opensquid 0.5.412 → 0.5.432

package/packs/builtin/coding-flow/skills/entry-and-handoffs/skill.yaml

@@ -89,6 +89,15 @@ rules:
         args:
           key: coding-flow-track
           value: trivial
+  # TR.B (wg-2d1d8698f563): deliver the coding-flow quality rubric to the agent BEFORE it authors — the
+  # fix for the blind-first-draft root cause. Placed AFTER enter-scoping so the cold kickoff turn's
+  # just-armed `scoping` is visible (rules walk file-order; handoff-rescope-nudge below relies on the same
+  # ordering). rubric_pre_inject reads the coding-flow FSM and, when in an active SCOPE/AUTHOR phase, returns
+  # an inject_context payload carrying the FULL rubric (scope + author — prompt_submit can't track mid-turn
+  # phase advances, so one injection must cover the whole uninterrupted turn). Inject-only; never blocks.
+  - id: inject-rubric
+    process:
+      - call: rubric_pre_inject
   # GF.1 (F9) — the re-scope NUDGE, surfaced on prompt_submit (where directives are
   # delivered) for the `scoping` state. Fires after `enter-scoping` advanced idle→scoping
   # (or after task-start's task_unscoped reset, or GF.7's phases_complete re-arm landed

package/packs/builtin/coding-flow/skills/execute-gate/skill.yaml

@@ -15,18 +15,25 @@ triggers:
 rules:
   - id: phase-logged-before-commit
     process:
-      - call: match_command
+      # T-GATE-MATCHER-SUBSTRING (GM.3, wg-52e57e2ed252): was a raw-string `match_command`
+      # regex `\bgit…commit\b` over the whole command — it false-fired on `git commit` inside a
+      # grep pattern, an echo arg, or a quoted subprocess prompt (`claude -p "…git commit…"`).
+      # `command_invokes` parses the command into real shell segments and matches only a genuine
+      # `git commit` INVOCATION (compounds like `cd x && git commit` still match; the owned git
+      # pre-commit hook stays the hard boundary). Recall-over-precision band-aid retired.
+      - call: command_invokes
         args:
-          # T-FLOW-UNSKIPPABLE FU.1 (the real root cause): this was `^git…commit`, anchored
-          # at START — so a COMPOUND command `cd <dir> && git commit …` (how every commit is
-          # actually made, since the Bash tool resets cwd) starts with `cd` and EVADED the
-          # gate entirely. The gate was dead for real commits. Match `git … commit` ANYWHERE
-          # (`\b`, like the sibling no-verify matcher) so compounds can't slip past. A false
-          # match on a string that merely mentions `git commit` is the safe direction (recall
-          # over precision, same as no-verify-block).
-          pattern: '\bgit\s+(?:-[cC]\s+\S+\s+)*commit\b'
-          target: tool_args.command
+          program: git
+          subcommand: commit
         as: committing
+      # T-commit-nudge-docsonly-parity (wg-3dcca3b29ed1): a docs-only commit the git-owned
+      # HARD gate ALLOWS (gate.ts isDocsOnly) must not be over-blocked by this in-session gate
+      # either — predicate parity, the SAME `staged_docs_only` primitive the default-discipline
+      # nudge uses. Reads the staged diff (fixed-argv git); fails toward `false` (= not docs-only
+      # = the gate still fires) on any error, so it can never falsely SUPPRESS a real code block.
+      - call: staged_docs_only
+        if: 'committing'
+        as: docs_only
       # T-FLOW-UNSKIPPABLE FU.1 (D1): the gates must COMPOSE. The "no active task ⇒
       # ad-hoc ⇒ allow" branch below was a SEAM — a blocked TaskCreate (AUTHOR gate)
       # leaves NO active task, so its code leaked out as an "ad-hoc" commit. Close it:
@@ -39,7 +46,7 @@ rules:
         if: 'committing'
         as: st
       - call: verdict
-        if: 'committing && (st == "scoping" || st == "researching" || st == "researched" || st == "spec_authored")'
+        if: 'committing && !docs_only && (st == "scoping" || st == "researching" || st == "researched" || st == "spec_authored")'
         args:
           level: block
           message: >-
@@ -54,7 +61,7 @@ rules:
         if: 'committing && active.present == true'
         as: phases
       - call: verdict
-        if: 'committing && active.present == true && phases.complete == false'
+        if: 'committing && active.present == true && phases.complete == false && !docs_only'
         args:
           level: block
           message: >-

