pumuki 6.3.39 → 6.3.40

package/integrations/gate/evaluateAiGate.ts

@@ -20,6 +20,35 @@ export type AiGateViolation = {
   severity: 'ERROR' | 'WARN';
 };
 
+type PreWriteWorktreeHygienePolicy = {
+  enabled: boolean;
+  warnThreshold: number;
+  blockThreshold: number;
+};
+
+export type AiGateSkillsContractPlatformRequirement = {
+  platform: PreWriteSkillsPlatform;
+  required_rule_prefix: string;
+  required_bundles: ReadonlyArray<string>;
+  required_critical_rule_ids: ReadonlyArray<string>;
+  required_any_transversal_critical_rule_ids: ReadonlyArray<string>;
+  active_prefix_covered: boolean;
+  evaluated_prefix_covered: boolean;
+  missing_bundles: ReadonlyArray<string>;
+  missing_critical_rule_ids: ReadonlyArray<string>;
+  transversal_critical_covered: boolean;
+  missing_any_transversal_critical_rule_ids: ReadonlyArray<string>;
+};
+
+export type AiGateSkillsContractAssessment = {
+  stage: AiGateStage;
+  enforced: boolean;
+  status: 'PASS' | 'FAIL' | 'NOT_APPLICABLE';
+  detected_platforms: ReadonlyArray<PreWriteSkillsPlatform>;
+  requirements: ReadonlyArray<AiGateSkillsContractPlatformRequirement>;
+  violations: ReadonlyArray<AiGateViolation>;
+};
+
 export type AiGateCheckResult = {
   stage: AiGateStage;
   status: 'ALLOWED' | 'BLOCKED';
@@ -53,6 +82,7 @@ export type AiGateCheckResult = {
     max_age_seconds: number | null;
     age_seconds: number | null;
   };
+  skills_contract: AiGateSkillsContractAssessment;
   repo_state: RepoState;
   violations: AiGateViolation[];
 };
@@ -79,8 +109,46 @@ const DEFAULT_MAX_AGE_SECONDS: Readonly<Record<AiGateStage, number>> = {
   PRE_PUSH: 1800,
   CI: 7200,
 };
+const DEFAULT_PREWRITE_WORKTREE_HYGIENE: PreWriteWorktreeHygienePolicy = {
+  enabled: true,
+  warnThreshold: 12,
+  blockThreshold: 24,
+};
+const PREWRITE_WORKTREE_HYGIENE_ENABLED_ENV = 'PUMUKI_PREWRITE_WORKTREE_HYGIENE_ENABLED';
+const PREWRITE_WORKTREE_HYGIENE_WARN_THRESHOLD_ENV = 'PUMUKI_PREWRITE_WORKTREE_WARN_THRESHOLD';
+const PREWRITE_WORKTREE_HYGIENE_BLOCK_THRESHOLD_ENV = 'PUMUKI_PREWRITE_WORKTREE_BLOCK_THRESHOLD';
 
 const DEFAULT_PROTECTED_BRANCHES = new Set(['main', 'master', 'develop', 'dev']);
+const PREWRITE_SKILLS_PLATFORMS = ['ios', 'android', 'backend', 'frontend'] as const;
+type PreWriteSkillsPlatform = (typeof PREWRITE_SKILLS_PLATFORMS)[number];
+const PLATFORM_SKILLS_RULE_PREFIXES: Readonly<Record<PreWriteSkillsPlatform, string>> = {
+  ios: 'skills.ios.',
+  android: 'skills.android.',
+  backend: 'skills.backend.',
+  frontend: 'skills.frontend.',
+};
+const PLATFORM_REQUIRED_SKILLS_BUNDLES: Readonly<Record<PreWriteSkillsPlatform, ReadonlyArray<string>>> = {
+  ios: [
+    'ios-guidelines',
+    'ios-concurrency-guidelines',
+    'ios-swiftui-expert-guidelines',
+  ],
+  android: ['android-guidelines'],
+  backend: ['backend-guidelines'],
+  frontend: ['frontend-guidelines'],
+};
+const PREWRITE_CRITICAL_SKILLS_RULES: Readonly<Record<PreWriteSkillsPlatform, ReadonlyArray<string>>> = {
+  ios: ['skills.ios.critical-test-quality'],
+  android: [],
+  backend: [],
+  frontend: [],
+};
+const PREWRITE_TRANSVERSAL_CRITICAL_SKILLS_RULES: Readonly<Record<PreWriteSkillsPlatform, ReadonlyArray<string>>> = {
+  ios: [],
+  android: ['skills.android.no-runblocking', 'skills.android.no-thread-sleep'],
