nubos-pilot 0.9.3 → 0.9.5

package/bin/np-tools/commit-task.cjs

@@ -9,6 +9,58 @@ const git = require('../../lib/git.cjs');
 const { commitTask, findCommitByTaskId } = git;
 const { deleteCheckpoint, readCheckpoint } = require('../../lib/checkpoint.cjs');
 
+const BYPASS_FLAG = '--bypass-nubosloop';
+
+// Evidence-based gate: a complete Nubosloop run accumulates fields on the
+// checkpoint envelope (cache_hit from preflight, verify_exit_code from
+// post-executor, findings from post-critics, committed_at from commit). A
+// gamed run that only invokes `loop-run-round --phase commit` directly leaves
+// verify_exit_code and findings undefined. Checking last_phase alone is not
+// enough — we require the cumulative signature.
+function _assertLoopGate(taskId, cwd, bypass, stderr) {
+  const cp = readCheckpoint(taskId, cwd);
+  const np = (cp && cp.nubosloop) || null;
+  const last = np && np.last_phase;
+  const checks = [
+    { ok: !!cp,                              reason: 'no-checkpoint',                missing: 'checkpoint',         observed: 'no-checkpoint' },
+    { ok: last === 'commit',                 reason: 'last-phase-mismatch',          missing: 'last_phase=commit',  observed: last || 'none' },
+    { ok: np && np.verify_exit_code === 0,   reason: 'post-executor-not-green',      missing: 'verify_exit_code=0', observed: np && np.verify_exit_code !== undefined ? String(np.verify_exit_code) : 'undefined' },
+    { ok: np && Array.isArray(np.findings),  reason: 'post-critics-missing',         missing: 'findings (array)',   observed: np && np.findings !== undefined ? JSON.stringify(np.findings).slice(0, 60) : 'undefined' },
+    { ok: np && !!np.committed_at,           reason: 'commit-phase-not-stamped',     missing: 'committed_at',       observed: (np && np.committed_at) || 'undefined' },
+  ];
+  const failed = checks.find((c) => !c.ok);
+  if (!failed) {
+    return { bypassed: false, last_phase: last, forced_commit_phase: !!(np && np.forced_commit_phase) };
+  }
+  if (bypass) {
+    stderr.write(
+      '[nubos-pilot] WARNING: commit-task ' + taskId +
+      ' bypassing Nubosloop gate (' + BYPASS_FLAG +
+      '; reason=' + failed.reason + '; missing=' + failed.missing +
+      '; observed=' + failed.observed +
+      '). Single-pass commit, no critic review enforced.\n',
+    );
+    return { bypassed: true, last_phase: last || null, forced_commit_phase: !!(np && np.forced_commit_phase) };
+  }
+  throw new NubosPilotError(
+    'commit-task-loop-bypass-violation',
+    'commit-task refused: Nubosloop sequence incomplete for ' + taskId +
+    ' (reason=' + failed.reason + '; missing=' + failed.missing +
+    '; observed=' + failed.observed + '). ' +
+    'Run the full loop (preflight → post-executor verify-green → post-critics → commit) first, or pass ' + BYPASS_FLAG +
+    ' for an explicit single-pass override.',
+    {
+      taskId,
+      reason: failed.reason,
+      missing: failed.missing,
+      observed_last_phase: last || null,
+      observed_verify_exit_code: np && np.verify_exit_code !== undefined ? np.verify_exit_code : null,
+      observed_findings_is_array: !!(np && Array.isArray(np.findings)),
+      observed_committed_at: (np && np.committed_at) || null,
+    },
+  );
+}
+
 function _resolveTaskFile(taskId, cwd) {
   const parsed = layout.parseTaskFullId(taskId);
   const filePath = layout.taskPlanPath(parsed.milestone, parsed.slice, parsed.task, cwd);
@@ -49,8 +101,11 @@ function run(args, ctx) {
   const context = ctx || {};
   const cwd = context.cwd || process.cwd();
   const stdout = context.stdout || process.stdout;
+  const stderr = context.stderr || process.stderr;
   const list = Array.isArray(args) ? args : [];
-  const taskId = list[0];
+  const bypass = list.includes(BYPASS_FLAG);
+  const positional = list.filter((a) => !String(a).startsWith('--'));
+  const taskId = positional[0];
 
   if (!taskId) {
     throw new NubosPilotError(
@@ -67,6 +122,8 @@ function run(args, ctx) {
     );
   }
 
