nubos-pilot 0.9.4 → 0.9.5

package/bin/np-tools/commit-task.cjs

@@ -11,27 +11,53 @@ const { deleteCheckpoint, readCheckpoint } = require('../../lib/checkpoint.cjs')
 
 const BYPASS_FLAG = '--bypass-nubosloop';
 
+// Evidence-based gate: a complete Nubosloop run accumulates fields on the
+// checkpoint envelope (cache_hit from preflight, verify_exit_code from
+// post-executor, findings from post-critics, committed_at from commit). A
+// gamed run that only invokes `loop-run-round --phase commit` directly leaves
+// verify_exit_code and findings undefined. Checking last_phase alone is not
+// enough — we require the cumulative signature.
 function _assertLoopGate(taskId, cwd, bypass, stderr) {
   const cp = readCheckpoint(taskId, cwd);
-  const last = cp && cp.nubosloop && cp.nubosloop.last_phase;
-  if (last === 'commit') return { bypassed: false, last_phase: last };
-  const reason = !cp ? 'no-checkpoint' : 'last-phase-mismatch';
-  const observed = last || (cp ? 'none' : 'no-checkpoint');
+  const np = (cp && cp.nubosloop) || null;
+  const last = np && np.last_phase;
+  const checks = [
+    { ok: !!cp,                              reason: 'no-checkpoint',                missing: 'checkpoint',         observed: 'no-checkpoint' },
+    { ok: last === 'commit',                 reason: 'last-phase-mismatch',          missing: 'last_phase=commit',  observed: last || 'none' },
+    { ok: np && np.verify_exit_code === 0,   reason: 'post-executor-not-green',      missing: 'verify_exit_code=0', observed: np && np.verify_exit_code !== undefined ? String(np.verify_exit_code) : 'undefined' },
+    { ok: np && Array.isArray(np.findings),  reason: 'post-critics-missing',         missing: 'findings (array)',   observed: np && np.findings !== undefined ? JSON.stringify(np.findings).slice(0, 60) : 'undefined' },
+    { ok: np && !!np.committed_at,           reason: 'commit-phase-not-stamped',     missing: 'committed_at',       observed: (np && np.committed_at) || 'undefined' },
+  ];
+  const failed = checks.find((c) => !c.ok);
+  if (!failed) {
+    return { bypassed: false, last_phase: last, forced_commit_phase: !!(np && np.forced_commit_phase) };
+  }
   if (bypass) {
     stderr.write(
       '[nubos-pilot] WARNING: commit-task ' + taskId +
-      ' bypassing Nubosloop gate (' + BYPASS_FLAG + '; observed=' + observed +
+      ' bypassing Nubosloop gate (' + BYPASS_FLAG +
+      '; reason=' + failed.reason + '; missing=' + failed.missing +
+      '; observed=' + failed.observed +
       '). Single-pass commit, no critic review enforced.\n',
     );
-    return { bypassed: true, last_phase: last || null };
+    return { bypassed: true, last_phase: last || null, forced_commit_phase: !!(np && np.forced_commit_phase) };
   }
   throw new NubosPilotError(
     'commit-task-loop-bypass-violation',
-    'commit-task refused: Nubosloop did not reach phase=commit for ' + taskId +
-    ' (observed nubosloop.last_phase=' + observed + '). ' +
-    'Run `loop-run-round ' + taskId + ' --phase commit` first, or pass ' + BYPASS_FLAG +
+    'commit-task refused: Nubosloop sequence incomplete for ' + taskId +
+    ' (reason=' + failed.reason + '; missing=' + failed.missing +
+    '; observed=' + failed.observed + '). ' +
+    'Run the full loop (preflight → post-executor verify-green → post-critics → commit) first, or pass ' + BYPASS_FLAG +
     ' for an explicit single-pass override.',
-    { taskId, reason, last_phase: last || null },
+    {
+      taskId,
+      reason: failed.reason,
+      missing: failed.missing,
+      observed_last_phase: last || null,
+      observed_verify_exit_code: np && np.verify_exit_code !== undefined ? np.verify_exit_code : null,
+      observed_findings_is_array: !!(np && Array.isArray(np.findings)),
+      observed_committed_at: (np && np.committed_at) || null,
+    },
   );
 }
 
