principles-disciple 1.73.0 → 1.74.0

package/tests/core/paths-refactor.test.ts

@@ -1,9 +1,5 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
-import { planStatus } from '../../src/utils/io.js';
 import { resolvePdPath } from '../../src/core/paths.js';
-import * as fs from 'fs';
-
-vi.mock('fs');
 
 describe('Path Anchoring Integration', () => {
     const workspaceDir = '/mock/workspace';
@@ -17,26 +13,8 @@ describe('Path Anchoring Integration', () => {
         expect(resolvePdPath(workspaceDir, 'PROFILE')).toBe(expected);
     });
 
-    it('should resolve PLAN.md at the project root', () => {
-        const expected = '/mock/workspace/PLAN.md';
-        expect(resolvePdPath(workspaceDir, 'PLAN')).toBe(expected);
-    });
-
     it('should resolve AGENT_SCORECARD.json inside .state/', () => {
         const expected = '/mock/workspace/.state/AGENT_SCORECARD.json';
         expect(resolvePdPath(workspaceDir, 'AGENT_SCORECARD')).toBe(expected);
     });
-
-    it('planStatus should look for PLAN.md in the root', () => {
-        const rootPlanPath = '/mock/workspace/PLAN.md';
-        vi.mocked(fs.existsSync).mockImplementation((p) => p === rootPlanPath);
-        vi.mocked(fs.readFileSync).mockReturnValue('STATUS: READY');
-
-        const status = planStatus(workspaceDir);
-        
-        expect(status).toBe('READY');
-        expect(fs.existsSync).toHaveBeenCalledWith(rootPlanPath);
-        // Verify it does NOT look in docs/
-        expect(fs.existsSync).not.toHaveBeenCalledWith(expect.stringContaining('docs/PLAN.md'));
-    });
 });

package/tests/core/workspace-context.test.ts

@@ -65,8 +65,8 @@ describe('WorkspaceContext', () => {
         
         // PROFILE is at .principles/PROFILE.json
         expect(wctx.resolve('PROFILE')).toBe(path.join(workspaceDir, '.principles', 'PROFILE.json'));
-        // PLAN is at root
-        expect(wctx.resolve('PLAN')).toBe(path.join(workspaceDir, 'PLAN.md'));
+        // THINKING_OS is at .principles/THINKING_OS.md
+        expect(wctx.resolve('THINKING_OS')).toBe(path.join(workspaceDir, '.principles', 'THINKING_OS.md'));
     });
 
     it('should support explicit disposal from cache', () => {

package/tests/core-anti-growth.test.ts

@@ -94,7 +94,6 @@ describe('PRI-212 plugin core anti-growth guard', () => {
     'external-training-contract.ts',
     'merge-gate-audit.ts',
     'shadow-observation-registry.ts',
-    'confirm-first-gate.ts',
     'control-ui-db.ts',
     'thinking-models.ts',
     'pd-task-reconciler.ts',

