qualia-framework 7.0.0 → 7.1.0

package/hooks/secret-guard.js

@@ -0,0 +1,162 @@
+#!/usr/bin/env node
+// ~/.claude/hooks/secret-guard.js — block commits that stage secrets.
+//
+// Constitution non-negotiables: the service_role key is server-only and must
+// never be committed; .env files must never be committed. Those were prose-only
+// until now. This is the deterministic gate: a PreToolUse hook on
+// `git commit*` that scans STAGED content (git diff --cached) for high-signal
+// secret patterns and a staged `.env` file, and BLOCKS the commit (exit 2) if
+// any are found.
+//
+// Design mirrors pre-deploy-gate.js: self-filter on the command, fail-CLOSED on
+// a real match, OWNER-only escape (QUALIA_SECRET_SKIP=1), trace every decision.
+// It NEVER prints the matched secret value — only the pattern name and file.
+//
+// Exits 2 to BLOCK. Exits 0 to allow. Cross-platform. No external deps.
+
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+const { spawnSync } = require("child_process");
+
+const _traceStart = Date.now();
+
+function qualiaHome() {
+  if (process.env.QUALIA_HOME) return process.env.QUALIA_HOME;
+  const parent = path.basename(path.dirname(__dirname));
+  if (parent === ".codex" || parent === ".claude") return path.dirname(__dirname);
+  return path.join(os.homedir(), ".claude");
+}
+
+const QUALIA_HOME = qualiaHome();
+const CONFIG = path.join(QUALIA_HOME, ".qualia-config.json");
+const SHELL = process.platform === "win32";
+let HOOK_COMMAND = null;
+
+// Self-filter: only act on `git commit`. Direct invocation (no stdin) runs the
+// full scan so the test suite and manual runs work.
+(function selfFilter() {
+  if (process.stdin.isTTY) return;
+  let command = null;
+  try {
+    const raw = fs.readFileSync(0, "utf8");
+    if (raw) {
+      const payload = JSON.parse(raw);
+      command = (payload && payload.tool_input && payload.tool_input.command) || "";
+    }
+  } catch {}
+  if (command === null) return; // no/!malformed stdin — run full scan
+  HOOK_COMMAND = command;
+  if (!/\bgit\s+commit\b/.test(command)) process.exit(0);
+})();
+
+function readConfig() {
+  try {
+    return JSON.parse(fs.readFileSync(CONFIG, "utf8"));
+  } catch {
+    return {};
+  }
+}
+
+function _trace(result, extra) {
+  try {
+    const traceDir = path.join(QUALIA_HOME, ".qualia-traces");
+    if (!fs.existsSync(traceDir)) fs.mkdirSync(traceDir, { recursive: true });
+    const entry = { hook: "secret-guard", result, timestamp: new Date().toISOString(), duration_ms: Date.now() - _traceStart, ...extra };
+    fs.appendFileSync(path.join(traceDir, `${new Date().toISOString().split("T")[0]}.jsonl`), JSON.stringify(entry) + "\n");
+  } catch {}
+}
+
+// High-signal secret patterns. Narrow on purpose — false positives on a commit
+// gate are expensive, so each pattern targets a real credential shape.
+const SECRET_PATTERNS = [
+  { name: "private key block", re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----/ },
+  { name: "AWS access key id", re: /\bAKIA[0-9A-Z]{16}\b/ },
+  { name: "OpenAI/Anthropic-style secret key", re: /\bsk-[A-Za-z0-9_-]{20,}\b/ },
+  { name: "GitHub token", re: /\bgh[pousr]_[A-Za-z0-9]{30,}\b/ },
+  { name: "Supabase service_role key assignment", re: /SUPABASE_SERVICE_ROLE_KEY\s*[:=]\s*['"]?[A-Za-z0-9._-]{20,}/ },
+  { name: "service_role JWT", re: /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}[\s\S]{0,400}service_role/ },
+];
+
+// A staged .env file (real env, not an example/template) is a leak by itself.
+function stagedEnvFiles(names) {
+  return names.filter((f) => {
+    const base = path.basename(f);
+    if (!/^\.env(\.|$)/.test(base)) return false;