+  backend: ['skills.backend.no-empty-catch', 'skills.backend.avoid-explicit-any'],
+  frontend: ['skills.frontend.no-empty-catch', 'skills.frontend.avoid-explicit-any'],
+};
 const MCP_RECEIPT_STAGE_ORDER: Readonly<Record<AiGateStage, number>> = {
   PRE_WRITE: 0,
   PRE_COMMIT: 1,
@@ -94,6 +162,66 @@ const toErrorViolation = (code: string, message: string): AiGateViolation => ({
   message,
 });
 
+const toWarnViolation = (code: string, message: string): AiGateViolation => ({
+  code,
+  severity: 'WARN',
+  message,
+});
+
+const toPositiveInteger = (value: unknown, fallback: number): number => {
+  if (typeof value !== 'number' || !Number.isFinite(value)) {
+    return fallback;
+  }
+  const normalized = Math.trunc(value);
+  return normalized > 0 ? normalized : fallback;
+};
+
+const toBooleanFromEnv = (value: string | undefined, fallback: boolean): boolean => {
+  if (typeof value !== 'string') {
+    return fallback;
+  }
+  const normalized = value.trim().toLowerCase();
+  if (normalized === '1' || normalized === 'true' || normalized === 'yes' || normalized === 'on') {
+    return true;
+  }
+  if (normalized === '0' || normalized === 'false' || normalized === 'no' || normalized === 'off') {
+    return false;
+  }
+  return fallback;
+};
+
+const resolvePreWriteWorktreeHygienePolicy = (
+  input?: Partial<PreWriteWorktreeHygienePolicy>
+): PreWriteWorktreeHygienePolicy => {
+  const enabled = input?.enabled
+    ?? toBooleanFromEnv(
+      process.env[PREWRITE_WORKTREE_HYGIENE_ENABLED_ENV],
+      DEFAULT_PREWRITE_WORKTREE_HYGIENE.enabled
+    );
+  const warnThreshold = toPositiveInteger(
+    input?.warnThreshold
+      ?? (process.env[PREWRITE_WORKTREE_HYGIENE_WARN_THRESHOLD_ENV]
+        ? Number(process.env[PREWRITE_WORKTREE_HYGIENE_WARN_THRESHOLD_ENV])
+        : undefined),
+    DEFAULT_PREWRITE_WORKTREE_HYGIENE.warnThreshold
+  );
+  const requestedBlockThreshold = toPositiveInteger(
+    input?.blockThreshold
+      ?? (process.env[PREWRITE_WORKTREE_HYGIENE_BLOCK_THRESHOLD_ENV]
+        ? Number(process.env[PREWRITE_WORKTREE_HYGIENE_BLOCK_THRESHOLD_ENV])
+        : undefined),
+    DEFAULT_PREWRITE_WORKTREE_HYGIENE.blockThreshold
+  );
+  const blockThreshold =
+    requestedBlockThreshold >= warnThreshold ? requestedBlockThreshold : warnThreshold;
+
+  return {
+    enabled,
+    warnThreshold,
+    blockThreshold,
+  };
+};
+
 const toTimestampAgeSeconds = (
   timestamp: string,
   nowMs: number
@@ -123,11 +251,330 @@ const toCanonicalPath = (value: string): string => {
   }
 };
 
+const toNormalizedSkillsBundleName = (bundle: string): string => {
+  const separatorIndex = bundle.lastIndexOf('@');
+  if (separatorIndex <= 0) {
+    return bundle.trim();
+  }
+  return bundle.slice(0, separatorIndex).trim();
+};
+
+const toDetectedSkillsPlatforms = (
+  platforms: Extract<EvidenceReadResult, { kind: 'valid' }>['evidence']['platforms'] | undefined
+): ReadonlyArray<PreWriteSkillsPlatform> => {
+  const platformsState = platforms ?? {};
+  const detected: PreWriteSkillsPlatform[] = [];
+  for (const platform of PREWRITE_SKILLS_PLATFORMS) {
+    if (platformsState[platform]?.detected === true) {
+      detected.push(platform);
+    }
+  }
+  return detected;
+};
+
+const collectActiveRuleIdsCoverageViolations = (params: {