package/tests/hooks/confirm-first-removal.test.ts

@@ -0,0 +1,188 @@
+/**
+ * PRI-286: Verify confirm-first gate has been fully removed from live paths.
+ *
+ * These tests prove that:
+ * 1. The confirm-first-gate module no longer exists as an importable live module
+ * 2. gate.ts does not call any confirm-first function
+ * 3. prompt.ts does not import any confirm-first function
+ * 4. gate-block-helper does not output confirm-first specific block messages
+ * 5. confirm_first_gate does not appear in DEFAULT_FEATURE_FLAGS
+ * 6. Default PD installation does not block mutating tools due to PLAN.md absence
+ * 7. PLAN.md is not a canonical PD path (paths.ts, path-resolver.ts, env.ts, migration.ts)
+ * 8. confirm-first event types and state store are fully deleted
+ */
+
+import { describe, it, expect } from 'vitest';
+import fs from 'fs';
+import path from 'path';
+
+// __dirname = packages/openclaw-plugin/tests/hooks → go up 4 to monorepo root
+// (hooks → tests → openclaw-plugin → packages → monorepo-root)
+const ROOT = path.resolve(__dirname, '..', '..', '..', '..');
+
+describe('PRI-286: Confirm-first gate removal verification', () => {
+  it('confirm-first-gate.ts source file has been deleted', () => {
+    const gatePath = path.join(ROOT, 'packages/openclaw-plugin/src/core/confirm-first-gate.ts');
+    expect(fs.existsSync(gatePath)).toBe(false);
+  });
+
+  it('gate.ts does not import from confirm-first-gate', async () => {
+    const gateSource = fs.readFileSync(
+      path.join(ROOT, 'packages/openclaw-plugin/src/hooks/gate.ts'),
+      'utf8',
+    );
+    expect(gateSource).not.toContain('confirm-first-gate');
+    expect(gateSource).not.toContain('evaluateConfirmFirstGateSync');
+    expect(gateSource).not.toContain('confirm-first');
+  });
+
+  it('prompt.ts does not import from confirm-first-gate', async () => {
+    const promptSource = fs.readFileSync(
+      path.join(ROOT, 'packages/openclaw-plugin/src/hooks/prompt.ts'),
+      'utf8',
+    );
+    expect(promptSource).not.toContain('confirm-first-gate');
+    expect(promptSource).not.toContain('detectApprovalMarker');
+    expect(promptSource).not.toContain('setConfirmFirstDirective');
+    expect(promptSource).not.toContain('setConfirmFirstApproval');
+    expect(promptSource).not.toContain('hydrateFromStore');
+    expect(promptSource).not.toContain('pruneStoreStaleRows');
+    expect(promptSource).not.toContain('setConfirmFirstStore');
+    expect(promptSource).not.toContain('resetConfirmFirst');
+    expect(promptSource).not.toContain('setConfirmFirstGateEnabled');
+    expect(promptSource).not.toContain('SqliteConfirmFirstStateStore');
+    expect(promptSource).not.toContain('confirm_first_gate');
+  });
+
+  it('gate-block-helper does not have confirm-first specific branch', () => {
+    const helperSource = fs.readFileSync(
+      path.join(ROOT, 'packages/openclaw-plugin/src/hooks/gate-block-helper.ts'),
+      'utf8',
+    );
+    expect(helperSource).not.toContain('confirm-first-gate');
+    expect(helperSource).not.toContain('Confirm-First Gate Blocked');
+    expect(helperSource).not.toContain('confirm-first behavioral directive');
+  });
+
+  it('confirm_first_gate is not in DEFAULT_FEATURE_FLAGS', async () => {
+    const { DEFAULT_FEATURE_FLAGS } = await import('@principles/core/runtime-v2');
+    const ids = DEFAULT_FEATURE_FLAGS.map((f: { id: string }) => f.id);
+    expect(ids).not.toContain('confirm_first_gate');
+  });
+
+  it('no PLAN.md physical interception language in AGENTS.md templates', () => {
+    const templateDirs = [
+      path.join(ROOT, 'packages/openclaw-plugin/templates'),
+      path.join(ROOT, 'packages/create-principles-disciple/templates'),
+      path.join(ROOT, 'packages/create-principles-disciple/plugin/templates'),
+    ];
+
+    for (const dir of templateDirs) {
+      if (!fs.existsSync(dir)) continue;
+      const agentsFiles = findFiles(dir, 'AGENTS.md');
+      for (const file of agentsFiles) {
