qualia-framework 7.0.0 → 7.1.0

package/tests/lib.test.sh

@@ -532,10 +532,10 @@ TMP=$(mktmp)
 mkdir -p "$TMP/home/.claude/bin" "$TMP/home/.claude/hooks" "$TMP/home/.claude/knowledge/daily-log" "$TMP/home/.claude/qualia-design" "$TMP/home/.claude/agents" "$TMP/home/.claude/qualia-templates" "$TMP/project"
 echo '{"installed_by":"Test","role":"OWNER","version":"6.3.0","erp":{"enabled":false}}' > "$TMP/home/.claude/.qualia-config.json"
 touch "$TMP/home/.claude/CLAUDE.md" "$TMP/home/.claude/settings.json"
-for f in runtime-manifest.js command-surface.js host-adapters.js state.js qualia-ui.js statusline.js knowledge.js knowledge-flush.js recall.js vault-access.js repo-map.js design-tokens.js batch-plan.js state-ledger.js plan-contract.js contract-runner.js agent-status.js analyze-gate.js verify-panel.js wave-plan.js eval-runner.js branch-hygiene.js last-report.js harness-eval.js trust-score.js agent-runs.js slop-detect.mjs erp-retry.js erp-event.js work-packet.js report-payload.js project-snapshot.js project-sync.js codex-goal.js planning-hygiene.js prune-deprecated.js learning-candidates.js status-snapshot.js security-scan.js auto-report.js; do
+for f in runtime-manifest.js command-surface.js host-adapters.js state.js qualia-ui.js statusline.js knowledge.js knowledge-flush.js recall.js vault-access.js repo-map.js design-tokens.js batch-plan.js state-ledger.js plan-contract.js contract-runner.js agent-status.js analyze-gate.js verify-panel.js wave-plan.js eval-runner.js branch-hygiene.js last-report.js harness-eval.js trust-score.js agent-runs.js slop-detect.mjs dep-verify.mjs erp-retry.js erp-event.js work-packet.js report-payload.js project-snapshot.js project-sync.js codex-goal.js planning-hygiene.js prune-deprecated.js learning-candidates.js status-snapshot.js security-scan.js auto-report.js; do
   touch "$TMP/home/.claude/bin/$f"
 done
-for h in session-start.js auto-update.js branch-guard.js pre-push.js pre-deploy-gate.js migration-guard.js git-guardrails.js stop-session-log.js fawzi-approval-guard.js vercel-account-guard.js env-empty-guard.js supabase-destructive-guard.js; do
+for h in session-start.js auto-update.js branch-guard.js pre-push.js pre-deploy-gate.js migration-guard.js git-guardrails.js stop-session-log.js fawzi-approval-guard.js vercel-account-guard.js env-empty-guard.js supabase-destructive-guard.js secret-guard.js; do
   touch "$TMP/home/.claude/hooks/$h"
 done
 touch "$TMP/home/.claude/knowledge/index.md" "$TMP/home/.claude/knowledge/agents.md" "$TMP/home/.claude/agents/visual-evaluator.md" "$TMP/home/.claude/qualia-guide.md" "$TMP/home/.claude/qualia-templates/help.html"
@@ -647,10 +647,10 @@ TMP=$(mktmp)
 mkdir -p "$TMP/.claude/bin" "$TMP/.claude/hooks" "$TMP/.claude/knowledge/daily-log" "$TMP/.claude/qualia-design" "$TMP/.claude/agents" "$TMP/.claude/qualia-templates" "$TMP/project/.planning"
 echo '{"installed_by":"Test","role":"OWNER","erp":{"enabled":false}}' > "$TMP/.claude/.qualia-config.json"
 touch "$TMP/.claude/CLAUDE.md" "$TMP/.claude/settings.json"
-for f in runtime-manifest.js command-surface.js host-adapters.js state.js qualia-ui.js statusline.js knowledge.js knowledge-flush.js recall.js vault-access.js repo-map.js design-tokens.js batch-plan.js state-ledger.js plan-contract.js contract-runner.js agent-status.js analyze-gate.js verify-panel.js wave-plan.js eval-runner.js branch-hygiene.js last-report.js harness-eval.js trust-score.js agent-runs.js slop-detect.mjs erp-retry.js erp-event.js work-packet.js report-payload.js project-snapshot.js project-sync.js codex-goal.js planning-hygiene.js prune-deprecated.js learning-candidates.js status-snapshot.js security-scan.js auto-report.js; do
+for f in runtime-manifest.js command-surface.js host-adapters.js state.js qualia-ui.js statusline.js knowledge.js knowledge-flush.js recall.js vault-access.js repo-map.js design-tokens.js batch-plan.js state-ledger.js plan-contract.js contract-runner.js agent-status.js analyze-gate.js verify-panel.js wave-plan.js eval-runner.js branch-hygiene.js last-report.js harness-eval.js trust-score.js agent-runs.js slop-detect.mjs dep-verify.mjs erp-retry.js erp-event.js work-packet.js report-payload.js project-snapshot.js project-sync.js codex-goal.js planning-hygiene.js prune-deprecated.js learning-candidates.js status-snapshot.js security-scan.js auto-report.js; do
   touch "$TMP/.claude/bin/$f"
 done
-for h in session-start.js auto-update.js branch-guard.js pre-push.js pre-deploy-gate.js migration-guard.js git-guardrails.js stop-session-log.js fawzi-approval-guard.js vercel-account-guard.js env-empty-guard.js supabase-destructive-guard.js; do
+for h in session-start.js auto-update.js branch-guard.js pre-push.js pre-deploy-gate.js migration-guard.js git-guardrails.js stop-session-log.js fawzi-approval-guard.js vercel-account-guard.js env-empty-guard.js supabase-destructive-guard.js secret-guard.js; do
   touch "$TMP/.claude/hooks/$h"
 done
 touch "$TMP/.claude/knowledge/index.md" "$TMP/.claude/knowledge/agents.md"

