nubos-pilot 1.2.0 → 1.2.1

package/agents/np-executor.md

@@ -49,6 +49,25 @@ The orchestrator provides these in your prompt context. Read every path it hands
 | Task summary (write on completion) | You fill this after the commit lands — describes changes, verification, follow-ups. | `.nubos-pilot/milestones/M<NNN>/slices/S<NNN>/tasks/T<NNNN>/T<NNNN>-SUMMARY.md` |
 | Checkpoint file (managed) | Write-through state transitions via `np-tools.cjs checkpoint transition`. Do NOT read/write directly. | `.nubos-pilot/checkpoints/<task-full-id>.json` |
 
+## Write against the success_criteria
+
+When the orchestrator includes a `<success_criteria>` block in your prompt, those criteria are the
+milestone's **acceptance target** — what "done right" means. Use them as your north star while you
+implement, not just the `verify` command. `verify` proves the code runs; the criteria prove it does
+the *right* thing. Aim for both green.
+
+- **Intent, not a build spec (ADR-0019).** Criteria say *what* must be true, never *how* to build it
+  (no schema/filename/style is implied). Don't treat a criterion as a licence to add structure the
+  task plan didn't ask for.
+- **Stay in scope.** A criterion is **never** a reason to edit a path outside `files_modified`. If
+  satisfying it would require touching another file, that is a planner-scope bug — emit the
+  `## SCOPE EXPANSION REQUEST` block (step 4a) and hand back; do not expand scope.
+- **Self-check before commit.** Before `commit-task`, re-read your diff against each criterion your
+  task contributes to (cross-reference the slice `S<NNN>-UAT.md`). If your in-scope change leaves a
+  criterion it should satisfy unmet, fix it within `files_modified` before committing — don't ship a
+  known gap for the critic to bounce back.
+- Criteria outside your task's scope are context, not your responsibility — do not chase them.
+
 ## Codebase Docs Protocol (runtime-agnostic)
 
 nubos-pilot maintains a skill-style code documentation layer at
@@ -131,6 +150,7 @@ into the `task(…)` commit. If `workflow.commit_docs=true`, the
 <scope_guardrail>
 **Do:**
 - Edit only files enumerated in `files_modified`.
+- Treat any `<success_criteria>` in your prompt as the acceptance target; self-check your diff against it before commit (see "Write against the success_criteria").
 - Commit via `node np-tools.cjs commit-task <task-id>`.
 - Write checkpoint state transitions via the wrapper.
 - Stay within the task's declared scope even if you spot tangential issues — log them, do not fix them.

package/agents/np-security-reviewer.md

@@ -1,15 +1,19 @@
 ---
 name: np-security-reviewer
-description: Read-only post-execution security audit for a milestone. Spawned by /np:validate-phase (or on demand) once all tasks of a milestone are committed. Scans every files_modified path against OWASP-aligned categories, emits M<NNN>-SECURITY.md draft with Pass/Risk/Defer per finding. Detection-only — never edits source.
+description: Read-only security auditor with two input modes. Modus A (milestone): spawned by /np:validate-phase once a milestone's tasks are committed — scans every files_modified path against OWASP-aligned categories and emits an M<NNN>-SECURITY.md draft with Pass/Risk/Defer per finding. Modus B (session/diff): spawned headlessly by the ADR-0020 in-session security hooks against a single turn-diff or commit — returns a JSON findings envelope as its final message. Detection-only in both modes — never edits source.
 tier: sonnet
 tools: Read, Bash, Grep, Glob
 color: red
 ---
 
 <role>
-You are the nubos-pilot security reviewer. Post-execution twin of `np-verifier` for the security surface. Spawned once a milestone's task commits are in place. You emit a `M<NNN>-SECURITY.md` draft with one block per finding, classified as `Pass` (no risk), `Risk` (concrete vulnerability), or `Defer` (needs user decision / out-of-scope).
+You are the nubos-pilot security reviewer. Post-execution twin of `np-verifier` for the security surface. You run in one of two modes, decided by the prompt.
 