+        const content = fs.readFileSync(file, 'utf8');
+        // Must NOT contain physical interception language
+        expect(content, `${file} should not contain physical interception`).not.toContain('Physical interception');
+        expect(content, `${file} should not contain 物理拦截`).not.toContain('物理拦截');
+        expect(content, `${file} should not contain Single source of truth.*PLAN`).not.toMatch(/Single source of truth.*PLAN/i);
+      }
+    }
+  });
+
+  it('no mandatory PLAN.md STATUS:READY in THINKING_OS templates', () => {
+    const templateDirs = [
+      path.join(ROOT, 'packages/openclaw-plugin/templates'),
+      path.join(ROOT, 'packages/create-principles-disciple/templates'),
+      path.join(ROOT, 'packages/create-principles-disciple/plugin/templates'),
+    ];
+
+    for (const dir of templateDirs) {
+      if (!fs.existsSync(dir)) continue;
+      const thinkingFiles = findFiles(dir, 'THINKING_OS.md');
+      for (const file of thinkingFiles) {
+        const content = fs.readFileSync(file, 'utf8');
+        expect(content, `${file} should not require PLAN.md status: READY`).not.toContain('PLAN.md` (status: READY)');
+        expect(content, `${file} should not require PLAN.md（状态：READY）`).not.toContain('PLAN.md`（状态：READY）');
+      }
+    }
+  });
+
+  // ── Round 2: Canonical PLAN.md path removal ──
+
+  it('paths.ts does not contain PLAN: entry', () => {
+    const source = fs.readFileSync(
+      path.join(ROOT, 'packages/openclaw-plugin/src/core/paths.ts'),
+      'utf8',
+    );
+    expect(source).not.toMatch(/PLAN:\s*'PLAN\.md'/);
+  });
+
+  it('path-resolver.ts does not contain PLAN key', () => {
+    const source = fs.readFileSync(
+      path.join(ROOT, 'packages/openclaw-plugin/src/core/path-resolver.ts'),
+      'utf8',
+    );
+    expect(source).not.toContain("'PLAN':");
+    expect(source).not.toContain('"PLAN":');
+  });
+
+  it('env.ts CORE_FILES does not contain PLAN.md', () => {
+    const source = fs.readFileSync(
+      path.join(ROOT, 'packages/create-principles-disciple/src/utils/env.ts'),
+      'utf8',
+    );
+    // Match 'PLAN.md' inside the CORE_FILES array — should not exist
+    expect(source).not.toMatch(/CORE_FILES\s*=\s*\[[\s\S]*?'PLAN\.md'/);
+  });
+
+  it('migration.ts does not migrate docs/PLAN.md', () => {
+    const source = fs.readFileSync(
+      path.join(ROOT, 'packages/openclaw-plugin/src/core/migration.ts'),
+      'utf8',
+    );
+    expect(source).not.toContain("'PLAN.md'");
+    expect(source).not.toContain("newKey: 'PLAN'");
+  });
+
+  // ── Round 2: Event type and state store full deletion ──
+
+  it('event-types.ts does not contain runtime_v2_confirm_first_gate', () => {
+    const source = fs.readFileSync(
+      path.join(ROOT, 'packages/principles-core/src/runtime-v2/types/event-types.ts'),
+      'utf8',
+    );
+    expect(source).not.toContain('runtime_v2_confirm_first_gate');
+    expect(source).not.toContain('RuntimeV2ConfirmFirstGate');
+  });
+
+  it('confirm-first state store source has been deleted', () => {
+    const storePath = path.join(
+      ROOT, 'packages/principles-core/src/runtime-v2/activation/sqlite-confirm-first-state-store.ts',
+    );
+    expect(fs.existsSync(storePath)).toBe(false);
+  });
+
+  it('confirm-first state store test has been deleted', () => {
+    const testPath = path.join(
+      ROOT, 'packages/principles-core/src/runtime-v2/__tests__/sqlite-confirm-first-state-store.test.ts',
+    );
+    expect(fs.existsSync(testPath)).toBe(false);
+  });
+});
+
+function findFiles(dir: string, filename: string): string[] {
+  const results: string[] = [];
+  function walk(d: string): void {
+    for (const entry of fs.readdirSync(d, { withFileTypes: true })) {
+      const full = path.join(d, entry.name);
+      if (entry.isDirectory()) {
+        walk(full);
+      } else if (entry.name === filename) {
+        results.push(full);
+      }
+    }
+  }
+  walk(dir);
+  return results;
+}

