || '';
+    process.stderr.write(
+      'BLOCKED: Search memory before reading files via Bash.\\n' +
+      'Example: mcp__moflo__memory_search { query: "<topic>", namespace: "<one of: guidance | code-map | patterns | learnings | tests>" }\\n' +
+      (hint ? hint + '\\n' : '') +
+      'On chunk hits, traverse via mcp__moflo__memory_get_neighbors — see .claude/guidance/moflo-memory-protocol.md\\n' +
+      'Disable per-gate via moflo.yaml: gates: memory_first: false\\n'
+    );
+    process.exit(2);
     break;
   }
   case 'check-task-transition': {

package/dist/src/cli/init/settings-generator.js

@@ -233,6 +233,9 @@ function generateHooksConfig(config) {
                 hooks: [
                     { type: 'command', command: gateHookCmd('check-dangerous-command'), timeout: 2000 },
                     { type: 'command', command: gateHookCmd('check-before-pr'), timeout: 2000 },
+                    // #1132 — moved from PostToolUse so process.exit(2) actually blocks
+                    // read-like Bash that bypasses the Read/Glob/Grep gates via the shell.
+                    { type: 'command', command: gateHookCmd('check-bash-memory'), timeout: 2000 },
                 ],
             },
             // #931 — TaskCreate REMINDER + namespace hint moved here from
@@ -272,7 +275,7 @@ function generateHooksConfig(config) {
             {
                 matcher: '^Bash$',
                 hooks: [
-                    { type: 'command', command: gateHookCmd('check-bash-memory'), timeout: 2000 },
+                    // #1132 — check-bash-memory moved to PreToolUse (above).
                     { type: 'command', command: gateHookCmd('record-test-run'), timeout: 2000 },
                 ],
             },

package/dist/src/cli/services/hook-block-hash.js

@@ -57,7 +57,12 @@ export function getReferenceHookBlock() {
             { matcher: '^Read$', hooks: [gateHook('check-before-read', 3000)] },
             {
                 matcher: '^Bash$',
-                hooks: [gateHook('check-dangerous-command', 2000), gateHook('check-before-pr', 2000)],
+                hooks: [
+                    gateHook('check-dangerous-command', 2000),
+                    gateHook('check-before-pr', 2000),
+                    // #1132 — moved from PostToolUse so process.exit(2) actually blocks.
+                    gateHook('check-bash-memory', 2000),
+                ],
             },
             // #931 — TaskCreate REMINDER + namespace hint advisory at Agent-spawn time.
             // Routed via gate-hook.mjs so HOOK_SESSION_ID is forwarded for per-actor
@@ -72,8 +77,9 @@ export function getReferenceHookBlock() {
             { matcher: '^Agent$', hooks: [handler('post-task', 5000)] },
             { matcher: '^TaskCreate$', hooks: [gateCjs('record-task-created', 2000)] },
             {
+                // #1132 — check-bash-memory moved to PreToolUse (above).
                 matcher: '^Bash$',
-                hooks: [gateHook('check-bash-memory', 2000), gateHook('record-test-run', 2000)],
+                hooks: [gateHook('record-test-run', 2000)],
             },
             { matcher: '^Skill$', hooks: [gateHook('record-skill-run', 2000)] },
             { matcher: '^mcp__moflo__memory_(search|retrieve|list|stats|store)$', hooks: [gateHook('record-memory-searched', 3000)] },

package/dist/src/cli/services/subagent-bootstrap.js

@@ -21,7 +21,7 @@ const BOOTSTRAP_JSON_REL = '.claude/helpers/subagent-bootstrap.json';
 // Defense-in-depth copy of the canonical directive in subagent-bootstrap.json.
 // Kept as a single-line literal so the parity test can verify it matches the
 // JSON via plain substring containment.
-const FALLBACK_DIRECTIVE = 'MANDATORY FIRST ACTION: Your very first tool call MUST be mcp__moflo__memory_search (any query, any namespace). The memory-first gate WILL BLOCK all Glob, Grep, and Read calls until you do this. After memory search, follow `.claude/guidance/moflo-subagents.md` protocol. When a search hit carries `navigation`, you MUST call mcp__moflo__memory_get_neighbors to traverse — calling mcp__moflo__memory_retrieve on every hit is a protocol violation. See `.claude/guidance/moflo-memory-protocol.md`.';
+const FALLBACK_DIRECTIVE = 'MANDATORY FIRST ACTION: Your very first tool call MUST be mcp__moflo__memory_search (any query, any namespace). The memory-first gate WILL BLOCK all Glob, Grep, Read, and read-like Bash (cat/head/tail/grep/find/sed/awk and the Windows/PowerShell equivalents) calls until you do this. Pick the namespace by task: `guidance` for rules and conventions, `code-map` for file structure, `patterns` for proven solutions, `learnings` for past corrections, `tests` for test inventory. After memory search, follow `.claude/guidance/moflo-subagents.md` protocol. When a search hit carries `navigation`, you MUST call mcp__moflo__memory_get_neighbors to traverse — calling mcp__moflo__memory_retrieve on every hit is a protocol violation. See `.claude/guidance/moflo-memory-protocol.md`.';
 function loadDirective() {
     const jsonPath = locateMofloRootPath(BOOTSTRAP_JSON_REL);
     if (!jsonPath) {

package/dist/src/cli/version.js

@@ -2,5 +2,5 @@
  * Auto-generated by build. Do not edit manually.
  * Source of truth: root package.json → scripts/sync-version.mjs
  */
-export const VERSION = '4.10.5';
+export const VERSION = '4.10.6';
 //# sourceMappingURL=version.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "moflo",
-  "version": "4.10.5",
+  "version": "4.10.6",
   "description": "MoFlo — AI agent orchestration for Claude Code. A standalone, opinionated toolkit with semantic memory, learned routing, gates, spells, and the /flo issue-execution skill.",
   "main": "dist/src/cli/index.js",
   "type": "module",
@@ -95,7 +95,7 @@
     "@typescript-eslint/eslint-plugin": "^7.18.0",
     "@typescript-eslint/parser": "^7.18.0",
     "eslint": "^8.0.0",
-    "moflo": "^4.10.4",
+    "moflo": "^4.10.5",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
     "vitest": "^4.0.0"