principles-disciple 1.7.4 → 1.7.6

package/dist/hooks/gate.js

@@ -1,111 +1,38 @@
+/**
+ * Security Gate Hook - Orchestration Layer
+ *
+ * HOOK CHAIN PRIORITY (short-circuits on first block):
+ *
+ * 1. Early Return: Skip if not write/bash/agent tool or no workspace
+ * 2. Thinking OS Checkpoint (P-10): Deep reflection enforcement
+ * 3. GFI Gate: Fatigue index-based blocking
+ * 4. Bash Mutation Detection: Heuristic for bash file modifications
+ * 5. Progressive Trust Gate: Stage 1-4 access control
+ * 6. Edit Verification (P-03): Exact/fuzzy match for edit operations
+ *
+ * IMPORTANT: This is the SINGLE AUTHORITATIVE orchestration path.
+ * All policy modules (gfi-gate, progressive-trust-gate) use the shared
+ * `recordGateBlockAndReturn` helper to ensure consistent block persistence.
+ *
+ * Zero-width character detection is handled in bash-risk.ts.
+ */
 import * as fs from 'fs';
-import * as path from 'path';
 import { isRisky, normalizePath, planStatus as getPlanStatus } from '../utils/io.js';
-import { matchesAnyPattern } from '../utils/glob-match.js';
 import { normalizeProfile } from '../core/profile.js';
-import { trackBlock, hasRecentThinking, getSession } from '../core/session-tracker.js';
-import { assessRiskLevel, estimateLineChanges, getTargetFileLineCount, calculatePercentageThreshold } from '../core/risk-calculator.js';
+import { estimateLineChanges } from '../core/risk-calculator.js';
 import { WorkspaceContext } from '../core/workspace-context.js';
-import { checkEvolutionGate } from '../core/evolution-engine.js';
-import { EventLogService } from '../core/event-log.js';
-import { AGENT_TOOLS, BASH_TOOLS_SET, HIGH_RISK_TOOLS, LOW_RISK_WRITE_TOOLS, WRITE_TOOLS, } from '../constants/tools.js';
-const TRAJECTORY_GATE_BLOCK_RETRY_DELAY_MS = 250;
-const TRAJECTORY_GATE_BLOCK_MAX_RETRIES = 3;
-// ═══ GFI Gate Tool Tiers ═══
-// TIER 0: 只读工具 - 永不拦截
-// TIER 1: 低风险修改 - GFI >= low_risk_block 时拦截
-// 注意：pd_run_worker、sessions_spawn、task 是 Agent 派生工具，不应被 GFI Gate 拦截
-// 它们属于 AGENT_TOOLS，在早期过滤后直接放行
-// TIER 2: 高风险操作 - GFI >= high_risk_block 时拦截
-// TIER 3: Bash 命令 - 根据内容判断
-/**
- * 分析 Bash 命令风险等级
- */
-function analyzeBashCommand(command, safePatterns, dangerousPatterns, logger) {
-    let normalizedCmd = command.trim().toLowerCase();
-    // P2 fix: Unicode de-obfuscation — convert Cyrillic/Unicode lookalikes to ASCII equivalents
-    // Common Cyrillic lookalikes that could bypass detection: аеорсух (Cyrillic) → aeopcyx (Latin)
-    const CYRILLIC_TO_LATIN = {
-        'а': 'a', 'е': 'e', 'о': 'o', 'р': 'p', 'с': 'c', 'у': 'y', 'х': 'x',
-        'А': 'a', 'Е': 'e', 'О': 'o', 'Р': 'p', 'С': 'c', 'У': 'y', 'Х': 'x',
-        // Additional confusable chars
-        'і': 'i', 'ј': 'j', 'ѕ': 's', 'ԁ': 'd', 'ɡ': 'g', 'һ': 'h', 'ⅰ': 'i',
-        'ƚ': 'l', 'м': 'm', 'п': 'n', 'ѵ': 'v', 'ѡ': 'w', 'ᴦ': 'r', 'ꜱ': 's',
-    };
-    normalizedCmd = normalizedCmd.replace(/[а-яА-Яіјѕԁɡһⅰƚмпеꜱѵѡᴦꜱ]/g, m => CYRILLIC_TO_LATIN[m] ?? m);
-    // P2 fix: Tokenize command chain before pattern matching to catch `cmd1 && cmd2` bypasses
-    // Only split on statement separators (; && ||), NOT on pipe (|) which is part of the command
-    const tokens = normalizedCmd
-        .split(/\s*(?:;|&&|\|\|)\s*/)
-        .map(t => t.trim())
-        .filter(t => t.length > 0);
-    // If no tokens (e.g., pure pipe-only), use the original
-    const segments = tokens.length > 0 ? tokens : [normalizedCmd];
-    // P2 fix: Also strip outer $() and backticks from each segment
-    const cleanSegments = segments.map(seg => {
-        let s = seg;
-        // Strip leading $() or ${} or backtick-wrapped commands
-        s = s.replace(/^\$\([^)]+\)$/, '').replace(/^\$\{[^}]+\}$/, '').replace(/^`([^`]+)`$/, '$1');
-        return s.trim();
-    }).filter(s => s.length > 0);
-    // 1. Check dangerous patterns against each segment
-    for (const seg of cleanSegments) {
-        for (const pattern of dangerousPatterns) {
-            try {
-                if (new RegExp(pattern, 'i').test(seg)) {
-                    return 'dangerous';
-                }
-            }
-            catch (error) {
-                logger?.warn?.(`[PD_GATE] Invalid dangerous bash regex "${pattern}": ${String(error)}. Failing closed.`);
-                return 'dangerous';
-                // Fail-closed: 无效的危险模式正则视为匹配危险命令
-            }
-        }
-    }
-    // 2. Check safe patterns (only if ALL segments are safe)
-    for (const seg of cleanSegments) {
-        let isSafe = false;
-        for (const pattern of safePatterns) {
-            try {
-                if (new RegExp(pattern, 'i').test(seg)) {
-                    isSafe = true;
-                    break;
-                }
-            }
-            catch (error) {
-                logger?.warn?.(`[PD_GATE] Invalid safe bash regex "${pattern}": ${String(error)}. Ignoring safe override.`);
-            }
-        }
-        if (!isSafe) {
-            // Not all segments are safe → treat as normal