+  stage: AiGateStage;
+  evidence: Extract<EvidenceReadResult, { kind: 'valid' }>['evidence'];
+  coverage: NonNullable<Extract<EvidenceReadResult, { kind: 'valid' }>['evidence']['snapshot']['rules_coverage']>;
+}): AiGateViolation[] => {
+  if (params.coverage.active_rule_ids.length > 0) {
+    return [];
+  }
+  const detectedPlatforms = toDetectedSkillsPlatforms(params.evidence.platforms);
+  if (detectedPlatforms.length === 0) {
+    return [];
+  }
+  return [
+    toErrorViolation(
+      'EVIDENCE_ACTIVE_RULE_IDS_EMPTY_FOR_CODE_CHANGES',
+      `Active rules coverage is empty at ${params.stage} with detected code platforms=[${detectedPlatforms.join(', ')}].`
+    ),
+  ];
+};
+
+const collectPreWritePlatformSkillsViolations = (params: {
+  evidence: Extract<EvidenceReadResult, { kind: 'valid' }>['evidence'];
+  coverage: NonNullable<Extract<EvidenceReadResult, { kind: 'valid' }>['evidence']['snapshot']['rules_coverage']>;
+}): AiGateViolation[] => {
+  const detectedPlatforms = toDetectedSkillsPlatforms(params.evidence.platforms);
+  if (detectedPlatforms.length === 0) {
+    return [];
+  }
+
+  const violations: AiGateViolation[] = [];
+  const missingScopeCoverage: string[] = [];
+  const missingBundlesByPlatform: string[] = [];
+
+  for (const platform of detectedPlatforms) {
+    const prefix = PLATFORM_SKILLS_RULE_PREFIXES[platform];
+    const hasActivePrefix = params.coverage.active_rule_ids.some((ruleId) => ruleId.startsWith(prefix));
+    const hasEvaluatedPrefix = params.coverage.evaluated_rule_ids.some((ruleId) =>
+      ruleId.startsWith(prefix)
+    );
+
+    if (!hasActivePrefix || !hasEvaluatedPrefix) {
+      const reasons: string[] = [];
+      if (!hasActivePrefix) {
+        reasons.push(`active_rules_prefix=${prefix} missing`);
+      }
+      if (!hasEvaluatedPrefix) {
+        reasons.push(`evaluated_rules_prefix=${prefix} missing`);
+      }
+      missingScopeCoverage.push(`${platform}{${reasons.join('; ')}}`);
+    }
+  }
+
+  if (missingScopeCoverage.length > 0) {
+    violations.push(
+      toErrorViolation(
+        'EVIDENCE_PLATFORM_SKILLS_SCOPE_INCOMPLETE',
+        `Detected platforms missing skill-rule coverage in PRE_WRITE: ${missingScopeCoverage.join(' | ')}.`
+      )
+    );
+  }
+
+  const activeSkillsBundles = new Set(
+    params.evidence.rulesets
+      .filter((ruleset) => ruleset.platform === 'skills')
+      .map((ruleset) => toNormalizedSkillsBundleName(ruleset.bundle))
+      .filter((bundle) => bundle.length > 0)
+  );
+
+  for (const platform of detectedPlatforms) {
+    const requiredBundles = PLATFORM_REQUIRED_SKILLS_BUNDLES[platform];
+    const missingBundles = requiredBundles.filter((bundleName) => !activeSkillsBundles.has(bundleName));
+    if (missingBundles.length === 0) {
+      continue;
+    }
+    missingBundlesByPlatform.push(`${platform}{missing_bundles=[${missingBundles.join(', ')}]}`);
+  }
+
+  if (missingBundlesByPlatform.length > 0) {
+    violations.push(
+      toErrorViolation(
+        'EVIDENCE_PLATFORM_SKILLS_BUNDLES_MISSING',
+        `Detected platforms missing required skill bundles in PRE_WRITE: ${missingBundlesByPlatform.join(' | ')}.`
+      )
+    );
+  }
+
+  const missingCriticalRulesByPlatform: string[] = [];
+  for (const platform of detectedPlatforms) {
