qualia-framework 6.2.9 → 6.3.0

package/tests/hooks.test.sh

@@ -154,6 +154,46 @@ echo '{"role":""}' > "$TMP/.claude/.qualia-config.json"
 assert_exit "empty role field → blocked" 2 $?
 rm -rf "$TMP"
 
+# --- fawzi-approval-guard.js ---
+echo ""
+echo "fawzi-approval-guard:"
+
+TMP=$(mktemp -d)
+mkdir -p "$TMP/.claude"
+cat > "$TMP/.claude/.qualia-config.json" <<'EOF'
+{"code":"QS-HASAN-02","installed_by":"Hasan","role":"EMPLOYEE","erp":{"enabled":false}}
+EOF
+OUT=$(echo '{"tool_input":{"content":"Fawzi said ok, ship it now."}}' | HOME="$TMP" $NODE "$HOOKS_DIR/fawzi-approval-guard.js" 2>&1)
+RC=$?
+if [ "$RC" -eq 0 ] \
+   && [ -z "$OUT" ] \
+   && [ -f "$TMP/.claude/.approval-policy-events.json" ] \
+   && grep -q '"proxy_owner_approval_claim"' "$TMP/.claude/.approval-policy-events.json" \
+   && grep -q '"total": 1' "$TMP/.claude/.approval-policy-events.json"; then
+  echo "  ✓ employee proxy approval claim → silently recorded"
+  PASS=$((PASS + 1))
+else
+  echo "  ✗ employee proxy approval claim record failed (exit=$RC out=$OUT)"
+  FAIL=$((FAIL + 1))
+fi
+rm -rf "$TMP"
+
+TMP=$(mktemp -d)
+mkdir -p "$TMP/.claude"
+cat > "$TMP/.claude/.qualia-config.json" <<'EOF'
+{"code":"QS-FAWZI-11","installed_by":"Fawzi Goussous","role":"OWNER","erp":{"enabled":false}}
+EOF
+echo '{"tool_input":{"content":"Fawzi said ok, ship it now."}}' | HOME="$TMP" $NODE "$HOOKS_DIR/fawzi-approval-guard.js" >/dev/null 2>&1
+RC=$?
+if [ "$RC" -eq 0 ] && [ ! -f "$TMP/.claude/.approval-policy-events.json" ]; then
+  echo "  ✓ OWNER phrasing → not recorded as employee violation"
+  PASS=$((PASS + 1))
+else
+  echo "  ✗ OWNER phrasing should not record (exit=$RC)"
+  FAIL=$((FAIL + 1))
+fi
+rm -rf "$TMP"
+
 # --- pre-push.js ---
 echo ""
 echo "pre-push:"
@@ -184,6 +224,27 @@ rm -rf "$TMP"
 echo ""
 echo "pre-deploy-gate:"
 
+TMP=$(mktemp -d)
+mkdir -p "$TMP/.claude" "$TMP/proj/.planning"
+cat > "$TMP/.claude/.qualia-config.json" <<'EOF'
+{"code":"QS-HASAN-02","installed_by":"Hasan","role":"EMPLOYEE"}
+EOF
+cat > "$TMP/proj/.planning/tracking.json" <<'EOF'
+{"status":"built","verification":"pending","next_command":"/qualia-report"}
+EOF
+OUT=$(cd "$TMP/proj" && echo '{"tool_input":{"command":"QUALIA_SHIP_FORCE=1 vercel --prod"}}' | HOME="$TMP" $NODE "$HOOKS_DIR/pre-deploy-gate.js" 2>&1)
+RC=$?
+if [ "$RC" -eq 2 ] \
+   && echo "$OUT" | grep -q "OWNER-only" \
+   && echo "$OUT" | grep -q "/qualia-report"; then
+  echo "  ✓ employee force ship → blocked with short next command"
+  PASS=$((PASS + 1))
+else
+  echo "  ✗ employee force ship block failed (exit=$RC out=$OUT)"
+  FAIL=$((FAIL + 1))
+fi
+rm -rf "$TMP"
+
 # Empty project (no package.json, no tsconfig) → nothing to gate → exit 0
 TMP=$(mktemp -d)
 (cd "$TMP" && $NODE "$HOOKS_DIR/pre-deploy-gate.js" >/dev/null 2>&1)
@@ -338,6 +399,25 @@ Status: setup
 EOF
 (cd "$TMP" && $NODE "$HOOKS_DIR/session-start.js" >/dev/null 2>&1)
 assert_exit "exits 0 with STATE.md" 0 $?
+
+cat > "$TMP/.planning/work-packet.json" <<'EOF'
+{
+  "id": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
+  "project_id": "7b5d3b4e-2b8a-4de4-91a1-9b2f3182f5ef",
+  "deadline_date": "2026-06-01",
+  "next_command": "/qualia-verify",
+  "project": { "name": "Acme Portal" }
+}
+EOF
+OUT=$(cd "$TMP" && $NODE "$HOOKS_DIR/session-start.js" 2>&1)
+RC=$?
+if [ "$RC" -eq 0 ] && echo "$OUT" | grep -q "Acme Portal" && echo "$OUT" | grep -q "/qualia-verify"; then
+  echo "  ✓ renders local ERP work packet context"
+  PASS=$((PASS + 1))
+else
+  echo "  ✗ ERP work packet context missing (exit=$RC)"
+  FAIL=$((FAIL + 1))
+fi
 rm -rf "$TMP"
 