+    return !/\.(example|sample|template|dist)$/.test(base) && base !== ".env.example";
+  });
+}
+
+function git(args) {
+  return spawnSync("git", args, { encoding: "utf8", timeout: 8000, shell: SHELL });
+}
+
+function scan() {
+  // Staged file names.
+  const nameRes = git(["diff", "--cached", "--name-only"]);
+  if (nameRes.status !== 0) return { skipped: "not-a-repo-or-git-error" };
+  const names = (nameRes.stdout || "").split(/\r?\n/).filter(Boolean);
+  if (names.length === 0) return { clean: true, reason: "nothing-staged" };
+
+  const findings = [];
+
+  for (const env of stagedEnvFiles(names)) {
+    findings.push({ file: env, pattern: "staged .env file (never commit secrets)" });
+  }
+
+  // Added lines only (the `+` side of the staged diff).
+  const diffRes = git(["diff", "--cached", "--unified=0"]);
+  const diff = diffRes.stdout || "";
+  let currentFile = "?";
+  for (const line of diff.split(/\r?\n/)) {
+    if (line.startsWith("+++ b/")) { currentFile = line.slice(6); continue; }
+    if (!line.startsWith("+") || line.startsWith("+++")) continue;
+    for (const p of SECRET_PATTERNS) {
+      if (p.re.test(line)) findings.push({ file: currentFile, pattern: p.name });
+    }
+  }
+  return { findings };
+}
+
+function blockAllowedByOwner() {
+  if (process.env.QUALIA_SECRET_SKIP !== "1" && !/\bQUALIA_SECRET_SKIP=1\b/.test(HOOK_COMMAND || "")) return false;
+  const role = String(readConfig().role || "").toUpperCase();
+  if (role === "OWNER") return true;
+  console.error("BLOCKED: QUALIA_SECRET_SKIP is OWNER-only.");
+  _trace("block", { reason: "skip-non-owner" });
+  process.exit(2);
+}
+
+let result;
+try {
+  result = scan();
+} catch (e) {
+  // Fail OPEN on a scan error — a commit gate that errors must not brick every
+  // commit. A real match (below) still blocks.
+  console.error(`⚠ secret-guard: scan error (${e.message}). Commit proceeding.`);
+  _trace("warn", { error: e.message });
+  process.exit(0);
+}
+
+if (result && result.findings && result.findings.length > 0) {
+  if (blockAllowedByOwner()) {
+    console.error("⚠ secret-guard: findings present but QUALIA_SECRET_SKIP=1 (OWNER). Commit proceeding.");
+    _trace("allow", { skipped_owner: true, count: result.findings.length });
+    process.exit(0);
+  }
+  console.error("BLOCKED: secret(s) detected in staged content. Unstage and remove before committing.");
+  // Dedupe file+pattern; never print the matched value.
+  const seen = new Set();
+  for (const f of result.findings) {
+    const key = `${f.file}::${f.pattern}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    console.error(`  ✗ ${f.file} — ${f.pattern}`);
+  }
+  console.error("  Fix: move the secret to an env var / secrets manager; add the file to .gitignore.");
+  _trace("block", { count: seen.size });
+  process.exit(2);
+}
+
+_trace("allow", result || {});
+process.exit(0);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "qualia-framework",
-  "version": "7.0.0",
+  "version": "7.1.0",
   "description": "Claude Code and Codex workflow framework by Qualia Solutions. Plan, build, verify, ship.",
   "bin": {
     "qualia-framework": "./bin/cli.js"
@@ -30,6 +30,9 @@
     "test:lib": "bash tests/lib.test.sh",
     "test:skills": "bash tests/skills.test.sh",
     "test:slop-detect": "bash tests/slop-detect.test.sh",
+    "test:dep-verify": "bash tests/dep-verify.test.sh",
+    "test:runtime-parity": "bash tests/runtime-parity.test.sh",
+    "test:secret-guard": "bash tests/secret-guard.test.sh",
     "test:statusline": "bash tests/statusline.test.sh",
     "test:refs": "bash tests/refs.test.sh",
     "test:published-install": "bash tests/published-install-smoke.test.sh",