-            return 'normal';
-        }
-    }
-    // All segments are safe
-    return 'safe';
-}
-/**
- * 计算动态 GFI 阈值
- */
-function calculateDynamicThreshold(baseThreshold, trustStage, lineChanges, config) {
-    // 1. Trust Stage 乘数
-    const stageMultiplier = config.trust_stage_multipliers[trustStage.toString()] || 1.0;
-    let threshold = baseThreshold * stageMultiplier;
-    // 2. 大规模修改降低阈值
-    if (lineChanges > config.large_change_lines) {
-        const ratio = Math.min(lineChanges / 200, 0.5); // 最多降低 50%
-        threshold = threshold * (1 - ratio);
-    }
-    return Math.round(Math.max(threshold, 0));
-}
+import { checkThinkingCheckpoint } from './thinking-checkpoint.js';
+import { handleEditVerification } from './edit-verification.js';
+import { checkGfiGate } from './gfi-gate.js';
+import { checkProgressiveTrustGate } from './progressive-trust-gate.js';
+import { recordGateBlockAndReturn } from './gate-block-helper.js';
+import { AGENT_TOOLS, BASH_TOOLS_SET, WRITE_TOOLS, } from '../constants/tools.js';
 export function handleBeforeToolCall(event, ctx) {
     const logger = ctx.logger || console;
     // 1. Identify tool type
     const isBash = BASH_TOOLS_SET.has(event.toolName);
     const isWriteTool = WRITE_TOOLS.has(event.toolName);
     const isAgentTool = AGENT_TOOLS.has(event.toolName);
-    // Profile loaded first for config-driven behavior (see below)
     if (!ctx.workspaceDir || (!isWriteTool && !isBash && !isAgentTool)) {
         return;
     }
@@ -134,7 +61,7 @@ export function handleBeforeToolCall(event, ctx) {
         thinking_checkpoint: {
             enabled: false, // Default OFF
             window_ms: 5 * 60 * 1000,
-            high_risk_tools: ['run_shell_command', 'delete_file', 'move_file', 'pd_run_worker'],
+            high_risk_tools: ['run_shell_command', 'delete_file', 'move_file'],
         }
     };
     if (fs.existsSync(profilePath)) {
@@ -146,171 +73,23 @@ export function handleBeforeToolCall(event, ctx) {
             logger?.error?.(`[PD_GATE] Failed to parse PROFILE.json: ${String(e)}`);
         }
     }
-    // ═══ THINKING OS CHECKPOINT (P-10) — Config-gated ═══
+    // ─────────────────────────────────────────────────────────────────────────────
+    // POLICY STEP 1: Thinking OS Checkpoint (P-10)
+    // ─────────────────────────────────────────────────────────────────────────────
     // Only enforced when thinking_checkpoint.enabled = true in PROFILE.json
-    const isHighRisk = profile.thinking_checkpoint?.high_risk_tools?.includes(event.toolName) ?? false;
-    if (profile.thinking_checkpoint?.enabled && isHighRisk && ctx.sessionId) {
-        const windowMs = profile.thinking_checkpoint.window_ms ?? 5 * 60 * 1000;
-        const hasThinking = hasRecentThinking(ctx.sessionId, windowMs);
-        if (!hasThinking) {
-            logger?.info?.(`[PD:THINKING_GATE] High-risk tool "${event.toolName}" called without recent deep thinking`);
-            return {
-                block: true,
-                blockReason: `[Thinking OS Checkpoint] 高风险操作 "${event.toolName}" 需要先进行深度思考。\n\n请先使用 deep_reflect 工具分析当前情况，然后再尝试此操作。\n\n这是强制性检查点，目的是确保决策质量。\n\n提示：调用 deep_reflect 后，${Math.round(windowMs / 60000)}分钟内的操作将自动放行。\n\n可在PROFILE.json中设置 thinking_checkpoint.enabled: false 来禁用此检查。`,
-            };
-        }
+    const thinkingResult = checkThinkingCheckpoint(event, profile.thinking_checkpoint || {}, ctx.sessionId, logger);
+    if (thinkingResult) {
+        return thinkingResult;
     }
-    // ═══ GFI GATE - Hard Intercept ═══
+    // ─────────────────────────────────────────────────────────────────────────────
+    // POLICY STEP 2: GFI Gate - Hard Intercept
+    // ─────────────────────────────────────────────────────────────────────────────
     // 根据 GFI (疲劳指数) 精细化拦截工具调用
     // 注意：TIER 0 (只读工具) 已在早期过滤中放行，此处不检查
     const gfiGateConfig = wctx.config.get('gfi_gate');
-    if (gfiGateConfig?.enabled !== false && ctx.sessionId) {
-        const session = getSession(ctx.sessionId);
-        const currentGfi = session?.currentGfi || 0;
-        // TIER 3: Bash 命令 - 根据内容判断
-        if (BASH_TOOLS_SET.has(event.toolName)) {
-            const command = String(event.params.command || event.params.args || '');
-            const bashRisk = analyzeBashCommand(command, gfiGateConfig?.bash_safe_patterns || [], gfiGateConfig?.bash_dangerous_patterns || [], logger);
-            if (bashRisk === 'dangerous') {
-                // 危险命令 - 直接拦截
-                logger?.warn?.(`[PD:GFI_GATE] Dangerous bash command blocked: ${command.substring(0, 50)}...`);
-                return {
-                    block: true,
-                    blockReason: `[GFI Gate] 危险命令被拦截。
-
-命令: ${command.substring(0, 100)}${command.length > 100 ? '...' : ''}
-
-原因: 检测到危险命令模式，需要确认执行意图。
-
-解决方案:
-1. 如果确实需要执行，请确认操作意图后重试
-2. 使用更安全的方式（如手动操作）
-3. 咨询用户确认是否继续
-
-注意: 危险命令需要更严格的审批流程。`,
-                };
-            }
-            // safe 命令 - 放行
-            else if (bashRisk === 'safe') {