 # pre-compact.js removed in v6.2.0 — state.js journal provides crash safety.
@@ -348,7 +428,7 @@ echo "auto-update:"
 
 TMP=$(mktemp -d)
 mkdir -p "$TMP/.claude"
-echo '{"code":"QS-FAWZI-01","version":"99.99.99"}' > "$TMP/.claude/.qualia-config.json"
+echo '{"code":"QS-FAWZI-11","version":"99.99.99"}' > "$TMP/.claude/.qualia-config.json"
 HOME="$TMP" $NODE "$HOOKS_DIR/auto-update.js" >/dev/null 2>&1
 assert_exit "exits 0 (fast path)" 0 $?
 # Should now have cache file

package/tests/install-smoke.test.sh

@@ -61,8 +61,15 @@ fi
 
 tar -xzf "$TARBALL_PATH" -C "$TMP" 2>"$TMP/tar.err"
 if [ -f "$TMP/package/bin/install.js" ] \
+  && [ -f "$TMP/package/bin/runtime-manifest.js" ] \
+  && [ -f "$TMP/package/bin/command-surface.js" ] \
+  && [ -f "$TMP/package/bin/host-adapters.js" ] \
   && [ -f "$TMP/package/bin/report-payload.js" ] \
+  && [ -f "$TMP/package/bin/work-packet.js" ] \
   && [ -f "$TMP/package/bin/project-snapshot.js" ] \
+  && [ -f "$TMP/package/bin/harness-eval.js" ] \
+  && [ -f "$TMP/package/bin/planning-hygiene.js" ] \
+  && [ -f "$TMP/package/bin/state-ledger.js" ] \
   && [ -f "$TMP/package/AGENTS.md" ] \
   && [ -f "$TMP/package/CLAUDE.md" ]; then
   pass "tarball contains installer + Claude/Codex instruction roots"
@@ -70,7 +77,7 @@ else
   fail_case "tarball missing install surfaces" "$(cat "$TMP/tar.err" 2>/dev/null)"
 fi
 
-printf 'QS-FAWZI-01\n3\n' | HOME="$HOME_DIR" "$NODE" "$TMP/package/bin/install.js" >"$TMP/install.log" 2>&1
+printf 'QS-FAWZI-11\n3\n' | HOME="$HOME_DIR" "$NODE" "$TMP/package/bin/install.js" >"$TMP/install.log" 2>&1
 EXIT=$?
 if [ "$EXIT" -eq 0 ]; then
   pass "packaged installer exits 0 for target=Both"
@@ -89,14 +96,27 @@ fi
 if [ -f "$HOME_DIR/.codex/AGENTS.md" ] \
   && [ -f "$HOME_DIR/.codex/hooks.json" ] \
   && [ -f "$HOME_DIR/.codex/config.toml" ] \
+  && [ -f "$HOME_DIR/.codex/bin/runtime-manifest.js" ] \
+  && [ -f "$HOME_DIR/.codex/bin/command-surface.js" ] \
+  && [ -f "$HOME_DIR/.codex/bin/host-adapters.js" ] \
   && [ -f "$HOME_DIR/.codex/bin/statusline.js" ] \
+  && [ -f "$HOME_DIR/.codex/bin/state-ledger.js" ] \
+  && [ -f "$HOME_DIR/.codex/bin/contract-runner.js" ] \
+  && [ -f "$HOME_DIR/.codex/bin/harness-eval.js" ] \
+  && [ -f "$HOME_DIR/.codex/bin/trust-score.js" ] \
+  && [ -f "$HOME_DIR/.codex/bin/work-packet.js" ] \
   && [ -f "$HOME_DIR/.codex/bin/project-snapshot.js" ] \
+  && [ -f "$HOME_DIR/.codex/bin/planning-hygiene.js" ] \
   && [ -f "$HOME_DIR/.codex/agents/planner.toml" ] \
   && [ -f "$HOME_DIR/.codex/skills/qualia-new/SKILL.md" ] \
   && [ -f "$HOME_DIR/.codex/qualia-references/questioning.md" ] \
   && grep -q "Role: OWNER" "$HOME_DIR/.codex/AGENTS.md" \
   && ! grep -q "{{ROLE}}" "$HOME_DIR/.codex/AGENTS.md" \
+  && grep -q "status_line" "$HOME_DIR/.codex/config.toml" \
+  && grep -q "model-with-reasoning" "$HOME_DIR/.codex/config.toml" \
+  && grep -q "task-progress" "$HOME_DIR/.codex/config.toml" \
   && grep -q "pre-deploy-gate.js" "$HOME_DIR/.codex/hooks.json" \
+  && ! grep -R "\${QUALIA_BIN}" "$HOME_DIR/.codex/skills" >/dev/null 2>&1 \
   && ! grep -R "\.claude/bin" "$HOME_DIR/.codex/skills" >/dev/null 2>&1; then
   pass "Codex runtime installed with OWNER role"
 else
@@ -104,19 +124,29 @@ else
 fi
 