package/tests/hooks/gate-no-path-write-tool.test.ts

@@ -0,0 +1,172 @@
+/**
+ * Regression test: write tools without file_path must still go through RuleHost.
+ *
+ * PRI-286 P1: After removing confirm-first gate, write tools (apply_patch, patch, etc.)
+ * that have no file_path/path/file/target param must NOT be silently allowed.
+ * They must use a synthetic path `<tool:${toolName}>` and still evaluate via RuleHost.
+ *
+ * Uses vi.hoisted + mock of WorkspaceContext to avoid isolation issues in full suite.
+ * WorkspaceContext is the key — in full suite, other test files initialize the real
+ * context which caches a real EventLogService that doesn't have our mock methods.
+ */
+
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+// vi.hoisted ensures these are available to vi.mock factories at hoist time
+const { mockEvaluate, mockEventLog, mockEvolution } = vi.hoisted(() => {
+  const mockEvaluate = vi.fn().mockReturnValue(undefined);
+  const mockEventLog = {
+    recordRuleHostEvaluated: vi.fn(),
+    recordRuleEnforced: vi.fn(),
+    recordRuleHostBlocked: vi.fn(),
+    recordRuleHostRequireApproval: vi.fn(),
+    recordRuleHostAutoCorrectProposed: vi.fn(),
+    recordRuleHostAutoCorrectApplied: vi.fn(),
+    recordGateBlock: vi.fn(),
+    recordSession: vi.fn(),
+  };
+  const mockEvolution = {
+    getTier: vi.fn().mockReturnValue(3),
+    getPoints: vi.fn().mockReturnValue(200),
+  };
+  return { mockEvaluate, mockEventLog, mockEvolution };
+});
+
+vi.mock('../../src/core/session-tracker.js', () => ({
+  getSession: vi.fn(() => ({ currentGfi: 0 })),
+  trackBlock: vi.fn(),
+  hasRecentThinking: vi.fn(() => false),
+}));
+
+vi.mock('../../src/core/evolution-engine.js', () => ({
+  getEvolutionEngine: vi.fn(() => mockEvolution),
+}));
+
+vi.mock('../../src/core/event-log.js', () => ({
+  EventLogService: { get: vi.fn(() => mockEventLog) },
+}));
+
+vi.mock('../../src/core/rule-host.js', () => ({
+  RuleHost: vi.fn(function(this: any, _stateDir: string, _logger: any) {
+    this.evaluate = mockEvaluate;
+  }),
+}));
+
+vi.mock('../../src/core/principle-tree-ledger.js', () => ({
+  loadLedger: vi.fn(),
+  listImplementationsByLifecycleState: vi.fn(() => []),
+}));
+
+// Mock WorkspaceContext to return a controlled instance with our mockEventLog.
+// This prevents full-suite caching of real WorkspaceContext instances.
+vi.mock('../../src/core/workspace-context.js', () => {
+  return {
+    WorkspaceContext: {
+      fromHookContext: vi.fn((ctx: any) => ({
+        workspaceDir: ctx.workspaceDir,
+        stateDir: ctx.workspaceDir + '/.state',
+        eventLog: mockEventLog,
+        trajectory: {
+          recordGateBlock: vi.fn(),
+          recordPainEvent: vi.fn(),
+          recordSession: vi.fn(),
+        },
+        config: {
+          get: vi.fn().mockReturnValue(undefined),
+        },
+      })),
+    },
+  };
+});
+
+// Dynamic import AFTER mocks are set up
+const { handleBeforeToolCall } = await import('../../src/hooks/gate.js');
+
+const workspaceDir = '/mock/workspace';
+const sessionId = 'test-no-path';
+