+    const requiredCriticalRuleIds = PREWRITE_CRITICAL_SKILLS_RULES[platform];
+    if (requiredCriticalRuleIds.length === 0) {
+      continue;
+    }
+    const missingCriticalRuleIds = requiredCriticalRuleIds.filter((ruleId) => {
+      const hasActive = params.coverage.active_rule_ids.includes(ruleId);
+      const hasEvaluated = params.coverage.evaluated_rule_ids.includes(ruleId);
+      return !hasActive || !hasEvaluated;
+    });
+    if (missingCriticalRuleIds.length === 0) {
+      continue;
+    }
+    missingCriticalRulesByPlatform.push(
+      `${platform}{missing_critical_rule_ids=[${missingCriticalRuleIds.join(', ')}]}`
+    );
+  }
+
+  if (missingCriticalRulesByPlatform.length > 0) {
+    violations.push(
+      toErrorViolation(
+        'EVIDENCE_PLATFORM_CRITICAL_SKILLS_RULES_MISSING',
+        `Detected platforms missing critical skill-rule enforcement in PRE_WRITE: ${missingCriticalRulesByPlatform.join(' | ')}.`
+      )
+    );
+  }
+
+  return violations;
+};
+
+const collectPreWriteCrossPlatformCriticalViolations = (params: {
+  evidence: Extract<EvidenceReadResult, { kind: 'valid' }>['evidence'];
+  coverage: NonNullable<Extract<EvidenceReadResult, { kind: 'valid' }>['evidence']['snapshot']['rules_coverage']>;
+}): AiGateViolation[] => {
+  const detectedPlatforms = toDetectedSkillsPlatforms(params.evidence.platforms);
+  if (detectedPlatforms.length === 0) {
+    return [];
+  }
+
+  const missingCriticalCoverage: string[] = [];
+  for (const platform of detectedPlatforms) {
+    const requiredRuleIds = PREWRITE_TRANSVERSAL_CRITICAL_SKILLS_RULES[platform];
+    if (requiredRuleIds.length === 0) {
+      continue;
+    }
+
+    const hasCoverage = requiredRuleIds.some((ruleId) =>
+      params.coverage.active_rule_ids.includes(ruleId) &&
+      params.coverage.evaluated_rule_ids.includes(ruleId)
+    );
+
+    if (hasCoverage) {
+      continue;
+    }
+
+    missingCriticalCoverage.push(
+      `${platform}{required_any=[${requiredRuleIds.join(', ')}]}`
+    );
+  }
+
+  if (missingCriticalCoverage.length === 0) {
+    return [];
+  }
+
+  return [
+    toErrorViolation(
+      'EVIDENCE_CROSS_PLATFORM_CRITICAL_ENFORCEMENT_INCOMPLETE',
+      `Cross-platform critical enforcement incomplete in PRE_WRITE: ${missingCriticalCoverage.join(' | ')}.`
+    ),
+  ];
+};
+
+const toSkillsContractAssessment = (params: {
+  stage: AiGateStage;
+  evidenceResult: EvidenceReadResult;
+}): AiGateSkillsContractAssessment => {
+  if (params.evidenceResult.kind !== 'valid') {
+    return {
+      stage: params.stage,
+      enforced: false,
+      status: 'NOT_APPLICABLE',
+      detected_platforms: [],
+      requirements: [],
+      violations: [],
+    };
+  }
+
+  const coverage = params.evidenceResult.evidence.snapshot.rules_coverage;
+  const detectedPlatforms = toDetectedSkillsPlatforms(params.evidenceResult.evidence.platforms);
+  if (detectedPlatforms.length === 0) {
+    return {
+      stage: params.stage,
+      enforced: false,
+      status: 'NOT_APPLICABLE',
+      detected_platforms: [],
+      requirements: [],
+      violations: [],
+    };
+  }
+
+  const activeSkillsBundles = new Set(
+    params.evidenceResult.evidence.rulesets
+      .filter((ruleset) => ruleset.platform === 'skills')