 if [ -d "$HOME_DIR/.claude/hooks" ] \
-  && [ "$(find "$HOME_DIR/.claude/hooks" -maxdepth 1 -name '*.js' | wc -l | tr -d ' ')" = "11" ] \
+  && [ "$(find "$HOME_DIR/.claude/hooks" -maxdepth 1 -name '*.js' | wc -l | tr -d ' ')" = "12" ] \
+  && [ -f "$HOME_DIR/.claude/hooks/fawzi-approval-guard.js" ] \
   && [ ! -f "$HOME_DIR/.claude/hooks/pre-compact.js" ]; then
-  pass "packaged install has 11 hooks and no pre-compact"
+  pass "packaged install has 12 hooks and no pre-compact"
 else
   fail_case "packaged hook set mismatch"
 fi
 
 if [ -f "$HOME_DIR/.claude/bin/report-payload.js" ] \
+  && [ -f "$HOME_DIR/.claude/bin/work-packet.js" ] \
   && [ -f "$HOME_DIR/.claude/bin/project-snapshot.js" ] \
+  && [ -f "$HOME_DIR/.claude/bin/runtime-manifest.js" ] \
+  && [ -f "$HOME_DIR/.claude/bin/command-surface.js" ] \
+  && [ -f "$HOME_DIR/.claude/bin/host-adapters.js" ] \
+  && [ -f "$HOME_DIR/.claude/bin/state-ledger.js" ] \
+  && [ -f "$HOME_DIR/.claude/bin/contract-runner.js" ] \
+  && [ -f "$HOME_DIR/.claude/bin/harness-eval.js" ] \
+  && [ -f "$HOME_DIR/.claude/bin/trust-score.js" ] \
+  && [ -f "$HOME_DIR/.claude/bin/planning-hygiene.js" ] \
   && grep -q "report-payload.js" "$HOME_DIR/.claude/skills/qualia-report/SKILL.md"; then
-  pass "packaged install includes ERP report/snapshot helpers"
+  pass "packaged install includes ERP report/snapshot + contract helpers"
 else
-  fail_case "packaged install missing ERP report/snapshot helpers"
+  fail_case "packaged install missing ERP report/snapshot/contract helpers"
 fi
 
 PKG_VERSION=$("$NODE" -e "console.log(require(process.argv[1]).version)" "$TMP/package/package.json")

package/tests/lib.test.sh

@@ -149,6 +149,123 @@ console.log(d2.drift ? "DRIFT-DETECTED" : "FAIL2");
 ' | tail -1 > /tmp/qfdrift.out
 [ "$(cat /tmp/qfdrift.out)" = "DRIFT-DETECTED" ] && ok "drift detection" || fail "drift detection: $(cat /tmp/qfdrift.out)"
 