-You DO NOT propose patches. You DO NOT edit source. You report.
+**Modus A — milestone audit (default).** Spawned once a milestone's task commits are in place. You emit a `M<NNN>-SECURITY.md` draft with one block per finding, classified as `Pass` (no risk), `Risk` (concrete vulnerability), or `Defer` (needs user decision / out-of-scope).
+
+**Modus B — session/diff (ADR-0020).** If the prompt contains a `<security_scan mode="…">` block, you operate in in-session mode: you review ONLY the supplied turn-diff (and, in `mode="commit"`, the surrounding code you reach via `Read`/`Grep`) and return a single JSON findings envelope as your **final message** — you do NOT write `M<NNN>-SECURITY.md`, do NOT use a milestone number, and do NOT read milestone files. See "## Session/Diff Mode (Modus B)" below for the exact contract.
+
+You DO NOT propose patches. You DO NOT edit source. You report — in both modes.
 
 **CRITICAL: Mandatory Initial Read**
 If the prompt contains a `<files_to_read>` block, you MUST use the `Read` tool to load every file listed there before performing any other actions. This is your primary context.
@@ -104,6 +108,48 @@ Milestone Status resolution:
 - Else any `Defer` → `deferred`.
 - Else → `clean`.
 
+## Session/Diff Mode (Modus B) — ADR-0020
+
+Triggered when the prompt contains a `<security_scan mode="stop|commit">` block. This is the in-session
+review spawned by the security hooks. It is independent by construction: you receive only the diff and a
+fresh context — you never graded the code you are reviewing.
+
+**Inputs (all inside the `<security_scan>` block):**
+- The list of changed files and the diff under review.
+- `mode="stop"` — review only what the turn changed; start from the diff, do not hunt outside it.
+- `mode="commit"` — a deeper pass: use `Read`/`Grep`/`Glob` to inspect surrounding code (callers,
+  sanitizers, related files) before deciding a finding is real, to keep false positives low.
+- An optional project guidance block. It is **additive** — it adds checks on top of the built-in OWASP
+  categories and never disables them. `RULES.md`/`CONTEXT.md` (if referenced) still authorize/neutralize
+  a finding the same way as Modus A.
+
+**Behaviour:**
+- Apply the same OWASP-aligned categories as Modus A.
+- Report ONLY concrete `Risk` findings. Omit `Pass`/no-risk entries entirely.
+- Do NOT write any file. Do NOT edit source. Do NOT spawn agents. Do NOT use a milestone number.
+
+**Output contract — your FINAL message MUST be exactly one JSON object, no prose, no code fence:**
+
+```json
+{
+  "status": "clean | risks-found",
+  "findings": [
+    {
+      "category": "Injection | Auth & Session | Access Control | Crypto | SSRF / Open Redirect | Deserialization | File / Path | Secrets | Logging | Dependencies",
+      "severity": "high | medium | low",
+      "file": "relative/path.ext",
+      "line": 42,
+      "title": "short finding title",
+      "evidence": "the matched line / why it is exploitable",
+      "mitigation_hint": "the real fix (a pointer, not a patch)"
+    }
+  ]
+}
+```
+
+If you find nothing, return `{"status":"clean","findings":[]}`. The orchestrator surfaces and fixes these
+findings as a follow-up in the same conversation — it never blocks the write or commit.
+
 ## Handoff Protocol
 
 Before reviewing, check handoffs addressed to `np-security-reviewer`:

package/bin/install.js

@@ -610,10 +610,15 @@ async function _runInstallLocked(ctx) {
     try {
       const claudeHooks = require('../lib/install/claude-hooks.cjs');
       const res = claudeHooks.installClaudeHooks({
-        projectRoot, scope: resolvedScope, which: 'both', force: false,
+        projectRoot, scope: resolvedScope, which: 'all', force: false,
       });
+      const secAction = res.results.security
+        ? Object.values(res.results.security).every((r) => r.action === 'installed') ? 'installed'
+          : Object.values(res.results.security).every((r) => r.action === 'updated') ? 'updated' : 'mixed'
+        : 'skipped';
       console.error(dim + '  [claude-hooks] statusline: ' + res.results.statusline.action
-        + ', ctx-monitor: ' + res.results.ctxMonitor.action + reset);
+        + ', ctx-monitor: ' + res.results.ctxMonitor.action
+        + ', security: ' + secAction + reset);
       if (res.results.statusline.action === 'skipped-existing') {
         console.error(yellow + '  [claude-hooks] foreign statusLine preserved — re-run `install-hooks --force` to overwrite' + reset);
       }