package/tests/recall.test.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# recall.test.sh — bin/recall.js (read-side memory recall, role-filtered vault)
+# recall.test.sh — bin/recall.js (read-side memory recall — OWNER-only command)
 # Run: bash tests/recall.test.sh
 
 PASS=0
@@ -44,7 +44,8 @@ cat > "$VAULT/wiki/_meta/access.md" <<'EOF'
 EOF
 
 export QUALIA_MEMORY_ROOT="$VAULT"
-RUN() { QUALIA_HOME="$HOME_DIR" "$@"; }
+# recall is OWNER-only — every functional test runs as OWNER to reach the logic.
+RUN() { QUALIA_HOME="$HOME_DIR" QUALIA_ROLE=OWNER "$@"; }
 
 # ── Invocation guards ──
 RUN $NODE "$RECALL" >/dev/null 2>&1; assert_exit "no query → exit 2" 2 $?
@@ -55,15 +56,15 @@ OUT=$(QUALIA_ROLE=OWNER RUN $NODE "$RECALL" zebrafish 2>&1); assert_exit "valid
 assert_contains "knowledge-layer hit"    "$OUT" "learned-patterns.md"
 assert_contains "vault ALL_ROLES hit"    "$OUT" "concepts/notes.md"
 
-# ── Role enforcement (the security boundary) ──
-OWNER_OUT=$(QUALIA_ROLE=OWNER RUN $NODE "$RECALL" zebrafish --scope vault 2>&1)
-assert_contains "OWNER sees OWNER_ONLY path"  "$OWNER_OUT" "_meta/access.md"
-EMP_OUT=$(QUALIA_ROLE=EMPLOYEE RUN $NODE "$RECALL" zebrafish --scope vault 2>&1)
-assert_contains "EMPLOYEE still sees ALL_ROLES" "$EMP_OUT" "concepts/notes.md"
-assert_absent   "EMPLOYEE blocked from OWNER_ONLY" "$EMP_OUT" "_meta/access.md"
-# fail-closed: no role config + no QUALIA_ROLE → RESTRICTED
-NOROLE_OUT=$(QUALIA_HOME="$VAULT" env -u QUALIA_ROLE $NODE "$RECALL" zebrafish --scope vault 2>&1)
-assert_absent   "RESTRICTED (fail-closed) blocked from OWNER_ONLY" "$NOROLE_OUT" "_meta/access.md"
+# ── OWNER-only gate (the command itself is restricted, not just vault content) ──
+OWNER_OUT=$(QUALIA_HOME="$HOME_DIR" QUALIA_ROLE=OWNER $NODE "$RECALL" zebrafish --scope vault 2>&1); assert_exit "OWNER → allowed (exit 0)" 0 $?
+assert_contains "OWNER sees vault content" "$OWNER_OUT" "concepts/notes.md"
+QUALIA_HOME="$HOME_DIR" QUALIA_ROLE=EMPLOYEE $NODE "$RECALL" zebrafish >/dev/null 2>&1; assert_exit "EMPLOYEE → refused (exit 3)" 3 $?
+EMP_MSG=$(QUALIA_HOME="$HOME_DIR" QUALIA_ROLE=EMPLOYEE $NODE "$RECALL" zebrafish 2>&1)
+assert_contains "EMPLOYEE refusal names OWNER-only" "$EMP_MSG" "OWNER-only"
+QUALIA_HOME="$HOME_DIR" QUALIA_ROLE=MANAGER $NODE "$RECALL" zebrafish >/dev/null 2>&1; assert_exit "MANAGER → refused (exit 3)" 3 $?
+# unknown role (no QUALIA_ROLE, no config) → fail-closed → refused
+env -u QUALIA_ROLE QUALIA_HOME="$HOME_DIR" $NODE "$RECALL" zebrafish >/dev/null 2>&1; assert_exit "unknown role (fail-closed) → refused (exit 3)" 3 $?
 