+  const gate = _assertLoopGate(taskId, cwd, bypass, stderr);
+
   const { filePath } = _resolveTaskFile(taskId, cwd);
   const raw = fs.readFileSync(filePath, 'utf-8');
   const { frontmatter, body } = extractFrontmatter(raw);
@@ -93,7 +150,7 @@ function run(args, ctx) {
   const name = _extractName(frontmatter, body);
   const message = 'task(' + taskId + '): ' + name;
 
-  
+
 
   commitTask(taskId, safeFiles, message);
   const sha = findCommitByTaskId(taskId);
@@ -103,7 +160,15 @@ function run(args, ctx) {
     process.stderr.write('[nubos-pilot warn] setTaskStatus failed for ' + taskId + ': ' + (err && err.message) + '\n');
   }
 
-  const payload = { ok: true, task_id: taskId, sha, files: safeFiles, files_source: filesSource };
+  const payload = {
+    ok: true,
+    task_id: taskId,
+    sha,
+    files: safeFiles,
+    files_source: filesSource,
+    nubosloop_bypassed: gate.bypassed,
+    nubosloop_forced_commit_phase: !!gate.forced_commit_phase,
+  };
   stdout.write(JSON.stringify(payload));
   return payload;
 }

package/bin/np-tools/commit-task.test.cjs

@@ -82,6 +82,37 @@ function _capture() {
   return { stub, get: () => buf };
 }
 
+// Seed a checkpoint that satisfies the full Nubosloop gate (sequence-integrity).
+// A real loop accumulates evidence on the envelope; the gate refuses unless
+// every required marker is present. Tests that exercise game-paths build their
+// own partial fixtures.
+function seedLoopReadyCheckpoint(root, taskId, extra) {
+  const cpPath = path.join(root, '.nubos-pilot', 'checkpoints', taskId + '.json');
+  fs.mkdirSync(path.dirname(cpPath), { recursive: true });
+  const base = {
+    schema_version: 1,
+    task_id: taskId,
+    status: 'pre-commit',
+    files_touched: [],
+    nubosloop: {
+      round: 1,
+      cache_hit: false,
+      last_phase: 'commit',
+      last_action: 'commit',
+      verify_exit_code: 0,
+      findings: [],
+      committed_at: '2026-05-04T12:00:00Z',
+    },
+  };
+  // Allow the test to override individual fields (incl. nubosloop sub-fields).
+  const merged = Object.assign({}, base, extra || {});
+  if (extra && extra.nubosloop) {
+    merged.nubosloop = Object.assign({}, base.nubosloop, extra.nubosloop);
+  }
+  fs.writeFileSync(cpPath, JSON.stringify(merged), 'utf-8');
+  return cpPath;
+}
+
 after(() => {
   while (_repos.length) {
     const r = _repos.pop();
@@ -110,6 +141,7 @@ test('CT-2: commit-task rejects invalid TASK_ID format (defense-in-depth)', () =
 test('CT-3: commit-task emits JSON with sha + files on success', () => {
   const root = makeRepo();
   seedPlanAndTask(root, '06-01', 'M006-S001-T0001', ['src/a.ts']);
+  seedLoopReadyCheckpoint(root, 'M006-S001-T0001');
 
   fs.mkdirSync(path.join(root, 'src'), { recursive: true });
   fs.writeFileSync(path.join(root, 'src', 'a.ts'), 'export const a = 1;\n', 'utf-8');
@@ -126,6 +158,7 @@ test('CT-3: commit-task emits JSON with sha + files on success', () => {
   assert.equal(payload.task_id, 'M006-S001-T0001');
   assert.ok(/^[0-9a-f]{40}$/.test(payload.sha));
   assert.deepEqual(payload.files, ['src/a.ts']);
+  assert.equal(payload.nubosloop_bypassed, false);
 