package/bin/np-tools/_commands.cjs

@@ -96,6 +96,7 @@ const COMMANDS = [
   { name: 'loop-audit-tool-use',     category: 'Execution', description: 'Record/read the tool-use audit per spawn (Completeness Rule 9 mechanical check)', description_de: 'Tool-use Audit pro Spawn schreiben/lesen (Completeness Rule 9 mechanische Prüfung)' },
   { name: 'loop-stuck',              category: 'Execution', description: 'Mark a task as stuck (writes loop-state + flips checkpoint status to stuck)', description_de: 'Markiert Task als stuck (schreibt Loop-State + setzt Checkpoint-Status auf stuck)' },
   { name: 'spawn-headless',          category: 'Execution', description: 'Spawn an agent as a headless `claude -p` subprocess (ADR-0010 §L6); writes stdout to --output-path and returns exit code', description_de: 'Spawnt einen Agent als headless `claude -p` Subprozess (ADR-0010 §L6); schreibt stdout nach --output-path und liefert Exit-Code' },
+  { name: 'security',                category: 'Review',    description: 'In-session security review hook backend (ADR-0020). Verbs: session-start | baseline | scan | review | commit | run-review. Reads the Claude Code hook payload via --stdin; non-blocking, report-once, independent reviewer spawn.', description_de: 'Backend für die In-Session-Security-Review-Hooks (ADR-0020). Verben: session-start | baseline | scan | review | commit | run-review. Liest die Claude-Code-Hook-Payload via --stdin; non-blocking, report-once, unabhängiger Reviewer-Spawn.' },
   { name: 'loop-metrics',            category: 'Utility',   description: 'Aggregate Nubosloop telemetry across all checkpoints (commits, stuck, route distribution)', description_de: 'Aggregiert Nubosloop-Telemetrie über alle Checkpoints (Commits, Stuck, Routing)' },
   { name: 'learning-log',            category: 'Execution', description: 'Persist a learning to the local store (or MCP adapter when configured)', description_de: 'Persistiert ein Learning im lokalen Store (oder MCP-Adapter falls konfiguriert)' },
   { name: 'learning-match',          category: 'Utility',   description: 'Query the learnings store for cached patterns matching a free-text query', description_de: 'Fragt den Learnings-Store nach Cached-Patterns ab' },