 # ── JSON shape ──
 JSON=$(QUALIA_ROLE=OWNER RUN $NODE "$RECALL" zebrafish --json 2>&1)

package/tests/run-all.sh

@@ -18,6 +18,9 @@ SUITES=(
   "refs"
   "install-smoke"
   "slop-detect"
+  "dep-verify"
+  "runtime-parity"
+  "secret-guard"
   "agent-status"
   "analyze-gate"
   "instructions"

package/tests/runner.js

@@ -2655,12 +2655,12 @@ describe("install.js", () => {
     }
   });
 
-  it("15 hooks installed (v6.13: task-write-guard added — R1 plan-contract file-scope guard)", () => {
+  it("16 hooks installed (secret-guard added — commit-time secret gate)", () => {
     const tmpHome = fs.mkdtempSync(path.join(os.tmpdir(), "qualia-install-"));
     try {
       runInstall("QS-FAWZI-11", tmpHome);
       const hooks = fs.readdirSync(path.join(tmpHome, ".claude", "hooks")).filter(f => f.endsWith(".js"));
-      assert.equal(hooks.length, 15, `expected 15 hooks, got ${hooks.length}: ${hooks.join(", ")}`);
+      assert.equal(hooks.length, 16, `expected 16 hooks, got ${hooks.length}: ${hooks.join(", ")}`);
       assert.ok(hooks.includes("fawzi-approval-guard.js"), "fawzi-approval-guard.js must be installed");
       assert.ok(hooks.includes("pre-compact.js"), "pre-compact.js must be installed (v6.3.2 sidecar-snapshot mechanism)");
       assert.ok(hooks.includes("task-write-guard.js"), "task-write-guard.js must be installed (v6.13 R1 guard)");

package/tests/runtime-parity.test.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# Qualia Framework — Claude/Codex hook-registration parity
+#
+# A blocking gate that runs on Claude but not Codex is a silent hole: the
+# framework's gates-over-prompts guarantee only holds if every deterministic
+# guard fires on BOTH supported runtimes. This suite asserts the Codex hook
+# registration in bin/install.js carries the same critical blocking gates as
+# the Claude registration. The regression it guards: task-write-guard.js was
+# registered on Claude (Edit|Write) but omitted on Codex, so off-contract /
+# fabricated-file writes went unblocked on Codex.
+#
+# Run: bash tests/runtime-parity.test.sh
+
+PASS=0
+FAIL=0
+INSTALL="$(cd "$(dirname "$0")/.." && pwd)/bin/install.js"
+
+pass() { echo "  ✓ $1"; PASS=$((PASS + 1)); }
+fail_case() { echo "  ✗ $1"; echo "    $2"; FAIL=$((FAIL + 1)); }
+
+echo "runtime-parity.test.sh — Claude/Codex hook registration parity"
+echo ""
+
+if [ ! -f "$INSTALL" ]; then
+  fail_case "install.js exists" "$INSTALL not found"
+  echo "=== Results: $PASS passed, $FAIL failed ==="
+  exit 1
+fi
+
+# Extract the Codex hook registration object (const qualiaHooks = { ... };).
+CODEX_BLOCK=$(awk '/const qualiaHooks = \{/{f=1} f{print} f&&/^    \};/{exit}' "$INSTALL")
+
+if [ -z "$CODEX_BLOCK" ]; then
+  fail_case "locate Codex qualiaHooks block" "could not extract 'const qualiaHooks = { ... }' from install.js"
+  echo "=== Results: $PASS passed, $FAIL failed ==="
+  exit 1
+fi
+pass "located the Codex qualiaHooks registration block"
+
+# Critical blocking gates that MUST be registered on Codex (superset check).
+CRITICAL_GATES="task-write-guard.js branch-guard.js migration-guard.js pre-deploy-gate.js supabase-destructive-guard.js fawzi-approval-guard.js secret-guard.js"
+
+for gate in $CRITICAL_GATES; do
+  if echo "$CODEX_BLOCK" | grep -q "$gate"; then
+    pass "Codex registers $gate"
+  else
+    fail_case "Codex missing $gate" "blocking gate registered on Claude but absent from the Codex hooks block"
+  fi
+done
+
+# Specifically pin the regression: task-write-guard must be in the Edit|Write
+# group (where file writes are gated), not merely present somewhere.
+EDIT_GROUP=$(echo "$CODEX_BLOCK" | awk '/matcher: "Edit\|Write"/{f=1} f{print} f&&/\],/{exit}')
+if echo "$EDIT_GROUP" | grep -q "task-write-guard.js"; then
+  pass "task-write-guard.js is in the Codex Edit|Write group"
+else
+  fail_case "task-write-guard in Edit|Write" "task-write-guard.js not found in the Codex Edit|Write matcher group"
+fi
+
+echo ""
+echo "=== Results: $PASS passed, $FAIL failed ==="
+[ "$FAIL" = "0" ]