package/skills/qualia-build/SKILL.md

@@ -172,11 +172,18 @@ Status protocol (machine-readable fan-in — do this, do not skip):
   (use BLOCKED or PARTIAL with `--note \"why\"` instead of DONE if you could not finish)
 
 Execute. Commit. Write your DONE/BLOCKED/PARTIAL status. Return DONE/BLOCKED/PARTIAL.
-", subagent_type="qualia-builder", description="Task {N}: {title}")
+", subagent_type="qualia-builder", model="{tier}", description="Task {N}: {title}")
 ```
 
 **Cache ordering:** Role + grounding FIRST, phase_context SECOND, task_context LAST. Stable prefix ~2-5k tokens → 92% cache hit. Pre-inline eliminates 3-5 Read calls per builder.
 
+**Model routing (intelligent model routing — the OpEx lever).** Most builders are *implementers*, not architects: they follow a precise task contract (files, AC, validation) within established patterns. That is exactly the deterministic, low-ambiguity work that belongs on a cheaper, faster model — reserving the frontier model for the judgment-heavy steps (planning, verification, skeptic adjudication). Per task, pass `model=`:
+- **`sonnet`** (default for builders) — single-/few-file tasks against established patterns, CRUD, wiring, styling, test scaffolding. The bulk of every phase.
+- **frontier (omit `model=` → inherits the session model)** — tasks the contract marks high-complexity, the `architect` persona, novel algorithms, or anything touching auth/payments/migrations where a wrong-but-plausible implementation is expensive.
+- **`haiku`** — pure mechanical edits (rename sweeps, import fixes, format-only changes); pairs naturally with `/qualia-build --batch`.
+
+When unsure, default to `sonnet`; escalate only when the task carries real ambiguity or correctness risk. This routes the high-volume mechanical work off the frontier model without weakening the steps where model strength actually changes the outcome.
+
 **After each task:**
 - Verify commit: `git log --oneline -1`
 - Show:

package/skills/qualia-recall/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: qualia-recall
-description: "Recall curated prior lessons from the Qualia memory substrate — the knowledge layer + the qualia-memory vault, role-filtered. The read side of /qualia-learn. Triggers: 'recall', 'have we done this before', 'what did we learn about X', 'prior art', 'any notes on', 'check the vault'."
+description: "OWNER-ONLY. Recall curated prior lessons from the Qualia memory substrate — the knowledge layer + the qualia-memory vault. The read side of /qualia-learn. Only the OWNER (Fawzi) can run it; recall.js refuses any other role. Triggers (OWNER only): 'recall', 'have we done this before', 'what did we learn about X', 'prior art', 'any notes on', 'check the vault'."
 allowed-tools:
   - Read
   - Grep
@@ -9,6 +9,11 @@ allowed-tools:
 
 # /qualia-recall — Recall Knowledge
 
+> **OWNER-only.** `recall.js` resolves the install role and **refuses any role
+> other than `OWNER`** (exit 3). This is a deterministic gate, not a convention —
+> do not run it for an employee. Employees still have the read-only memory MCP for
+> ALL_ROLES wiki content; the curated cross-project recall is the OWNER's surface.
+
 The **read side** of memory. `/qualia-learn` writes; `/qualia-recall` reads. One
 query, both stores:
 

package/skills/qualia-ship/SKILL.md

@@ -66,9 +66,10 @@ if node -e "const p=require('./package.json');process.exit(p.scripts&&p.scripts.
 if node -e "const p=require('./package.json');process.exit(p.scripts&&p.scripts.test?0:1)"; then npm test; fi
 npm run build             # Build — must succeed
 node ${QUALIA_BIN}/slop-detect.mjs --severity=critical   # Anti-slop — CRITICAL design tells block ship
+node ${QUALIA_BIN}/dep-verify.mjs --severity=critical     # Hallucinated/slopsquatted imports block ship
 ```
 
-The `pre-deploy-gate.js` hook re-runs the anti-slop scan at `vercel --prod` time as the hard, non-bypassable gate (OWNER-only `QUALIA_SKIP_SLOP=1` escape). This step surfaces failures early so they're fixed before the deploy command.
+`dep-verify` blocks ship when any import references a package that is neither declared in `package.json` nor installed in `node_modules` — catching AI-invented or typosquatted dependencies before they reach production. The `pre-deploy-gate.js` hook re-runs **both** scans at `vercel --prod` time as the hard, non-bypassable gate — anti-slop (OWNER-only `QUALIA_SKIP_SLOP=1` escape) and dep-verify (OWNER-only `QUALIA_SKIP_DEPCHECK=1` escape, for the rare known-good import not yet in `package.json`). Both gates fail **closed**: a crash or timeout in either scanner blocks the deploy rather than passing silently. This step surfaces failures early so they're fixed before the deploy command.
 