+# CLI validate
+TMP=$(mktmp)
+cat > "$TMP/contract.json" <<JSON
+{
+  "version": 1,
+  "phase": 1,
+  "goal": "contract cli",
+  "why": "prove validator is executable",
+  "generated_at": "2026-05-23T00:00:00Z",
+  "generated_by": "manual",
+  "source_plan_hash": "",
+  "success_criteria": ["contract validates"],
+  "tasks": [{
+    "id": "T1",
+    "title": "Create evidence",
+    "wave": 1,
+    "depends_on": [],
+    "files_modify": [],
+    "files_create": ["out.txt"],
+    "files_delete": [],
+    "acceptance_criteria": ["out.txt exists"],
+    "action": "Create out.txt",
+    "context_files": [],
+    "verification": [{ "type": "file-exists", "path": "out.txt" }]
+  }]
+}
+JSON
+OUT=$($NODE "$PC" validate "$TMP/contract.json" 2>&1)
+[ "$OUT" = "VALID $TMP/contract.json" ] && ok "plan-contract CLI validates contract" || fail "plan-contract CLI validate: $OUT"
+
+# ─── contract-runner ───────────────────────────────────────
+
+CR="$FRAMEWORK_DIR/bin/contract-runner.js"
+$NODE --check "$CR" >/dev/null 2>&1 && ok "contract-runner.js parses" || fail "contract-runner.js parse"
+
+TMP=$(mktmp)
+mkdir -p "$TMP/src" "$TMP/.planning"
+echo "export const wired = true;" > "$TMP/src/feature.ts"
+cat > "$TMP/.planning/phase-1-contract.json" <<JSON
+{
+  "version": 1,
+  "phase": 1,
+  "goal": "runner pass",
+  "why": "prove checks execute",
+  "generated_at": "2026-05-23T00:00:00Z",
+  "generated_by": "manual",
+  "source_plan_hash": "",
+  "success_criteria": ["all checks pass"],
+  "tasks": [{
+    "id": "T1",
+    "title": "Check feature",
+    "wave": 1,
+    "depends_on": [],
+    "files_modify": ["src/feature.ts"],
+    "files_create": [],
+    "files_delete": [],
+    "acceptance_criteria": ["feature exists and is wired"],
+    "action": "Validate feature",
+    "context_files": [],
+    "verification": [
+      { "type": "file-exists", "path": "src/feature.ts", "must_contain": "wired" },
+      { "type": "grep-match", "path": "src/feature.ts", "pattern": "wired\\\\s*=\\\\s*true", "expect": "present" },
+      { "type": "command-exit", "command": "printf", "args": ["contract-ok"], "expected_exit": 0, "expect_stdout_match": "contract-ok" },
+      { "type": "behavioral", "description": "evidence file includes wired flag", "evidence_required": [{ "path": "src/feature.ts", "description": "feature evidence", "matcher": "wired" }] }
+    ]
+  }]
+}
+JSON
+OUT=$(cd "$TMP" && $NODE "$CR" .planning/phase-1-contract.json 2>&1)
+if echo "$OUT" | grep -q "PASS phase 1: 4 check" && [ -f "$TMP/.planning/evidence/phase-1-contract-run.json" ]; then
+  ok "contract-runner executes passing contract and writes evidence"
+else
+  fail "contract-runner pass/evidence: $OUT"
+fi
+
+OUT=$(cd "$TMP" && $NODE "$CR" .planning/phase-1-contract.json --json 2>/dev/null)
+if echo "$OUT" | grep -q '"ok": true' && echo "$OUT" | grep -q '"checked": 4'; then
+  ok "contract-runner --json reports checked count"
+else
+  fail "contract-runner json output: $OUT"
+fi
+
+TMP=$(mktmp)
+mkdir -p "$TMP/.planning"
+cat > "$TMP/.planning/phase-1-contract.json" <<JSON
+{
+  "version": 1,
+  "phase": 1,
+  "goal": "runner fail",
+  "why": "prove failures block",
+  "generated_at": "2026-05-23T00:00:00Z",
+  "generated_by": "manual",
+  "source_plan_hash": "",
+  "success_criteria": ["failure is detected"],
+  "tasks": [{
+    "id": "T1",
+    "title": "Missing file",
+    "wave": 1,
+    "depends_on": [],
+    "files_modify": [],
+    "files_create": [],
+    "files_delete": [],
+    "acceptance_criteria": ["missing file fails"],
+    "action": "Validate missing file",
+    "context_files": [],
+    "verification": [{ "type": "file-exists", "path": "missing.txt" }]
+  }]
+}
+JSON
+OUT=$(cd "$TMP" && $NODE "$CR" .planning/phase-1-contract.json 2>&1)
+EXIT=$?
+if [ "$EXIT" -eq 1 ] && echo "$OUT" | grep -q "missing file"; then
+  ok "contract-runner fails closed on failed check"
+else
+  fail "contract-runner failed-check behavior: exit=$EXIT out=$OUT"
+fi
+
 # ─── agent-runs ──────────────────────────────────────────
 
 AR="$FRAMEWORK_DIR/bin/agent-runs.js"
@@ -233,6 +350,321 @@ console.log("removed:" + r.removed);
 ')
 [ "$RES" = "removed:1" ] && ok "prune --before removes old records" || fail "prune: $RES"
 