   const subject = execFileSync('git', ['-C', root, 'log', '-n', '1', '--format=%s'], { encoding: 'utf-8' }).trim();
   assert.ok(subject.startsWith('task(M006-S001-T0001):'), 'subject: ' + subject);
@@ -134,6 +167,7 @@ test('CT-3: commit-task emits JSON with sha + files on success', () => {
 test('CT-4: commit-task LOUD-FAILS when every files_modified entry is gitignored (D-25)', () => {
   const root = makeRepo();
   seedPlanAndTask(root, '06-01', 'M006-S001-T0002', ['build/out.js']);
+  seedLoopReadyCheckpoint(root, 'M006-S001-T0002');
   fs.writeFileSync(path.join(root, '.gitignore'), 'build/\n', 'utf-8');
   fs.mkdirSync(path.join(root, 'build'), { recursive: true });
   fs.writeFileSync(path.join(root, 'build', 'out.js'), 'noise', 'utf-8');
@@ -152,9 +186,13 @@ test('CT-4: commit-task LOUD-FAILS when every files_modified entry is gitignored
 
 test('CT-5: commit-task unknown task id → task-not-found', () => {
   const root = makeRepo();
+  // Loop gate runs BEFORE task lookup (no checkpoint seeded), so we expect
+  // the bypass-violation here, not the task-not-found error. Using --bypass
+  // so we exercise the unknown-task path instead.
   const cap = _capture();
+  const stderr = _capture();
   assert.throws(
-    () => subcmd.run(['M006-S099-T0099'], { cwd: root, stdout: cap.stub }),
+    () => subcmd.run(['M006-S099-T0099', '--bypass-nubosloop'], { cwd: root, stdout: cap.stub, stderr: stderr.stub }),
     (err) => err && err.code === 'commit-task-not-found',
   );
 });
@@ -164,14 +202,8 @@ test('CT-6: empty files_modified falls back to checkpoint.files_touched', () =>
   seedPlanAndTask(root, '06-01', 'M006-S001-T0010', []);
   fs.mkdirSync(path.join(root, 'src'), { recursive: true });
   fs.writeFileSync(path.join(root, 'src', 'b.ts'), 'export const b = 2;\n', 'utf-8');
-  const cpPath = path.join(root, '.nubos-pilot', 'checkpoints', 'M006-S001-T0010.json');
-  fs.mkdirSync(path.dirname(cpPath), { recursive: true });
-  fs.writeFileSync(cpPath, JSON.stringify({
-    schema_version: 1,
-    task_id: 'M006-S001-T0010',
-    status: 'pre-commit',
-    files_touched: ['src/b.ts'],
-  }), 'utf-8');
+  // Checkpoint must satisfy the loop gate AND carry files_touched.
+  seedLoopReadyCheckpoint(root, 'M006-S001-T0010', { files_touched: ['src/b.ts'] });
   const prev = process.cwd();
   process.chdir(root);
   const cap = _capture();
@@ -189,9 +221,190 @@ test('CT-6: empty files_modified falls back to checkpoint.files_touched', () =>
 test('CT-7: empty files_modified AND no checkpoint → commit-task-no-files', () => {
   const root = makeRepo();
   seedPlanAndTask(root, '06-01', 'M006-S001-T0011', []);
+  // No checkpoint → gate would normally refuse first; bypass to reach the
+  // no-files path that this test exercises.
   const cap = _capture();
+  const stderr = _capture();
   assert.throws(
-    () => subcmd.run(['M006-S001-T0011'], { cwd: root, stdout: cap.stub }),
+    () => subcmd.run(['M006-S001-T0011', '--bypass-nubosloop'], { cwd: root, stdout: cap.stub, stderr: stderr.stub }),
     (err) => err && err.code === 'commit-task-no-files',
   );
 });
+
+test('CT-8: refuse commit when no checkpoint exists (Nubosloop gate)', () => {
+  const root = makeRepo();
+  seedPlanAndTask(root, '06-01', 'M006-S001-T0020', ['src/c.ts']);
+  fs.mkdirSync(path.join(root, 'src'), { recursive: true });
+  fs.writeFileSync(path.join(root, 'src', 'c.ts'), 'export const c = 3;\n', 'utf-8');
+  const cap = _capture();
+  const stderr = _capture();
+  assert.throws(
+    () => subcmd.run(['M006-S001-T0020'], { cwd: root, stdout: cap.stub, stderr: stderr.stub }),
+    (err) => err && err.code === 'commit-task-loop-bypass-violation' && err.details && err.details.reason === 'no-checkpoint',
+  );
+});
+