-                // 继续执行
-            }
-            // normal 命令 - 按 GFI 阈值判断
-            else {
-                const trustEngine = wctx.trust;
-                const stage = trustEngine.getStage();
-                const baseThreshold = gfiGateConfig?.thresholds?.low_risk_block || 70;
-                const dynamicThreshold = calculateDynamicThreshold(baseThreshold, stage, 0, // bash 命令没有行数概念
-                {
-                    large_change_lines: gfiGateConfig?.large_change_lines || 50,
-                    trust_stage_multipliers: gfiGateConfig?.trust_stage_multipliers || { '1': 0.5, '2': 0.75, '3': 1.0, '4': 1.5 },
-                });
-                if (currentGfi >= dynamicThreshold) {
-                    logger?.warn?.(`[PD:GFI_GATE] Bash blocked by GFI: ${currentGfi} >= ${dynamicThreshold}`);
-                    return {
-                        block: true,
-                        blockReason: `[GFI Gate] 疲劳指数过高，操作被拦截。
-
-命令: ${command.substring(0, 100)}${command.length > 100 ? '...' : ''}
-GFI: ${currentGfi}/100
-动态阈值: ${dynamicThreshold} (Stage ${stage})
-
-原因: 当前疲劳指数超过阈值，系统进入保护模式。
-
-解决方案:
-1. 执行 /pd-status reset 清零疲劳值
-2. 检查是否存在理解偏差或死循环
-3. 等待问题自然解决后再尝试
-
-注意: 这是系统级硬性拦截，AI 无法绕过。`,
-                    };
-                }
-            }
-        }
-        // TIER 2: 高风险操作 - GFI >= high_risk_block 时拦截
-        else if (HIGH_RISK_TOOLS.has(event.toolName)) {
-            const trustEngine = wctx.trust;
-            const stage = trustEngine.getStage();
-            const baseThreshold = gfiGateConfig?.thresholds?.high_risk_block || 40;
-            const dynamicThreshold = calculateDynamicThreshold(baseThreshold, stage, 0, {
-                large_change_lines: gfiGateConfig?.large_change_lines || 50,
-                trust_stage_multipliers: gfiGateConfig?.trust_stage_multipliers || { '1': 0.5, '2': 0.75, '3': 1.0, '4': 1.5 },
-            });
-            if (currentGfi >= dynamicThreshold) {
-                const filePath = event.params.file_path || event.params.path || event.params.file || event.params.target || 'unknown';
-                logger?.warn?.(`[PD:GFI_GATE] High-risk tool "${event.toolName}" blocked by GFI: ${currentGfi} >= ${dynamicThreshold}`);
-                return {
-                    block: true,
-                    blockReason: `[GFI Gate] 高风险操作被拦截。
-
-工具: ${event.toolName}
-文件: ${filePath}
-GFI: ${currentGfi}/100
-动态阈值: ${dynamicThreshold} (Stage ${stage})
-
-原因: 高风险工具需要更低的 GFI 阈值才能执行。
-
-解决方案:
-1. 执行 /pd-status reset 清零疲劳值
-2. 检查是否存在理解偏差或死循环
-3. 等待 GFI 自然衰减后重试
-
-注意: 这是系统级硬性拦截，AI 无法绕过。`,
-                };
-            }
-        }
-        // TIER 1: 低风险修改 - GFI >= low_risk_block 时拦截
-        else if (LOW_RISK_WRITE_TOOLS.has(event.toolName)) {
-            const trustEngine = wctx.trust;
-            const stage = trustEngine.getStage();
-            const lineChanges = estimateLineChanges({ toolName: event.toolName, params: event.params });
-            const baseThreshold = gfiGateConfig?.thresholds?.low_risk_block || 70;
-            const dynamicThreshold = calculateDynamicThreshold(baseThreshold, stage, lineChanges, {
-                large_change_lines: gfiGateConfig?.large_change_lines || 50,
-                trust_stage_multipliers: gfiGateConfig?.trust_stage_multipliers || { '1': 0.5, '2': 0.75, '3': 1.0, '4': 1.5 },
-            });
-            if (currentGfi >= dynamicThreshold) {
-                const filePath = event.params.file_path || event.params.path || event.params.file || event.params.target || 'unknown';
-                logger?.warn?.(`[PD:GFI_GATE] Low-risk tool "${event.toolName}" blocked by GFI: ${currentGfi} >= ${dynamicThreshold}`);
-                return {
-                    block: true,
-                    blockReason: `[GFI Gate] 疲劳指数过高，操作被拦截。
-
-工具: ${event.toolName}
-文件: ${filePath}
-GFI: ${currentGfi}/100
-动态阈值: ${dynamicThreshold} (Stage ${stage}${lineChanges > 50 ? `, ${lineChanges}行修改` : ''})
-
-原因: 当前疲劳指数超过阈值，系统进入保护模式。
-
-解决方案:
-1. 执行 /pd-status reset 清零疲劳值
-2. 检查是否存在理解偏差或死循环
-3. 等待问题自然解决后再尝试
-
-注意: 这是系统级硬性拦截，AI 无法绕过。`,
-                };
-            }
-        }
-        // AGENT_TOOLS: Block subagent spawn when GFI is critically high (P0 fix: prevent privilege escalation via spawned subagents)
-        if (isAgentTool) {
-            const AGENT_SPAWN_GFI_THRESHOLD = 90;
-            if (currentGfi >= AGENT_SPAWN_GFI_THRESHOLD) {
-                logger?.warn?.(`[PD:GFI_GATE] Agent tool "${event.toolName}" blocked by GFI: ${currentGfi} >= ${AGENT_SPAWN_GFI_THRESHOLD}`);
-                return {
-                    block: true,
-                    blockReason: `[GFI Gate] 疲劳指数过高，禁止派生子智能体。
-
-GFI: ${currentGfi}/100
-阈值: ${AGENT_SPAWN_GFI_THRESHOLD} (Stage ${wctx.trust.getStage()})
-
-原因: 高疲劳状态下派生子智能体会放大错误风险。
-
-解决方案:
-1. 执行 /pd-status reset 清零疲劳值
-2. 简化任务后重试`,
-                };
-            }
-        }
+    const gfiResult = checkGfiGate(event, wctx, ctx.sessionId, gfiGateConfig, logger);