+# ─── state-ledger ────────────────────────────────────────
+
+SL="$FRAMEWORK_DIR/bin/state-ledger.js"
+$NODE --check "$SL" >/dev/null 2>&1 && ok "state-ledger.js parses" || fail "state-ledger.js parse"
+
+HA="$FRAMEWORK_DIR/bin/host-adapters.js"
+$NODE --check "$HA" >/dev/null 2>&1 && ok "host-adapters.js parses" || fail "host-adapters.js parse"
+RES=$($NODE -e '
+const { renderText } = require("'"$HA"'");
+const c = renderText("node ${QUALIA_BIN}/state.js @${QUALIA_AGENTS}/planner.md", "codex");
+const d = renderText("node ${QUALIA_BIN}/state.js @${QUALIA_AGENTS}/planner.md", "claude");
+console.log(c.includes(".codex/bin/state.js") && c.includes(".codex/agents/planner.md") && d.includes(".claude/bin/state.js") ? "HOST-RENDER-OK" : c + "\n" + d);
+')
+[ "$RES" = "HOST-RENDER-OK" ] && ok "host-adapters renders Qualia path tokens per host" || fail "host-adapters render: $RES"
+
+CS="$FRAMEWORK_DIR/bin/command-surface.js"
+$NODE --check "$CS" >/dev/null 2>&1 && ok "command-surface.js parses" || fail "command-surface.js parse"
+RES=$($NODE -e '
+const cs = require("'"$CS"'");
+console.log(cs.ACTIVE_SKILLS.length === 23 && cs.RETIRED_SKILLS.includes("qualia-debug") && cs.RETIRED_SKILLS.includes("qualia-vibe") ? "SURFACE-OK" : JSON.stringify(cs));
+')
+[ "$RES" = "SURFACE-OK" ] && ok "command-surface defines 23 active skills and retired folds" || fail "command-surface manifest: $RES"
+RES=$($NODE -e '
+const fs = require("fs");
+const path = require("path");
+const root = "'"$FRAMEWORK_DIR"'";
+const { ACTIVE_SKILLS, RETIRED_SKILLS } = require(path.join(root, "bin/command-surface.js"));
+const dirs = fs.readdirSync(path.join(root, "skills"), { withFileTypes: true })
+  .filter((d) => d.isDirectory())
+  .map((d) => d.name)
+  .sort();
+const active = [...ACTIVE_SKILLS].sort();
+const extra = dirs.filter((d) => !active.includes(d));
+const missing = active.filter((d) => !dirs.includes(d));
+const retiredPresent = RETIRED_SKILLS.filter((d) => dirs.includes(d));
+console.log(!extra.length && !missing.length && !retiredPresent.length ? "SKILL-DIRS-OK" : JSON.stringify({ extra, missing, retiredPresent }));
+')
+[ "$RES" = "SKILL-DIRS-OK" ] && ok "skills directory matches active command surface only" || fail "skill directory surface: $RES"
+
+TMP=$(mktmp)
+RES=$(cd "$TMP" && $NODE -e '
+const ledger = require("'"$SL"'");
+const fs = require("fs");
+fs.mkdirSync(".planning", { recursive: true });
+ledger.append(process.cwd(), {
+  action: "init",
+  status_after: "setup",
+  phase_after: 1,
+  state_raw_after: "state-1",
+  tracking_raw_after: "{\"status\":\"setup\"}"
+});
+ledger.append(process.cwd(), {
+  action: "transition",
+  status_before: "setup",
+  status_after: "planned",
+  phase_before: 1,
+  phase_after: 1,
+  state_raw_before: "state-1",
+  state_raw_after: "state-2",
+  tracking_raw_before: "{\"status\":\"setup\"}",
+  tracking_raw_after: "{\"status\":\"planned\"}",
+  evidence_refs: [".planning/phase-1-plan.md"]
+});
+const v = ledger.validate(process.cwd());
+const lines = fs.readFileSync(ledger.ledgerPath(process.cwd()), "utf8").trim().split(/\n/);
+console.log(v.ok && v.count === 2 && lines.length === 2 ? "CHAIN-OK" : JSON.stringify(v));
+')
+[ "$RES" = "CHAIN-OK" ] && ok "state-ledger appends and validates hash chain" || fail "state-ledger chain: $RES"
+
+RES=$(cd "$TMP" && $NODE -e '
+const ledger = require("'"$SL"'");
+const fs = require("fs");
+const file = ledger.ledgerPath(process.cwd());
+const lines = fs.readFileSync(file, "utf8").trim().split(/\n/);
+const first = JSON.parse(lines[0]);
+first.status_after = "tampered";
+lines[0] = JSON.stringify(first);
+fs.writeFileSync(file, lines.join("\n") + "\n");
+const v = ledger.validate(process.cwd());
+console.log(!v.ok && v.errors.some(e => /event_hash/.test(e)) ? "TAMPER-DETECTED" : JSON.stringify(v));
+')
+[ "$RES" = "TAMPER-DETECTED" ] && ok "state-ledger detects tampered event" || fail "state-ledger tamper: $RES"
+
+# ─── trust-score ─────────────────────────────────────────
+
+PH="$FRAMEWORK_DIR/bin/planning-hygiene.js"
+$NODE --check "$PH" >/dev/null 2>&1 && ok "planning-hygiene.js parses" || fail "planning-hygiene.js parse"
+
+TMP=$(mktmp)
+mkdir -p "$TMP/.planning"
+touch "$TMP/.planning/PROJECT.md"
+touch "$TMP/.planning/phase-1-plan.md"
+OUT=$(cd "$TMP" && $NODE "$PH" scan 2>&1)
+EXIT=$?
+if [ "$EXIT" -eq 0 ] && echo "$OUT" | grep -q "clean"; then
+  ok "planning-hygiene clean project passes"
+else
+  fail "planning-hygiene clean project: exit=$EXIT out=$OUT"
+fi
+
+TMP=$(mktmp)
+mkdir -p "$TMP/.planning"
+echo debug > "$TMP/.planning/DEBUG-2026-05-23-0100.md"
+echo fix > "$TMP/.planning/FIX-2026-05-23-0101.md"
+echo review > "$TMP/.planning/REVIEW.md"
+echo image > "$TMP/.planning/vibe-after.png"
+OUT=$(cd "$TMP" && $NODE "$PH" scan --json 2>&1)
+EXIT=$?
+if [ "$EXIT" -eq 1 ] \
+  && echo "$OUT" | grep -q '"status": "needs_organizing"' \
+  && echo "$OUT" | grep -q 'reports/debug/DEBUG-2026-05-23-0100.md' \
+  && echo "$OUT" | grep -q 'reports/fix/FIX-2026-05-23-0101.md' \
+  && echo "$OUT" | grep -q 'reports/review/REVIEW.md' \