+test('CT-9: refuse commit when nubosloop.last_phase ≠ commit', () => {
+  const root = makeRepo();
+  seedPlanAndTask(root, '06-01', 'M006-S001-T0021', ['src/d.ts']);
+  fs.mkdirSync(path.join(root, 'src'), { recursive: true });
+  fs.writeFileSync(path.join(root, 'src', 'd.ts'), 'export const d = 4;\n', 'utf-8');
+  // Checkpoint exists but loop only made it to verifying — gate must refuse.
+  seedLoopReadyCheckpoint(root, 'M006-S001-T0021', {
+    nubosloop: { last_phase: 'verifying', last_action: 'verify-green' },
+  });
+  const cap = _capture();
+  const stderr = _capture();
+  assert.throws(
+    () => subcmd.run(['M006-S001-T0021'], { cwd: root, stdout: cap.stub, stderr: stderr.stub }),
+    (err) => err && err.code === 'commit-task-loop-bypass-violation'
+      && err.details && err.details.reason === 'last-phase-mismatch'
+      && err.details.observed_last_phase === 'verifying',
+  );
+});
+
+test('CT-12: refuse gamed commit (last_phase=commit but no verify_exit_code)', () => {
+  const root = makeRepo();
+  seedPlanAndTask(root, '06-01', 'M006-S001-T0030', ['src/g.ts']);
+  fs.mkdirSync(path.join(root, 'src'), { recursive: true });
+  fs.writeFileSync(path.join(root, 'src', 'g.ts'), 'export const g = 7;\n', 'utf-8');
+  // Simulates an agent that ran ONLY `loop-run-round --phase commit` to game
+  // the gate, without going through preflight/post-executor/post-critics.
+  // verify_exit_code is undefined → post-executor never ran.
+  const cpPath = path.join(root, '.nubos-pilot', 'checkpoints', 'M006-S001-T0030.json');
+  fs.mkdirSync(path.dirname(cpPath), { recursive: true });
+  fs.writeFileSync(cpPath, JSON.stringify({
+    schema_version: 1,
+    task_id: 'M006-S001-T0030',
+    status: 'pre-commit',
+    files_touched: [],
+    nubosloop: { last_phase: 'commit', last_action: 'commit', committed_at: '2026-05-04T12:00:00Z' },
+  }), 'utf-8');
+  const cap = _capture();
+  const stderr = _capture();
+  assert.throws(
+    () => subcmd.run(['M006-S001-T0030'], { cwd: root, stdout: cap.stub, stderr: stderr.stub }),
+    (err) => err && err.code === 'commit-task-loop-bypass-violation'
+      && err.details && err.details.reason === 'post-executor-not-green',
+  );
+});
+
+test('CT-13: refuse gamed commit when verify ran but post-critics findings missing', () => {
+  const root = makeRepo();
+  seedPlanAndTask(root, '06-01', 'M006-S001-T0031', ['src/h.ts']);
+  fs.mkdirSync(path.join(root, 'src'), { recursive: true });
+  fs.writeFileSync(path.join(root, 'src', 'h.ts'), 'export const h = 8;\n', 'utf-8');
+  // verify ran (exit_code=0) but critics never produced findings — agent
+  // skipped the critic-schwarm step.
+  const cpPath = path.join(root, '.nubos-pilot', 'checkpoints', 'M006-S001-T0031.json');
+  fs.mkdirSync(path.dirname(cpPath), { recursive: true });
+  fs.writeFileSync(cpPath, JSON.stringify({
+    schema_version: 1,
+    task_id: 'M006-S001-T0031',
+    status: 'pre-commit',
+    files_touched: [],
+    nubosloop: {
+      last_phase: 'commit', last_action: 'commit',
+      verify_exit_code: 0, // post-executor ran
+      committed_at: '2026-05-04T12:00:00Z',
+      // findings: missing → post-critics never ran
+    },
+  }), 'utf-8');
+  const cap = _capture();
+  const stderr = _capture();
+  assert.throws(
+    () => subcmd.run(['M006-S001-T0031'], { cwd: root, stdout: cap.stub, stderr: stderr.stub }),
+    (err) => err && err.code === 'commit-task-loop-bypass-violation'
+      && err.details && err.details.reason === 'post-critics-missing',
+  );
+});
+
+test('CT-14: refuse when verify-red was recorded (post-executor failed)', () => {
+  const root = makeRepo();
+  seedPlanAndTask(root, '06-01', 'M006-S001-T0032', ['src/i.ts']);
+  fs.mkdirSync(path.join(root, 'src'), { recursive: true });