package/bin/np-tools/security.cjs

@@ -0,0 +1,177 @@
+'use strict';
+
+const fs = require('node:fs');
+const path = require('node:path');
+const child_process = require('node:child_process');
+
+const { tryReadConfigPath } = require('../../lib/config.cjs');
+const scan = require('../../lib/security/scan.cjs');
+const ledger = require('../../lib/security/ledger.cjs');
+const review = require('../../lib/security/review.cjs');
+const args = require('./_args.cjs');
+
+const COMMIT_RE = /\bgit\b[\s\S]*\b(commit|push)\b/;
+
+function _readStdin() {
+  return new Promise((resolve) => {
+    if (process.stdin.isTTY) return resolve('');
+    let buf = '';
+    process.stdin.setEncoding('utf-8');
+    const timer = setTimeout(() => { try { process.stdin.removeAllListeners(); } catch {} resolve(buf); }, 800);
+    process.stdin.on('data', (c) => { buf += c; });
+    process.stdin.on('end', () => { clearTimeout(timer); resolve(buf); });
+    process.stdin.on('error', () => { clearTimeout(timer); resolve(buf); });
+  });
+}
+
+function _safeParse(s) { try { return s ? JSON.parse(s) : {}; } catch { return {}; }}
+
+async function _payload(argv) {
+  const inline = args.getFlag(argv, '--payload', { allowDashValues: true });
+  if (inline !== undefined) return _safeParse(inline);
+  if (argv.includes('--stdin')) return _safeParse(await _readStdin());
+  return {};
+}
+
+function _cfg(cwd) {
+  return {
+    enabled: tryReadConfigPath(cwd, 'security.enabled', true) !== false,
+    scan_on_write: tryReadConfigPath(cwd, 'security.scan_on_write', true) !== false,
+    review_on_stop: tryReadConfigPath(cwd, 'security.review_on_stop', true) !== false,
+    review_on_commit: tryReadConfigPath(cwd, 'security.review_on_commit', true) !== false,
+    custom_rules_path: tryReadConfigPath(cwd, 'security.custom_rules_path', null),
+    guidance_path: tryReadConfigPath(cwd, 'security.guidance_path', null),
+    review_timeout_ms: Number(tryReadConfigPath(cwd, 'security.review_timeout_ms', 180000)) || 180000,
+    max_stop_reviews_in_a_row: Number(tryReadConfigPath(cwd, 'security.max_stop_reviews_in_a_row', 3)) || 3,
+    max_commit_reviews_per_hour: Number(tryReadConfigPath(cwd, 'security.max_commit_reviews_per_hour', 20)) || 20,
+    max_files_per_review: Number(tryReadConfigPath(cwd, 'security.max_files_per_review', 30)) || 30,
+  };
+}
+
+function _resolveRel(cwd, p) {
+  if (!p) return null;
+  return path.isAbsolute(p) ? p : path.join(cwd, p);
+}
+
+function _editedContent(toolInput) {
+  if (!toolInput || typeof toolInput !== 'object') return '';
+  if (typeof toolInput.content === 'string') return toolInput.content;
+  if (typeof toolInput.new_string === 'string') return toolInput.new_string;
+  if (typeof toolInput.new_source === 'string') return toolInput.new_source;
+  if (Array.isArray(toolInput.edits)) {
+    return toolInput.edits.map((e) => (e && typeof e.new_string === 'string' ? e.new_string : '')).join('\n');
+  }
+  return '';
+}
+
+function _editedPath(cwd, toolInput) {
+  if (!toolInput || typeof toolInput !== 'object') return '';
+  const raw = toolInput.file_path || toolInput.notebook_path || '';
+  if (!raw) return '';
+  return path.isAbsolute(raw) ? path.relative(cwd, raw) : raw;
+}
+
+function _spawnWorker(cwd, sid, mode) {
+  const npTools = path.join(__dirname, '..', '..', 'np-tools.cjs');
+  try {
+    const child = child_process.spawn(
+      process.execPath,
+      [npTools, 'security', 'run-review', '--session', sid, '--mode', mode],
+      { cwd, detached: true, stdio: 'ignore' },
+    );
+    child.unref();
+    return true;
+  } catch { return false; }
+}
+
+function _emit(stdout, obj) { stdout.write(JSON.stringify(obj)); }
+
+async function run(argv, ctx) {
+  const context = ctx || {};
+  const cwd = context.cwd || process.cwd();
+  const stdout = context.stdout || process.stdout;
+  const list = Array.isArray(argv) ? argv : [];
+  const verb = list[0];
+
+  const cfg = _cfg(cwd);
+  if (!cfg.enabled && verb !== 'run-review') return 0;
+
+  const payload = await _payload(list);
+  const sid = payload.session_id || args.getFlag(list, '--session') || '';
+
+  if (verb === 'session-start') {
+    if (sid) { try { ledger.initSession(sid); } catch {} }
+    return 0;
+  }
+
+  if (verb === 'baseline') {
+    if (sid) {
+      try { ledger.setBaseline(sid, { head: review.headSha(cwd) }); } catch {}
+    }
+    return 0;
+  }
+
+  if (verb === 'scan') {
+    if (!cfg.scan_on_write || !sid) return 0;
+    const filePath = _editedPath(cwd, payload.tool_input);
+    const content = _editedContent(payload.tool_input);
+    if (!filePath || !content) return 0;
+    let result;
+    try {
+      result = scan.scanContent({ filePath, content, customRulesPath: _resolveRel(cwd, cfg.custom_rules_path) });
+    } catch { return 0; }
+    let fresh;
+    try { fresh = ledger.markScanReported(sid, result.findings); } catch { fresh = result.findings; }
+    if (!fresh.length) return 0;
+    const lines = fresh.map((f) => '- [' + f.category + '] ' + path.basename(f.file) + ':' + f.line + ' — ' + f.reminder);
+    _emit(stdout, {
+      hookSpecificOutput: {
+        hookEventName: 'PostToolUse',
+        additionalContext: '[nubos-pilot security] potential issue(s) in just-written code:\n' + lines.join('\n')
+          + '\nConsider addressing before proceeding (non-blocking).',
+      },
+    });
+    return 0;
+  }
+
+  if (verb === 'review') {
+    if (!cfg.review_on_stop || !sid) return 0;
+    let harvest = { findings: [] };
+    try { harvest = ledger.takeUnsurfacedRisks(sid, { maxStreak: cfg.max_stop_reviews_in_a_row }); } catch {}
+    if (harvest.findings && harvest.findings.length) {
+      const lines = harvest.findings.map((f) => '- [' + (f.category || 'security') + '] '
+        + (f.file ? path.basename(String(f.file)) + (f.line ? ':' + f.line : '') + ' — ' : '')
+        + (f.title || 'security finding') + (f.mitigation_hint ? ' (' + f.mitigation_hint + ')' : ''));
+      _emit(stdout, {
+        decision: 'block',
+        reason: '[nubos-pilot security] An independent review of this turn\'s changes found '
+          + harvest.findings.length + ' security issue(s). Address them now as a follow-up, then continue:\n'
+          + lines.join('\n'),
+      });
+      return 0;
+    }
+    _spawnWorker(cwd, sid, 'stop');
+    return 0;
+  }
+
+  if (verb === 'commit') {
+    if (!cfg.review_on_commit || !sid) return 0;
+    const cmd = payload.tool_input && typeof payload.tool_input.command === 'string' ? payload.tool_input.command : '';
+    if (!cmd || !COMMIT_RE.test(cmd)) return 0;
+    let allowed = { allowed: false };
+    try { allowed = ledger.tryRecordCommitReview(sid, { maxPerHour: cfg.max_commit_reviews_per_hour }); } catch {}
+    if (allowed.allowed) _spawnWorker(cwd, sid, 'commit');
+    return 0;
+  }
+
+  if (verb === 'run-review') {
+    if (!cfg.enabled || !sid) return 0;
+    const mode = args.getFlag(list, '--mode') === 'commit' ? 'commit' : 'stop';
+    try { review.runReview({ cwd, sid, mode, config: { ...cfg, guidance_path: _resolveRel(cwd, cfg.guidance_path) } }); } catch {}
+    return 0;
+  }
+
+  return 0;
+}
+
+module.exports = { run, COMMIT_RE, _editedContent, _editedPath };