+    if (gfiResult) {
+        return gfiResult;
     }
     // Merge pluginConfig (OpenClaw UI settings)
     const configRiskPaths = ctx.pluginConfig?.riskPaths ?? [];
@@ -343,186 +122,40 @@ GFI: ${currentGfi}/100
     const risky = (isBash && filePath.includes(' '))
         ? profile.risk_paths.some(rp => filePath.includes(rp))
         : isRisky(relPath, profile.risk_paths);
-    // ── PROGRESSIVE GATE LOGIC ──
+    // ─────────────────────────────────────────────────────────────────────────────
+    // POLICY STEP 3: Progressive Trust Gate (Stage 1-4 access control)
+    // ─────────────────────────────────────────────────────────────────────────────
+    // IMPORTANT: This step does NOT return early on allow.
+    // We must continue to edit verification for ALL allowed operations.
     if (profile.progressive_gate?.enabled) {
-        const trustEngine = wctx.trust;
-        const trustScore = trustEngine.getScore();
-        const stage = trustEngine.getStage();
-        const trustSettings = wctx.config.get('trust') || {
-            limits: {
-                stage_2_max_lines: 50,
-                stage_3_max_lines: 300,
-                stage_2_max_percentage: 10,
-                stage_3_max_percentage: 15,
-                min_lines_fallback: 20,
-            }
-        };
-        const riskLevel = assessRiskLevel(relPath, { toolName: event.toolName, params: event.params }, profile.risk_paths);
         const lineChanges = estimateLineChanges({ toolName: event.toolName, params: event.params });
-        const planApprovals = profile.progressive_gate?.plan_approvals;
-        const canUsePlanApproval = Boolean(stage === 1 &&
-            planApprovals?.enabled &&
-            getPlanStatus(ctx.workspaceDir) === 'READY' &&
-            planApprovals.allowed_operations?.includes(event.toolName) &&
-            matchesAnyPattern(relPath, planApprovals.allowed_patterns || []) &&
-            ((planApprovals.max_lines_override ?? -1) === -1 || lineChanges <= (planApprovals.max_lines_override ?? -1)));
-        logger.info(`[PD_GATE] Trust: ${trustScore} (Stage ${stage}), Risk: ${riskLevel}, Path: ${relPath}`);
-        // ── EP SIMULATION MODE (M6验证) ──
-        // 记录EP系统的模拟决策，但不生效（仅用于对比分析）
-        // BUGFIX #90: 移到所有Stage检查之前，确保所有Stage都触发EP simulation记录
-        try {
-            const epDecision = checkEvolutionGate(ctx.workspaceDir, {
-                toolName: event.toolName,
-                content: event.params?.content,
-                lineCount: lineChanges,
-                isRiskPath: risky,
-            });
-            const epLogEntry = {
-                timestamp: new Date().toISOString(),
-                toolName: event.toolName,
-                filePath: relPath,
-                trustEngine: { score: trustScore, stage, decision: 'allow' },
-                epSystem: { tier: epDecision.currentTier ?? 'UNKNOWN', allowed: epDecision.allowed, reason: epDecision.reason },
-                conflict: epDecision.allowed === false, // Trust允许但EP拒绝（任何阶段）
-            };
-            const epLogPath = path.join(ctx.workspaceDir, '.state', 'ep_simulation.jsonl');
-            // 安全创建目录（如果失败则跳过日志写入，但不影响 Trust Engine 决策）
-            let canWriteEpLog = true;
-            try {
-                fs.mkdirSync(path.dirname(epLogPath), { recursive: true });
-            }
-            catch (mkdirErr) {
-                if (!mkdirErr || mkdirErr.code !== 'EEXIST') {
-                    logger.warn(`[PD_EP_SIM] Failed to create log dir: ${mkdirErr?.message ?? String(mkdirErr)}, skipping log`);
-                    canWriteEpLog = false;
-                }
-            }
-            if (canWriteEpLog) {
-                fs.appendFileSync(epLogPath, JSON.stringify(epLogEntry) + '\n');
-            }
-            logger.info(`[PD_EP_SIM] Tier: ${epDecision.currentTier}, Allowed: ${epDecision.allowed}, Trust: ${trustScore} (Stage ${stage})`);
-        }
-        catch (err) {
-            // EP 模拟失败不应该影响 Trust Engine 决策
-            const errMsg = err instanceof Error ? err.message : String(err);
-            logger.warn(`[PD_EP_SIM] Simulation failed: ${errMsg}, continuing with Trust Engine`);
-        }
-        // Stage 1 (Bankruptcy): Block ALL writes to risk paths, and all medium+ writes
-        if (stage === 1) {
-            if (canUsePlanApproval) {
-                const planStatus = 'READY';
-                wctx.eventLog.recordPlanApproval(ctx.sessionId, {
-                    toolName: event.toolName,
-                    filePath: relPath,
-                    pattern: relPath,
-                    planStatus
-                });
-                wctx.trajectory?.recordGateBlock?.({
-                    sessionId: ctx.sessionId,
-                    toolName: event.toolName,
-                    filePath: relPath,
-                    reason: 'plan_approval',
-                    planStatus,
-                });
-                logger.info(`[PD_GATE] Stage 1 PLAN approval: ${relPath}`);