 On failure:
 1. Summarize what failed in plain language

package/skills/qualia-verify/SKILL.md

@@ -76,9 +76,11 @@ Verify the {L} concerns of this phase. Every finding needs file:line evidence an
 Write your findings as a JSON array to .planning/phase-{N}-panel-{L}.json:
   [{\"file\":\"path\",\"line\":N,\"severity\":\"CRITICAL|HIGH|MEDIUM|LOW\",\"title\":\"one-line claim\"}]
 Empty array [] if the {L} lens is clean. Also append a human '## {L} lens' section to .planning/phase-{N}-verification.md.
-", subagent_type="qualia-verifier", description="Verify phase {N} — {L} lens")
+", subagent_type="qualia-verifier", model="sonnet", description="Verify phase {N} — {L} lens")
 ```
 
+**Model routing.** Panel verifiers do *finding* work — grep code against acceptance criteria and the shared machine evidence — which is high-recall but low-judgment, so they run on **`sonnet`**. Spend the frontier model where the verdict is actually decided: the skeptic vote (§3c step 2). This is the intelligent-model-routing OpEx lever applied to verification — cheaper on the wide finding pass, frontier on the narrow adjudication.
+
 ### 3b. Browser QA (if phase touched frontend)
 
 If plan Files include `.tsx`/`.jsx`/`.css`/`.scss` or `app/`/`pages/`/`components/` paths, spawn browser QA parallel:
@@ -129,6 +131,8 @@ Return exactly one line: REAL — {file:line reason}   OR   NOT_REAL — {file:l
 ", subagent_type="qualia-verifier", description="Skeptic {i}/3 — {title}")
 ```
 
+Skeptics deliberately **omit `model=`** so they inherit the session's frontier model: their REAL/NOT_REAL judgment is what flips a CRITICAL/HIGH verdict, and that is the one step in the pipeline where model strength most changes the outcome. Route cheap on the finding pass, never on the adjudication.
+
 Tally each finding's votes into `.planning/phase-{N}-panel.json` (`votes.real` / `votes.notReal`).
 
 **3. Aggregate** deterministically:
@@ -196,13 +200,16 @@ Write the deterministic eval artifact before changing state:
 node ${QUALIA_BIN}/harness-eval.js --phase {N} --run --write
 ```
 
-Run the zero-token anti-slop scan as a deterministic gate (same role as `migration-guard`/`branch-guard` — the scanner exits non-zero on CRITICAL design tells). A CRITICAL finding is a verification FAIL, not a soft note:
+Run the zero-token deterministic gates (same role as `migration-guard`/`branch-guard` — each exits non-zero on a hard fault). A non-zero exit is a verification FAIL, not a soft note:
 
 ```bash
-node ${QUALIA_BIN}/slop-detect.mjs --severity=critical
+node ${QUALIA_BIN}/slop-detect.mjs --severity=critical   # CRITICAL design tells (the slop half)
+node ${QUALIA_BIN}/dep-verify.mjs --severity=critical     # hallucinated/slopsquatted imports (the correctness half)
 ```
 
-The phase is PASS only if ALL of these agree: the panel verdict (§3c `verify-panel.js` exit 0), the harness-eval status, and the anti-slop scan. If any is FAIL/non-zero, mark the phase FAIL. The state machine also refuses PASS when a contract exists but `.planning/evidence/phase-{N}-contract-run.json` is missing/failing, or when the verification report contains `INSUFFICIENT EVIDENCE`.
+`dep-verify` flags any import whose package is BOTH undeclared in `package.json` AND absent from `node_modules` — the exact signature of an AI-invented or typosquatted dependency (the #1 named AI-generated-code security failure mode). It is the correctness/security companion to the design-focused `slop-detect`.
+
+The phase is PASS only if ALL of these agree: the panel verdict (§3c `verify-panel.js` exit 0), the harness-eval status, the anti-slop scan, and the dependency scan. If any is FAIL/non-zero, mark the phase FAIL. The state machine also refuses PASS when a contract exists but `.planning/evidence/phase-{N}-contract-run.json` is missing/failing, or when the verification report contains `INSUFFICIENT EVIDENCE`.
 
 ```bash
 node ${QUALIA_BIN}/state.js transition --to verified --phase {N} --verification {pass|fail} --evidence .planning/evals/harness-eval-*.json

package/tests/bin.test.sh

@@ -495,8 +495,8 @@ fi
 # usage-capture added in v6.9.1 — UserPromptSubmit telemetry capture;
 # task-write-guard added in v6.13 — R1 runtime plan-contract file-scope guard)
 HOOK_COUNT=$(ls "$TMP/.claude/hooks/"*.js 2>/dev/null | wc -l)
-if [ "$HOOK_COUNT" -eq 15 ]; then
-  pass "15 hooks installed in hooks/ (incl. task-write-guard v6.13)"
+if [ "$HOOK_COUNT" -eq 16 ]; then
+  pass "16 hooks installed in hooks/ (incl. task-write-guard + secret-guard)"
 else
   fail_case "hook count" "got $HOOK_COUNT"
 fi