package/bin/np-tools/security.test.cjs

@@ -0,0 +1,82 @@
+'use strict';
+
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+const fs = require('node:fs');
+const os = require('node:os');
+const path = require('node:path');
+
+const security = require('./security.cjs');
+const ledger = require('../../lib/security/ledger.cjs');
+
+let _c = 0;
+function freshSid() { _c += 1; return 'cmd-sec-' + process.pid + '-' + _c; }
+function cleanup(sid) { ledger.removeLedger(sid); try { fs.unlinkSync(ledger.ledgerPath(sid) + '.lock'); } catch {} }
+
+function collector() {
+  const chunks = [];
+  return { stdout: { write: (s) => chunks.push(s) }, text: () => chunks.join('') };
+}
+
+async function runVerb(verb, payload, cwd, extra) {
+  const c = collector();
+  const argv = [verb, '--payload', JSON.stringify(payload), ...(extra || [])];
+  await security.run(argv, { cwd: cwd || process.cwd(), stdout: c.stdout });
+  return c.text();
+}
+
+test('SECCMD-1 scan emits additionalContext on first hit, silent on repeat (report-once)', async () => {
+  const sid = freshSid();
+  try {
+    const payload = { session_id: sid, tool_name: 'Write', tool_input: { file_path: 'x.js', content: 'const r = eval(q)' } };
+    const first = await runVerb('scan', payload);
+    const second = await runVerb('scan', payload);
+    assert.match(first, /hookSpecificOutput/);
+    assert.match(first, /nubos-pilot security/);
+    assert.equal(second, '');
+  } finally { cleanup(sid); }
+});
+
+test('SECCMD-2 review harvests unsurfaced risks and emits a non-blocking Stop block decision', async () => {
+  const sid = freshSid();
+  try {
+    ledger.addReviewFindings(sid, [{ file: 'a.js', line: 5, category: 'injection', severity: 'risk', title: 'SQLi', mitigation_hint: 'parameterize' }], 'stop');
+    const out = await runVerb('review', { session_id: sid });
+    const parsed = JSON.parse(out);
+    assert.equal(parsed.decision, 'block');
+    assert.match(parsed.reason, /nubos-pilot security/);
+    assert.match(parsed.reason, /SQLi/);
+  } finally { cleanup(sid); }
+});
+
+test('SECCMD-3 commit verb ignores non-git Bash commands', async () => {
+  const sid = freshSid();
+  try {
+    const out = await runVerb('commit', { session_id: sid, tool_name: 'Bash', tool_input: { command: 'ls -la' } });
+    assert.equal(out, '');
+    assert.equal(ledger.readLedger(sid).commit_review_times.length, 0);
+  } finally { cleanup(sid); }
+});
+
+test('SECCMD-4 master toggle off makes every hook verb a silent no-op', async () => {
+  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'np-sec-proj-'));
+  fs.mkdirSync(path.join(root, '.nubos-pilot'), { recursive: true });
+  fs.writeFileSync(path.join(root, '.nubos-pilot', 'config.json'), JSON.stringify({ security: { enabled: false } }));
+  const sid = freshSid();
+  try {
+    const scanOut = await runVerb('scan', { session_id: sid, tool_name: 'Write', tool_input: { file_path: 'x.js', content: 'eval(q)' } }, root);
+    ledger.addReviewFindings(sid, [{ file: 'a.js', line: 1, category: 'x', severity: 'risk', title: 't' }], 'stop');
+    const reviewOut = await runVerb('review', { session_id: sid }, root);
+    assert.equal(scanOut, '');
+    assert.equal(reviewOut, '');
+  } finally { cleanup(sid); fs.rmSync(root, { recursive: true, force: true }); }
+});
+
+test('SECCMD-5 session-start and baseline are safe no-throw no-ops without a repo', async () => {
+  const sid = freshSid();
+  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'np-sec-nr-'));
+  try {
+    assert.equal(await runVerb('session-start', { session_id: sid }, root), '');
+    assert.equal(await runVerb('baseline', { session_id: sid }, root), '');
+  } finally { cleanup(sid); fs.rmSync(root, { recursive: true, force: true }); }
+});