+  fs.writeFileSync(path.join(root, 'src', 'i.ts'), 'export const i = 9;\n', 'utf-8');
+  // Loop reached commit-stamp somehow but verify was red — must refuse.
+  seedLoopReadyCheckpoint(root, 'M006-S001-T0032', {
+    nubosloop: { verify_exit_code: 1 },
+  });
+  const cap = _capture();
+  const stderr = _capture();
+  assert.throws(
+    () => subcmd.run(['M006-S001-T0032'], { cwd: root, stdout: cap.stub, stderr: stderr.stub }),
+    (err) => err && err.code === 'commit-task-loop-bypass-violation'
+      && err.details && err.details.reason === 'post-executor-not-green'
+      && err.details.observed_verify_exit_code === 1,
+  );
+});
+
+test('CT-15: bypass on gamed commit logs precise reason in stderr', () => {
+  const root = makeRepo();
+  seedPlanAndTask(root, '06-01', 'M006-S001-T0033', ['src/j.ts']);
+  fs.mkdirSync(path.join(root, 'src'), { recursive: true });
+  fs.writeFileSync(path.join(root, 'src', 'j.ts'), 'export const j = 10;\n', 'utf-8');
+  const cpPath = path.join(root, '.nubos-pilot', 'checkpoints', 'M006-S001-T0033.json');
+  fs.mkdirSync(path.dirname(cpPath), { recursive: true });
+  fs.writeFileSync(cpPath, JSON.stringify({
+    schema_version: 1, task_id: 'M006-S001-T0033', status: 'pre-commit', files_touched: [],
+    nubosloop: { last_phase: 'commit', last_action: 'commit', committed_at: 'z' },
+  }), 'utf-8');
+  const prev = process.cwd();
+  process.chdir(root);
+  const cap = _capture();
+  const stderr = _capture();
+  try {
+    subcmd.run(['M006-S001-T0033', '--bypass-nubosloop'], { cwd: root, stdout: cap.stub, stderr: stderr.stub });
+  } finally {
+    process.chdir(prev);
+  }
+  const payload = JSON.parse(cap.get());
+  assert.equal(payload.ok, true);
+  assert.equal(payload.nubosloop_bypassed, true);
+  assert.match(stderr.get(), /reason=post-executor-not-green/);
+  assert.match(stderr.get(), /missing=verify_exit_code=0/);
+});
+
+test('CT-10: --bypass-nubosloop allows single-pass commit and warns on stderr', () => {
+  const root = makeRepo();
+  seedPlanAndTask(root, '06-01', 'M006-S001-T0022', ['src/e.ts']);
+  fs.mkdirSync(path.join(root, 'src'), { recursive: true });
+  fs.writeFileSync(path.join(root, 'src', 'e.ts'), 'export const e = 5;\n', 'utf-8');
+  const prev = process.cwd();
+  process.chdir(root);
+  const cap = _capture();
+  const stderr = _capture();
+  try {
+    subcmd.run(['M006-S001-T0022', '--bypass-nubosloop'], { cwd: root, stdout: cap.stub, stderr: stderr.stub });
+  } finally {
+    process.chdir(prev);
+  }
+  const payload = JSON.parse(cap.get());
+  assert.equal(payload.ok, true);
+  assert.equal(payload.nubosloop_bypassed, true);
+  assert.match(stderr.get(), /WARNING: commit-task M006-S001-T0022 bypassing Nubosloop gate/);
+  assert.match(stderr.get(), /observed=no-checkpoint/);
+});
+
+test('CT-11: --bypass-nubosloop on partial loop state stamps the bypass reason', () => {
+  const root = makeRepo();
+  seedPlanAndTask(root, '06-01', 'M006-S001-T0023', ['src/f.ts']);
+  fs.mkdirSync(path.join(root, 'src'), { recursive: true });
+  fs.writeFileSync(path.join(root, 'src', 'f.ts'), 'export const f = 6;\n', 'utf-8');
+  seedLoopReadyCheckpoint(root, 'M006-S001-T0023', {
+    nubosloop: { last_phase: 'post-critics', last_action: 'executor' },
+  });
+  const prev = process.cwd();
+  process.chdir(root);
+  const cap = _capture();
+  const stderr = _capture();
+  try {
+    subcmd.run(['M006-S001-T0023', '--bypass-nubosloop'], { cwd: root, stdout: cap.stub, stderr: stderr.stub });
+  } finally {
+    process.chdir(prev);
+  }
+  const payload = JSON.parse(cap.get());
+  assert.equal(payload.ok, true);
+  assert.equal(payload.nubosloop_bypassed, true);
+  assert.match(stderr.get(), /observed=post-critics/);
+});