package/tests/dep-verify.test.sh

@@ -0,0 +1,247 @@
+#!/bin/bash
+# Qualia Framework — bin/dep-verify.mjs behavior tests
+# Verifies the hallucinated/slopsquatted-dependency gate catches what it claims:
+# imports that are neither declared in package.json nor installed in node_modules.
+#
+# Run: bash tests/dep-verify.test.sh
+
+PASS=0
+FAIL=0
+DEP_VERIFY="$(cd "$(dirname "$0")/../bin" && pwd)/dep-verify.mjs"
+NODE="${NODE:-node}"
+
+TMP_DIRS=()
+cleanup() {
+  for d in "${TMP_DIRS[@]}"; do
+    [ -d "$d" ] && rm -rf "$d"
+  done
+}
+trap cleanup EXIT
+
+mktmp() {
+  local TMP
+  TMP=$(mktemp -d)
+  TMP_DIRS+=("$TMP")
+  echo "$TMP"
+}
+
+pass() { echo "  ✓ $1"; PASS=$((PASS + 1)); }
+fail_case() { echo "  ✗ $1"; echo "    $2"; FAIL=$((FAIL + 1)); }
+
+echo "dep-verify.test.sh — bin/dep-verify.mjs behavioral tests"
+echo ""
+
+# ── Sanity: file exists and parses ────────────────────────────────────
+if [ ! -f "$DEP_VERIFY" ]; then
+  fail_case "dep-verify exists" "$DEP_VERIFY not found"
+  echo "=== Results: $PASS passed, $FAIL failed ==="
+  exit 1
+fi
+pass "dep-verify.mjs exists at expected path"
+
+if $NODE --check "$DEP_VERIFY" 2>/dev/null; then
+  pass "dep-verify.mjs syntax is valid"
+else
+  fail_case "syntax check" "node --check failed on $DEP_VERIFY"
+fi
+
+# ── Declared dependency: should pass (exit 0) ─────────────────────────
+TMP=$(mktmp)
+cat > "$TMP/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": { "react": "^19.0.0" } }
+EOF
+cat > "$TMP/declared.tsx" <<'EOF'
+import { useState } from 'react';
+import { thing } from './local-module';
+import fs from 'node:fs';
+export const x = useState;
+EOF
+EXIT_CODE=0
+$NODE "$DEP_VERIFY" "$TMP/declared.tsx" >/dev/null 2>&1 || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "0" ]; then
+  pass "exits 0 when imports are declared / relative / builtin"
+else
+  fail_case "declared deps" "expected exit 0, got $EXIT_CODE"
+fi
+
+# ── Hallucinated package: undeclared AND not installed → exit 1 ────────
+TMP2=$(mktmp)
+cat > "$TMP2/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": { "react": "^19.0.0" } }
+EOF
+cat > "$TMP2/bad.tsx" <<'EOF'
+import { toast } from 'react-use-magic-toast-9000';
+export const t = toast;
+EOF
+EXIT_CODE=0
+OUT=$($NODE "$DEP_VERIFY" "$TMP2/bad.tsx" 2>&1) || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "1" ] && echo "$OUT" | grep -q "react-use-magic-toast-9000"; then
+  pass "exits 1 and names the hallucinated package"
+else
+  fail_case "hallucinated dep" "exit=$EXIT_CODE out=$(echo "$OUT" | head -c 120)"
+fi
+
+# ── Installed-but-undeclared (phantom): should NOT flag ───────────────
+TMP3=$(mktmp)
+cat > "$TMP3/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": {} }
+EOF
+mkdir -p "$TMP3/node_modules/left-pad"
+cat > "$TMP3/uses-installed.js" <<'EOF'
+const lp = require('left-pad');
+module.exports = lp;
+EOF
+EXIT_CODE=0
+$NODE "$DEP_VERIFY" "$TMP3/uses-installed.js" >/dev/null 2>&1 || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "0" ]; then
+  pass "does NOT flag a package that is installed in node_modules (low false positives)"
+else
+  fail_case "installed phantom" "expected exit 0, got $EXIT_CODE"
+fi
+
+# ── tsconfig path alias should be ignored ─────────────────────────────
+TMP4=$(mktmp)
+cat > "$TMP4/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": {} }
+EOF
+cat > "$TMP4/tsconfig.json" <<'EOF'
+{ "compilerOptions": { "paths": { "@app/*": ["src/*"] } } }
+EOF
+cat > "$TMP4/alias.tsx" <<'EOF'
+import { Button } from '@app/components/button';
+export const B = Button;
+EOF
+EXIT_CODE=0
+$NODE "$DEP_VERIFY" "$TMP4/alias.tsx" >/dev/null 2>&1 || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "0" ]; then
+  pass "ignores tsconfig path aliases (@app/*)"
+else
+  fail_case "path alias" "expected exit 0, got $EXIT_CODE"
+fi
+
+# ── Commented-out import must not trigger ─────────────────────────────
+TMP5=$(mktmp)
+cat > "$TMP5/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": {} }
+EOF
+cat > "$TMP5/commented.ts" <<'EOF'
+// import { x } from 'definitely-not-real-pkg';
+export const y = 1;
+EOF
+EXIT_CODE=0
+$NODE "$DEP_VERIFY" "$TMP5/commented.ts" >/dev/null 2>&1 || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "0" ]; then
+  pass "ignores commented-out imports"
+else
+  fail_case "commented import" "expected exit 0, got $EXIT_CODE"