+  && echo "$OUT" | grep -q 'assets/vibe/vibe-after.png'; then
+  ok "planning-hygiene routes loose artifacts"
+else
+  fail "planning-hygiene loose routing: exit=$EXIT out=$OUT"
+fi
+
+OUT=$(cd "$TMP" && $NODE "$PH" organize --write 2>&1)
+EXIT=$?
+if [ "$EXIT" -eq 0 ] \
+  && [ -f "$TMP/.planning/reports/debug/DEBUG-2026-05-23-0100.md" ] \
+  && [ -f "$TMP/.planning/reports/fix/FIX-2026-05-23-0101.md" ] \
+  && [ -f "$TMP/.planning/reports/review/REVIEW.md" ] \
+  && [ -f "$TMP/.planning/assets/vibe/vibe-after.png" ]; then
+  ok "planning-hygiene organize moves loose artifacts"
+else
+  fail "planning-hygiene organize: exit=$EXIT out=$OUT"
+fi
+
+TS="$FRAMEWORK_DIR/bin/trust-score.js"
+$NODE --check "$TS" >/dev/null 2>&1 && ok "trust-score.js parses" || fail "trust-score.js parse"
+
+HE="$FRAMEWORK_DIR/bin/harness-eval.js"
+$NODE --check "$HE" >/dev/null 2>&1 && ok "harness-eval.js parses" || fail "harness-eval.js parse"
+
+TMP=$(mktmp)
+OUT=$(cd "$TMP" && $NODE "$HE" --json 2>/dev/null)
+EXIT=$?
+if [ "$EXIT" -eq 1 ] && echo "$OUT" | grep -q '"status": "FAIL"' && echo "$OUT" | grep -q 'No .planning directory'; then
+  ok "harness-eval fails closed without planning state"
+else
+  fail "harness-eval no-planning behavior: exit=$EXIT out=$OUT"
+fi
+
+TMP=$(mktmp)
+mkdir -p "$TMP/home/.claude/bin" "$TMP/home/.claude/hooks" "$TMP/home/.claude/knowledge/daily-log" "$TMP/home/.claude/qualia-design" "$TMP/home/.claude/agents" "$TMP/home/.claude/qualia-templates" "$TMP/project"
+echo '{"installed_by":"Test","role":"OWNER","version":"6.3.0","erp":{"enabled":false}}' > "$TMP/home/.claude/.qualia-config.json"
+touch "$TMP/home/.claude/CLAUDE.md" "$TMP/home/.claude/settings.json"
+for f in runtime-manifest.js command-surface.js host-adapters.js state.js qualia-ui.js statusline.js knowledge.js knowledge-flush.js state-ledger.js plan-contract.js contract-runner.js harness-eval.js trust-score.js agent-runs.js slop-detect.mjs erp-retry.js work-packet.js report-payload.js project-snapshot.js codex-goal.js planning-hygiene.js; do
+  touch "$TMP/home/.claude/bin/$f"
+done
+for h in session-start.js auto-update.js branch-guard.js pre-push.js pre-deploy-gate.js migration-guard.js git-guardrails.js stop-session-log.js fawzi-approval-guard.js vercel-account-guard.js env-empty-guard.js supabase-destructive-guard.js; do
+  touch "$TMP/home/.claude/hooks/$h"
+done
+touch "$TMP/home/.claude/knowledge/index.md" "$TMP/home/.claude/knowledge/agents.md" "$TMP/home/.claude/agents/visual-evaluator.md" "$TMP/home/.claude/qualia-guide.md" "$TMP/home/.claude/qualia-templates/help.html"
+for f in design-laws.md design-rubric.md design-brand.md design-product.md design-reference.md frontend.md graphics.md; do
+  touch "$TMP/home/.claude/qualia-design/$f"
+done
+for s in qualia qualia-new qualia-discuss qualia-map qualia-research qualia-plan qualia-build qualia-verify qualia-fix qualia-feature qualia-review qualia-optimize qualia-polish qualia-test qualia-milestone qualia-ship qualia-handoff qualia-report qualia-doctor qualia-road qualia-learn qualia-postmortem zoho-workflow; do
+  mkdir -p "$TMP/home/.claude/skills/$s"
+  touch "$TMP/home/.claude/skills/$s/SKILL.md"
+done
+(
+  cd "$TMP/project" || exit 1
+  HOME="$TMP/home" $NODE "$FRAMEWORK_DIR/bin/state.js" init --project "HarnessEvalProject" --phases '[{"name":"Foundation","goal":"Eval"}]' >/dev/null 2>&1
+)
+cat > "$TMP/project/eval-target.txt" <<'EOF'
+contract ok
+EOF
+cat > "$TMP/project/.planning/phase-1-plan.md" <<'EOF'
+# Phase 1 Plan
+
+## Task 1
+Create the eval target.
+
+**Acceptance Criteria:**
+- eval target exists
+
+## Success Criteria
+- [x] eval target exists
+EOF
+$NODE -e '
+const fs = require("fs");
+const path = require("path");
+const pc = require("'"$PC"'");
+const root = "'"$TMP"'/project";
+const plan = fs.readFileSync(path.join(root, ".planning/phase-1-plan.md"), "utf8");
+const trackingPath = path.join(root, ".planning/tracking.json");
+const tracking = JSON.parse(fs.readFileSync(trackingPath, "utf8"));
+Object.assign(tracking, {
+  project_id: "harness-eval-project",
+  erp_project_id: "7b5d3b4e-2b8a-4de4-91a1-9b2f3182f5ef",
+  phase_name: "Foundation",
+  tasks_done: 1,
+  tasks_total: 1
+});
+fs.writeFileSync(trackingPath, JSON.stringify(tracking, null, 2) + "\n");
+const contract = {
+  version: 1,
+  phase: 1,
+  goal: "Harness eval positive path",
+  why: "Prove scoring writes artifacts and passes on machine evidence",
+  generated_at: "2026-05-23T00:00:00Z",
+  generated_by: "manual",
+  source_plan_hash: pc.hashPlan(plan),
+  success_criteria: ["eval target exists"],
+  tasks: [{
+    id: "T1",
+    title: "Eval target",
+    wave: 1,
+    depends_on: [],
+    files_modify: [],
+    files_create: ["eval-target.txt"],
+    files_delete: [],
+    acceptance_criteria: ["eval target exists"],
+    action: "Create eval target",
+    context_files: [],
+    verification: [
+      { type: "file-exists", path: "eval-target.txt", must_contain: "contract ok" },
+      { type: "command-exit", command: process.execPath, args: ["-e", "console.log(\"ok\")"], expected_exit: 0, expect_stdout_match: "ok" }