+      .map((ruleset) => toNormalizedSkillsBundleName(ruleset.bundle))
+      .filter((bundle) => bundle.length > 0)
+  );
+
+  const requirements: AiGateSkillsContractPlatformRequirement[] = [];
+  const violations: AiGateViolation[] = [];
+  for (const platform of detectedPlatforms) {
+    const requiredRulePrefix = PLATFORM_SKILLS_RULE_PREFIXES[platform];
+    const requiredBundles = [...PLATFORM_REQUIRED_SKILLS_BUNDLES[platform]];
+    const requiredCriticalRuleIds = [...PREWRITE_CRITICAL_SKILLS_RULES[platform]];
+    const requiredAnyTransversalCriticalRuleIds = [
+      ...PREWRITE_TRANSVERSAL_CRITICAL_SKILLS_RULES[platform],
+    ];
+    const activePrefixCovered = coverage
+      ? coverage.active_rule_ids.some((ruleId) => ruleId.startsWith(requiredRulePrefix))
+      : false;
+    const evaluatedPrefixCovered = coverage
+      ? coverage.evaluated_rule_ids.some((ruleId) => ruleId.startsWith(requiredRulePrefix))
+      : false;
+    const missingBundles = requiredBundles.filter(
+      (bundleName) => !activeSkillsBundles.has(bundleName)
+    );
+    const missingCriticalRuleIds = coverage
+      ? requiredCriticalRuleIds.filter((ruleId) => {
+          const hasActive = coverage.active_rule_ids.includes(ruleId);
+          const hasEvaluated = coverage.evaluated_rule_ids.includes(ruleId);
+          return !hasActive || !hasEvaluated;
+        })
+      : [...requiredCriticalRuleIds];
+    const transversalCriticalCovered =
+      requiredAnyTransversalCriticalRuleIds.length === 0
+        ? true
+        : coverage
+          ? requiredAnyTransversalCriticalRuleIds.some((ruleId) =>
+              coverage.active_rule_ids.includes(ruleId)
+              && coverage.evaluated_rule_ids.includes(ruleId)
+            )
+          : false;
+    const missingAnyTransversalCriticalRuleIds = transversalCriticalCovered
+      ? []
+      : [...requiredAnyTransversalCriticalRuleIds];
+
+    requirements.push({
+      platform,
+      required_rule_prefix: requiredRulePrefix,
+      required_bundles: requiredBundles,
+      required_critical_rule_ids: requiredCriticalRuleIds,
+      required_any_transversal_critical_rule_ids: requiredAnyTransversalCriticalRuleIds,
+      active_prefix_covered: activePrefixCovered,
+      evaluated_prefix_covered: evaluatedPrefixCovered,
+      missing_bundles: missingBundles,
+      missing_critical_rule_ids: missingCriticalRuleIds,
+      transversal_critical_covered: transversalCriticalCovered,
+      missing_any_transversal_critical_rule_ids: missingAnyTransversalCriticalRuleIds,
+    });
+
+    if (!activePrefixCovered || !evaluatedPrefixCovered) {
+      const missingParts: string[] = [];
+      if (!activePrefixCovered) {
+        missingParts.push('active_prefix');
+      }
+      if (!evaluatedPrefixCovered) {
+        missingParts.push('evaluated_prefix');
+      }
+      violations.push(
+        toErrorViolation(
+          'EVIDENCE_PLATFORM_SKILLS_SCOPE_INCOMPLETE',
+          `Skills contract scope coverage missing for ${platform}: ${missingParts.join(', ')} (${requiredRulePrefix}).`
+        )
+      );
+    }
+    if (missingBundles.length > 0) {
+      violations.push(
+        toErrorViolation(
+          'EVIDENCE_PLATFORM_SKILLS_BUNDLES_MISSING',
+          `Skills contract missing bundles for ${platform}: [${missingBundles.join(', ')}].`