package/packs/builtin/coding-flow/skills/scope-lifecycle/skill.yaml

@@ -43,7 +43,9 @@ rules:
   #    checks run BEFORE the advance, and research_done is COUPLED to them — no
   #    advisory pass. The advance fires ONLY when SCOPE content is complete:
   #    GUESS_FREE (every claim cited-or-flagged + the BEST/simplest solution justified)
-  #    AND zero unresolved OPEN QUESTION markers AND research depth >= 3 this turn.
+  #    AND zero unresolved open-question markers (an unchecked `- [ ] OPEN QUESTION:` task-list
+  #    item — GM.3 made this a STRUCTURED marker so prose that merely mentions the phrase no
+  #    longer false-blocks) AND research depth >= 3 this turn.
   - id: scope-advance
     process:
       - call: tool_name
@@ -94,8 +96,23 @@ rules:
       # latency (268s worst observed under subscription contention, 2026-06-10)
       # and 20s under the 360s outer hook cap the setup wizard writes — the
       # inner timer must die first so the gate fails with a readable error.
-      - call: cached_audit
+      # TR.A (wg-2d1d8698f563): the rubric is single-sourced to docs/rubric/scope.md and interpolated as
+      # {{rubric}} below — NOT hardcoded here. read_rubric returns null on a missing/unreadable fragment.
+      - call: read_rubric
         if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/research/") && contains(targs.file_path, "-pre-research-")'
+        args: { name: scope }
+        as: rubric
+      # FAIL-LOUD: never run the audit rubric-less (a rubric-less verdict would be a silent fallback worse
+      # than fail-open). docs/rubric/scope.md MUST ship (package.json files[]).
+      - call: verdict
+        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/research/") && contains(targs.file_path, "-pre-research-") && rubric == null'
+        args:
+          level: block
+          message: >-
+            SCOPE audit cannot run: the canonical rubric (docs/rubric/scope.md) is unreadable — a
+            packaging/install fault, NOT a content failure. Verify the opensquid package ships docs/rubric/.
+      - call: cached_audit
+        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/research/") && contains(targs.file_path, "-pre-research-") && rubric != null'
         on_error: continue
         args:
           cache_key: coding-flow-guess-audit-cache
@@ -103,16 +120,8 @@ rules:
           timeout_ms: 340000
           prompt: >-
             You are an adversarial reviewer enforcing the lexicon's Research/Audit flow
-            principles (docs/lexicon.md — never-guess, best-solution, full-fix-over-patch, teach-back depth) on a
-            pre-research / scope artifact. (1) NEVER-GUESS: a claim is acceptable ONLY if DERIVED from cited
-            evidence (a file:line, a memory, or the user's own words) OR explicitly flagged
-            as an OPEN QUESTION to ask the user. (2) BEST-SOLUTION: the artifact must show
-            the best solution was found — alternatives weighed against the criteria and the
-            SIMPLEST correct one chosen per docs/lexicon.md (no proliferating special-cases).
-            (3) FULL-FIX: the chosen solution must be the FULL fix — when the existing shape
-            is the cause, it is re-architected, NOT a local patch that bolts on a special-case
-            to dodge the rework (that patch is itself the proliferating-special-case
-            overcomplication the Full-fix-over-patch guideline forbids).
+            principles on a pre-research / scope artifact. Apply EXACTLY this rubric (the single
+            canonical source, docs/rubric/scope.md):\n\n{{rubric}}\n\n
             Begin your response with EXACTLY one line — `VERDICT: GUESS_FREE` ONLY if every