+fi
+
+# ── String/regex awareness: import sharing a line with a // -bearing
+#    string or regex literal must STILL be caught (no silent false negative) ──
+TMP6=$(mktmp)
+cat > "$TMP6/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": {} }
+EOF
+cat > "$TMP6/sameline.ts" <<'EOF'
+const re = /url:\/\//; import { x } from 'hallucinated-sameline';
+EOF
+EXIT_CODE=0
+OUT=$($NODE "$DEP_VERIFY" "$TMP6/sameline.ts" 2>&1) || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "1" ] && echo "$OUT" | grep -q "hallucinated-sameline"; then
+  pass "catches an import on the same line as a regex literal (no false negative)"
+else
+  fail_case "regex-sameline FN" "exit=$EXIT_CODE out=$(echo "$OUT" | head -c 120)"
+fi
+
+# ── Import syntax INSIDE a string literal must NOT be flagged (no FP) ──
+TMP7=$(mktmp)
+cat > "$TMP7/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": {} }
+EOF
+cat > "$TMP7/strlit.ts" <<'EOF'
+export const example = "import { fake } from 'made-up-package'";
+EOF
+EXIT_CODE=0
+$NODE "$DEP_VERIFY" "$TMP7/strlit.ts" >/dev/null 2>&1 || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "0" ]; then
+  pass "does NOT flag import syntax inside a string literal (no false positive)"
+else
+  fail_case "string-literal FP" "expected exit 0, got $EXIT_CODE"
+fi
+
+# ── Scoped hallucinated package → flagged and named ───────────────────
+TMP8=$(mktmp)
+cat > "$TMP8/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": {} }
+EOF
+cat > "$TMP8/scoped.tsx" <<'EOF'
+import { thing } from '@hallucinated-scope/nonexistent-pkg';
+export const t = thing;
+EOF
+EXIT_CODE=0
+OUT=$($NODE "$DEP_VERIFY" "$TMP8/scoped.tsx" 2>&1) || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "1" ] && echo "$OUT" | grep -q "@hallucinated-scope/nonexistent-pkg"; then
+  pass "flags a scoped hallucinated package (@scope/name)"
+else
+  fail_case "scoped dep" "exit=$EXIT_CODE out=$(echo "$OUT" | head -c 120)"
+fi
+
+# ── Protocol specifier (virtual:/https:) must NOT be flagged ──────────
+TMP9=$(mktmp)
+cat > "$TMP9/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": {} }
+EOF
+cat > "$TMP9/proto.ts" <<'EOF'
+import config from 'virtual:generated-config';
+export const c = config;
+EOF
+EXIT_CODE=0
+$NODE "$DEP_VERIFY" "$TMP9/proto.ts" >/dev/null 2>&1 || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "0" ]; then
+  pass "ignores protocol specifiers (virtual:, https:)"
+else
+  fail_case "protocol specifier" "expected exit 0, got $EXIT_CODE"
+fi
+
+# ── Directory scan: flags src/, skips node_modules/ (production invocation) ──
+TMPD=$(mktmp)
+cat > "$TMPD/package.json" <<'EOF'
+{ "name": "fixture", "dependencies": { "react": "^19.0.0" } }
+EOF
+mkdir -p "$TMPD/src" "$TMPD/node_modules/some-pkg"
+echo "import { useState } from 'react';" > "$TMPD/src/good.ts"
+echo "import { z } from 'ghost-pkg-in-src';" > "$TMPD/src/bad.ts"
+echo "import { q } from 'ghost-inside-node-modules';" > "$TMPD/node_modules/some-pkg/index.ts"
+EXIT_CODE=0
+OUT=$($NODE "$DEP_VERIFY" "$TMPD" 2>&1) || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "1" ] && echo "$OUT" | grep -q "ghost-pkg-in-src" && ! echo "$OUT" | grep -q "ghost-inside-node-modules"; then
+  pass "directory scan flags src/ and skips node_modules/"
+else
+  fail_case "directory scan" "exit=$EXIT_CODE out=$(echo "$OUT" | head -c 160)"
+fi
+
+# ── --json flag produces JSON output (exit 1 + ok:false on findings) ──
+EXIT_CODE=0
+JSON_OUT=$($NODE "$DEP_VERIFY" --json "$TMP2/bad.tsx" 2>/dev/null) || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "1" ] \
+   && echo "$JSON_OUT" | head -1 | grep -qE "^[\{\[]" \
+   && echo "$JSON_OUT" | grep -q '"findings"' \
+   && echo "$JSON_OUT" | grep -q '"ok": false'; then
+  pass "--json produces JSON with ok:false and exits 1 on findings"
+else
+  fail_case "--json output" "exit=$EXIT_CODE first line: '$(echo "$JSON_OUT" | head -c 80)'"
+fi
+
+# ── Missing path → invocation error (exit 2) ──────────────────────────
+EXIT_CODE=0
+$NODE "$DEP_VERIFY" /nonexistent/path/xyz >/dev/null 2>&1 || EXIT_CODE=$?
+if [ "$EXIT_CODE" = "2" ]; then
+  pass "exits 2 on a missing path (invocation error)"
+else
+  fail_case "missing path" "expected exit 2, got $EXIT_CODE"
+fi
+
+echo ""
+echo "=== Results: $PASS passed, $FAIL failed ==="
+
+[ "$FAIL" = "0" ]