package/lib/config-defaults.cjs

@@ -41,6 +41,23 @@ const DEFAULT_SWARM = Object.freeze({
   knowledge_adapter: 'local',
 });
 
+const DEFAULT_SECURITY = Object.freeze({
+  enabled: true,
+  scan_on_write: true,
+  review_on_stop: true,
+  review_on_commit: true,
+  custom_rules_path: null,
+  guidance_path: null,
+  review_timeout_ms: 180000,
+  max_stop_reviews_in_a_row: 3,
+  max_commit_reviews_per_hour: 20,
+  max_files_per_review: 30,
+});
+
+const DEFAULT_CONFORMANCE = Object.freeze({
+  inject_criteria: true,
+});
+
 const DEFAULT_AUTO_LOG_LEARNING = true;
 
 const DEFAULT_SPAWN_HEADLESS = Object.freeze({
@@ -67,6 +84,8 @@ const DEFAULT_CONFIG_TREE = Object.freeze({
   loop: DEFAULT_LOOP,
   swarm: DEFAULT_SWARM,
   spawn: DEFAULT_SPAWN,
+  security: DEFAULT_SECURITY,
+  conformance: DEFAULT_CONFORMANCE,
   auto_log_learning: DEFAULT_AUTO_LOG_LEARNING,
 });
 
@@ -98,6 +117,8 @@ function buildInstallConfig(answers) {
         fallback_on_error: DEFAULT_SPAWN_HEADLESS.fallback_on_error,
       },
     },
+    security: { ...DEFAULT_SECURITY },
+    conformance: { ...DEFAULT_CONFORMANCE },
     auto_log_learning: DEFAULT_AUTO_LOG_LEARNING,
   };
 }
@@ -112,6 +133,8 @@ module.exports = {
   DEFAULT_SWARM_CRITIC,
   DEFAULT_SPAWN,
   DEFAULT_SPAWN_HEADLESS,
+  DEFAULT_SECURITY,
+  DEFAULT_CONFORMANCE,
   DEFAULT_AUTO_LOG_LEARNING,
   DEFAULT_MODEL_PROFILE,
   DEFAULT_SCOPE,

package/lib/config-defaults.test.cjs

@@ -69,3 +69,18 @@ test('CFD-7: end-to-end — user answers "true" via askUser → commit_artifacts
     try { fs.rmSync(root, { recursive: true, force: true }); } catch {}
   }
 });
+
+test('CFD-SEC-1: buildInstallConfig writes always-on security defaults', () => {
+  const cfg = buildInstallConfig({ runtime: 'claude' });
+  assert.equal(cfg.security.enabled, true);
+  assert.equal(cfg.security.scan_on_write, true);
+  assert.equal(cfg.security.review_on_stop, true);
+  assert.equal(cfg.security.review_on_commit, true);
+  assert.equal(cfg.security.custom_rules_path, null);
+  assert.equal(cfg.security.max_files_per_review, 30);
+});
+
+test('CFD-CONF-1: buildInstallConfig writes conformance.inject_criteria default', () => {
+  const cfg = buildInstallConfig({ runtime: 'claude' });
+  assert.equal(cfg.conformance.inject_criteria, true);
+});