             claim is cited-or-flagged-open AND the simplest-correct solution is justified
             against alternatives AND is a full fix, not a patch around a design that should be
@@ -124,18 +133,20 @@ rules:
       #    audit-string trichotomy below is a clean partition over its own subspace.
       # BLOCK: unresolved open questions — answer them in SCOPE (this is the interactive phase).
       - call: verdict
-        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/research/") && contains(targs.file_path, "-pre-research-") && contains(effective, "OPEN QUESTION")'
+        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/research/") && contains(targs.file_path, "-pre-research-") && match(effective, "(?im)^\\s*-\\s*\\[ \\]\\s*open[ _-]?question")'
         args:
           level: block
           message: >-
-            SCOPE incomplete: the pre-research still has unresolved OPEN QUESTION(s).
-            SCOPE is the interactive phase — ASK the user (AskUserQuestion), record + cite
-            the answer, and remove the marker BEFORE authoring. Everything after scope is
-            automated; a question must not survive into it.
+            SCOPE incomplete: the pre-research still has an unresolved open-question marker
+            (an unchecked `- [ ] OPEN QUESTION: …` task-list item). SCOPE is the interactive
+            phase — ASK the user (AskUserQuestion), record + cite the answer, then CHECK THE BOX
+            (`- [x]`) or remove the item BEFORE authoring. Everything after scope is automated;
+            a question must not survive into it. (Merely MENTIONING the phrase in prose is fine —
+            only an unchecked checkbox marker blocks.)
       # BLOCK: shallow research (folded DPC.5 depth). Ordered after open-question; its
-      # !OPEN QUESTION guard keeps the two preconditions mutually exclusive.
+      # !match(OQ-marker) guard keeps the two preconditions mutually exclusive.
       - call: verdict
-        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/research/") && contains(targs.file_path, "-pre-research-") && !contains(effective, "OPEN QUESTION") && depth.count < 3'
+        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/research/") && contains(targs.file_path, "-pre-research-") && !match(effective, "(?im)^\\s*-\\s*\\[ \\]\\s*open[ _-]?question") && depth.count < 3'
         args:
           level: block
           message: >-
@@ -145,17 +156,17 @@ rules:
       #    {GUESS_FREE, UNRESOLVED, no-VERDICT} is a total partition of the audit string.
       # PASS → advance.
       - call: advance_fsm
-        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/research/") && contains(targs.file_path, "-pre-research-") && depth.count >= 3 && !contains(effective, "OPEN QUESTION") && contains(audit, "VERDICT: GUESS_FREE")'
+        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/research/") && contains(targs.file_path, "-pre-research-") && depth.count >= 3 && !match(effective, "(?im)^\\s*-\\s*\\[ \\]\\s*open[ _-]?question") && contains(audit, "VERDICT: GUESS_FREE")'
         args:
           event: research_done
       # CONTENT-FAIL → loop-back + warn (keyed POSITIVELY on UNRESOLVED, not !GUESS_FREE — so an
       # audit that could not run no longer masquerades as "guesses found").
       - call: advance_fsm
-        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/research/") && contains(targs.file_path, "-pre-research-") && depth.count >= 3 && !contains(effective, "OPEN QUESTION") && contains(audit, "VERDICT: UNRESOLVED")'
+        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/research/") && contains(targs.file_path, "-pre-research-") && depth.count >= 3 && !match(effective, "(?im)^\\s*-\\s*\\[ \\]\\s*open[ _-]?question") && contains(audit, "VERDICT: UNRESOLVED")'