package/bin/np-tools/loop-commands.test.cjs

@@ -467,6 +467,79 @@ test('LCLI-RR-7: loop-run-round rejects unknown --phase', () => {
   );
 });
 
+test('LCLI-RR-8: phase=commit refuses without verify_exit_code (post-executor never ran)', () => {
+  const r = _mkRoot();
+  checkpoint.startTask({ id: 'M001-S001-T0001' }, r);
+  const loopRunRound = require('./loop-run-round.cjs');
+  assert.throws(
+    () => loopRunRound.run(
+      ['M001-S001-T0001', '--phase', 'commit'],
+      { cwd: r, stdout: _cap().stub },
+    ),
+    (err) => err && err.code === 'loop-commit-precondition-missing'
+      && err.details && err.details.missing === 'verify_exit_code',
+  );
+});
+
+test('LCLI-RR-9: phase=commit refuses without findings (post-critics never ran)', () => {
+  const r = _mkRoot();
+  checkpoint.startTask({ id: 'M001-S001-T0001' }, r);
+  const nubosloop = require('../../lib/nubosloop.cjs');
+  // post-executor ran (verify-green) but critics never produced findings.
+  nubosloop.recordLoopState('M001-S001-T0001', { round: 1 }, r);
+  checkpoint.mergeCheckpoint('M001-S001-T0001', (cur) => ({
+    nubosloop: Object.assign({}, (cur && cur.nubosloop) || {}, { verify_exit_code: 0 }),
+  }), r);
+  const loopRunRound = require('./loop-run-round.cjs');
+  assert.throws(
+    () => loopRunRound.run(
+      ['M001-S001-T0001', '--phase', 'commit'],
+      { cwd: r, stdout: _cap().stub },
+    ),
+    (err) => err && err.code === 'loop-commit-precondition-missing'
+      && err.details && err.details.missing === 'findings',
+  );
+});
+
+test('LCLI-RR-10: phase=commit accepts complete loop state (verify-green + findings array)', () => {
+  const r = _mkRoot();
+  checkpoint.startTask({ id: 'M001-S001-T0001' }, r);
+  const nubosloop = require('../../lib/nubosloop.cjs');
+  nubosloop.recordLoopState('M001-S001-T0001', { round: 1 }, r);
+  checkpoint.mergeCheckpoint('M001-S001-T0001', (cur) => ({
+    nubosloop: Object.assign({}, (cur && cur.nubosloop) || {}, {
+      verify_exit_code: 0,
+      findings: [],
+    }),
+  }), r);
+  const cap = _cap();
+  const loopRunRound = require('./loop-run-round.cjs');
+  loopRunRound.run(['M001-S001-T0001', '--phase', 'commit'], { cwd: r, stdout: cap.stub });
+  const out = JSON.parse(cap.get());
+  assert.equal(out.next_action, 'commit-task');
+  assert.equal(out.forced, false);
+  const cp = checkpoint.readCheckpoint('M001-S001-T0001', r);
+  assert.equal(cp.nubosloop.last_phase, 'commit');
+  assert.equal(cp.nubosloop.forced_commit_phase, false);
+});
+
+test('LCLI-RR-11: phase=commit --force-commit-phase bypasses preconditions and stamps the override', () => {
+  const r = _mkRoot();
+  checkpoint.startTask({ id: 'M001-S001-T0001' }, r);
+  // Empty checkpoint — no verify, no findings. Force should still allow.
+  const cap = _cap();
+  const loopRunRound = require('./loop-run-round.cjs');
+  loopRunRound.run(
+    ['M001-S001-T0001', '--phase', 'commit', '--force-commit-phase'],
+    { cwd: r, stdout: cap.stub },
+  );
+  const out = JSON.parse(cap.get());
+  assert.equal(out.next_action, 'commit-task');
+  assert.equal(out.forced, true);
+  const cp = checkpoint.readCheckpoint('M001-S001-T0001', r);
+  assert.equal(cp.nubosloop.forced_commit_phase, true);
+});
+
 test('LCLI-22: learning-match queries the local store', () => {
   const r = _mkRoot();
   const lr = require('../../lib/learnings.cjs');