+    ]
+  }]
+};
+fs.writeFileSync(path.join(root, ".planning/phase-1-contract.json"), JSON.stringify(contract, null, 2) + "\n");
+fs.writeFileSync(path.join(root, ".planning/phase-1-verification.md"), "Result: PASS\n\nEvidence checked.\n");
+'
+OUT=$(cd "$TMP/project" && HOME="$TMP/home" $NODE "$HE" --phase 1 --run --write --json 2>/dev/null)
+EXIT=$?
+if [ "$EXIT" -eq 0 ] \
+  && echo "$OUT" | grep -q '"status": "PASS"' \
+  && echo "$OUT" | grep -q '"machine_evidence"' \
+  && [ -f "$TMP/project/.planning/evidence/phase-1-contract-run.json" ] \
+  && ls "$TMP/project"/.planning/evals/harness-eval-*.json >/dev/null 2>&1 \
+  && ls "$TMP/project"/.planning/evals/harness-eval-*.md >/dev/null 2>&1; then
+  ok "harness-eval passes with machine evidence and writes artifacts"
+else
+  fail "harness-eval positive path: exit=$EXIT out=$OUT"
+fi
+RES=$(cd "$TMP/project" && HOME="$TMP/home" $NODE -e '
+const path = require("path");
+const { latestEval } = require("'"$HE"'");
+const { buildPayload } = require("'"$FRAMEWORK_DIR"'/bin/report-payload.js");
+const { buildSnapshot } = require("'"$FRAMEWORK_DIR"'/bin/project-snapshot.js");
+const ev = latestEval(process.cwd());
+const payload = buildPayload({ cwd: process.cwd(), home: "'"$TMP"'/home", env: { SUBMITTED_BY: "Test", SUBMITTED_AT: "2026-05-23T00:30:00Z" } });
+const snapshot = buildSnapshot({ cwd: process.cwd(), home: "'"$TMP"'/home", now: "2026-05-23T00:30:00Z" });
+console.log(ev && payload.harness_eval && snapshot.quality.harness_eval && payload.harness_eval.score === ev.score && snapshot.quality.harness_eval.score === ev.score ? "ERP-EVAL-OK" : JSON.stringify({ ev, payload: payload.harness_eval, snapshot: snapshot.quality.harness_eval }));
+')
+[ "$RES" = "ERP-EVAL-OK" ] && ok "latest harness eval flows into ERP report and project snapshot" || fail "ERP harness eval wiring: $RES"
+
+TMP=$(mktmp)
+OUT=$(HOME="$TMP" $NODE "$TS" --json 2>/dev/null)
+EXIT=$?
+if [ "$EXIT" -eq 1 ] && echo "$OUT" | grep -q '"status": "FAIL"'; then
+  ok "trust-score fails closed when no install exists"
+else
+  fail "trust-score no-install behavior: exit=$EXIT out=$OUT"
+fi
+
+TMP=$(mktmp)
+mkdir -p "$TMP/.claude/bin" "$TMP/.claude/hooks" "$TMP/.claude/knowledge/daily-log" "$TMP/.claude/qualia-design" "$TMP/.claude/agents" "$TMP/.claude/qualia-templates" "$TMP/project/.planning"
+echo '{"installed_by":"Test","role":"OWNER","erp":{"enabled":false}}' > "$TMP/.claude/.qualia-config.json"
+touch "$TMP/.claude/CLAUDE.md" "$TMP/.claude/settings.json"
+for f in runtime-manifest.js command-surface.js host-adapters.js state.js qualia-ui.js statusline.js knowledge.js knowledge-flush.js state-ledger.js plan-contract.js contract-runner.js harness-eval.js trust-score.js agent-runs.js slop-detect.mjs erp-retry.js work-packet.js report-payload.js project-snapshot.js codex-goal.js planning-hygiene.js; do
+  touch "$TMP/.claude/bin/$f"
+done
+for h in session-start.js auto-update.js branch-guard.js pre-push.js pre-deploy-gate.js migration-guard.js git-guardrails.js stop-session-log.js fawzi-approval-guard.js vercel-account-guard.js env-empty-guard.js supabase-destructive-guard.js; do
+  touch "$TMP/.claude/hooks/$h"
+done
+touch "$TMP/.claude/knowledge/index.md" "$TMP/.claude/knowledge/agents.md"
+for f in design-laws.md design-rubric.md design-brand.md design-product.md design-reference.md frontend.md graphics.md; do
+  touch "$TMP/.claude/qualia-design/$f"
+done
+for s in qualia qualia-new qualia-discuss qualia-map qualia-research qualia-plan qualia-build qualia-verify qualia-fix qualia-feature qualia-review qualia-optimize qualia-polish qualia-test qualia-milestone qualia-ship qualia-handoff qualia-report qualia-doctor qualia-road qualia-learn qualia-postmortem zoho-workflow; do
+  mkdir -p "$TMP/.claude/skills/$s"
+  touch "$TMP/.claude/skills/$s/SKILL.md"
+done
+touch "$TMP/.claude/agents/visual-evaluator.md" "$TMP/.claude/qualia-guide.md" "$TMP/.claude/qualia-templates/help.html"
+cat > "$TMP/project/.planning/STATE.md" <<'EOF'
+Phase: 1 of 1 — Trust
+Status: planned
+EOF
+echo '{"phase":1,"status":"planned"}' > "$TMP/project/.planning/tracking.json"
+cat > "$TMP/project/.planning/phase-1-plan.md" <<'EOF'
+---
+goal: trust
+---
+# Plan
+## Task 1
+**Acceptance Criteria:**
+- ok
+## Success Criteria
+- [ ] ok
+EOF
+$NODE -e '
+const ledger = require("'"$SL"'");
+ledger.append("'"$TMP"'/project", {
+  action: "init",
+  status_after: "planned",
+  phase_after: 1,
+  state_raw_after: "Phase: 1 of 1\nStatus: planned\n",
+  tracking_raw_after: "{\"phase\":1,\"status\":\"planned\"}"
+});
+' >/dev/null
+OUT=$(cd "$TMP/project" && HOME="$TMP" $NODE "$TS" --json 2>/dev/null)
+if echo "$OUT" | grep -q '"status": "DEGRADED"' \
+   && echo "$OUT" | grep -q '"score": 88' \
+   && echo "$OUT" | grep -q 'JSON contract missing'; then
+  ok "trust-score reports 88 degraded when only contract is missing"
+else
+  fail "trust-score degraded contract score: $OUT"
+fi
+
 echo ""
 echo "lib.test.sh: $PASS passed, $FAIL failed"
 [ "$FAIL" -eq 0 ]