         args:
           event: guess_found
       - call: verdict
-        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/research/") && contains(targs.file_path, "-pre-research-") && depth.count >= 3 && !contains(effective, "OPEN QUESTION") && contains(audit, "VERDICT: UNRESOLVED")'
+        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/research/") && contains(targs.file_path, "-pre-research-") && depth.count >= 3 && !match(effective, "(?im)^\\s*-\\s*\\[ \\]\\s*open[ _-]?question") && contains(audit, "VERDICT: UNRESOLVED")'
         args:
           level: warn
           message: >-
@@ -166,7 +177,7 @@ rules:
       # AUDIT-UNAVAILABLE → terminal BLOCK, NO advance (stays scoping, re-armable). F0c fix:
       # the audit subagent could not spawn (a no-VERDICT response, incl. the bound err message).
       - call: verdict
-        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/research/") && contains(targs.file_path, "-pre-research-") && depth.count >= 3 && !contains(effective, "OPEN QUESTION") && !contains(audit, "VERDICT:")'
+        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/research/") && contains(targs.file_path, "-pre-research-") && depth.count >= 3 && !match(effective, "(?im)^\\s*-\\s*\\[ \\]\\s*open[ _-]?question") && rubric != null && !contains(audit, "VERDICT:")'
         args:
           level: block
           message: >-
@@ -214,25 +225,29 @@ rules:
       # SCOPE audit — a re-fire on an UNCHANGED spec reuses the verdict, no spawn.
       # timeout_ms (T-AUDIT-SPAWN-FIX): 340s, same measured sizing as the SCOPE
       # audit above (268s worst observed; 20s under the 360s outer hook cap).
-      - call: cached_audit
+      # TR.A (wg-2d1d8698f563): the AUTHOR rubric is single-sourced to docs/rubric/author.md,
+      # interpolated as {{rubric}} below — NOT hardcoded. Fail-loud on a missing fragment (below).
+      - call: read_rubric
         if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/tasks/T-") && endsWith(targs.file_path, ".md")'
+        args: { name: author }
+        as: rubric
+      - call: verdict
+        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/tasks/T-") && endsWith(targs.file_path, ".md") && rubric == null'
+        args:
+          level: block
+          message: >-
+            AUTHOR audit cannot run: the canonical rubric (docs/rubric/author.md) is unreadable — a
+            packaging/install fault, NOT a content failure. Verify the opensquid package ships docs/rubric/.
+      - call: cached_audit
+        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/tasks/T-") && endsWith(targs.file_path, ".md") && rubric != null'
         on_error: continue
         args:
           cache_key: coding-flow-spec-audit-cache
           model: reasoning
           timeout_ms: 340000
           prompt: >-
-            You are an adversarial reviewer enforcing THREE author-completeness rules.
-            (1) 11-FIELD CONTRACT: EVERY "### Task" block has all 11 fields (Required
-            skills, Deliverable, Depends on, Files affected, Key code shapes, Test
-            fixtures, Acceptance criteria, Risk callouts, References, Verification
-            commands, 7-phase steps), every Key-code-shapes block is REAL code (not
-            pseudocode), every 7-phase step names concrete files/decisions. (2) 100%
-            DESIGN COVERAGE: the task set covers EVERY element of the SCOPE design below —
-            no design item is left without a task. (3) SIMPLICITY (per docs/lexicon.md):
-            the design is the SIMPLEST correct solution — no proliferating special-cases