-                return;
-            }
-            if (risky || riskLevel !== 'LOW') {
-                // Block if not approved by whitelist
-                return block(relPath, `Trust score too low (${trustScore}). Stage 1 agents cannot modify risk paths or perform non-trivial edits.`, wctx, event.toolName, logger, ctx.sessionId);
-            }
-        }
-        // Stage 2 (Editor): Block writes to risk paths. Block large changes.
-        if (stage === 2) {
-            if (risky) {
-                return block(relPath, `Stage 2 agents are not authorized to modify risk paths.`, wctx, event.toolName, logger, ctx.sessionId);
-            }
-            // Percentage-based threshold calculation
-            const targetAbsolutePath = typeof filePath === 'string' ? path.join(ctx.workspaceDir, filePath) : null;
-            const targetLineCount = targetAbsolutePath ? getTargetFileLineCount(targetAbsolutePath) : null;
-            const minLinesFallback = trustSettings.limits?.min_lines_fallback ?? 20;
-            const stage2MaxPercentage = trustSettings.limits?.stage_2_max_percentage ?? 10;
-            const stage2FixedLimit = trustSettings.limits?.stage_2_max_lines ?? 50;
-            let effectiveLimit;
-            let limitType;
-            let actualPercentage = null;
-            if (targetLineCount !== null && targetLineCount > 0) {
-                effectiveLimit = calculatePercentageThreshold(targetLineCount, stage2MaxPercentage, minLinesFallback);
-                actualPercentage = Math.round((lineChanges / targetLineCount) * 100);
-                limitType = 'percentage';
-            }
-            else {
-                effectiveLimit = stage2FixedLimit;
-                limitType = 'fixed';
-            }
-            if (lineChanges > effectiveLimit) {
-                return block(relPath, buildLineLimitReason(lineChanges, effectiveLimit, limitType, targetLineCount, actualPercentage, 2), wctx, event.toolName, logger, ctx.sessionId);
-            }
-        }
-        // Stage 3 (Developer): Allow normal writes. Require READY plan for risk paths.
-        if (stage === 3) {
-            if (risky) {
-                const planStatus = getPlanStatus(ctx.workspaceDir);
-                if (planStatus !== 'READY') {
-                    return block(relPath, `No READY plan found. Stage 3 requires a plan for risk path modifications.`, wctx, event.toolName, logger, ctx.sessionId);
-                }
-            }
-            // Percentage-based threshold calculation
-            const targetAbsolutePath = typeof filePath === 'string' ? path.join(ctx.workspaceDir, filePath) : null;
-            const targetLineCount = targetAbsolutePath ? getTargetFileLineCount(targetAbsolutePath) : null;
-            const minLinesFallback = trustSettings.limits?.min_lines_fallback ?? 20;
-            const stage3MaxPercentage = trustSettings.limits?.stage_3_max_percentage ?? 15;
-            const stage3FixedLimit = trustSettings.limits?.stage_3_max_lines ?? 300;
-            let effectiveLimit;
-            let limitType;
-            let actualPercentage = null;
-            if (targetLineCount !== null && targetLineCount > 0) {
-                effectiveLimit = calculatePercentageThreshold(targetLineCount, stage3MaxPercentage, minLinesFallback);
-                actualPercentage = Math.round((lineChanges / targetLineCount) * 100);
-                limitType = 'percentage';
-            }
-            else {
-                effectiveLimit = stage3FixedLimit;
-                limitType = 'fixed';
-            }
-            if (lineChanges > effectiveLimit) {
-                return block(relPath, buildLineLimitReason(lineChanges, effectiveLimit, limitType, targetLineCount, actualPercentage, 3), wctx, event.toolName, logger, ctx.sessionId);
-            }
-        }
-        // Stage 4 (Architect): Full bypass
-        if (stage === 4) {
-            logger.info(`[PD_GATE] Trusted Architect bypass for ${relPath}`);
-            // Audit log for Stage 4 bypass (security traceability)
-            try {
-                const stateDir = wctx.resolve('STATE_DIR');
-                const eventLog = EventLogService.get(stateDir);
-                eventLog.recordGateBypass(ctx.sessionId, {
-                    toolName: event.toolName,
-                    filePath: relPath,
-                    bypassType: 'stage4_architect',
-                    trustScore,
-                    trustStage: stage,
-                });
-            }
-            catch (auditErr) {
-                logger?.warn?.(`[PD_GATE] Failed to record Stage 4 bypass audit: ${String(auditErr)}`);
-            }
-            return;
+        const progressiveGateResult = checkProgressiveTrustGate(event, wctx, relPath, risky, lineChanges, logger, ctx, profile);
+        if (progressiveGateResult) {
+            return progressiveGateResult;
         }
+        // NOTE: Do NOT return here! Continue to edit verification.