+describe('Write tools without file_path must go through RuleHost', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockEvaluate.mockReturnValue(undefined);
+  });
+
+  it('apply_patch with no path triggers RuleHost evaluate', () => {
+    mockEvaluate.mockReturnValue(undefined); // allow
+
+    const result = handleBeforeToolCall(
+      { toolName: 'apply_patch', params: { patch: 'some diff content' } } as any,
+      { workspaceDir, sessionId } as any,
+    );
+
+    // Should not be blocked (RuleHost returned undefined = allow)
+    expect(result).toBeUndefined();
+    // But RuleHost MUST have been called
+    expect(mockEvaluate).toHaveBeenCalledTimes(1);
+    // Verify synthetic path was used
+    const input = mockEvaluate.mock.calls[0][0];
+    expect(input.action.normalizedPath).toBe('<tool:apply_patch>');
+  });
+
+  it('apply_patch with no path: RuleHost block must return block', () => {
+    mockEvaluate.mockReturnValue({
+      decision: 'block',
+      matched: true,
+      reason: 'Test block: write tool without path',
+      ruleId: 'R_TEST',
+      principleId: 'P_TEST',
+    });
+
+    const result = handleBeforeToolCall(
+      { toolName: 'apply_patch', params: { patch: 'dangerous content' } } as any,
+      { workspaceDir, sessionId } as any,
+    );
+
+    expect(result).toBeDefined();
+    expect(result?.block).toBe(true);
+    expect(result?.blockReason).toContain('Test block: write tool without path');
+    expect(mockEvaluate).toHaveBeenCalledTimes(1);
+    expect(mockEvaluate.mock.calls[0][0].action.normalizedPath).toBe('<tool:apply_patch>');
+  });
+
+  it('patch tool with no path triggers RuleHost evaluate', () => {
+    mockEvaluate.mockReturnValue(undefined); // allow
+
+    const result = handleBeforeToolCall(
+      { toolName: 'patch', params: {} } as any,
+      { workspaceDir, sessionId } as any,
+    );
+
+    expect(result).toBeUndefined();
+    expect(mockEvaluate).toHaveBeenCalledTimes(1);
+    expect(mockEvaluate.mock.calls[0][0].action.normalizedPath).toBe('<tool:patch>');
+  });
+
+  it('Write tool with valid file_path still uses real path', () => {
+    mockEvaluate.mockReturnValue(undefined); // allow
+
+    const result = handleBeforeToolCall(
+      { toolName: 'write', params: { file_path: '/mock/workspace/src/app.ts', content: 'x' } } as any,
+      { workspaceDir, sessionId } as any,
+    );
+
+    expect(result).toBeUndefined();
+    expect(mockEvaluate).toHaveBeenCalledTimes(1);
+    expect(mockEvaluate.mock.calls[0][0].action.normalizedPath).toBe('src/app.ts');
+  });
+
+  it('bash with no file target still goes through RuleHost (existing behavior)', () => {
+    mockEvaluate.mockReturnValue(undefined); // allow
+
+    const result = handleBeforeToolCall(
+      { toolName: 'bash', params: { command: 'echo hello' } } as any,
+      { workspaceDir, sessionId } as any,
+    );
+
+    expect(result).toBeUndefined();
+    expect(mockEvaluate).toHaveBeenCalledTimes(1);
+    // Bash without file target uses the full command as path (existing heuristic)
+    const input = mockEvaluate.mock.calls[0][0];
+    expect(input.action.normalizedPath).toContain('echo hello');
+  });
+});