-            (that signals a missed decomposition), every lifecycle an explicit
-            total-transition FSM, every transform a pure function, no implicit state.
+            You are an adversarial reviewer enforcing THREE author-completeness rules. Apply EXACTLY
+            this rubric (the single canonical source, docs/rubric/author.md):\n\n{{rubric}}\n\n
             Begin your response with EXACTLY one line — `VERDICT: SPEC_COMPLETE` ONLY if
             ALL THREE hold; otherwise `VERDICT: INCOMPLETE` + one bullet per offending
             block, uncovered design element, OR over-complected smell. Never say
@@ -260,7 +275,7 @@ rules:
             Audit:\n\n{{spec_audit}}
       # AUDIT-UNAVAILABLE → BLOCK, no advance (stays spec_authored, re-armable). F0c fix.
       - call: verdict
-        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/tasks/T-") && endsWith(targs.file_path, ".md") && !contains(spec_audit, "VERDICT:")'
+        if: '(tool == "Write" || tool == "Edit") && contains(targs.file_path, "docs/tasks/T-") && endsWith(targs.file_path, ".md") && rubric != null && !contains(spec_audit, "VERDICT:")'
         args:
           level: block
           message: >-
@@ -303,25 +318,27 @@ rules:
             code commit/push that has not completed the flow.)
   # ── verify-skip detector: the ONE closed opt-out token (GF.3) ────────────────
   # The git gate (GF.2) is bypassable only by passing the verify-skipping flag to `git
-  # commit/push` (or `git commit -n`) — a single explicit opt-out (not a denylist over an
-  # open set), so it is a hard BLOCK. `git push -n` is --dry-run, NOT a verify-skip, so -n
-  # is matched for `commit` only. KNOWN LIMITATION (matching a shell string is imperfect):
-  # the flag literal appearing inside a `-m "…"` commit MESSAGE also matches → over-block.
-  # That direction is INTENTIONAL and safe for a bypass-detector: a false positive (an
-  # annoying block on a message that mentions the flag) beats a false negative (letting a
-  # real bypass through). Do NOT "fix" this by anchoring to flag position — that
-  # reintroduces a false negative on `git commit -m msg <flag>`.
+  # commit/push` — a single explicit opt-out (not a denylist over an open set), so it is a
+  # hard BLOCK. `git push -n` is --dry-run, NOT a verify-skip, so `-n` is matched for `commit`
+  # ONLY (git-commit(1) `-n,--no-verify`; git-push(1) `-n,--dry-run`).
+  # T-GATE-MATCHER-SUBSTRING (GM.3, wg-52e57e2ed252): was a raw-string `match_command` that
+  # false-fired on a read-only `grep -n "…git commit…"` (the prose `git commit` + grep's `-n`).
+  # `command_invokes` parses real shell segments and detects the flag only WITHIN a genuine git
+  # invocation — so a real `git commit --no-verify`/`-n` still blocks (recall preserved within the
+  # invocation), but prose/grep/echo no longer trip it. The old "over-block is intentional"
+  # band-aid is retired: blocking read-only work gave zero bypass-protection value.
   - id: no-verify-block
     process:
       - call: tool_name
         as: tool
-      - call: match_command
-        args:
-          pattern: '(?:\bgit\s+commit\b.*(?:--no-verify|\s-n\b))|(?:\bgit\s+push\b.*--no-verify)'
-          target: tool_args.command
-        as: skipping
+      - call: command_invokes
+        args: { program: git, subcommand: commit, flag_any: ['--no-verify', '-n'] }
+        as: skip_commit
+      - call: command_invokes
+        args: { program: git, subcommand: push, flag_any: ['--no-verify'] }
+        as: skip_push
       - call: verdict
-        if: '(tool == "Bash") && skipping'
+        if: '(tool == "Bash") && (skip_commit || skip_push)'
         args:
           level: block
           message: >-