package/bin/np-tools/loop-run-round.cjs

@@ -164,6 +164,43 @@ function _runPostCritics(taskId, list, cwd) {
 }
 
 function _runCommit(taskId, list, cwd) {
+  // Sequence-integrity guard: the commit phase MUST follow a complete loop run.
+  // Stamping last_phase='commit' is what unlocks commit-task, so without this
+  // check an agent could shell out `loop-run-round --phase commit` directly,
+  // skip preflight/executor/critics, and bypass the entire Nubosloop. The
+  // commit-task gate then sees a satisfied last_phase and lets the commit
+  // through. Defense-in-depth: refuse here AND in commit-task.
+  //
+  // Required evidence on the checkpoint envelope:
+  //   - verify_exit_code === 0   → post-executor ran AND verify was green
+  //   - findings is an array     → post-critics ran (empty array = passed)
+  //
+  // Bypass for legitimate test fixtures / migration: --force-commit-phase.
+  const force = list.includes('--force-commit-phase');
+  if (!force) {
+    const cur = checkpoint.readCheckpoint(taskId, cwd) || {};
+    const np = (cur && cur.nubosloop) || {};
+    if (np.verify_exit_code !== 0) {
+      throw new NubosPilotError(
+        'loop-commit-precondition-missing',
+        'phase=commit refused: post-executor did not record a verify-green run for ' + taskId +
+        ' (observed verify_exit_code=' + (np.verify_exit_code === undefined ? 'undefined' : np.verify_exit_code) + '). ' +
+        'Run `loop-run-round ' + taskId + ' --phase post-executor --verify-exit-code 0 --verify-output-path ...` first, ' +
+        'or pass --force-commit-phase for an explicit override.',
+        { taskId, missing: 'verify_exit_code', observed: np.verify_exit_code === undefined ? null : np.verify_exit_code },
+      );
+    }
+    if (!Array.isArray(np.findings)) {
+      throw new NubosPilotError(
+        'loop-commit-precondition-missing',
+        'phase=commit refused: post-critics did not produce a findings array for ' + taskId +
+        ' (observed findings=' + (np.findings === undefined ? 'undefined' : JSON.stringify(np.findings)) + '). ' +
+        'Run `loop-run-round ' + taskId + ' --phase post-critics --critic-outputs <json>` first, ' +
+        'or pass --force-commit-phase for an explicit override.',
+        { taskId, missing: 'findings', observed: np.findings === undefined ? null : np.findings },
+      );
+    }
+  }
   const pattern = args.getFlag(list, '--learning-pattern') || null;
   const outcome = args.getFlag(list, '--learning-outcome') || 'verified';
   let logged = null;
@@ -184,6 +221,7 @@ function _runCommit(taskId, list, cwd) {
         last_phase: 'commit',
         last_action: 'commit',
         committed_at: new Date().toISOString(),
+        forced_commit_phase: force ? true : (cur && cur.nubosloop && cur.nubosloop.forced_commit_phase) || false,
       }),
     }),
     cwd,
@@ -192,6 +230,7 @@ function _runCommit(taskId, list, cwd) {
     phase: 'commit',
     next_action: 'commit-task',
     learning_logged: logged,
+    forced: force,
   };
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nubos-pilot",
-  "version": "0.9.3",
+  "version": "0.9.5",
   "description": "AI-driven planning and execution tool for code projects",
   "homepage": "https://github.com/Nubos-AI/nubos-pilot",
   "repository": {