@@ -141,6 +167,7 @@ function run(args, ctx) {
     files: safeFiles,
     files_source: filesSource,
     nubosloop_bypassed: gate.bypassed,
+    nubosloop_forced_commit_phase: !!gate.forced_commit_phase,
   };
   stdout.write(JSON.stringify(payload));
   return payload;

package/bin/np-tools/commit-task.test.cjs

@@ -82,9 +82,10 @@ function _capture() {
   return { stub, get: () => buf };
 }
 
-// Seed a checkpoint that satisfies the Nubosloop gate (last_phase=commit) so
-// commit-task accepts it. Tests that exercise the gate explicitly bypass this
-// helper. Optional `extra` overrides any field on the envelope.
+// Seed a checkpoint that satisfies the full Nubosloop gate (sequence-integrity).
+// A real loop accumulates evidence on the envelope; the gate refuses unless
+// every required marker is present. Tests that exercise game-paths build their
+// own partial fixtures.
 function seedLoopReadyCheckpoint(root, taskId, extra) {
   const cpPath = path.join(root, '.nubos-pilot', 'checkpoints', taskId + '.json');
   fs.mkdirSync(path.dirname(cpPath), { recursive: true });
@@ -94,12 +95,21 @@ function seedLoopReadyCheckpoint(root, taskId, extra) {
     status: 'pre-commit',
     files_touched: [],
     nubosloop: {
+      round: 1,
+      cache_hit: false,
       last_phase: 'commit',
       last_action: 'commit',
+      verify_exit_code: 0,
+      findings: [],
       committed_at: '2026-05-04T12:00:00Z',
     },
   };
-  fs.writeFileSync(cpPath, JSON.stringify(Object.assign(base, extra || {})), 'utf-8');
+  // Allow the test to override individual fields (incl. nubosloop sub-fields).
+  const merged = Object.assign({}, base, extra || {});
+  if (extra && extra.nubosloop) {
+    merged.nubosloop = Object.assign({}, base.nubosloop, extra.nubosloop);
+  }
+  fs.writeFileSync(cpPath, JSON.stringify(merged), 'utf-8');
   return cpPath;
 }
 