+        // Stage 4 bypass or Stage 1-3 allow should still run edit verification.
     }
     else {
-        // FALLBACK: Legacy Gate Logic
+        // FALLBACK: Legacy Gate Logic (when progressive gate is disabled)
         if (risky && profile.gate?.require_plan_for_risk_paths) {
             const planStatus = getPlanStatus(ctx.workspaceDir);
             if (planStatus !== 'READY') {
-                return block(relPath, `No READY plan found in PLAN.md.`, wctx, event.toolName, logger, ctx.sessionId);
+                return recordGateBlockAndReturn(wctx, {
+                    filePath: relPath,
+                    reason: `No READY plan found in PLAN.md.`,
+                    toolName: event.toolName,
+                    sessionId: ctx.sessionId,
+                    blockSource: 'gate-legacy',
+                }, logger);
             }
         }
     }
-    // ═══════════════════════════════════════════════════════════════
-    // P-03: Edit Tool Force Verification
-    // ═══════════════════════════════════════════════════════════════
-    // After all gate checks, verify edit operations (enforces P-03)
+    // ─────────────────────────────────────────────────────────────────────────────
+    // POLICY STEP 4: Edit Tool Verification (P-03)
+    // ─────────────────────────────────────────────────────────────────────────────
+    // This MUST run after all other gate checks for ALL tools.
+    // Edit verification ensures oldText matches the actual file content.
     if (event.toolName === 'edit' && profile.edit_verification?.enabled !== false) {
         const verifyResult = handleEditVerification(event, wctx, ctx, {
             enabled: profile.edit_verification.enabled,
@@ -535,328 +168,6 @@ GFI: ${currentGfi}/100
             return verifyResult; // Block or modify params
         }
     }
-}
-/**
- * Build a detailed reason message for line limit blocks.
- */
-function buildLineLimitReason(lineChanges, effectiveLimit, limitType, targetLineCount, actualPercentage, stage) {
-    if (limitType === 'percentage' && targetLineCount !== null && actualPercentage !== null) {
-        return `Modification too large: ${lineChanges} lines (${actualPercentage}% of ${targetLineCount} lines). ` +
-            `Stage ${stage} limit is ${effectiveLimit} lines (${limitType}). ` +
-            `Threshold calculation: min(${targetLineCount} × ${actualPercentage}%, ${effectiveLimit} lines).`;
-    }
-    else {
-        return `Modification too large: ${lineChanges} lines. ` +
-            `Stage ${stage} limit is ${effectiveLimit} lines (fixed threshold). ` +
-            `Note: Could not read target file to calculate percentage-based limit. Check file permissions and encoding.`;
-    }
-}
-function block(filePath, reason, wctx, toolName, logger, sessionId) {
-    logger.error?.(`[PD_GATE] BLOCKED: ${filePath}. Reason: ${reason}`);
-    if (sessionId) {
-        trackBlock(sessionId);
-    }
-    const trajectoryPayload = {
-        sessionId: sessionId ?? null,
-        toolName,
-        filePath,
-        reason,
-    };
-    try {
-        wctx.eventLog.recordGateBlock(sessionId, {
-            toolName,
-            filePath,
-            reason,
-        });
-    }
-    catch (error) {
-        logger.warn?.(`[PD_GATE] Failed to record gate block event: ${String(error)}`);
-    }
-    try {
-        wctx.trajectory?.recordGateBlock?.(trajectoryPayload);
-    }
-    catch (error) {
-        logger.warn?.(`[PD_GATE] Failed to record trajectory gate block: ${String(error)}`);
-        scheduleTrajectoryGateBlockRetry(wctx, trajectoryPayload, 1, {
-            warn: (message) => logger.warn?.(message),
-            error: (message) => logger.error?.(message),
-        });
-    }
-    return {
-        block: true,
-        blockReason: `[Principles Disciple] Security Gate Blocked this action.
-File: ${filePath}
-Reason: ${reason}
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-📋 How to unblock this operation:
-
-1. Use the plan-script skill to create a PLAN.md:
-   → Invoke: skill:plan-script
-
-2. Fill in the plan with:
-   - Target Files: ${filePath}
-   - Steps: What you want to do (be specific)
-   - Metrics: How to verify success
-   - Active Mental Models: Select 2 relevant models from .principles/THINKING_OS.md
-   - Rollback: How to restore if it fails
-
-3. After completing the plan, set STATUS: READY in PLAN.md
-
-4. Retry the operation
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-This is a mandatory security gate. The operation was blocked because the modification exceeds the allowed threshold for your current trust stage.