+        )
+      );
+    }
+    if (missingCriticalRuleIds.length > 0) {
+      violations.push(
+        toErrorViolation(
+          'EVIDENCE_PLATFORM_CRITICAL_SKILLS_RULES_MISSING',
+          `Skills contract missing critical rule coverage for ${platform}: [${missingCriticalRuleIds.join(', ')}].`
+        )
+      );
+    }
+    if (!transversalCriticalCovered && requiredAnyTransversalCriticalRuleIds.length > 0) {
+      violations.push(
+        toErrorViolation(
+          'EVIDENCE_CROSS_PLATFORM_CRITICAL_ENFORCEMENT_INCOMPLETE',
+          `Skills contract missing transversal critical coverage for ${platform}: required_any=[${requiredAnyTransversalCriticalRuleIds.join(', ')}].`
+        )
+      );
+    }
+  }
+
+  return {
+    stage: params.stage,
+    enforced: true,
+    status: violations.length === 0 ? 'PASS' : 'FAIL',
+    detected_platforms: detectedPlatforms,
+    requirements,
+    violations,
+  };
+};
+
 const collectPreWriteCoherenceViolations = (params: {
   evidence: Extract<EvidenceReadResult, { kind: 'valid' }>['evidence'];
   repoRoot: string;
   repoState: RepoState;
   nowMs: number;
+  preWriteWorktreeHygiene: PreWriteWorktreeHygienePolicy;
 }): AiGateViolation[] => {
   const violations: AiGateViolation[] = [];
   const evidenceRepoRoot = params.evidence.repo_state?.repo_root;
@@ -216,6 +663,27 @@ const collectPreWriteCoherenceViolations = (params: {
         )
       );
     }
+
+    violations.push(
+      ...collectActiveRuleIdsCoverageViolations({
+        stage: 'PRE_WRITE',
+        evidence: params.evidence,
+        coverage,
+      })
+    );
+
+    violations.push(
+      ...collectPreWritePlatformSkillsViolations({
+        evidence: params.evidence,
+        coverage,
+      })
+    );
+    violations.push(
+      ...collectPreWriteCrossPlatformCriticalViolations({
+        evidence: params.evidence,
+        coverage,
+      })
+    );
   }
 
   if (isTimestampFuture(params.evidence.timestamp, params.nowMs)) {
@@ -227,6 +695,25 @@ const collectPreWriteCoherenceViolations = (params: {
     );
   }
 
+  if (params.preWriteWorktreeHygiene.enabled && params.repoState.git.available) {
+    const pendingChanges = params.repoState.git.staged + params.repoState.git.unstaged;
+    if (pendingChanges >= params.preWriteWorktreeHygiene.blockThreshold) {
+      violations.push(
+        toErrorViolation(
+          'EVIDENCE_PREWRITE_WORKTREE_OVER_LIMIT',
+          `PRE_WRITE hygiene exceeded: pending_changes=${pendingChanges} (block_threshold=${params.preWriteWorktreeHygiene.blockThreshold}). Split worktree into atomic slices.`
+        )
+      );
+    } else if (pendingChanges >= params.preWriteWorktreeHygiene.warnThreshold) {
+      violations.push(
+        toWarnViolation(
+          'EVIDENCE_PREWRITE_WORKTREE_WARN',
+          `PRE_WRITE hygiene warning: pending_changes=${pendingChanges} (warn_threshold=${params.preWriteWorktreeHygiene.warnThreshold}). Consider splitting worktree into smaller slices.`
+        )
+      );
+    }
+  }
+
   return violations;
 };
 
@@ -236,7 +723,8 @@ const collectEvidenceViolations = (
   repoState: RepoState,
   stage: AiGateStage,
   nowMs: number,
-  maxAgeSecondsByStage: Readonly<Record<AiGateStage, number>>