@@ -249,10 +259,112 @@ test('CT-9: refuse commit when nubosloop.last_phase ≠ commit', () => {
     () => subcmd.run(['M006-S001-T0021'], { cwd: root, stdout: cap.stub, stderr: stderr.stub }),
     (err) => err && err.code === 'commit-task-loop-bypass-violation'
       && err.details && err.details.reason === 'last-phase-mismatch'
-      && err.details.last_phase === 'verifying',
+      && err.details.observed_last_phase === 'verifying',
+  );
+});
+
+test('CT-12: refuse gamed commit (last_phase=commit but no verify_exit_code)', () => {
+  const root = makeRepo();
+  seedPlanAndTask(root, '06-01', 'M006-S001-T0030', ['src/g.ts']);
+  fs.mkdirSync(path.join(root, 'src'), { recursive: true });
+  fs.writeFileSync(path.join(root, 'src', 'g.ts'), 'export const g = 7;\n', 'utf-8');
+  // Simulates an agent that ran ONLY `loop-run-round --phase commit` to game
+  // the gate, without going through preflight/post-executor/post-critics.
+  // verify_exit_code is undefined → post-executor never ran.
+  const cpPath = path.join(root, '.nubos-pilot', 'checkpoints', 'M006-S001-T0030.json');
+  fs.mkdirSync(path.dirname(cpPath), { recursive: true });
+  fs.writeFileSync(cpPath, JSON.stringify({
+    schema_version: 1,
+    task_id: 'M006-S001-T0030',
+    status: 'pre-commit',
+    files_touched: [],
+    nubosloop: { last_phase: 'commit', last_action: 'commit', committed_at: '2026-05-04T12:00:00Z' },
+  }), 'utf-8');
+  const cap = _capture();
+  const stderr = _capture();
+  assert.throws(
+    () => subcmd.run(['M006-S001-T0030'], { cwd: root, stdout: cap.stub, stderr: stderr.stub }),
+    (err) => err && err.code === 'commit-task-loop-bypass-violation'
+      && err.details && err.details.reason === 'post-executor-not-green',
+  );
+});
+
+test('CT-13: refuse gamed commit when verify ran but post-critics findings missing', () => {
+  const root = makeRepo();
+  seedPlanAndTask(root, '06-01', 'M006-S001-T0031', ['src/h.ts']);
+  fs.mkdirSync(path.join(root, 'src'), { recursive: true });
+  fs.writeFileSync(path.join(root, 'src', 'h.ts'), 'export const h = 8;\n', 'utf-8');
+  // verify ran (exit_code=0) but critics never produced findings — agent
+  // skipped the critic-schwarm step.
+  const cpPath = path.join(root, '.nubos-pilot', 'checkpoints', 'M006-S001-T0031.json');
+  fs.mkdirSync(path.dirname(cpPath), { recursive: true });
+  fs.writeFileSync(cpPath, JSON.stringify({
+    schema_version: 1,
+    task_id: 'M006-S001-T0031',
+    status: 'pre-commit',
+    files_touched: [],
+    nubosloop: {
+      last_phase: 'commit', last_action: 'commit',
+      verify_exit_code: 0, // post-executor ran
+      committed_at: '2026-05-04T12:00:00Z',
+      // findings: missing → post-critics never ran
+    },
+  }), 'utf-8');
+  const cap = _capture();
+  const stderr = _capture();
+  assert.throws(
+    () => subcmd.run(['M006-S001-T0031'], { cwd: root, stdout: cap.stub, stderr: stderr.stub }),
+    (err) => err && err.code === 'commit-task-loop-bypass-violation'
+      && err.details && err.details.reason === 'post-critics-missing',
+  );
+});
+
+test('CT-14: refuse when verify-red was recorded (post-executor failed)', () => {
+  const root = makeRepo();
+  seedPlanAndTask(root, '06-01', 'M006-S001-T0032', ['src/i.ts']);
+  fs.mkdirSync(path.join(root, 'src'), { recursive: true });
+  fs.writeFileSync(path.join(root, 'src', 'i.ts'), 'export const i = 9;\n', 'utf-8');
+  // Loop reached commit-stamp somehow but verify was red — must refuse.
+  seedLoopReadyCheckpoint(root, 'M006-S001-T0032', {
+    nubosloop: { verify_exit_code: 1 },
+  });
+  const cap = _capture();
+  const stderr = _capture();
+  assert.throws(
+    () => subcmd.run(['M006-S001-T0032'], { cwd: root, stdout: cap.stub, stderr: stderr.stub }),
+    (err) => err && err.code === 'commit-task-loop-bypass-violation'
+      && err.details && err.details.reason === 'post-executor-not-green'
+      && err.details.observed_verify_exit_code === 1,
   );
 });
 
+test('CT-15: bypass on gamed commit logs precise reason in stderr', () => {
+  const root = makeRepo();
+  seedPlanAndTask(root, '06-01', 'M006-S001-T0033', ['src/j.ts']);
+  fs.mkdirSync(path.join(root, 'src'), { recursive: true });
+  fs.writeFileSync(path.join(root, 'src', 'j.ts'), 'export const j = 10;\n', 'utf-8');
+  const cpPath = path.join(root, '.nubos-pilot', 'checkpoints', 'M006-S001-T0033.json');
+  fs.mkdirSync(path.dirname(cpPath), { recursive: true });
+  fs.writeFileSync(cpPath, JSON.stringify({
+    schema_version: 1, task_id: 'M006-S001-T0033', status: 'pre-commit', files_touched: [],
+    nubosloop: { last_phase: 'commit', last_action: 'commit', committed_at: 'z' },
+  }), 'utf-8');
+  const prev = process.cwd();
+  process.chdir(root);
+  const cap = _capture();
+  const stderr = _capture();
+  try {
+    subcmd.run(['M006-S001-T0033', '--bypass-nubosloop'], { cwd: root, stdout: cap.stub, stderr: stderr.stub });
+  } finally {
+    process.chdir(prev);
+  }
+  const payload = JSON.parse(cap.get());
+  assert.equal(payload.ok, true);
+  assert.equal(payload.nubosloop_bypassed, true);
+  assert.match(stderr.get(), /reason=post-executor-not-green/);
+  assert.match(stderr.get(), /missing=verify_exit_code=0/);
+});
+
 test('CT-10: --bypass-nubosloop allows single-pass commit and warns on stderr', () => {
   const root = makeRepo();
   seedPlanAndTask(root, '06-01', 'M006-S001-T0022', ['src/e.ts']);