package/packs/builtin/default-discipline/manifest.yaml

@@ -34,13 +34,16 @@ evolves: true
 # command-boundary prefixes survive).
 guards:
   # git hygiene (block_tool)
+  # T-GATE-MATCHER-SUBSTRING (GM.3, wg-52e57e2ed252): structural — matches a real
+  # `git commit --amend` invocation, not the substring inside a grep/echo/prompt.
   - name: never-amend
     on: tool_call
     detect:
-      call: match_command
+      call: command_invokes
       args:
-        pattern: '(?:^|[;&|\n(])\s*git\s+(?:-[cC]\s+\S+\s+)*commit\b[^\n]*\s--amend\b'
-        target: tool_args.command
+        program: git
+        subcommand: commit
+        flag_any: ['--amend']
     when: hit
     level: block
     message: >-

package/packs/builtin/default-discipline/skills/workflow/skill.yaml

@@ -34,10 +34,14 @@ rules:
 
   - id: phase-logged-before-commit
     process:
-      - call: match_command
+      # T-GATE-MATCHER-SUBSTRING (GM.3, wg-52e57e2ed252): was a raw-string regex over the whole
+      # command (boundary-anchored, but still matched `; git commit` inside a quoted echo/prompt).
+      # `command_invokes` parses real shell segments → matches only a genuine `git commit`
+      # invocation (compounds like `cd … && git commit` still match).
+      - call: command_invokes
         args:
-          pattern: '(?:^|[;&|\n(])\s*git\s+(?:-[cC]\s+\S+\s+)*commit\b' # FU.14: command-boundary (start or after ; && || | newline ( ) — catches `cd … && git commit`
-          target: tool_args.command
+          program: git
+          subcommand: commit
         as: committing
       - call: read_state
         if: committing

package/packs/builtin/pack-architect/SKILL.md

@@ -35,6 +35,16 @@ but the chain-handoff stalls.
 | `skill-yaml-author-walkthrough` | PreToolUse Edit/Write of `packs/*/skills/*/skill.yaml`                              | Surface verdict with skill-field checklist (cites pack-runtime.md §2 + skill-grammar-guide.md)  |
 | `fsm-author-walkthrough`        | PreToolUse Edit/Write of `packs/*/fsm.yaml`                                         | Surface verdict with FSM checklist (cites pack-fsm-architecture.md; coding-flow example)        |
 
+### Discipline: gates teach their rubric (TR.C, wg-2d1d8698f563)
+
+A gate is not just a blocker — it must TEACH its bar. If a skill emits a block/audit verdict with a content
+rubric (like coding-flow's guess/spec audits), it must ship a companion that DELIVERS that rubric to the
+agent BEFORE the gated action, sourced from the gate's single canonical rubric (e.g. `read_rubric` →
+`inject_context` at `prompt_submit`). Otherwise the agent authors content-blind and learns the bar only by
+tripping the gate. Light block/warn gates (no heavy content rubric) teach via a remedy-naming message
+instead. The `skill-yaml-author-walkthrough` checklist enforces this; the coding-flow pairing is the
+reference implementation.
+
 ## The 4-phase pack-authoring workflow (when spawned as profession)
 
 1. **Identify scope + persona** — kind/usage decisions, detected_by

package/packs/builtin/pack-architect/skills/skill-yaml-author-walkthrough/skill.yaml

@@ -45,6 +45,13 @@ rules:
                   functions per skill-grammar-guide.md
               [ ] Final step emits a verdict
                   (pass / block / warn / surface / directive)
+              [ ] GATES TEACH (TR.C, wg-2d1d8698f563): if a rule emits a
+                  block/audit verdict (a GATE with a content rubric), ship a
+                  companion that DELIVERS that gate's rubric to the agent BEFORE
+                  the gated action, sourced from the gate's canonical rubric
+                  (e.g. read_rubric → inject_context at prompt_submit). A gate
+                  teaches its bar; it does not only block. (Light block/warn
+                  gates teach via a remedy-naming message instead.)
               [ ] For directive verdict: next_action is skill XOR tool
                   XOR profession (exactly one)
               [ ] No vendor model names anywhere (use model_alias)

package/packs/builtin/scope-architect/team.yaml

@@ -61,5 +61,8 @@ roles:
           weighed against the criteria with the SIMPLEST-correct chosen;
           failure-modes / inversion; an empirical-spike note; a scope boundary;
           and EVERY claim cited (file:line / memory / the user's words) or
-          flagged OPEN QUESTION — and an OPEN QUESTION must be resolved with the
-          user IN SCOPE before the write, never carried into the artifact.
+          flagged as an unchecked `- [ ] OPEN QUESTION: …` task-list marker — and
+          such a marker must be resolved with the user IN SCOPE before the write
+          (check the box `- [x]` once answered), never carried unresolved into the
+          artifact. (Merely discussing an open question in prose is fine; only an
+          unchecked checkbox marker blocks the advance.)