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━`,
-    };
-}
-function scheduleTrajectoryGateBlockRetry(wctx, payload, attempt, logger) {
-    if (attempt > TRAJECTORY_GATE_BLOCK_MAX_RETRIES) {
-        logger.error?.(`[PD_GATE] Failed to persist trajectory gate block after ${TRAJECTORY_GATE_BLOCK_MAX_RETRIES} retries: ${payload.toolName} ${payload.filePath}`);
-        return;
-    }
-    setTimeout(() => {
-        try {
-            wctx.trajectory?.recordGateBlock?.(payload);
-        }
-        catch (error) {
-            logger.warn(`[PD_GATE] Retrying trajectory gate block persistence: ${String(error)}`);
-            scheduleTrajectoryGateBlockRetry(wctx, payload, attempt + 1, logger);
-        }
-    }, TRAJECTORY_GATE_BLOCK_RETRY_DELAY_MS);
-}
-// ═══════════════════════════════════════════════════════════════
-// P-03: Edit Tool Force Verification
-// ═══════════════════════════════════════════════════════════════
-/**
- * Normalize a line for fuzzy matching by collapsing whitespace
- */
-function normalizeLine(line) {
-    return line.replace(/\s+/g, ' ').trim();
-}
-/**
- * Find fuzzy match between oldText and current file content
- * @param lines - File content split into lines
- * @param oldLines - oldText split into lines
- * @param threshold - Match threshold (0-1)
- * @returns Match index or -1 if not found
- */
-function findFuzzyMatch(lines, oldLines, threshold = 0.8) {
-    if (oldLines.length === 0)
-        return -1; // P2 fix: empty array boundary check
-    const normalizedLines = lines.map(normalizeLine);
-    const normalizedOldLines = oldLines.map(normalizeLine);
-    // Try to find matching sequence
-    for (let i = 0; i <= lines.length - oldLines.length; i++) {
-        let matchCount = 0;
-        for (let j = 0; j < oldLines.length; j++) {
-            if (normalizedLines[i + j] === normalizedOldLines[j]) {
-                matchCount++;
-            }
-        }
-        // Use threshold from config
-        if (matchCount >= oldLines.length * threshold) {
-            return i;
-        }
-    }
-    return -1;
-}
-/**
- * Try to find a fuzzy match for oldText in the current content
- * @param currentContent - Current file content
- * @param oldText - Text to match
- * @param threshold - Match threshold (0-1)
- * @returns Object with found status and corrected text if found
- */
-function tryFuzzyMatch(currentContent, oldText, threshold = 0.8) {
-    const lines = currentContent.split('\n');
-    const oldLines = oldText.split('\n');
-    const matchIndex = findFuzzyMatch(lines, oldLines, threshold);
-    if (matchIndex !== -1) {
-        // Found fuzzy match, extract actual text from file
-        const correctedText = lines.slice(matchIndex, matchIndex + oldLines.length).join('\n');
-        return { found: true, correctedText };
-    }
-    return { found: false };
-}
-/**
- * Generate a helpful error message for edit verification failure
- */
-function generateEditError(filePath, oldText, currentContent) {
-    const expectedSnippet = oldText.split('\n').slice(0, 3).join('\n').substring(0, 200);
-    const actualSnippet = currentContent.substring(0, 200);
-    return `[P-03 Violation] Edit verification failed
-
-File: ${filePath}
-
-The text you're trying to replace does not match the current file content.
-
-Expected to find:
-${expectedSnippet}${oldText.length > 200 ? '...' : ''}
-
-Actual file contains:
-${actualSnippet}${currentContent.length > 200 ? '...' : ''}
-
-Possible reasons:
-  - File has been modified by another process
-  - Whitespace characters do not match (spaces, tabs, newlines)
-  - Context compression caused outdated information
-
-Solution:
-  1. Use the 'read' tool to get the current file content
-  2. Update your edit command with the exact text from the file
-  3. Retry the edit operation
-
-This is enforced by P-03 (精确匹配前验证原则).`;
-}
-/**
- * Handle edit tool verification before allowing the operation
- * This enforces P-03 at the tool layer
- */
-function handleEditVerification(event, wctx, ctx, config = {}) {
-    const logger = ctx.logger || console;
-    const maxSizeBytes = config.max_file_size_bytes ?? 10 * 1024 * 1024; // Default 10MB
-    const fuzzyMatchEnabled = config.fuzzy_match_enabled !== false;
-    const fuzzyMatchThreshold = config.fuzzy_match_threshold ?? 0.8;
-    const skipAction = config.skip_large_file_action ?? 'warn';
-    // 1. Extract parameters (handle both parameter naming conventions)
-    const filePath = event.params.file_path || event.params.path || event.params.file;
-    const oldText = event.params.oldText || event.params.old_string;
-    if (!filePath || !oldText) {
-        // Missing required parameters, let it fail naturally
-        return;
-    }
-    // 2. Resolve and read file
-    let absolutePath;
-    try {
-        absolutePath = wctx.resolve(filePath);
-    }
-    catch (error) {
-        // Path resolution error, let it fail naturally
-        return;
-    }
-    // 2.5. Skip verification for binary files
-    const BINARY_EXTENSIONS = ['.png', '.jpg', '.jpeg', '.gif', '.webp', '.bmp', '.svg',
-        '.pdf', '.zip', '.tar', '.gz', '.7z', '.rar',
-        '.exe', '.dll', '.so', '.dylib', '.bin',
-        '.mp3', '.mp4', '.avi', '.mov', '.wav',
-        '.ttf', '.otf', '.woff', '.woff2',
-        '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx'];
-    const ext = path.extname(absolutePath).toLowerCase();
-    if (BINARY_EXTENSIONS.includes(ext)) {
-        logger?.info?.(`[PD_GATE:EDIT_VERIFY] Skipping verification for binary file: ${path.basename(filePath)}`);
-        return;
-    }
-    try {
-        // 2.6. Check file size before reading (P-03 improvement)
-        try {
-            const stats = fs.statSync(absolutePath);
-            const fileSizeBytes = stats.size;
-            const fileSizeMB = fileSizeBytes / (1024 * 1024);
-            if (fileSizeBytes > maxSizeBytes) {