package/bin/np-tools/loop-commands.test.cjs

@@ -467,6 +467,79 @@ test('LCLI-RR-7: loop-run-round rejects unknown --phase', () => {
   );
 });
 
+test('LCLI-RR-8: phase=commit refuses without verify_exit_code (post-executor never ran)', () => {
+  const r = _mkRoot();
+  checkpoint.startTask({ id: 'M001-S001-T0001' }, r);
+  const loopRunRound = require('./loop-run-round.cjs');
+  assert.throws(
+    () => loopRunRound.run(
+      ['M001-S001-T0001', '--phase', 'commit'],
+      { cwd: r, stdout: _cap().stub },
+    ),
+    (err) => err && err.code === 'loop-commit-precondition-missing'
+      && err.details && err.details.missing === 'verify_exit_code',
+  );
+});
+
+test('LCLI-RR-9: phase=commit refuses without findings (post-critics never ran)', () => {
+  const r = _mkRoot();
+  checkpoint.startTask({ id: 'M001-S001-T0001' }, r);
+  const nubosloop = require('../../lib/nubosloop.cjs');
+  // post-executor ran (verify-green) but critics never produced findings.
+  nubosloop.recordLoopState('M001-S001-T0001', { round: 1 }, r);
+  checkpoint.mergeCheckpoint('M001-S001-T0001', (cur) => ({
+    nubosloop: Object.assign({}, (cur && cur.nubosloop) || {}, { verify_exit_code: 0 }),
+  }), r);
+  const loopRunRound = require('./loop-run-round.cjs');
+  assert.throws(
+    () => loopRunRound.run(
+      ['M001-S001-T0001', '--phase', 'commit'],
+      { cwd: r, stdout: _cap().stub },
+    ),
+    (err) => err && err.code === 'loop-commit-precondition-missing'
+      && err.details && err.details.missing === 'findings',
+  );
+});
+
+test('LCLI-RR-10: phase=commit accepts complete loop state (verify-green + findings array)', () => {
+  const r = _mkRoot();
+  checkpoint.startTask({ id: 'M001-S001-T0001' }, r);
+  const nubosloop = require('../../lib/nubosloop.cjs');
+  nubosloop.recordLoopState('M001-S001-T0001', { round: 1 }, r);
+  checkpoint.mergeCheckpoint('M001-S001-T0001', (cur) => ({
+    nubosloop: Object.assign({}, (cur && cur.nubosloop) || {}, {
+      verify_exit_code: 0,
+      findings: [],
+    }),
+  }), r);
+  const cap = _cap();
+  const loopRunRound = require('./loop-run-round.cjs');
+  loopRunRound.run(['M001-S001-T0001', '--phase', 'commit'], { cwd: r, stdout: cap.stub });
+  const out = JSON.parse(cap.get());
+  assert.equal(out.next_action, 'commit-task');
+  assert.equal(out.forced, false);
+  const cp = checkpoint.readCheckpoint('M001-S001-T0001', r);
+  assert.equal(cp.nubosloop.last_phase, 'commit');
+  assert.equal(cp.nubosloop.forced_commit_phase, false);
+});
+
+test('LCLI-RR-11: phase=commit --force-commit-phase bypasses preconditions and stamps the override', () => {
+  const r = _mkRoot();
+  checkpoint.startTask({ id: 'M001-S001-T0001' }, r);
+  // Empty checkpoint — no verify, no findings. Force should still allow.
+  const cap = _cap();
+  const loopRunRound = require('./loop-run-round.cjs');
+  loopRunRound.run(
+    ['M001-S001-T0001', '--phase', 'commit', '--force-commit-phase'],
+    { cwd: r, stdout: cap.stub },
+  );
+  const out = JSON.parse(cap.get());
+  assert.equal(out.next_action, 'commit-task');
+  assert.equal(out.forced, true);
+  const cp = checkpoint.readCheckpoint('M001-S001-T0001', r);
+  assert.equal(cp.nubosloop.forced_commit_phase, true);
+});
+
 test('LCLI-22: learning-match queries the local store', () => {
   const r = _mkRoot();
   const lr = require('../../lib/learnings.cjs');