package/src/core/confirm-first-gate.ts

@@ -1,255 +0,0 @@
-/**
- * Confirm-First Gate
- *
- * Hard enforcement for confirm-first Runtime V2 prompt activations.
- * When an owner-approved activation requires confirmation before coding,
- * this gate blocks mutating tools until the session has explicit owner approval.
- *
- * This is NOT a replacement for prompt injection — it's a hard fallback
- * for models that don't follow system prompt behavioral directives.
- *
- * Flow:
- * 1. Prompt hook (before_prompt_build) detects confirm-first directive and caches state
- * 2. Prompt hook detects user approval language and marks session approved
- * 3. Gate hook (before_tool_call) checks cached state synchronously
- */
-
-import { BASH_TOOLS_SET, WRITE_TOOLS } from '../constants/tools.js';
-import { SqliteConfirmFirstStateStore } from '@principles/core/runtime-v2';
-
-/** Per-session confirm-first state */
-interface ConfirmFirstSessionState {
-  active: boolean;
-  principleId?: string;
-}
-
-/** Size cap to prevent memory leaks from abandoned sessions */
-const MAX_SESSION_ENTRIES = 500;
-
-// TODO(PRI-268): stale directive cleanup
-const sessionDirectiveState = new Map<string, ConfirmFirstSessionState>();
-// TODO(PRI-267): per-task approval scope
-const sessionApprovalState = new Map<string, boolean>();
-
-let confirmFirstStore: SqliteConfirmFirstStateStore | null = null;
-
-export function setConfirmFirstStore(store: SqliteConfirmFirstStateStore | null): void {
-  confirmFirstStore = store;
-}
-
-function evictOldestIfFull(map: Map<string, unknown>): void {
-  if (map.size >= MAX_SESSION_ENTRIES) {
-    const firstKey = map.keys().next().value;
-    if (firstKey !== undefined) map.delete(firstKey);
-  }
-}
-
-export interface ConfirmFirstGateResult {
-  action: 'allow' | 'block' | 'skip';
-  reason?: string;
-  nextAction?: string;
-  principleId?: string;
-}
-
-/**
- * Check if a tool is mutating (write, edit, delete, or mutating exec).
- */
-function isMutatingTool(toolName: string, params?: Record<string, unknown>): boolean {
-  // Direct write/edit/delete tools are always mutating
-  if (WRITE_TOOLS.has(toolName)) return true;
-
-  // For exec/bash, only mutating if the command content is mutating
-  if (BASH_TOOLS_SET.has(toolName)) {
-    const command = String(params?.command || params?.args || '');
-    if (!command) return false;
-    return />\s*|>>\s*|\brm\b|\bmv\b|\bmkdir\b|\btouch\b|\bcp\s|\bsed\s+-i|\bchmod\b|\bchown\b|\bdel\s|\bRemove-Item\b|\bSet-Content\b|\bOut-File\b|\bNew-Item\b/.test(command);
-  }
-
-  return false;
-}
-
-/**
- * Detect if user message contains clear approval language.
- * Rejects negated forms (e.g., "don't proceed", "不同意", "确认一下").
- */
-export function detectApprovalMarker(message: string): boolean {
-  const trimmed = message.trim();
-
-  // Negation prefixes — reject if present before approval keywords
-  const zhNegation = /不|别|暂不|先不|无法|不能|没准备好|还没|尚未/;
-  const enNegation = /don'?t|not\s+ready|can'?t|won'?t|stop|hold|cannot|isn'?t|aren'?t|haven'?t|shouldn'?t/i;
-
-  // Single-word Chinese markers require exact match (the word alone, not embedded in a sentence)
-  const zhExactMarkers = /^(?:确认|批准|同意|执行吧|开始执行)$/;
-  // Multi-word Chinese markers
-  const zhPhraseMarkers = /按计划执行|可以执行|就这么做|去执行|照.*做|没问题.*执行/;
-
-  // English markers — unambiguous single-word approvals only
-  const enMarkers = /\bapproved\b|\bgo\s*ahead\b|\blgtm\b/i;
-  // English phrase markers — require explicit approval context
-  const enPhraseMarkers = /\byes,?\s*(do\s+it|proceed|execute)\b|\bdo\s+it\b|\bproceed\s+with\s+the\s+plan\b|\bexecute\s+the\s+plan\b|\bplease\s+proceed\s+with\s+the\s+plan\b/i;
-
-  // Check Chinese
-  if (zhExactMarkers.test(trimmed) || zhPhraseMarkers.test(trimmed)) {
-    // Reject if negation prefix present
-    if (zhNegation.test(trimmed)) return false;
-    return true;
-  }
-
-  // Check English
-  if (enMarkers.test(trimmed) || enPhraseMarkers.test(trimmed)) {
-    if (enNegation.test(trimmed)) return false;
-    return true;
-  }
-
-  return false;
-}
-
-/**
- * Set confirm-first directive state for a session (called from prompt hook).
- */
-export function setConfirmFirstDirective(
-  sessionId: string,
-  active: boolean,
-  principleId?: string,
-): void {