package/tests/secret-guard.test.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+# Qualia Framework — hooks/secret-guard.js behavior tests
+# The commit-time gate that enforces two constitution non-negotiables:
+# never commit service_role keys; never commit .env files.
+#
+# Run: bash tests/secret-guard.test.sh
+
+PASS=0
+FAIL=0
+GUARD="$(cd "$(dirname "$0")/../hooks" && pwd)/secret-guard.js"
+NODE="${NODE:-node}"
+
+TMP_DIRS=()
+cleanup() { for d in "${TMP_DIRS[@]}"; do [ -d "$d" ] && rm -rf "$d"; done; }
+trap cleanup EXIT
+mktmp() { local T; T=$(mktemp -d); TMP_DIRS+=("$T"); echo "$T"; }
+pass() { echo "  ✓ $1"; PASS=$((PASS + 1)); }
+fail_case() { echo "  ✗ $1"; echo "    $2"; FAIL=$((FAIL + 1)); }
+
+# Build a throwaway git repo with the given file staged; run the guard via a
+# simulated `git commit` PreToolUse payload; echo the exit code.
+run_guard_on_repo() {
+  local repo="$1"
+  ( cd "$repo" && printf '{"tool_input":{"command":"git commit -m wip"}}' | $NODE "$GUARD" >/tmp/sg.out 2>&1 )
+  echo $?
+}
+
+echo "secret-guard.test.sh — hooks/secret-guard.js behavioral tests"
+echo ""
+
+if [ ! -f "$GUARD" ]; then
+  fail_case "secret-guard exists" "$GUARD not found"; echo "=== Results: $PASS passed, $FAIL failed ==="; exit 1
+fi
+pass "secret-guard.js exists"
+$NODE --check "$GUARD" 2>/dev/null && pass "secret-guard.js syntax is valid" || fail_case "syntax" "node --check failed"
+
+git --version >/dev/null 2>&1 || { echo "  - git unavailable, skipping behavioral tests"; echo "=== Results: $PASS passed, $FAIL failed ==="; [ "$FAIL" = 0 ]; exit $?; }
+
+init_repo() {
+  local R; R=$(mktmp)
+  ( cd "$R" && git init -q && git config user.email t@t.co && git config user.name t ) 2>/dev/null
+  echo "$R"
+}
+
+# ── Clean staged file → allow (exit 0) ────────────────────────────────
+R=$(init_repo)
+echo "export const x = 1;" > "$R/app.ts"
+( cd "$R" && git add app.ts ) 2>/dev/null
+RC=$(run_guard_on_repo "$R")
+[ "$RC" = "0" ] && pass "clean staged file → allowed (exit 0)" || fail_case "clean allow" "exit=$RC $(cat /tmp/sg.out)"
+
+# ── Staged private key → block (exit 2), value never printed ──────────
+R=$(init_repo)
+printf -- "-----BEGIN RSA PRIVATE KEY-----\nMIIabc123\n-----END RSA PRIVATE KEY-----\n" > "$R/key.pem"
+( cd "$R" && git add key.pem ) 2>/dev/null
+RC=$(run_guard_on_repo "$R")
+if [ "$RC" = "2" ] && grep -q "key.pem" /tmp/sg.out && ! grep -q "MIIabc123" /tmp/sg.out; then
+  pass "staged private key → blocked (exit 2), value not printed"
+else
+  fail_case "private key block" "exit=$RC out=$(head -c 160 /tmp/sg.out)"
+fi
+
+# ── Staged .env file → block ──────────────────────────────────────────
+R=$(init_repo)
+echo "API_KEY=whatever" > "$R/.env"
+( cd "$R" && git add -f .env ) 2>/dev/null
+RC=$(run_guard_on_repo "$R")
+[ "$RC" = "2" ] && grep -q "\.env" /tmp/sg.out && pass "staged .env file → blocked (exit 2)" || fail_case ".env block" "exit=$RC out=$(head -c 160 /tmp/sg.out)"
+
+# ── .env.example → allowed (template, not a secret) ──────────────────
+R=$(init_repo)
+echo "API_KEY=" > "$R/.env.example"
+( cd "$R" && git add .env.example ) 2>/dev/null
+RC=$(run_guard_on_repo "$R")
+[ "$RC" = "0" ] && pass ".env.example → allowed (template, not flagged)" || fail_case ".env.example allow" "exit=$RC out=$(head -c 160 /tmp/sg.out)"
+
+# ── service_role key assignment → block ──────────────────────────────
+R=$(init_repo)
+echo 'const k = "SUPABASE_SERVICE_ROLE_KEY=abcdef0123456789abcdef0123456789";' > "$R/cfg.ts"
+( cd "$R" && git add cfg.ts ) 2>/dev/null
+RC=$(run_guard_on_repo "$R")
+[ "$RC" = "2" ] && pass "service_role key assignment → blocked (exit 2)" || fail_case "service_role block" "exit=$RC out=$(head -c 160 /tmp/sg.out)"
+
+# ── Non-commit command → self-filter exits 0 silently ────────────────
+R=$(init_repo)
+echo "API_KEY=whatever" > "$R/.env"; ( cd "$R" && git add -f .env ) 2>/dev/null
+RC=$( ( cd "$R" && printf '{"tool_input":{"command":"git status"}}' | $NODE "$GUARD" >/dev/null 2>&1 ); echo $? )
+[ "$RC" = "0" ] && pass "non-commit command (git status) → self-filters, exit 0" || fail_case "self-filter" "exit=$RC"
+
+echo ""
+echo "=== Results: $PASS passed, $FAIL failed ==="
+[ "$FAIL" = "0" ]