package/tests/published-install-smoke.test.sh

@@ -69,7 +69,7 @@ else
   exit 1
 fi
 
-printf 'QS-FAWZI-01\n3\n' >"$TMP/install.input"
+printf 'QS-FAWZI-11\n3\n' >"$TMP/install.input"
 timeout "$INSTALL_TIMEOUT_SECONDS" env \
   HOME="$HOME_DIR" \
   NPM_CONFIG_CACHE="$CACHE_DIR" \
@@ -102,9 +102,10 @@ else
 fi
 
 if [ -d "$HOME_DIR/.claude/hooks" ] \
-  && [ "$(find "$HOME_DIR/.claude/hooks" -maxdepth 1 -name '*.js' | wc -l | tr -d ' ')" = "11" ] \
+  && [ "$(find "$HOME_DIR/.claude/hooks" -maxdepth 1 -name '*.js' | wc -l | tr -d ' ')" = "12" ] \
+  && [ -f "$HOME_DIR/.claude/hooks/fawzi-approval-guard.js" ] \
   && [ ! -f "$HOME_DIR/.claude/hooks/pre-compact.js" ]; then
-  pass "public install has 11 hooks and no pre-compact"
+  pass "public install has 12 hooks and no pre-compact"
 else
   fail_case "public install hook set mismatch"
 fi