-  evictOldestIfFull(sessionDirectiveState);
-  sessionDirectiveState.set(sessionId, { active, principleId });
-  if (confirmFirstStore) {
-    try {
-      confirmFirstStore.upsertDirective(sessionId, active, principleId ?? null);
-    } catch (storeErr) {
-      console.warn(`[PD:ConfirmFirst] Store write failed for directive (session=${sessionId}), degraded to cache-only: ${String(storeErr)}`);
-    }
-  }
-}
-
-/**
- * Mark a session as approved (called from prompt hook when approval detected).
- */
-export function setConfirmFirstApproval(sessionId: string): void {
-  evictOldestIfFull(sessionApprovalState);
-  sessionApprovalState.set(sessionId, true);
-  if (confirmFirstStore) {
-    try {
-      confirmFirstStore.upsertApproval(sessionId);
-    } catch (storeErr) {
-      console.warn(`[PD:ConfirmFirst] Store write failed for approval (session=${sessionId}), degraded to cache-only: ${String(storeErr)}`);
-    }
-  }
-}
-
-/**
- * Synchronous gate evaluation — checks cached state only.
- * Called from before_tool_call hook (must be synchronous).
- */
-export function evaluateConfirmFirstGateSync(
-  sessionId: string | undefined,
-  toolName: string,
-  params: Record<string, unknown> | undefined,
-): ConfirmFirstGateResult {
-  if (!sessionId) return { action: 'skip' };
-
-  // 1. Check if session is already approved
-  if (sessionApprovalState.get(sessionId)) {
-    return { action: 'allow' };
-  }
-
-  // 2. Check if confirm-first directive is active for this session
-  const directive = sessionDirectiveState.get(sessionId);
-  if (!directive?.active) {
-    return { action: 'skip' };
-  }
-
-  // 3. Check if tool is mutating
-  if (!isMutatingTool(toolName, params)) {
-    return { action: 'allow' };
-  }
-
-  // 4. Block: mutating tool with active confirm-first and no approval
-  return {
-    action: 'block',
-    reason: 'confirm_first_required',
-    nextAction:
-      'Summarize requirements, list ambiguities, propose a plan, and wait for explicit owner approval before mutating files.',
-    principleId: directive.principleId,
-  };
-}
-
-/**
- * Reset state for a session (e.g., on /reset).
- */
-export function resetConfirmFirst(sessionId: string): void {
-  sessionDirectiveState.delete(sessionId);
-  sessionApprovalState.delete(sessionId);
-  if (confirmFirstStore) {
-    try {
-      confirmFirstStore.deleteState(sessionId);
-    } catch (storeErr) {
-      console.warn(`[PD:ConfirmFirst] Store delete failed for session=${sessionId}: ${String(storeErr)}`);
-    }
-  }
-}
-
-/**
- * Check if a session has been approved (for testing).
- */
-export function isSessionApproved(sessionId: string): boolean {
-  return sessionApprovalState.get(sessionId) === true;
-}
-
-/**
- * Check if a session has an active directive (for testing).
- */
-export function hasActiveDirective(sessionId: string): boolean {
-  return sessionDirectiveState.get(sessionId)?.active === true;
-}
-
-/**
- * Clear all state (for testing).
- */
-export function clearAllConfirmFirstState(): void {
-  sessionDirectiveState.clear();
-  sessionApprovalState.clear();
-  if (confirmFirstStore) {
-    try {
-      confirmFirstStore.deleteAllState();
-    } catch (storeErr) {
-      console.warn(`[PD:ConfirmFirst] Store clearAll failed: ${String(storeErr)}`);
-    }
-  }
-}
-
-export function hydrateFromStore(sessionId: string): void {
-  if (!confirmFirstStore) return;
-  if (sessionDirectiveState.has(sessionId)) return;
-
-  try {
-    const record = confirmFirstStore.getState(sessionId);
-    if (!record) return;
-
-    evictOldestIfFull(sessionDirectiveState);
-    sessionDirectiveState.set(sessionId, {
-      active: record.directiveActive,
-      principleId: record.directivePrincipleId ?? undefined,
-    });
-
-    if (record.approvalActive) {
-      evictOldestIfFull(sessionApprovalState);
-      sessionApprovalState.set(sessionId, true);
-    }
-  } catch (storeErr) {
-    console.warn(`[PD:ConfirmFirst] Store hydration failed for session=${sessionId}: ${String(storeErr)}`);
-  }
-}
-
-export function pruneStoreStaleRows(): number {
-  if (!confirmFirstStore) return 0;
-  try {
-    return confirmFirstStore.pruneStaleRows();
-  } catch (storeErr) {
-    console.warn(`[PD:ConfirmFirst] Store pruning failed: ${String(storeErr)}`);
-    return 0;
-  }
-}
-