package/tests/state.test.sh

@@ -1604,6 +1604,41 @@ else
   fail_case "operate handoff ungated" "out=$OUT"
 fi
 
+# 64. A5 increment failed-status gap closure (regression: A5 sets status
+#     "failed" on a failed verify, unlike the legacy "verified"+fail path).
+#     Asserts: next_command routes to gap closure (not the /qualia dead-end),
+#     re-plan is allowed from "failed", gap_cycles increments, and the
+#     circuit breaker fires at the limit.
+TMP=$(make_project)
+make_valid_plan "$TMP" 1                              # plan + contract + evidence for phase 1
+touch "$TMP/.planning/phase-1-verification.md"        # fail verify only needs the file to exist
+(cd "$TMP" && $NODE "$STATE_JS" migrate >/dev/null 2>&1)
+A5ID=inc-0001-foundation
+a5() { (cd "$TMP" && $NODE "$STATE_JS" transition --to "$1" ${2:+--verification "$2"} --id "$A5ID" 2>&1); }
+a5 planned >/dev/null 2>&1   # ensure planned (no-op if already)
+a5 built >/dev/null 2>&1
+VF=$(a5 verified fail)
+if echo "$VF" | grep -q '"status": "failed"' && echo "$VF" | grep -q '"next_command": "/qualia-plan 1 --gaps"'; then
+  pass "A5 failed verify → status=failed, next_command=/qualia-plan 1 --gaps (no dead-end)"
+else
+  fail_case "A5 failed next_command" "out=$VF"
+fi
+RP1=$(a5 planned)
+if echo "$RP1" | grep -q '"ok": true' && echo "$RP1" | grep -q '"gap_cycles": 1'; then
+  pass "A5 failed → planned gap closure allowed, gap_cycles=1"
+else
+  fail_case "A5 replan-from-failed" "out=$RP1"
+fi
+a5 built >/dev/null 2>&1; a5 verified fail >/dev/null 2>&1
+RP2=$(a5 planned)
+a5 built >/dev/null 2>&1; a5 verified fail >/dev/null 2>&1
+RP3=$(a5 planned)
+if echo "$RP2" | grep -q '"gap_cycles": 2' && echo "$RP3" | grep -q "GAP_CYCLE_LIMIT"; then
+  pass "A5 gap_cycles=2 then circuit breaker fires (GAP_CYCLE_LIMIT) at default limit"
+else
+  fail_case "A5 breaker" "rp2=$RP2 rp3=$RP3"
+fi
+
 # ─── Summary ─────────────────────────────────────────────
 echo ""
 echo "=== Results: $PASS passed, $FAIL failed ==="