package/bin/np-tools/loop-run-round.cjs

@@ -164,6 +164,43 @@ function _runPostCritics(taskId, list, cwd) {
 }
 
 function _runCommit(taskId, list, cwd) {
+  // Sequence-integrity guard: the commit phase MUST follow a complete loop run.
+  // Stamping last_phase='commit' is what unlocks commit-task, so without this
+  // check an agent could shell out `loop-run-round --phase commit` directly,
+  // skip preflight/executor/critics, and bypass the entire Nubosloop. The
+  // commit-task gate then sees a satisfied last_phase and lets the commit
+  // through. Defense-in-depth: refuse here AND in commit-task.
+  //
+  // Required evidence on the checkpoint envelope:
+  //   - verify_exit_code === 0   → post-executor ran AND verify was green
+  //   - findings is an array     → post-critics ran (empty array = passed)
+  //
+  // Bypass for legitimate test fixtures / migration: --force-commit-phase.
+  const force = list.includes('--force-commit-phase');
+  if (!force) {
+    const cur = checkpoint.readCheckpoint(taskId, cwd) || {};
+    const np = (cur && cur.nubosloop) || {};
+    if (np.verify_exit_code !== 0) {
+      throw new NubosPilotError(
+        'loop-commit-precondition-missing',
+        'phase=commit refused: post-executor did not record a verify-green run for ' + taskId +
+        ' (observed verify_exit_code=' + (np.verify_exit_code === undefined ? 'undefined' : np.verify_exit_code) + '). ' +
+        'Run `loop-run-round ' + taskId + ' --phase post-executor --verify-exit-code 0 --verify-output-path ...` first, ' +
+        'or pass --force-commit-phase for an explicit override.',
+        { taskId, missing: 'verify_exit_code', observed: np.verify_exit_code === undefined ? null : np.verify_exit_code },
+      );
+    }
+    if (!Array.isArray(np.findings)) {
+      throw new NubosPilotError(
+        'loop-commit-precondition-missing',
+        'phase=commit refused: post-critics did not produce a findings array for ' + taskId +
+        ' (observed findings=' + (np.findings === undefined ? 'undefined' : JSON.stringify(np.findings)) + '). ' +
+        'Run `loop-run-round ' + taskId + ' --phase post-critics --critic-outputs <json>` first, ' +
+        'or pass --force-commit-phase for an explicit override.',
+        { taskId, missing: 'findings', observed: np.findings === undefined ? null : np.findings },
+      );
+    }
+  }
   const pattern = args.getFlag(list, '--learning-pattern') || null;
   const outcome = args.getFlag(list, '--learning-outcome') || 'verified';
   let logged = null;
@@ -184,6 +221,7 @@ function _runCommit(taskId, list, cwd) {
         last_phase: 'commit',
         last_action: 'commit',
         committed_at: new Date().toISOString(),
+        forced_commit_phase: force ? true : (cur && cur.nubosloop && cur.nubosloop.forced_commit_phase) || false,
       }),
     }),
     cwd,
@@ -192,6 +230,7 @@ function _runCommit(taskId, list, cwd) {
     phase: 'commit',
     next_action: 'commit-task',
     learning_logged: logged,
+    forced: force,
   };
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nubos-pilot",
-  "version": "0.9.4",
+  "version": "0.9.5",
   "description": "AI-driven planning and execution tool for code projects",
   "homepage": "https://github.com/Nubos-AI/nubos-pilot",
   "repository": {