-                const message = `[PD_GATE:EDIT_VERIFY] File size check: ${path.basename(filePath)} is ${fileSizeMB.toFixed(2)}MB (threshold: ${(maxSizeBytes / (1024 * 1024)).toFixed(2)}MB)`;
-                if (skipAction === 'block') {
-                    logger?.warn?.(message + ' - BLOCKED');
-                    return {
-                        block: true,
-                        blockReason: `${message}\n\nFile is too large for edit verification. Increase max_file_size_bytes in PROFILE.json or reduce file size.`
-                    };
-                }
-                else {
-                    logger?.warn?.(message + ' - SKIPPING verification');
-                    return; // Skip verification but allow operation
-                }
-            }
-            logger?.info?.(`[PD_GATE:EDIT_VERIFY] File size check passed: ${path.basename(filePath)} (${fileSizeMB.toFixed(2)}MB)`);
-        }
-        catch (statError) {
-            // File stat error (e.g., permission denied)
-            const errStr = statError instanceof Error ? statError.message : String(statError);
-            const errCode = statError.code;
-            if (errCode === 'EACCES' || errCode === 'EPERM') {
-                logger?.error?.(`[PD_GATE:EDIT_VERIFY] Permission denied accessing file: ${path.basename(filePath)} (${errStr})`);
-                return {
-                    block: true,
-                    blockReason: `[P-03 Error] Permission denied: Cannot access file ${absolutePath}\n\nError: ${errStr}\n\nSolution: Check file permissions or run with appropriate access rights.`
-                };
-            }
-            else if (errCode === 'ENOENT') {
-                logger?.warn?.(`[PD_GATE:EDIT_VERIFY] File not found: ${path.basename(filePath)} (${errStr})`);
-                // File doesn't exist - let the edit operation proceed (it will create the file)
-                return;
-            }
-            else {
-                logger?.warn?.(`[PD_GATE:EDIT_VERIFY] Stat error: ${errStr}`);
-                // Let it fail naturally on read attempt
-            }
-        }
-        // 3. Read current file content with improved error handling
-        let currentContent;
-        try {
-            currentContent = fs.readFileSync(absolutePath, 'utf-8');
-        }
-        catch (readError) {
-            const errStr = readError instanceof Error ? readError.message : String(readError);
-            const errCode = readError.code;
-            if (errCode === 'EACCES' || errCode === 'EPERM') {
-                logger?.error?.(`[PD_GATE:EDIT_VERIFY] Permission denied reading file: ${path.basename(filePath)} (${errStr})`);
-                return {
-                    block: true,
-                    blockReason: `[P-03 Error] Permission denied: Cannot read file ${absolutePath}\n\nError: ${errStr}\n\nSolution: Check file permissions or run with appropriate access rights.`
-                };
-            }
-            else if (errCode === 'ENOENT') {
-                logger?.warn?.(`[PD_GATE:EDIT_VERIFY] File not found: ${path.basename(filePath)} (${errStr})`);
-                // File doesn't exist - let the edit operation proceed
-                return;
-            }
-            else if (errStr.includes('UTF-8') || errStr.includes('encoding')) {
-                logger?.error?.(`[PD_GATE:EDIT_VERIFY] Encoding error reading file: ${path.basename(filePath)} (${errStr})`);
-                return {
-                    block: true,
-                    blockReason: `[P-03 Error] Encoding error: Cannot read file ${absolutePath}\n\nError: ${errStr}\n\nThe file appears to use an encoding other than UTF-8. Edit verification requires UTF-8 readable text files.\n\nSolution: Ensure the file is UTF-8 encoded text, or mark binary extensions to skip verification.`
-                };
-            }
-            else {
-                logger?.warn?.(`[PD_GATE:EDIT_VERIFY] Read error: ${errStr}`);
-                // Let it fail naturally
-                return;
-            }
-        }
-        // 4. Verify oldText exists in current content
-        if (!currentContent.includes(oldText)) {
-            logger?.info?.(`[PD_GATE:EDIT_VERIFY] Exact match failed for ${path.basename(filePath)}, trying fuzzy match`);
-            // 5. Try fuzzy matching (if enabled)
-            if (fuzzyMatchEnabled) {
-                const fuzzyResult = tryFuzzyMatch(currentContent, oldText, fuzzyMatchThreshold);
-                if (fuzzyResult.found && fuzzyResult.correctedText) {
-                    logger?.info?.(`[PD_GATE:EDIT_VERIFY] Fuzzy match found for ${path.basename(filePath)}, auto-correcting oldText`);
-                    // Return corrected parameters
-                    return {
-                        params: {
-                            ...event.params,
-                            oldText: fuzzyResult.correctedText,
-                            old_string: fuzzyResult.correctedText
-                        }
-                    };
-                }
-            }
-            // 6. No match found, block the operation with helpful error
-            const errorMsg = generateEditError(absolutePath, oldText, currentContent);
-            logger?.error?.(`[PD_GATE:EDIT_VERIFY] Block edit on ${path.basename(filePath)}: oldText not found`);
-            return {
-                block: true,
-                blockReason: errorMsg
-            };
-        }
-        // 7. Verification passed, allow edit to proceed
-        logger?.info?.(`[PD_GATE:EDIT_VERIFY] Verified edit on ${path.basename(filePath)}`);
-        return;
-    }
-    catch (error) {
-        // Unexpected error - let it fail naturally
-        const errorStr = error instanceof Error ? error.message : String(error);
-        logger?.warn?.(`[PD_GATE:EDIT_VERIFY] Unexpected error: ${errorStr}`);
-        return;
-    }
+    // All checks passed - allow the operation
+    return;
 }