package/lib/config-schema.cjs

@@ -67,6 +67,25 @@ const SCHEMA = Object.freeze({
       },
     },
   },
+  security: {
+    type: 'object', optional: true, shape: {
+      enabled:                    { type: 'boolean', optional: true },
+      scan_on_write:              { type: 'boolean', optional: true },
+      review_on_stop:             { type: 'boolean', optional: true },
+      review_on_commit:           { type: 'boolean', optional: true },
+      custom_rules_path:          { type: 'any', optional: true },  // string | null
+      guidance_path:              { type: 'any', optional: true },  // string | null
+      review_timeout_ms:          { type: 'number', optional: true },
+      max_stop_reviews_in_a_row:  { type: 'number', optional: true },
+      max_commit_reviews_per_hour:{ type: 'number', optional: true },
+      max_files_per_review:       { type: 'number', optional: true },
+    },
+  },
+  conformance: {
+    type: 'object', optional: true, shape: {
+      inject_criteria: { type: 'boolean', optional: true },
+    },
+  },
 });
 
 function _typeOf(v) {

package/lib/config-schema.test.cjs

@@ -146,3 +146,61 @@ test('SCHEMA-SYNC-1 every top-level key in DEFAULT_CONFIG_TREE has a SCHEMA entr
       'SCHEMA.' + key + ' is neither in DEFAULT_CONFIG_TREE nor SCHEMA_ONLY_KEYS — drift');
   }
 });
+
+test('SEC-CFG-1 valid security block produces zero warnings', () => {
+  const w = validateConfig({
+    security: {
+      enabled: true,
+      scan_on_write: true,
+      review_on_stop: false,
+      review_on_commit: true,
+      custom_rules_path: '.nubos-pilot/security-rules.json',
+      guidance_path: null,
+      review_timeout_ms: 120000,
+      max_stop_reviews_in_a_row: 3,
+      max_commit_reviews_per_hour: 20,
+      max_files_per_review: 30,
+    },
+  });
+  assert.deepEqual(w, []);
+});
+
+test('SEC-CFG-2 wrong type in security flags is flagged', () => {
+  const w = validateConfig({ security: { enabled: 'yes', max_files_per_review: 'lots' } });
+  assert.equal(w.length, 2);
+  assert.ok(w.every((x) => x.kind === 'invalid-type'));
+});
+
+test('SEC-CFG-3 unknown security sub-key is flagged', () => {
+  const w = validateConfig({ security: { scan_everywhere: true } });
+  assert.equal(w.length, 1);
+  assert.equal(w[0].kind, 'unknown-key');
+  assert.equal(w[0].path, 'security.scan_everywhere');
+});
+
+test('SEC-CFG-4 default security tree validates clean', () => {
+  const defaults = require('./config-defaults.cjs');
+  assert.deepEqual(validateConfig({ security: defaults.DEFAULT_SECURITY }), []);
+});
+
+test('CONF-CFG-1 valid conformance block produces zero warnings', () => {
+  assert.deepEqual(validateConfig({ conformance: { inject_criteria: true } }), []);
+});
+
+test('CONF-CFG-2 wrong type in conformance.inject_criteria is flagged', () => {
+  const w = validateConfig({ conformance: { inject_criteria: 'yes' } });
+  assert.equal(w.length, 1);
+  assert.equal(w[0].kind, 'invalid-type');
+  assert.equal(w[0].path, 'conformance.inject_criteria');
+});
+
+test('CONF-CFG-3 unknown conformance sub-key is flagged', () => {
+  const w = validateConfig({ conformance: { review_on_executor_stop: true } });
+  assert.equal(w.length, 1);
+  assert.equal(w[0].kind, 'unknown-key');
+});
+
+test('CONF-CFG-4 default conformance tree validates clean', () => {
+  const defaults = require('./config-defaults.cjs');
+  assert.deepEqual(validateConfig({ conformance: defaults.DEFAULT_CONFORMANCE }), []);
+});