+  maxAgeSecondsByStage: Readonly<Record<AiGateStage, number>>,
+  preWriteWorktreeHygiene: PreWriteWorktreeHygienePolicy
 ): { violations: AiGateViolation[]; ageSeconds: number | null } => {
   const violations: AiGateViolation[] = [];
   const maxAgeSeconds = maxAgeSecondsByStage[stage];
@@ -287,6 +775,7 @@ const collectEvidenceViolations = (
         repoRoot,
         repoState,
         nowMs,
+        preWriteWorktreeHygiene,
       })
     );
   }
@@ -473,6 +962,7 @@ export const evaluateAiGate = (
     maxAgeSecondsByStage?: Readonly<Record<AiGateStage, number>>;
     protectedBranches?: ReadonlyArray<string>;
     requireMcpReceipt?: boolean;
+    preWriteWorktreeHygiene?: Partial<PreWriteWorktreeHygienePolicy>;
   },
   dependencies: Partial<AiGateDependencies> = {}
 ): AiGateCheckResult => {
@@ -481,6 +971,9 @@ export const evaluateAiGate = (
     ...dependencies,
   };
   const maxAgeSecondsByStage = params.maxAgeSecondsByStage ?? DEFAULT_MAX_AGE_SECONDS;
+  const preWriteWorktreeHygiene = resolvePreWriteWorktreeHygienePolicy(
+    params.preWriteWorktreeHygiene
+  );
   const protectedBranches = new Set(params.protectedBranches ?? Array.from(DEFAULT_PROTECTED_BRANCHES));
   const nowMs = activeDependencies.now();
   const evidenceResult = activeDependencies.readEvidenceResult(params.repoRoot);
@@ -496,7 +989,8 @@ export const evaluateAiGate = (
     repoState,
     params.stage,
     nowMs,
-    maxAgeSecondsByStage
+    maxAgeSecondsByStage,
+    preWriteWorktreeHygiene
   );
   const mcpReceiptAssessment = collectMcpReceiptViolations({
     required: params.requireMcpReceipt ?? false,
@@ -507,8 +1001,22 @@ export const evaluateAiGate = (
     readMcpAiGateReceipt: activeDependencies.readMcpAiGateReceipt,
   });
   const gitflowViolations = collectGitflowViolations(repoState, protectedBranches);
+  const skillsContract = toSkillsContractAssessment({
+    stage: params.stage,
+    evidenceResult,
+  });
+  const stageSkillsContractViolations =
+    params.stage === 'PRE_WRITE' || skillsContract.status !== 'FAIL'
+      ? []
+      : [
+          toErrorViolation(
+            'EVIDENCE_SKILLS_CONTRACT_INCOMPLETE',
+            `Skills contract incomplete for ${params.stage}: ${skillsContract.violations.map((violation) => violation.code).join(', ')}.`
+          ),
+        ];
   const violations = [
     ...evidenceAssessment.violations,
+    ...stageSkillsContractViolations,
     ...gitflowViolations,
     ...mcpReceiptAssessment.violations,
   ];
@@ -538,6 +1046,7 @@ export const evaluateAiGate = (
       max_age_seconds: mcpReceiptAssessment.maxAgeSeconds,
       age_seconds: mcpReceiptAssessment.ageSeconds,
     },
+    skills_contract: skillsContract,
     repo_state: repoState,
     violations,
   };

package/integrations/git/GitService.ts

@@ -26,7 +26,11 @@ const assertSafeGitArgs = (args: ReadonlyArray<string>): void => {
 export class GitService implements IGitService {
   runGit(args: ReadonlyArray<string>, cwd?: string): string {
     assertSafeGitArgs(args);
-    return runBinarySync('git', [...args], { cwd, encoding: 'utf8' });
+    return runBinarySync('git', [...args], {
+      cwd,
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'pipe'],
+    });
   }
 
   getStagedFacts(extensions: ReadonlyArray<string>): ReadonlyArray<Fact> {