package/tests/hooks.test.sh

@@ -494,6 +494,103 @@ else
 fi
 rm -rf "$TMP" "$QH"
 
+# --- pre-deploy-gate: dependency-verification gate (dep-verify.mjs wired into ship) ---
+# Build a tmp QUALIA_HOME carrying bin/dep-verify.mjs so the gate can find it.
+DEP_SRC="$(cd "$(dirname "$0")/../bin" && pwd)/dep-verify.mjs"
+
+# Hallucinated import (undeclared + not installed) → blocked with diagnostic
+TMP=$(mktemp -d)
+QH=$(mktemp -d)
+mkdir -p "$QH/bin" "$TMP/app"
+cp "$DEP_SRC" "$QH/bin/dep-verify.mjs"
+echo '{"name":"x","dependencies":{}}' > "$TMP/package.json"
+echo "import { z } from 'totally-made-up-pkg-xyz';" > "$TMP/app/page.tsx"
+OUT=$( (cd "$TMP" && QUALIA_HOME="$QH" $NODE "$HOOKS_DIR/pre-deploy-gate.js") 2>&1 )
+RC=$?
+if [ "$RC" -eq 2 ] && echo "$OUT" | grep -qi "hallucinated"; then
+  echo "  ✓ hallucinated import → blocked by dependency gate (exit 2)"
+  PASS=$((PASS + 1))
+else
+  echo "  ✗ hallucinated import → dependency block (exit=$RC out=$OUT)"
+  FAIL=$((FAIL + 1))
+fi
+rm -rf "$TMP" "$QH"
+
+# Clean file (no external imports) → dependency gate passes → exit 0
+TMP=$(mktemp -d)
+QH=$(mktemp -d)
+mkdir -p "$QH/bin" "$TMP/app"
+cp "$DEP_SRC" "$QH/bin/dep-verify.mjs"
+echo '{"name":"x","dependencies":{}}' > "$TMP/package.json"
+echo 'export default function P(){return null;}' > "$TMP/app/page.tsx"
+OUT=$( (cd "$TMP" && QUALIA_HOME="$QH" $NODE "$HOOKS_DIR/pre-deploy-gate.js") 2>&1 )
+RC=$?
+if [ "$RC" -eq 0 ] && echo "$OUT" | grep -q "Dependencies"; then
+  echo "  ✓ clean imports → dependency gate passes (exit 0)"
+  PASS=$((PASS + 1))
+else
+  echo "  ✗ clean imports → dependency gate passes (exit=$RC out=$OUT)"
+  FAIL=$((FAIL + 1))
+fi
+rm -rf "$TMP" "$QH"
+
+# QUALIA_SKIP_DEPCHECK=1 by non-OWNER → blocked (OWNER-only escape)
+TMP=$(mktemp -d)
+QH=$(mktemp -d)
+mkdir -p "$QH/bin" "$TMP/app"
+cp "$DEP_SRC" "$QH/bin/dep-verify.mjs"
+echo '{"role":"EMPLOYEE"}' > "$QH/.qualia-config.json"
+echo '{"name":"x","dependencies":{}}' > "$TMP/package.json"
+echo "import { z } from 'totally-made-up-pkg-xyz';" > "$TMP/app/page.tsx"
+OUT=$( (cd "$TMP" && QUALIA_SKIP_DEPCHECK=1 QUALIA_HOME="$QH" $NODE "$HOOKS_DIR/pre-deploy-gate.js") 2>&1 )
+RC=$?
+if [ "$RC" -eq 2 ] && echo "$OUT" | grep -q "OWNER-only"; then
+  echo "  ✓ QUALIA_SKIP_DEPCHECK by non-OWNER → blocked (OWNER-only)"
+  PASS=$((PASS + 1))
+else
+  echo "  ✗ QUALIA_SKIP_DEPCHECK non-OWNER block (exit=$RC out=$OUT)"
+  FAIL=$((FAIL + 1))
+fi
+rm -rf "$TMP" "$QH"
+
+# QUALIA_SKIP_DEPCHECK=1 by OWNER → allowed through (the escape valve works)
+TMP=$(mktemp -d)
+QH=$(mktemp -d)
+mkdir -p "$QH/bin" "$TMP/app"
+cp "$DEP_SRC" "$QH/bin/dep-verify.mjs"
+echo '{"role":"OWNER"}' > "$QH/.qualia-config.json"
+echo '{"name":"x","dependencies":{}}' > "$TMP/package.json"
+echo "import { z } from 'totally-made-up-pkg-xyz';" > "$TMP/app/page.tsx"
+OUT=$( (cd "$TMP" && QUALIA_SKIP_DEPCHECK=1 QUALIA_HOME="$QH" $NODE "$HOOKS_DIR/pre-deploy-gate.js") 2>&1 )
+RC=$?
+if [ "$RC" -eq 0 ] && echo "$OUT" | grep -qi "Dependency check skipped"; then
+  echo "  ✓ QUALIA_SKIP_DEPCHECK by OWNER → allowed (escape valve works)"
+  PASS=$((PASS + 1))
+else
+  echo "  ✗ QUALIA_SKIP_DEPCHECK OWNER allow (exit=$RC out=$OUT)"
+  FAIL=$((FAIL + 1))
+fi
+rm -rf "$TMP" "$QH"
+
+# Fail-closed: a crashing/non-completing dep-verify must BLOCK, not pass
+TMP=$(mktemp -d)
+QH=$(mktemp -d)
+mkdir -p "$QH/bin" "$TMP/app"
+# A stub scanner that exits 2 (invocation error) — must be treated as FAIL.
+printf '#!/usr/bin/env node\nprocess.exit(2);\n' > "$QH/bin/dep-verify.mjs"
+echo '{"name":"x","dependencies":{}}' > "$TMP/package.json"
+echo 'export default function P(){return null;}' > "$TMP/app/page.tsx"
+OUT=$( (cd "$TMP" && QUALIA_HOME="$QH" $NODE "$HOOKS_DIR/pre-deploy-gate.js") 2>&1 )
+RC=$?
+if [ "$RC" -eq 2 ] && echo "$OUT" | grep -qi "did not complete"; then
+  echo "  ✓ dep-verify non-completion → blocked, not silently passed (fail-closed)"
+  PASS=$((PASS + 1))
+else
+  echo "  ✗ dep-verify fail-closed (exit=$RC out=$OUT)"
+  FAIL=$((FAIL + 1))
+fi
+rm -rf "$TMP" "$QH"
+
 # Scanner absent (older install) → gate skips silently → exit 0
 TMP=$(mktemp -d)
 QH=$(mktemp -d)

package/tests/install-smoke.test.sh

@@ -124,12 +124,13 @@ else
 fi
 
 if [ -d "$HOME_DIR/.claude/hooks" ] \
-  && [ "$(find "$HOME_DIR/.claude/hooks" -maxdepth 1 -name '*.js' | wc -l | tr -d ' ')" = "15" ] \
+  && [ "$(find "$HOME_DIR/.claude/hooks" -maxdepth 1 -name '*.js' | wc -l | tr -d ' ')" = "16" ] \
   && [ -f "$HOME_DIR/.claude/hooks/fawzi-approval-guard.js" ] \
   && [ -f "$HOME_DIR/.claude/hooks/pre-compact.js" ] \
   && [ -f "$HOME_DIR/.claude/hooks/usage-capture.js" ] \
-  && [ -f "$HOME_DIR/.claude/hooks/task-write-guard.js" ]; then
-  pass "packaged install has 15 hooks including task-write-guard (v6.13)"
+  && [ -f "$HOME_DIR/.claude/hooks/task-write-guard.js" ] \
+  && [ -f "$HOME_DIR/.claude/hooks/secret-guard.js" ]; then
+  pass "packaged install has 16 hooks including task-write-guard + secret-guard"
 else
   fail_case "packaged hook set mismatch"
 fi